From 1aaf930d637f7d137cd8057e7391f65e77a20d22 Mon Sep 17 00:00:00 2001
From: bz
Date: Wed, 8 Jun 2011 10:59:36 +0000
Subject: Add the missing call to ip6_ipsec_filtertunnel() to be able to control whether decapsulated IPsec packets will be passed to pfil again depending on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
PR: kern/157670
Submitted by: Manuel Kasper (mk neon1.net)
MFC after: 2 weeks
---
 sys/netinet6/ip6_input.c | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'sys/netinet6/ip6_input.c')
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 052b8f6..de3a622 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
 goto bad;
 }
 #endif
+#ifdef IPSEC
+ /*
+ * Bypass packet filtering for packets previously handled by IPsec.
+ */
+ if (ip6_ipsec_filtertunnel(m))
+ goto passin;
+#endif /* IPSEC */
 /*
 * Run through list of hooks for input packets.
-- 
cgit v1.1
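Review bot: The added comment above the `if (ip6_ipsec_filtertunnel(m))` test reads as an unconditional bypass, but the jump to `passin` only happens when the helper returns non-zero, which the commit message ties to the net.ip6.ipsec6.filtertunnel sysctl; suggest `/* Skip the pfil hooks for packets already decapsulated by IPsec unless net.ip6.ipsec6.filtertunnel asks for them to be filtered again. */` so the conditional nature is visible at the call site. Because `goto passin` lands past the whole input-hook loop, the inner packets of IPsec tunnels never reach the packet filter while the helper returns non-zero, which is worth stating wherever that sysctl is documented so administrators who expect pfil rules to apply to tunnelled traffic know to enable it. The placement mirrors the IPv4 path, which appears to make the equivalent call before its own pfil loop, but that file is not in this diff. ip6_input() begins and ends outside the hunk, so the `passin` label and the hook loop being skipped are not visible here.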