From 320c8e5164d793a94bf5d538add0abe0d4f665ca Mon Sep 17 00:00:00 2001
From: thompsa
Date: Mon, 26 Jun 2006 22:30:08 +0000
Subject: Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering.

Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month
---
 sys/netipsec/ipsec_input.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'sys/netipsec/ipsec_input.c')

diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 753b78a..24bc1c3 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -43,6 +43,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"
 #include
 #include
@@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ /*
+ * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+ * packet later after it has been decapsulated.
+ */
+ ipsec_bpf(m, sav, AF_INET);
+
+ if (prot != IPPROTO_IPIP)
+ if ((error = ipsec_filter(&m, 1)) != 0)
+ return (error);
+#endif
+
 /*
 * Re-dispatch via software interrupt.
 */
--
cgit v1.1
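Review bot: The early `return (error)` after `ipsec_filter(&m, 1)` relies on an mbuf-ownership contract the hunk does not state: this exit frees nothing, so it is only correct if `ipsec_filter()` has already released `m` (or set it to NULL) whenever it returns non-zero, and the code should say so once confirmed, e.g. `/* ipsec_filter() consumes m on error; nothing to free here */`. If the pfil hooks can also consume the packet without reporting an error, the dispatch that follows needs a guard such as `if (m == NULL) return (0);`, since `m` is passed by reference and may have been replaced. The direction argument is a bare `1` and should be the named pfil constant, and the nested unbraced `if`s invite a dangling-else slip; one form that fixes both is `if (prot != IPPROTO_IPIP && (error = ipsec_filter(&m, PFIL_IN)) != 0) return (error);`. The enclosing `ipsec4_common_input_cb` and the declarations of `error` and `prot` lie outside the hunk, so the assumption that `error` is an `int` already declared there is inferred, not visible.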