Date:      Wed, 8 Jun 2011 10:59:36 +0000 (UTC)
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r222856 - head/sys/netinet6
Message-ID:  <201106081059.p58Axa8D028053@svn.freebsd.org>

Author: bz
Date: Wed Jun  8 10:59:36 2011
New Revision: 222856
URL: http://svn.freebsd.org/changeset/base/222856

Log:
  Add the missing call to ip6_ipsec_filtertunnel() to be able to control
  whether decapsulated IPsec packets will be passed to pfil again depending
  on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
  
  PR:		kern/157670
  Submitted by:	Manuel Kasper (mk neon1.net)
  MFC after:	2 weeks

Modified:
  head/sys/netinet6/ip6_input.c

Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c	Wed Jun  8 08:22:54 2011	(r222855)
+++ head/sys/netinet6/ip6_input.c	Wed Jun  8 10:59:36 2011	(r222856)
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
 		goto bad;
 	}
 #endif
+#ifdef IPSEC
+	/*
+	 * Bypass packet filtering for packets previously handled by IPsec.
+	 */
+	if (ip6_ipsec_filtertunnel(m))
+		goto passin;
+#endif /* IPSEC */
 
 	/*
 	 * Run through list of hooks for input packets.
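
Review bot: The new comment above the ip6_ipsec_filtertunnel(m) check reads as an unconditional bypass ("Bypass packet filtering for packets previously handled by IPsec"), while the log message says the behaviour depends on the net.ip6.ipsec6.filtertunnel sysctl. Since "goto passin" jumps over the "Run through list of hooks for input packets" block that follows, a reader of ip6_input.c alone cannot tell that firewall input rules may or may not see decapsulated traffic. Suggest naming the sysctl in the comment, for example "Bypass packet filtering for packets previously handled by IPsec, depending on net.ip6.ipsec6.filtertunnel", and stating what a non-zero return from ip6_ipsec_filtertunnel() means, because the function name suggests filtering while a true result here skips it.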


