From: Edward Tomasz Napierala
Date: Wed, 27 May 2009 12:44:36 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r192893 - head/sys/netinet

Author: trasz
Date: Wed May 27 12:44:36 2009
New Revision: 192893
URL: http://svn.freebsd.org/changeset/base/192893

Log:
  Don't discard packets with 'Destination Unreachable' at the beginning of ip_forward(), if the IPSEC is compiled in. It is possible that there is an SPD that these packets will go through, even if there is no matching route. If not, ICMP will be sent anyway, after ip_output().

  This is somewhat similar in purpose to r191621, except that one was for the packets sent from the host, while this one is for packets being forwarded by the host.

  Reviewed by: bz@
  Sponsored by: Wheel Sp. z o.o. (http://www.wheel.pl)

Modified:
  head/sys/netinet/ip_input.c

Modified: head/sys/netinet/ip_input.c ============================================================================== --- head/sys/netinet/ip_input.c Wed May 27 12:33:57 2009 (r192892) +++ head/sys/netinet/ip_input.c Wed May 27 12:44:36 2009 (r192893) @@ -1356,7 +1356,7 @@ ip_forward(struct mbuf *m, int srcrt) { INIT_VNET_INET(curvnet); struct ip *ip = mtod(m, struct ip *); - struct in_ifaddr *ia = NULL; + struct in_ifaddr *ia; struct mbuf *mcopy; struct in_addr dest; struct route ro; 
@@ -1380,10 +1380,17 @@ ip_forward(struct mbuf *m, int srcrt) #endif ia = ip_rtaddr(ip->ip_dst, M_GETFIB(m)); +#ifndef IPSEC + /* + * 'ia' may be NULL if there is no route for this destination. + * In case of IPsec, Don't discard it just yet, but pass it to + * ip_output in case of outgoing IPsec policy. + */ if (!srcrt && ia == NULL) { icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0); return; } +#endif /* * Save the IP header and at most 8 bytes of the payload, @@ -1435,7 +1442,8 @@ ip_forward(struct mbuf *m, int srcrt) * or a route modified by a redirect. */ dest.s_addr = 0; - if (!srcrt && V_ipsendredirects && ia->ia_ifp == m->m_pkthdr.rcvif) { + if (!srcrt && V_ipsendredirects && + ia != NULL && ia->ia_ifp == m->m_pkthdr.rcvif) { struct sockaddr_in *sin; struct rtentry *rt; @@ -1502,7 +1510,7 @@ ip_forward(struct mbuf *m, int srcrt) /* type, code set above */ break; - case ENETUNREACH: /* shouldn't happen, checked above */ + case ENETUNREACH: case EHOSTUNREACH: case ENETDOWN: case EHOSTDOWN:
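Review bot: In the @@ -1356,7 +1356,7 @@ hunk, dropping the `= NULL` initializer on `ia` is unrelated to the behaviour change and removes a safe default just as NULL becomes a value the rest of the function has to handle. The assignment `ia = ip_rtaddr(ip->ip_dst, M_GETFIB(m));` follows an `#endif` in the next hunk, so please confirm it is not inside a conditional block and that nothing reads `ia` before it; otherwise keep the initializer.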
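Review bot: In the @@ -1380,10 +1380,17 @@ hunk, `#ifndef IPSEC` makes the decision at compile time, so a kernel built with IPSEC but with no outbound policy that could match still passes every unroutable forwarded packet on toward ip_output() instead of rejecting it here. Consider a run-time test for a possibly matching policy, or say in the comment that the extra work per unroutable packet is accepted. The new comment also sits inside the `#ifndef IPSEC` block while describing the IPsec case; moving it above the `#ifndef` would make it read correctly, and "Don't" should be lower case mid-sentence.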
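Review bot: In the @@ -1435,7 +1442,8 @@ hunk, the added `ia != NULL` test protects only the redirect condition. With IPSEC defined, `ia` can now be NULL for the rest of ip_forward(), so every later use of `ia` that this patch does not show needs the same check. Please confirm that none is left unguarded between this condition and the error switch, and say so in the log.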
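Review bot: In the @@ -1502,7 +1510,7 @@ hunk, the comment on `case ENETUNREACH:` is deleted rather than replaced, although it still holds when IPSEC is not defined. A short comment saying the case is reachable only when the early check is compiled out would preserve that information. Also confirm that the type and code "set above" produce the same ICMP_UNREACH_HOST reply as the early return, so senders see the same error from IPSEC and non-IPSEC kernels.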