git: da0efbdb8d95 - main - ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated

[Konstantin Belousov]

The branch main has been updated by kib:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=da0efbdb8d952a1e9d15a5e332149e1f1092f5d9

commit da0efbdb8d952a1e9d15a5e332149e1f1092f5d9
Author:     Konstantin Belousov <k...@freebsd.org>
AuthorDate: 2023-01-25 11:03:51 +0000
Commit:     Konstantin Belousov <k...@freebsd.org>
CommitDate: 2024-07-12 03:29:31 +0000

    ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated
    
    To be able to pass ifp and mtu to the ipsec_output() and ipsec
    accelerator filter.
    
    Sponsored by:   NVIDIA networking
    Differential revision:  https://reviews.freebsd.org/D44225
---
 sys/netinet6/ip6_output.c | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 68dd376af5d0..7eea64bb6344 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -449,27 +449,6 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 #endif
        }
 
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-       /*
-        * IPSec checking which handles several cases.
-        * FAST IPSEC: We re-injected the packet.
-        * XXX: need scope argument.
-        */
-       if (IPSEC_ENABLED(ipv6)) {
-               m = mb_unmapped_to_ext(m);
-               if (m == NULL) {
-                       IP6STAT_INC(ip6s_odropped);
-                       error = ENOBUFS;
-                       goto bad;
-               }
-               if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) {
-                       if (error == EINPROGRESS)
-                               error = 0;
-                       goto done;
-               }
-       }
-#endif /* IPSEC */
-
        /* Source address validation. */
        ip6 = mtod(m, struct ip6_hdr *);
        if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) &&
@@ -806,6 +785,27 @@ nonh6lookup:
        KASSERT((ifp != NULL), ("output interface must not be NULL"));
        KASSERT((origifp != NULL), ("output address interface must not be 
NULL"));
 
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
+       /*
+        * IPSec checking which handles several cases.
+        * FAST IPSEC: We re-injected the packet.
+        * XXX: need scope argument.
+        */
+       if (IPSEC_ENABLED(ipv6)) {
+               m = mb_unmapped_to_ext(m);
+               if (m == NULL) {
+                       IP6STAT_INC(ip6s_odropped);
+                       error = ENOBUFS;
+                       goto bad;
+               }
+               if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) {
+                       if (error == EINPROGRESS)
+                               error = 0;
+                       goto done;
+               }
+       }
+#endif /* IPSEC */
+
        if ((flags & IPV6_FORWARDING) == 0) {
                /* XXX: the FORWARDING flag can be set for mrouting. */
                in6_ifstat_inc(ifp, ifs6_out_request);