Hi,

Do not pass diverted packets into IPsec processing.  They should
reach the socket that the user has specified in pf.conf.

ok?

bluhm

Index: netinet/ipsec_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.110
diff -u -p -r1.110 ipsec_input.c
--- netinet/ipsec_input.c       28 Mar 2013 23:10:06 -0000      1.110
+++ netinet/ipsec_input.c       29 Mar 2013 16:19:02 -0000
@@ -137,6 +137,9 @@ ipsec_common_input(struct mbuf *m, int s
 
        if ((sproto == IPPROTO_ESP && !esp_enable) ||
            (sproto == IPPROTO_AH && !ah_enable) ||
+#if NPF > 0
+           (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
            (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
                switch (af) {
 #ifdef INET
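Review bot: `#if NPF > 0` silently evaluates to false when NPF is not defined in this translation unit, so the new PF_TAG_DIVERTED clause would compile out without any diagnostic; it relies on ipsec_input.c already including `"pf.h"` (which defines NPF) and `<net/pfvar.h>` (for the `m_pkthdr.pf.flags` bit), which the hunk does not show. Worth confirming those includes are present, or checking once with `-Wundef`. The identical guard in the udp_usrreq.c hunk has the same dependency. A one-line comment on the new clause would also help, since the surrounding chain otherwise reads purely as sysctl enable checks: `/* diverted packets bypass IPsec and are delivered to the divert socket */`. ipsec_common_input continues outside the hunk.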
Index: netinet/udp_usrreq.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v
retrieving revision 1.155
diff -u -p -r1.155 udp_usrreq.c
--- netinet/udp_usrreq.c        29 Mar 2013 13:16:14 -0000      1.155
+++ netinet/udp_usrreq.c        29 Mar 2013 16:19:02 -0000
@@ -323,6 +323,9 @@ udp_input(struct mbuf *m, ...)
 
 #ifdef IPSEC
        if (udpencap_enable && udpencap_port &&
+#if NPF > 0
+           !(m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) &&
+#endif
            uh->uh_dport == htons(udpencap_port)) {
                u_int32_t spi;
                int skip = iphlen + sizeof(struct udphdr);
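Review bot: The new clause is spliced between the udpencap sysctl checks and the port compare with nothing saying why a diverted datagram on the NAT-T port must not be treated as UDP-encapsulated ESP; a comment would keep the intent from being lost in a later edit: `/* a diverted datagram belongs to the divert socket, not to ESP decapsulation */`. As a consequence, a PF_TAG_DIVERTED datagram that really carries UDP-encapsulated ESP presumably reaches the divert socket still encapsulated, which matches the description but is worth stating explicitly. udp_input continues outside the hunk.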
