Author: trasz Date: Tue Apr 28 11:10:33 2009 New Revision: 191621 URL: http://svn.freebsd.org/changeset/base/191621
Log: Don't require packet to match a route (any route; this information wasn't used anyway, so a typical workaround was to add a dummy route) if it's going to be sent through IPSec tunnel.
Reviewed by: bz
Modified:
head/sys/netinet/ip_ipsec.c
head/sys/netinet/ip_output.c
Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Tue Apr 28 09:45:32 2009 (r191620)
+++ head/sys/netinet/ip_ipsec.c Tue Apr 28 11:10:33 2009 (r191621)
@@ -385,7 +385,8 @@ ip_ipsec_output(struct mbuf **m, struct
 * the interface supports it.
 */
 mtag = m_tag_find(*m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
- if (mtag != NULL && ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) {
+ if (mtag != NULL && ifp != NULL &&
+ ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) {
 /* notify IPsec to do its own crypto */
 ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
 *error = EHOSTUNREACH;
Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c Tue Apr 28 09:45:32 2009 (r191620)
+++ head/sys/netinet/ip_output.c Tue Apr 28 11:10:33 2009 (r191621)
@@ -145,6 +145,9 @@ ip_output(struct mbuf *m, struct mbuf *o
 #ifdef IPFIREWALL_FORWARD
 struct m_tag *fwd_tag = NULL;
 #endif
+#ifdef IPSEC
+ int no_route_but_check_spd = 0;
+#endif
 
 M_ASSERTPKTHDR(m);
 if (ro == NULL) {
@@ -272,6 +275,15 @@ again:
 inp ? inp->inp_inc.inc_fibnum : M_GETFIB(m));
 #endif
 if (ro->ro_rt == NULL) {
+#ifdef IPSEC
+ /*
+ * There is no route for this packet, but it is
+ * possible that a matching SPD entry exists.
+ */
+ no_route_but_check_spd = 1;
+ mtu = 0; /* Silence GCC warning. */
+ goto sendit;
+#endif
 IPSTAT_INC(ips_noroute);
 error = EHOSTUNREACH;
 goto bad;
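Review bot: The added `ifp != NULL` test guards the pointer-to-pointer, while the dereference on the following line is `(*ifp)->if_capenable`, so a caller that passes the address of a local `struct ifnet *` that is still NULL — which is the state a packet with no route is in — is not protected by it. If the guard is meant to cover the no-route path this commit opens in ip_output(), the condition should read `if (mtag != NULL && ifp != NULL && *ifp != NULL &&` followed by the existing capability test. The signature of ip_ipsec_output() and its callers are outside the hunk, so whether `ifp` itself can ever be NULL cannot be confirmed from here; checking both levels costs nothing. ip_ipsec_output() begins before and ends after this hunk.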
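Review bot: `goto sendit` skips everything between the failed route lookup and the `sendit:` label, so any locals the skipped code normally derives from the route (the outgoing ifnet, the source address entry, broadcast state) keep whatever value they had before, and the code at `sendit:` presumably hands `&ifp` to ip_ipsec_output(); unless `ifp` is initialised at its declaration — not visible in this hunk — that call can observe an indeterminate pointer. Setting it explicitly next to the `mtu = 0;` line, `ifp = NULL; /* No route, so no outgoing interface yet. */`, would make the invariant hold regardless of the declaration, and a comment at this site stating that only the IPsec policy lookup may run before the no-route bail-out at `sendit:` would document why the jump is safe. Note that the bail-out at `sendit:` only fires when the IPsec call returns 0, so a packet with a bypass policy or no SPD entry still gets EHOSTUNREACH as before, which is the intended behaviour. ip_output() continues outside the hunk.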
@@ -467,6 +479,14 @@ sendit:
 default:
 break; /* Continue with packet processing. */
 }
+ /*
+ * Check if there was a route for this packet; return error if not.
+ */
+ if (no_route_but_check_spd) {
+ IPSTAT_INC(ips_noroute);
+ error = EHOSTUNREACH;
+ goto bad;
+ }
 /* Update variables that are affected by ipsec4_output(). */
 ip = mtod(m, struct ip *);
 hlen = ip->ip_hl << 2;
_______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
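Review bot: The new comment says what the check does but not why it sits here instead of at the lookup site, which is the non-obvious part: the bail-out has to come after the IPsec switch so that a matching policy can take the packet over (the `case` arms above `default:` are outside the hunk, but presumably include the path where IPsec consumes it) before the missing route is turned into an error. A comment along the lines of `/* No route was found earlier; the IPsec lookup above was the only reason to continue. A packet IPsec did not take over is unroutable. */` would save the next reader a trip back to the `ro->ro_rt == NULL` branch. The test also depends on `no_route_but_check_spd` existing, i.e. on this code sitting inside the `#ifdef IPSEC` region whose `#endif` is not visible in this hunk; worth confirming, since the declaration added at the top of ip_output() is conditional. ip_output() begins before and ends after this hunk.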