Author: bz
Date: Wed Jun 8 10:59:36 2011
New Revision: 222856
URL: http://svn.freebsd.org/changeset/base/222856
Log:
Add the missing call to ip6_ipsec_filtertunnel() to be able to control
whether decapsulated IPsec packets will be passed to pfil again depending
on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
PR: kern/157670
Submitted by: Manuel Kasper (mk neon1.net)
MFC after: 2 weeks
Modified:
head/sys/netinet6/ip6_input.c
Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c Wed Jun 8 08:22:54 2011
(r222855)
+++ head/sys/netinet6/ip6_input.c Wed Jun 8 10:59:36 2011
(r222856)
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
goto bad;
}
#endif
+#ifdef IPSEC
+ /*
+ * Bypass packet filtering for packets previously handled by IPsec.
+ */
+ if (ip6_ipsec_filtertunnel(m))
+ goto passin;
+#endif /* IPSEC */
/*
* Run through list of hooks for input packets.
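Review bot: The comment in the new #ifdef IPSEC block states the bypass unconditionally ("Bypass packet filtering for packets previously handled by IPsec"), while the log message says it depends on the net.ip6.ipsec6.filtertunnel sysctl. Please name the sysctl in the comment and state that a nonzero return from ip6_ipsec_filtertunnel(m) means "skip pfil". As written, the function name reads as the opposite of what the "goto passin" branch does. Since this branch lets decapsulated packets skip the input hooks, it is also worth confirming that nothing other than the hook list sits between this point and the passin label, which is not visible in this hunk.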