It's better to perform the socket bypass check before we start dealing with SAs. OK?
---
 sys/netinet/ip_spd.c | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git sys/netinet/ip_spd.c sys/netinet/ip_spd.c
index 81e22da..e4b858c 100644
--- sys/netinet/ip_spd.c
+++ sys/netinet/ip_spd.c
@@ -320,48 +320,49 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int *error, int direction,
 	/* Do we have a cached entry ? If so, check if it's still valid. */
 	if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) {
 		TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo, ipo_tdb_next);
 		ipo->ipo_tdb = NULL;
 	}
 	/* Outgoing packet policy check. */
 	if (direction == IPSP_DIRECTION_OUT) {
 		/*
-		 * Fetch the incoming TDB based on the SPI passed
-		 * in ipsecflow and use it's dstid when looking
-		 * up the outgoing TDB.
-		 */
-		if (ipsecflowinfo &&
-		    (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc,
-		    ipo->ipo_sproto)) != NULL) {
-			srcid = tdbin->tdb_dstid;
-			dstid = tdbin->tdb_srcid;
-		}
-		/*
 		 * If the packet is destined for the policy-specified
 		 * gateway/endhost, and the socket has the BYPASS
 		 * option set, skip IPsec processing.
 		 */
 		if ((inp != NULL) &&
 		    (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
 		    (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
 		    (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
 			/* Direct match. */
 			if (dignore ||
 			    !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
 				*error = 0;
 				return NULL;
 			}
 		}
+		/*
+		 * Fetch the incoming TDB based on the SPI passed
+		 * in ipsecflow and use it's dstid when looking
+		 * up the outgoing TDB.
+		 */
+		if (ipsecflowinfo &&
+		    (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc,
+		    ipo->ipo_sproto)) != NULL) {
+			srcid = tdbin->tdb_dstid;
+			dstid = tdbin->tdb_srcid;
+		}
+
 		/* Check that the cached TDB (if present), is appropriate. */
 		if (ipo->ipo_tdb) {
 			if ((ipo->ipo_last_searched <= ipsec_last_added) ||
 			    (ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) ||
 			    memcmp(dignore ? &sdst : &ipo->ipo_dst,
 			    &ipo->ipo_tdb->tdb_dst,
 			    ipo->ipo_tdb->tdb_dst.sa.sa_len))
 				goto nomatchout;
 			if (!ipsp_aux_match(ipo->ipo_tdb,
-- 
2.3.4
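Review bot: The re-added comment above the `ipsecflowinfo` block does not describe what the code under it does: it says "use it's dstid", but the two assignments take both identities from the inbound TDB and swap their ends (`srcid = tdbin->tdb_dstid; dstid = tdbin->tdb_srcid;`), and it names the variable `ipsecflow` although the code tests `ipsecflowinfo`. Since the block is being moved in this commit anyway, make the comment match the code: `* Fetch the inbound TDB by the SPI passed in ipsecflowinfo and use its dstid/srcid, swapped, as the srcid/dstid for the outbound TDB lookup.` Moving this lookup after the BYPASS early return is what the commit intends, so nothing further is suggested on the ordering. ipsp_spd_lookup begins and ends outside this hunk, so how srcid/dstid and tdbin are consumed afterwards cannot be confirmed from here.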