svn commit: r191621 - head/sys/netinet
Edward Tomasz Napierala
trasz at FreeBSD.org
Tue Apr 28 11:10:34 UTC 2009
Author: trasz
Date: Tue Apr 28 11:10:33 2009
New Revision: 191621
URL: http://svn.freebsd.org/changeset/base/191621
Log:
Don't require a packet to match a route (any route; this information wasn't
used anyway, so a typical workaround was to add a dummy route) if it's going
to be sent through an IPSec tunnel.
Reviewed by: bz
Modified:
head/sys/netinet/ip_ipsec.c
head/sys/netinet/ip_output.c
Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Tue Apr 28 09:45:32 2009 (r191620)
+++ head/sys/netinet/ip_ipsec.c Tue Apr 28 11:10:33 2009 (r191621)
@@ -385,7 +385,8 @@ ip_ipsec_output(struct mbuf **m, struct
* the interface supports it.
*/
mtag = m_tag_find(*m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
- if (mtag != NULL && ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) {
+ if (mtag != NULL && ifp != NULL &&
+ ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) {
/* notify IPsec to do its own crypto */
ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
*error = EHOSTUNREACH;
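Review bot: The added guard on the `if` tests `ifp`, the pointer-to-pointer, while the very next operand dereferences `*ifp`; if the caller hands in the address of a local `struct ifnet *` that is still NULL in the no-route case this commit introduces, the guard passes and `(*ifp)->if_capenable` faults. If that is how ip_output calls it (the call site is not in this diff), the condition should be `if (mtag != NULL && ifp != NULL && *ifp != NULL &&` followed by the existing capability test. Since ip_ipsec_output is reached for every outbound packet when IPsec is compiled in, a NULL interface here is a remotely triggerable panic rather than a benign miss. The body of ip_ipsec_output starts and ends outside this hunk.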
Modified: head/sys/netinet/ip_output.c
==============================================================================
--- head/sys/netinet/ip_output.c Tue Apr 28 09:45:32 2009 (r191620)
+++ head/sys/netinet/ip_output.c Tue Apr 28 11:10:33 2009 (r191621)
@@ -145,6 +145,9 @@ ip_output(struct mbuf *m, struct mbuf *o
#ifdef IPFIREWALL_FORWARD
struct m_tag *fwd_tag = NULL;
#endif
+#ifdef IPSEC
+ int no_route_but_check_spd = 0;
+#endif
M_ASSERTPKTHDR(m);
if (ro == NULL) {
@@ -272,6 +275,15 @@ again:
inp ? inp->inp_inc.inc_fibnum : M_GETFIB(m));
#endif
if (ro->ro_rt == NULL) {
+#ifdef IPSEC
+ /*
+ * There is no route for this packet, but it is
+ * possible that a matching SPD entry exists.
+ */
+ no_route_but_check_spd = 1;
+ mtu = 0; /* Silence GCC warning. */
+ goto sendit;
+#endif
IPSTAT_INC(ips_noroute);
error = EHOSTUNREACH;
goto bad;
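Review bot: The unconditional `goto sendit` inside the new `#ifdef IPSEC` block leaves the three lines after `#endif` (`IPSTAT_INC(ips_noroute)`, `error = EHOSTUNREACH`, `goto bad`) unreachable in IPsec builds, which reads as if both paths ran; putting them under an `#else` branch of the same conditional makes the two behaviours explicit and silences unreachable-code warnings. The jump also bypasses everything between the route lookup and `sendit:`, so `ifp`, `dst` and `mtu` presumably still hold their pre-lookup values when the IPsec block runs (`mtu = 0` only placates the compiler); the `ifp != NULL` guard added in ip_ipsec.c covers one such use, but any other dereference of `ro->ro_rt` or `ifp` on that stretch is now reachable with a route-less packet and deserves the same check. A comment on the `goto` such as `/* sendit: IPsec is consulted first; the no-route error is raised there if no SPD entry claims the packet */` would tell a reader why the error is not raised here. ip_output continues outside this hunk.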
@@ -467,6 +479,14 @@ sendit:
default:
break; /* Continue with packet processing. */
}
+ /*
+ * Check if there was a route for this packet; return error if not.
+ */
+ if (no_route_but_check_spd) {
+ IPSTAT_INC(ips_noroute);
+ error = EHOSTUNREACH;
+ goto bad;
+ }
/* Update variables that are affected by ipsec4_output(). */
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
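Review bot: The comment above the new `if (no_route_but_check_spd)` says what the block does but not why the route check was moved here, which is the whole point of the change; suggest `/* The route lookup failed earlier but was deferred so an SPD entry could still claim the packet (e.g. tunnel it); nothing did, so fail as before. */`. This check reads a variable declared only under `#ifdef IPSEC`; the surrounding `switch`/`default:` context suggests it sits inside the IPsec block, but if the matching `#endif` precedes it, non-IPSEC builds no longer compile. Note too that a packet with no route is now evaluated against the SPD before being rejected, so an SPD "bypass" or "none" policy on a route-less destination still ends in EHOSTUNREACH here, while a "discard" or IPsec-processing result is handled by the switch above; that ordering is what the comment should state so nobody later "simplifies" it. ip_output continues outside this hunk.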