svn commit: r222856 - head/sys/netinet6
Bjoern A. Zeeb
bz at FreeBSD.org
Wed Jun 8 10:59:36 UTC 2011
Author: bz
Date: Wed Jun 8 10:59:36 2011
New Revision: 222856
URL: http://svn.freebsd.org/changeset/base/222856
Log:
Add the missing call to ip6_ipsec_filtertunnel() to be able to control
whether decapsulated IPsec packets will be passed to pfil again depending
on the setting of the net.ip6.ipsec6.filtertunnel sysctl.
PR: kern/157670
Submitted by: Manuel Kasper (mk neon1.net)
MFC after: 2 weeks
Modified:
head/sys/netinet6/ip6_input.c
Modified: head/sys/netinet6/ip6_input.c
==============================================================================
--- head/sys/netinet6/ip6_input.c Wed Jun 8 08:22:54 2011 (r222855)
+++ head/sys/netinet6/ip6_input.c Wed Jun 8 10:59:36 2011 (r222856)
@@ -504,6 +504,13 @@ ip6_input(struct mbuf *m)
goto bad;
}
#endif
+#ifdef IPSEC
+ /*
+ * Bypass packet filtering for packets previously handled by IPsec.
+ */
+ if (ip6_ipsec_filtertunnel(m))
+ goto passin;
+#endif /* IPSEC */
/*
* Run through list of hooks for input packets.
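Review bot: The comment added above the ip6_ipsec_filtertunnel(m) check says filtering is bypassed for packets previously handled by IPsec, but per the commit log the bypass is conditional on net.ip6.ipsec6.filtertunnel, so the comment should name the sysctl and say which setting skips pfil. As called here, a nonzero return jumps to passin and skips the input hooks, which reads inverted against a function named filtertunnel; a short note on the return convention at the call site would keep a later reader from flipping the test and unintentionally exempting decapsulated traffic from the firewall rules, or the reverse.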