authorCedric Berger <cedric@cvs.openbsd.org>2003-11-03 07:50:01 +0000
committerCedric Berger <cedric@cvs.openbsd.org>2003-11-03 07:50:01 +0000
commit878410430021c341576dd0f5c5b787a01ef285a7 (patch)
tree5d1757497bb4fdc0188c92504830752a0195ae8c
parent69135e49ef175cc14bf6009d37ddbf95f5f5bcfe (diff)
pf_route() can change output NIC, so we need to check its capabilities.
good candidate for 3.X errata. ok dhartmei@ henning@ mcbride@
-rw-r--r--sys/net/pf.c30
1 files changed, 29 insertions, 1 deletions
diff --git a/sys/net/pf.c b/sys/net/pf.c
index 82bf922670c..aebb95980c0 100644
--- a/sys/net/pf.c
+++ b/sys/net/pf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf.c,v 1.397 2003/10/31 10:34:47 mcbride Exp $ */
+/* $OpenBSD: pf.c,v 1.398 2003/11/03 07:50:00 cedric Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -4539,6 +4539,34 @@ pf_route(struct mbuf **m, struct pf_rule *r, int dir, struct ifnet *oifp,
}
/* Copied from ip_output. */
+#ifdef IPSEC
+ /*
+ * If deferred crypto processing is needed, check that the
+ * interface supports it.
+ */
+ if ((mtag = m_tag_find(m0, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
+ != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
+ /* Notify IPsec to do its own crypto. */
+ ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
+ goto bad;
+ }
+#endif /* IPSEC */
+
+ /* Catch routing changes wrt. hardware checksumming for TCP or UDP. */
+ if (m0->m_pkthdr.csum & M_TCPV4_CSUM_OUT) {
+ if (!(ifp->if_capabilities & IFCAP_CSUM_TCPv4) ||
+ ifp->if_bridge != NULL) {
+ in_delayed_cksum(m0);
+ m0->m_pkthdr.csum &= ~M_TCPV4_CSUM_OUT; /* Clear */
+ }
+ } else if (m0->m_pkthdr.csum & M_UDPV4_CSUM_OUT) {
+ if (!(ifp->if_capabilities & IFCAP_CSUM_UDPv4) ||
+ ifp->if_bridge != NULL) {
+ in_delayed_cksum(m0);
+ m0->m_pkthdr.csum &= ~M_UDPV4_CSUM_OUT; /* Clear */
+ }
+ }
+
if (ntohs(ip->ip_len) <= ifp->if_mtu) {
if ((ifp->if_capabilities & IFCAP_CSUM_IPv4) &&
ifp->if_bridge == NULL) {
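Review bot: The IPsec branch drops the packet through `goto bad` when the rerouted interface lacks IFCAP_IPSEC, but its only comment, "Notify IPsec to do its own crypto", does not say that the drop is deliberate. I would extend it to something like `/* New ifp has no crypto offload: drop instead of sending the packet unprocessed, and unmark so IPsec does its own crypto from here on. */`, so that a later cleanup does not turn the drop into a fall-through to the send path. This assumes the `bad` label frees m0 and that `mtag` is declared under the same `#ifdef IPSEC`; both lie in the part of pf_route() outside this hunk. Because the whole block is a copy of logic in ip_output, the "Copied from ip_output" comment could also name which checks were copied, so that a future fix to one copy is carried to the other.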