There is no point in checking NIC capabilities before calling pf_test(),

since pf_test() can drop the packet or route it through another NIC.
ok dhartmei@ mcbride@
comment requested by markus@

1 files changed, 24 insertions, 17 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 10f2c4aae45..1ec3333ffe4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.157 2003/10/02 05:47:29 itojun Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.158 2003/11/03 07:58:36 cedric Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -624,7 +624,30 @@ sendit:
 		splx(s);
 		return error;  /* Nothing more to be done */
 	}
+#endif /* IPSEC */
+
+	/*
+	 * Packet filter
+	 *
+	 * This should be called before checking NIC capabilities,
+	 * because pf_test() can:
+	 *  - drop the packet.
+	 *  - route the packet through another NIC.
+	 */
+#if NPF > 0
+	if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
+		error = EHOSTUNREACH;
+		m_freem(m);
+		goto done;
+	}
+	if (m == NULL)
+		goto done;
+
+	ip = mtod(m, struct ip *);
+	hlen = ip->ip_hl << 2;
+#endif
 
+#ifdef IPSEC
 	/*
 	 * If deferred crypto processing is needed, check that the
 	 * interface supports it.
@@ -655,22 +678,6 @@ sendit:
 	}
 
 	/*
-	 * Packet filter
-	 */
-#if NPF > 0
-	if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
-		error = EHOSTUNREACH;
-		m_freem(m);
-		goto done;
-	}
-	if (m == NULL)
-		goto done;
-
-	ip = mtod(m, struct ip *);
-	hlen = ip->ip_hl << 2;
-#endif
-
-	/*
 	 * If small enough for interface, can just send directly.
 	 */
 	if (ntohs(ip->ip_len) <= mtu) {