Read IPsec forwarding information once.

Fix MP race between reading ip_forwarding in ip_input() and checking
ip_forwarding == 2 in ip_output().  In theory ip_forwarding could
be 2 during ip_input() and later 0 in ip_output().  Then a packet
would be forwarded that was never allowed.  Currently exclusive
netlock in sysctl(2) prevents all races.

Introduce IP_FORWARDING_IPSEC and pass it with the flags parameter
that was introduced for IP_FORWARDING.

Instead of calling m_tag_find(), traversing the list, and comparing
with NULL, just check the PACKET_TAG_IPSEC_IN_DONE bit.  Reading
ipsec_in_use in ip_output() is a performance hack that is not
necessary.  New code only checks tree bits.

OK mvs@

1 files changed, 9 insertions, 3 deletions

diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index d561a703488..21221c149d7 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_input.c,v 1.396 2024/06/24 12:19:19 bluhm Exp $	*/
+/*	$OpenBSD: ip_input.c,v 1.397 2024/07/02 18:33:47 bluhm Exp $	*/
 /*	$NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $	*/
 
 /*
@@ -465,8 +465,14 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 		SET(flags, IP_REDIRECT);
 #endif
 
-	if (ip_forwarding != 0)
+	switch (ip_forwarding) {
+	case 2:
+		SET(flags, IP_FORWARDING_IPSEC);
+		/* FALLTHROUGH */
+	case 1:
 		SET(flags, IP_FORWARDING);
+		break;
+	}
 	if (ip_directedbcast)
 		SET(flags, IP_ALLOWBROADCAST);
 
@@ -529,7 +535,7 @@ ip_input_if(struct mbuf **mp, int *offp, int nxt, int af, struct ifnet *ifp)
 			 * ip_output().)
 			 */
 			KERNEL_LOCK();
-			error = ip_mforward(m, ifp);
+			error = ip_mforward(m, ifp, flags);
 			KERNEL_UNLOCK();
 			if (error) {
 				ipstat_inc(ips_cantforward);