authorReyk Floeter <reyk@cvs.openbsd.org>2006-11-24 13:52:15 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2006-11-24 13:52:15 +0000
commit7fbffbaf7e3799b9cd7a8945cea919cc091ca8d1 (patch)
tree0cef703fab0b082809c2f9483714feb180bfe502 /sys/netinet/ip_ipsp.c
parent2e37005e33b1ab74053f390d46313cbefe2212ad (diff)
add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
Diffstat (limited to 'sys/netinet/ip_ipsp.c')
-rw-r--r--sys/netinet/ip_ipsp.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 39611a04eed..196aab812f7 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.165 2006/01/13 10:11:23 mpf Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.166 2006/11/24 13:52:14 reyk Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -37,6 +37,8 @@
* PURPOSE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
@@ -46,6 +48,10 @@
#include <net/if.h>
#include <net/route.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#ifdef INET
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -858,6 +864,13 @@ tdb_free(struct tdb *tdbp)
tdbp->tdb_remote_cred = NULL;
}
+#if NPF > 0
+ if (tdbp->tdb_tag) {
+ pf_tag_unref(tdbp->tdb_tag);
+ tdbp->tdb_tag = 0;
+ }
+#endif
+
if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp))
tdbp->tdb_onext->tdb_inext = NULL;
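Review bot: The `pf_tag_unref(tdbp->tdb_tag)` added to tdb_free is the release half of a reference whose acquisition is not in this file's diff, and nothing in the hunk says which code owns that reference. Because pf rules will match on this tag, an unbalanced count matters for policy: if any path copies tdb_tag into another tdb without taking its own reference, the tag could presumably be released while still in use and its id reassigned, so filtering would apply to traffic of a different SA. I would add a comment above the block such as `/* release the pf tag reference taken when tdb_tag was set; each tdb holding a tag owns one ref */` and confirm that the code setting tdb_tag follows it. tdb_free starts before and continues after this hunk.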