author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-29 03:51:12 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2000-09-29 03:51:12 +0000 |
commit | 5843a15c7e4147752374a9a426cd635928aab984 (patch) | |
tree | 344e5e0a284e0485553f3affb24fb41899561daa /sys/netinet/ip_output.c | |
parent | 621bd0202506b5e0afa8ceb0323816b2693d70b5 (diff) |
Outgoing packets that hit IPsec will be IPF/IPNAT processed as well on
the enc* interface, usually enc0; cedric@wireless-networks.com
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r-- | sys/netinet/ip_output.c | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index d38374eb455..64a7ce17ebd 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.81 2000/09/19 03:20:59 angelos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.82 2000/09/29 03:51:11 angelos Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -72,6 +72,7 @@
 #include <netinet/udp.h>
 #include <netinet/tcp.h>
 #include <net/pfkeyv2.h>
+#include <net/if_enc.h>
 #ifdef ENCDEBUG
 #define DPRINTF(x) do { if (encdebug) printf x ; } while (0)
@@ -542,6 +543,27 @@ sendit:
 if (sproto != 0) {
 s = splnet();
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+ if (fr_checkp) {
+ /*
+ * Ok, it's time for a simple round-trip to the IPF/NAT
+ * code with the enc# interface
+ */
+ struct mbuf *m0 = m;
+ void *ifp = tdb->tdb_interface ?
+ (void *)tdb->tdb_interface :
+ (void *)&encif[0].sc_if;
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
+ error = EHOSTUNREACH;
+ splx(s);
+ goto done;
+ } else {
+ ip = mtod(m = m0, struct ip *);
+ hlen = ip->ip_hl << 2;
+ }
+ }
+#endif /* IPFILTER */
+
 tdb = gettdb(sspi, &sdst, sproto);
 if (tdb == NULL) {
 error = EHOSTUNREACH; |
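Review bot: In the third hunk the added IPF block reads `tdb->tdb_interface` before the `tdb = gettdb(sspi, &sdst, sproto);` lookup and the `if (tdb == NULL)` check that follow it, so the filter interface is chosen from whatever an earlier part of the function left in `tdb`, which is not visible here and may be NULL or no longer valid. Moving the whole `#if defined(IPFILTER) || defined(IPFILTER_LKM)` block to after that NULL check would make the hook use the freshly validated TDB. The else branch also does `ip = mtod(m = m0, struct ip *);` without testing `m0`; if the hook can return 0 after consuming the packet (not shown on this page), it needs a guard first, e.g. `if (m0 == NULL) { splx(s); goto done; }`. Whether the mbuf is freed on the `EHOSTUNREACH` path depends on the hook and on the `done:` label, both outside the hunk, and deserves a one-line comment stating who owns `m` there.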