authorAlexander Bluhm <bluhm@cvs.openbsd.org>2017-05-12 14:04:10 +0000
committerAlexander Bluhm <bluhm@cvs.openbsd.org>2017-05-12 14:04:10 +0000
commit333eb523da93f500b6dea9106bf8e8c6a412a6ce (patch)
tree2b100d5f258ed1060cf47f3f6d87de340f44bf6a /sys/netinet6/ip6_input.c
parent8de5d6a4f10fbc77a5fb80e06639b0debff2770e (diff)
Use the IPsec policy check from ipv4_input() also when forwarding
in ip6_input(). While there avoid an ugly #ifdef in ipv4_input(). OK mikeb@
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r--sys/netinet6/ip6_input.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 47f422fa7ec..79371e89813 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.185 2017/05/11 11:36:20 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.186 2017/05/12 14:04:09 bluhm Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -470,6 +470,24 @@ ip6_input(struct mbuf *m)
goto out;
}
+#ifdef IPSEC
+ if (ipsec_in_use) {
+ int rv;
+
+ KERNEL_LOCK();
+ rv = ip_input_ipsec_fwd_check(m, off, AF_INET6);
+ KERNEL_UNLOCK();
+ if (rv != 0) {
+ ipstat_inc(ips_cantforward);
+ goto bad;
+ }
+ /*
+ * Fall through, forward packet. Outbound IPsec policy
+ * checking will occur in ip6_forward().
+ */
+ }
+#endif /* IPSEC */
+
ip6_forward(m, rt, srcrt);
if_put(ifp);
return;
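Review bot: The drop path in the added IPSEC block counts the packet with `ipstat_inc(ips_cantforward)`, which is the IPv4 counter, although this code is in ip6_input(). A packet rejected by the forwarding policy check would then be accounted under the IPv4 statistics instead of the IPv6 ones, so IPsec policy drops on the IPv6 forwarding path are harder to see when monitoring. I would use the IPv6 counter here: `ip6stat_inc(ip6s_cantforward);`. The `bad` label lies outside the hunk, so it is worth confirming that it releases `ifp` the same way the forward path does with `if_put(ifp)`. The body of ip6_input() starts and ends outside this hunk.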