Replace enc(4) with a new implementation as a cloner device. We still

create enc0 by default, but it is possible to add additional enc
interfaces.  This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

1 files changed, 6 insertions, 2 deletions

diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index c55f53e6132..cd5fbe44c21 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip6_output.c,v 1.112 2010/05/07 13:33:17 claudio Exp $	*/
+/*	$OpenBSD: ip6_output.c,v 1.113 2010/06/29 21:28:38 reyk Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 
 /*
@@ -180,6 +180,9 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, struct route_in6 *ro,
 	u_int32_t sspi;
 	struct tdb *tdb;
 	int s;
+#if NPF > 0
+	struct ifnet *encif;
+#endif
 #endif /* IPSEC */
 
 #ifdef IPSEC
@@ -502,7 +505,8 @@ reroute:
 	        s = splnet();
 
 #if NPF > 0
-		if (pf_test6(PF_OUT, &encif[0].sc_if, &m, NULL) != PF_PASS) {
+		if ((encif = enc_getif(0)) == NULL ||
+		    pf_test6(PF_OUT, encif, &m, NULL) != PF_PASS) {
 			splx(s);
 			error = EHOSTUNREACH;
 			m_freem(m);