summaryrefslogtreecommitdiff
path: root/sys/netinet
diff options
context:
space:
mode:
authorNiels Provos <provos@cvs.openbsd.org>2001-06-25 01:21:16 +0000
committerNiels Provos <provos@cvs.openbsd.org>2001-06-25 01:21:16 +0000
commita10f9958afb69fd8b8735a135507dcf7ace599cb (patch)
tree41b47ff34089db41c2acdf621a058a704614c904 /sys/netinet
parentdf9417b37cead3a970e0e3f65b3745854105cb1a (diff)
put pf before ipsec processing. return error code and free mbuf chain
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_output.c26
1 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index cadf56cd8b2..cefbdded6f6 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.119 2001/06/24 23:42:40 mickey Exp $ */
+/* $OpenBSD: ip_output.c,v 1.120 2001/06/25 01:21:15 provos Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -48,6 +48,7 @@
#include <sys/kernel.h>
#include <net/if.h>
+#include <net/if_enc.h>
#include <net/route.h>
#if NPF > 0
@@ -564,6 +565,24 @@ sendit:
if (sproto != 0) {
s = splnet();
+ /*
+ * Packet filter
+ */
+#if NPF > 0
+ {
+ void *ifp = (void *)&encif[0].sc_if;
+ struct mbuf *m1 = m;
+ if (pf_test(PF_OUT, ifp, &m1) != PF_PASS) {
+ error = EHOSTUNREACH;
+ splx(s);
+ m_freem(m1);
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ hlen = ip->ip_hl << 2;
+ }
+#endif
+
tdb = gettdb(sspi, &sdst, sproto);
if (tdb == NULL) {
error = EHOSTUNREACH;
@@ -642,8 +661,11 @@ sendit:
#if NPF > 0
{
struct mbuf *m1 = m;
- if (pf_test(PF_OUT, ifp, &m1) != PF_PASS)
+ if (pf_test(PF_OUT, ifp, &m1) != PF_PASS) {
+ error = EHOSTUNREACH;
+ m_freem(m1);
goto done;
+ }
ip = mtod(m = m1, struct ip *);
}
#endif