author | Niels Provos <provos@cvs.openbsd.org> | 2001-06-25 01:21:16 +0000 |
committer | Niels Provos <provos@cvs.openbsd.org> | 2001-06-25 01:21:16 +0000 |
commit | a10f9958afb69fd8b8735a135507dcf7ace599cb (patch) | |
tree | 41b47ff34089db41c2acdf621a058a704614c904 /sys/netinet | |
parent | df9417b37cead3a970e0e3f65b3745854105cb1a (diff) |
put pf before ipsec processing. return error code and free mbuf chain
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_output.c | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index cadf56cd8b2..cefbdded6f6 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.119 2001/06/24 23:42:40 mickey Exp $ */
+/* $OpenBSD: ip_output.c,v 1.120 2001/06/25 01:21:15 provos Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -48,6 +48,7 @@
 #include <sys/kernel.h>
 #include <net/if.h>
+#include <net/if_enc.h>
 #include <net/route.h>
 #if NPF > 0
@@ -564,6 +565,24 @@ sendit:
 if (sproto != 0) {
 s = splnet();
+ /*
+ * Packet filter
+ */
+#if NPF > 0
+ {
+ void *ifp = (void *)&encif[0].sc_if;
+ struct mbuf *m1 = m;
+ if (pf_test(PF_OUT, ifp, &m1) != PF_PASS) {
+ error = EHOSTUNREACH;
+ splx(s);
+ m_freem(m1);
+ goto done;
+ }
+ ip = mtod(m = m1, struct ip *);
+ hlen = ip->ip_hl << 2;
+ }
+#endif
 tdb = gettdb(sspi, &sdst, sproto);
 if (tdb == NULL) {
 error = EHOSTUNREACH;
@@ -642,8 +661,11 @@ sendit:
 #if NPF > 0
 {
 struct mbuf *m1 = m;
- if (pf_test(PF_OUT, ifp, &m1) != PF_PASS)
+ if (pf_test(PF_OUT, ifp, &m1) != PF_PASS) {
+ error = EHOSTUNREACH;
+ m_freem(m1);
 goto done;
+ }
 ip = mtod(m = m1, struct ip *);
 }
 #endif
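Review bot: `void *ifp = (void *)&encif[0].sc_if;` in the new block ahead of gettdb() declares a second `ifp` that shadows the outer one the later hunk at @@ -642 still passes to pf_test(), and the cast to `void *` discards the interface type for no gain; `struct ifnet *encifp = &encif[0].sc_if;` passed as `pf_test(PF_OUT, encifp, &m1)` keeps the two call sites distinguishable and lets the compiler check the argument. The values that select the TDB (`sspi`, `sdst`, `sproto`) are presumably computed above the hunk, before the filter now runs, so if pf_test() can rewrite the packet's addresses the TDB is still chosen from the pre-filter values — worth confirming that is intended, or moving the lookup after the filter. The added `/* Packet filter */` comment could carry the rationale that today lives only in the commit message, e.g. `/* Filter the cleartext packet before IPsec encapsulation, attributed to encif[0]. */`. ip_output()'s body begins and ends outside the hunk.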