diff options
| author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-08-21 06:53:37 +0000 |
|---|---|---|
| committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-08-21 06:53:37 +0000 |
| commit | 91cdd31f909e12fb3982994617ac38e901f93d65 (patch) | |
| tree | b4c377db36e4bf6c667b6cd2cf650599e1a371c2 /sys/netinet | |
| parent | eb9bfe8e8247b288f22ac9b06a0798c92ddc42e7 (diff) | |
Don't check for BYPASS options in PCB on ip_output/ip6_output --- this
is already done in ip_spd_lookup()
Diffstat (limited to 'sys/netinet')
| -rw-r--r-- | sys/netinet/ip_output.c | 20 |
1 files changed, 1 insertions, 19 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index be5c4d20b22..672c0da7bfb 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.134 2001/07/17 20:34:50 provos Exp $ */ +/* $OpenBSD: ip_output.c,v 1.135 2001/08/21 06:53:36 angelos Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -287,24 +287,6 @@ ip_output(m0, va_alist) goto done; } } else { - /* - * If the socket has set the bypass flags and SA - * destination matches the IP destination, skip - * IPsec. This allows IKE packets to travel through - * IPsec tunnels. - */ - if ((inp != NULL) && - (inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS) && - (inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) && - (inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) - && (inp->inp_seclevel[SL_IPCOMP] == IPSEC_LEVEL_BYPASS) - && (sdst.sa.sa_family == AF_INET) && - (sdst.sin.sin_addr.s_addr == ip->ip_dst.s_addr)) { - splx(s); - sproto = 0; /* mark as no-IPsec-needed */ - goto done_spd; - } - /* Loop detection */ for (mtag = m_tag_first(m); mtag != NULL; mtag = m_tag_next(m, mtag)) { |