author | Joel Sing <jsing@cvs.openbsd.org> | 2008-09-28 15:25:33 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2008-09-28 15:25:33 +0000 |
commit | 4dbdb19a51f2191b6b1113e484447816c0474d0e (patch) | |
tree | 6b9cc20d42e01b0907d38b8d5cbeb14032473609 /sys | |
parent | da4515167a1da80236b161feab279d1dbbe6d2b1 (diff) |
Clear the PF state key before an IP packet exits a gif(4) tunnel, in order
to prevent state key mismatches.
ok henning@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/in_gif.c | 11 | ||||
-rw-r--r-- | sys/netinet6/in6_gif.c | 13 |
2 files changed, 21 insertions, 3 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index ce6591d7156..61e68de45fd 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_gif.c,v 1.33 2007/02/15 22:40:02 claudio Exp $ */
+/* $OpenBSD: in_gif.c,v 1.34 2008/09/28 15:25:32 jsing Exp $ */
 /* $KAME: in_gif.c,v 1.50 2001/01/22 07:27:16 itojun Exp $ */
 /*
@@ -30,6 +30,8 @@
 * SUCH DAMAGE.
 */
+#include "pf.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/socket.h>
@@ -53,6 +55,10 @@
 #include "gif.h"
 #include "bridge.h"
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
 int
 in_gif_output(ifp, family, m)
 struct ifnet *ifp;
@@ -121,6 +127,9 @@ in_gif_output(ifp, family, m)
 m = mp;
+#if NPF > 0
+ pf_pkt_addr_changed(m);
+#endif
 return ip_output(m, (void *)NULL, (void *)NULL, 0, (void *)NULL, (void *)NULL);
 }
diff --git a/sys/netinet6/in6_gif.c b/sys/netinet6/in6_gif.c
index 939d1c1ad89..1beaee07d05 100644
--- a/sys/netinet6/in6_gif.c
+++ b/sys/netinet6/in6_gif.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6_gif.c,v 1.26 2008/06/11 19:00:50 mcbride Exp $ */
+/* $OpenBSD: in6_gif.c,v 1.27 2008/09/28 15:25:32 jsing Exp $ */
 /* $KAME: in6_gif.c,v 1.43 2001/01/22 07:27:17 itojun Exp $ */
 /*
@@ -30,6 +30,8 @@
 * SUCH DAMAGE.
 */
+#include "pf.h"
+
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/socket.h>
@@ -42,6 +44,10 @@
 #include <net/if.h>
 #include <net/route.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip_ipsp.h>
@@ -75,7 +81,7 @@ int
 in6_gif_output(struct ifnet *ifp, int family, struct mbuf *m)
 {
 struct gif_softc *sc = (struct gif_softc*)ifp;
- struct sockaddr_in6 *dst = (struct sockaddr_in6 *)&sc->gif_ro6.ro_dst;
+ struct sockaddr_in6 *dst = (struct sockaddr_in6 *)&sc->gif_ro6.ro_dst;
 struct sockaddr_in6 *sin6_src = (struct sockaddr_in6 *)sc->gif_psrc;
 struct sockaddr_in6 *sin6_dst = (struct sockaddr_in6 *)sc->gif_pdst;
 struct tdb tdb;
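Review bot: The `pf_pkt_addr_changed(m);` call added ahead of `ip_output()` in the `@@ -121,6 +127,9 @@` hunk of in_gif.c has no comment, so the reason for it lives only in the commit message; the same holds for the matching call in in6_gif_output(). A short comment above each call would keep the invariant visible to later editors, for example `/* outer header replaces the addresses pf matched on; drop the cached state key */`. This matters for filtering correctness: presumably a key left over from the inner packet could cause the encapsulated packet to be looked up against the wrong state, which is the mismatch the commit message refers to. The body of in_gif_output() starts outside the hunk, so whether `m` is always a valid, freshly encapsulated mbuf at this point cannot be confirmed from the visible lines.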
@@ -166,6 +172,9 @@ in6_gif_output(struct ifnet *ifp, int family, struct mbuf *m)
 * it is too painful to ask for resend of inner packet, to achieve
 * path MTU discovery for encapsulated packets.
 */
+#if NPF > 0
+ pf_pkt_addr_changed(m);
+#endif
 error = ip6_output(m, 0, &sc->gif_ro6, IPV6_MINMTU, 0, NULL, NULL);
 return error; |
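Review bot: The new `#if NPF > 0` block in in6_gif_output() sits between the comment that ends with "path MTU discovery for encapsulated packets." and the `ip6_output(..., IPV6_MINMTU, ...)` call that comment explains, so the comment now appears to describe the pf call. Placing the three added lines above the comment's opening line would keep the MTU rationale attached to `ip6_output()`. The comment starts outside the hunk, so the exact insertion point has to be picked in the full file. If the block stays where it is, it should carry its own one-line comment saying that the cached pf state key is cleared because the outer header has different addresses.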