author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-01 00:28:26 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-06-01 00:28:26 +0000 |
commit | a04be4ec89e8019a956dc875f065fdb082a35f6f (patch) | |
tree | ab4571304b50654ba69ba0fa7215f0429bf8dc23 /sys | |
parent | 0f93e96fb0c9c7dc1aefd5e3c64f597687264ca1 (diff) |
Don't let packets that need IPsec crypto processing at the NIC be
bridge-broadcast; rather, turn off offloading for now. The IPsec stack
will do its own crypto for subsequent packets, which will be
broadcast. Once the bridge knows which interface to send packets for
that MAC to, if that interface supports IPsec offloading it'll turn it
back on.
Diffstat (limited to 'sys')
-rw-r--r-- | sys/net/if_bridge.c | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index f6599495097..de67c4a8370 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.56 2001/05/30 02:12:24 deraadt Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.57 2001/06/01 00:28:25 angelos Exp $ */
 
 /*
 * Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -742,6 +742,9 @@ bridge_output(ifp, m, sa, rt)
 struct ether_addr *src, *dst;
 struct bridge_softc *sc;
 int s;
+#ifdef IPSEC
+ struct m_tag *mtag;
+#endif /* IPSEC */
 
 if (m->m_len < sizeof(*eh)) {
 m = m_pullup(m, sizeof(*eh));
@@ -775,6 +778,21 @@ bridge_output(ifp, m, sa, rt)
 struct mbuf *mc;
 int used = 0;
 
+#ifdef IPSEC
+ /*
+ * Don't send out the packet if IPsec is needed, and
+ * notify IPsec to do its own crypto for now.
+ */
+ if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED,
+ NULL)) != NULL) {
+ /* Notify IPsec */
+ ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
+ m_freem(m);
+ splx(s);
+ return (0);
+ }
+#endif /* IPSEC */
+
 LIST_FOREACH(p, &sc->sc_iflist, next) {
 dst_if = p->ifp;
 if ((dst_if->if_flags & IFF_RUNNING) == 0)
@@ -1254,6 +1272,11 @@ bridge_broadcast(sc, ifp, eh, m)
 continue;
 }
 
+ /* Drop non-IP frames if the appropriate flag is set. */
+ if (p->bif_flags & IFBIF_BLOCKNONIP &&
+ bridge_blocknonip(eh, m))
+ continue;
+
 if (bridge_filterrule(&p->bif_brlout, eh) == BRL_ACTION_BLOCK)
 continue;
 
@@ -1269,12 +1292,6 @@ bridge_broadcast(sc, ifp, eh, m)
 }
 }
 
- if (p->bif_flags & IFBIF_BLOCKNONIP &&
- bridge_blocknonip(eh, mc)) {
- m_freem(mc);
- continue;
- }
-
 sc->sc_if.if_opackets++;
 sc->sc_if.if_obytes += mc->m_pkthdr.len;
 dst_if->if_obytes += m->m_pkthdr.len;
|
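Review bot: The tag payload is cast to `struct tdb_ident *` at `(mtag + 1)` without checking the tag's length, so the new code in the third hunk relies on every PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED tag carrying a full tdb_ident; presumably the IPsec side always attaches it that way, but making the assumption explicit with `KASSERT(mtag->m_tag_len >= sizeof(struct tdb_ident));` before the cast would catch a malformed tag instead of reading past the payload. The frame is then freed and `return (0)` reports success to the caller, so the drop leaves no trace in any counter; incrementing something like `sc->sc_if.if_oerrors++` before `m_freem(m)` would keep these intentional drops visible to operators watching interface statistics. The enclosing bridge_output starts before the second hunk and ends after the third, so the remaining exit paths cannot be checked from here.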
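Review bot: The added condition in the fourth hunk mixes `&` and `&&` without parentheses, `if (p->bif_flags & IFBIF_BLOCKNONIP &&`, which reads correctly only to someone who remembers that `&` binds tighter; writing it as `if ((p->bif_flags & IFBIF_BLOCKNONIP) &&` makes the intent obvious and is the form most of the tree uses for flag tests. The removed block in the last hunk had the same shape, so this is inherited style rather than a new defect. bridge_broadcast continues outside both hunks.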