summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-05-29 01:09:15 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2001-05-29 01:09:15 +0000
commitda12c2531c0c0a983b0f9633d5e5213c4a412926 (patch)
tree73363e4ea4f5ea8191863efe219a71ef5f6efbe5 /sys
parentc14e20a2f8ae626639af3f2ea171c81eeec339f2 (diff)
Make sure packets that need crypto processing on the NIC don't escape
(because of routing changes etc.)
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/ip_output.c51
1 files changed, 32 insertions, 19 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index bc10dfa0d09..7ff5629d4d0 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.96 2001/05/28 05:30:54 angelos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.97 2001/05/29 01:09:14 angelos Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -560,24 +560,24 @@ sendit:
#if defined(IPFILTER) || defined(IPFILTER_LKM)
if (fr_checkp) {
- /*
- * Ok, it's time for a simple round-trip to the IPF/NAT
- * code with the enc0 interface
- */
- struct mbuf *m0 = m;
- void *ifp = (void *)&encif[0].sc_if;
- if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
- error = EHOSTUNREACH;
- splx(s);
- goto done;
- }
- if (m0 == 0) { /* in case of 'fastroute' */
- error = 0;
- splx(s);
- goto done;
- }
- ip = mtod(m = m0, struct ip *);
- hlen = ip->ip_hl << 2;
+ /*
+ * Ok, it's time for a simple round-trip to the IPF/NAT
+ * code with the enc0 interface.
+ */
+ struct mbuf *m0 = m;
+ void *ifp = (void *)&encif[0].sc_if;
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
+ error = EHOSTUNREACH;
+ splx(s);
+ goto done;
+ }
+ if (m0 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ splx(s);
+ goto done;
+ }
+ ip = mtod(m = m0, struct ip *);
+ hlen = ip->ip_hl << 2;
}
#endif /* IPFILTER */
@@ -609,6 +609,19 @@ sendit:
splx(s);
return error; /* Nothing more to be done */
}
+
+ /*
+ * If deferred crypto processing is needed, check that the
+ * interface supports it.
+ */
+ if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
+ != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
+ /* Notify IPsec to do its own crypto. */
+ ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
+ m_freem(m);
+ error = EHOSTUNREACH;
+ goto done;
+ }
#endif /* IPSEC */
#if defined(IPFILTER) || defined(IPFILTER_LKM)