author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-29 01:09:15 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 2001-05-29 01:09:15 +0000 |
commit | da12c2531c0c0a983b0f9633d5e5213c4a412926 (patch) | |
tree | 73363e4ea4f5ea8191863efe219a71ef5f6efbe5 /sys | |
parent | c14e20a2f8ae626639af3f2ea171c81eeec339f2 (diff) |
Make sure packets that need crypto processing on the NIC don't escape
(because of routing changes etc.)
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_output.c | 51 |
1 files changed, 32 insertions, 19 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index bc10dfa0d09..7ff5629d4d0 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.96 2001/05/28 05:30:54 angelos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.97 2001/05/29 01:09:14 angelos Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -560,24 +560,24 @@ sendit:
 #if defined(IPFILTER) || defined(IPFILTER_LKM)
 if (fr_checkp) {
- /*
- * Ok, it's time for a simple round-trip to the IPF/NAT
- * code with the enc0 interface
- */
- struct mbuf *m0 = m;
- void *ifp = (void *)&encif[0].sc_if;
- if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
- error = EHOSTUNREACH;
- splx(s);
- goto done;
- }
- if (m0 == 0) { /* in case of 'fastroute' */
- error = 0;
- splx(s);
- goto done;
- }
- ip = mtod(m = m0, struct ip *);
- hlen = ip->ip_hl << 2;
+ /*
+ * Ok, it's time for a simple round-trip to the IPF/NAT
+ * code with the enc0 interface.
+ */
+ struct mbuf *m0 = m;
+ void *ifp = (void *)&encif[0].sc_if;
+ if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
+ error = EHOSTUNREACH;
+ splx(s);
+ goto done;
+ }
+ if (m0 == 0) { /* in case of 'fastroute' */
+ error = 0;
+ splx(s);
+ goto done;
+ }
+ ip = mtod(m = m0, struct ip *);
+ hlen = ip->ip_hl << 2;
 }
 #endif /* IPFILTER */
@@ -609,6 +609,19 @@ sendit:
 splx(s);
 return error; /* Nothing more to be done */
 }
+
+ /*
+ * If deferred crypto processing is needed, check that the
+ * interface supports it.
+ */
+ if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL))
+ != NULL && (ifp->if_capabilities & IFCAP_IPSEC) == 0) {
+ /* Notify IPsec to do its own crypto. */
+ ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
+ m_freem(m);
+ error = EHOSTUNREACH;
+ goto done;
+ }
 #endif /* IPSEC */
 #if defined(IPFILTER) || defined(IPFILTER_LKM) |
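Review bot: The statement order in the new IFCAP_IPSEC block is load-bearing but undocumented: `ipsp_skipcrypto_unmark()` reads the `tdb_ident` stored in the tag payload at `mtag + 1`, which is mbuf-attached storage that `m_freem(m)` releases on the very next line, so the two calls must not be swapped. I would add `/* Unmark before m_freem(): the tdb_ident lives in the tag attached to m. */` above the unmark call. The drop itself is silent from a defender's point of view — the packet is discarded with EHOSTUNREACH and nothing visible in the hunk increments a statistic, so operators cannot tell that a route change caused plaintext-prevention drops; if an ipstat counter fits, bumping it here would make the condition observable. The block also assumes `ifp` was resolved from the route earlier in the function; that, the `done:` label, and the rest of the enclosing function lie outside the hunk.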