summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--sys/netinet/ip_output.c41
1 files changed, 24 insertions, 17 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 10f2c4aae45..1ec3333ffe4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.157 2003/10/02 05:47:29 itojun Exp $ */
+/* $OpenBSD: ip_output.c,v 1.158 2003/11/03 07:58:36 cedric Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -624,7 +624,30 @@ sendit:
splx(s);
return error; /* Nothing more to be done */
}
+#endif /* IPSEC */
+
+ /*
+ * Packet filter
+ *
+ * This should be called before checking NIC capabilities,
+ * because pf_test() can:
+ * - drop the packet.
+ * - route the packet through another NIC.
+ */
+#if NPF > 0
+ if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+ if (m == NULL)
+ goto done;
+
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
+#endif
+#ifdef IPSEC
/*
* If deferred crypto processing is needed, check that the
* interface supports it.
@@ -655,22 +678,6 @@ sendit:
}
/*
- * Packet filter
- */
-#if NPF > 0
- if (pf_test(PF_OUT, ifp, &m) != PF_PASS) {
- error = EHOSTUNREACH;
- m_freem(m);
- goto done;
- }
- if (m == NULL)
- goto done;
-
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
-#endif
-
- /*
* If small enough for interface, can just send directly.
*/
if (ntohs(ip->ip_len) <= mtu) {