diff options
-rw-r--r-- | sys/netinet/ip_output.c | 41 |
1 files changed, 24 insertions, 17 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 10f2c4aae45..1ec3333ffe4 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.157 2003/10/02 05:47:29 itojun Exp $ */ +/* $OpenBSD: ip_output.c,v 1.158 2003/11/03 07:58:36 cedric Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -624,7 +624,30 @@ sendit: splx(s); return error; /* Nothing more to be done */ } +#endif /* IPSEC */ + + /* + * Packet filter + * + * This should be called before checking NIC capabilities, + * because pf_test() can: + * - drop the packet. + * - route the packet through another NIC. + */ +#if NPF > 0 + if (pf_test(PF_OUT, ifp, &m) != PF_PASS) { + error = EHOSTUNREACH; + m_freem(m); + goto done; + } + if (m == NULL) + goto done; + + ip = mtod(m, struct ip *); + hlen = ip->ip_hl << 2; +#endif +#ifdef IPSEC /* * If deferred crypto processing is needed, check that the * interface supports it. @@ -655,22 +678,6 @@ sendit: } /* - * Packet filter - */ -#if NPF > 0 - if (pf_test(PF_OUT, ifp, &m) != PF_PASS) { - error = EHOSTUNREACH; - m_freem(m); - goto done; - } - if (m == NULL) - goto done; - - ip = mtod(m, struct ip *); - hlen = ip->ip_hl << 2; -#endif - - /* * If small enough for interface, can just send directly. */ if (ntohs(ip->ip_len) <= mtu) { |