Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/if_bridge.c8
-rw-r--r--sys/net/if_pfsync.c5
-rw-r--r--sys/net/if_pfsync.h4
-rw-r--r--sys/net/pfkeyv2.c100
-rw-r--r--sys/net/pfkeyv2.h7
-rw-r--r--sys/net/route.c10
6 files changed, 84 insertions, 50 deletions
diff --git a/sys/net/if_bridge.c b/sys/net/if_bridge.c
index 5dd8b2e9217..4fbe0470dbe 100644
--- a/sys/net/if_bridge.c
+++ b/sys/net/if_bridge.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_bridge.c,v 1.181 2010/07/02 02:40:16 blambert Exp $ */
+/* $OpenBSD: if_bridge.c,v 1.182 2010/07/09 16:58:06 reyk Exp $ */
/*
* Copyright (c) 1999, 2000 Jason L. Wright (jason@thought.net)
@@ -2402,7 +2402,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
s = spltdb();
- tdb = gettdb(spi, &dst, proto);
+ tdb = gettdb(ifp->if_rdomain, spi, &dst, proto);
if (tdb != NULL && (tdb->tdb_flags & TDBF_INVALID) == 0 &&
tdb->tdb_xform != NULL) {
if (tdb->tdb_first_use == 0) {
@@ -2457,7 +2457,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
switch (af) {
#ifdef INET
case AF_INET:
- if ((encif = enc_getif(0,
+ if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
pf_test(dir, encif,
&m, NULL) != PF_PASS) {
@@ -2468,7 +2468,7 @@ bridge_ipsec(struct bridge_softc *sc, struct ifnet *ifp,
#endif /* INET */
#ifdef INET6
case AF_INET6:
- if ((encif = enc_getif(0,
+ if ((encif = enc_getif(tdb->tdb_rdomain,
tdb->tdb_tap)) == NULL ||
pf_test6(dir, encif,
&m, NULL) != PF_PASS) {
diff --git a/sys/net/if_pfsync.c b/sys/net/if_pfsync.c
index 95894c3cb0c..535205daaf9 100644
--- a/sys/net/if_pfsync.c
+++ b/sys/net/if_pfsync.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.c,v 1.151 2010/07/09 13:09:34 dlg Exp $ */
+/* $OpenBSD: if_pfsync.c,v 1.152 2010/07/09 16:58:06 reyk Exp $ */
/*
* Copyright (c) 2002 Michael Shalayeff
@@ -1239,7 +1239,7 @@ pfsync_update_net_tdb(struct pfsync_tdb *pt)
goto bad;
s = spltdb();
- tdb = gettdb(pt->spi, &pt->dst, pt->sproto);
+ tdb = gettdb(ntohs(pt->rdomain), pt->spi, &pt->dst, pt->sproto);
if (tdb) {
pt->rpl = ntohl(pt->rpl);
pt->cur_bytes = betoh64(pt->cur_bytes);
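Review bot: The rdomain used as the gettdb() key on the added line is taken straight from the peer's pfsync_tdb record, so its meaning depends on both hosts numbering routing domains identically, and nothing here checks that the id exists locally. A lookup in an unknown domain presumably just returns NULL and the update is dropped without any counter being bumped, which makes a numbering mismatch hard to diagnose; a guard on the existing `bad` path, e.g. `if (!rtable_exists(ntohs(pt->rdomain))) goto bad;` (if that helper is available in this tree), would make the rejection explicit. The sender side in pfsync_out_tdb narrows tdb_rdomain to 16 bits with htons(); that is presumably fine given the rtable id range, but deserves a comment. pfsync_update_net_tdb begins before this hunk.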
@@ -2162,6 +2162,7 @@ pfsync_out_tdb(struct tdb *t, void *buf)
RPL_INCR : 0));
ut->cur_bytes = htobe64(t->tdb_cur_bytes);
ut->sproto = t->tdb_sproto;
+ ut->rdomain = htons(t->tdb_rdomain);
}
void
diff --git a/sys/net/if_pfsync.h b/sys/net/if_pfsync.h
index dafe6d4e43f..ba83a6607ff 100644
--- a/sys/net/if_pfsync.h
+++ b/sys/net/if_pfsync.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_pfsync.h,v 1.42 2010/01/12 23:38:02 dlg Exp $ */
+/* $OpenBSD: if_pfsync.h,v 1.43 2010/07/09 16:58:06 reyk Exp $ */
/*
* Copyright (c) 2001 Michael Shalayeff
@@ -216,7 +216,7 @@ struct pfsync_tdb {
u_int64_t cur_bytes;
u_int8_t sproto;
u_int8_t updates;
- u_int8_t _pad[2];
+ u_int16_t rdomain;
} __packed;
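Review bot: Repurposing the two pad bytes as `rdomain` keeps the pfsync_tdb size and the protocol version unchanged, so the compatibility consequences should be stated next to the field: a peer running the old code sends zeros here, which the new receiver reads as rdomain 0, while that peer silently ignores the domain sent by the new code. A comment such as `u_int16_t rdomain; /* was _pad[2]; old peers send 0 */` would document that. If that cross-version behaviour is not intended, the protocol version should be bumped instead.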
/*
diff --git a/sys/net/pfkeyv2.c b/sys/net/pfkeyv2.c
index b5c0178406f..19568d3be13 100644
--- a/sys/net/pfkeyv2.c
+++ b/sys/net/pfkeyv2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.c,v 1.120 2010/07/01 02:09:45 reyk Exp $ */
+/* $OpenBSD: pfkeyv2.c,v 1.121 2010/07/09 16:58:06 reyk Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
@@ -159,6 +159,12 @@ pfkeyv2_create(struct socket *socket)
pfkeyv2_socket->socket = socket;
pfkeyv2_socket->pid = curproc->p_pid;
+ /*
+ * XXX we should get this from the socket instead but
+ * XXX rawcb doesn't store the rdomain like inpcb does.
+ */
+ pfkeyv2_socket->rdomain = rtable_l2(curproc->p_p->ps_rtableid);
+
pfkeyv2_sockets = pfkeyv2_socket;
return (0);
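Review bot: The rdomain is sampled once from the creating process's rtable, and the XXX comment says where the value comes from but not that it stays fixed for the socket's lifetime. Since every later check in pfkeyv2_send and pfkeyv2_sendmessage compares against this stored value, a descriptor that later ends up in a process attached to a different routing domain keeps delivering within the original one; presumably that is the intended boundary, but it is worth saying so, e.g. ` * The value is fixed for the lifetime of the socket.` appended to the XXX block. `rtable_l2()` is also what pfkeyv2_sysctl uses, so the two derivations stay consistent.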
@@ -201,7 +207,7 @@ pfkeyv2_release(struct socket *socket)
*/
int
pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
- u_int8_t satype, int count)
+ u_int8_t satype, int count, u_int rdomain)
{
int i, j, rval;
void *p, *buffer = NULL;
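Review bot: The new `rdomain` parameter is not described in the function comment that ends just above this hunk, yet its effect is the real change of the commit: the four delivery loops in the following hunks (the PROMISC, REGISTERED, promiscuous-only and BROADCAST cases) all now skip sockets whose stored rdomain differs. Suggest adding to that comment a line like ` * rdomain: only sockets created in this routing domain receive the message.` so the isolation is visible from the interface. Note also that a promiscuous listener, including one in the default domain, no longer observes traffic from other domains; if a global observer is ever wanted it has to be added explicitly.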
@@ -272,7 +278,8 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
*/
for (s = pfkeyv2_sockets; s; s = s->next)
if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
- (s->socket != socket))
+ (s->socket != socket) &&
+ (s->rdomain == rdomain))
pfkey_sendup(s->socket, packet, 1);
/* Done, let's be a bit paranoid */
@@ -286,7 +293,8 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
* the specified satype (e.g., all IPSEC-ESP negotiators)
*/
for (s = pfkeyv2_sockets; s; s = s->next)
- if (s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) {
+ if ((s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) &&
+ (s->rdomain == rdomain)) {
if (!satype) /* Just send to everyone registered */
pfkey_sendup(s->socket, packet, 1);
else {
@@ -316,7 +324,8 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
/* Send to all registered promiscuous listeners */
for (s = pfkeyv2_sockets; s; s = s->next)
if ((s->flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
- !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED))
+ !(s->flags & PFKEYV2_SOCKETFLAGS_REGISTERED) &&
+ (s->rdomain == rdomain))
pfkey_sendup(s->socket, packet, 1);
m_freem(packet);
@@ -324,9 +333,10 @@ pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
case PFKEYV2_SENDMESSAGE_BROADCAST:
/* Send message to all sockets */
- for (s = pfkeyv2_sockets; s; s = s->next)
- pfkey_sendup(s->socket, packet, 1);
-
+ for (s = pfkeyv2_sockets; s; s = s->next) {
+ if (s->rdomain == rdomain)
+ pfkey_sendup(s->socket, packet, 1);
+ }
m_freem(packet);
break;
}
@@ -742,7 +752,8 @@ pfkeyv2_dump_walker(struct tdb *sa, void *state, int last)
/* Send the message to the specified socket */
rval = pfkeyv2_sendmessage(headers,
- PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0);
+ PFKEYV2_SENDMESSAGE_UNICAST, dump_state->socket, 0, 0,
+ sa->tdb_rdomain);
free(buffer, M_PFKEY);
if (rval)
@@ -859,6 +870,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
struct sadb_supported *ssup;
struct sadb_ident *sid;
+ u_int rdomain;
+
/* Verify that we received this over a legitimate pfkeyv2 socket */
bzero(headers, sizeof(headers));
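Review bot: `rdomain` is declared here without an initializer and only assigned after the socket lookup (next hunk), but the `goto ret` that precedes that assignment can lead to the `pfkeyv2_sendmessage(..., rdomain)` call at the `ret:` label (hunk at line 1864) unless the error path there jumps to `realret` first. The short-circuit condition is outside the hunk, so this may be fine in practice, but it makes correctness depend on an invariant far away in the function; either initialise at declaration (`u_int rdomain = 0;`) or, preferably, make the no-socket failure leave via `realret` directly, since with no matching socket there is no domain to reply into. pfkeyv2_send continues outside this hunk.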
@@ -872,6 +885,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
goto ret;
}
+ rdomain = pfkeyv2_socket->rdomain;
+
/* If we have any promiscuous listeners, send them a copy of the message */
if (npromisc) {
struct mbuf *packet;
@@ -899,9 +914,11 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
goto ret;
/* Send to all promiscuous listeners */
- for (so = pfkeyv2_sockets; so; so = so->next)
- if (so->flags & PFKEYV2_SOCKETFLAGS_PROMISC)
+ for (so = pfkeyv2_sockets; so; so = so->next) {
+ if ((so->flags & PFKEYV2_SOCKETFLAGS_PROMISC) &&
+ (so->rdomain == rdomain))
pfkey_sendup(so->socket, packet, 1);
+ }
/* Paranoid */
m_zero(packet);
@@ -934,9 +951,9 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
/* Find an unused SA identifier */
sprng = (struct sadb_spirange *) headers[SADB_EXT_SPIRANGE];
- sa.tdb_spi = reserve_spi(sprng->sadb_spirange_min,
- sprng->sadb_spirange_max, &sa.tdb_src, &sa.tdb_dst,
- sa.tdb_sproto, &rval);
+ sa.tdb_spi = reserve_spi(rdomain,
+ sprng->sadb_spirange_min, sprng->sadb_spirange_max,
+ &sa.tdb_src, &sa.tdb_dst, sa.tdb_sproto, &rval);
if (sa.tdb_spi == 0)
goto ret;
@@ -989,7 +1006,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
s = spltdb();
/* Find TDB */
- sa2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(smsg->sadb_msg_satype));
/* If there's no such SA, we're done */
@@ -1005,7 +1022,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
int alg;
/* Create new TDB */
- freeme = tdb_alloc();
+ freeme = tdb_alloc(rdomain);
bzero(&ii, sizeof(struct ipsecinit));
newsa = (struct tdb *) freeme;
@@ -1150,7 +1167,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
s = spltdb();
- sa2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(smsg->sadb_msg_satype));
/* We can't add an existing SA! */
@@ -1166,7 +1183,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
}
/* Allocate and initialize new TDB */
- freeme = tdb_alloc();
+ freeme = tdb_alloc(rdomain);
{
struct tdb *newsa = (struct tdb *) freeme;
@@ -1262,7 +1279,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
sizeof(struct sadb_address));
s = spltdb();
- sa2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(smsg->sadb_msg_satype));
if (sa2 == NULL) {
rval = ESRCH;
@@ -1298,7 +1315,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
s = spltdb();
- sa2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ sa2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(smsg->sadb_msg_satype));
if (sa2 == NULL) {
rval = ESRCH;
@@ -1398,7 +1415,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
for (ipo = TAILQ_FIRST(&ipsec_policy_head);
ipo != NULL; ipo = tmpipo) {
tmpipo = TAILQ_NEXT(ipo, ipo_list);
- if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET))
+ if (!(ipo->ipo_flags & IPSP_POLICY_SOCKET) &&
+ ipo->ipo_rdomain == rdomain)
ipsec_delete_policy(ipo);
}
splx(s);
@@ -1412,7 +1430,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
#endif /* TCP_SIGNATURE */
s = spltdb();
- tdb_walk(pfkeyv2_flush_walker,
+ tdb_walk(rdomain, pfkeyv2_flush_walker,
(u_int8_t *) &(smsg->sadb_msg_satype));
splx(s);
@@ -1431,7 +1449,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
dump_state.socket = socket;
s = spltdb();
- rval = tdb_walk(pfkeyv2_dump_walker, &dump_state);
+ rval = tdb_walk(rdomain, pfkeyv2_dump_walker, &dump_state);
splx(s);
if (!rval)
@@ -1453,7 +1471,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
s = spltdb();
- tdb1 = gettdb(ssa->sadb_sa_spi, sunionp,
+ tdb1 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(smsg->sadb_msg_satype));
if (tdb1 == NULL) {
rval = ESRCH;
@@ -1465,7 +1483,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
sizeof(struct sadb_address));
sa_proto = ((struct sadb_protocol *) headers[SADB_X_EXT_PROTOCOL]);
- tdb2 = gettdb(ssa->sadb_sa_spi, sunionp,
+ tdb2 = gettdb(rdomain, ssa->sadb_sa_spi, sunionp,
SADB_X_GETSPROTO(sa_proto->sadb_protocol_proto));
if (tdb2 == NULL) {
rval = ESRCH;
@@ -1544,6 +1562,9 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
s = spltdb();
+ /* Set the rdomain that was obtained from the socket */
+ re.re_tableid = rdomain;
+
rtalloc((struct route *) &re);
if (re.re_rt != NULL) {
ipo = ((struct sockaddr_encap *) re.re_rt->rt_gateway)->sen_ipsp;
@@ -1617,6 +1638,8 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
sizeof(struct sockaddr_encap));
bcopy(&encapnetmask, &ipo->ipo_mask,
sizeof(struct sockaddr_encap));
+
+ ipo->ipo_rdomain = rdomain;
}
switch (((struct sadb_protocol *) headers[SADB_X_EXT_FLOW_TYPE])->sadb_protocol_proto) {
@@ -1744,7 +1767,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
(struct sockaddr *)&encapnetmask;
info.rti_flags = RTF_UP | RTF_GATEWAY | RTF_STATIC;
if ((rval = rtrequest1(RTM_ADD, &info, RTP_DEFAULT,
- NULL, 0)) != 0) {
+ NULL, rdomain)) != 0) {
/* Remove from linked list of policies on TDB */
if (ipo->ipo_tdb)
TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head,
@@ -1779,6 +1802,7 @@ pfkeyv2_send(struct socket *socket, void *message, int len)
for (so = pfkeyv2_sockets; so; so = so->next)
if ((so != pfkeyv2_socket) &&
+ (so->rdomain == rdomain) &&
(!smsg->sadb_msg_seq ||
(smsg->sadb_msg_seq == pfkeyv2_socket->pid)))
pfkey_sendup(so->socket, packet, 1);
@@ -1840,7 +1864,7 @@ ret:
goto realret;
}
- rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0);
+ rval = pfkeyv2_sendmessage(headers, mode, socket, 0, 0, rdomain);
realret:
if (freeme)
@@ -2121,8 +2145,8 @@ pfkeyv2_acquire(struct ipsec_policy *ipo, union sockaddr_union *gw,
/* Send the ACQUIRE message to all compliant registered listeners. */
if ((rval = pfkeyv2_sendmessage(headers,
- PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0))
- != 0)
+ PFKEYV2_SENDMESSAGE_REGISTERED, NULL, smsg->sadb_msg_satype, 0,
+ ipo->ipo_rdomain)) != 0)
goto ret;
rval = 0;
@@ -2203,7 +2227,7 @@ pfkeyv2_expire(struct tdb *sa, u_int16_t type)
export_address(&p, (struct sockaddr *) &sa->tdb_dst);
if ((rval = pfkeyv2_sendmessage(headers, PFKEYV2_SENDMESSAGE_BROADCAST,
- NULL, 0, 0)) != 0)
+ NULL, 0, 0, sa->tdb_rdomain)) != 0)
goto ret;
rval = 0;
@@ -2415,13 +2439,17 @@ ret:
* Caller is responsible for setting at least spltdb().
*/
int
-pfkeyv2_ipo_walk(int (*walker)(struct ipsec_policy *, void *), void *arg)
+pfkeyv2_ipo_walk(u_int rdomain, int (*walker)(struct ipsec_policy *, void *),
+ void *arg)
{
int rval = 0;
struct ipsec_policy *ipo;
- TAILQ_FOREACH(ipo, &ipsec_policy_head, ipo_list)
+ TAILQ_FOREACH(ipo, &ipsec_policy_head, ipo_list) {
+ if (ipo->ipo_rdomain != rdomain)
+ continue;
rval = walker(ipo, (void *)arg);
+ }
return (rval);
}
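Review bot: The block comment above (ending with the "Caller is responsible for setting at least spltdb()" line) still describes an unrestricted walk; it should now say that only policies whose ipo_rdomain equals `rdomain` are visited, e.g. ` * Only policies belonging to rdomain are passed to walker.`. Unrelated to this commit but visible here: `rval` is overwritten on every iteration and the loop never breaks, so a non-zero return from an earlier policy is lost.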
@@ -2494,6 +2522,7 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
{
struct pfkeyv2_sysctl_walk w;
int s, error = EINVAL;
+ u_int rdomain;
if (new)
return (EPERM);
@@ -2504,12 +2533,14 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
w.w_where = oldp;
w.w_len = oldp ? *oldlenp : 0;
+ rdomain = rtable_l2(curproc->p_p->ps_rtableid);
+
switch(w.w_op) {
case NET_KEY_SADB_DUMP:
if ((error = suser(curproc, 0)) != 0)
return (error);
s = spltdb();
- error = tdb_walk(pfkeyv2_sysctl_walker, &w);
+ error = tdb_walk(rdomain, pfkeyv2_sysctl_walker, &w);
splx(s);
if (oldp)
*oldlenp = w.w_where - oldp;
@@ -2519,7 +2550,8 @@ pfkeyv2_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
case NET_KEY_SPD_DUMP:
s = spltdb();
- error = pfkeyv2_ipo_walk(pfkeyv2_sysctl_policydumper, &w);
+ error = pfkeyv2_ipo_walk(rdomain,
+ pfkeyv2_sysctl_policydumper, &w);
splx(s);
if (oldp)
*oldlenp = w.w_where - oldp;
diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h
index 6e4d146b374..efe79a1ab1a 100644
--- a/sys/net/pfkeyv2.h
+++ b/sys/net/pfkeyv2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkeyv2.h,v 1.57 2010/07/01 02:09:45 reyk Exp $ */
+/* $OpenBSD: pfkeyv2.h,v 1.58 2010/07/09 16:58:06 reyk Exp $ */
/*
* @(#)COPYRIGHT 1.1 (NRL) January 1998
*
@@ -412,6 +412,7 @@ struct pfkeyv2_socket
int flags;
uint32_t pid;
uint32_t registration; /* Increase size if SATYPE_MAX > 31 */
+ uint rdomain;
};
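Review bot: The new member is declared as `uint` while the surrounding struct uses `int` and `uint32_t`, and the prototype for pfkeyv2_sendmessage changed below spells the same type `u_int`; the kernel convention is `u_int`, so `u_int rdomain; /* routing domain, set in pfkeyv2_create() */` would be consistent and would also document where the value comes from. Since this field drives the per-socket delivery filter, it is worth noting in the comment that, as far as this diff shows, no other code path updates it.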
struct dump_state
@@ -436,14 +437,14 @@ int pfkeyv2_get(struct tdb *, void **, void **, int *);
int pfkeyv2_policy(struct ipsec_acquire *, void **, void **);
int pfkeyv2_release(struct socket *);
int pfkeyv2_send(struct socket *, void *, int);
-int pfkeyv2_sendmessage(void **, int, struct socket *, u_int8_t, int);
+int pfkeyv2_sendmessage(void **, int, struct socket *, u_int8_t, int, u_int);
int pfkeyv2_dump_policy(struct ipsec_policy *, void **, void **, int *);
int pfkeyv2_dump_walker(struct tdb *, void *, int);
int pfkeyv2_flush_walker(struct tdb *, void *, int);
int pfkeyv2_get_proto_alg(u_int8_t, u_int8_t *, int *);
int pfkeyv2_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int pfkeyv2_sysctl_walker(struct tdb *, void *, int);
-int pfkeyv2_ipo_walk(int (*)(struct ipsec_policy *, void *), void *);
+int pfkeyv2_ipo_walk(u_int, int (*)(struct ipsec_policy *, void *), void *);
int pfkeyv2_sysctl_dump(void *);
int pfkeyv2_sysctl_policydumper(struct ipsec_policy *, void *);
diff --git a/sys/net/route.c b/sys/net/route.c
index 07ae9d72d30..6f5541bcd55 100644
--- a/sys/net/route.c
+++ b/sys/net/route.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: route.c,v 1.124 2010/07/09 15:44:20 claudio Exp $ */
+/* $OpenBSD: route.c,v 1.125 2010/07/09 16:58:06 reyk Exp $ */
/* $NetBSD: route.c,v 1.14 1996/02/13 22:00:46 christos Exp $ */
/*
@@ -129,7 +129,7 @@
#include <netinet/ip_ipsp.h>
#include <net/if_enc.h>
-struct ifaddr *encap_findgwifa(struct sockaddr *);
+struct ifaddr *encap_findgwifa(struct sockaddr *, u_int);
#endif
#define SA(p) ((struct sockaddr *)(p))
@@ -165,11 +165,11 @@ TAILQ_HEAD(rt_labels, rt_label) rt_labels = TAILQ_HEAD_INITIALIZER(rt_labels);
#ifdef IPSEC
struct ifaddr *
-encap_findgwifa(struct sockaddr *gw)
+encap_findgwifa(struct sockaddr *gw, u_int rdomain)
{
struct ifnet *encif;
- if ((encif = enc_getif(0, 0)) == NULL)
+ if ((encif = enc_getif(rdomain, 0)) == NULL)
return (NULL);
return (TAILQ_FIRST(&encif->if_addrlist));
@@ -624,7 +624,7 @@ ifa_ifwithroute(int flags, struct sockaddr *dst, struct sockaddr *gateway,
* enc0.
*/
if (dst && (dst->sa_family == PF_KEY))
- return (encap_findgwifa(gateway));
+ return (encap_findgwifa(gateway, rtableid));
#endif
if ((flags & RTF_GATEWAY) == 0) {
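Review bot: `rtableid` is passed straight through to encap_findgwifa(), whose new parameter is an rdomain that ends up in enc_getif(); elsewhere in this commit a routing table id is converted with `rtable_l2()` before being used as a domain (pfkeyv2_create, pfkeyv2_sysctl). Unless every caller of ifa_ifwithroute() guarantees the table id is already a domain id, this should be `return (encap_findgwifa(gateway, rtable_l2(rtableid)));`, otherwise a lookup for a non-default table inside the default domain would select the wrong (or no) enc interface. ifa_ifwithroute continues outside this hunk.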