summaryrefslogtreecommitdiff
path: root/sys/netinet/ip_output.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/ip_output.c')
-rw-r--r--sys/netinet/ip_output.c27
1 files changed, 20 insertions, 7 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 0c0400c0c1a..2f74c801df4 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.44 1999/03/27 21:04:20 provos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.45 1999/04/11 19:41:39 niklas Exp $ */
/* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
/*
@@ -64,7 +64,8 @@
#include <machine/stdarg.h>
#ifdef IPSEC
-#include <netinet/ip_ipsp.h>
+#include <netinet/ip_ah.h>
+#include <netinet/ip_esp.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
@@ -167,14 +168,14 @@ ip_output(m0, va_alist)
/*
* Check if the packet needs encapsulation
*/
- if (!(flags & IP_ENCAPSULATED) &&
+ if (!(flags & IP_ENCAPSULATED) &&
(inp == NULL ||
- (inp->inp_seclevel[SL_AUTH] != IPSEC_LEVEL_BYPASS ||
- inp->inp_seclevel[SL_ESP_TRANS] != IPSEC_LEVEL_BYPASS ||
- inp->inp_seclevel[SL_ESP_NETWORK] != IPSEC_LEVEL_BYPASS))) {
+ inp->inp_seclevel[SL_AUTH] != IPSEC_LEVEL_BYPASS ||
+ inp->inp_seclevel[SL_ESP_TRANS] != IPSEC_LEVEL_BYPASS ||
+ inp->inp_seclevel[SL_ESP_NETWORK] != IPSEC_LEVEL_BYPASS)) {
struct route_enc re0, *re = &re0;
struct sockaddr_encap *ddst, *gw;
- struct tdb *tdb;
+ struct tdb *tdb, *t;
u_int8_t sa_require, sa_have = 0;
if (inp == NULL)
@@ -318,6 +319,18 @@ ip_output(m0, va_alist)
goto done;
}
+ for (t = tdb; t != NULL; t = t->tdb_onext)
+ if ((t->tdb_sproto == IPPROTO_ESP && !esp_enable) ||
+ (t->tdb_sproto == IPPROTO_AH && !ah_enable)) {
+ DPRINTF(("ip_output(): IPSec outbound packet dropped due to policy\n"));
+
+ if (re->re_rt)
+ RTFREE(re->re_rt);
+ error = EHOSTUNREACH;
+ m_freem(m);
+ goto done;
+ }
+
/* Fix the ip_src field if necessary */
if (ip->ip_src.s_addr == INADDR_ANY) {
if (tdb && tdb->tdb_src.sin.sin_addr.s_addr != 0 &&