1 files changed, 23 insertions, 2 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 8247955acab..b59ffcaaf2d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.194 2009/06/05 00:05:22 claudio Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.195 2009/10/06 21:21:48 claudio Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -245,6 +245,10 @@ ip_output(struct mbuf *m0, ...)
 			ip->ip_src = ia->ia_addr.sin_addr;
 	}
 
+#if NPF > 0
+reroute:
+#endif
+
 #ifdef IPSEC
 	if (!ipsec_in_use && inp == NULL)
 		goto done_spd;
@@ -594,6 +598,13 @@ sendit:
 		}
 		ip = mtod(m, struct ip *);
 		hlen = ip->ip_hl << 2;
+		/*
+		 * PF_TAG_REROUTE handling or not...
+		 * Packet is entering IPsec so the routing is
+		 * already overruled by the IPsec policy.
+		 * Until now the change was not reconsidered.
+		 * What's the behaviour?
+		 */
 #endif
 
 		tdb = gettdb(sspi, &sdst, sproto);
@@ -703,9 +714,19 @@ sendit:
 	}
 	if (m == NULL)
 		goto done;
-
 	ip = mtod(m, struct ip *);
 	hlen = ip->ip_hl << 2;
+	if ((m->m_pkthdr.pf.flags & (PF_TAG_REROUTE | PF_TAG_GENERATED)) ==
+	    (PF_TAG_REROUTE | PF_TAG_GENERATED))
+		/* already rerun the route lookup, go on */
+		m->m_pkthdr.pf.flags &= ~(PF_TAG_GENERATED | PF_TAG_REROUTE);
+	else if (m->m_pkthdr.pf.flags & PF_TAG_REROUTE) {
+		/* tag as generated to skip over pf_test on rerun */
+		m->m_pkthdr.pf.flags |= PF_TAG_GENERATED;
+		ro = NULL;
+		donerouting = 0;
+		goto reroute;
+	}
 #endif
 
 #ifdef IPSEC