diff options
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_output.c | 41 |
1 files changed, 17 insertions, 24 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 1ec3333ffe4..5a8680e8d0b 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_output.c,v 1.158 2003/11/03 07:58:36 cedric Exp $ */ +/* $OpenBSD: ip_output.c,v 1.159 2003/11/06 16:57:41 dhartmei Exp $ */ /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */ /* @@ -624,30 +624,7 @@ sendit: splx(s); return error; /* Nothing more to be done */ } -#endif /* IPSEC */ - - /* - * Packet filter - * - * This should be called before checking NIC capabilities, - * because pf_test() can: - * - drop the packet. - * - route the packet through another NIC. - */ -#if NPF > 0 - if (pf_test(PF_OUT, ifp, &m) != PF_PASS) { - error = EHOSTUNREACH; - m_freem(m); - goto done; - } - if (m == NULL) - goto done; - - ip = mtod(m, struct ip *); - hlen = ip->ip_hl << 2; -#endif -#ifdef IPSEC /* * If deferred crypto processing is needed, check that the * interface supports it. @@ -678,6 +655,22 @@ sendit: } /* + * Packet filter + */ +#if NPF > 0 + if (pf_test(PF_OUT, ifp, &m) != PF_PASS) { + error = EHOSTUNREACH; + m_freem(m); + goto done; + } + if (m == NULL) + goto done; + + ip = mtod(m, struct ip *); + hlen = ip->ip_hl << 2; +#endif + + /* * If small enough for interface, can just send directly. */ if (ntohs(ip->ip_len) <= mtu) { |