From 428cba84e069ae4233e5e0a75978d4c0b9e6bd8f Mon Sep 17 00:00:00 2001
From: "Angelos D. Keromytis"
Date: Mon, 25 Jun 2001 06:09:43 +0000
Subject: Apply pending TDBs (as indicated by tags). This will be used to handle the case of both the socket and system-wide IPsec policy specifying TDBs to be applied to the same packet.
---
 sys/netinet/ip_output.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
(limited to 'sys/netinet/ip_output.c')
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e347ec543c1..d84a307caf1 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.123 2001/06/25 02:54:44 angelos Exp $ */
+/* $OpenBSD: ip_output.c,v 1.124 2001/06/25 06:09:42 angelos Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -275,9 +275,18 @@ ip_output(m0, va_alist)
 !bcmp(&inp->inp_tdb_out->tdb_dst.sin.sin_addr, &ip->ip_dst, sizeof(ip->ip_dst)))
 tdb = inp->inp_tdb_out;
- else
- tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
- IPSP_DIRECTION_OUT, NULL, inp);
+ else {
+ /* Do we have any pending SAs to apply ? */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
+ m_tag_delete(m, mtag);
+ }
+ else
+ tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
+ IPSP_DIRECTION_OUT, NULL, inp);
+ }
 if (tdb == NULL) {
 splx(s);
--
cgit v1.2.3
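Review bot: A pending-TDB tag whose SA no longer exists makes `gettdb()` return NULL while `error` is left untouched, so in the second hunk the packet reaches the `if (tdb == NULL)` check looking exactly like "no policy matched". That branch continues outside the hunk, so how it decides is not visible here, but if it keys on `error` the packet would leave without the IPsec processing the tag asked for. Record the failure right after the lookup, e.g. `if (tdb == NULL) error = -EHOSTUNREACH;` (with the sign matching whatever `ipsp_spd_lookup()` stores in `error`), so the packet is dropped instead of sent unprotected. The cast `(struct tdb_ident *)(mtag + 1)` also trusts the tag's payload size; a diagnostic length check, or a comment stating that this tag type always carries a full `struct tdb_ident`, would make that assumption explicit.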