From 9b4939a135e7439d02025abc3fae443f6b34a436 Mon Sep 17 00:00:00 2001 From: Reyk Floeter Date: Fri, 9 Jul 2010 16:58:07 +0000 Subject: Add support for using IPsec in multiple rdomains. This allows running isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to look up the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1. Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@ --- sys/netinet/tcp_output.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'sys/netinet/tcp_output.c') diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index cb9964e9e32..58de7ef9557 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tcp_output.c,v 1.89 2010/07/03 04:44:51 guenther Exp $ */ +/* $OpenBSD: tcp_output.c,v 1.90 2010/07/09 16:58:06 reyk Exp $ */ /* $NetBSD: tcp_output.c,v 1.16 1997/06/03 16:17:09 kml Exp $ */ /* @@ -924,7 +924,8 @@ send: /* XXX gettdbbysrcdst() should really be called at spltdb(). */ /* XXX this is splsoftnet(), currently they are the same. */ - tdb = gettdbbysrcdst(0, &src, &dst, IPPROTO_TCP); + tdb = gettdbbysrcdst(rtable_l2(tp->t_inpcb->inp_rtableid), + 0, &src, &dst, IPPROTO_TCP); if (tdb == NULL) return (EPERM); -- cgit v1.2.3
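Review bot: In the send: hunk of tcp_output.c, the SA lookup is now scoped to rtable_l2(tp->t_inpcb->inp_rtableid), but the failure path is unchanged. A socket bound to a non-default rdomain whose SA was loaded through a pfkey socket in another rdomain will now get tdb == NULL and return (EPERM). The commit message describes this isolation as intended, since SAs land in the rdomain of the pfkey process. It still deserves a one-line comment above the call saying the lookup is per rdomain, because EPERM alone gives an operator no hint that the SA exists but sits in a different routing domain. Also, the bare 0 that used to be the first argument now sits directly after the rdomain argument at the start of the continuation line. Two adjacent integer-like arguments are easy to transpose in later edits, so a short inline comment naming what the 0 stands for would help.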