From 91cdd31f909e12fb3982994617ac38e901f93d65 Mon Sep 17 00:00:00 2001 From: "Angelos D. Keromytis" Date: Tue, 21 Aug 2001 06:53:37 +0000 Subject: Don't check for BYPASS options in PCB on ip_output/ip6_output --- this is already done in ip_spd_lookup() --- sys/netinet6/ip6_output.c | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) (limited to 'sys/netinet6') diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index a1fc7cf1474..21e4b628dd6 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_output.c,v 1.46 2001/06/27 03:49:54 angelos Exp $ */ +/* $OpenBSD: ip6_output.c,v 1.47 2001/08/21 06:53:36 angelos Exp $ */ /* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */ /* @@ -249,22 +249,6 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp) goto freehdrs; } } else { - /* - * If the socket has set the bypass flags and SA destination - * matches the IP destination, skip IPsec. This allows - * IKE packets to travel through IPsec tunnels. - */ - if (inp != NULL && - inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS && - inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS && - inp->inp_seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS && - sdst.sa.sa_family == AF_INET6 && - IN6_ARE_ADDR_EQUAL(&sdst.sin6.sin6_addr, &ip6->ip6_dst)) { - splx(s); - sproto = 0; /* mark as no-IPsec-needed */ - goto done_spd; - } - /* Loop detection */ for (mtag = m_tag_first(m); mtag != NULL; mtag = m_tag_next(m, mtag)) { -- cgit v1.2.3