From 5843a15c7e4147752374a9a426cd635928aab984 Mon Sep 17 00:00:00 2001
From: "Angelos D. Keromytis" <angelos@cvs.openbsd.org>
Date: Fri, 29 Sep 2000 03:51:12 +0000
Subject: Outgoing packets that hit IPsec will be IPF/IPNAT processed as well
 on the enc* interface, usually enc0; cedric@wireless-networks.com

---
 sys/netinet/ip_output.c | 24 +++++++++++++++++++++++-
 1 file changed, 23 insertions(+), 1 deletion(-)

(limited to 'sys')

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index d38374eb455..64a7ce17ebd 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.81 2000/09/19 03:20:59 angelos Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.82 2000/09/29 03:51:11 angelos Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -72,6 +72,7 @@
 #include <netinet/udp.h>
 #include <netinet/tcp.h>
 #include <net/pfkeyv2.h>
+#include <net/if_enc.h>
 
 #ifdef ENCDEBUG
 #define DPRINTF(x)    do { if (encdebug) printf x ; } while (0)
@@ -542,6 +543,27 @@ sendit:
 	if (sproto != 0) {
 	        s = splnet();
 
+#if defined(IPFILTER) || defined(IPFILTER_LKM)
+		if (fr_checkp) {
+		    /*
+		     * Ok, it's time for a simple round-trip to the IPF/NAT
+		     * code with the enc# interface
+		     */
+		    struct mbuf *m0 = m;
+		    void *ifp = tdb->tdb_interface ?
+				(void *)tdb->tdb_interface :
+				      (void *)&encif[0].sc_if;
+		    if ((*fr_checkp)(ip, hlen, ifp, 1, &m0)) {
+			error = EHOSTUNREACH;
+			splx(s);
+			goto done;
+		    } else {
+			ip = mtod(m = m0, struct ip *);
+			hlen = ip->ip_hl << 2;
+		    }
+  	        }
+#endif /* IPFILTER */
+		
 		tdb = gettdb(sspi, &sdst, sproto);
 		if (tdb == NULL) {
 			error = EHOSTUNREACH;
-- 
cgit v1.2.3