Source-Changes-HG archive
[src/netbsd-1-5]: src/sys/netinet Pull up revision 1.127 (via patch, requeste...
details: https://anonhg.NetBSD.org/src/rev/d6dafd2cb65d
branches: netbsd-1-5
changeset: 491193:d6dafd2cb65d
user: he <he%NetBSD.org@localhost>
date: Fri Apr 06 00:24:47 2001 +0000
description:
Pull up revision 1.127 (via patch, requested by itojun):
Record IPsec packet history in m_aux structure. Let ipfilter
look at wire-format packet only (not the decapsulated ones), so
that VPN setting can work with NAT/ipfilter settings.
diffstat:
sys/netinet/ip_input.c | 15 +++++++++++++--
1 files changed, 13 insertions(+), 2 deletions(-)
diffs (43 lines):
diff -r 1f71e81239cb -r d6dafd2cb65d sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Fri Apr 06 00:24:30 2001 +0000
+++ b/sys/netinet/ip_input.c Fri Apr 06 00:24:47 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.114.4.4 2001/03/11 21:10:34 he Exp $ */
+/* $NetBSD: ip_input.c,v 1.114.4.5 2001/04/06 00:24:47 he Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -459,6 +459,14 @@
#endif
#ifdef PFIL_HOOKS
+#ifdef IPSEC
+ /*
+ * let ipfilter look at packet on the wire,
+ * not the decapsulated packet.
+ */
+ if (ipsec_gethist(m, NULL))
+ goto nofilt;
+#endif
/*
* Run through list of hooks for input packets. If there are any
* filters which require that additional packets in the flow are
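Review bot: The test `if (ipsec_gethist(m, NULL)) goto nofilt;` sits in front of the whole list of input hooks, so a packet carrying IPsec history skips every pfil hook, not only ipfilter as the new comment says. The comment should state that decapsulated packets are not filtered at all at this point, so that anyone relying on filter rules for traffic arriving through a tunnel knows the policy has to be enforced elsewhere. It would also help to note what a non-zero return from ipsec_gethist() with a NULL second argument means, since the call is used here purely as a boolean.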
@@ -479,6 +487,9 @@
return;
ip = mtod(m, struct ip *);
}
+#ifdef IPSEC
+nofilt:;
+#endif
#endif /* PFIL_HOOKS */
/*
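Review bot: The `#endif` closing the new `#ifdef IPSEC` around `nofilt:;` carries no trailing comment, while the very next line is `#endif /* PFIL_HOOKS */`; with the two conditionals nested, `#endif /* IPSEC */` would keep the pairing readable. A one-line comment at the label saying it is the landing point for packets with IPsec history would also help, because the matching goto is in a different hunk.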
@@ -1452,7 +1463,7 @@
#ifdef IPSEC
/* Don't lookup socket in forwading case */
- ipsec_setsocket(m, NULL);
+ (void)ipsec_setsocket(m, NULL);
#endif
error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
(IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0);
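Review bot: In the forwarding path, `(void)ipsec_setsocket(m, NULL);` explicitly discards the result, so if the call can fail the packet is still handed to ip_output() with nothing recorded. Either check the return value and drop or count the packet, or add a comment explaining why ignoring it is safe here. The context comment above the call also has a typo ("forwading") that could be fixed in the same change.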