
[src/trunk]: src/sys For FAST_IPSEC, ipfilter gets to see wire-format IPsec-e...



details:   https://anonhg.NetBSD.org/src/rev/9b2ea2d72336
branches:  trunk
changeset: 555667:9b2ea2d72336
user:      scw <scw%NetBSD.org@localhost>
date:      Mon Nov 24 20:54:59 2003 +0000

description:
For FAST_IPSEC, ipfilter gets to see wire-format IPsec-encapsulated packets
only. Decapsulated packets bypass ipfilter. This mimics current behaviour
for Kame IPsec.

diffstat:

 sys/netinet/ip_input.c |  6 ++++--
 sys/netipsec/ipsec.h   |  4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diffs (45 lines):

diff -r 23e54d7de3c7 -r 9b2ea2d72336 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c    Mon Nov 24 20:41:15 2003 +0000
+++ b/sys/netinet/ip_input.c    Mon Nov 24 20:54:59 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $      */
+/*     $NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $       */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -98,7 +98,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.185 2003/11/19 22:40:55 fvdl Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.186 2003/11/24 20:54:59 scw Exp $");
 
 #include "opt_inet.h"
 #include "opt_gateway.h"
@@ -588,6 +588,8 @@
         */
 #ifdef IPSEC
        if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
+       if (!ipsec_indone(m))
 #else
        if (1)
 #endif
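Review bot: The new `#elif defined(FAST_IPSEC)` branch makes the packet-filter pass depend only on the absence of the `PACKET_TAG_IPSEC_IN_DONE` mbuf tag, so any mbuf still carrying that tag when it reaches this point skips ipfilter; nothing in the hunk shows where the tag is attached or removed. Per the commit description this is intended for decapsulated packets, which presumably leaves the IPsec policy check as the only control on inner traffic, and that deserves a comment at the branch, for example `/* FAST_IPSEC: mbufs tagged IPSEC_IN_DONE were already decapsulated and are not filtered again */`. It is also worth confirming that the tag is set only after successful inbound processing and cannot survive on a packet that is queued to this input path again. The `if` body and the enclosing function lie outside the hunk.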
diff -r 23e54d7de3c7 -r 9b2ea2d72336 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Mon Nov 24 20:41:15 2003 +0000
+++ b/sys/netipsec/ipsec.h      Mon Nov 24 20:54:59 2003 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.3 2003/10/06 22:05:15 tls Exp $    */
+/*     $NetBSD: ipsec.h,v 1.4 2003/11/24 20:54:59 scw Exp $    */
 /*     $FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.1 2003/01/24 05:11:35 sam Exp $      */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -411,6 +411,8 @@
 extern int ipsec4_process_packet __P((struct mbuf *, struct ipsecrequest *,
                        int, int));
 extern int ipsec_process_done __P((struct mbuf *, struct ipsecrequest *));
+#define ipsec_indone(m)        \
+       (m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 
 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
 
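Review bot: `ipsec_indone()` is added to the header without a comment, although ip_input.c now uses it to decide whether a packet skips the packet filter. A one-line comment above the macro would record that contract, e.g. `/* Non-zero if inbound IPsec processing already completed on this mbuf (PACKET_TAG_IPSEC_IN_DONE is present). */`. The macro also relies on `m_tag_find` and `PACKET_TAG_IPSEC_IN_DONE` being declared wherever it is expanded. The hunk does not show whether ipsec.h pulls in that declaration itself, so this presumably depends on the include order of each file that uses it.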


