ip6_forward.c (122921) ip6_forward.c (126006)
1/* $FreeBSD: head/sys/netinet6/ip6_forward.c 122921 2003-11-20 19:47:31Z andre $ */
1/* $FreeBSD: head/sys/netinet6/ip6_forward.c 126006 2004-02-19 14:57:22Z ume $ */
2/* $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $ */
3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions

--- 252 unchanged lines hidden (view full) ---

262 * IPsec transport mode to the packet is not proper. this check
263 * avoid from this.
264 * at present, if there is even a transport mode SA request in the
265 * security policy, the kernel does not apply IPsec to the packet.
266 * this check is not enough because the following case is valid.
267 * ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
268 */
269 for (isr = sp->req; isr; isr = isr->next) {
2/* $KAME: ip6_forward.c,v 1.69 2001/05/17 03:48:30 itojun Exp $ */
3
4/*
5 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions

--- 252 unchanged lines hidden (view full) ---

262 * IPsec transport mode to the packet is not proper. this check
263 * avoid from this.
264 * at present, if there is even a transport mode SA request in the
265 * security policy, the kernel does not apply IPsec to the packet.
266 * this check is not enough because the following case is valid.
267 * ipsec esp/tunnel/xxx-xxx/require esp/transport//require;
268 */
269 for (isr = sp->req; isr; isr = isr->next) {
270 if (isr->saidx.mode == IPSEC_MODE_TRANSPORT)
271 goto skip_ipsec;
270 if (isr->saidx.mode == IPSEC_MODE_ANY)
271 goto doipsectunnel;
272 if (isr->saidx.mode == IPSEC_MODE_TUNNEL)
273 goto doipsectunnel;
272 }
273
274 /*
274 }
275
276 /*
277 * if there's no need for tunnel mode IPsec, skip.
278 */
279 if (!isr)
280 goto skip_ipsec;
281
282 doipsectunnel:
283 /*
275 * All the extension headers will become inaccessible
276 * (since they can be encrypted).
277 * Don't panic, we need no more updates to extension headers
278 * on inner IPv6 packet (since they are now encapsulated).
279 *
280 * IPv6 [ESP|AH] IPv6 [extension headers] payload
281 */
282 bzero(&state, sizeof(state));

--- 29 unchanged lines hidden (view full) ---

312#else
313 m_freem(mcopy);
314#endif
315 }
316 m_freem(m);
317 return;
318 }
319
284 * All the extension headers will become inaccessible
285 * (since they can be encrypted).
286 * Don't panic, we need no more updates to extension headers
287 * on inner IPv6 packet (since they are now encapsulated).
288 *
289 * IPv6 [ESP|AH] IPv6 [extension headers] payload
290 */
291 bzero(&state, sizeof(state));

--- 29 unchanged lines hidden (view full) ---

321#else
322 m_freem(mcopy);
323#endif
324 }
325 m_freem(m);
326 return;
327 }
328
329 if (ip6 != mtod(m, struct ip6_hdr *)) {
330 /*
331 * now tunnel mode headers are added. we are originating
332 * packet instead of forwarding the packet.
333 */
334 ip6_output(m, NULL, NULL, IPV6_FORWARDING/*XXX*/, NULL, NULL,
335 NULL);
336 goto freecopy;
337 }
338
320 /* adjust pointer */
339 /* adjust pointer */
321 ip6 = mtod(m, struct ip6_hdr *);
322 dst = (struct sockaddr_in6 *)state.dst;
323 rt = state.ro ? state.ro->ro_rt : NULL;
324 if (dst != NULL && rt != NULL)
325 ipsecrt = 1;
326 }
327 skip_ipsec:
328#endif /* IPSEC */
329

--- 297 unchanged lines hidden ---
340 dst = (struct sockaddr_in6 *)state.dst;
341 rt = state.ro ? state.ro->ro_rt : NULL;
342 if (dst != NULL && rt != NULL)
343 ipsecrt = 1;
344 }
345 skip_ipsec:
346#endif /* IPSEC */
347

--- 297 unchanged lines hidden ---
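Review bot: The block comment ending at new line 268 still says that a single transport mode SA request in the policy makes the kernel skip IPsec, but the loop at new lines 269-274 now jumps to `doipsectunnel` on the first `IPSEC_MODE_ANY` or `IPSEC_MODE_TUNNEL` request and reaches `skip_ipsec` only when no such request exists. The comment should be rewritten to match, for example `apply tunnel mode IPsec if any request in the policy is tunnel or any mode; a policy with only transport mode requests is forwarded without IPsec`, because it documents which forwarded packets leave unprotected. After the loop `isr` is always NULL (every other exit is a `goto`), so the `if (!isr)` at new line 279 can be a plain `goto skip_ipsec;`. In the new block at lines 329-337 the return value of `ip6_output()` is discarded before `goto freecopy;`, so a failed send of the tunnelled packet is silent at this point; the `freecopy` label and the rest of the function are outside the visible lines, so whether the failure is accounted for elsewhere cannot be confirmed from here.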