From owner-svn-src-all@FreeBSD.ORG Tue Apr 28 11:10:33 2009 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BEB8F106564A; Tue, 28 Apr 2009 11:10:33 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 925478FC21; Tue, 28 Apr 2009 11:10:33 +0000 (UTC) (envelope-from trasz@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n3SBAXYb047845; Tue, 28 Apr 2009 11:10:33 GMT (envelope-from trasz@svn.freebsd.org) Received: (from trasz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n3SBAXIb047843; Tue, 28 Apr 2009 11:10:33 GMT (envelope-from trasz@svn.freebsd.org) Message-Id: <200904281110.n3SBAXIb047843@svn.freebsd.org> 
From: Edward Tomasz Napierala Date: Tue, 28 Apr 2009 11:10:33 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r191621 - head/sys/netinet X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 28 Apr 2009 11:10:34 -0000 Author: trasz Date: Tue Apr 28 11:10:33 2009 New Revision: 191621 URL: http://svn.freebsd.org/changeset/base/191621 Log: Don't require packet to match a route (any route; this information wasn't used anyway, so a typical workaround was to add a dummy route) if it's going to be sent through IPSec tunnel. Reviewed by: bz Modified: head/sys/netinet/ip_ipsec.c head/sys/netinet/ip_output.c Modified: head/sys/netinet/ip_ipsec.c ============================================================================== --- head/sys/netinet/ip_ipsec.c Tue Apr 28 09:45:32 2009 (r191620) +++ head/sys/netinet/ip_ipsec.c Tue Apr 28 11:10:33 2009 (r191621) @@ -385,7 +385,8 @@ ip_ipsec_output(struct mbuf **m, struct * the interface supports it. */ mtag = m_tag_find(*m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL); - if (mtag != NULL && ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) { + if (mtag != NULL && ifp != NULL && + ((*ifp)->if_capenable & IFCAP_IPSEC) == 0) { /* notify IPsec to do its own crypto */ ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); *error = EHOSTUNREACH; Modified: head/sys/netinet/ip_output.c ============================================================================== --- head/sys/netinet/ip_output.c Tue Apr 28 09:45:32 2009 (r191620) +++ head/sys/netinet/ip_output.c Tue Apr 28 11:10:33 2009 (r191621) 
@@ -145,6 +145,9 @@ ip_output(struct mbuf *m, struct mbuf *o #ifdef IPFIREWALL_FORWARD struct m_tag *fwd_tag = NULL; #endif +#ifdef IPSEC + int no_route_but_check_spd = 0; +#endif M_ASSERTPKTHDR(m); if (ro == NULL) { @@ -272,6 +275,15 @@ again: inp ? inp->inp_inc.inc_fibnum : M_GETFIB(m)); #endif if (ro->ro_rt == NULL) { +#ifdef IPSEC + /* + * There is no route for this packet, but it is + * possible that a matching SPD entry exists. + */ + no_route_but_check_spd = 1; + mtu = 0; /* Silence GCC warning. */ + goto sendit; +#endif IPSTAT_INC(ips_noroute); error = EHOSTUNREACH; goto bad; @@ -467,6 +479,14 @@ sendit: default: break; /* Continue with packet processing. */ } + /* + * Check if there was a route for this packet; return error if not. + */ + if (no_route_but_check_spd) { + IPSTAT_INC(ips_noroute); + error = EHOSTUNREACH; + goto bad; + } /* Update variables that are affected by ipsec4_output(). */ ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2;
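Review bot: in the ip_ipsec.c hunk, the new guard tests the pointer-to-pointer `ifp != NULL` but the very next line still dereferences `(*ifp)->if_capenable`, so it only protects against a NULL `ifp` argument, not a NULL `*ifp`; if a caller can pass `&ifp` with `ifp` still unset on the no-route path, the check should be `ifp != NULL && *ifp != NULL`, and either way a comment should state which caller passes NULL and why. Note also that when `mtag != NULL` but `ifp == NULL` the whole block is skipped, so `ipsp_skipcrypto_unmark()` is never called for that tag; a one-line comment explaining why leaving the PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED tag in place is safe in that case would save the next reader from wondering.

Review bot: the declaration hunk puts `int no_route_but_check_spd = 0;` under `#ifdef IPSEC`, but the `if (no_route_but_check_spd)` test added after `sendit:` is not visibly wrapped in `#ifdef IPSEC`; if the `switch` it follows is already inside an `#ifdef IPSEC` region this is fine, otherwise a kernel built without IPSEC fails to compile on an undeclared identifier. Please confirm the enclosing block or add the guard explicitly around the new check.

Review bot: the `goto sendit` in the no-route hunk jumps over all the route-dependent setup between that point and the `sendit:` label, so the state that is valid at `sendit` on this path (no `ro->ro_rt`, `mtu` forced to 0, whatever `ifp` holds) should be documented in the comment, which currently only says a matching SPD entry may exist. `mtu = 0; /* Silence GCC warning. */` is fine as long as the later no-route check always fires before fragmentation; a short comment tying the two hunks together would make that invariant explicit.

Review bot: in the `sendit:` hunk, the comment "Check if there was a route for this packet; return error if not." understates what the check means: reaching it with `no_route_but_check_spd` set means IPsec processing did not consume the packet, so the original no-route outcome is restored. The three lines `IPSTAT_INC(ips_noroute); error = EHOSTUNREACH; goto bad;` duplicate the block that was bypassed earlier; consider rewording the comment to say the SPD lookup found nothing for this packet and that `ips_noroute` is counted here rather than at the original site so the statistic stays accurate.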