From owner-svn-src-all@FreeBSD.ORG Thu Oct 2 02:00:22 2014 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BCA273AA; Thu, 2 Oct 2014 02:00:22 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id A80E5E90; Thu, 2 Oct 2014 02:00:22 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id s9220M5V055013; Thu, 2 Oct 2014 02:00:22 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by svn.freebsd.org (8.14.9/8.14.9/Submit) id s9220M4E055012; Thu, 2 Oct 2014 02:00:22 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201410020200.s9220M4E055012@svn.freebsd.org> X-Authentication-Warning: svn.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Thu, 2 Oct 2014 02:00:22 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r272394 - head/sys/netipsec X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2014 02:00:22 -0000 Author: ae Date: Thu Oct 2 02:00:21 2014 New Revision: 272394 URL: https://svnweb.freebsd.org/changeset/base/272394 Log: Do not strip outer header when operating in transport mode. Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP encapsulation, it will be handled with tunneling interface. And thus proper interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling interface will see packets in both directions. Sponsored by: Yandex LLC Modified: head/sys/netipsec/ipsec_input.c Modified: head/sys/netipsec/ipsec_input.c ============================================================================== --- head/sys/netipsec/ipsec_input.c Thu Oct 2 01:16:30 2014 (r272393) +++ head/sys/netipsec/ipsec_input.c Thu Oct 2 02:00:21 2014 (r272394) @@ -391,7 +391,8 @@ ipsec4_common_input_cb(struct mbuf *m, s #endif /* DEV_ENC */ /* IP-in-IP encapsulation */ - if (prot == IPPROTO_IPIP) { + if (prot == IPPROTO_IPIP && + saidx->mode != IPSEC_MODE_TRANSPORT) { if (m->m_pkthdr.len - skip < sizeof(struct ip)) { IPSEC_ISTAT(sproto, hdrops); @@ -431,7 +432,8 @@ ipsec4_common_input_cb(struct mbuf *m, s } #ifdef INET6 /* IPv6-in-IP encapsulation. */ - if (prot == IPPROTO_IPV6) { + if (prot == IPPROTO_IPV6 && + saidx->mode != IPSEC_MODE_TRANSPORT) { if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { IPSEC_ISTAT(sproto, hdrops); @@ -502,6 +504,12 @@ ipsec4_common_input_cb(struct mbuf *m, s key_sa_recordxfer(sav, m); /* record data transfer */ + /* + * In transport mode requeue decrypted mbuf back to IPv4 protocol + * handler. This is necessary to correctly expose rcvif. + */ + if (saidx->mode == IPSEC_MODE_TRANSPORT) + prot = IPPROTO_IPIP; #ifdef DEV_ENC /* * Pass the mbuf to enc0 for bpf and pfil.