sys/netinet6/ip6_forward.c
Context not available. | |||||
m_freem(m); | m_freem(m); | ||||
return; | return; | ||||
} | } | ||||
#ifdef IPSEC | |||||
/* | |||||
* Check if this packet has an active SA and needs to be dropped | |||||
* instead of forwarded. | |||||
*/ | |||||
if (ip6_ipsec_fwd(m) != 0) { | |||||
IP6STAT_INC(ip6s_cantforward); | |||||
m_freem(m); | |||||
return; | |||||
} | |||||
#endif /* IPSEC */ | |||||
#ifdef IPSTEALTH | #ifdef IPSTEALTH | ||||
if (!V_ip6stealth) { | if (!V_ip6stealth) { | ||||
Context not available. | |||||
} | } | ||||
#endif | #endif | ||||
#ifdef IPSEC | |||||
/* get a security policy for this packet */ | |||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, &error); | |||||
ae: In case when you have no OUTBOUND policies, but have some INBOUND DISCARD policy, SPD will not… | |||||
if (sp == NULL) { | |||||
IPSEC6STAT_INC(ips_out_inval); | |||||
IP6STAT_INC(ip6s_cantforward); | |||||
/* XXX: what icmp ? */ | |||||
m_freem(m); | |||||
return; | |||||
} else { | |||||
/* | |||||
* Check if this packet has an active SA and needs to be dropped | |||||
* instead of forwarded. | |||||
*/ | |||||
if (ipsec_in_reject(sp, m)) { | |||||
IPSEC6STAT_INC(ips_out_polvio); | |||||
IP6STAT_INC(ip6s_cantforward); | |||||
KEY_FREESP(&sp); | |||||
/* XXX: what icmp ? */ | |||||
m_freem(m); | |||||
return; | |||||
} | |||||
} | |||||
#endif | |||||
/* | /* | ||||
* Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - | * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - | ||||
* size of IPv6 + ICMPv6 headers) bytes of the packet in case | * size of IPv6 + ICMPv6 headers) bytes of the packet in case | ||||
Context not available. | |||||
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); | mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); | ||||
#ifdef IPSEC | #ifdef IPSEC | ||||
/* get a security policy for this packet */ | |||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, &error); | |||||
if (sp == NULL) { | |||||
IPSEC6STAT_INC(ips_out_inval); | |||||
IP6STAT_INC(ip6s_cantforward); | |||||
if (mcopy) { | |||||
#if 0 | |||||
/* XXX: what icmp ? */ | |||||
#else | |||||
m_freem(mcopy); | |||||
#endif | |||||
} | |||||
m_freem(m); | |||||
return; | |||||
} | |||||
error = 0; | error = 0; | ||||
/* check policy */ | /* check policy */ | ||||
switch (sp->policy) { | switch (sp->policy) { | ||||
case IPSEC_POLICY_DISCARD: | /* NOTE: _DISCARD is checked above in ipsec_in_reject */ | ||||
/* | /* case IPSEC_POLICY_DISCARD: */ | ||||
* This packet is just discarded. | |||||
*/ | |||||
IPSEC6STAT_INC(ips_out_polvio); | |||||
IP6STAT_INC(ip6s_cantforward); | |||||
KEY_FREESP(&sp); | |||||
if (mcopy) { | |||||
#if 0 | |||||
/* XXX: what icmp ? */ | |||||
#else | |||||
m_freem(mcopy); | |||||
#endif | |||||
} | |||||
m_freem(m); | |||||
return; | |||||
case IPSEC_POLICY_BYPASS: | case IPSEC_POLICY_BYPASS: | ||||
case IPSEC_POLICY_NONE: | case IPSEC_POLICY_NONE: | ||||
Context not available. | |||||
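Review bot: Enforcement of IPSEC_POLICY_DISCARD at `switch (sp->policy)` now rests entirely on the earlier ipsec_in_reject() call, and the case label is left behind as commented-out code. The remaining arms and any default of that switch are outside the visible context, so it cannot be confirmed from here that a DISCARD policy reaching the switch would be dropped rather than forwarded. Keeping an explicit DISCARD arm that releases `sp`, `mcopy` and `m` makes the switch fail closed on its own and replaces the `/* case IPSEC_POLICY_DISCARD: */` line. ip6_forward's body starts and ends outside this section.
```c
	switch (sp->policy) {
	case IPSEC_POLICY_DISCARD:
		/*
		 * Normally rejected earlier by ipsec_in_reject(); kept so
		 * the switch itself never forwards a DISCARD policy.
		 */
		IPSEC6STAT_INC(ips_out_polvio);
		IP6STAT_INC(ip6s_cantforward);
		KEY_FREESP(&sp);
		if (mcopy)
			m_freem(mcopy);
		m_freem(m);
		return;
	/* … unchanged: IPSEC_POLICY_BYPASS / IPSEC_POLICY_NONE and the remaining cases … */
```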
ae: This part of the comment has become stale.
When you have no OUTBOUND policies but do have an INBOUND DISCARD policy, the SPD will not be applied and the packet will not be rejected.