Changeset View
Changeset View
Standalone View
Standalone View
sys/netinet6/ip6_forward.c
| Context not available. | |||||
| m_freem(m); | m_freem(m); | ||||
| return; | return; | ||||
| } | } | ||||
| #ifdef IPSEC | |||||
| /* | |||||
| * Check if this packet has an active SA and needs to be dropped | |||||
| * instead of forwarded. | |||||
| */ | |||||
| if (ip6_ipsec_fwd(m) != 0) { | |||||
| IP6STAT_INC(ip6s_cantforward); | |||||
| m_freem(m); | |||||
| return; | |||||
| } | |||||
| #endif /* IPSEC */ | |||||
| #ifdef IPSTEALTH | #ifdef IPSTEALTH | ||||
| if (!V_ip6stealth) { | if (!V_ip6stealth) { | ||||
| Context not available. | |||||
| } | } | ||||
| #endif | #endif | ||||
| #ifdef IPSEC | |||||
| /* get a security policy for this packet */ | |||||
| sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, &error); | |||||
ae: In case when you have no OUTBOUND policies, but have some INBOUND DISCARD policy, SPD will not… | |||||
| if (sp == NULL) { | |||||
| IPSEC6STAT_INC(ips_out_inval); | |||||
| IP6STAT_INC(ip6s_cantforward); | |||||
| /* XXX: what icmp ? */ | |||||
| m_freem(m); | |||||
| return; | |||||
| } else { | |||||
| /* | |||||
| * Check if this packet has an active SA and needs to be dropped | |||||
| * instead of forwarded. | |||||
| */ | |||||
| if (ipsec_in_reject(sp, m)) { | |||||
| IPSEC6STAT_INC(ips_out_polvio); | |||||
| IP6STAT_INC(ip6s_cantforward); | |||||
| KEY_FREESP(&sp); | |||||
| /* XXX: what icmp ? */ | |||||
| m_freem(m); | |||||
| return; | |||||
| } | |||||
| } | |||||
| #endif | |||||
| /* | /* | ||||
| * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - | * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU - | ||||
| * size of IPv6 + ICMPv6 headers) bytes of the packet in case | * size of IPv6 + ICMPv6 headers) bytes of the packet in case | ||||
| Context not available. | |||||
| mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); | mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); | ||||
| #ifdef IPSEC | #ifdef IPSEC | ||||
| /* get a security policy for this packet */ | |||||
| sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, &error); | |||||
| if (sp == NULL) { | |||||
| IPSEC6STAT_INC(ips_out_inval); | |||||
| IP6STAT_INC(ip6s_cantforward); | |||||
| if (mcopy) { | |||||
| #if 0 | |||||
| /* XXX: what icmp ? */ | |||||
| #else | |||||
| m_freem(mcopy); | |||||
| #endif | |||||
| } | |||||
| m_freem(m); | |||||
| return; | |||||
| } | |||||
| error = 0; | error = 0; | ||||
| /* check policy */ | /* check policy */ | ||||
| switch (sp->policy) { | switch (sp->policy) { | ||||
| case IPSEC_POLICY_DISCARD: | /* NOTE: _DISCARD is checked above in ipsec_in_reject */ | ||||
| /* | /* case IPSEC_POLICY_DISCARD: */ | ||||
| * This packet is just discarded. | |||||
| */ | |||||
| IPSEC6STAT_INC(ips_out_polvio); | |||||
| IP6STAT_INC(ip6s_cantforward); | |||||
| KEY_FREESP(&sp); | |||||
| if (mcopy) { | |||||
| #if 0 | |||||
| /* XXX: what icmp ? */ | |||||
| #else | |||||
| m_freem(mcopy); | |||||
| #endif | |||||
| } | |||||
| m_freem(m); | |||||
| return; | |||||
| case IPSEC_POLICY_BYPASS: | case IPSEC_POLICY_BYPASS: | ||||
| case IPSEC_POLICY_NONE: | case IPSEC_POLICY_NONE: | ||||
| Context not available. | |||||
Not Done Inline ActionsThis part of comment has become stale. ae: This part of comment has become stale. | |||||
In case when you have no OUTBOUND policies, but have some INBOUND DISCARD policy, SPD will not be applied and packet will not be rejected.