Apply pending TDBs (as indicated by tags). This will be used to handle

the case of both the socket and system-wide IPsec policy specifying
TDBs to be applied to the same packet.

1 files changed, 13 insertions, 4 deletions

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e347ec543c1..d84a307caf1 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ip_output.c,v 1.123 2001/06/25 02:54:44 angelos Exp $	*/
+/*	$OpenBSD: ip_output.c,v 1.124 2001/06/25 06:09:42 angelos Exp $	*/
 /*	$NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $	*/
 
 /*
@@ -275,9 +275,18 @@ ip_output(m0, va_alist)
 	    !bcmp(&inp->inp_tdb_out->tdb_dst.sin.sin_addr,
 	        &ip->ip_dst, sizeof(ip->ip_dst)))
 	        tdb = inp->inp_tdb_out;
-	else
-	        tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
-		    IPSP_DIRECTION_OUT, NULL, inp);
+	else {
+		/* Do we have any pending SAs to apply ? */
+		mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
+		if (mtag != NULL) {
+			tdbi = (struct tdb_ident *)(mtag + 1);
+			tdb = gettdb(tdbi->spi, &tdbi->dst, tdbi->proto);
+			m_tag_delete(m, mtag);
+		}
+		else
+			tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
+			    IPSP_DIRECTION_OUT, NULL, inp);
+	}
 
 	if (tdb == NULL) {
 	        splx(s);