authorreyk <reyk@openbsd.org>2006-11-24 13:52:13 +0000
committerreyk <reyk@openbsd.org>2006-11-24 13:52:13 +0000
commitaa920ac726c6442f44180472ae1fbfc5142f119e (patch)
tree7de8a3c52e618175305c71683a9234985fcd0bc4 /sys/netinet/ipsec_input.c
parentnever call an ioctl without process context! this diffs checks the (diff)
add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 2617482c6b2..e00cf80b590 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.79 2006/03/25 22:41:48 djm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.80 2006/11/24 13:52:14 reyk Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -35,6 +35,8 @@
* PURPOSE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/protosw.h>
@@ -47,6 +49,10 @@
#include <net/netisr.h>
#include <net/bpf.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -554,6 +560,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
} else if (sproto == IPPROTO_AH)
m->m_flags |= M_AUTH | M_AUTH_AH;
+#if NPF > 0
+ /* Add pf tag if requested. */
+ if (pf_tag_packet(m, NULL, tdbp->tdb_tag, -1))
+ DPRINTF(("failed to tag ipsec packet\n"));
+#endif
+
if (tdbp->tdb_flags & TDBF_TUNNELING)
m->m_flags |= M_TUNNEL;
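Review bot: When pf_tag_packet() returns non-zero the packet continues through ipsec_common_input_cb() untagged and only a DPRINTF records it, so a pf ruleset that uses `tagged` to tell this SA's traffic apart will see it as ordinary traffic; whether that is fail-open or fail-closed then depends entirely on the ruleset. If the tag is meant as a policy boundary, consider dropping the packet and returning the way the function's other input failures do (that error path is outside the hunk) rather than falling through, or at least make the choice explicit with a comment such as `/* Tag failure is not fatal: the packet is delivered untagged, so pf rules must not rely on the tag alone to block. */`. If pf_tag_packet() does not itself short-circuit when the tag is zero, the call should also be guarded with `if (tdbp->tdb_tag)` so SAs without a configured tag do not attach an mbuf tag on every packet. ipsec_common_input_cb() starts and ends outside the hunk.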