authorbluhm <bluhm@openbsd.org>2013-03-31 00:59:52 +0000
committerbluhm <bluhm@openbsd.org>2013-03-31 00:59:52 +0000
commitfba28933d131af006f548bfb2aafb152a203147a (patch)
tree88ce5c60d242b46cd01418301d55b49b67635ea7 /sys/netinet/ipsec_input.c
parentreplace pool debug magic with shared mem poison code (diff)
Do not transfer diverted packets into IPsec processing. They should
reach the socket that the user has specified in pf.conf. OK reyk@
Diffstat (limited to 'sys/netinet/ipsec_input.c')
-rw-r--r--sys/netinet/ipsec_input.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 8614f1212df..c19db72558c 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.110 2013/03/28 23:10:06 tedu Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.111 2013/03/31 00:59:52 bluhm Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -137,6 +137,9 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
if ((sproto == IPPROTO_ESP && !esp_enable) ||
(sproto == IPPROTO_AH && !ah_enable) ||
+#if NPF > 0
+ (m->m_pkthdr.pf.flags & PF_TAG_DIVERTED) ||
+#endif
(sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
switch (af) {
#ifdef INET