authormarkus <markus@openbsd.org>2003-07-28 10:10:16 +0000
committermarkus <markus@openbsd.org>2003-07-28 10:10:16 +0000
commit8260a36bac424ef5292da7f7df9edddf5390c4ce (patch)
tree666b4202558e313105d4f51800598175aa4cfcfd /sys/netinet
parentSupport for generating Diffie-Hellman groups (/etc/moduli) from ssh-keygen. (diff)
allow gif(4) over ipsec: mark mbuf for transport mode SA,
so in_gif_input can detect whether a proto 4 header is due to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023 ok itojun@. provos@ and angelos@ agree; tested by sturm@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in_gif.c8
-rw-r--r--sys/netinet/ipsec_input.c5
2 files changed, 9 insertions, 4 deletions
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index 8664f2adc31..ea4e24de774 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_gif.c,v 1.27 2003/07/09 22:03:16 itojun Exp $ */
+/* $OpenBSD: in_gif.c,v 1.28 2003/07/28 10:10:16 markus Exp $ */
/* $KAME: in_gif.c,v 1.50 2001/01/22 07:27:16 itojun Exp $ */
/*
@@ -166,9 +166,11 @@ in_gif_input(struct mbuf *m, ...)
off = va_arg(ap, int);
va_end(ap);
- /* XXX what if we run transport-mode IPsec to protect gif tunnel ? */
- if (m->m_flags & (M_AUTH | M_CONF))
+ /* IP-in-IP header is caused by tunnel mode, so skip gif lookup */
+ if (m->m_flags & M_TUNNEL) {
+ m->m_flags &= ~M_TUNNEL;
goto inject;
+ }
ip = mtod(m, struct ip *);
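Review bot: The test `if (m->m_flags & M_TUNNEL)` now lets a single mbuf flag decide whether a proto 4 packet bypasses the gif lookup and goes straight to `inject`, but the new comment does not say who sets that flag or that it is consumed here. I would expand it to something like `/* M_TUNNEL is set by ipsec_common_input_cb() for tunnel-mode SAs: the IP-in-IP header comes from IPsec, so skip the gif lookup and consume the flag */`. Because the old `M_AUTH | M_CONF` test is gone, it is worth confirming that no path other than the IPsec input callback can set or copy M_TUNNEL onto an mbuf; that cannot be checked from this hunk. The body of in_gif_input starts and ends outside the hunk.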
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 9a8545fd98a..d4282c826ab 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.68 2003/07/24 11:13:47 markus Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.69 2003/07/28 10:10:16 markus Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -548,6 +548,9 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
else
m->m_flags |= M_AUTH | M_AUTH_AH;
+ if (tdbp->tdb_flags & TDBF_TUNNELING)
+ m->m_flags |= M_TUNNEL;
+
#if NBPFILTER > 0
bpfif = &encif[0].sc_if;
if (bpfif->if_bpf) {
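Review bot: M_TUNNEL is set from the SA's `TDBF_TUNNELING` flag alone, not from the decapsulated payload actually being IP-in-IP, and the only place this commit clears it is in_gif_input. If a tunnel-flagged SA delivers a packet whose next protocol is not 4, or the same mbuf is later handled by a transport-mode SA, the flag appears to stay set, so a later proto 4 header on that mbuf would skip the gif lookup. This is inferred, since the rest of ipsec_common_input_cb is outside the hunk. Consider making the assignment two-sided by adding `else m->m_flags &= ~M_TUNNEL;` after the new `if`, or setting the flag only where the callback has confirmed an IP-in-IP payload.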