git: da0efbdb8d95 - main - ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 12 Jul 2024 11:24:58 UTC
The branch main has been updated by kib: URL: https://cgit.FreeBSD.org/src/commit/?id=da0efbdb8d952a1e9d15a5e332149e1f1092f5d9 commit da0efbdb8d952a1e9d15a5e332149e1f1092f5d9 Author: Konstantin Belousov <kib@FreeBSD.org> AuthorDate: 2023-01-25 11:03:51 +0000 Commit: Konstantin Belousov <kib@FreeBSD.org> CommitDate: 2024-07-12 03:29:31 +0000 ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated To be able to pass ifp and mtu to the ipsec_output() and ipsec accelerator filter. Sponsored by: NVIDIA networking Differential revision: https://reviews.freebsd.org/D44225 --- sys/netinet6/ip6_output.c | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 68dd376af5d0..7eea64bb6344 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -449,27 +449,6 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, #endif } -#if defined(IPSEC) || defined(IPSEC_SUPPORT) - /* - * IPSec checking which handles several cases. - * FAST IPSEC: We re-injected the packet. - * XXX: need scope argument. - */ - if (IPSEC_ENABLED(ipv6)) { - m = mb_unmapped_to_ext(m); - if (m == NULL) { - IP6STAT_INC(ip6s_odropped); - error = ENOBUFS; - goto bad; - } - if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) { - if (error == EINPROGRESS) - error = 0; - goto done; - } - } -#endif /* IPSEC */ - /* Source address validation. */ ip6 = mtod(m, struct ip6_hdr *); if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) && @@ -806,6 +785,27 @@ nonh6lookup: KASSERT((ifp != NULL), ("output interface must not be NULL")); KASSERT((origifp != NULL), ("output address interface must not be NULL")); +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + /* + * IPSec checking which handles several cases. + * FAST IPSEC: We re-injected the packet. + * XXX: need scope argument. + */ + if (IPSEC_ENABLED(ipv6)) { + m = mb_unmapped_to_ext(m); + if (m == NULL) { + IP6STAT_INC(ip6s_odropped); + error = ENOBUFS; + goto bad; + } + if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) { + if (error == EINPROGRESS) + error = 0; + goto done; + } + } +#endif /* IPSEC */ + if ((flags & IPV6_FORWARDING) == 0) { /* XXX: the FORWARDING flag can be set for mrouting. */ in6_ifstat_inc(ifp, ifs6_out_request);