git: da0efbdb8d95 - main - ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated

From: Konstantin Belousov <kib_at_FreeBSD.org>
Date: Fri, 12 Jul 2024 11:24:58 UTC
The branch main has been updated by kib:

URL: https://cgit.FreeBSD.org/src/commit/?id=da0efbdb8d952a1e9d15a5e332149e1f1092f5d9

commit da0efbdb8d952a1e9d15a5e332149e1f1092f5d9
Author:     Konstantin Belousov <kib@FreeBSD.org>
AuthorDate: 2023-01-25 11:03:51 +0000
Commit:     Konstantin Belousov <kib@FreeBSD.org>
CommitDate: 2024-07-12 03:29:31 +0000

    ip6_output: place IPSEC_OUTPUT hook after the outgoing ifp is calculated
    
    To be able to pass ifp and mtu to the ipsec_output() and ipsec
    accelerator filter.
    
    Sponsored by:   NVIDIA networking
    Differential revision:  https://reviews.freebsd.org/D44225
---
 sys/netinet6/ip6_output.c | 42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 68dd376af5d0..7eea64bb6344 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -449,27 +449,6 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 #endif
 	}
 
-#if defined(IPSEC) || defined(IPSEC_SUPPORT)
-	/*
-	 * IPSec checking which handles several cases.
-	 * FAST IPSEC: We re-injected the packet.
-	 * XXX: need scope argument.
-	 */
-	if (IPSEC_ENABLED(ipv6)) {
-		m = mb_unmapped_to_ext(m);
-		if (m == NULL) {
-			IP6STAT_INC(ip6s_odropped);
-			error = ENOBUFS;
-			goto bad;
-		}
-		if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) {
-			if (error == EINPROGRESS)
-				error = 0;
-			goto done;
-		}
-	}
-#endif /* IPSEC */
-
 	/* Source address validation. */
 	ip6 = mtod(m, struct ip6_hdr *);
 	if (IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src) &&
@@ -806,6 +785,27 @@ nonh6lookup:
 	KASSERT((ifp != NULL), ("output interface must not be NULL"));
 	KASSERT((origifp != NULL), ("output address interface must not be NULL"));
 
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
+	/*
+	 * IPSec checking which handles several cases.
+	 * FAST IPSEC: We re-injected the packet.
+	 * XXX: need scope argument.
+	 */
+	if (IPSEC_ENABLED(ipv6)) {
+		m = mb_unmapped_to_ext(m);
+		if (m == NULL) {
+			IP6STAT_INC(ip6s_odropped);
+			error = ENOBUFS;
+			goto bad;
+		}
+		if ((error = IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)) != 0) {
+			if (error == EINPROGRESS)
+				error = 0;
+			goto done;
+		}
+	}
+#endif /* IPSEC */
+
 	if ((flags & IPV6_FORWARDING) == 0) {
 		/* XXX: the FORWARDING flag can be set for mrouting. */
 		in6_ifstat_inc(ifp, ifs6_out_request);
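Review bot: The relocated `IPSEC_OUTPUT(ipv6, ifp, m, inp, mtu)` call now depends on `ifp` and `mtu` both being final at this point, but only `ifp` is checked by the KASSERTs just above; nothing in this hunk shows where `mtu` is assigned. If path-MTU determination happens later in ip6_output (the function body extends well outside this hunk), the hook and any accelerator filter behind it would see whatever initial value `mtu` holds, so it is worth confirming that and, if so, passing a defined fallback derived from `ifp`. The carried-over comment still describes only the re-injection case and says nothing about the ordering this commit establishes; I would add `/* Must run after the outgoing ifp (and mtu) are resolved: both are passed to IPSEC_OUTPUT(). */`. Because the hook now sits after the source-address validation and route lookup, it should also be confirmed that policy-matched traffic whose pre-encapsulation destination has no route is meant to be dropped before the IPsec policy is consulted.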