Implement IPv6 forwarding IPsec only.
author: bluhm <bluhm@openbsd.org>
Thu, 4 Jul 2024 12:50:08 +0000 (12:50 +0000)
committer: bluhm <bluhm@openbsd.org>
Thu, 4 Jul 2024 12:50:08 +0000 (12:50 +0000)
commit: 28c60e6351dc1963204b5f2f10d2b35624544ca4
tree: 6f4586d7fb6eb2cc162ca13d0f4baa4d87fc57bc
parent: 7e961abbe7afdc5a54cf07c351b139df63cd2e53
Implement IPv6 forwarding IPsec only.

IPsec gateways set the forwarding sysctl to 2.  While this worked
for IPv4 since a long time, adapt this feature for IPv6 now.  Set
sysctl net.inet6.ip6.forwarding=2 to forward only packets that have
been processed by IPsec.

Set IPV6_FORWARDING_IPSEC in ip6_input() and pass the flag down to
the call stack.  This provides consistent view on global variable
ip6_forwarding.  In ip6_output() or ip6_forward() drop packets that
do not match the policy.

OK denis@
sys/net/pf.c
sys/net/pf_norm.c
sys/netinet6/ip6_forward.c
sys/netinet6/ip6_input.c
sys/netinet6/ip6_mroute.c
sys/netinet6/ip6_output.c
sys/netinet6/ip6_var.h
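The following is an added, constructed model of the decision flow the commit describes (not OpenBSD kernel code): the input path reads the forwarding sysctl once, turns the value 2 into a per-packet IPV6_FORWARDING_IPSEC flag, and the forwarding path drops anything that was not processed by IPsec. Apart from IPV6_FORWARDING_IPSEC, ip6_input, ip6_forward and ip6_forwarding, every name (PKT_IPSEC_DONE, struct pkt, the verdict values) is hypothetical.

```c
/* Constructed model of the forwarding policy from the commit message.
 * Not OpenBSD code; names other than IPV6_FORWARDING_IPSEC, ip6_input,
 * ip6_forward and ip6_forwarding are hypothetical. */
#include <stdio.h>

#define IPV6_FORWARDING_IPSEC 0x01  /* flag passed down the call stack */
#define PKT_IPSEC_DONE        0x02  /* hypothetical: packet left an IPsec SA */

enum { FWD_OFF = 0, FWD_ON = 1, FWD_IPSEC_ONLY = 2 };   /* sysctl values */
enum { VERDICT_DROP = 0, VERDICT_FORWARD = 1, VERDICT_LOCAL = 2 };

/* Stands in for sysctl net.inet6.ip6.forwarding; may change at any time. */
int ip6_forwarding = FWD_ON;

struct pkt { int flags; int for_us; };

/* Forwarding stage: decide from the flag snapshot, never from the global,
 * so a sysctl change mid-packet cannot give an inconsistent result. */
static int ip6_forward(const struct pkt *p, int flags)
{
    if ((flags & IPV6_FORWARDING_IPSEC) && !(p->flags & PKT_IPSEC_DONE))
        return VERDICT_DROP;   /* forwarding=2: cleartext transit is dropped */
    return VERDICT_FORWARD;
}

/* Input stage: read the sysctl once and encode value 2 as a packet flag. */
static int ip6_input(const struct pkt *p)
{
    int fwd = ip6_forwarding;  /* single read gives a consistent view */
    int flags = 0;

    if (p->for_us)
        return VERDICT_LOCAL;
    if (fwd == FWD_OFF)
        return VERDICT_DROP;   /* not a router: transit traffic is dropped */
    if (fwd == FWD_IPSEC_ONLY)
        flags |= IPV6_FORWARDING_IPSEC;
    return ip6_forward(p, flags);
}

int main(void)
{
    struct pkt clear = { 0, 0 }, ipsec = { PKT_IPSEC_DONE, 0 };

    ip6_forwarding = FWD_IPSEC_ONLY;
    printf("forwarding=2: cleartext=%d ipsec=%d\n",
           ip6_input(&clear), ip6_input(&ipsec));   /* prints 0 and 1 */
    return 0;
}
```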