From 0591e6d89100bb45ac89c92489429a186bfcae20 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Sun, 6 Mar 2022 15:24:50 +0000
Subject: [PATCH] Usually we check ipsec_in_use as shortcut to avoid IPsec lookups, but that does not work when coming from tcp_output() as inp != NULL. This seems to be done to block packets from sockets with options in inp_seclevel. But instead of doing the route lookup, go directly to ipsp_spd_inp() where the socket policy checks are done. Calling rtable_l2() before the shortcut also costs a bit, do it when needed. OK tobhe@
---
 sys/netinet/ip_spd.c | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/sys/netinet/ip_spd.c b/sys/netinet/ip_spd.c
index cef1e9d0f1c..4f5b4f24dcc 100644
--- a/sys/netinet/ip_spd.c
+++ b/sys/netinet/ip_spd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_spd.c,v 1.112 2022/02/22 01:15:02 guenther Exp $ */
+/* $OpenBSD: ip_spd.c,v 1.113 2022/03/06 15:24:50 bluhm Exp $ */
 /*
  * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
  *
@@ -160,7 +160,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
  struct ipsec_policy *ipo;
  struct ipsec_ids *ids = NULL;
  int error, signore = 0, dignore = 0;
- u_int rdomain = rtable_l2(m->m_pkthdr.ph_rtableid);
+ u_int rdomain;
 
  NET_ASSERT_LOCKED();
 
@@ -168,11 +168,8 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
  * If there are no flows in place, there's no point
  * continuing with the SPD lookup.
  */
- if (!ipsec_in_use && inp == NULL) {
- if (tdbout != NULL)
- *tdbout = NULL;
- return 0;
- }
+ if (!ipsec_in_use)
+ return ipsp_spd_inp(m, inp, NULL, tdbout);
 
  /*
  * If an input packet is destined to a BYPASS socket, just accept it.
@@ -302,6 +299,7 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
  }
 
  /* Actual SPD lookup. */
+ rdomain = rtable_l2(m->m_pkthdr.ph_rtableid);
  if ((rnh = spd_table_get(rdomain)) == NULL ||
  (rn = rn_match((caddr_t)&dst, rnh)) == NULL) {
  /*
-- 
2.20.1
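Review bot: The new `if (!ipsec_in_use) return ipsp_spd_inp(m, inp, NULL, tdbout);` drops the explicit handling the removed lines had for inp == NULL (clear *tdbout when non-NULL, return 0), so that behaviour now rests on ipsp_spd_inp() tolerating a NULL inp and a NULL tdbout in the same way, which is outside this hunk and should be confirmed before relying on the shortcut for all callers. The inp != NULL case previously fell through into the full route/SPD lookup, so for packets from sockets carrying per-socket policy this is a behaviour change; the commit message argues the outcome is identical, but that equivalence holds only if the SPD cannot match when no flows exist, which the hunk does not show. The comment above the check still reads as if nothing is enforced on this path, which undersells the security-relevant part: I would extend it to `* If there are no flows in place, skip the SPD lookup but still apply` / `* the socket's own policy (inp_seclevel) through ipsp_spd_inp().` ipsp_spd_lookup() continues beyond this hunk.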
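Review bot: rdomain is now first written at `rdomain = rtable_l2(m->m_pkthdr.ph_rtableid);` instead of at its declaration, so any read of rdomain in the roughly 130 lines between the declaration hunk and this point would become an uninitialized read; those lines are not in the diff, so that should be confirmed, and a `-Wuninitialized` build would catch the straightforward cases. Deferring the call past the early returns is the stated intent, and a short why-comment would keep a future reader from hoisting it back up: `/* Resolve the rdomain only here; the ipsec_in_use and BYPASS-socket shortcuts above return without needing it. */`. ipsp_spd_lookup() continues beyond this hunk.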