From a1db6f2dc60e6f5fbbdac4569797ce28b8a35ce0 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 16 May 2024 13:01:04 +0000
Subject: [PATCH] Fix IPsec in use with IP forwarding 2 logic.

If sysctl net.inet.ip.forwarding is 2, only packets processed by IPsec are forwarded. Variable ipsec_in_use is a shortcut to avoid IPsec processing if no policy has been configured. With ipsec_in_use unset and ipforwarding set to IPsec only, the packet must be dropped. OK claudio@
---
 sys/netinet/ip_output.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index c5a9b419cbe..c0aeb76930d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.398 2024/04/17 20:48:51 bluhm Exp $ */
+/* $OpenBSD: ip_output.c,v 1.399 2024/05/16 13:01:04 bluhm Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 
 /*
@@ -428,8 +428,9 @@ sendit:
 #endif
 
 #ifdef IPSEC
-	if (ipsec_in_use && (flags & IP_FORWARDING) && (ipforwarding == 2) &&
-	    (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
+	if ((flags & IP_FORWARDING) && ipforwarding == 2 &&
+	    (!ipsec_in_use ||
+	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) == NULL)) {
 		error = EHOSTUNREACH;
 		goto bad;
 	}
-- 
2.20.1
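Review bot: The new condition in the second hunk fails closed, but nothing in the code says why; the reason `!ipsec_in_use` alone is enough to drop a forwarded packet lives only in the commit message, and a reader of the `#ifdef IPSEC` block will wonder why a missing policy is treated the same as a missing PACKET_TAG_IPSEC_IN_DONE tag. A comment above the `if`, such as `/* ipforwarding == 2: forward only packets that came in through IPsec. */`, `/* With no IPsec policy configured (ipsec_in_use == 0) no packet can */`, `/* carry PACKET_TAG_IPSEC_IN_DONE, so refuse to forward unconditionally. */`, would make the intent self-evident. The drop also appears to leave no trace beyond the EHOSTUNREACH error: no statistics counter is bumped in the hunk, so if the forwarding path already has a counter for refused forwards, incrementing it here would let operators see packets rejected by the IPsec-only policy rather than silently losing them. The enclosing function (at the `sendit:` label) starts and ends outside the hunk, so counter handling elsewhere in it is not visible; the first hunk is only the RCS id bump and needs no review.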