CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2022/03/06 08:24:50
Modified files:
sys/netinet : ip_spd.c
Log message:
Usually we check ipsec_in_use as shortcut to avoid IPsec lookups,
but that does not work when coming from tcp_output() as inp != NULL.
This seems to be done to block packets from sockets with options
in inp_seclevel. But instead of doing the route lookup, go directly
to ipsp_spd_inp() where the socket policy checks are done. Calling
rtable_l2() before the shortcut also costs a bit, do it when needed.
OK tobhe@
