CVSROOT:	/cvs
Module name:	src
Changes by:	bl...@cvs.openbsd.org	2024/07/02 12:33:47

Modified files:
	sys/net        : pf.c
	sys/netinet    : ip_input.c ip_mroute.c ip_output.c ip_var.h

Log message:
Read IPsec forwarding information once.

Fix MP race between reading ip_forwarding in ip_input() and checking
ip_forwarding == 2 in ip_output(). In theory ip_forwarding could be 2
during ip_input() and later 0 in ip_output(). Then a packet would be
forwarded that was never allowed. Currently exclusive netlock in
sysctl(2) prevents all races.

Introduce IP_FORWARDING_IPSEC and pass it with the flags parameter
that was introduced for IP_FORWARDING. Instead of calling
m_tag_find(), traversing the list, and comparing with NULL, just
check the PACKET_TAG_IPSEC_IN_DONE bit. Reading ipsec_in_use in
ip_output() is a performance hack that is not necessary. New code
only checks three bits.

OK mvs@
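The race the commit describes is a classic read-twice problem: the input path reads a global policy value, and the output path reads it again and may see a different value, so the two halves of one decision disagree. The following is an added, stand-alone C model of that pattern, not OpenBSD's code. It uses the flag names IP_FORWARDING and IP_FORWARDING_IPSEC from the commit message, but the global `ip_forwarding_global`, the `struct pkt` with its `ipsec_in_done` field (standing in for the PACKET_TAG_IPSEC_IN_DONE bit), and the `model_input`, `racy_output`, `fixed_output` and `simulate` functions are all hypothetical simplifications written for this illustration. `racy_output` re-reads the global the way the pre-fix ip_output() did; `fixed_output` only consults the bits the packet carries, which is what "read once" means here.

```c
/* Added example (not OpenBSD's code): models the race between reading a
 * forwarding sysctl at input time and re-reading it at output time. */
#include <stdbool.h>
#include <stdio.h>

/* Flag bits named after the commit's IP_FORWARDING / IP_FORWARDING_IPSEC;
 * the values are arbitrary for this model. */
#define IP_FORWARDING        0x01
#define IP_FORWARDING_IPSEC  0x02   /* snapshot of "ip_forwarding == 2" taken at input */

/* Hypothetical sysctl: 0 = no forwarding, 1 = forward,
 * 2 = forward only packets that went through IPsec input processing. */
static int ip_forwarding_global = 2;

struct pkt {
    bool ipsec_in_done;   /* stands in for the PACKET_TAG_IPSEC_IN_DONE bit */
    int  flags;           /* decided once in the input path */
};

/* Input path: read the policy exactly once and record the decision in flags.
 * Returns 1 if the packet proceeds to output, 0 if it is dropped. */
static int model_input(struct pkt *p)
{
    int fwd = ip_forwarding_global;   /* the single read */
    if (fwd == 0)
        return 0;
    p->flags = IP_FORWARDING;
    if (fwd == 2)
        p->flags |= IP_FORWARDING_IPSEC;
    return 1;
}

/* Pre-fix style output path: re-reads the global, so a change between
 * input and output makes the IPsec requirement silently disappear. */
static int racy_output(const struct pkt *p)
{
    if (!(p->flags & IP_FORWARDING))
        return 0;
    if (ip_forwarding_global == 2 && !p->ipsec_in_done)
        return 0;   /* reject: policy demands IPsec-processed packets */
    return 1;
}

/* Fixed style output path: only the bits carried with the packet are
 * consulted, so the decision matches what input saw. */
static int fixed_output(const struct pkt *p)
{
    if (!(p->flags & IP_FORWARDING))
        return 0;
    if ((p->flags & IP_FORWARDING_IPSEC) && !p->ipsec_in_done)
        return 0;
    return 1;
}

/* Simulates one interleaving: input runs with the sysctl at `initial`,
 * a concurrent sysctl write changes it to `changed_to`, then output runs.
 * Returns 1 if the packet is forwarded, 0 if it is dropped. */
static int simulate(int (*output)(const struct pkt *),
                    int initial, int changed_to, bool ipsec_done)
{
    struct pkt p = { .ipsec_in_done = ipsec_done, .flags = 0 };
    ip_forwarding_global = initial;
    if (!model_input(&p))
        return 0;
    ip_forwarding_global = changed_to;   /* the racing sysctl(2) write */
    return output(&p);
}

int main(void)
{
    /* Policy 2 at input, 0 at output, packet never saw IPsec: the racy
     * path forwards it, the fixed path drops it. */
    printf("racy : forwarded=%d\n", simulate(racy_output, 2, 0, false));
    printf("fixed: forwarded=%d\n", simulate(fixed_output, 2, 0, false));
    return 0;
}
```

The interesting case is `simulate(..., 2, 0, false)`: input accepted the packet because forwarding was on, and the IPsec-only requirement should apply; the racy output path re-reads 0, skips the check and forwards a packet that was never allowed, while the fixed path rejects it because IP_FORWARDING_IPSEC was latched at input time. When the policy does not change under the packet, both paths agree.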