CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org  2024/07/04 06:50:08

Modified files:
        sys/net        : pf.c pf_norm.c
        sys/netinet6   : ip6_forward.c ip6_input.c ip6_mroute.c
                         ip6_output.c ip6_var.h

Log message:
Implement IPv6 forwarding IPsec only.

IPsec gateways set the forwarding sysctl to 2.  While this worked
for IPv4 for a long time, adapt this feature for IPv6 now.  Set
sysctl net.inet6.ip6.forwarding=2 to forward only packets that have
been processed by IPsec.  Set IPV6_FORWARDING_IPSEC in ip6_input()
and pass the flag down to the call stack.  This provides a consistent
view on global variable ip6_forwarding.  In ip6_output() or
ip6_forward() drop packets that do not match the policy.

OK denis@