CVSROOT:        /cvs
Module name:    src
Changes by:     bl...@cvs.openbsd.org   2024/07/04 06:50:08

Modified files:
        sys/net        : pf.c pf_norm.c 
        sys/netinet6   : ip6_forward.c ip6_input.c ip6_mroute.c 
                         ip6_output.c ip6_var.h 

Log message:
Implement IPv6 forwarding IPsec only.

IPsec gateways set the forwarding sysctl to 2.  While this has worked
for IPv4 for a long time, adapt this feature for IPv6 now.  Set
sysctl net.inet6.ip6.forwarding=2 to forward only packets that have
been processed by IPsec.

Set IPV6_FORWARDING_IPSEC in ip6_input() and pass the flag down to
the call stack.  This provides a consistent view of the global variable
ip6_forwarding.  In ip6_output() or ip6_forward() drop packets that
do not match the policy.

OK denis@