It's better to perform the socket bypass check before we start dealing
with SAs. OK?
---
sys/netinet/ip_spd.c | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git sys/netinet/ip_spd.c sys/netinet/ip_spd.c
index 81e22da..e4b858c 100644
--- sys/netinet/ip_spd.c
+++ sys/netinet/ip_spd.c
@@ -320,48 +320,49 @@ ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int
*error, int direction,
/* Do we have a cached entry ? If so, check if it's still valid. */
if ((ipo->ipo_tdb) && (ipo->ipo_tdb->tdb_flags & TDBF_INVALID)) {
TAILQ_REMOVE(&ipo->ipo_tdb->tdb_policy_head, ipo,
ipo_tdb_next);
ipo->ipo_tdb = NULL;
}
/* Outgoing packet policy check. */
if (direction == IPSP_DIRECTION_OUT) {
/*
- * Fetch the incoming TDB based on the SPI passed
- * in ipsecflow and use it's dstid when looking
- * up the outgoing TDB.
- */
- if (ipsecflowinfo &&
- (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc,
- ipo->ipo_sproto)) != NULL) {
- srcid = tdbin->tdb_dstid;
- dstid = tdbin->tdb_srcid;
- }
- /*
* If the packet is destined for the policy-specified
* gateway/endhost, and the socket has the BYPASS
* option set, skip IPsec processing.
*/
if ((inp != NULL) &&
(inp->inp_seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
(inp->inp_seclevel[SL_ESP_NETWORK] ==
IPSEC_LEVEL_BYPASS) &&
(inp->inp_seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
/* Direct match. */
if (dignore ||
!memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
*error = 0;
return NULL;
}
}
+ /*
+ * Fetch the incoming TDB based on the SPI passed
+ * in ipsecflow and use it's dstid when looking
+ * up the outgoing TDB.
+ */
+ if (ipsecflowinfo &&
+ (tdbin = gettdb(rdomain, ipsecflowinfo, &ssrc,
+ ipo->ipo_sproto)) != NULL) {
+ srcid = tdbin->tdb_dstid;
+ dstid = tdbin->tdb_srcid;
+ }
+
/* Check that the cached TDB (if present), is appropriate. */
if (ipo->ipo_tdb) {
if ((ipo->ipo_last_searched <= ipsec_last_added) ||
(ipo->ipo_sproto != ipo->ipo_tdb->tdb_sproto) ||
memcmp(dignore ? &sdst : &ipo->ipo_dst,
&ipo->ipo_tdb->tdb_dst,
ipo->ipo_tdb->tdb_dst.sa.sa_len))
goto nomatchout;
if (!ipsp_aux_match(ipo->ipo_tdb,
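Review bot: The re-added comment above the `ipsecflowinfo` check still reads `use it's dstid`; the possessive is `its`, and since the comment is being moved anyway this is the moment to correct it: `* in ipsecflowinfo and use its dstid when looking`. That rewording also makes the comment name the variable actually tested on the next line (`ipsecflowinfo`) rather than `ipsecflow`, which a reader grepping the function will not find. Separately, when `ipsecflowinfo` is non-zero but `gettdb()` returns NULL the new code silently leaves `srcid`/`dstid` at whatever they held before the hunk, presumably the policy's own ids; if that fallback is intended, a one-line comment such as `/* An unknown SPI is not an error: fall back to the policy's own ids. */` on the `if` would document it, and if it is not intended the branch needs an error path. ipsp_spd_lookup() begins and ends outside the hunk, so the initial values of `srcid`/`dstid` cannot be confirmed here.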
--
2.3.4