patch-2.1.30 linux/net/ipv4/ip_input.c


diff -u --recursive --new-file v2.1.29/linux/net/ipv4/ip_input.c linux/net/ipv4/ip_input.c
@@ -155,6 +155,7 @@
 #include <linux/mroute.h>
 #include <net/netlink.h>
 #include <linux/net_alias.h>
+#include <linux/ipsec.h>
 
 /*
  *	SNMP management statistics
@@ -266,7 +267,12 @@
 				else
 					break;	/* One pending raw socket left */
 				if(skb1)
-					raw_rcv(raw_sk, skb1);
+				{
+					if(ipsec_sk_policy(raw_sk,skb1))	
+						raw_rcv(raw_sk, skb1);
+					else
+						kfree_skb(skb1, FREE_WRITE);
+				}
 				raw_sk = sknext;
 			} while(raw_sk!=NULL);
 				
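Review bot: The denial branch after `if(ipsec_sk_policy(raw_sk,skb1))` frees the clone without any counter or comment, so a raw socket that receives nothing because of IPsec policy cannot be told apart from one that saw no traffic. At minimum the return convention should be documented at the call, e.g. `/* non-zero: policy lets this socket see the packet; zero: drop the clone */`, and the drop should probably be accounted in the SNMP statistics this file keeps. The last-raw-user path in the hunk at -323 has the same silent drop. The check also runs only once `skb1` exists (the clone is presumably made just above the hunk), so denied packets still cost an allocation; testing policy before cloning would avoid that. The loop begins and ends outside the hunk.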
@@ -323,7 +329,12 @@
 	 */
 
 	if(raw_sk!=NULL)	/* Shift to last raw user */
-		raw_rcv(raw_sk, skb);
+	{
+		if(ipsec_sk_policy(raw_sk, skb))
+			raw_rcv(raw_sk, skb);
+		else
+			kfree_skb(skb, FREE_WRITE);
+	}
 	else if (!flag)		/* Free and report errors */
 	{
 		icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PROT_UNREACH, 0);	
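Review bot: When `raw_sk!=NULL` and `ipsec_sk_policy(raw_sk, skb)` denies the packet, the `else if (!flag)` arm is skipped, so no ICMP protocol-unreachable is sent even if no protocol handler accepted the packet. A silent drop is probably the intended behaviour for a policy denial, but it is not obvious from the chained `if`/`else if`; a comment on the `kfree_skb` line such as `/* denied by socket policy: drop silently, no ICMP error */` would record the decision. The enclosing function starts and ends outside the hunk.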
@@ -434,7 +445,7 @@
 		int fwres;
 		u16 rport;
 
-		if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport))<FW_ACCEPT) {
+		if ((fwres=call_in_firewall(PF_INET, skb->dev, iph, &rport, &skb))<FW_ACCEPT) {
 			if (fwres==FW_REJECT)
 				icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
 			goto drop;
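Review bot: Passing `&skb` to `call_in_firewall()` implies the hook may now substitute the buffer, yet `iph` was taken from the old `skb` before the call and is not reloaded in the visible lines. If a replacement can happen, any later use of `iph` (or other pointers into the old buffer) would reference freed or stale data; `iph` should be re-derived from `skb` right after the call, with a comment like `/* call_in_firewall() may replace skb; reload header pointers */`. Whether the code below the hunk already does this cannot be seen from here, since the block continues outside the hunk.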
