diff options
| -rw-r--r-- | sys/net/if_enc.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c index edc3ca3de71b..5204b454f184 100644 --- a/sys/net/if_enc.c +++ b/sys/net/if_enc.c @@ -255,6 +255,13 @@ ipsec_filter(struct mbuf **mp, int dir) printf("%s: unknown IP version\n", __func__); } + /* + * If the mbuf was consumed by the filter for requeueing (dummynet, etc) + * then error will be zero but we still want to return an error to our + * caller so the null mbuf isn't forwarded further. + */ + if (*mp == NULL && error == 0) + return (-1); /* Consumed by the filter */ if (*mp == NULL) return (error); if (error != 0) |