| author | Andrey V. Elsukov <ae@FreeBSD.org> | 2024-11-25 17:42:00 +0000 |
|---|---|---|
| committer | Andrey V. Elsukov <ae@FreeBSD.org> | 2024-11-25 17:42:00 +0000 |
| commit | c94d6389e428fac55946bfcdbbc3162c06a9278e (patch) | |
| tree | 1171c866de1eeb11743f72435ab05b7de094a28a /sys/netipsec | |
| parent | 4d58cf6ff905377dbca1ecf004f53133e6b57a46 (diff) | |
Diffstat (limited to 'sys/netipsec')
| -rw-r--r-- | sys/netipsec/ipsec_output.c | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 10f1728f72ac..73a32c71fffc 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -1112,7 +1112,7 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 #endif
 struct ip *ip;
 #ifdef INET
- int setdf;
+ int setdf = V_ip4_ipsec_dfbit == 1 ? 1: 0;
 #endif
 uint8_t itos, proto;
@@ -1122,17 +1122,11 @@ ipsec_encap(struct mbuf **mp, struct secasindex *saidx)
 case IPVERSION:
 proto = IPPROTO_IPIP;
 /*
- * Collect IP_DF state from the inner header
- * and honor system-wide control of how to handle it.
+ * Copy IP_DF flag from the inner header if
+ * system-wide control variable is greater than 1.
 */
- switch (V_ip4_ipsec_dfbit) {
- case 0: /* clear in outer header */
- case 1: /* set in outer header */
- setdf = V_ip4_ipsec_dfbit;
- break;
- default:/* propagate to outer header */
+ if (V_ip4_ipsec_dfbit > 1)
 setdf = (ip->ip_off & htons(IP_DF)) != 0;
- }
 itos = ip->ip_tos;
 break;
 #endif |
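Review bot: The new initializer in the first hunk, `int setdf = V_ip4_ipsec_dfbit == 1 ? 1: 0;`, is the only place left that encodes the clear/set meaning of the control variable, and the per-value comments from the removed `switch` are gone. The `? 1: 0` is redundant on a comparison, so I would write `int setdf = (V_ip4_ipsec_dfbit == 1);` and put `/* 0: clear DF in outer header, 1: set it; other values are handled per inner header below */` above it. The declaration sits in the locals of ipsec_encap(), whose body starts and ends outside the hunk.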
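Review bot: In the second hunk `if (V_ip4_ipsec_dfbit > 1)` narrows what the removed `default:` arm covered: the old switch propagated the inner DF bit for every value other than 0 and 1, while the new code clears DF for a negative value. Neither the variable's type nor its sysctl handler is visible here, so this matters only if it is a signed int with no range check. In that case an operator who relied on a negative setting silently gets fragmentable outer packets instead of propagation. Using `if (V_ip4_ipsec_dfbit != 0 && V_ip4_ipsec_dfbit != 1)` keeps the previous behaviour, or the comment should state that only values above 1 propagate. The variable is also read once in the initializer and again here, so a concurrent change from 2 to 1 between the reads yields a cleared DF that matches neither setting. Reading it once into a local, `int dfbit = V_ip4_ipsec_dfbit;`, avoids that.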
