From: Alexander Bluhm Subject: Re: IPv6 forward IPsec only To: Denis Fondras Cc: tech@openbsd.org Date: Thu, 4 Jul 2024 14:03:59 +0200 On Wed, Jul 03, 2024 at 06:07:08PM +0200, Denis Fondras wrote: > > - if (ip6_forwarding == 0) { > > + switch (ip6_forwarding) { > > + case 2: > > + SET(flags, IPV6_FORWARDING_IPSEC); > > + /* FALLTHROUGH */ > > Should `case 2` be enclosed with `#ifdef IPSEC` ? It is only setting a flag. Too much #ifdef makes the code unreadable. > > - if (ip6_forwarding != 0) > > + switch (ip6_forwarding) { > > + case 2: > > + SET(flags, IPV6_FORWARDING_IPSEC); > > + /* FALLTHROUGH */ > > + case 1: > > SET(flags, IPV6_FORWARDING); > > + break; > > No default ? Default is to keep the flags as they are. Nothing to do. > > #define IPV6_FORWARDING 0x02 /* most of IPv6 header exists */ > > #define IPV6_MINMTU 0x04 /* use minimum MTU (IPV6_USE_MIN_MTU) */ > > #define IPV6_REDIRECT 0x08 /* redirected by pf */ > > +#define IPV6_FORWARDING_IPSEC 0x10 /* most of IPv6 header exists */ > > > > The comment is copied from IPV6_FORWARDING ? Now I copy it from IP_FORWARDING_IPSEC +#define IPV6_FORWARDING_IPSEC 0x10 /* only packets processed by IPsec */
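Review bot: In the hunk that replaces `if (ip6_forwarding != 0)` with a switch, any value other than 1 or 2 no longer sets IPV6_FORWARDING, whereas the old test set it for every non-zero value. If the sysctl bounds already limit ip6_forwarding to 0, 1 and 2, a one-line comment above the switch saying so would make the missing default self-explanatory. If they do not, placing `default:` next to `case 1:` would keep the previous behaviour.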
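Review bot: On the revised `+#define IPV6_FORWARDING_IPSEC 0x10` line, the comment `/* only packets processed by IPsec */` does not say that the flag accompanies IPV6_FORWARDING. In the switch that contains `case 1:`, `case 2` falls through, so both bits end up in flags. Wording such as "forward only packets processed by IPsec" would let a reader of the header see it as a restriction on forwarding rather than a separate mode.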