Source-Changes-HG archive
[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.37 (requested by itojun):
details: https://anonhg.NetBSD.org/src/rev/208d63dca999
branches: netbsd-1-5
changeset: 490824:208d63dca999
user: he <he%NetBSD.org@localhost>
date: Sun Mar 11 21:12:36 2001 +0000
description:
Pull up revision 1.37 (requested by itojun):
Ensure that we enforce inbound IPsec policy on all IP protocols,
not just TCP, UDP and ICMP.
diffstat:
sys/netinet6/ip6_input.c | 19 ++++++++++++++++++-
1 files changed, 18 insertions(+), 1 deletions(-)
diffs (40 lines):
diff -r 263656cb7ee0 -r 208d63dca999 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Sun Mar 11 21:12:19 2001 +0000
+++ b/sys/netinet6/ip6_input.c Sun Mar 11 21:12:36 2001 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.22.2.2 2000/08/27 01:25:08 itojun Exp $ */
+/* $NetBSD: ip6_input.c,v 1.22.2.3 2001/03/11 21:12:36 he Exp $ */
/* $KAME: ip6_input.c,v 1.119 2000/08/26 10:00:45 itojun Exp $ */
/*
@@ -111,6 +111,10 @@
#include <netinet6/ip6_fw.h>
#endif
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
#include <netinet6/ip6protosw.h>
/* we need it for NLOOP. */
@@ -695,6 +699,19 @@
goto bad;
}
+#ifdef IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+ ipsec6stat.in_polvio++;
+ goto bad;
+ }
+#endif
+
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
}
return;
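Review bot: The comment above the PR_LASTHDR test states that protocols with pcb layer code (udp/tcp/raw ip) never reach this check, but the condition only tests `pr_flags & PR_LASTHDR`, so that guarantee rests on how the flag is assigned in the inet6sw table, which this diff does not show. It would help for the comment to name where PR_LASTHDR is set and to state that any entry without the flag must do its own inbound policy check, so a protocol added later is not left without one. The NULL second argument to `ipsec6_in_reject(m, NULL)` also deserves a word in the comment explaining why no second argument is available at this point. As a minor style point, `inet6sw[ip6_protox[nxt]]` is now evaluated twice in consecutive statements; a local pointer would make the check and the `pr_input` dispatch visibly refer to the same entry.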