author | George V. Neville-Neil <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
---|---|---|
committer | George V. Neville-Neil <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
commit | 2cb64cb272ad94f7a5e903f76fb9817f1b8452ba (patch) | |
tree | 2bcfb09751e29be8d172ae9e835bab3e5c5699f2 /sys/netinet6/ip6_input.c | |
parent | 069441f7185186e3f9cf00f10c49ee0ac6876106 (diff) | |
Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files, the rest of the files
will follow in a second commit.
Reviewed by: bz
Approved by: re
Supported by: Secure Computing
Notes
Notes:
svn path=/head/; revision=171133
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r-- | sys/netinet6/ip6_input.c | 32 |
1 files changed, 12 insertions, 20 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index aa604bd78841..96e78505a4ad 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -101,17 +101,10 @@
 #include <netinet6/in6_ifattach.h>
 #include <netinet6/nd6.h>

-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#endif
-
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
+#include <netinet6/ip6_ipsec.h>
 #include <netipsec/ipsec6.h>
-#define IPSEC
 #endif /* FAST_IPSEC */

 #include <netinet6/ip6protosw.h>
@@ -230,16 +223,18 @@ ip6_input(m)
 int srcrt = 0;

 GIANT_REQUIRED; /* XXX for now */
-#ifdef IPSEC
+
+#ifdef FAST_IPSEC
 /*
 * should the inner packet be considered authentic?
 * see comment in ah4_input().
+ * NB: m cannot be NULL when passed to the input routine
 */
- if (m) {
- m->m_flags &= ~M_AUTHIPHDR;
- m->m_flags &= ~M_AUTHIPDGM;
- }
-#endif
+
+ m->m_flags &= ~M_AUTHIPHDR;
+ m->m_flags &= ~M_AUTHIPDGM;
+
+#endif /* FAST_IPSEC */

 /*
 * make sure we don't have onion peering information into m_tag.
@@ -766,18 +761,15 @@ passin:
 goto bad;
 }

-#ifdef IPSEC
+#ifdef FAST_IPSEC
 /*
 * enforce IPsec policy checking if we are seeing last header.
 * note that we do not visit this with protocols with pcb layer
 * code - like udp/tcp/raw ip.
 */
- if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec6_in_reject(m, NULL)) {
- ipsec6stat.in_polvio++;
+ if (ip6_ipsec_input(m, nxt))
 goto bad;
- }
-#endif
+#endif /* FAST_IPSEC */
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
 return; |
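Review bot: Dropping `#define IPSEC` from the FAST_IPSEC include block in the first hunk means any `#ifdef IPSEC` section left elsewhere in ip6_input.c now compiles out without a warning. Only the two guards in the later hunks are converted in this diff, and the rest of the file is not visible here, so the file should be searched for remaining `IPSEC` guards before this lands. A policy or authentication check that silently drops out of the build fails open, so I would add `/* FAST_IPSEC no longer defines IPSEC: every IPsec guard in this file must test FAST_IPSEC */` above the include block.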
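Review bot: The unconditional `m->m_flags &= ~M_AUTHIPHDR;` in the second hunk depends on an invariant that is stated only in the new comment line ("m cannot be NULL"), and the removed `if (m)` guard was the only runtime check. I would enforce the contract in debug kernels with `KASSERT(m != NULL, ("ip6_input: NULL mbuf"));` ahead of the flag clearing, so a caller that breaks it stops at a known place rather than faulting on the dereference. The surrounding comment suggests these two flags mark a packet as already authenticated; the comment should say outright that they are cleared here so that nothing arriving at the input routine can be pre-marked as authentic. ip6_input() begins and ends outside the hunk.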
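Review bot: The call `if (ip6_ipsec_input(m, nxt))` in the third hunk no longer shows the two things the removed lines did in place, the `PR_LASTHDR` gating and the `ipsec6stat.in_polvio++` counter. ip6_ipsec_input() is defined outside this file's diff, so it cannot be confirmed from here that the helper still performs both; losing the counter would remove the statistic that reveals inbound policy violations. I would document the contract at the call site, for example `/* ip6_ipsec_input() returns non-zero to drop; it applies the PR_LASTHDR test and counts in_polvio */`, and write the test as `if (ip6_ipsec_input(m, nxt) != 0)`. The enclosing loop continues outside the hunk.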