author | jedgar <jedgar@FreeBSD.org> | 2002-02-26 02:11:13 +0000 |
---|---|---|
committer | jedgar <jedgar@FreeBSD.org> | 2002-02-26 02:11:13 +0000 |
commit | ecdaec0ea7a59257dfbdd719d35276bc28ed4a45 (patch) | |
tree | de14d304df3d9f701ee77d38f9f523179d52cee3 /sys/netinet/ip_input.c | |
parent | 3cea5d4273fbb50c53a035ad676ddcb007850ab7 (diff) | |
Enforce inbound IPsec SPD
Reviewed by: fenner
Diffstat (limited to 'sys/netinet/ip_input.c')
-rw-r--r-- | sys/netinet/ip_input.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e82e66f..541510f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -650,8 +650,18 @@ pass:
 if (ipforwarding == 0) {
 ipstat.ips_cantforward++;
 m_freem(m);
- } else
+ } else {
+#ifdef IPSEC
+ /*
+ * Enforce inbound IPsec SPD.
+ */
+ if (ipsec4_in_reject(m, NULL)) {
+ ipsecstat.in_polvio++;
+ goto bad;
+ }
+#endif /* IPSEC */
 ip_forward(m, 0);
+ }
 #ifdef IPFIREWALL_FORWARD
 ip_fw_fwd_addr = NULL;
 #endif |
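Review bot: The new `goto bad` taken on an inbound policy violation leaves the forwarding branch before the `ip_fw_fwd_addr = NULL;` reset that follows the if/else under `IPFIREWALL_FORWARD`, so whether that global is cleared on the reject path depends on what the `bad:` label does, and that label is outside this hunk. If `bad:` does not clear it, a stale forward address could presumably carry over to the next packet; in that case reset it before the jump, and once the behaviour is confirmed, record the reliance next to the jump with a comment such as `/* bad: frees m and resets ip_fw_fwd_addr */`. The rejected packet is counted only in `ipsecstat.in_polvio`, so the existing comment could also state that transit packets failing the inbound SPD check are dropped here before `ip_forward()` and are not reflected in `ipstat.ips_cantforward`. The enclosing function starts and ends outside the hunk.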