Enforce inbound IPsec SPD

Reviewed by: fenner
author: jedgar <jedgar@FreeBSD.org> 2002-02-26 02:11:13 +0000
committer: jedgar <jedgar@FreeBSD.org> 2002-02-26 02:11:13 +0000
commit: ecdaec0ea7a59257dfbdd719d35276bc28ed4a45 (patch)
tree: de14d304df3d9f701ee77d38f9f523179d52cee3 /sys/netinet/ip_input.c
parent: 3cea5d4273fbb50c53a035ad676ddcb007850ab7 (diff)
download: FreeBSD-src-ecdaec0ea7a59257dfbdd719d35276bc28ed4a45.zip
FreeBSD-src-ecdaec0ea7a59257dfbdd719d35276bc28ed4a45.tar.gz
1 files changed, 11 insertions, 1 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e82e66f..541510f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -650,8 +650,18 @@ pass:
 	if (ipforwarding == 0) {
 		ipstat.ips_cantforward++;
 		m_freem(m);
-	} else
+	} else {
+#ifdef IPSEC
+		/*
+		 * Enforce inbound IPsec SPD.
+		 */
+		if (ipsec4_in_reject(m, NULL)) {
+			ipsecstat.in_polvio++;
+			goto bad;
+		}
+#endif /* IPSEC */
 		ip_forward(m, 0);
+	}
 #ifdef IPFIREWALL_FORWARD
 	ip_fw_fwd_addr = NULL;
 #endif
author	jedgar <jedgar@FreeBSD.org>	2002-02-26 02:11:13 +0000
committer	jedgar <jedgar@FreeBSD.org>	2002-02-26 02:11:13 +0000
commit	ecdaec0ea7a59257dfbdd719d35276bc28ed4a45 (patch)
tree	de14d304df3d9f701ee77d38f9f523179d52cee3 /sys/netinet/ip_input.c
parent	3cea5d4273fbb50c53a035ad676ddcb007850ab7 (diff)
download	FreeBSD-src-ecdaec0ea7a59257dfbdd719d35276bc28ed4a45.zip FreeBSD-src-ecdaec0ea7a59257dfbdd719d35276bc28ed4a45.tar.gz