author | sam <sam@FreeBSD.org> | 2002-10-16 02:25:05 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2002-10-16 02:25:05 +0000 |
commit | 0ef6c52bbcc67b0dce67c7ad7a6fc685828a6400 (patch) | |
tree | ae7276b550c8f6a3436b1985ff4cb31e8a826d66 /sys/netinet/raw_ip.c | |
parent | b12d57e66aba52a8bea632c34b458fa9d734aef7 (diff) | |
Tie new "Fast IPsec" code into the build. This involves the usual
configuration stuff as well as conditional code in the IPv4 and IPv6
areas. Everything is conditional on FAST_IPSEC which is mutually
exclusive with IPSEC (KAME IPsec implementation).
As noted previously, don't use FAST_IPSEC with INET6 at the moment.
Reviewed by: KAME, rwatson
Approved by: silence
Supported by: Vernier Networks
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r-- | sys/netinet/raw_ip.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 144554a..de539fa 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -71,6 +71,10 @@
 #include <netinet/ip_fw.h>
 #include <netinet/ip_dummynet.h>
 
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#endif /*FAST_IPSEC*/
+
 #ifdef IPSEC
 #include <netinet6/ipsec.h>
 #endif /*IPSEC*/
@@ -157,6 +161,13 @@ rip_input(m, off)
 /* do not inject data to pcb */
 }
 #endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(n, last)) {
+ policyfail = 1;
+ /* do not inject data to pcb */
+ }
+#endif /*FAST_IPSEC*/
 #ifdef MAC
 if (policyfail == 0 &&
 mac_check_socket_deliver(last->inp_socket,
@@ -195,6 +206,15 @@ rip_input(m, off)
 return;
 }
 #endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(m, last)) {
+ m_freem(m);
+ ipstat.ips_delivered--;
+ /* do not inject data to pcb */
+ return;
+ }
+#endif /*FAST_IPSEC*/
 #ifdef MAC
 if (mac_check_socket_deliver(last->inp_socket, m) != 0) {
 m_freem(m); |
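Review bot: Nothing in this file stops IPSEC and FAST_IPSEC from both being defined, although the commit message calls them mutually exclusive; the new include block sits directly above the existing `#ifdef IPSEC` one, and in rip_input() both policy checks would then be compiled in back to back. If the kernel configuration machinery does not already reject the combination (not visible from this page), a guard next to the includes would make the invariant explicit: `#if defined(IPSEC) && defined(FAST_IPSEC)`, `#error "IPSEC and FAST_IPSEC are mutually exclusive"`, `#endif`.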
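Review bot: The comment `/* check AH/ESP integrity. */` on the added FAST_IPSEC branch looks carried over from the IPSEC branch above and does not describe the call beneath it. Judging by its name, `ipsec4_in_reject(n, last)` decides whether the copied packet may be delivered to this PCB under inbound policy, which is a different step from verifying AH/ESP integrity. Something like `/* enforce inbound IPsec policy for this socket */` would tell a later reader that this is the policy enforcement point for raw sockets. The same comment appears on the final-delivery branch in the third hunk (`ipsec4_in_reject(m, last)`). The enclosing loop in rip_input() starts and ends outside the hunk, so what happens to `n` once `policyfail` is set is not visible here.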
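Review bot: `ipstat.ips_delivered--;` in the added reject path has no comment saying why a delivery counter is decremented when policy drops the packet. Presumably the datagram was already counted as delivered before rip_input() was called, but that code is outside the hunk. A one-line comment such as `/* packet was counted as delivered before dispatch; undo that, policy dropped it */` would make the intent clear. The drop is otherwise silent at this point: whether ipsec4_in_reject() itself records a policy-violation statistic is not visible from this page, and if it does not, a counter here would give operators something to monitor.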