author | gnn <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
commit | 0cd74db89b7c7ca5bface8b05ae8263c0a54217b (patch) | |
tree | 2bcfb09751e29be8d172ae9e835bab3e5c5699f2 /sys/netinet6/ip6_input.c | |
parent | 384e40af76655727c82190f4d5dc6c857583206e (diff) | |
Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files, the rest of the files
will follow in a second commit.
Reviewed by: bz
Approved by: re
Supported by: Secure Computing
Diffstat (limited to 'sys/netinet6/ip6_input.c')
-rw-r--r-- | sys/netinet6/ip6_input.c | 32 |
1 files changed, 12 insertions, 20 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index aa604bd..96e7850 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -101,17 +101,10 @@
 #include <netinet6/in6_ifattach.h>
 #include <netinet6/nd6.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#endif
-
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
+#include <netinet6/ip6_ipsec.h>
 #include <netipsec/ipsec6.h>
-#define IPSEC
 #endif /* FAST_IPSEC */
 #include <netinet6/ip6protosw.h>
@@ -230,16 +223,18 @@ ip6_input(m)
 int srcrt = 0;
 GIANT_REQUIRED; /* XXX for now */
-#ifdef IPSEC
+
+#ifdef FAST_IPSEC
 /*
 * should the inner packet be considered authentic?
 * see comment in ah4_input().
+ * NB: m cannot be NULL when passed to the input routine
 */
- if (m) {
- m->m_flags &= ~M_AUTHIPHDR;
- m->m_flags &= ~M_AUTHIPDGM;
- }
-#endif
+
+ m->m_flags &= ~M_AUTHIPHDR;
+ m->m_flags &= ~M_AUTHIPDGM;
+
+#endif /* FAST_IPSEC */
 /*
 * make sure we don't have onion peering information into m_tag.
@@ -766,18 +761,15 @@ passin:
 goto bad;
 }
-#ifdef IPSEC
+#ifdef FAST_IPSEC
 /*
 * enforce IPsec policy checking if we are seeing last header.
 * note that we do not visit this with protocols with pcb layer
 * code - like udp/tcp/raw ip.
 */
- if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec6_in_reject(m, NULL)) {
- ipsec6stat.in_polvio++;
+ if (ip6_ipsec_input(m, nxt))
 goto bad;
- }
-#endif
+#endif /* FAST_IPSEC */
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
 return; |
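Review bot: Removing `#define IPSEC` from the FAST_IPSEC include block means any `#ifdef IPSEC` region left elsewhere in ip6_input.c now compiles out silently; only the two guards shown in this diff are converted to `#ifdef FAST_IPSEC`. The rest of the file is not visible here, so it is worth confirming that no other `IPSEC`-guarded code remains, because a missed guard would disable a check without any build error.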
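Review bot: The NULL test on `m` at the top of ip6_input() is replaced only by a comment, so the invariant is unchecked before `m->m_flags` is dereferenced. An assertion ahead of the two flag clears, for example `KASSERT(m != NULL, ("ip6_input: NULL mbuf"));`, would document the requirement and catch a bad caller in kernels built with INVARIANTS. The body of ip6_input() starts and ends outside this hunk, so whether an earlier line already guarantees this cannot be seen here.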
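Review bot: The retained comment above `if (ip6_ipsec_input(m, nxt))` still says policy is enforced only on the last header, but the `PR_LASTHDR` test and the `ipsec6stat.in_polvio++` accounting are no longer visible at this call site. Presumably both moved into ip6_ipsec_input(), whose implementation is not part of this diff; that should be confirmed, since losing the counter would hide policy violations from the statistics. I would extend the comment with `* ip6_ipsec_input() applies the PR_LASTHDR test and returns non-zero when the packet must be dropped.` so the return convention is stated where the drop decision is made. The enclosing loop begins outside the hunk.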