Fixed the behavior when there is no inbound policy for the ipsec

tunneled packet.
When there is no suitable inbound policy for the packet of the ipsec
tunnel mode, the kernel never decapsulate the tunneled packet
as the ipsec tunnel mode even when the system wide policy is "none".
Then the kernel leaves the generic tunnel module to process this
packet.  If there is no rule of the generic tunnel, the packet
is rejected and the statistics will be counted up.

Obtained from:	KAME
MFC after:	1 week

1 files changed, 8 insertions, 0 deletions

diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6f4bd7d..0b276e8 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
 
 	sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 	    (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+	/*
+	 * when there is no suitable inbound policy for the packet of the ipsec
+	 * tunnel mode, the kernel never decapsulate the tunneled packet
+	 * as the ipsec tunnel mode even when the system wide policy is "none".
+	 * then the kernel leaves the generic tunnel module to process this
+	 * packet.  if there is no rule of the generic tunnel, the packet
+	 * is rejected and the statistics will be counted up.
+	 */
 	if (!sp)
 		return 0;
 	key_freesp(sp);