authorgnn <gnn@FreeBSD.org>2007-07-01 11:41:27 +0000
committergnn <gnn@FreeBSD.org>2007-07-01 11:41:27 +0000
commit0cd74db89b7c7ca5bface8b05ae8263c0a54217b (patch)
tree2bcfb09751e29be8d172ae9e835bab3e5c5699f2 /sys/netinet
parent384e40af76655727c82190f4d5dc6c857583206e (diff)
Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files; the rest of the files will follow in a second commit. Reviewed by: bz Approved by: re Supported by: Secure Computing
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in_pcb.c29
-rw-r--r--sys/netinet/in_pcb.h2
-rw-r--r--sys/netinet/in_proto.c43
-rw-r--r--sys/netinet/ip_fw2.c7
-rw-r--r--sys/netinet/ip_icmp.c8
-rw-r--r--sys/netinet/ip_input.c20
-rw-r--r--sys/netinet/ip_ipsec.c196
-rw-r--r--sys/netinet/ip_output.c29
-rw-r--r--sys/netinet/raw_ip.c12
-rw-r--r--sys/netinet/sctp_input.c4
-rw-r--r--sys/netinet/sctp_os_bsd.h8
-rw-r--r--sys/netinet/sctp_pcb.c10
-rw-r--r--sys/netinet/sctp_usrreq.c9
-rw-r--r--sys/netinet/tcp_input.c16
-rw-r--r--sys/netinet/tcp_output.c7
-rw-r--r--sys/netinet/tcp_subr.c13
-rw-r--r--sys/netinet/tcp_syncache.c12
-rw-r--r--sys/netinet/udp_usrreq.c12
18 files changed, 55 insertions, 382 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index e91ac55..edb7702 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -73,16 +73,8 @@
#include <netinet6/ip6_var.h>
#endif /* INET6 */
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
-#endif /* IPSEC */
#ifdef FAST_IPSEC
-#if defined(IPSEC) || defined(IPSEC_ESP)
-#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!"
-#endif
-
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
@@ -200,15 +192,12 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
mac_create_inpcb_from_socket(so, inp);
SOCK_UNLOCK(so);
#endif
-#if defined(IPSEC) || defined(FAST_IPSEC)
+
#ifdef FAST_IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
-#else
- error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
-#endif
if (error != 0)
goto out;
-#endif /*IPSEC*/
+#endif /*FAST_IPSEC*/
#ifdef INET6
if (INP_SOCKAF(so) == AF_INET6) {
inp->inp_vflag |= INP_IPV6PROTO;
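Review bot: With the condition now reduced to `#ifdef FAST_IPSEC`, a kernel built with only `options IPSEC` gets an in_pcballoc that never calls ipsec_init_policy(), and since the preceding hunk drops the `#error` that rejected mixed configurations, that spelling would no longer be diagnosed at build time. Unless conf/options or opt_ipsec.h already refuses the old option name, which I cannot see from the diff, a single central guard such as `#ifdef IPSEC` / `#error "IPSEC has been replaced by FAST_IPSEC"` / `#endif` would keep a stale kernel config from silently building without policy enforcement. in_pcballoc continues outside the hunk.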
@@ -226,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
INP_LOCK(inp);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
-#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC)
+#if defined(FAST_IPSEC) || defined(MAC)
out:
if (error != 0)
uma_zfree(pcbinfo->ipi_zone, inp);
@@ -535,10 +524,7 @@ in_pcbconnect(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred)
inp->inp_faddr.s_addr = faddr;
inp->inp_fport = fport;
in_pcbrehash(inp);
-#ifdef IPSEC
- if (inp->inp_socket->so_type == SOCK_STREAM)
- ipsec_pcbconn(inp->inp_sp);
-#endif
+
if (anonport)
inp->inp_flags |= INP_ANONPORT;
return (0);
@@ -698,9 +684,6 @@ in_pcbdisconnect(struct inpcb *inp)
inp->inp_faddr.s_addr = INADDR_ANY;
inp->inp_fport = 0;
in_pcbrehash(inp);
-#ifdef IPSEC
- ipsec_pcbdisconn(inp->inp_sp);
-#endif
}
/*
@@ -728,9 +711,9 @@ in_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(ipi);
INP_LOCK_ASSERT(inp);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
ipsec4_delete_pcbpolicy(inp);
-#endif /*IPSEC*/
+#endif /*FAST_IPSEC*/
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
if (inp->inp_options)
diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 1467b6a..0ae913f 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -125,7 +125,7 @@ struct inpcb {
struct label *inp_label; /* MAC label */
int inp_flags; /* generic IP/datagram flags */
- struct inpcbpolicy *inp_sp; /* for IPSEC */
+ struct inpcbpolicy *inp_sp; /* for IPSEC */
u_char inp_vflag; /* IP version flag (v4/v6) */
#define INP_IPV4 0x1
#define INP_IPV6 0x2
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index dbf9690..21d7413 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -69,15 +69,6 @@
static struct pr_usrreqs nousrreqs;
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netinet6/ah.h>
-#ifdef IPSEC_ESP
-#include <netinet6/esp.h>
-#endif
-#include <netinet6/ipcomp.h>
-#endif /* IPSEC */
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#endif /* FAST_IPSEC */
@@ -219,34 +210,6 @@ struct protosw inetsw[] = {
.pr_ctloutput = rip_ctloutput,
.pr_usrreqs = &rip_usrreqs
},
-#ifdef IPSEC
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inetdomain,
- .pr_protocol = IPPROTO_AH,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ah4_input,
- .pr_usrreqs = &nousrreqs
-},
-#ifdef IPSEC_ESP
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inetdomain,
- .pr_protocol = IPPROTO_ESP,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = esp4_input,
- .pr_usrreqs = &nousrreqs
-},
-#endif
-{
- .pr_type = SOCK_RAW,
- .pr_domain = &inetdomain,
- .pr_protocol = IPPROTO_IPCOMP,
- .pr_flags = PR_ATOMIC|PR_ADDR,
- .pr_input = ipcomp4_input,
- .pr_usrreqs = &nousrreqs
-},
-#endif /* IPSEC */
#ifdef FAST_IPSEC
{
.pr_type = SOCK_RAW,
@@ -412,11 +375,7 @@ SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
-#else
-#ifdef IPSEC
-SYSCTL_NODE(_net_inet, IPPROTO_AH, ipsec, CTLFLAG_RW, 0, "IPSEC");
-#endif /* IPSEC */
-#endif /* !FAST_IPSEC */
+#endif /* FAST_IPSEC */
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
#ifdef DEV_PFSYNC
SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC");
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index 1ee1908..367d67c 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -93,10 +93,6 @@
#include <altq/if_altq.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#endif
-
#include <netinet/ip6.h>
#include <netinet/icmp6.h>
#ifdef INET6
@@ -3151,9 +3147,6 @@ check_body:
match = (m_tag_find(m,
PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
#endif
-#ifdef IPSEC
- match = (ipsec_getnhist(m) != 0);
-#endif
/* otherwise no match */
break;
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index 2ccd6bd..c1a2ae4 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -59,15 +59,9 @@
#include <netinet/tcpip.h>
#include <netinet/icmp_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
-#endif
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
-#define IPSEC
#endif
#include <machine/in_cksum.h>
@@ -585,7 +579,7 @@ reflect:
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
(struct sockaddr *)&icmpgw);
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
-#ifdef IPSEC
+#ifdef FAST_IPSEC
key_sa_routechange((struct sockaddr *)&icmpsrc);
#endif
break;
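Review bot: Any `#ifdef IPSEC` left in ip_icmp.c outside this hunk now compiles out silently, because the preceding hunk removes the `#define IPSEC` alias that the FAST_IPSEC block used to set and only this one site around key_sa_routechange() is converted to `#ifdef FAST_IPSEC` here. The same alias is removed from tcp_output.c and tcp_subr.c in this commit, so a check of all three files for remaining `IPSEC` conditionals would confirm nothing else relied on it; I cannot verify that from the hunks shown. The enclosing switch case continues outside the hunk.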
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 640bce7..9a10230 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -70,9 +70,9 @@
#ifdef DEV_CARP
#include <netinet/ip_carp.h>
#endif
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
#include <netinet/ip_ipsec.h>
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
#include <sys/socketvar.h>
@@ -391,13 +391,13 @@ tooshort:
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (ip_ipsec_filtergif(m))
goto passin;
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/*
* Run through list of hooks for input packets.
@@ -601,10 +601,10 @@ passin:
ipstat.ips_cantforward++;
m_freem(m);
} else {
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
if (ip_ipsec_fwd(m))
goto bad;
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
ip_forward(m, dchg);
}
return;
@@ -645,7 +645,7 @@ ours:
*/
ip->ip_len -= hlen;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@@ -653,7 +653,7 @@ ours:
*/
if (ip_ipsec_input(m))
goto bad;
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/*
* Switch out to protocol's input routine.
@@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt)
type = ICMP_UNREACH;
code = ICMP_UNREACH_NEEDFRAG;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
mtu = ip_ipsec_mtu(m);
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/*
* If the MTU wasn't set before use the interface mtu or
* fall back to the next smaller mtu step compared to the
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 296da69..f240b41 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -55,16 +55,6 @@
#include <machine/in_cksum.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
-#ifdef IPSEC_DEBUG
-#include <netkey/key_debug.h>
-#else
-#define KEYDEBUG(lev,arg)
-#endif
-#endif /*IPSEC*/
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -81,13 +71,6 @@ extern struct protosw inetsw[];
int
ip_ipsec_filtergif(struct mbuf *m)
{
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
- /*
- * Bypass packet filtering for packets from a tunnel (gif).
- */
- if (ipsec_getnhist(m))
- return 1;
-#endif
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
@@ -112,17 +95,7 @@ ip_ipsec_fwd(struct mbuf *m)
struct tdb_ident *tdbi;
struct secpolicy *sp;
int s, error;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /*
- * Enforce inbound IPsec SPD.
- */
- if (ipsec4_in_reject(m, NULL)) {
- ipsecstat.in_polvio++;
- return 1;
- }
-#endif /* IPSEC */
-#ifdef FAST_IPSEC
+
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splnet();
if (mtag != NULL) {
@@ -169,20 +142,6 @@ ip_ipsec_input(struct mbuf *m)
struct tdb_ident *tdbi;
struct secpolicy *sp;
int s, error;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /*
- * enforce IPsec policy checking if we are seeing last header.
- * note that we do not visit this with protocols with pcb layer
- * code - like udp/tcp/raw ip.
- */
- if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec4_in_reject(m, NULL)) {
- ipsecstat.in_polvio++;
- return 1;
- }
-#endif
-#ifdef FAST_IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@@ -243,17 +202,10 @@ ip_ipsec_mtu(struct mbuf *m)
int ipsecerror;
int ipsechdr;
struct route *ro;
-#ifdef IPSEC
- sp = ipsec4_getpolicybyaddr(m,
- IPSEC_DIR_OUTBOUND,
- IP_FORWARDING,
- &ipsecerror);
-#else /* FAST_IPSEC */
sp = ipsec_getpolicybyaddr(m,
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
-#endif
if (sp != NULL) {
/* count IPsec header size */
ipsechdr = ipsec4_hdrsiz(m,
@@ -276,11 +228,7 @@ ip_ipsec_mtu(struct mbuf *m)
mtu -= ipsechdr;
}
}
-#ifdef IPSEC
- key_freesp(sp);
-#else /* FAST_IPSEC */
KEY_FREESP(&sp);
-#endif
}
return mtu;
}
@@ -296,152 +244,12 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
struct route **ro, struct route *iproute, struct sockaddr_in **dst,
struct in_ifaddr **ia, struct ifnet **ifp)
{
+#ifdef FAST_IPSEC
struct secpolicy *sp = NULL;
struct ip *ip = mtod(*m, struct ip *);
-#ifdef IPSEC
- struct ipsec_output_state state;
-#endif
-#ifdef FAST_IPSEC
struct tdb_ident *tdbi;
struct m_tag *mtag;
int s;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /* get SP for this packet */
- if (inp == NULL)
- sp = ipsec4_getpolicybyaddr(*m, IPSEC_DIR_OUTBOUND,
- *flags, error);
- else
- sp = ipsec4_getpolicybypcb(*m, IPSEC_DIR_OUTBOUND, inp, error);
-
- if (sp == NULL) {
- ipsecstat.out_inval++;
- goto bad;
- }
-
- /* check policy */
- switch (sp->policy) {
- case IPSEC_POLICY_DISCARD:
- /*
- * This packet is just discarded.
- */
- ipsecstat.out_polvio++;
- goto bad;
-
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- case IPSEC_POLICY_TCP:
- /* no need to do IPsec. */
- goto done;
-
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) {
- /* acquire a policy */
- *error = key_spdacquire(sp);
- goto bad;
- }
- break;
-
- case IPSEC_POLICY_ENTRUST:
- default:
- printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
- }
-
- bzero(&state, sizeof(state));
- state.m = *m;
- if (*flags & IP_ROUTETOIF) {
- state.ro = iproute;
- bzero(iproute, sizeof(iproute));
- } else
- state.ro = *ro;
- state.dst = (struct sockaddr *)(*dst);
-
- ip->ip_sum = 0;
-
- /*
- * XXX
- * delayed checksums are not currently compatible with IPsec
- */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(*m);
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
-
- *error = ipsec4_output(&state, sp, *flags);
-
- *m = state.m;
- if (*flags & IP_ROUTETOIF) {
- /*
- * if we have tunnel mode SA, we may need to ignore
- * IP_ROUTETOIF.
- */
- if (state.ro != iproute || state.ro->ro_rt != NULL) {
- *flags &= ~IP_ROUTETOIF;
- *ro = state.ro;
- }
- } else
- *ro = state.ro;
- *dst = (struct sockaddr_in *)state.dst;
- if (*error != 0) {
- /* mbuf is already reclaimed in ipsec4_output. */
- *m = NULL;
- switch (*error) {
- case EHOSTUNREACH:
- case ENETUNREACH:
- case EMSGSIZE:
- case ENOBUFS:
- case ENOMEM:
- break;
- default:
- printf("ip4_output (ipsec): error code %d\n", *error);
- /*fall through*/
- case ENOENT:
- /* don't show these error codes to the user */
- *error = 0;
- break;
- }
- goto bad;
- }
-
- /* be sure to update variables that are affected by ipsec4_output() */
- if ((*ro)->ro_rt == NULL) {
- if ((*flags & IP_ROUTETOIF) == 0) {
- printf("ip_output: "
- "can't update route after IPsec processing\n");
- *error = EHOSTUNREACH; /*XXX*/
- goto bad;
- }
- } else {
- if (state.encap) {
- *ia = ifatoia((*ro)->ro_rt->rt_ifa);
- *ifp = (*ro)->ro_rt->rt_ifp;
- }
- }
- ip = mtod(*m, struct ip *);
-
- /* make it flipped, again. */
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
-
-done:
- if (sp != NULL) {
- KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP ip_output call free SP:%p\n", sp));
- key_freesp(sp);
- }
- return 0;
-bad:
- if (sp != NULL) {
- KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP ip_output call free SP:%p\n", sp));
- key_freesp(sp);
- }
- return 1;
-#endif /*IPSEC*/
-#ifdef FAST_IPSEC
/*
* Check the security policy (SP) for the packet and, if
* required, do IPsec-related processing. There are two
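Review bot: Moving `#ifdef FAST_IPSEC` to directly after the opening brace places the whole body of ip_ipsec_output, declarations included, inside the conditional; if the matching `#endif` sits at the end of the function (outside this hunk) and ip_ipsec.c is ever compiled without FAST_IPSEC, this int-returning function falls off its end with no return value. That is harmless while the file is only built as part of the FAST_IPSEC option, which the diff does not show; a file-level `#ifndef FAST_IPSEC` / `#error` or a fallback return after the `#endif` would make the assumption explicit. ip_ipsec_output's body continues past the hunk.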
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 2b800dc..90a21ef 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -59,15 +59,10 @@
#include <netinet/ip_var.h>
#include <netinet/ip_options.h>
-#if defined(IPSEC) || defined(FAST_IPSEC)
-#include <netinet/ip_ipsec.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#endif
#ifdef FAST_IPSEC
+#include <netinet/ip_ipsec.h>
#include <netipsec/ipsec.h>
-#endif
-#endif /*IPSEC*/
+#endif /* FAST_IPSEC*/
#include <machine/in_cksum.h>
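Review bot: The closing comment `#endif /* FAST_IPSEC*/` is missing the space before `*/`; every other conditional this commit rewrites is written `#endif /* FAST_IPSEC */`, so this line should match for consistency.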
@@ -417,7 +412,7 @@ again:
}
sendit:
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {
case 1:
goto bad;
@@ -430,7 +425,7 @@ sendit:
/* Update variables that are affected by ipsec4_output(). */
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/* Jump over all PFIL processing if hooks are not active. */
if (!PFIL_HOOKED(&inet_pfil_hook))
@@ -539,10 +534,6 @@ passout:
ia->ia_ifa.if_opackets++;
ia->ia_ifa.if_obytes += m->m_pkthdr.len;
}
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
#ifdef MBUF_STRESS_TEST
if (mbuf_frag_size && m->m_pkthdr.len > mbuf_frag_size)
m = m_fragment(m, M_DONTWAIT, mbuf_frag_size);
@@ -575,10 +566,6 @@ passout:
for (; m; m = m0) {
m0 = m->m_nextpkt;
m->m_nextpkt = 0;
-#ifdef IPSEC
- /* clean ipsec history once it goes out of the node */
- ipsec_delaux(m);
-#endif
if (error == 0) {
/* Record statistics for this interface address. */
if (ia != NULL) {
@@ -979,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
INP_UNLOCK(inp);
break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
case IP_IPSEC_POLICY:
{
caddr_t req;
@@ -1013,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
-#endif /*IPSEC*/
+#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
@@ -1117,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
error = inp_getmoptions(inp, sopt);
break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
case IP_IPSEC_POLICY:
{
struct mbuf *m = NULL;
@@ -1135,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
-#endif /*IPSEC*/
+#endif /* FAST_IPSEC */
default:
error = ENOPROTOOPT;
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 5329c6c..cd0f64a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -70,10 +70,6 @@
#include <netipsec/ipsec.h>
#endif /*FAST_IPSEC*/
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#endif /*IPSEC*/
-
#include <security/mac/mac_framework.h>
struct inpcbhead ripcb;
@@ -159,16 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
INP_LOCK_ASSERT(last);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
policyfail = 1;
-#ifdef IPSEC
- ipsecstat.in_polvio++;
-#endif /*IPSEC*/
- /* do not inject data to pcb */
}
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
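Review bot: The rejected-packet branch `if (ipsec4_in_reject(n, last)) { policyfail = 1; }` no longer counts the policy violation anywhere, whereas the parallel sites this commit converts in udp_append, tcp_input and sctp_input all switch the counter to `ipsec4stat.in_polvio++;`. Unless raw sockets are deliberately excluded from that statistic, add `ipsec4stat.in_polvio++;` inside the block so that rejected raw-socket deliveries remain visible in the IPsec counters operators use to spot policy mismatches. raw_append continues outside the hunk.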
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index ad2f136..a66369b 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -4878,14 +4878,14 @@ sctp_skip_csum_4:
} else if (stcb == NULL) {
refcount_up = 1;
}
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/*
* I very much doubt any of the IPSEC stuff will work but I have no
* idea, so I will leave it in place.
*/
if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) {
- ipsecstat.in_polvio++;
+ ipsec4stat.in_polvio++;
SCTP_STAT_INCR(sctps_hdrops);
goto bad;
}
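Review bot: The retained comment "I very much doubt any of the IPSEC stuff will work but I have no idea, so I will leave it in place." now documents a path this commit actively converts to FAST_IPSEC and to the `ipsec4stat` counter. If the SCTP policy check was exercised as part of this work, the comment should say so instead, e.g. `/* Enforce inbound IPsec policy on the owning inpcb; drops are counted in ipsec4stat. */`; if it was not, the doubt is worth keeping but should name what remains untested. The enclosing function continues outside the hunk.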
diff --git a/sys/netinet/sctp_os_bsd.h b/sys/netinet/sctp_os_bsd.h
index a159e98..d3d6064 100644
--- a/sys/netinet/sctp_os_bsd.h
+++ b/sys/netinet/sctp_os_bsd.h
@@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$");
#include <netinet/icmp_var.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
#endif /* IPSEC */
#ifdef INET6
#include <sys/domain.h>
-#ifdef IPSEC
+#ifdef FAST_IPSEC
#include <netinet6/ipsec6.h>
#endif
#include <netinet/ip6.h>
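Review bot: `#include <netinet6/ipsec6.h>` under the new `#ifdef FAST_IPSEC` still pulls in the KAME header that this commit otherwise removes everywhere else; the FAST_IPSEC blocks in tcp_input.c and tcp_subr.c include `<netipsec/ipsec6.h>` instead, so this line most likely should read `#include <netipsec/ipsec6.h>`. The closing comment `#endif /* IPSEC */` on the first block is also left stale and should be `#endif /* FAST_IPSEC */` like the rest of the commit.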
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 6ec0f30..91d509c 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -1807,11 +1807,11 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
{
struct inpcbpolicy *pcb_sp = NULL;
- error = ipsec_init_pcbpolicy(so, &pcb_sp);
+ error = ipsec_init_policy(so, &pcb_sp);
/* Arrange to share the policy */
inp->ip_inp.inp.inp_sp = pcb_sp;
((struct in6pcb *)(&inp->ip_inp.inp))->in6p_sp = pcb_sp;
@@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
SCTP_INP_INFO_WUNLOCK();
return error;
}
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
SCTP_INCR_EP_COUNT();
inp->ip_inp.inp.inp_ip_ttl = ip_defttl;
SCTP_INP_INFO_WUNLOCK();
@@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
*/
cnt = 0;
if (so) {
-#ifdef IPSEC
+#ifdef FAST_IPSEC
ipsec4_delete_pcbpolicy(ip_pcb);
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
/* Unlocks not needed since the socket is gone now */
}
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 39a459e..446036b 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -485,9 +485,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
int error;
uint32_t vrf_id = SCTP_DEFAULT_VRFID;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
uint32_t flags;
-
#endif
inp = (struct sctp_inpcb *)so->so_pcb;
if (inp != 0) {
@@ -509,8 +508,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
ip_inp->inp_vflag |= INP_IPV4;
ip_inp->inp_ip_ttl = ip_defttl;
-#ifdef IPSEC
- error = ipsec_init_pcbpolicy(so, &ip_inp->inp_sp);
+#ifdef FAST_IPSEC
+ error = ipsec_init_policy(so, &ip_inp->inp_sp);
#ifdef SCTP_LOG_CLOSING
sctp_log_closing(inp, NULL, 17);
#endif
@@ -529,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
}
return error;
}
-#endif /* IPSEC */
+#endif /* FAST_IPSEC */
SCTP_INP_WUNLOCK(inp);
return 0;
}
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 82e36db..9d31c79 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -87,12 +87,6 @@
#include <netipsec/ipsec6.h>
#endif /*FAST_IPSEC*/
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netinet6/ipsec6.h>
-#include <netkey/key.h>
-#endif /*IPSEC*/
-
#include <machine/in_cksum.h>
#include <security/mac/mac_framework.h>
@@ -451,22 +445,18 @@ findpcb:
m->m_pkthdr.rcvif);
}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
#ifdef INET6
if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) {
-#ifdef IPSEC
ipsec6stat.in_polvio++;
-#endif
goto dropunlock;
} else
#endif /* INET6 */
if (inp != NULL && ipsec4_in_reject(m, inp)) {
-#ifdef IPSEC
- ipsecstat.in_polvio++;
-#endif
+ ipsec4stat.in_polvio++;
goto dropunlock;
}
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
/*
* If the INPCB does not exist then all data in the incoming
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index da30813..d80254a 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -72,13 +72,8 @@
#include <netinet/tcp_debug.h>
#endif
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#endif /*IPSEC*/
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
-#define IPSEC
#endif /*FAST_IPSEC*/
#include <machine/in_cksum.h>
@@ -700,7 +695,7 @@ send:
offsetof(struct ipoption, ipopt_list);
else
ipoptlen = 0;
-#ifdef IPSEC
+#ifdef FAST_IPSEC
ipoptlen += ipsec_hdrsiz_tcp(tp);
#endif
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 64c5364..589714f 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -91,14 +91,6 @@
#endif
#include <netinet6/ip6protosw.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#include <netkey/key.h>
-#endif /*IPSEC*/
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -106,7 +98,6 @@
#include <netipsec/ipsec6.h>
#endif
#include <netipsec/key.h>
-#define IPSEC
#endif /*FAST_IPSEC*/
#include <machine/in_cksum.h>
@@ -1643,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags)
}
#endif /* INET6 */
-#ifdef IPSEC
+#ifdef FAST_IPSEC
/* compute ESP/AH header size for TCP, including outer IP header. */
size_t
ipsec_hdrsiz_tcp(struct tcpcb *tp)
@@ -1684,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
m_free(m);
return (hdrsiz);
}
-#endif /*IPSEC*/
+#endif /* FAST_IPSEC */
/*
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 9d1d12d..9e03f32 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -80,13 +80,6 @@
#include <netinet6/tcp6_var.h>
#endif
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#ifdef INET6
-#include <netinet6/ipsec6.h>
-#endif
-#endif /*IPSEC*/
-
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#ifdef INET6
@@ -628,11 +621,6 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
inp->inp_lport = 0;
goto abort;
}
-#ifdef IPSEC
- /* Copy old policy into new socket's. */
- if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
- printf("syncache_socket: could not copy policy\n");
-#endif
#ifdef FAST_IPSEC
/* Copy old policy into new socket's. */
if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 04a4434..ae03b54 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -82,10 +82,6 @@
#include <netipsec/ipsec.h>
#endif
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#endif
-
#include <machine/in_cksum.h>
#include <security/mac/mac_framework.h>
@@ -499,16 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
INP_LOCK_ASSERT(inp);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, inp)) {
-#ifdef IPSEC
- ipsecstat.in_polvio++;
-#endif
+ ipsec4stat.in_polvio++;
m_freem(n);
return;
}
-#endif /*IPSEC || FAST_IPSEC*/
+#endif /* FAST_IPSEC */
#ifdef MAC
if (mac_check_inpcb_deliver(inp, n) != 0) {
m_freem(n);