-rw-r--r--sys/netinet6/ipsec.c8
-rw-r--r--sys/netkey/key.c22
2 files changed, 8 insertions, 22 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6f4bd7d..0b276e8 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
(struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+ /*
+ * when there is no suitable inbound policy for the packet of the ipsec
+ * tunnel mode, the kernel never decapsulate the tunneled packet
+ * as the ipsec tunnel mode even when the system wide policy is "none".
+ * then the kernel leaves the generic tunnel module to process this
+ * packet. if there is no rule of the generic tunnel, the packet
+ * is rejected and the statistics will be counted up.
+ */
if (!sp)
return 0;
key_freesp(sp);
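Review bot: The comment added ahead of `if (!sp)` is the only place the new behaviour is stated, and its wording is hard to follow (`the kernel never decapsulate`, `the statistics will be counted up`); a tightened version would say that key_gettunnel() no longer falls back to the system-wide default policy, so a NULL here means the packet is left to the generic tunnel code and, if no rule matches there, is dropped and counted. It would also help to name which counter is incremented, since "the statistics" is not anchored to anything visible in this function. Because the key.c hunk removes the default-policy fallback entirely, any other caller of key_gettunnel() now receives NULL where it previously got a reference-counted default policy; that is worth confirming across the tree. If the IPv4 tunnel validation path calls key_gettunnel() the same way, the same comment belongs there, but that cannot be seen from this hunk. ipsec6_tunnel_validate's body continues outside the hunk.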
diff --git a/sys/netkey/key.c b/sys/netkey/key.c
index 734b838..22b437e 100644
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@@ -577,28 +577,6 @@ key_gettunnel(osrc, odst, isrc, idst)
return NULL;
}
- /* if no SP found, use default policy. */
- if (LIST_FIRST(&sptree[dir]) == NULL) {
- switch (isrc->sa_family) {
- case PF_INET:
- if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip4_def_policy.refcnt++;
- return &ip4_def_policy;
-#ifdef INET6
- case PF_INET6:
- if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
- return NULL;
- ip6_def_policy.refcnt++;
- return &ip6_def_policy;
-#endif
- default:
- ipseclog((LOG_ERR, "invalid protocol family %d\n.",
- isrc->sa_family));
- return NULL;
- }
- }
-
s = splnet(); /*called from softclock()*/
LIST_FOREACH(sp, &sptree[dir], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)