summaryrefslogtreecommitdiffstats
path: root/sys/netinet/raw_ip.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netinet/raw_ip.c')
-rw-r--r--sys/netinet/raw_ip.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 144554a..de539fa 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -71,6 +71,10 @@
#include <netinet/ip_fw.h>
#include <netinet/ip_dummynet.h>
+#ifdef FAST_IPSEC
+#include <netipsec/ipsec.h>
+#endif /*FAST_IPSEC*/
+
#ifdef IPSEC
#include <netinet6/ipsec.h>
#endif /*IPSEC*/
@@ -157,6 +161,13 @@ rip_input(m, off)
/* do not inject data to pcb */
}
#endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(n, last)) {
+ policyfail = 1;
+ /* do not inject data to pcb */
+ }
+#endif /*FAST_IPSEC*/
#ifdef MAC
if (policyfail == 0 &&
mac_check_socket_deliver(last->inp_socket,
@@ -195,6 +206,15 @@ rip_input(m, off)
return;
}
#endif /*IPSEC*/
+#ifdef FAST_IPSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(m, last)) {
+ m_freem(m);
+ ipstat.ips_delivered--;
+ /* do not inject data to pcb */
+ return;
+ }
+#endif /*FAST_IPSEC*/
#ifdef MAC
if (mac_check_socket_deliver(last->inp_socket, m) != 0) {
m_freem(m);
OpenPOWER on IntegriCloud