From de3407d02868da17b84be20a37bee2f9d4b5ad99 Mon Sep 17 00:00:00 2001 From: ume Date: Tue, 3 Feb 2004 18:20:55 +0000 Subject: pass pcb rather than so. it is expected that per socket policy works again. --- sys/netinet/ip_output.c | 10 +-- sys/netinet/raw_ip.c | 2 +- sys/netinet/tcp_input.c | 4 +- sys/netinet/tcp_output.c | 7 --- sys/netinet/tcp_reass.c | 4 +- sys/netinet/udp_usrreq.c | 2 +- sys/netinet6/icmp6.c | 8 --- sys/netinet6/ip6_output.c | 9 +-- sys/netinet6/ipsec.c | 148 ++++++++++++++++++++------------------------- sys/netinet6/ipsec.h | 11 +--- sys/netinet6/ipsec6.h | 2 + sys/netinet6/nd6_nbr.c | 8 --- sys/netinet6/raw_ip6.c | 11 +--- sys/netinet6/udp6_output.c | 6 -- sys/netinet6/udp6_usrreq.c | 6 +- 15 files changed, 84 insertions(+), 154 deletions(-) diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 733df47..a872c00 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -144,7 +144,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, struct in_addr pkt_dst; struct route iproute; #ifdef IPSEC - struct socket *so; struct secpolicy *sp = NULL; #endif #ifdef FAST_IPSEC @@ -195,11 +194,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, } m = m0; -#ifdef IPSEC - so = ipsec_getsocket(m); - (void)ipsec_setsocket(m, NULL); -#endif /*IPSEC*/ - M_ASSERTPKTHDR(m); if (ro == NULL) { @@ -481,11 +475,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, sendit: #ifdef IPSEC /* get SP for this packet */ - if (so == NULL) + if (inp == NULL) sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error); else - sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); + sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); if (sp == NULL) { ipsecstat.out_inval++; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index bd65e81..eff86d3 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c 
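Review bot: The `inp == NULL` test at `sendit:` is now the only switch between per-socket and address-based policy, so a caller that sends socket-originated traffic with a NULL pcb would be matched against the system-wide SPD alone and its socket policy skipped. The old code took the socket from the mbuf via `ipsec_getsocket(m)` and did not depend on that argument; the call sites are outside this diff, so each ip_output() caller that used to rely on `ipsec_setsocket()` should be checked for passing its pcb. A comment on the branch would record the contract, e.g. `/* inp == NULL: no owning pcb (forwarded or kernel-generated packet), look up the SPD by address */`. The same applies to the `inp == NULL` test in the ip6_output.c hunk, and ip_output()'s body extends beyond these hunks.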
@@ -147,7 +147,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) #ifdef IPSEC /* check AH/ESP integrity. */ - if (ipsec4_in_reject_so(n, last->inp_socket)) { + if (ipsec4_in_reject(n, last)) { policyfail = 1; ipsecstat.in_polvio++; /* do not inject data to pcb */ diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index eef736c..2b7f99a 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -572,12 +572,12 @@ findpcb: #ifdef IPSEC if (isipv6) { - if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec6_in_reject(m, inp)) { ipsec6stat.in_polvio++; goto drop; } } else { - if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec4_in_reject(m, inp)) { ipsecstat.in_polvio++; goto drop; } diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index c44fa96..f30d6c3 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -878,13 +878,6 @@ send: ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL); /* TODO: IPv6 IP6TOS_ECT bit on */ -#if defined(IPSEC) && !defined(FAST_IPSEC) - if (ipsec_setsocket(m, so) != 0) { - m_freem(m); - error = ENOBUFS; - goto out; - } -#endif /*IPSEC*/ error = ip6_output(m, tp->t_inpcb->in6p_outputopts, NULL, (so->so_options & SO_DONTROUTE), NULL, NULL, diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index eef736c..2b7f99a 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -572,12 +572,12 @@ findpcb: #ifdef IPSEC if (isipv6) { - if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec6_in_reject(m, inp)) { ipsec6stat.in_polvio++; goto drop; } } else { - if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec4_in_reject(m, inp)) { ipsecstat.in_polvio++; goto drop; } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 02a0e77..3852583 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c 
@@ -455,7 +455,7 @@ udp_append(last, ip, n, off) #ifdef IPSEC /* check AH/ESP integrity. */ - if (ipsec4_in_reject_so(n, last->inp_socket)) { + if (ipsec4_in_reject(n, last)) { ipsecstat.in_polvio++; m_freem(n); return; diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 6baa2db..5ef4fff 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -2203,10 +2203,6 @@ icmp6_reflect(m, off) */ m->m_flags &= ~(M_BCAST|M_MCAST); -#ifdef IPSEC - /* Don't lookup socket */ - (void)ipsec_setsocket(m, NULL); -#endif /* IPSEC */ #ifdef COMPAT_RFC1885 ip6_output(m, NULL, &icmp6_reflect_rt, 0, NULL, &outif, NULL); @@ -2714,10 +2710,6 @@ noredhdropt:; sizeof(*ip6), ntohs(ip6->ip6_plen)); /* send the packet to outside... */ -#ifdef IPSEC - /* Don't lookup socket */ - (void)ipsec_setsocket(m, NULL); -#endif /* IPSEC */ ip6_output(m, NULL, NULL, 0, NULL, &outif, NULL); if (outif) { icmp6_ifstat_inc(outif, ifs6_out_msg); diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 821a035..fc69de1 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -191,12 +191,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) #endif /* FAST_IPSEC */ #ifdef IPSEC int needipsectun = 0; - struct socket *so; struct secpolicy *sp = NULL; - - /* for AH processing. stupid to have "socket" variable in IP layer... */ - so = ipsec_getsocket(m); - (void)ipsec_setsocket(m, NULL); #endif /* IPSEC */ ip6 = mtod(m, struct ip6_hdr *); @@ -240,10 +235,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) #ifdef IPSEC /* get a security policy for this packet */ - if (so == NULL) + if (inp == NULL) sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error); else - sp = ipsec6_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); + sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); if (sp == NULL) { ipsec6stat.out_inval++; diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c index 240cc29..5bb7c93 100644 --- a/sys/netinet6/ipsec.c 
+++ b/sys/netinet6/ipsec.c @@ -409,10 +409,10 @@ ipsec_invalpcbcacheall() * NOTE: IPv6 mapped adddress concern is implemented here. */ struct secpolicy * -ipsec4_getpolicybysock(m, dir, so, error) +ipsec4_getpolicybypcb(m, dir, inp, error) struct mbuf *m; u_int dir; - struct socket *so; + struct inpcb *inp; int *error; { struct inpcbpolicy *pcbsp = NULL; @@ -422,21 +422,10 @@ ipsec4_getpolicybysock(m, dir, so, error) u_int16_t tag; /* sanity check */ - if (m == NULL || so == NULL || error == NULL) + if (m == NULL || inp == NULL || error == NULL) panic("ipsec4_getpolicybysock: NULL pointer was passed."); - switch (so->so_proto->pr_domain->dom_family) { - case AF_INET: - pcbsp = sotoinpcb(so)->inp_sp; - break; -#ifdef INET6 - case AF_INET6: - pcbsp = sotoin6pcb(so)->in6p_sp; - break; -#endif - default: - panic("ipsec4_getpolicybysock: unsupported address family"); - } + pcbsp = inp->inp_sp; #ifdef DIAGNOSTIC if (pcbsp == NULL) @@ -555,6 +544,19 @@ ipsec4_getpolicybysock(m, dir, so, error) /* NOTREACHED */ } +struct secpolicy * +ipsec4_getpolicybysock(m, dir, so, error) + struct mbuf *m; + u_int dir; + struct socket *so; + int *error; +{ + + if (so == NULL) + panic("ipsec4_getpolicybysock: NULL pointer was passed.\n"); + return (ipsec4_getpolicybypcb(m, dir, sotoinpcb(so), error)); +} + /* * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, * and return a pointer to SP. @@ -624,10 +626,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error) * others: a pointer to SP */ struct secpolicy * -ipsec6_getpolicybysock(m, dir, so, error) +ipsec6_getpolicybypcb(m, dir, inp, error) struct mbuf *m; u_int dir; - struct socket *so; + struct inpcb *inp; int *error; { struct inpcbpolicy *pcbsp = NULL; 
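Review bot: The sanity-check panic in ipsec4_getpolicybypcb() still names `ipsec4_getpolicybysock`, and the new wrapper of that name panics with almost the same text, so the message no longer identifies which function was handed the NULL pointer. The string should follow the rename: `panic("ipsec4_getpolicybypcb: NULL pointer was passed.");`. The ipsec6_getpolicybypcb() hunk carries the same stale name in both its NULL check and its DIAGNOSTIC `socket domain != inet6` panic. The function body continues outside the hunk.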
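Review bot: The compatibility wrapper ipsec4_getpolicybysock() applies `sotoinpcb(so)` without the address-family check that the removed `switch` performed, so a socket from another domain would have its pcb read as a `struct inpcb` instead of reaching the `unsupported address family` panic. Whether any remaining caller can pass such a socket is not visible in this diff, but the wrapper exists for legacy callers and is the natural place to keep that check. The ipsec6_getpolicybysock() wrapper added further down likewise relies on the `inp_vflag` test in ipsec6_getpolicybypcb(), which is compiled only under DIAGNOSTIC.

```c
ipsec4_getpolicybysock(m, dir, so, error)
	/* … unchanged: parameter declarations and so == NULL panic … */
	/* so_pcb is only an inpcb for inet/inet6 sockets */
	switch (so->so_proto->pr_domain->dom_family) {
	case AF_INET:
#ifdef INET6
	case AF_INET6:
#endif
		break;
	default:
		panic("ipsec4_getpolicybysock: unsupported address family");
	}
	return (ipsec4_getpolicybypcb(m, dir, sotoinpcb(so), error));
```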
@@ -637,15 +639,15 @@ ipsec6_getpolicybysock(m, dir, so, error) u_int16_t tag; /* sanity check */ - if (m == NULL || so == NULL || error == NULL) + if (m == NULL || inp == NULL || error == NULL) panic("ipsec6_getpolicybysock: NULL pointer was passed."); #ifdef DIAGNOSTIC - if (so->so_proto->pr_domain->dom_family != AF_INET6) + if ((inp->inp_vflag & INP_IPV6PROTO) == 0) panic("ipsec6_getpolicybysock: socket domain != inet6"); #endif - pcbsp = sotoin6pcb(so)->in6p_sp; + pcbsp = inp->in6p_sp; #ifdef DIAGNOSTIC if (pcbsp == NULL) @@ -765,6 +767,19 @@ ipsec6_getpolicybysock(m, dir, so, error) /* NOTREACHED */ } +struct secpolicy * +ipsec6_getpolicybysock(m, dir, so, error) + struct mbuf *m; + u_int dir; + struct socket *so; + int *error; +{ + + if (so == NULL) + panic("ipsec6_getpolicybysock: NULL pointer was passed.\n"); + return (ipsec6_getpolicybypcb(m, dir, sotoin6pcb(so), error)); +} + /* * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet, * and return a pointer to SP. @@ -1821,9 +1836,9 @@ ipsec_in_reject(sp, m) * and {ah,esp}4_input for tunnel mode */ int -ipsec4_in_reject_so(m, so) +ipsec4_in_reject(m, inp) struct mbuf *m; - struct socket *so; + struct inpcb *inp; { struct secpolicy *sp = NULL; int error; @@ -1837,11 +1852,11 @@ ipsec4_in_reject_so(m, so) * When we are called from ip_forward(), we call * ipsec4_getpolicybyaddr() with IP_FORWARDING flag. */ - if (so == NULL) + if (inp == NULL) sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); else - sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); + sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error); /* XXX should be panic ? -> No, there may be error. */ if (sp == NULL) 
@@ -1849,23 +1864,20 @@ ipsec4_in_reject_so(m, so) result = ipsec_in_reject(sp, m); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP ipsec4_in_reject_so call free SP:%p\n", sp)); + printf("DP ipsec4_in_reject call free SP:%p\n", sp)); key_freesp(sp); return result; } int -ipsec4_in_reject(m, inp) +ipsec4_in_reject_so(m, so) struct mbuf *m; - struct inpcb *inp; + struct socket *so; { - if (inp == NULL) - return ipsec4_in_reject_so(m, NULL); - if (inp->inp_socket) - return ipsec4_in_reject_so(m, inp->inp_socket); - else - panic("ipsec4_in_reject: invalid inpcb/socket"); + if (so == NULL) + return ipsec4_in_reject(m, NULL); + return ipsec4_in_reject(m, sotoinpcb(so)); } #ifdef INET6 @@ -1875,9 +1887,9 @@ ipsec4_in_reject(m, inp) * and {ah,esp}6_input for tunnel mode */ int -ipsec6_in_reject_so(m, so) +ipsec6_in_reject(m, in6p) struct mbuf *m; - struct socket *so; + struct in6pcb *in6p; { struct secpolicy *sp = NULL; int error; 
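Review bot: In the new ipsec4_in_reject_so(), a non-NULL socket whose `sotoinpcb(so)` is NULL is passed on as `inp == NULL`, which ipsec4_in_reject() treats as the forwarding case and checks against the address-based policy with `IP_FORWARDING` rather than the socket's own policy. Whether a socket can reach this wrapper without a pcb cannot be determined from this diff, but if it can, the inbound check would quietly apply a different policy than intended. Failing closed is the safer default, e.g. `if (sotoinpcb(so) == NULL) return 1;` before the final return. The ipsec6_in_reject_so() wrapper in the following ipsec6 hunk has the same shape.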
@@ -1891,34 +1903,31 @@ ipsec6_in_reject_so(m, so) * When we are called from ip_forward(), we call * ipsec6_getpolicybyaddr() with IP_FORWARDING flag. */ - if (so == NULL) + if (in6p == NULL) sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); else - sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error); + sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error); if (sp == NULL) return 0; /* XXX should be panic ? */ result = ipsec_in_reject(sp, m); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP ipsec6_in_reject_so call free SP:%p\n", sp)); + printf("DP ipsec6_in_reject call free SP:%p\n", sp)); key_freesp(sp); return result; } int -ipsec6_in_reject(m, in6p) +ipsec6_in_reject_so(m, so) struct mbuf *m; - struct in6pcb *in6p; + struct socket *so; { - if (in6p == NULL) - return ipsec6_in_reject_so(m, NULL); - if (in6p->in6p_socket) - return ipsec6_in_reject_so(m, in6p->in6p_socket); - else - panic("ipsec6_in_reject: invalid in6p/socket"); + if (so == NULL) + return ipsec6_in_reject(m, NULL); + return ipsec6_in_reject(m, sotoin6pcb(so)); } #endif @@ -2012,8 +2021,11 @@ ipsec4_hdrsiz(m, dir, inp) /* sanity check */ if (m == NULL) return 0; /* XXX should be panic ? */ +#if 0 + /* this is possible in TIME_WAIT state */ if (inp != NULL && inp->inp_socket == NULL) panic("ipsec4_hdrsize: why is socket NULL but there is PCB."); +#endif /* get SP for this packet. * When we are called from ip_forward(), we call @@ -2022,7 +2034,7 @@ ipsec4_hdrsiz(m, dir, inp) if (inp == NULL) sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error); else - sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error); + sp = ipsec4_getpolicybypcb(m, dir, inp, &error); if (sp == NULL) return 0; /* XXX should be panic ? */ 
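Review bot: With the `inp->inp_socket == NULL` panic disabled, ipsec4_hdrsiz() now knowingly passes a socketless TIME_WAIT pcb to ipsec4_getpolicybypcb(), so that function and whatever it calls must never follow `inp->inp_socket`; most of its body lies outside this diff and should be checked for that. The disabled check would read better deleted than left under `#if 0`, with the reason kept as a comment such as `/* inp->inp_socket may be NULL in TIME_WAIT; policy is taken from the pcb itself */`. The ipsec6_hdrsiz() hunk that follows does the same and wants the same treatment.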
@@ -2054,15 +2066,18 @@ ipsec6_hdrsiz(m, dir, in6p) /* sanity check */ if (m == NULL) return 0; /* XXX should be panic ? */ +#if 0 + /* this is possible in TIME_WAIT state */ if (in6p != NULL && in6p->in6p_socket == NULL) panic("ipsec6_hdrsize: why is socket NULL but there is PCB."); +#endif /* get SP for this packet */ /* XXX Is it right to call with IP_FORWARDING. */ if (in6p == NULL) sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error); else - sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error); + sp = ipsec6_getpolicybypcb(m, dir, in6p, &error); if (sp == NULL) return 0; @@ -3625,42 +3640,7 @@ ipsec_optaux(m, aux) if (aux == NULL) return; - if (!aux->so && !aux->sp) - ipsec_delaux(m); -} - -int -ipsec_setsocket(m, so) - struct mbuf *m; - struct socket *so; -{ - struct ipsecaux *aux; - - /* if so == NULL, don't insist on getting the aux mbuf */ - if (so) { - aux = ipsec_addaux(m); - if (aux == NULL) - return ENOBUFS; - } else - aux = ipsec_findaux(m); - if (aux != NULL) { - aux->so = so; - } - ipsec_optaux(m, aux); - return 0; -} - -struct socket * -ipsec_getsocket(m) - struct mbuf *m; -{ - struct ipsecaux *aux; - - aux = ipsec_findaux(m); - if (aux != NULL) - return aux->so; - else - return NULL; + ipsec_delaux(m); } int diff --git a/sys/netinet6/ipsec.h b/sys/netinet6/ipsec.h index 58a4ff9..d74a066 100644 --- a/sys/netinet6/ipsec.h +++ b/sys/netinet6/ipsec.h @@ -149,11 +149,7 @@ struct secspacq { }; struct ipsecaux { - struct socket *so; int hdrs; /* # of ipsec headers */ - - struct secpolicy *sp; - struct ipsecrequest *req; }; #endif /* _KERNEL */ 
@@ -335,12 +331,13 @@ extern int ipsec_pcbconn __P((struct inpcbpolicy *)); extern int ipsec_pcbdisconn __P((struct inpcbpolicy *)); extern int ipsec_invalpcbcacheall __P((void)); +struct inpcb; +extern struct secpolicy *ipsec4_getpolicybypcb + __P((struct mbuf *, u_int, struct inpcb *, int *)); extern struct secpolicy *ipsec4_getpolicybysock __P((struct mbuf *, u_int, struct socket *, int *)); extern struct secpolicy *ipsec4_getpolicybyaddr __P((struct mbuf *, u_int, int, int *)); -extern struct secpolicy *ipsec4_getpolicybytag - __P((struct mbuf *, u_int, int *)); struct inpcb; extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **)); @@ -376,8 +373,6 @@ extern int ipsec4_tunnel_validate __P((struct mbuf *, int, u_int, struct secasvar *)); extern struct mbuf *ipsec_copypkt __P((struct mbuf *)); extern void ipsec_delaux __P((struct mbuf *)); -extern int ipsec_setsocket __P((struct mbuf *, struct socket *)); -extern struct socket *ipsec_getsocket __P((struct mbuf *)); extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t)); extern int ipsec_getnhist __P((struct mbuf *)); extern void ipsec_clearhist __P((struct mbuf *)); diff --git a/sys/netinet6/ipsec6.h b/sys/netinet6/ipsec6.h index e99dea3..978635e 100644 --- a/sys/netinet6/ipsec6.h +++ b/sys/netinet6/ipsec6.h @@ -51,6 +51,8 @@ extern int ip6_ipsec_ecn; extern int ip6_esp_randpad; struct inpcb; +extern struct secpolicy *ipsec6_getpolicybypcb + __P((struct mbuf *, u_int, struct inpcb *, int *)); extern struct secpolicy *ipsec6_getpolicybysock __P((struct mbuf *, u_int, struct socket *, int *)); extern struct secpolicy *ipsec6_getpolicybyaddr diff --git a/sys/netinet6/nd6_nbr.c b/sys/netinet6/nd6_nbr.c index fcda84f..8a26928 100644 --- a/sys/netinet6/nd6_nbr.c +++ b/sys/netinet6/nd6_nbr.c 
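Review bot: The `struct inpcb;` forward declaration added in ipsec.h duplicates the one already present a few lines below, ahead of `ipsec_init_pcbpolicy`; moving the existing declaration up instead would avoid the repeat. In ipsec6.h, `ipsec6_getpolicybypcb` is declared with `struct inpcb *` while ipsec6_in_reject() and ipsec6_hdrsiz() pass a `struct in6pcb *`, which compiles cleanly only if `in6pcb` is an alias for `inpcb`. That is presumably true in this tree, but a one-line comment on the prototype, e.g. `/* in6pcb is the same structure as inpcb */`, would make the dependency explicit.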
@@ -487,10 +487,6 @@ nd6_ns_output(ifp, daddr6, taddr6, ln, dad) nd_ns->nd_ns_cksum = in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len); -#ifdef IPSEC - /* Don't lookup socket */ - (void)ipsec_setsocket(m, NULL); -#endif ip6_output(m, NULL, NULL, dad ? IPV6_DADOUTPUT : 0, &im6o, &outif, NULL); if (outif) { icmp6_ifstat_inc(outif, ifs6_out_msg); @@ -932,10 +928,6 @@ nd6_na_output(ifp, daddr6, taddr6, flags, tlladdr, sdl0) nd_na->nd_na_cksum = in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len); -#ifdef IPSEC - /* Don't lookup socket */ - (void)ipsec_setsocket(m, NULL); -#endif ip6_output(m, NULL, NULL, 0, &im6o, &outif, NULL); if (outif) { icmp6_ifstat_inc(outif, ifs6_out_msg); diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 36e3fbc..56f3758 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c @@ -180,7 +180,7 @@ rip6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (n && ipsec6_in_reject_so(n, last->inp_socket)) { + if (n && ipsec6_in_reject(n, last)) { m_freem(n); ipsec6stat.in_polvio++; /* do not inject data into pcb */ @@ -219,7 +219,7 @@ rip6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (last && ipsec6_in_reject_so(m, last->inp_socket)) { + if (last && ipsec6_in_reject(m, last)) { m_freem(m); ipsec6stat.in_polvio++; ip6stat.ip6s_delivered--; @@ -467,13 +467,6 @@ rip6_output(m, va_alist) *p = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen); } -#ifdef IPSEC - if (ipsec_setsocket(m, so) != 0) { - error = ENOBUFS; - goto bad; - } -#endif /*IPSEC*/ - error = ip6_output(m, in6p->in6p_outputopts, NULL, 0, in6p->in6p_moptions, &oifp, in6p); if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) { diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c index d905e84..5de9188 100644 --- a/sys/netinet6/udp6_output.c +++ b/sys/netinet6/udp6_output.c 
@@ -288,12 +288,6 @@ udp6_output(in6p, m, addr6, control, td) flags = 0; udp6stat.udp6s_opackets++; -#ifdef IPSEC - if (ipsec_setsocket(m, in6p->in6p_socket) != 0) { - error = ENOBUFS; - goto release; - } -#endif /* IPSEC */ error = ip6_output(m, in6p->in6p_outputopts, NULL, flags, in6p->in6p_moptions, NULL, in6p); break; diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index e0612b3..deb2a31 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -261,7 +261,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject_so(m, last->inp_socket)) + if (ipsec6_in_reject(m, last)) ipsec6stat.in_polvio++; /* do not inject data into pcb */ else @@ -327,7 +327,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject_so(m, last->inp_socket)) { + if (ipsec6_in_reject(m, last)) { ipsec6stat.in_polvio++; goto bad; } @@ -383,7 +383,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject_so(m, in6p->inp_socket)) { + if (ipsec6_in_reject(m, in6p)) { ipsec6stat.in_polvio++; goto bad; } -- cgit v1.1