From a58314c120ff61c5d13a16a3e358cd3a7b2199e1 Mon Sep 17 00:00:00 2001
From: ume <ume@FreeBSD.org>
Date: Tue, 6 Nov 2001 22:45:29 +0000
Subject: Fixed the behavior when there is no inbound policy for the ipsec
 tunneled packet. When there is no suitable inbound policy for the packet of
 the ipsec tunnel mode, the kernel never decapsulate the tunneled packet as
 the ipsec tunnel mode even when the system wide policy is "none". Then the
 kernel leaves the generic tunnel module to process this packet.  If there is
 no rule of the generic tunnel, the packet is rejected and the statistics will
 be counted up.

Obtained from:	KAME
MFC after:	1 week
---
 sys/netinet6/ipsec.c | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'sys/netinet6')

diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 6f4bd7d..0b276e8 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -3329,6 +3329,14 @@ ipsec6_tunnel_validate(m, off, nxt0, sav)
 
 	sp = key_gettunnel((struct sockaddr *)&osrc, (struct sockaddr *)&odst,
 	    (struct sockaddr *)&isrc, (struct sockaddr *)&idst);
+	/*
+	 * when there is no suitable inbound policy for the packet of the ipsec
+	 * tunnel mode, the kernel never decapsulate the tunneled packet
+	 * as the ipsec tunnel mode even when the system wide policy is "none".
+	 * then the kernel leaves the generic tunnel module to process this
+	 * packet.  if there is no rule of the generic tunnel, the packet
+	 * is rejected and the statistics will be counted up.
+	 */
 	if (!sp)
 		return 0;
 	key_freesp(sp);
-- 
cgit v1.1