add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoing

SA to be used, use this SA in ip_output if available. allow mobile road
warriors for bind SAs with wildcard dst and src addresses. check IPSEC
AUTH and ESP level when receiving packets, drop them if protection is
insufficient. add stats to show dropped packets because of insufficient
IPSEC protection. -- phew.  this was all done in canada. dugsong and linh
provided the ride and company.

1 files changed, 4 insertions, 1 deletions

diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h
index 176ce07a742..cb753c3ae82 100644
--- a/sys/netinet/in_pcb.h
+++ b/sys/netinet/in_pcb.h
@@ -1,4 +1,4 @@
-/*	$OpenBSD: in_pcb.h,v 1.16 1999/03/24 02:33:02 cmetz Exp $	*/
+/*	$OpenBSD: in_pcb.h,v 1.17 1999/03/27 21:04:19 provos Exp $	*/
 /*	$NetBSD: in_pcb.h,v 1.14 1996/02/13 23:42:00 christos Exp $	*/
 
 /*
@@ -40,6 +40,7 @@
 #include <netinet6/ipv6.h>
 #include <netinet6/ipv6_var.h>
 #include <netinet6/icmpv6.h>
+#include <netinet/ip_ipsp.h>
 
 union inpaddru {
 	struct in6_addr iau_addr6;
@@ -99,6 +100,8 @@ struct inpcb {
 #define SR_FAILED         1             /* Negotiation failed permanently */
 #define SR_SUCCESS        2             /* SA successfully established */
 #define SR_WAIT           3             /* Waiting for SA */
+	TAILQ_ENTRY(inpcb) inp_tdb_next;
+	struct tdb     *inp_tdb;	/* If tdb_dst matches our dst, use */
 	int	inp_fflowinfo;          /* Foreign flowlabel & priority */
 	int	inp_csumoffset;
 	struct	icmpv6_filter inp_filter;