authorAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-09 22:17:58 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>2000-01-09 22:17:58 +0000
commitf565db147e7d249e28ce512349bfac07ab44f561 (patch)
tree0f75dd213243e61dcffa8c001faed1b947696b3f /sys/netinet
parent8f8953eb3c984f4a840336aa6e50f76aa9d66e55 (diff)
Add a sysctl for IPsec ingress access control (better explanation on a
follow-up commit).
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in.h6
-rw-r--r--sys/netinet/ip_input.c6
2 files changed, 9 insertions, 3 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 056d9a7804b..eede25749aa 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.30 2000/01/07 21:45:22 angelos Exp $ */
+/* $OpenBSD: in.h,v 1.31 2000/01/09 22:17:56 angelos Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -606,7 +606,8 @@ struct in6_pktinfo {
#define IPCTL_IPPORT_MAXQUEUE 11
#define IPCTL_ENCDEBUG 12
#define IPCTL_GIF_TTL 13 /* default TTL for gif encap packet */
-#define IPCTL_MAXID 14
+#define IPCTL_IPSEC_ACL 14 /* Ingress IPsec access control */
+#define IPCTL_MAXID 15
#define IPCTL_NAMES { \
{ 0, 0 }, \
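Review bot: The comment on `IPCTL_IPSEC_ACL` does not say which value turns the check on, and the names point in opposite directions. The node is published as `ipsec-acl` (next hunk of this file), but ip_input.c wires it to a variable called `ipsp_allow_all`, so judging by the names, writing 1 disables the access control rather than enabling it. An administrator who sets `ipsec-acl=1` expecting enforcement would get the permissive mode. I would state the polarity on the define, e.g. `#define IPCTL_IPSEC_ACL 14 /* 1 = accept all ingress IPsec, 0 = enforce ACL */` (to be confirmed against the code that reads the variable), or rename the node so its name matches its sense. `"ipsec-acl"` is also the only hyphenated name among the IPCTL_NAMES entries visible here (`"maxqueue"`, `"encdebug"`, `"gifttl"`).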
@@ -623,6 +624,7 @@ struct in6_pktinfo {
{ "maxqueue", CTLTYPE_INT }, \
{ "encdebug", CTLTYPE_INT }, \
{ "gifttl", CTLTYPE_INT }, \
+ { "ipsec-acl", CTLTYPE_INT }, \
}
/* INET6 stuff */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index a97d8cbd491..a780d777a74 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.44 1999/12/08 06:50:20 itojun Exp $ */
+/* $OpenBSD: ip_input.c,v 1.45 2000/01/09 22:17:57 angelos Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -78,6 +78,7 @@
#endif
int encdebug = 0;
+int ipsp_allow_all = 1;
/*
* Note: DIRECTED_BROADCAST is handled this way so that previous
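Review bot: `ipsp_allow_all` is initialised to 1 with no comment, so the new control appears to ship in its permissive state and only takes effect once someone changes the sysctl. If that default is deliberate for compatibility, it should be recorded next to the definition, e.g. `int ipsp_allow_all = 1; /* 1: no ingress IPsec ACL check (default); 0: enforce */`, with the exact semantics confirmed against the consumer. Nothing in the sys/netinet part of this commit reads the variable, so the code that honours it is presumably elsewhere or in the follow-up commit the message mentions. Until that lands, the knob is writable but has no visible effect.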
@@ -1491,6 +1492,9 @@ ip_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
&ip_maxqueue));
case IPCTL_ENCDEBUG:
return (sysctl_int(oldp, oldlenp, newp, newlen, &encdebug));
+ case IPCTL_IPSEC_ACL:
+ return (sysctl_int(oldp, oldlenp, newp, newlen,
+ &ipsp_allow_all));
default:
return (EOPNOTSUPP);
}
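Review bot: The new `IPCTL_IPSEC_ACL` case passes `&ipsp_allow_all` straight to `sysctl_int()`, which as used here stores whatever integer the caller writes, so 2 or -1 is accepted for what looks like a boolean switch. If any consumer compares against 1 rather than testing for nonzero, those values would behave differently from what the writer intended. I would keep the return value in a local and normalise after a successful write, e.g. `if (error == 0 && newp != NULL) ipsp_allow_all = (ipsp_allow_all != 0);`, or reject out-of-range values with EINVAL. Since a nonzero write apparently relaxes an ingress filter, it is also worth deciding whether this node should stay writable once securelevel is raised. The body of ip_sysctl starts outside this hunk, so I cannot see whether a suitable local already exists.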