authorNiklas Hallqvist <niklas@cvs.openbsd.org>2001-08-22 06:52:02 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>2001-08-22 06:52:02 +0000
commit4dae913ed92dc9cdd1aa96afa0f94a276467877c (patch)
tree81844a1138fc7295364e78a42706d3d5b981663b /sys
parent88aed4e11fb9335bbedd2f30af187eb75d87fc84 (diff)
Add IPCOMP setsockopt policy controls. While here fix the other policies too
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet6/in6.h5
-rw-r--r--sys/netinet6/ip6_output.c19
2 files changed, 18 insertions, 6 deletions
diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h
index feb971032f1..6b05bb94851 100644
--- a/sys/netinet6/in6.h
+++ b/sys/netinet6/in6.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in6.h,v 1.22 2001/03/30 02:43:52 itojun Exp $ */
+/* $OpenBSD: in6.h,v 1.23 2001/08/22 06:52:01 niklas Exp $ */
/* $KAME: in6.h,v 1.83 2001/03/29 02:55:07 jinmei Exp $ */
/*
@@ -413,8 +413,9 @@ struct route_in6 {
#define IPV6_AUTH_LEVEL 53 /* int; authentication used */
#define IPV6_ESP_TRANS_LEVEL 54 /* int; transport encryption */
#define IPV6_ESP_NETWORK_LEVEL 55 /* int; full-packet encryption */
-
#define IPSEC6_OUTSA 56 /* set the outbound SA for a socket */
+#define IPV6_IPCOMP_LEVEL 60 /* int; compression */
+
/* to define items, should talk with KAME guys first, for *BSD compatibility */
#define IPV6_RTHDR_LOOSE 0 /* this hop need not be a neighbor. XXX old spec */
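Review bot: The new `IPV6_IPCOMP_LEVEL` sits after `IPSEC6_OUTSA` and is numbered 60, which separates it from the three other `*_LEVEL` options (53–55) and leaves 57–59 unexplained in this block. The comment just below asks that new option numbers be coordinated for *BSD compatibility, so a fuller remark on the define would help later readers, for example `#define IPV6_IPCOMP_LEVEL 60 /* int; compression (IPsec level, like IPV6_AUTH_LEVEL) */`. Whether 57–59 are assigned elsewhere in the file cannot be seen from this hunk.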
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 21e4b628dd6..60245ef8e8f 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_output.c,v 1.47 2001/08/21 06:53:36 angelos Exp $ */
+/* $OpenBSD: ip6_output.c,v 1.48 2001/08/22 06:52:01 niklas Exp $ */
/* $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $ */
/*
@@ -101,6 +101,7 @@ extern u_int8_t get_sa_require __P((struct inpcb *));
extern int ipsec_auth_default_level;
extern int ipsec_esp_trans_default_level;
extern int ipsec_esp_network_default_level;
+extern int ipsec_ipcomp_default_level;
#endif /* IPSEC */
struct ip6_exthdrs {
@@ -1409,6 +1410,7 @@ ip6_ctloutput(op, so, level, optname, mp)
case IPV6_AUTH_LEVEL:
case IPV6_ESP_TRANS_LEVEL:
case IPV6_ESP_NETWORK_LEVEL:
+ case IPV6_IPCOMP_LEVEL:
#ifndef IPSEC
error = EINVAL;
#else
@@ -1425,7 +1427,7 @@ ip6_ctloutput(op, so, level, optname, mp)
}
switch (optname) {
- case IP_AUTH_LEVEL:
+ case IPV6_AUTH_LEVEL:
if (optval < ipsec_auth_default_level &&
suser(p->p_ucred, &p->p_acflag)) {
error = EACCES;
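Review bot: The privilege rule these cases enforce is not written down near the inner `switch (optname)`, and it is easy to misread because `suser()` returns 0 for the superuser. A comment above the switch, such as `/* Only the superuser may set a level below the system-wide default. */`, would make the intent of `optval < ipsec_auth_default_level && suser(...)` explicit. The same applies to the ESP transport, ESP network and new IPCOMP cases in the following hunks. The enclosing function starts and ends outside this hunk.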
@@ -1434,7 +1436,7 @@ ip6_ctloutput(op, so, level, optname, mp)
inp->inp_seclevel[SL_AUTH] = optval;
break;
- case IP_ESP_TRANS_LEVEL:
+ case IPV6_ESP_TRANS_LEVEL:
if (optval < ipsec_esp_trans_default_level &&
suser(p->p_ucred, &p->p_acflag)) {
error = EACCES;
@@ -1443,7 +1445,7 @@ ip6_ctloutput(op, so, level, optname, mp)
inp->inp_seclevel[SL_ESP_TRANS] = optval;
break;
- case IP_ESP_NETWORK_LEVEL:
+ case IPV6_ESP_NETWORK_LEVEL:
if (optval < ipsec_esp_network_default_level &&
suser(p->p_ucred, &p->p_acflag)) {
error = EACCES;
@@ -1451,6 +1453,15 @@ ip6_ctloutput(op, so, level, optname, mp)
}
inp->inp_seclevel[SL_ESP_NETWORK] = optval;
break;
+
+ case IPV6_IPCOMP_LEVEL:
+ if (optval < ipsec_ipcomp_default_level &&
+ suser(p->p_ucred, &p->p_acflag)) {
+ error = EACCES;
+ break;
+ }
+ inp->inp_seclevel[SL_IPCOMP] = optval;
+ break;
}
if (!error)
inp->inp_secrequire = get_sa_require(inp);
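Review bot: The inner `switch (optname)` that closes in this hunk has no `default` arm, so an option name matching none of the labels stores nothing and leaves `error` untouched, and the call would then appear to succeed. The label corrections elsewhere in this commit show how such a mismatch can go unnoticed; ending the switch with `default: error = EINVAL; break;` would make it fail visibly instead. It is also worth confirming that `SL_IPCOMP` is a valid index into `inp_seclevel`, since neither the constant nor the array size is part of this diff. `ip6_ctloutput` starts and ends outside the hunk.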