diff options
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet6/ip6_input.c | 45 |
1 files changed, 43 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index fb3c68a814e..c1ce9cb4571 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.53 2003/06/30 10:30:23 itojun Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.54 2003/10/14 06:39:32 itojun Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -651,6 +651,47 @@ ip6_input(m) goto bad; } +#ifdef IPSEC + /* + * IPsec policy check for local-delivery packets. Look at the + * inner-most SA that protected the packet. This is in fact + * a bit too restrictive (it could end up causing packets to + * be dropped that semantically follow the policy, e.g., in + * certain SA-bundle configurations); but the alternative is + * very complicated (and requires keeping track of what + * kinds of tunneling headers have been seen in-between the + * IPsec headers), and I don't think we lose much functionality + * that's needed in the real world (who uses bundles anyway ?). + */ + if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { + struct m_tag *mtag; + struct tdb *tdb; + struct tdb_ident *tdbi; + int error; + int s; + + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); + s = splnet(); + if (mtag) { + tdbi = (struct tdb_ident *)(mtag + 1); + tdb = gettdb(tdbi->spi, &tdbi->dst, + tdbi->proto); + } else + tdb = NULL; + ipsp_spd_lookup(m, AF_INET6, off, &error, + IPSP_DIRECTION_IN, tdb, NULL); + splx(s); + + /* Error or otherwise drop-packet indication. */ + if (error) { + ip6stat.ip6s_cantforward++; + in6_ifstat_inc(m->m_pkthdr.rcvif, + ifs6_in_discard); + goto bad; + } + } +#endif + nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); } return; @@ -1251,7 +1292,7 @@ ip6_nexthdr(m, off, proto, nxtp) if (m->m_pkthdr.len < off + sizeof(fh)) return -1; m_copydata(m, off, sizeof(fh), (caddr_t)&fh); - if ((ntohs(fh.ip6f_offlg) & IP6F_OFF_MASK) != 0) + if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0) return -1; if (nxtp) *nxtp = fh.ip6f_nxt; |