summaryrefslogtreecommitdiff
path: root/sys
diff options
context:
space:
mode:
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet6/ip6_input.c45
1 files changed, 43 insertions, 2 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index fb3c68a814e..c1ce9cb4571 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.53 2003/06/30 10:30:23 itojun Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.54 2003/10/14 06:39:32 itojun Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -651,6 +651,47 @@ ip6_input(m)
goto bad;
}
+#ifdef IPSEC
+ /*
+ * IPsec policy check for local-delivery packets. Look at the
+ * inner-most SA that protected the packet. This is in fact
+ * a bit too restrictive (it could end up causing packets to
+ * be dropped that semantically follow the policy, e.g., in
+ * certain SA-bundle configurations); but the alternative is
+ * very complicated (and requires keeping track of what
+ * kinds of tunneling headers have been seen in-between the
+ * IPsec headers), and I don't think we lose much functionality
+ * that's needed in the real world (who uses bundles anyway ?).
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
+ struct m_tag *mtag;
+ struct tdb *tdb;
+ struct tdb_ident *tdbi;
+ int error;
+ int s;
+
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ s = splnet();
+ if (mtag) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ tdb = gettdb(tdbi->spi, &tdbi->dst,
+ tdbi->proto);
+ } else
+ tdb = NULL;
+ ipsp_spd_lookup(m, AF_INET6, off, &error,
+ IPSP_DIRECTION_IN, tdb, NULL);
+ splx(s);
+
+ /* Error or otherwise drop-packet indication. */
+ if (error) {
+ ip6stat.ip6s_cantforward++;
+ in6_ifstat_inc(m->m_pkthdr.rcvif,
+ ifs6_in_discard);
+ goto bad;
+ }
+ }
+#endif
+
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
}
return;
@@ -1251,7 +1292,7 @@ ip6_nexthdr(m, off, proto, nxtp)
if (m->m_pkthdr.len < off + sizeof(fh))
return -1;
m_copydata(m, off, sizeof(fh), (caddr_t)&fh);
- if ((ntohs(fh.ip6f_offlg) & IP6F_OFF_MASK) != 0)
+ if ((fh.ip6f_offlg & IP6F_OFF_MASK) != 0)
return -1;
if (nxtp)
*nxtp = fh.ip6f_nxt;