From 7ab4566c34fb0c170d5805b34cd71d628eb1b501 Mon Sep 17 00:00:00 2001
From: Niklas Hallqvist
Date: Sun, 11 Apr 1999 19:41:42 +0000
Subject: Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
---
 sys/netinet/ip_esp.c | 47 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)
(limited to 'sys/netinet/ip_esp.c')
diff --git a/sys/netinet/ip_esp.c b/sys/netinet/ip_esp.c
index b99460802e1..a09c76481e4 100644
--- a/sys/netinet/ip_esp.c
+++ b/sys/netinet/ip_esp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.c,v 1.20 1999/04/09 22:27:53 niklas Exp $ */
+/* $OpenBSD: ip_esp.c,v 1.21 1999/04/11 19:41:37 niklas Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -82,15 +83,21 @@ extern struct ifnet enc_softc;
 #define DPRINTF(x)
 #endif
-void esp_input __P((struct mbuf *, int));
+int esp_enable = 0;
 /*
 * esp_input gets called when we receive an packet with an ESP.
 */
 void
-esp_input(register struct mbuf *m, int iphlen)
+#if __STDC__
+esp_input(struct mbuf *m, ...)
+#else
+esp_input(m, va_alist)
+ register struct mbuf *m;
+#endif
 {
+ int iphlen;
 union sockaddr_union sunion;
 struct ifqueue *ifq = NULL;
 struct expiration *exp;
@@ -98,9 +105,21 @@ esp_input(register struct mbuf *m, int iphlen)
 struct tdb *tdbp;
 u_int32_t spi;
 int s;
+ va_list ap;
+ va_start(ap, m);
+ iphlen = va_arg(ap, int);
+ va_end(ap);
+
 espstat.esps_input++;
+ if (!esp_enable)
+ {
+ m_freem(m);
+ espstat.esps_pdrops++;
+ return;
+ }
+
 /*
 * Make sure that at least the SPI is in the same mbuf
 */
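Review bot: In the new definition of `esp_input` (hunk at -82,15), the `#else` form `esp_input(m, va_alist)` has no `va_dcl` after `register struct mbuf *m;`, while the body added in the next hunk calls the two-argument stdarg form `va_start(ap, m)` unconditionally, so the non-`__STDC__` branch looks unusable as written. If pre-ANSI compilers are not a target, keeping only `esp_input(struct mbuf *m, ...)` would be simpler; otherwise the `va_start` call needs the same `#if` split. The file-local prototype `void esp_input __P((struct mbuf *, int));` is removed here, and a variadic definition has to be called through a matching variadic prototype, which presumably lives in a header outside this file-limited diff and is worth confirming. The function body begins in this hunk and continues beyond it.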
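Review bot: The new `if (!esp_enable)` drop at the top of `esp_input` (hunk at -98,9) is silent and is accounted in `espstat.esps_pdrops`, so with the default of 0 a host that has SAs configured but no net.inet.esp.enable setting discards every ESP packet with nothing to tell this apart from other drops that counter may record. A debug trace before `m_freem(m);`, for example `DPRINTF(("esp_input(): ESP disabled, packet dropped\n"));` (adjusted to however the file's other DPRINTF calls are written), would make the cause visible, and a dedicated counter would be better if `espstat` can be extended. A one-line comment above the check, such as `/* ESP is off unless net.inet.esp.enable is set; drop before any header parsing. */`, would record why the test precedes the SPI handling. The function continues outside this hunk.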
@@ -316,3 +335,25 @@ esp_input(register struct mbuf *m, int iphlen)
 splx(s);
 return;
 }
+
+int
+esp_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
+ int *name;
+ u_int namelen;
+ void *oldp;
+ size_t *oldlenp;
+ void *newp;
+ size_t newlen;
+{
+ /* All sysctl names at this level are terminal. */
+ if (namelen != 1)
+ return (ENOTDIR);
+
+ switch (name[0]) {
+ case ESPCTL_ENABLE:
+ return (sysctl_int(oldp, oldlenp, newp, newlen, &esp_enable));
+ default:
+ return (ENOPROTOOPT);
+ }
+ /* NOTREACHED */
+}
-- cgit v1.2.3
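Review bot: `esp_sysctl` passes `newp` straight to `sysctl_int` on `&esp_enable`, so any integer is accepted and no privilege check for writes is visible in this function; it presumably happens in the generic sysctl entry point, which deserves a comment such as `/* Write permission is checked by the caller; any non-zero value enables ESP. */` above the `switch`. Because this knob turns all inbound ESP processing on or off at run time, it is worth deciding whether it should become read-only at a raised securelevel, since setting it back to 0 makes `esp_input` drop protected traffic. The function is added in old-style (K&R) form with no prototype in this file; the prototype and `ESPCTL_ENABLE` are presumably declared in a header not shown in this file-limited diff.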