Source-Changes-HG archive


[src/netbsd-1-5]: src/sys/netinet Pull up revision 1.128 (requested by itojun):



details:   https://anonhg.NetBSD.org/src/rev/349b3fbe3fef
branches:  netbsd-1-5
changeset: 490819:349b3fbe3fef
user:      he <he%NetBSD.org@localhost>
date:      Sun Mar 11 21:10:34 2001 +0000

description:
Pull up revision 1.128 (requested by itojun):
  Ensure that we enforce inbound IPsec policy on all IP protocols,
  not just TCP, UDP and ICMP.

diffstat:

 sys/netinet/ip_input.c |  15 ++++++++++++++-
 1 files changed, 14 insertions(+), 1 deletions(-)

diffs (29 lines):

diff -r 2ab4e7f0a95b -r 349b3fbe3fef sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c    Sun Mar 11 21:10:13 2001 +0000
+++ b/sys/netinet/ip_input.c    Sun Mar 11 21:10:34 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_input.c,v 1.114.4.3 2000/10/17 00:59:49 tv Exp $    */
+/*     $NetBSD: ip_input.c,v 1.114.4.4 2001/03/11 21:10:34 he Exp $    */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -687,6 +687,19 @@
                IPQ_UNLOCK();
        }
 
+#ifdef IPSEC
+       /*
+        * enforce IPsec policy checking if we are seeing last header.
+        * note that we do not visit this with protocols with pcb layer
+        * code - like udp/tcp/raw ip.
+        */
+       if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
+           ipsec4_in_reject(m, NULL)) {
+               ipsecstat.in_polvio++;
+               goto bad;
+       }
+#endif
+
        /*
         * Switch out to protocol's input routine.
         */
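Review bot: the new check only runs when the protocol's protosw entry has PR_LASTHDR set, so the "all IP protocols" coverage in the commit message depends on every protocol that lacks pcb-layer policy code (the udp/tcp/raw ip case the comment excludes) actually carrying that flag; a protocol with neither gets no inbound policy check and no in_polvio increment. Suggest stating that invariant in the comment, e.g. "protocols without a pcb layer must set PR_LASTHDR in inetsw", so the protosw table can be audited against it. Placing the block after the IPQ_UNLOCK() section and immediately before "Switch out to protocol's input routine" is the right spot, since it is the last point where the datagram is still handled generically.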


