Source-Changes-HG archive


[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.26 (requested by itojun):



details:   https://anonhg.NetBSD.org/src/rev/fb24fe8a77dd
branches:  netbsd-1-5
changeset: 490820:fb24fe8a77dd
user:      he <he%NetBSD.org@localhost>
date:      Sun Mar 11 21:10:53 2001 +0000

description:
Pull up revision 1.26 (requested by itojun):
  Ensure that we enforce inbound IPsec policy on all IP protocols,
  not just TCP, UDP and ICMP.

diffstat:

 sys/netinet6/ah_input.c |  11 ++++++++---
 1 files changed, 8 insertions(+), 3 deletions(-)

diffs (26 lines):

diff -r 349b3fbe3fef -r fb24fe8a77dd sys/netinet6/ah_input.c
--- a/sys/netinet6/ah_input.c   Sun Mar 11 21:10:34 2001 +0000
+++ b/sys/netinet6/ah_input.c   Sun Mar 11 21:10:53 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ah_input.c,v 1.15.2.4 2000/10/02 23:41:31 itojun Exp $ */
+/*     $NetBSD: ah_input.c,v 1.15.2.5 2001/03/11 21:10:53 he Exp $     */
 /*     $KAME: ah_input.c,v 1.34 2000/10/01 12:37:18 itojun Exp $       */
 
 /*
@@ -537,9 +537,14 @@
 
                key_sa_recordxfer(sav, m);
 
-               if (nxt != IPPROTO_DONE)
+               if (nxt != IPPROTO_DONE) {
+                       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+                           ipsec4_in_reject(m, NULL)) {
+                               ipsecstat.in_polvio++;
+                               goto fail;
+                       }
                        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
-               else
+               } else
                        m_freem(m);
                m = NULL;
        }
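
Review bot: In the new `if (nxt != IPPROTO_DONE) {` block, the inbound policy check is gated on `PR_LASTHDR`, so the "all IP protocols" guarantee from the commit message holds only if every final-header entry in `inetsw` carries that flag; an entry without it is handed to `pr_input` with no check at this point. A short comment above the condition stating that invariant, and why `NULL` is passed as the second argument to `ipsec4_in_reject`, would make the enforcement auditable. The `goto fail` exit leaves with `m` still set, so the `fail` label (outside this hunk) has to free the mbuf the way the `else` branch does with `m_freem(m)`; please confirm. The diffstat shows only `ah_input.c` touched and the call is `ipsec4_in_reject`, so it is worth confirming that the other IPsec input paths get the same check. Minor: `ip_protox[nxt]` is looked up twice, and `} else` leaves a braced `if` paired with an unbraced `else`.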


