Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet/raw_ip.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet/raw_ip.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.45
retrieving revision 1.59
diff -u -p -r1.45 -r1.59
--- src/sys/netinet/raw_ip.c 1999/07/09 22:57:20 1.45
+++ src/sys/netinet/raw_ip.c 2001/11/13 00:32:40 1.59
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip.c,v 1.45 1999/07/09 22:57:20 thorpej Exp $ */
+/* $NetBSD: raw_ip.c,v 1.59 2001/11/13 00:32:40 lukem Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -64,6 +64,9 @@
  * @(#)raw_ip.c 8.7 (Berkeley) 5/15/95
  */
 
+#include
+__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.59 2001/11/13 00:32:40 lukem Exp $");
+
 #include "opt_ipsec.h"
 #include "opt_mrouting.h"
 
@@ -95,8 +98,6 @@
 #include
 #endif /*IPSEC*/
 
-extern u_char ip_protox[];
-extern struct protosw inetsw[];
 struct inpcbtable rawcbtable;
 
 int rip_bind __P((struct inpcb *, struct mbuf *));
@@ -140,8 +141,8 @@ rip_input(m, va_alist)
 #endif
 {
 int off, proto;
- register struct ip *ip = mtod(m, struct ip *);
- register struct inpcb *inp;
+ struct ip *ip = mtod(m, struct ip *);
+ struct inpcb *inp;
 struct inpcb *last = 0;
 struct mbuf *opts = 0;
 struct sockaddr_in ripsrc;
@@ -164,9 +165,7 @@ rip_input(m, va_alist)
 */
 ip->ip_len -= ip->ip_hl << 2;
 
- for (inp = rawcbtable.inpt_queue.cqh_first;
- inp != (struct inpcb *)&rawcbtable.inpt_queue;
- inp = inp->inp_queue.cqe_next) {
+ CIRCLEQ_FOREACH(inp, &rawcbtable.inpt_queue, inp_queue) {
 if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != proto)
 continue;
 if (!in_nullhost(inp->inp_laddr) &&
@@ -177,6 +176,14 @@ rip_input(m, va_alist)
 continue;
 if (last) {
 struct mbuf *n;
+
+#ifdef IPSEC
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject_so(m, last->inp_socket)) {
+ ipsecstat.in_polvio++;
+ /* do not inject data to pcb */
+ } else
+#endif /*IPSEC*/
 if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
 if (last->inp_flags & INP_CONTROLOPTS ||
 last->inp_socket->so_options & SO_TIMESTAMP)
@@ -194,6 +201,15 @@ rip_input(m, va_alist)
 }
 last = inp;
 }
+#ifdef IPSEC
+ /* check AH/ESP integrity. */
+ if (last && ipsec4_in_reject_so(m, last->inp_socket)) {
+ m_freem(m);
+ ipsecstat.in_polvio++;
+ ipstat.ips_delivered--;
+ /* do not inject data to pcb */
+ } else
+#endif /*IPSEC*/
 if (last) {
 if (last->inp_flags & INP_CONTROLOPTS ||
 last->inp_socket->so_options & SO_TIMESTAMP)
@@ -207,7 +223,8 @@ rip_input(m, va_alist)
 sorwakeup(last->inp_socket);
 } else {
 if (inetsw[ip_protox[ip->ip_p]].pr_input == rip_input) {
- icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PROTOCOL,0,0);
+ icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PROTOCOL,
+ 0, 0);
 ipstat.ips_noproto++;
 ipstat.ips_delivered--;
 } else
@@ -229,8 +246,8 @@ rip_output(m, va_alist)
 va_dcl
 #endif
 {
- register struct inpcb *inp;
- register struct ip *ip;
+ struct inpcb *inp;
+ struct ip *ip;
 struct mbuf *opts;
 int flags;
 va_list ap;
@@ -280,7 +297,10 @@ rip_output(m, va_alist)
 ipstat.ips_rawout++;
 }
 #ifdef IPSEC
- m->m_pkthdr.rcvif = (struct ifnet *)inp->inp_socket; /*XXX*/
+ if (ipsec_setsocket(m, inp->inp_socket) != 0) {
+ m_freem(m);
+ return ENOBUFS;
+ }
 #endif /*IPSEC*/
 return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions, &inp->inp_errormtu));
 }
@@ -295,7 +315,7 @@ rip_ctloutput(op, so, level, optname, m)
 int level, optname;
 struct mbuf **m;
 {
- register struct inpcb *inp = sotoinpcb(so);
+ struct inpcb *inp = sotoinpcb(so);
 int error = 0;
 
 if (level != IPPROTO_IP) {
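Review bot: The `} else` that the new `#ifdef IPSEC` block leaves dangling before `#endif` binds to the unconditional `if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL)` that follows, so the two statements only form one if/else once the preprocessor stitches them together, and any line later inserted between the `#endif` and that `if` silently changes what is skipped on rejection. The comment `/* check AH/ESP integrity. */` also misdescribes the test: judging by the counter it bumps, `ipsecstat.in_polvio` (policy violation), `ipsec4_in_reject_so()` is a per-socket policy decision rather than an integrity check, so `/* enforce this pcb's inbound IPsec policy */` is the accurate wording. The second hunk (@@ -194) has the same dangling-else shape and the same comment, and there the reject path additionally drops the mbuf and undoes `ips_delivered`, which is consistent with the existing `icmp_error` branch below it. rip_input starts before the hunk and the `if (last)` body continues after it; a flag keeps the control flow explicit without the preprocessor trick:
```c
		if (last) {
			struct mbuf *n;
			int deliver = 1;

#ifdef IPSEC
			/* enforce this pcb's inbound IPsec policy */
			if (ipsec4_in_reject_so(m, last->inp_socket)) {
				ipsecstat.in_polvio++;
				deliver = 0;	/* do not inject data to pcb */
			}
#endif /*IPSEC*/
			if (deliver && (n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
				/* … unchanged: INP_CONTROLOPTS / SO_TIMESTAMP handling … */
```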
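Review bot: `return ENOBUFS;` on the new ipsec_setsocket() failure path breaks the parenthesised `return (...)` convention used throughout this file, including in the same hunk (`return (ip_output(...))`) and in rip_bind/rip_connect (`return (EINVAL)`); write `return (ENOBUFS);`. Note also that when the branch containing `ipstat.ips_rawout++` a few lines above has run, the packet has already been counted as raw output by the time this branch frees it, so the statistic overstates successful sends by one per failure; if that is acceptable, a one-line comment saying so on the `m_freem(m);` line would stop the next reader from chasing it. rip_output starts before this hunk.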
@@ -370,7 +390,7 @@ rip_bind(inp, nam)
 
 if (nam->m_len != sizeof(*addr))
 return (EINVAL);
- if (ifnet.tqh_first == 0)
+ if (TAILQ_FIRST(&ifnet) == 0)
 return (EADDRNOTAVAIL);
 if (addr->sin_family != AF_INET &&
 addr->sin_family != AF_IMPLINK)
@@ -391,7 +411,7 @@ rip_connect(inp, nam)
 
 if (nam->m_len != sizeof(*addr))
 return (EINVAL);
- if (ifnet.tqh_first == 0)
+ if (TAILQ_FIRST(&ifnet) == 0)
 return (EADDRNOTAVAIL);
 if (addr->sin_family != AF_INET &&
 addr->sin_family != AF_IMPLINK)
@@ -414,14 +434,14 @@ u_long rip_recvspace = RIPRCVQ;
 /*ARGSUSED*/
 int
 rip_usrreq(so, req, m, nam, control, p)
- register struct socket *so;
+ struct socket *so;
 int req;
 struct mbuf *m, *nam, *control;
 struct proc *p;
 {
- register struct inpcb *inp;
+ struct inpcb *inp;
 int s;
- register int error = 0;
+ int error = 0;
 #ifdef MROUTING
 extern struct socket *ip_mrouter;
 #endif
@@ -430,6 +450,13 @@ rip_usrreq(so, req, m, nam, control, p)
 return (in_control(so, (long)m, (caddr_t)nam,
 (struct ifnet *)control, p));
 
+ if (req == PRU_PURGEIF) {
+ in_pcbpurgeif0(&rawcbtable, (struct ifnet *)control);
+ in_purgeif((struct ifnet *)control);
+ in_pcbpurgeif(&rawcbtable, (struct ifnet *)control);
+ return (0);
+ }
+
 s = splsoftnet();
 inp = sotoinpcb(so);
 #ifdef DIAGNOSTIC
@@ -462,9 +489,6 @@ rip_usrreq(so, req, m, nam, control, p)
 break;
 inp = sotoinpcb(so);
 inp->inp_ip.ip_p = (long)nam;
-#ifdef IPSEC
- error = ipsec_init_policy(&inp->inp_sp);
-#endif /*IPSEC*/
 break;
 
 case PRU_DETACH:
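Review bot: The new PRU_PURGEIF block runs before `s = splsoftnet();`, so the walk over rawcbtable done by in_pcbpurgeif0()/in_pcbpurgeif() happens at whatever priority the caller holds, unlike every other request handled below that line, and the rip_input loop over the same table could run concurrently if the caller is not already at an elevated spl. Whether interface detach guarantees that is not visible from this hunk; either wrap the three calls in splsoftnet()/splx(), or add `/* caller already holds the spl needed to walk rawcbtable; no splsoftnet() here */` above the `if (req == PRU_PURGEIF)` so the next reader does not have to rediscover the contract. The order of the three calls (pcb references first, then the interface's addresses, then the pcbs bound to them) also looks deliberate and deserves a one-line comment. The enclosing rip_usrreq starts before this hunk.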