Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.133.2.2
retrieving revision 1.134
diff -u -p -r1.133.2.2 -r1.134
--- src/sys/netinet6/ip6_input.c 2012/04/05 21:33:46 1.133.2.2
+++ src/sys/netinet6/ip6_input.c 2011/12/19 11:59:58 1.134
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.133.2.2 2012/04/05 21:33:46 mrg Exp $ */
+/* $NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.133.2.2 2012/04/05 21:33:46 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -112,6 +112,11 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include
 #include
+#ifdef KAME_IPSEC
+#include
+#include
+#endif
+
 #ifdef FAST_IPSEC
 #include
 #include
@@ -156,8 +161,7 @@ percpu_t *ip6stat_percpu;
 static void ip6_init2(void *);
 static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *);
-static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *,
- u_int32_t *);
+static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *);
 static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int);
 static void sysctl_net_inet6_ip6_setup(struct sysctllog **);
@@ -189,7 +193,7 @@ ip6_init(void)
 frag6_init();
 ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR;
- ip6_init2(NULL);
+ ip6_init2((void *)0);
 #ifdef GATEWAY
 ip6flow_init(ip6_hashsize);
 #endif
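Review bot: `ip6_init2((void *)0);` in the @@ -189 hunk spells the null pointer constant by hand where the line it replaces used `NULL`; `NULL` is the idiomatic form in C and states the intent directly, so I would keep `ip6_init2(NULL);`. This is a style point only — as an argument to a `void *` parameter the two are equivalent. The body of ip6_init() begins and ends outside the hunk.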
@@ -275,6 +279,15 @@ ip6_input(struct mbuf *m)
 int s, error;
 #endif
+#ifdef KAME_IPSEC
+ /*
+ * should the inner packet be considered authentic?
+ * see comment in ah4_input().
+ */
+ m->m_flags &= ~M_AUTHIPHDR;
+ m->m_flags &= ~M_AUTHIPDGM;
+#endif
+
 /*
 * make sure we don't have onion peering information into m_tag.
 */
@@ -338,11 +351,16 @@ ip6_input(struct mbuf *m)
 goto bad;
 }
+#if defined(KAME_IPSEC)
+ /* IPv6 fast forwarding is not compatible with IPsec. */
+ m->m_flags &= ~M_CANFASTFWD;
+#else
 /*
 * Assume that we can create a fast-forward IP flow entry
 * based on this packet.
 */
 m->m_flags |= M_CANFASTFWD;
+#endif
 #ifdef PFIL_HOOKS
 /*
@@ -356,7 +374,9 @@ ip6_input(struct mbuf *m)
 * let ipfilter look at packet on the wire,
 * not the decapsulated packet.
 */
-#if defined(FAST_IPSEC)
+#ifdef KAME_IPSEC
+ if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
 if (!ipsec_indone(m))
 #else
 if (1)
@@ -765,6 +785,18 @@ ip6_input(struct mbuf *m)
 }
 }
+#ifdef KAME_IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+ IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
+ goto bad;
+ }
+#endif
 #ifdef FAST_IPSEC
 /*
 * enforce IPsec policy checking if we are seeing last header.
@@ -850,7 +882,7 @@ ip6_getdstifaddr(struct mbuf *m)
 *
 * rtalertp - XXX: should be stored more smart way
 */
-int
+static int
 ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp,
 int *offp)
 {
@@ -895,7 +927,7 @@ ip6_hopopts_input(u_int32_t *plenp, u_in
 * (RFC2460 p7), opthead is pointer into data content in m, and opthead to
 * opthead + hbhlen is located in continuous memory region.
 */
-static int
+int
 ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen,
 u_int32_t *rtalertp, u_int32_t *plenp)
 {
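Review bot: The two flag clears in the new KAME_IPSEC block at the top of ip6_input() can be one statement, `m->m_flags &= ~(M_AUTHIPHDR | M_AUTHIPDGM);`, which makes it visible at a glance that both authenticity bits are dropped together. The comment only forwards the reader to ah4_input() for the reason; a one-line summary in place would save the jump, e.g. `/* never trust authenticity marks that arrive with the mbuf; presumably the AH/ESP input path sets them afresh — see ah4_input() */` (the second half is my inference, confirm against that comment). The enclosing ip6_input() starts and continues outside the hunk.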
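Review bot: In the @@ -765 hunk the new KAME_IPSEC policy check is a standalone `#ifdef KAME_IPSEC … #endif` placed directly in front of the existing `#ifdef FAST_IPSEC` block that performs the same last-header policy check, whereas the @@ -356 hunk treats the two options as alternatives with `#ifdef KAME_IPSEC` / `#elif defined(FAST_IPSEC)`. Should a configuration ever define both, the packet would be policy-checked twice and a rejection counted twice before `goto bad`; replacing the `#endif` / `#ifdef FAST_IPSEC` pair with `#elif defined(FAST_IPSEC)` keeps the two sites consistent and rules that out. The three-line comment is also a verbatim copy of the one in the FAST_IPSEC branch, so a single comment above the `#ifdef` would serve both. ip6_input() continues outside the hunk.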
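Review bot: Dropping `static` from ip6_process_hopopts() in the @@ -895 hunk makes it part of the file's external interface, but the only declaration visible in this diff — the file-scope prototype in the @@ -156 hunk — is removed rather than moved, so unless a header (presumably netinet6/ip6_var.h, not in view) declares it, out-of-file callers depend on an implicit declaration and `-Wmissing-prototypes` will flag the definition. For an exported function the header comment should also state the caller's obligations explicitly: the existing text says opthead..opthead+hbhlen must be contiguous, and I would add `* The caller must have validated hbhlen against the mbuf before calling.` if that is indeed not re-checked inside — the body is outside the hunk, so confirm before wording it as a guarantee.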