Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.136.2.1
retrieving revision 1.142
diff -u -p -r1.136.2.1 -r1.142
--- src/sys/netinet6/ip6_input.c 2013/07/08 07:40:07 1.136.2.1
+++ src/sys/netinet6/ip6_input.c 2013/06/05 19:01:26 1.142
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $ */
+/* $NetBSD: ip6_input.c,v 1.142 2013/06/05 19:01:26 christos Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 
 /*
@@ -62,7 +62,7 @@
 */
 
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.2.1 2013/07/08 07:40:07 jdc Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.142 2013/06/05 19:01:26 christos Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -103,6 +103,7 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include
 #endif /* INET */
 #include
+#include
 #include
 #include
 #include
@@ -112,16 +113,11 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include
 #include
 
-#ifdef KAME_IPSEC
-#include
-#include
-#endif
-
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 #include
 #include
 #include
-#endif /* FAST_IPSEC */
+#endif /* IPSEC */
 
 #ifdef COMPAT_50
 #include
@@ -273,22 +269,13 @@ ip6_input(struct mbuf *m)
 struct sockaddr dst;
 struct sockaddr_in6 dst6;
 } u;
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 struct m_tag *mtag;
 struct tdb_ident *tdbi;
 struct secpolicy *sp;
 int s, error;
 #endif
 
-#ifdef KAME_IPSEC
- /*
- * should the inner packet be considered authentic?
- * see comment in ah4_input().
- */
- m->m_flags &= ~M_AUTHIPHDR;
- m->m_flags &= ~M_AUTHIPDGM;
-#endif
-
 /*
 * make sure we don't have onion peering information into m_tag.
 */
@@ -352,16 +339,11 @@ ip6_input(struct mbuf *m)
 goto bad;
 }
 
-#if defined(KAME_IPSEC)
- /* IPv6 fast forwarding is not compatible with IPsec. */
- m->m_flags &= ~M_CANFASTFWD;
-#else
 /*
 * Assume that we can create a fast-forward IP flow entry
 * based on this packet.
 */
 m->m_flags |= M_CANFASTFWD;
-#endif
 
 #ifdef PFIL_HOOKS
 /*
@@ -375,9 +357,7 @@ ip6_input(struct mbuf *m)
 * let ipfilter look at packet on the wire,
 * not the decapsulated packet.
 */
-#ifdef KAME_IPSEC
- if (!ipsec_getnhist(m))
-#elif defined(FAST_IPSEC)
+#if defined(IPSEC)
 if (!ipsec_indone(m))
 #else
 if (1)
@@ -786,19 +766,7 @@ ip6_input(struct mbuf *m)
 }
 }
 
-#ifdef KAME_IPSEC
- /*
- * enforce IPsec policy checking if we are seeing last header.
- * note that we do not visit this with protocols with pcb layer
- * code - like udp/tcp/raw ip.
- */
- if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec6_in_reject(m, NULL)) {
- IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
- goto bad;
- }
-#endif
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 /*
 * enforce IPsec policy checking if we are seeing last header.
 * note that we do not visit this with protocols with pcb layer
@@ -835,7 +803,7 @@ ip6_input(struct mbuf *m)
 if (error)
 goto bad;
 }
-#endif /* FAST_IPSEC */
+#endif /* IPSEC */
 
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
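Review bot: With the KAME_IPSEC branch removed, `m->m_flags |= M_CANFASTFWD;` now runs unconditionally in ip6_input, including in IPSEC builds where the same packet is later subject to policy checking in the @@ -786 hunk, and the deleted comment's caveat that fast forwarding is not compatible with IPsec has no replacement in this hunk. The old FAST_IPSEC configuration already behaved this way, so the exclusion is presumably enforced in the flow-creation code rather than here, but that is not visible in the diff and is worth confirming before the KAME safeguard is dropped for good. A one-line comment at the flag assignment, such as `/* flow creation must still skip packets that need IPsec processing */`, would record the assumption for the next reader. ip6_input starts before and continues after this hunk.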
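Review bot: `#if defined(IPSEC)` in the PFIL_HOOKS hunk is the only place in this commit that does not use the `#ifdef IPSEC` spelling adopted in the include block, the declaration block and the policy-check hunk. The `defined()` form was only needed because of the `#elif` it replaced; with that gone, `#ifdef IPSEC` would read consistently with the rest of the file. This is a style point only, the preprocessing result is identical.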
@@ -1989,11 +1957,37 @@ sysctl_net_inet6_ip6_setup(struct sysctl
 CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL);
 #endif
 
+ /* anonportalgo RFC6056 subtree */
+ const struct sysctlnode *portalgo_node;
+ sysctl_createv(clog, 0, NULL, &portalgo_node,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_NODE, "anonportalgo",
+ SYSCTL_DESCR("Anonymous port algorithm selection (RFC 6056)"),
+ NULL, 0, NULL, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &portalgo_node, NULL,
+ CTLFLAG_PERMANENT,
+ CTLTYPE_STRING, "available",
+ SYSCTL_DESCR("available algorithms"),
+ sysctl_portalgo_available, 0, NULL, PORTALGO_MAXLEN,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &portalgo_node, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_STRING, "selected",
+ SYSCTL_DESCR("selected algorithm"),
+ sysctl_portalgo_selected6, 0, NULL, PORTALGO_MAXLEN,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, &portalgo_node, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_STRUCT, "reserve",
+ SYSCTL_DESCR("bitmap of reserved ports"),
+ sysctl_portalgo_reserve6, 0, NULL, 0,
+ CTL_CREATE, CTL_EOL);
 sysctl_createv(clog, 0, NULL, NULL,
 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
 CTLTYPE_INT, "neighborgcthresh",
 SYSCTL_DESCR("Maximum number of entries in neighbor"
- " cache"),
+ " cache"),
 NULL, 1, &ip6_neighborgcthresh, 0,
 CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL);
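Review bot: `portalgo_node` is declared without an initialiser and the result of the sysctl_createv call that is supposed to fill it is ignored, so if creation of the "anonportalgo" node fails and the function leaves the out-pointer untouched, the three child calls pass an indeterminate pointer as their parent. The surrounding calls in this function ignore their return values too, so a full error path may be outside this commit's convention, but `const struct sysctlnode *portalgo_node = NULL;` plus skipping the children with `if (portalgo_node != NULL)` costs nothing and turns the failure into a missing subtree instead of undefined behaviour. The "selected" and "reserve" nodes are CTLFLAG_READWRITE, so the write-side privilege check presumably lives in sysctl_portalgo_selected6 and sysctl_portalgo_reserve6 or the generic sysctl path rather than here, which is worth confirming since the "reserve" node is a CTLTYPE_STRUCT of size 0. sysctl_net_inet6_ip6_setup starts before this hunk.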