Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.22.2.2
retrieving revision 1.22.2.3
diff -u -p -r1.22.2.2 -r1.22.2.3
--- src/sys/netinet6/ip6_input.c	2000/08/27 01:25:08	1.22.2.2
+++ src/sys/netinet6/ip6_input.c	2001/03/11 21:12:36	1.22.2.3
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.22.2.2 2000/08/27 01:25:08 itojun Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.22.2.3 2001/03/11 21:12:36 he Exp $	*/
 /*	$KAME: ip6_input.c,v 1.119 2000/08/26 10:00:45 itojun Exp $	*/
 
 /*
@@ -111,6 +111,10 @@
 #include <netinet6/ip6_fw.h>
 #endif
 
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
 #include <netinet6/ip6protosw.h>
 
 /* we need it for NLOOP. */
@@ -695,6 +699,19 @@ ip6_input(m)
 			goto bad;
 		}
 
+#ifdef IPSEC
+		/*
+		 * enforce IPsec policy checking if we are seeing last header.
+		 * note that we do not visit this with protocols with pcb layer
+		 * code - like udp/tcp/raw ip.
+		 */
+		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+		    ipsec6_in_reject(m, NULL)) {
+			ipsec6stat.in_polvio++;
+			goto bad;
+		}
+#endif
+		
 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 	}
 	return;