Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.22.2.2
retrieving revision 1.22.2.5
diff -u -p -r1.22.2.2 -r1.22.2.5
--- src/sys/netinet6/ip6_input.c 2000/08/27 01:25:08 1.22.2.2
+++ src/sys/netinet6/ip6_input.c 2002/02/26 20:14:36 1.22.2.5
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.22.2.2 2000/08/27 01:25:08 itojun Exp $ */
+/* $NetBSD: ip6_input.c,v 1.22.2.5 2002/02/26 20:14:36 he Exp $ */
 /* $KAME: ip6_input.c,v 1.119 2000/08/26 10:00:45 itojun Exp $ */
 
 /*
@@ -111,6 +111,10 @@
 #include
 #endif
 
+#ifdef IPSEC
+#include
+#endif
+
 #include /* we need it for NLOOP. */
@@ -304,7 +308,15 @@ ip6_input(m)
 * in the list may have previously cleared it.
 */
 m0 = m;
- pfh = pfil_hook_get(PFIL_IN, &inetsw[ip_protox[IPPROTO_IPV6]].pr_pfh);
+#ifdef IPSEC
+ if (ipsec_gethist(m, NULL))
+ pfh = NULL;
+ else
+ pfh = pfil_hook_get(PFIL_IN,
+ &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
+#else
+ pfh = pfil_hook_get(PFIL_IN, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh);
+#endif
 for (; pfh; pfh = pfh->pfil_link.tqe_next)
 if (pfh->pfil_func) {
 rv = pfh->pfil_func(ip6, sizeof(*ip6),
@@ -695,6 +707,19 @@ ip6_input(m)
 goto bad;
 }
 
+#ifdef IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+ ipsec6stat.in_polvio++;
+ goto bad;
+ }
+#endif
+
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
 return;
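Review bot: The `if (ipsec_gethist(m, NULL)) pfh = NULL;` arm in the @@ -304 hunk silently bypasses every PFIL_IN hook for packets that carry IPsec history, and nothing in the hunk says why, so a reader auditing where packet-filter rules apply to IPsec-processed IPv6 traffic has to guess. If the intent is that the filter should see the packet as it arrived on the wire rather than the inner packet after IPsec processing, state that above the test, e.g. `/* let the packet filter look at the packet on the wire, not the decapsulated one */`. The `pfil_hook_get(PFIL_IN, &inet6sw[ip6_protox[IPPROTO_IPV6]].pr_pfh)` call is now written twice, once per `#ifdef` arm; fetching it unconditionally and then clearing `pfh` inside a short `#ifdef IPSEC` block would keep a single copy, provided calling pfil_hook_get for IPsec-history packets is acceptable. ip6_input begins and ends outside this hunk.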
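Review bot: The comment above the new `PR_LASTHDR` test in the @@ -695 hunk says when the policy check runs, but its second sentence, `note that we do not visit this with protocols with pcb layer code - like udp/tcp/raw ip`, is hard to parse and does not say where those protocols are checked instead. If they perform their own `ipsec6_in_reject` check once the packet reaches the pcb, spell that out: `* Protocols with a pcb layer (tcp/udp/raw ip) are not checked here; they enforce policy themselves at the pcb.` It would also help to note next to `ipsec6stat.in_polvio++` that a rejected packet is counted as a policy violation and then dropped via `bad`, since the `bad:` label is not visible in the hunk and presumably frees the mbuf. The `}` after the pr_input call closes a block whose opening lies before the hunk, and ip6_input continues after `return;`.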