Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.35 retrieving revision 1.39 diff -u -p -r1.35 -r1.39 --- src/sys/netinet6/ip6_input.c 2001/02/10 04:14:28 1.35 +++ src/sys/netinet6/ip6_input.c 2001/03/21 19:12:56 1.39 @@ -1,5 +1,5 @@ -/* $NetBSD: ip6_input.c,v 1.35 2001/02/10 04:14:28 itojun Exp $ */ -/* $KAME: ip6_input.c,v 1.174 2001/02/09 06:17:41 jinmei Exp $ */ +/* $NetBSD: ip6_input.c,v 1.39 2001/03/21 19:12:56 itojun Exp $ */ +/* $KAME: ip6_input.c,v 1.183 2001/03/01 15:15:23 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -107,6 +107,10 @@ #include #include +#ifdef IPSEC +#include +#endif + #include /* we need it for NLOOP. */ @@ -299,12 +303,23 @@ ip6_input(m) * Note that filters must _never_ set this flag, as another filter * in the list may have previously cleared it. */ - if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, - PFIL_IN) != 0) - return; - if (m == NULL) - return; - ip6 = mtod(m, struct ip6_hdr *); + /* + * let ipfilter look at packet on the wire, + * not the decapsulated packet. + */ +#ifdef IPSEC + if (!ipsec_gethist(m, NULL)) +#else + if (1) +#endif + { + if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif, + PFIL_IN) != 0) + return; + if (m == NULL) + return; + ip6 = mtod(m, struct ip6_hdr *); + } #endif /* PFIL_HOOKS */ 
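Review bot: The new guard in the @@ -299 hunk means a packet that already carries IPsec history (`ipsec_gethist(m, NULL)` non-NULL) never reaches `pfil_run_hooks`, so ipfilter rules written against the inner addresses or ports of an AH/ESP tunnel stop applying at this point; the added comment explains the intent ("packet on the wire") but not that consequence. Suggest extending it with `* decapsulated (inner) packets therefore bypass pfil here entirely;` / `* they are gated only by IPsec policy (ipsec6_in_reject / pcb-layer checks).` so the policy split is explicit to whoever maintains the filter rules. The `#ifdef IPSEC` / `if (1)` pair wrapped around a bare `{` is hard to read; a local such as `int run_pfil = 1;`, set to `ipsec_gethist(m, NULL) == NULL` under `#ifdef IPSEC`, followed by a plain `if (run_pfil) {`, expresses the same decision without the preprocessor straddling a condition. `ip6` is no longer re-fetched on the history path, which is fine since `m` is untouched there, but a one-line comment saying so would save the next reader the check. ip6_input starts and ends outside the hunk.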
@@ -374,6 +389,20 @@ ip6_input(m)
 }
 }
 
+ /* drop packets if interface ID portion is already filled */
+ if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0) {
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src) &&
+ ip6->ip6_src.s6_addr16[1]) {
+ ip6stat.ip6s_badscope++;
+ goto bad;
+ }
+ if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst) &&
+ ip6->ip6_dst.s6_addr16[1]) {
+ ip6stat.ip6s_badscope++;
+ goto bad;
+ }
+ }
+
 #ifndef FAKE_LOOPBACK_IF
 if ((m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK) == 0)
 #else
@@ -704,6 +733,19 @@ ip6_input(m)
 goto bad;
 }
 
+#ifdef IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+ ipsec6stat.in_polvio++;
+ goto bad;
+ }
+#endif
+
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
 return;
@@ -1162,6 +1204,7 @@ ip6_savecontrol(in6p, mp, ip6, m)
 nxt = ip6e->ip6e_nxt;
 }
 loopend:
+ ;
 }
 if ((in6p->in6p_flags & IN6P_HOPOPTS) && privileged) {
 /* to be done */
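Review bot: The new check in the @@ -374 hunk rejects a non-zero `s6_addr16[1]` in a link-local source or destination, but the comment does not say why a non-zero value from the wire is a problem: that is the field the stack itself fills with the receiving interface index (the "interface ID portion" the comment names), so a value already present on arrival could make the packet look as if it belonged to another link's scope. Suggest `/* reject link-local addrs whose s6_addr16[1] is already set: the kernel owns that field (zone index); a wire value could masquerade as another link's traffic */` in place of the current one-liner. The two branches differ only in the address tested, so they can be folded into one `if` joined by `||` with a single `ip6stat.ip6s_badscope++; goto bad;`, which keeps the counter in one place; the outer `IFF_LOOPBACK` test is then repeated verbatim by the `#ifndef FAKE_LOOPBACK_IF` line just below, which is worth a comment if the duplication is deliberate. ip6_input starts and ends outside the hunk, and whether `bad:` frees `m` is not visible from here.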
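Review bot: The policy check in the @@ -704 hunk fires only for protocol switch entries with `PR_LASTHDR` set, and the comment explains that tcp/udp/raw are checked at the pcb layer instead; what it leaves unsaid is that an inet6sw entry with neither `PR_LASTHDR` nor its own pcb-level check is never matched against the SPD at all. Suggest adding `* any protocol without pcb-layer code must set PR_LASTHDR here, otherwise` / `* its inbound packets are never checked against IPsec policy.` so the next entry added to inet6sw does not silently bypass the check. `ipsec6_in_reject(m, NULL)` is called without a pcb, so the lookup presumably falls back to the packet's own addresses and the system default policy; if that is the intent it deserves a word in the comment, since it is the only policy gate these protocols get. The surrounding header-walking loop and ip6_input itself start and end outside the hunk.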