Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.36
retrieving revision 1.37
diff -u -p -r1.36 -r1.37
--- src/sys/netinet6/ip6_input.c 2001/02/24 00:02:16 1.36
+++ src/sys/netinet6/ip6_input.c 2001/03/01 16:31:41 1.37
@@ -1,5 +1,5 @@
-/* $NetBSD: ip6_input.c,v 1.36 2001/02/24 00:02:16 cgd Exp $ */
-/* $KAME: ip6_input.c,v 1.174 2001/02/09 06:17:41 jinmei Exp $ */
+/* $NetBSD: ip6_input.c,v 1.37 2001/03/01 16:31:41 itojun Exp $ */
+/* $KAME: ip6_input.c,v 1.183 2001/03/01 15:15:23 itojun Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -107,6 +107,10 @@
 #include
 #include
+#ifdef IPSEC
+#include
+#endif
+
 #include
 /* we need it for NLOOP. */
@@ -704,6 +708,19 @@ ip6_input(m)
 goto bad;
 }
+#ifdef IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+ ipsec6_in_reject(m, NULL)) {
+ ipsec6stat.in_polvio++;
+ goto bad;
+ }
+#endif
+
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
 return;
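Review bot: The policy check added just before the `pr_input` dispatch in the third hunk runs only for entries whose `pr_flags` carry `PR_LASTHDR`, so enforcement rests on an invariant the comment does not state: every `inet6sw` entry that ends the header chain and has no pcb-layer IPsec check of its own must set that flag, otherwise its packets pass inbound policy unchecked and uncounted. The block comment describes the exclusion by protocol name (udp/tcp/raw ip) while the code tests a flag, so I would add `/* invariant: any final-header inet6sw entry without its own pcb-level ipsec6_in_reject() call must set PR_LASTHDR */` here and repeat it next to the protocol switch table, which is not visible in this diff. It would also help to note that the `NULL` second argument means no pcb exists at this point, presumably making the lookup fall back to the system-wide policy; confirm that against `ipsec6_in_reject()`. The body of `ip6_input()` starts and ends outside the hunk.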