Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present.
retrieving revision 1.83.2.2
retrieving revision 1.90.2.1.2.2
diff -u -p -r1.83.2.2 -r1.90.2.1.2.2
--- src/sys/netinet6/ip6_input.c 2006/05/11 23:31:35 1.83.2.2
+++ src/sys/netinet6/ip6_input.c 2007/09/23 21:36:35 1.90.2.1.2.2
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.83.2.2 2006/05/11 23:31:35 elad Exp $ */
+/* $NetBSD: ip6_input.c,v 1.90.2.1.2.2 2007/09/23 21:36:35 wrstuden Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.83.2.2 2006/05/11 23:31:35 elad Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.90.2.1.2.2 2007/09/23 21:36:35 wrstuden Exp $");
 #include "opt_inet.h"
 #include "opt_inet6.h"
@@ -112,6 +112,12 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include
 #endif
+#ifdef FAST_IPSEC
+#include
+#include
+#include
+#endif /* FAST_IPSEC */
+
 #include
 #include "faith.h"
@@ -189,8 +195,7 @@ ip6_init()
 }
 static void
-ip6_init2(dummy)
- void *dummy;
+ip6_init2(void *dummy)
 {
 /* nd6_timer_init */
@@ -242,6 +247,12 @@ ip6_input(m)
 int nxt, ours = 0;
 struct ifnet *deliverifp = NULL;
 int srcrt = 0;
+#ifdef FAST_IPSEC
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+#endif
 #ifdef IPSEC
 /*
@@ -328,6 +339,8 @@ ip6_input(m)
 */
 #ifdef IPSEC
 if (!ipsec_getnhist(m))
+#elif defined(FAST_IPSEC)
+ if (!ipsec_indone(m))
 #else
 if (1)
 #endif
@@ -410,6 +423,10 @@ ip6_input(m)
 * dst are the loopback address and the receiving interface
 * is not loopback.
 */
+ if (__predict_false(
+ m_makewritable(&m, 0, sizeof(struct ip6_hdr), M_DONTWAIT)))
+ goto bad;
+ ip6 = mtod(m, struct ip6_hdr *);
 if (in6_clearscope(&ip6->ip6_src) || in6_clearscope(&ip6->ip6_dst)) {
 ip6stat.ip6s_badscope++; /* XXX */
 goto bad;
@@ -753,6 +770,45 @@ ip6_input(m)
 goto bad;
 }
 #endif
+#ifdef FAST_IPSEC
+ /*
+ * enforce IPsec policy checking if we are seeing last header.
+ * note that we do not visit this with protocols with pcb layer
+ * code - like udp/tcp/raw ip.
+ */
+ if ((inet6sw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
+ /*
+ * Check if the packet has already had IPsec processing
+ * done. If so, then just pass it along. This tag gets
+ * set during AH, ESP, etc. input handling, before the
+ * packet is returned to the ip input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ s = splsoftnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ }
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ } else {
+ /* XXX error stat??? */
+ error = EINVAL;
+ DPRINTF(("ip6_input: no SP, packet discarded\n"));/*XXX*/
+ }
+ splx(s);
+ if (error)
+ goto bad;
+ }
+#endif /* FAST_IPSEC */
+
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
@@ -1048,6 +1104,11 @@ ip6_savecontrol(in6p, mp, ip6, m)
 mp = &(*mp)->m_next;
 }
 #endif
+
+ /* some OSes call this logic with IPv4 packet, for SO_TIMESTAMP */
+ if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION)
+ return;
+
 /* RFC 2292 sec. 5 */
 if ((in6p->in6p_flags & IN6P_PKTINFO) != 0) {
 struct in6_pktinfo pi6;
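Review bot: The new `m_makewritable()` call carries no comment saying why the IPv6 header has to be writable at this point, and the re-fetch of `ip6` two lines below reads as redundant unless one knows the call takes `&m`. The guard sits directly in front of `in6_clearscope(&ip6->ip6_src)` / `in6_clearscope(&ip6->ip6_dst)`, which presumably rewrite the scope fields in place, and `ip6` is presumably re-fetched because `m_makewritable(&m, ...)` may replace the leading mbuf. Suggest above the `if`: `/* in6_clearscope() writes ip6_src/ip6_dst in place: make the header writable first; m may be replaced, so re-fetch ip6 afterwards. */`. `ip6_input()` begins and ends outside this hunk.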
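Review bot: The `PR_LASTHDR` test that opens the new FAST_IPSEC block indexes `inet6sw` with `ip_protox[nxt]`, whereas the dispatch on the line that follows the block (`nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);`) indexes the same table with `ip6_protox[nxt]`. Unless the two index tables happen to agree for every next-header value, the decision whether to run the inbound policy check is taken on the wrong protosw entry, so the check can be skipped for a protocol that should be enforced or run where the comment says it should not. The fix is one token: `if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {`. `ip6_input()` begins and ends outside this hunk.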
@@ -1532,6 +1593,31 @@ ip6_delaux(m)
 m_tag_delete(m, mtag);
 }
+static int
+sysctl_net_inet6_ip6_rht0(SYSCTLFN_ARGS)
+{
+ int error, tmp;
+ struct sysctlnode node;
+ node = *rnode;
+ tmp = ip6_rht0;
+ node.sysctl_data = &tmp;
+ error = sysctl_lookup(SYSCTLFN_CALL(&node));
+ if (error || newp == NULL)
+ return error;
+ switch (tmp) {
+ case -1: /* disable processing */
+ case 0: /* disable for host, enable for router */
+ case 1: /* enable for all */
+ break;
+ default:
+ return EINVAL;
+ }
+ ip6_rht0 = tmp;
+ return 0;
+}
+
 /*
 * System control for IP6
 */
@@ -1815,4 +1901,11 @@ SYSCTL_SETUP(sysctl_net_inet6_ip6_setup,
 NULL, 0, &ip6_mcast_pmtu, 0,
 CTL_NET, PF_INET6, IPPROTO_IPV6,
 CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "rht0",
+ SYSCTL_DESCR("Processing of routing header type 0 (IPv6)"),
+ sysctl_net_inet6_ip6_rht0, 0, &ip6_rht0, 0,
+ CTL_NET, PF_INET6, IPPROTO_IPV6,
+ CTL_CREATE, CTL_EOL);
 }
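Review bot: `sysctl_net_inet6_ip6_rht0()` has no header comment, and the meaning of the three accepted values lives only in the `case` label comments, which neither the `"rht0"` sysctl description nor a reader of `ip6_rht0` elsewhere in the file will see. Since `1` enables type-0 routing header processing on every host (RFC 5095 later deprecated RH0 altogether because of its traffic-amplification risk), the contract and the `EINVAL` rejection of any other value deserve stating at the definition. Suggest above the function: `/* "rht0" sysctl handler: -1 never process RH0, 0 process only when forwarding (router), 1 always process; any other value is rejected with EINVAL. */`. The default value of `ip6_rht0` is defined outside this hunk and should be named in the same comment.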