Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
===================================================================
RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v
retrieving revision 1.90.2.3
retrieving revision 1.91
diff -u -p -r1.90.2.3 -r1.91
--- src/sys/netinet6/ip6_input.c 2007/09/16 15:34:59 1.90.2.3
+++ src/sys/netinet6/ip6_input.c 2006/12/02 18:59:17 1.91
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.90.2.3 2007/09/16 15:34:59 xtraeme Exp $ */
+/* $NetBSD: ip6_input.c,v 1.91 2006/12/02 18:59:17 dyoung Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.90.2.3 2007/09/16 15:34:59 xtraeme Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.91 2006/12/02 18:59:17 dyoung Exp $");
 #include "opt_inet.h"
 #include "opt_inet6.h"
@@ -112,12 +112,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include
 #endif
-#ifdef FAST_IPSEC
-#include
-#include
-#include
-#endif /* FAST_IPSEC */
-
 #include
 #include "faith.h"
@@ -247,12 +241,6 @@ ip6_input(m)
 int nxt, ours = 0;
 struct ifnet *deliverifp = NULL;
 int srcrt = 0;
-#ifdef FAST_IPSEC
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
- struct secpolicy *sp;
- int s, error;
-#endif
 #ifdef IPSEC
 /*
@@ -339,8 +327,6 @@ ip6_input(m)
 */
 #ifdef IPSEC
 if (!ipsec_getnhist(m))
-#elif defined(FAST_IPSEC)
- if (!ipsec_indone(m))
 #else
 if (1)
 #endif
@@ -472,7 +458,7 @@ ip6_input(m)
 else {
 struct sockaddr_in6 *dst6;
- if (ip6_forward_rt.ro_rt) {
+ if (ip6_forward_rt.ro_rt != NULL) {
 /* route is down or destination is different */
 ip6stat.ip6s_forward_cachemiss++;
 RTFREE(ip6_forward_rt.ro_rt);
@@ -499,7 +485,7 @@ ip6_input(m)
 * But we think it's even useful in some situations, e.g. when using
 * a special daemon which wants to intercept the packet.
 */
- if (ip6_forward_rt.ro_rt &&
+ if (ip6_forward_rt.ro_rt != NULL &&
 (ip6_forward_rt.ro_rt->rt_flags &
 (RTF_HOST|RTF_GATEWAY)) == RTF_HOST &&
 !(ip6_forward_rt.ro_rt->rt_flags & RTF_CLONED) &&
@@ -542,7 +528,8 @@ ip6_input(m)
 */
 #if defined(NFAITH) && 0 < NFAITH
 if (ip6_keepfaith) {
- if (ip6_forward_rt.ro_rt && ip6_forward_rt.ro_rt->rt_ifp &&
+ if (ip6_forward_rt.ro_rt != NULL &&
+ ip6_forward_rt.ro_rt->rt_ifp != NULL &&
 ip6_forward_rt.ro_rt->rt_ifp->if_type == IFT_FAITH) {
 /* XXX do we need more sanity checks? */
 ours = 1;
@@ -560,9 +547,7 @@ ip6_input(m)
 * working right.
 */
 struct ifaddr *ifa;
- for (ifa = m->m_pkthdr.rcvif->if_addrlist.tqh_first;
- ifa;
- ifa = ifa->ifa_list.tqe_next) {
+ TAILQ_FOREACH(ifa, &m->m_pkthdr.rcvif->if_addrlist, ifa_list) {
 if (ifa->ifa_addr == NULL)
 continue; /* just for safety */
 if (ifa->ifa_addr->sa_family != AF_INET6)
@@ -770,45 +755,6 @@ ip6_input(m)
 goto bad;
 }
 #endif
-#ifdef FAST_IPSEC
- /*
- * enforce IPsec policy checking if we are seeing last header.
- * note that we do not visit this with protocols with pcb layer
- * code - like udp/tcp/raw ip.
- */
- if ((inet6sw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec processing
- * done. If so, then just pass it along. This tag gets
- * set during AH, ESP, etc. input handling, before the
- * packet is returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("ip6_input: no SP, packet discarded\n"));/*XXX*/
- }
- splx(s);
- if (error)
- goto bad;
- }
-#endif /* FAST_IPSEC */
-
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
 }
@@ -1593,31 +1539,6 @@ ip6_delaux(m)
 m_tag_delete(m, mtag);
 }
-static int
-sysctl_net_inet6_ip6_rht0(SYSCTLFN_ARGS)
-{
- int error, tmp;
- struct sysctlnode node;
-
- node = *rnode;
- tmp = ip6_rht0;
- node.sysctl_data = &tmp;
- error = sysctl_lookup(SYSCTLFN_CALL(&node));
- if (error || newp == NULL)
- return error;
-
- switch (tmp) {
- case -1: /* disable processing */
- case 0: /* disable for host, enable for router */
- case 1: /* enable for all */
- break;
- default:
- return EINVAL;
- }
- ip6_rht0 = tmp;
- return 0;
-}
-
 /*
 * System control for IP6
 */
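Review bot: With FAST_IPSEC defined, the new side has no inbound policy check ahead of the `pr_input` dispatch at the end of the -770 hunk, because the whole `error = ipsec_in_reject(sp, m);` block exists only on the old side. The header dates put the new side (1.91, 2006/12/02) before the old side (1.90.2.3, 2007/09/16), so this reads as a branch-to-trunk comparison rather than the check being retired; the `#elif defined(FAST_IPSEC)` arm in the -339 hunk and the FAST_IPSEC includes and locals are absent for the same reason. Anyone building 1.91 with FAST_IPSEC should confirm where last-header protocols get their inbound policy enforced. If the block is carried over, note that its guard indexes `inet6sw` with `ip_protox[nxt]` while the dispatch line uses `ip6_protox[nxt]`; `if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {` looks like the intended form. ip6_input's body starts and ends outside the hunk.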
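Review bot: The new side has no `sysctl_net_inet6_ip6_rht0` handler (-1593 hunk), and the -1901 hunk shows the matching `rht0` node is not created either, so a kernel built from 1.91 exposes no switch for type 0 routing header processing. Type 0 routing headers were deprecated by RFC 5095 because they allow traffic amplification, so when comparing these revisions the old side is the one that carries the control. Whether 1.91 reads `ip6_rht0` anywhere is not visible in this diff. A handler carried over should keep the range check that returns `EINVAL` for anything other than -1, 0 or 1, since the value is written from userland.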
@@ -1901,11 +1822,4 @@ SYSCTL_SETUP(sysctl_net_inet6_ip6_setup,
 NULL, 0, &ip6_mcast_pmtu, 0,
 CTL_NET, PF_INET6, IPPROTO_IPV6,
 CTL_CREATE, CTL_EOL);
- sysctl_createv(clog, 0, NULL, NULL,
- CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
- CTLTYPE_INT, "rht0",
- SYSCTL_DESCR("Processing of routing header type 0 (IPv6)"),
- sysctl_net_inet6_ip6_rht0, 0, &ip6_rht0, 0,
- CTL_NET, PF_INET6, IPPROTO_IPV6,
- CTL_CREATE, CTL_EOL);
 }