- record IPsec packet history into m_aux structure.

- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation

sys/netinet/ip_icmp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.c,v 1.57 2000/10/18 20:34:00 itojun Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.58 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -839,7 +839,7 @@ icmp_send(m, opts)
 #endif
 #ifdef IPSEC
 	/* Don't lookup socket */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif
 	(void) ip_output(m, opts, NULL, 0, NULL);
 }

sys/netinet/ip_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.126 2000/12/28 21:40:59 thorpej Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.127 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -471,12 +471,23 @@ ip_input(struct mbuf *m)
 	 * Note that filters must _never_ set this flag, as another filter
 	 * in the list may have previously cleared it.
 	 */
-	if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
-			   PFIL_IN) != 0)
+	/*
+	 * let ipfilter look at packet on the wire,
+	 * not the decapsulated packet.
+	 */
+#ifdef IPSEC
+	if (!ipsec_gethist(m, NULL))
+#else
+	if (1)
+#endif
+	{
+		if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
+				   PFIL_IN) != 0)
 		return;
-	if (m == NULL)
-		return;
-	ip = mtod(m, struct ip *);
+		if (m == NULL)
+			return;
+		ip = mtod(m, struct ip *);
+	}
 #endif /* PFIL_HOOKS */
 
 #ifdef ALTQ
@@ -1452,7 +1463,7 @@ ip_forward(m, srcrt)
 
 #ifdef IPSEC
 	/* Don't lookup socket in forwading case */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif
 	error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
 	    (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0);

sys/netinet/ip_mroute.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_mroute.c,v 1.51 2000/11/08 14:28:15 ad Exp $	*/
+/*	$NetBSD: ip_mroute.c,v 1.52 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
  * IP multicast forwarding procedures
@@ -1691,7 +1691,7 @@ tbf_send_packet(vifp, m)
 		/* If tunnel options */
 #ifdef IPSEC
 		/* Don't lookup socket in forwading case */
-		ipsec_setsocket(m, NULL);
+		(void)ipsec_setsocket(m, NULL);
 #endif
 		ip_output(m, (struct mbuf *)0, &vifp->v_route,
 			  IP_FORWARDING, (struct ip_moptions *)0);
@@ -1708,7 +1708,7 @@ tbf_send_packet(vifp, m)
 
 #ifdef IPSEC
 		/* Don't lookup socket in forwading case */
-		ipsec_setsocket(m, NULL);
+		(void)ipsec_setsocket(m, NULL);
 #endif
 		error = ip_output(m, (struct mbuf *)0, (struct route *)0,
 				  IP_FORWARDING|IP_MULTICASTOPTS, &imo);

sys/netinet/ip_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.81 2001/01/13 07:19:33 itojun Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.82 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -200,7 +200,7 @@ ip_output(m0, va_alist)
 
 #ifdef IPSEC
 	so = ipsec_getsocket(m);
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 #ifdef	DIAGNOSTIC
@@ -430,19 +430,6 @@ sendit:
 	HTONS(ip->ip_len);
 	HTONS(ip->ip_off);
 
-#ifdef PFIL_HOOKS
-	/*
-	 * Run through list of hooks for output packets.
-	 */
-	if ((error = pfil_run_hooks(&inet_pfil_hook, &m, ifp,
-				    PFIL_OUT)) != 0)
-		goto done;
-	if (m == NULL)
-		goto done;
-
-	ip = mtod(m, struct ip *);
-#endif /* PFIL_HOOKS */
-
 #ifdef IPSEC
 	/* get SP for this packet */
 	if (so == NULL)
@@ -562,6 +549,19 @@ sendit:
 skip_ipsec:
 #endif /*IPSEC*/
 
+#ifdef PFIL_HOOKS
+	/*
+	 * Run through list of hooks for output packets.
+	 */
+	if ((error = pfil_run_hooks(&inet_pfil_hook, &m, ifp,
+				    PFIL_OUT)) != 0)
+		goto done;
+	if (m == NULL)
+		goto done;
+
+	ip = mtod(m, struct ip *);
+#endif /* PFIL_HOOKS */
+
 	/*
 	 * If small enough for mtu of path, can just send directly.
 	 */
@@ -577,6 +577,10 @@ skip_ipsec:
 #endif
 		ip->ip_sum = 0;
 		ip->ip_sum = in_cksum(m, hlen);
+#ifdef IPSEC
+		/* clean ipsec history once it goes out of the node */
+		ipsec_delaux(m);
+#endif
 		error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt);
 		goto done;
 	}
@@ -703,6 +707,10 @@ sendorfree:
 				ia->ia_ifa.ifa_data.ifad_outbytes +=
 					ntohs(ip->ip_len);
 			}
+#endif
+#ifdef IPSEC
+			/* clean ipsec history once it goes out of the node */
+			ipsec_delaux(m);
 #endif
 			error = (*ifp->if_output)(ifp, m, sintosa(dst),
 			    ro->ro_rt);

sys/netinet/raw_ip.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip.c,v 1.53 2000/03/30 13:25:04 augustss Exp $	*/
+/*	$NetBSD: raw_ip.c,v 1.54 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -279,7 +279,10 @@ rip_output(m, va_alist)
 		ipstat.ips_rawout++;
 	}
 #ifdef IPSEC
-	ipsec_setsocket(m, inp->inp_socket);
+	if (ipsec_setsocket(m, inp->inp_socket) != 0) {
+		m_freem(m);
+		return ENOBUFS;
+	}
 #endif /*IPSEC*/
 	return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions, &inp->inp_errormtu));
 }

sys/netinet/tcp_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.121 2000/12/10 23:39:36 itojun Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.122 2001/01/24 09:04:15 itojun Exp $	*/
 
 /*
 %%% portions-copyright-nrl-95
@@ -3425,7 +3425,10 @@ syn_cache_respond(sc, m)
 		else
 			so = NULL;
 		/* use IPsec policy on listening socket, on SYN ACK */
-		ipsec_setsocket(m, so);
+		if (ipsec_setsocket(m, so) != 0) {
+			m_freem(m);
+			return ENOBUFS;
+		}
 	}
 #endif
 	m->m_pkthdr.rcvif = NULL;

sys/netinet/tcp_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.62 2000/11/06 00:50:12 itojun Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.63 2001/01/24 09:04:16 itojun Exp $	*/
 
 /*
 %%% portions-copyright-nrl-95
@@ -1001,7 +1001,11 @@ send:
 	}
 
 #ifdef IPSEC
-	ipsec_setsocket(m, so);
+	if (ipsec_setsocket(m, so) != 0) {
+		m_freem(m);
+		error = ENOBUFS;
+		goto out;
+	}
 #endif /*IPSEC*/
 
 	switch (af) {

sys/netinet/tcp_subr.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.105 2000/12/21 00:45:17 itojun Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.106 2001/01/24 09:04:16 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -651,13 +651,16 @@ tcp_respond(tp, template, m, th0, ack, seq, flags)
 	}
 
 #ifdef IPSEC
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 	if (tp != NULL && tp->t_inpcb != NULL) {
 		ro = &tp->t_inpcb->inp_route;
 #ifdef IPSEC
-		ipsec_setsocket(m, tp->t_inpcb->inp_socket);
+		if (ipsec_setsocket(m, tp->t_inpcb->inp_socket) != 0) {
+			m_freem(m);
+			return ENOBUFS;
+		}
 #endif
 #ifdef DIAGNOSTIC
 		if (family != AF_INET)
@@ -673,7 +676,10 @@ tcp_respond(tp, template, m, th0, ack, seq, flags)
 	else if (tp != NULL && tp->t_in6pcb != NULL) {
 		ro = (struct route *)&tp->t_in6pcb->in6p_route;
 #ifdef IPSEC
-		ipsec_setsocket(m, tp->t_in6pcb->in6p_socket);
+		if (ipsec_setsocket(m, tp->t_in6pcb->in6p_socket) != 0) {
+			m_freem(m);
+			return ENOBUFS;
+		}
 #endif
 #ifdef DIAGNOSTIC
 		if (family == AF_INET) {

sys/netinet/udp_usrreq.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.74 2000/12/04 11:24:20 itojun Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.75 2001/01/24 09:04:16 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1256,7 +1256,10 @@ udp_output(m, va_alist)
 	udpstat.udps_opackets++;
 
 #ifdef IPSEC
-	ipsec_setsocket(m, inp->inp_socket);
+	if (ipsec_setsocket(m, inp->inp_socket) != 0) {
+		error = ENOBUFS;
+		goto release;
+	}
 #endif /*IPSEC*/
 
 	return (ip_output(m, inp->inp_options, &inp->inp_route,

sys/netinet6/ah_input.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: ah_input.c,v 1.23 2000/12/09 01:29:50 itojun Exp $	*/
-/*	$KAME: ah_input.c,v 1.37 2000/10/19 00:37:50 itojun Exp $	*/
+/*	$NetBSD: ah_input.c,v 1.24 2001/01/24 09:04:16 itojun Exp $	*/
+/*	$KAME: ah_input.c,v 1.48 2001/01/23 08:59:37 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -384,7 +384,7 @@ ah4_input(m, va_alist)
 	}
 
 	/* was it transmitted over the IPsec tunnel SA? */
-	if (ipsec4_tunnel_validate(ip, nxt, sav) && nxt == IPPROTO_IPV4) {
+	if (ipsec4_tunnel_validate(ip, nxt, sav)) {
 		/*
 		 * strip off all the headers that precedes AH.
 		 *	IP xx AH IP' payload -> IP' payload
@@ -456,6 +456,11 @@ ah4_input(m, va_alist)
 #endif
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0 ||
+		    ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) {
+			ipsecstat.in_nomem++;
+			goto fail;
+		}
 
 		s = splimp();
 		if (IF_QFULL(&ipintrq)) {
@@ -538,6 +543,10 @@ ah4_input(m, va_alist)
 		/* forget about IP hdr checksum, the check has already been passed */
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0) {
+			ipsecstat.in_nomem++;
+			goto fail;
+		}
 
 		if (nxt != IPPROTO_DONE)
 			(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
@@ -853,7 +862,7 @@ ah6_input(mp, offp, proto)
 	}
 
 	/* was it transmitted over the IPsec tunnel SA? */
-	if (ipsec6_tunnel_validate(ip6, nxt, sav) && nxt == IPPROTO_IPV6) {
+	if (ipsec6_tunnel_validate(ip6, nxt, sav)) {
 		/*
 		 * strip off all the headers that precedes AH.
 		 *	IP6 xx AH IP6' payload -> IP6' payload
@@ -915,6 +924,11 @@ ah6_input(mp, offp, proto)
 #endif
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0 ||
+		    ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {
+			ipsec6stat.in_nomem++;
+			goto fail;
+		}
 
 		s = splimp();
 		if (IF_QFULL(&ip6intrq)) {
@@ -993,6 +1007,10 @@ ah6_input(mp, offp, proto)
 		ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_AH, spi) != 0) {
+			ipsec6stat.in_nomem++;
+			goto fail;
+		}
 	}
 
 	*offp = off;

sys/netinet6/esp_input.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: esp_input.c,v 1.13 2000/12/09 01:29:50 itojun Exp $	*/
-/*	$KAME: esp_input.c,v 1.37 2000/10/19 00:37:50 itojun Exp $	*/
+/*	$NetBSD: esp_input.c,v 1.14 2001/01/24 09:04:16 itojun Exp $	*/
+/*	$KAME: esp_input.c,v 1.50 2001/01/23 08:59:37 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -382,6 +382,11 @@ noreplaycheck:
 #endif
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 ||
+		    ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) {
+			ipsecstat.in_nomem++;
+			goto bad;
+		}
 
 		s = splimp();
 		if (IF_QFULL(&ipintrq)) {
@@ -419,6 +424,10 @@ noreplaycheck:
 		ip->ip_p = nxt;
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) {
+			ipsecstat.in_nomem++;
+			goto bad;
+		}
 
 		if (nxt != IPPROTO_DONE)
 			(*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
@@ -793,6 +802,11 @@ noreplaycheck:
 #endif
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 || 
+		    ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {
+			ipsec6stat.in_nomem++;
+			goto bad;
+		}
 
 		s = splimp();
 		if (IF_QFULL(&ip6intrq)) {
@@ -896,6 +910,10 @@ noreplaycheck:
 		ip6->ip6_plen = htons(ntohs(ip6->ip6_plen) - stripsiz);
 
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0) {
+			ipsec6stat.in_nomem++;
+			goto bad;
+		}
 	}
 
 	*offp = off;

sys/netinet6/icmp6.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.51 2001/01/16 06:16:37 itojun Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.52 2001/01/24 09:04:16 itojun Exp $	*/
 /*	$KAME: icmp6.c,v 1.172 2000/12/11 19:27:06 itojun Exp $	*/
 
 /*
@@ -2071,7 +2071,7 @@ icmp6_reflect(m, off)
 	m->m_flags &= ~(M_BCAST|M_MCAST);
 #ifdef IPSEC
 	/* Don't lookup socket */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 #ifdef COMPAT_RFC1885
@@ -2589,7 +2589,7 @@ noredhdropt:;
 	/* send the packet to outside... */
 #ifdef IPSEC
 	/* Don't lookup socket */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 	ip6_output(m, NULL, NULL, 0, NULL, &outif);
 	if (outif) {

sys/netinet6/ip6_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.27 2000/11/11 00:52:39 thorpej Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.28 2001/01/24 09:04:17 itojun Exp $	*/
 /*	$KAME: ip6_output.c,v 1.122 2000/08/19 02:12:02 jinmei Exp $	*/
 
 /*
@@ -168,7 +168,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
 
 	/* for AH processing. stupid to have "socket" variable in IP layer... */
 	so = ipsec_getsocket(m);
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 	ip6 = mtod(m, struct ip6_hdr *);
 #endif /* IPSEC */
 
@@ -862,6 +862,10 @@ skip_ipsec2:;
 				m->m_pkthdr.len;
 		}
 #endif
+#ifdef IPSEC
+		/* clean ipsec history once it goes out of the node */
+		ipsec_delaux(m);
+#endif
 #ifdef OLDIP6OUTPUT
 		error = (*ifp->if_output)(ifp, m, (struct sockaddr *)dst,
 					  ro->ro_rt);
@@ -992,6 +996,10 @@ sendorfree:
 					m->m_pkthdr.len;
 			}
 #endif
+#ifdef IPSEC
+			/* clean ipsec history once it goes out of the node */
+			ipsec_delaux(m);
+#endif
 #ifdef OLDIP6OUTPUT
 			error = (*ifp->if_output)(ifp, m,
 						  (struct sockaddr *)dst,

sys/netinet6/ipcomp_input.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: ipcomp_input.c,v 1.14 2000/10/02 03:55:43 itojun Exp $	*/
-/*	$KAME: ipcomp_input.c,v 1.19 2000/10/01 12:37:20 itojun Exp $	*/
+/*	$NetBSD: ipcomp_input.c,v 1.15 2001/01/24 09:04:17 itojun Exp $	*/
+/*	$KAME: ipcomp_input.c,v 1.22 2001/01/23 08:59:37 itojun Exp $	*/
 
 /*
  * Copyright (C) 1999 WIDE Project.
@@ -209,6 +209,10 @@ ipcomp4_input(m, va_alist)
 
 	if (sav) {
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_IPCOMP, (u_int32_t)cpi) != 0) {
+			ipsecstat.in_nomem++;
+			goto fail;
+		}
 		key_freesav(sav);
 		sav = NULL;
 	}
@@ -320,6 +324,10 @@ ipcomp6_input(mp, offp, proto)
 
 	if (sav) {
 		key_sa_recordxfer(sav, m);
+		if (ipsec_addhist(m, IPPROTO_IPCOMP, (u_int32_t)cpi) != 0) {
+			ipsec6stat.in_nomem++;
+			goto fail;
+		}
 		key_freesav(sav);
 		sav = NULL;
 	}

sys/netinet6/ipsec.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: ipsec.c,v 1.31 2000/11/10 01:10:36 itojun Exp $	*/
-/*	$KAME: ipsec.c,v 1.83 2000/11/09 17:45:30 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.32 2001/01/24 09:04:17 itojun Exp $	*/
+/*	$KAME: ipsec.c,v 1.87 2001/01/23 08:59:38 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -156,6 +156,9 @@ static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
 #ifdef INET6
 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
 #endif
+static struct mbuf *ipsec_addaux __P((struct mbuf *));
+static struct mbuf *ipsec_findaux __P((struct mbuf *));
+static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
 
 /*
  * For OUTBOUND packet having a socket. Searching SPD for packet,
@@ -3266,27 +3269,78 @@ ipsec_copypkt(m)
 	return(NULL);
 }
 
+static struct mbuf *
+ipsec_addaux(m)
+	struct mbuf *m;
+{
+	struct mbuf *n;
+
+	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+	if (!n)
+		n = m_aux_add(m, AF_INET, IPPROTO_ESP);
+	if (!n)
+		return n;	/* ENOBUFS */
+	n->m_len = sizeof(struct socket *);
+	bzero(mtod(n, void *), n->m_len);
+	return n;
+}
+
+static struct mbuf *
+ipsec_findaux(m)
+	struct mbuf *m;
+{
+	struct mbuf *n;
+
+	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+#ifdef DIAGNOSTIC
+	if (n && n->m_len < sizeof(struct socket *))
+		panic("invalid ipsec m_aux");
+#endif
+	return n;
+}
+
 void
+ipsec_delaux(m)
+	struct mbuf *m;
+{
+	struct mbuf *n;
+
+	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+	if (n)
+		m_aux_delete(m, n);
+}
+
+/* if the aux buffer is unnecessary, nuke it. */
+static void
+ipsec_optaux(m, n)
+	struct mbuf *m;
+	struct mbuf *n;
+{
+
+	if (!n)
+		return;
+	if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
+		ipsec_delaux(m);
+}
+
+int
 ipsec_setsocket(m, so)
 	struct mbuf *m;
 	struct socket *so;
 {
 	struct mbuf *n;
 
-	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
-	if (so && !n)
-		n = m_aux_add(m, AF_INET, IPPROTO_ESP);
-	if (n) {
-		if (so) {
-			*mtod(n, struct socket **) = so;
-			/*
-			 * XXX think again about it when we put decryption
-			 * histrory into aux mbuf
-			 */
-			n->m_len = sizeof(struct socket *);
-		} else
-			m_aux_delete(m, n);
-	}
+	/* if so == NULL, don't insist on getting the aux mbuf */
+	if (so) {
+		n = ipsec_addaux(m);
+		if (!n)
+			return ENOBUFS;
+	} else
+		n = ipsec_findaux(m);
+	if (n && n->m_len >= sizeof(struct socket *))
+		*mtod(n, struct socket **) = so;
+	ipsec_optaux(m, n);
+	return 0;
 }
 
 struct socket *
@@ -3295,13 +3349,70 @@ ipsec_getsocket(m)
 {
 	struct mbuf *n;
 
-	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+	n = ipsec_findaux(m);
 	if (n && n->m_len >= sizeof(struct socket *))
 		return *mtod(n, struct socket **);
 	else
 		return NULL;
 }
 
+int
+ipsec_addhist(m, proto, spi)
+	struct mbuf *m;
+	int proto;
+	u_int32_t spi;
+{
+	struct mbuf *n;
+	struct ipsec_history *p;
+
+	n = ipsec_addaux(m);
+	if (!n)
+		return ENOBUFS;
+	if (M_TRAILINGSPACE(n) < sizeof(*p))
+		return ENOSPC;	/*XXX*/
+	p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
+	n->m_len += sizeof(*p);
+	bzero(p, sizeof(*p));
+	p->ih_proto = proto;
+	p->ih_spi = spi;
+	return 0;
+}
+
+struct ipsec_history *
+ipsec_gethist(m, lenp)
+	struct mbuf *m;
+	int *lenp;
+{
+	struct mbuf *n;
+	int l;
+
+	n = ipsec_findaux(m);
+	if (!n)
+		return NULL;
+	l = n->m_len;
+	if (sizeof(struct socket *) > l)
+		return NULL;
+	if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
+		return NULL;
+	/* XXX does it make more sense to divide by sizeof(ipsec_history)? */
+	if (lenp)
+		*lenp = l - sizeof(struct socket *);
+	return (struct ipsec_history *)
+	    (mtod(n, caddr_t) + sizeof(struct socket *));
+}
+
+void
+ipsec_clearhist(m)
+	struct mbuf *m;
+{
+	struct mbuf *n;
+
+	n = ipsec_findaux(m);
+	if ((n) && n->m_len > sizeof(struct socket *))
+		n->m_len = sizeof(struct socket *);
+	ipsec_optaux(m, n);
+}
+
 /*
  * System control for IPSEC
  */

sys/netinet6/ipsec.h

@@ -1,5 +1,5 @@
-/*	$NetBSD: ipsec.h,v 1.18 2001/01/04 11:48:44 itojun Exp $	*/
-/*	$KAME: ipsec.h,v 1.40 2001/01/04 11:47:28 itojun Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.19 2001/01/24 09:04:17 itojun Exp $	*/
+/*	$KAME: ipsec.h,v 1.41 2001/01/23 04:42:30 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -261,6 +261,11 @@ struct ipsec_output_state {
 	struct sockaddr *dst;
 };
 
+struct ipsec_history {
+	int ih_proto;
+	u_int32_t ih_spi;
+};
+
 extern int ipsec_debug;
 
 #ifdef INET
@@ -366,8 +371,12 @@ extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
 	struct secasvar *));
 #endif
 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
-extern void ipsec_setsocket __P((struct mbuf *, struct socket *));
+extern void ipsec_delaux __P((struct mbuf *));
+extern int ipsec_setsocket __P((struct mbuf *, struct socket *));
 extern struct socket *ipsec_getsocket __P((struct mbuf *));
+extern int ipsec_addhist __P((struct mbuf *, int, u_int32_t)); 
+extern struct ipsec_history *ipsec_gethist __P((struct mbuf *, int *));
+extern void ipsec_clearhist __P((struct mbuf *));
 
 extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
 extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));

sys/netinet6/nd6_nbr.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: nd6_nbr.c,v 1.24 2001/01/17 11:26:52 itojun Exp $	*/
-/*	$KAME: nd6_nbr.c,v 1.36 2000/05/17 12:35:59 jinmei Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.25 2001/01/24 09:04:17 itojun Exp $	*/
+/*	$KAME: nd6_nbr.c,v 1.51 2001/01/20 17:27:00 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -495,7 +495,7 @@ nd6_ns_output(ifp, daddr6, taddr6, ln, dad)
 
 #ifdef IPSEC
 	/* Don't lookup socket */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif
 	ip6_output(m, NULL, NULL, dad ? IPV6_DADOUTPUT : 0, &im6o, &outif);
 	if (outif) {
@@ -917,7 +917,7 @@ nd6_na_output(ifp, daddr6, taddr6, flags, tlladdr, sdl0)
 
 #ifdef IPSEC
 	/* Don't lookup socket */
-	ipsec_setsocket(m, NULL);
+	(void)ipsec_setsocket(m, NULL);
 #endif
 	ip6_output(m, NULL, NULL, 0, &im6o, &outif);
 	if (outif) {

sys/netinet6/raw_ip6.c

@@ -1,5 +1,5 @@
-/*	$NetBSD: raw_ip6.c,v 1.25 2000/10/19 00:40:45 itojun Exp $	*/
-/*	$KAME: raw_ip6.c,v 1.39 2000/10/19 00:37:50 itojun Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.26 2001/01/24 09:04:17 itojun Exp $	*/
+/*	$KAME: raw_ip6.c,v 1.56 2001/01/11 11:01:23 sumikawa Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -433,7 +433,10 @@ rip6_output(m, va_alist)
 	}
 
 #ifdef IPSEC
-	ipsec_setsocket(m, so);
+	if (ipsec_setsocket(m, so) != 0) {
+		error = ENOBUFS;
+		goto bad;
+	}
 #endif /*IPSEC*/
 	
 	error = ip6_output(m, optp, &in6p->in6p_route, 0, in6p->in6p_moptions,

sys/netinet6/udp6_usrreq.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: udp6_usrreq.c,v 1.36 2000/12/09 01:29:50 itojun Exp $	*/
+/*	$NetBSD: udp6_usrreq.c,v 1.37 2001/01/24 09:04:17 itojun Exp $	*/
 /*	$KAME: udp6_usrreq.c,v 1.62 2000/10/19 01:11:05 itojun Exp $	*/
 
 /*
@@ -732,7 +732,10 @@ udp6_output(in6p, m, addr6, control, p)
 
 		udp6stat.udp6s_opackets++;
 #ifdef IPSEC
-		ipsec_setsocket(m, in6p->in6p_socket);
+		if (ipsec_setsocket(m, in6p->in6p_socket) != 0) {
+			error = ENOBUFS;
+			goto release;
+		}
 #endif /*IPSEC*/
 		error = ip6_output(m, in6p->in6p_outputopts, &in6p->in6p_route,
 			    0, in6p->in6p_moptions, NULL);
@@ -760,7 +763,7 @@ udp6_output(in6p, m, addr6, control, p)
 
 		udpstat.udps_opackets++;
 #ifdef IPSEC
-		ipsec_setsocket(m, NULL);	/*XXX*/
+		(void)ipsec_setsocket(m, NULL);	/*XXX*/
 #endif /*IPSEC*/
 		error = ip_output(m, NULL, &in6p->in6p_route, 0 /*XXX*/);
 		break;