From 769c59467ec1145a3864b2a824ab77dc07e7cc40 Mon Sep 17 00:00:00 2001 From: mycroft Date: Thu, 25 Sep 2003 01:01:39 +0000 Subject: [PATCH] The I/O path is assymetric -- we can't deal with IPsec packets coming in, so don't send them out. For now. XXX "Oh my does this need work." --- dist/dhcp/common/socket.c | 15 ++++++++++++++- dist/dhcp/includes/dhcpd.h | 3 +++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/dist/dhcp/common/socket.c b/dist/dhcp/common/socket.c index fbe99b48fcc8..715c7212d809 100644 --- a/dist/dhcp/common/socket.c +++ b/dist/dhcp/common/socket.c @@ -51,7 +51,7 @@ #ifndef lint static char copyright[] = -"$Id: socket.c,v 1.5 2003/02/18 17:08:41 drochner Exp $ Copyright (c) 1995-2002 The Internet Software Consortium. All rights reserved.\n"; +"$Id: socket.c,v 1.6 2003/09/25 01:01:39 mycroft Exp $ Copyright (c) 1995-2002 The Internet Software Consortium. All rights reserved.\n"; #endif /* not lint */ #include "dhcpd.h" @@ -111,6 +111,10 @@ int if_register_socket (info) struct sockaddr_in name; int sock; int flag; +#ifndef SMALL + char *buf; + char *policy = "out bypass"; +#endif #if !defined (HAVE_SO_BINDTODEVICE) && !defined (USE_FALLBACK) /* Make sure only one interface is registered. */ @@ -137,6 +141,15 @@ int if_register_socket (info) (char *)&flag, sizeof flag) < 0) log_fatal ("Can't set SO_REUSEADDR option on dhcp socket: %m"); +#ifndef SMALL + /* Set a per-socket IPsec policy to prevent encryption. */ + buf = ipsec_set_policy(policy, strlen(policy)); + if (setsockopt (sock, IPPROTO_IP, IP_IPSEC_POLICY, buf, + ipsec_get_policylen(buf)) < 0 && errno != ENOPROTOOPT) + log_fatal ("Can't set IPsec policy on dhcp socket: %m"); + free (buf); +#endif + /* Set the BROADCAST option so that we can broadcast DHCP responses. We shouldn't do this for fallback devices, and we can detect that a device is a fallback because it has no ifp structure. */ 
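Review bot: `ipsec_set_policy()` returns NULL when it cannot parse the policy string or allocate its buffer, and in the added block `buf` is passed straight to `ipsec_get_policylen(buf)` and `setsockopt()` without a check, so that failure would surface as a NULL dereference at start-up instead of a logged error. Add `if (buf == NULL) log_fatal ("Can't build IPsec policy: %s", ipsec_strerror());` before the `setsockopt` call. The comment above the block could also state that "out bypass" exempts this socket's outbound packets from the system IPsec policy, and that `ENOPROTOOPT` is tolerated so a kernel without IPsec support still registers the socket. The declarations of `buf` and `policy` are in the preceding hunk, and the body of if_register_socket starts and ends outside both hunks.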
diff --git a/dist/dhcp/includes/dhcpd.h b/dist/dhcp/includes/dhcpd.h index 99ae69c2eaec..ddc1fd8ebacd 100644 --- a/dist/dhcp/includes/dhcpd.h +++ b/dist/dhcp/includes/dhcpd.h @@ -44,6 +44,9 @@ #ifndef __CYGWIN32__ #include #include +#ifndef SMALL +#include +#endif #include #include #include
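Review bot: The added include is guarded only by `SMALL`, the same condition that wraps the `ipsec_set_policy()` call in socket.c, so every non-SMALL build that pulls in dhcpd.h now depends on the IPsec header and, presumably, on the library that provides `ipsec_set_policy()`. The diffstat lists only socket.c and dhcpd.h, so it is worth confirming that the link line for these programs already covers that library. A short comment above the include, such as `/* for ipsec_set_policy() in common/socket.c */`, would record why a shared header needs it. The header name after `#include` is not visible on this page.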