The I/O path is assymetric -- we can't deal with IPsec packets coming in, so

don't send them out.  For now.

XXX "Oh my does this need work."

dist/dhcp/common/socket.c

@@ -51,7 +51,7 @@
 
 #ifndef lint
 static char copyright[] =
-"$Id: socket.c,v 1.5 2003/02/18 17:08:41 drochner Exp $ Copyright (c) 1995-2002 The Internet Software Consortium.  All rights reserved.\n";
+"$Id: socket.c,v 1.6 2003/09/25 01:01:39 mycroft Exp $ Copyright (c) 1995-2002 The Internet Software Consortium.  All rights reserved.\n";
 #endif /* not lint */
 
 #include "dhcpd.h"
@@ -111,6 +111,10 @@ int if_register_socket (info)
 	struct sockaddr_in name;
 	int sock;
 	int flag;
+#ifndef SMALL
+	char *buf;
+	char *policy = "out bypass";
+#endif
 
 #if !defined (HAVE_SO_BINDTODEVICE) && !defined (USE_FALLBACK)
 	/* Make sure only one interface is registered. */
@@ -137,6 +141,15 @@ int if_register_socket (info)
 			(char *)&flag, sizeof flag) < 0)
 		log_fatal ("Can't set SO_REUSEADDR option on dhcp socket: %m");
 
+#ifndef SMALL
+	/* Set a per-socket IPsec policy to prevent encryption. */
+	buf = ipsec_set_policy(policy, strlen(policy));
+	if (setsockopt (sock, IPPROTO_IP, IP_IPSEC_POLICY, buf,
+	    ipsec_get_policylen(buf)) < 0 && errno != ENOPROTOOPT)
+		log_fatal ("Can't set IPsec policy on dhcp socket: %m");
+	free (buf);
+#endif
+
 	/* Set the BROADCAST option so that we can broadcast DHCP responses.
 	   We shouldn't do this for fallback devices, and we can detect that
 	   a device is a fallback because it has no ifp structure. */

dist/dhcp/includes/dhcpd.h

@@ -44,6 +44,9 @@
 #ifndef __CYGWIN32__
 #include <sys/types.h>
 #include <netinet/in.h>
+#ifndef SMALL
+#include <netinet6/ipsec.h>
+#endif
 #include <sys/socket.h>
 #include <sys/un.h>
 #include <arpa/inet.h>