From f7abb16323fc180f63f1bfcee4ae79f53db84a0e Mon Sep 17 00:00:00 2001
From: jonathan
Date: Mon, 26 Apr 2004 01:53:59 +0000
Subject: [PATCH] Fix per-PCB IPsec policy cache for FAST_IPSEC: The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of the KAME per-PCB policy cache) assumes that policy-cacheable PCBs always has a non-NULL inph_sp in the common PCB header. So we must do all the per-PCB policy cache calls when either (KAME) IPSEC, or FAST_IPSEC is defined. ``Make it so''. We can now support non-IPsec'ed IPv6 traffic, when both ``options FAST_IPSEC'' and ``options INET6'' are configured.
---
 sys/netinet6/in6_pcb.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index aaf26b6860cb..98dd62875cbc 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -1,4 +1,4 @@
-/* $NetBSD: in6_pcb.c,v 1.63 2004/04/25 16:42:42 simonb Exp $ */
+/* $NetBSD: in6_pcb.c,v 1.64 2004/04/26 01:53:59 jonathan Exp $ */
 /* $KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.63 2004/04/25 16:42:42 simonb Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.64 2004/04/26 01:53:59 jonathan Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -101,6 +101,12 @@ extern struct ifnet loif[NLOOP];
 #include
 #endif /* IPSEC */
+#ifdef FAST_IPSEC
+#include
+#include
+#include
+#endif /* FAST_IPSEC */
+
 struct in6_addr zeroin6_addr;
 #define IN6PCBHASH_PORT(table, lport) \
@@ -143,7 +149,7 @@ in6_pcballoc(so, v)
 struct inpcbtable *table = v;
 struct in6pcb *in6p;
 int s;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 int error;
 #endif
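Review bot: The new `#ifdef FAST_IPSEC` include block in the `@@ -101` hunk sits beside the existing `#ifdef IPSEC` block, and nothing visible in this file stops both options being defined at once. In that case both sets of IPsec headers would be pulled in, and the shared `#if defined(IPSEC) || defined(FAST_IPSEC)` call sites would no longer say which stack they bind to. If the two options are meant to be mutually exclusive (possibly already enforced by the kernel configuration, which is not visible here), the file can state it directly: `#if defined(IPSEC) && defined(FAST_IPSEC)`, `#error "IPSEC and FAST_IPSEC are mutually exclusive"`, `#endif`. The header names on the added `#include` lines are missing from this page, so they could not be checked.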
@@ -156,7 +162,7 @@ in6_pcballoc(so, v)
 in6p->in6p_socket = so;
 in6p->in6p_hops = -1; /* use kernel default */
 in6p->in6p_icmp6filt = NULL;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 error = ipsec_init_pcbpolicy(so, &in6p->in6p_sp);
 if (error != 0) {
 pool_put(&in6pcb_pool, in6p);
@@ -457,7 +463,7 @@ in6_pcbconnect(v, nam)
 if (ip6_auto_flowlabel) in6p->in6p_flowinfo |= (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 if (in6p->in6p_socket->so_type == SOCK_STREAM) ipsec_pcbconn(in6p->in6p_sp);
 #endif
@@ -472,7 +478,7 @@ in6_pcbdisconnect(in6p)
 in6p->in6p_fport = 0;
 in6_pcbstate(in6p, IN6P_BOUND);
 in6p->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 ipsec_pcbdisconn(in6p->in6p_sp);
 #endif
 if (in6p->in6p_socket->so_state & SS_NOFDREF)
@@ -489,7 +495,7 @@ in6_pcbdetach(in6p)
 if (in6p->in6p_af != AF_INET6) return;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 ipsec6_delete_pcbpolicy(in6p);
 #endif /* IPSEC */
 sotoin6pcb(so) = 0;
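Review bot: In the `in6_pcbconnect` hunk, `ipsec_pcbconn(in6p->in6p_sp)` now also runs on FAST_IPSEC kernels, and the commit message says the policy cache assumes that pointer is never NULL, yet nothing at the call site states or checks it. The same applies to `ipsec_pcbdisconn(in6p->in6p_sp)` in the `in6_pcbdisconnect` hunk. A `KASSERT(in6p->in6p_sp != NULL);` ahead of each call would turn a broken invariant into a diagnosable assertion on DIAGNOSTIC kernels rather than a NULL dereference inside the policy cache. A one-line comment on why only `SOCK_STREAM` sockets are marked connected while the disconnect call is unconditional would also help the next reader. Both functions start and end outside their hunks.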
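Review bot: The closing `#endif /* IPSEC */` in the `in6_pcbdetach` hunk is now stale, because the guard it closes was widened to `#if defined(IPSEC) || defined(FAST_IPSEC)`; it should read `#endif /* IPSEC || FAST_IPSEC */`. The `#endif` that closes the widened guard in the `in6_pcballoc` hunk at `@@ -156` lies outside that hunk and presumably needs the same update if it carries a comment. The body of in6_pcbdetach continues outside the hunk.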