 @@ -1,14 +1,14 @@
-/*	$NetBSD: in_pcb.c,v 1.139 2011/09/24 17:18:17 christos Exp $	*/
+/*	$NetBSD: in_pcb.c,v 1.140 2011/12/19 11:59:56 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -83,27 +83,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)in_pcb.c	8.4 (Berkeley) 5/24/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.139 2011/09/24 17:18:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.140 2011/12/19 11:59:56 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/ioctl.h>
 #include <sys/errno.h>
 @@ -122,27 +122,27 @@ __KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/in_pcb.h>
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
 #include <netinet/rfc6056.h>
 #ifdef INET6
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/in6_pcb.h>
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
 #elif FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif /* IPSEC */
 #include <netinet/tcp_vtw.h>
 struct	in_addr zeroin_addr;
 #define	INPCBHASH_PORT(table, lport) \
 	&(table)->inpt_porthashtbl[ntohs(lport) & (table)->inpt_porthash]
 @@ -184,43 +184,43 @@ in_pcbinit(struct inpcbtable *table, int
 	    &table->inpt_connecthash);
 	table->inpt_lastlow = IPPORT_RESERVEDMAX;
 	table->inpt_lastport = (u_int16_t)anonportmax;
 	RUN_ONCE(&control, inpcb_poolinit);
+}
 int
 in_pcballoc(struct socket *so, void *v)
+{
 	struct inpcbtable *table = v;
 	struct inpcb *inp;
 	int s;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	int error;
 #endif
 	s = splnet();
 	inp = pool_get(&inpcb_pool, PR_NOWAIT);
 	splx(s);
 	if (inp == NULL)
 		return (ENOBUFS);
 	memset(inp, 0, sizeof(*inp));
 	inp->inp_af = AF_INET;
 	inp->inp_table = table;
 	inp->inp_socket = so;
 	inp->inp_errormtu = -1;
 	inp->inp_rfc6056algo = RFC6056_ALGO_DEFAULT;
 	inp->inp_bindportonsend = false;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
 	if (error != 0) {
 		s = splnet();
 		pool_put(&inpcb_pool, inp);
 		splx(s);
 		return error;
+	}
 #endif
 	so->so_pcb = inp;
 	s = splnet();
 	CIRCLEQ_INSERT_HEAD(&table->inpt_queue, &inp->inp_head,
 	    inph_queue);
 	LIST_INSERT_HEAD(INPCBHASH_PORT(table, inp->inp_lport), &inp->inp_head,
 @@ -544,62 +544,62 @@ in_pcbconnect(void *v, struct mbuf *nam,
         /* Late bind, if needed */
 	if (inp->inp_bindportonsend) {
                struct sockaddr_in lsin = *((const struct sockaddr_in *)
 		    inp->inp_socket->so_proto->pr_domain->dom_sa_any);
 		lsin.sin_addr = inp->inp_laddr;
 		lsin.sin_port = 0;
                if ((error = in_pcbbind_port(inp, &lsin, l->l_cred)) != 0)
                        return error;
+	}
 	in_pcbstate(inp, INP_CONNECTED);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	if (inp->inp_socket->so_type == SOCK_STREAM)
 		ipsec_pcbconn(inp->inp_sp);
 #endif
 	return (0);
+}
 void
 in_pcbdisconnect(void *v)
+{
 	struct inpcb *inp = v;
 	if (inp->inp_af != AF_INET)
 		return;
 	inp->inp_faddr = zeroin_addr;
 	inp->inp_fport = 0;
 	in_pcbstate(inp, INP_BOUND);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	ipsec_pcbdisconn(inp->inp_sp);
 #endif
 	if (inp->inp_socket->so_state & SS_NOFDREF)
 		in_pcbdetach(inp);
+}
 void
 in_pcbdetach(void *v)
+{
 	struct inpcb *inp = v;
 	struct socket *so = inp->inp_socket;
 	int s;
 	if (inp->inp_af != AF_INET)
 		return;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	ipsec4_delete_pcbpolicy(inp);
 #endif /*IPSEC*/
 	so->so_pcb = 0;
 	if (inp->inp_options)
 		(void)m_free(inp->inp_options);
 	rtcache_free(&inp->inp_route);
 	ip_freemoptions(inp->inp_moptions);
 	s = splnet();
 	in_pcbstate(inp, INP_ATTACHED);
 	LIST_REMOVE(&inp->inp_head, inph_lhash);
 	CIRCLEQ_REMOVE(&inp->inp_table->inpt_queue, &inp->inp_head,
 	    inph_queue);
 	pool_put(&inpcb_pool, inp);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: in_proto.c,v 1.101 2011/05/03 17:44:31 dyoung Exp $	*/
+/*	$NetBSD: in_proto.c,v 1.102 2011/12/19 11:59:56 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -51,27 +51,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)in_proto.c	8.2 (Berkeley) 2/9/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.101 2011/05/03 17:44:31 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_proto.c,v 1.102 2011/12/19 11:59:56 drochner Exp $");
 #include "opt_mrouting.h"
 #include "opt_eon.h"			/* ISO CLNL over IP */
 #include "opt_iso.h"			/* ISO TP tunneled over IP */
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_pim.h"
 #include "opt_gateway.h"
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <sys/protosw.h>
 #include <sys/domain.h>
 @@ -106,34 +106,34 @@ __KERNEL_RCSID(0, "$NetBSD: in_proto.c,v
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcpip.h>
 #include <netinet/tcp_debug.h>
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>
 #include <netinet/ip_encap.h>
 /*
  * TCP/IP protocol family: IP, ICMP, UDP, TCP.
  */
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ah.h>
 #ifdef IPSEC_ESP
 #include <netinet6/esp.h>
 #endif
 #include <netinet6/ipcomp.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif	/* FAST_IPSEC */
 #ifdef TPIP
 #include <netiso/tp_param.h>
 #include <netiso/tp_var.h>
 #endif /* TPIP */
 #ifdef EON
 #include <netiso/eonvar.h>
 @@ -173,27 +173,27 @@ PR_WRAP_CTLINPUT(tcp_ctlinput)
 #define	rip_ctlinput	rip_ctlinput_wrapper
 #define	udp_ctlinput	udp_ctlinput_wrapper
 #define	tcp_ctlinput	tcp_ctlinput_wrapper
 PR_WRAP_CTLOUTPUT(rip_ctloutput)
 PR_WRAP_CTLOUTPUT(udp_ctloutput)
 PR_WRAP_CTLOUTPUT(tcp_ctloutput)
 #define	rip_ctloutput	rip_ctloutput_wrapper
 #define	udp_ctloutput	udp_ctloutput_wrapper
 #define	tcp_ctloutput	tcp_ctloutput_wrapper
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 PR_WRAP_CTLINPUT(ah4_ctlinput)
 #define	ah4_ctlinput	ah4_ctlinput_wrapper
 #endif
 #if defined(IPSEC_ESP) || defined(FAST_IPSEC)
 PR_WRAP_CTLINPUT(esp4_ctlinput)
 #define	esp4_ctlinput	esp4_ctlinput_wrapper
 #endif
 #ifdef TPIP
 PR_WRAP_CTLOUTPUT(tp_ctloutput)
 @@ -260,53 +260,53 @@ const struct protosw inetsw[] = {
 	.pr_output = rip_output,
 	.pr_ctlinput = rip_ctlinput,
 	.pr_ctloutput = rip_ctloutput,
 	.pr_usrreq = rip_usrreq,
 	.pr_init = icmp_init,
 },
 #ifdef GATEWAY
 {	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_IP,
 	.pr_slowtimo = ipflow_slowtimo,
 	.pr_init = ipflow_poolinit,
 },
 #endif /* GATEWAY */
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_AH,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ah4_input,
 	.pr_ctlinput = ah4_ctlinput,
 	.pr_init = ah4_init,
 },
 #ifdef IPSEC_ESP
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_ESP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = esp4_input,
 	.pr_ctlinput = esp4_ctlinput,
 	.pr_init = esp4_init,
 },
 #endif /* IPSEC_ESP */
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_IPCOMP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipcomp4_input,
 	.pr_init = ipcomp4_init,
 },
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_AH,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipsec4_common_input,
 	.pr_ctlinput = ah4_ctlinput,
 },
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inetdomain,
 	.pr_protocol = IPPROTO_ESP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipsec4_common_input,

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip_icmp.c,v 1.125 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.126 2011/12/19 11:59:56 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -84,27 +84,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.125 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.126 2011/12/19 11:59:56 drochner Exp $");
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 #include <sys/syslog.h>
 #include <sys/sysctl.h>
 @@ -113,27 +113,27 @@ __KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/in_var.h>
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/ip_var.h>
 #include <netinet/in_pcb.h>
 #include <netinet/in_proto.h>
 #include <netinet/icmp_var.h>
 #include <netinet/icmp_private.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif	/* FAST_IPSEC*/
 /*
  * ICMP routines: error generation, receive packet processing, and
  * routines to turnaround packets back to the originator, and
  * host table maintenance routines.
 @@ -638,27 +638,27 @@ reflect:
 		if (rt != NULL && icmp_redirtimeout != 0) {
 			i = rt_timer_add(rt, icmp_redirect_timeout,
 					 icmp_redirect_timeout_q);
 			if (i)
 				log(LOG_ERR, "ICMP:  redirect failed to "
 				    "register timeout for route to %x, "
 				    "code %d\n",
 				    icp->icmp_ip.ip_dst.s_addr, i);
+		}
 		if (rt != NULL)
 			rtfree(rt);
 		pfctlinput(PRC_REDIRECT_HOST, sintosa(&icmpsrc));
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		key_sa_routechange((struct sockaddr *)&icmpsrc);
 #endif
 		break;
 	/*
 	 * No kernel processing for the following;
 	 * just fall through to send to raw listener.
 	 */
 	case ICMP_ECHOREPLY:
 	case ICMP_ROUTERADVERT:
 	case ICMP_ROUTERSOLICIT:
 	case ICMP_TSTAMPREPLY:
 	case ICMP_IREQREPLY:

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip_input.c,v 1.296 2011/08/31 18:31:03 plunky Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.297 2011/12/19 11:59:56 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -81,27 +81,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.296 2011/08/31 18:31:03 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.297 2011/12/19 11:59:56 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
 #include "opt_gateway.h"
 #include "opt_pfil_hooks.h"
 #include "opt_ipsec.h"
 #include "opt_mrouting.h"
 #include "opt_mbuftrace.h"
 #include "opt_inet_csum.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 @@ -130,27 +130,27 @@ __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v
 #include <netinet/ip_var.h>
 #include <netinet/ip_private.h>
 #include <netinet/ip_icmp.h>
 /* just for gif_ttl */
 #include <netinet/in_gif.h>
 #include "gif.h"
 #include <net/if_gre.h>
 #include "gre.h"
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netkey/key.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif	/* FAST_IPSEC*/
 #ifndef	IPFORWARDING
 #ifdef GATEWAY
 #define	IPFORWARDING	1	/* forward IP packets not for us */
 #else /* GATEWAY */
 @@ -526,50 +526,50 @@ ip_input(struct mbuf *m)
 	 */
 	if (m->m_pkthdr.len < len) {
 		IP_STATINC(IP_STAT_TOOSHORT);
 		goto bad;
+	}
 	if (m->m_pkthdr.len > len) {
 		if (m->m_len == m->m_pkthdr.len) {
 			m->m_len = len;
 			m->m_pkthdr.len = len;
 		} else
 			m_adj(m, len - m->m_pkthdr.len);
+	}
-#if defined(IPSEC)
+#if defined(KAME_IPSEC)
 	/* ipflow (IP fast forwarding) is not compatible with IPsec. */
 	m->m_flags &= ~M_CANFASTFWD;
 #else
 	/*
 	 * Assume that we can create a fast-forward IP flow entry
 	 * based on this packet.
 	 */
 	m->m_flags |= M_CANFASTFWD;
 #endif
 #ifdef PFIL_HOOKS
 	/*
 	 * Run through list of hooks for input packets.  If there are any
 	 * filters which require that additional packets in the flow are
 	 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
 	 * Note that filters must _never_ set this flag, as another filter
 	 * in the list may have previously cleared it.
 	 */
 	/*
 	 * let ipfilter look at packet on the wire,
 	 * not the decapsulated packet.
 	 */
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (!ipsec_getnhist(m))
 #elif defined(FAST_IPSEC)
 	if (!ipsec_indone(m))
 #else
 	if (1)
 #endif
+	{
 		struct in_addr odst;
 		odst = ip->ip_dst;
 		if (pfil_run_hooks(&inet_pfil_hook, &m, m->m_pkthdr.rcvif,
 		    PFIL_IN) != 0)
 			return;
 @@ -733,27 +733,27 @@ ip_input(struct mbuf *m)
 		m_freem(m);
 	} else {
 		/*
 		 * If ip_dst matched any of my address on !IFF_UP interface,
 		 * and there's no IFF_UP interface that matches ip_dst,
 		 * send icmp unreach.  Forwarding it will result in in-kernel
 		 * forwarding loop till TTL goes to 0.
 		 */
 		if (downmatch) {
 			icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_HOST, 0, 0);
 			IP_STATINC(IP_STAT_CANTFORWARD);
 			return;
+		}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 		if (ipsec4_in_reject(m, NULL)) {
 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto bad;
+		}
 #endif
 #ifdef FAST_IPSEC
 		mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
 		s = splsoftnet();
 		if (mtag != NULL) {
 			tdbi = (struct tdb_ident *)(mtag + 1);
 			sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
 		} else {
 			sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
 @@ -816,27 +816,27 @@ ours:
+		}
 		if (m == NULL) {
 			/* More fragments should come; silently return. */
 			return;
+		}
 		/*
 		 * Reassembly is done, we have the final packet.
 		 * Updated cached data in local variable(s).
 		 */
 		ip = mtod(m, struct ip *);
 		hlen = ip->ip_hl << 2;
+	}
-#if defined(IPSEC)
+#if defined(KAME_IPSEC)
 	/*
 	 * enforce IPsec policy checking if we are seeing last header.
 	 * note that we do not visit this with protocols with pcb layer
 	 * code - like udp/tcp/raw ip.
 	 */
 	if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
 	    ipsec4_in_reject(m, NULL)) {
 		IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 		goto bad;
+	}
 #endif
 #ifdef FAST_IPSEC
 	/*
 @@ -1442,27 +1442,27 @@ ip_forward(struct mbuf *m, int srcrt)
 	case EHOSTDOWN:
 	default:
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_HOST;
 		break;
 	case EMSGSIZE:
 		type = ICMP_UNREACH;
 		code = ICMP_UNREACH_NEEDFRAG;
 		if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
 			destmtu = rt->rt_ifp->if_mtu;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
+		{
 			/*
 			 * If the packet is routed over IPsec tunnel, tell the
 			 * originator the tunnel MTU.
 			 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
 			 * XXX quickhack!!!
 			 */
 			struct secpolicy *sp;
 			int ipsecerror;
 			size_t ipsechdr;
 			struct route *ro;
 @@ -1484,34 +1484,34 @@ ip_forward(struct mbuf *m, int srcrt)
 				 && sp->req->sav != NULL
 				 && sp->req->sav->sah != NULL) {
 					ro = &sp->req->sav->sah->sa_route;
 					rt = rtcache_validate(ro);
 					if (rt && rt->rt_ifp) {
 						destmtu =
 						    rt->rt_rmx.rmx_mtu ?
 						    rt->rt_rmx.rmx_mtu :
 						    rt->rt_ifp->if_mtu;
 						destmtu -= ipsechdr;
+					}
+				}
-#ifdef	IPSEC
+#ifdef	KAME_IPSEC
 				key_freesp(sp);
 #else
 				KEY_FREESP(&sp);
 #endif
+			}
+		}
-#endif /*defined(IPSEC) || defined(FAST_IPSEC)*/
+#endif /*defined(KAME_IPSEC) || defined(FAST_IPSEC)*/
 		IP_STATINC(IP_STAT_CANTFRAG);
 		break;
 	case ENOBUFS:
 #if 1
 		/*
 		 * a router should not generate ICMP_SOURCEQUENCH as
 		 * required in RFC1812 Requirements for IP Version 4 Routers.
 		 * source quench could be a big problem under DoS attacks,
 		 * or if the underlying interface is rate-limited.
 		 */
 		if (mcopy)
 			m_freem(mcopy);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip_output.c,v 1.210 2011/10/31 13:16:01 yamt Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.211 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -81,27 +81,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_output.c	8.3 (Berkeley) 1/21/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.210 2011/10/31 13:16:01 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.211 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_pfil_hooks.h"
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_mrouting.h"
 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/errno.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 @@ -119,32 +119,32 @@ __KERNEL_RCSID(0, "$NetBSD: ip_output.c,
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/in_pcb.h>
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip_private.h>
 #include <netinet/in_offload.h>
 #ifdef MROUTING
 #include <netinet/ip_mroute.h>
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netkey/key.h>
 #include <netkey/key_debug.h>
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #include <netipsec/xform.h>
 #endif	/* FAST_IPSEC*/
 #ifdef IPSEC_NAT_T
 #include <netinet/udp.h>
 #endif
 static struct mbuf *ip_insertoptions(struct mbuf *, struct mbuf *, int *);
 static struct ifnet *ip_multicast_if(struct in_addr *, int *);
 @@ -177,29 +177,29 @@ ip_output(struct mbuf *m0, ...)
 	struct in_ifaddr *ia;
 	struct ifaddr *xifa;
 	struct mbuf *opt;
 	struct route *ro;
 	int flags, sw_csum;
 	int *mtu_p;
 	u_long mtu;
 	struct ip_moptions *imo;
 	struct socket *so;
 	va_list ap;
 #ifdef IPSEC_NAT_T
 	int natt_frag = 0;
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	struct secpolicy *sp = NULL;
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 #ifdef FAST_IPSEC
 	struct inpcb *inp;
 	struct secpolicy *sp = NULL;
 	int s;
 #endif
 	u_int16_t ip_len;
 	union {
 		struct sockaddr		dst;
 		struct sockaddr_in	dst4;
 	} u;
 	struct sockaddr *rdst = &u.dst;	/* real IP destination, as opposed
 					 * to the nexthop
 					 */
 @@ -493,27 +493,27 @@ sendit:
+		}
+	}
 	/*
 	 * If we're doing Path MTU Discovery, we need to set DF unless
 	 * the route's MTU is locked.
 	 */
 	if ((flags & IP_MTUDISC) != 0 && rt != NULL &&
 	    (rt->rt_rmx.rmx_locks & RTV_MTU) == 0)
 		ip->ip_off |= htons(IP_DF);
 	/* Remember the current ip_len */
 	ip_len = ntohs(ip->ip_len);
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/* get SP for this packet */
 	if (so == NULL)
 		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
 		    flags, &error);
 	else {
 		if (IPSEC_PCB_SKIP_IPSEC(sotoinpcb_hdr(so)->inph_sp,
 					 IPSEC_DIR_OUTBOUND))
 			goto skip_ipsec;
 		sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
+	}
 	if (sp == NULL) {
 		IPSEC_STATINC(IPSEC_STAT_IN_INVAL);
 @@ -645,27 +645,27 @@ sendit:
 			error = EHOSTUNREACH;	/*XXX*/
 			goto bad;
+		}
 	} else {
 		/* nobody uses ia beyond here */
 		if (state.encap) {
 			ifp = rt->rt_ifp;
 			if ((mtu = rt->rt_rmx.rmx_mtu) == 0)
 				mtu = ifp->if_mtu;
+		}
+	}
+    }
 skip_ipsec:
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 #ifdef FAST_IPSEC
 	/*
 	 * Check the security policy (SP) for the packet and, if
 	 * required, do IPsec-related processing.  There are two
 	 * cases here; the first time a packet is sent through
 	 * it will be untagged and handled by ipsec4_checkpolicy.
 	 * If the packet is resubmitted to ip_output (e.g. after
 	 * AH, ESP, etc. processing), there will be a tag to bypass
 	 * the lookup and related policy checking.
 	 */
 	if (!ipsec_outdone(m)) {
 		s = splsoftnet();
 		if (inp != NULL &&
 @@ -806,27 +806,27 @@ spd_done:
 				ip->ip_sum = in_cksum(m, hlen);
 				m->m_pkthdr.csum_flags &= ~M_CSUM_IPv4;
+			}
 			if (sw_csum & (M_CSUM_TCPv4|M_CSUM_UDPv4)) {
 				if (IN_NEED_CHECKSUM(ifp,
 				    sw_csum & (M_CSUM_TCPv4|M_CSUM_UDPv4))) {
 					in_delayed_cksum(m);
+				}
 				m->m_pkthdr.csum_flags &=
 				    ~(M_CSUM_TCPv4|M_CSUM_UDPv4);
+			}
+		}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 		/* clean ipsec history once it goes out of the node */
 		ipsec_delaux(m);
 #endif
 		if (__predict_true(
 		    (m->m_pkthdr.csum_flags & M_CSUM_TSOv4) == 0 ||
 		    (ifp->if_capenable & IFCAP_TSOv4) != 0)) {
 			KERNEL_LOCK(1, NULL);
 			error =
 			    (*ifp->if_output)(ifp, m,
 				(m->m_flags & M_MCAST) ?
 				    sintocsa(rdst) : sintocsa(dst),
 				rt);
 @@ -872,30 +872,30 @@ spd_done:
 		m = NULL;
 		goto bad;
+	}
 	for (; m; m = m0) {
 		m0 = m->m_nextpkt;
 		m->m_nextpkt = 0;
 		if (error == 0) {
 #if IFA_STATS
 			if (ia)
 				ia->ia_ifa.ifa_data.ifad_outbytes +=
 				    ntohs(ip->ip_len);
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 			/* clean ipsec history once it goes out of the node */
 			ipsec_delaux(m);
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef IPSEC_NAT_T
 			/*
 			 * If we get there, the packet has not been handeld by
 			 * IPSec whereas it should have. Now that it has been
 			 * fragmented, re-inject it in ip_output so that IPsec
 			 * processing can occur.
 			 */
 			if (natt_frag) {
 				error = ip_output(m, opt,
 				    ro, flags, imo, so, mtu_p);
 			} else
 #endif /* IPSEC_NAT_T */
 @@ -908,33 +908,33 @@ spd_done:
 					sintocsa(rdst) : sintocsa(dst),
 				    rt);
 				KERNEL_UNLOCK_ONE(NULL);
+			}
 		} else
 			m_freem(m);
+	}
 	if (error == 0)
 		IP_STATINC(IP_STAT_FRAGMENTED);
 done:
 	rtcache_free(&iproute);
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (sp != NULL) {
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 			printf("DP ip_output call free SP:%p\n", sp));
 		key_freesp(sp);
+	}
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	if (sp != NULL)
 		KEY_FREESP(&sp);
 #endif /* FAST_IPSEC */
 	return (error);
 bad:
 	m_freem(m);
 	goto done;
+}
 int
 ip_fragment(struct mbuf *m, struct ifnet *ifp, u_long mtu)
 @@ -1204,27 +1204,27 @@ ip_optcopy(struct ip *ip, struct ip *jp)
 		*dp++ = IPOPT_EOL;
 	return (optlen);
+}
 /*
  * IP socket option processing.
  */
 int
 ip_ctloutput(int op, struct socket *so, struct sockopt *sopt)
+{
 	struct inpcb *inp = sotoinpcb(so);
 	int optval = 0;
 	int error = 0;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	struct lwp *l = curlwp;	/*XXX*/
 #endif
 	if (sopt->sopt_level != IPPROTO_IP) {
 		if (sopt->sopt_level == SOL_SOCKET && sopt->sopt_name == SO_NOHEADER)
 			return 0;
 		return ENOPROTOOPT;
+	}
 	switch (op) {
 	case PRCO_SETOPT:
 		switch (sopt->sopt_name) {
 		case IP_OPTIONS:
 @@ -1311,27 +1311,27 @@ ip_ctloutput(int op, struct socket *so,
 				break;
 			case IP_PORTRANGE_LOW:
 				inp->inp_flags |= INP_LOWPORT;
 				break;
 			default:
 				error = EINVAL;
 				break;
+			}
 			/* INP_UNLOCK(inp); */
 			break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		case IP_IPSEC_POLICY:
+		    {
 			error = ipsec4_set_policy(inp, sopt->sopt_name,
 			    sopt->sopt_data, sopt->sopt_size, l->l_cred);
 			break;
+		    }
 #endif /*IPSEC*/
 		default:
 			error = ENOPROTOOPT;
 			break;
+		}
 		break;
 @@ -1395,27 +1395,27 @@ ip_ctloutput(int op, struct socket *so,
 				break;
 			case IP_RECVIF:
 				optval = OPTBIT(INP_RECVIF);
 				break;
 			case IP_RECVTTL:
 				optval = OPTBIT(INP_RECVTTL);
 				break;
+			}
 			error = sockopt_setint(sopt, optval);
 			break;
-#if 0	/* defined(IPSEC) || defined(FAST_IPSEC) */
+#if 0	/* defined(KAME_IPSEC) || defined(FAST_IPSEC) */
 		case IP_IPSEC_POLICY:
+		{
 			struct mbuf *m = NULL;
 			/* XXX this will return EINVAL as sopt is empty */
 			error = ipsec4_get_policy(inp, sopt->sopt_data,
 			    sopt->sopt_size, &m);
 			if (error == 0)
 				error = sockopt_setmbuf(sopt, m);
 			break;
+		}
 #endif /*IPSEC*/

 @@ -1,14 +1,14 @@
-/*	$NetBSD: raw_ip.c,v 1.112 2011/07/17 20:54:53 joerg Exp $	*/
+/*	$NetBSD: raw_ip.c,v 1.113 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -51,27 +51,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)raw_ip.c	8.7 (Berkeley) 5/15/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.112 2011/07/17 20:54:53 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.113 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
 #include "opt_ipsec.h"
 #include "opt_mrouting.h"
 #include <sys/param.h>
 #include <sys/sysctl.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/protosw.h>
 #include <sys/socketvar.h>
 @@ -84,30 +84,30 @@ __KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip_private.h>
 #include <netinet/ip_mroute.h>
 #include <netinet/ip_icmp.h>
 #include <netinet/in_pcb.h>
 #include <netinet/in_proto.h>
 #include <netinet/in_var.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec_var.h>
 #include <netipsec/ipsec_private.h>
 #endif	/* FAST_IPSEC */
 #ifdef COMPAT_50
 #include <compat/sys/socket.h>
 #endif
 struct inpcbtable rawcbtable;
 @@ -198,41 +198,41 @@ rip_input(struct mbuf *m, ...)
 		inp = (struct inpcb *)inph;
 		if (inp->inp_af != AF_INET)
 			continue;
 		if (inp->inp_ip.ip_p && inp->inp_ip.ip_p != proto)
 			continue;
 		if (!in_nullhost(inp->inp_laddr) &&
 		    !in_hosteq(inp->inp_laddr, ip->ip_dst))
 			continue;
 		if (!in_nullhost(inp->inp_faddr) &&
 		    !in_hosteq(inp->inp_faddr, ip->ip_src))
 			continue;
 		if (last == NULL)
+			;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		/* check AH/ESP integrity. */
 		else if (ipsec4_in_reject_so(m, last->inp_socket)) {
 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 			/* do not inject data to pcb */
+		}
 #endif /*IPSEC*/
 		else if ((n = m_copypacket(m, M_DONTWAIT)) != NULL) {
 			rip_sbappendaddr(last, ip, sintosa(&ripsrc), hlen, opts,
 			    n);
 			opts = NULL;
+		}
 		last = inp;
+	}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	/* check AH/ESP integrity. */
 	if (last != NULL && ipsec4_in_reject_so(m, last->inp_socket)) {
 		m_freem(m);
 		IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 		IP_STATDEC(IP_STAT_DELIVERED);
 		/* do not inject data to pcb */
 	} else
 #endif /*IPSEC*/
 	if (last != NULL)
 		rip_sbappendaddr(last, ip, sintosa(&ripsrc), hlen, opts, m);
 	else if (inetsw[ip_protox[ip->ip_p]].pr_input == rip_input) {
 		uint64_t *ips;

 @@ -1,14 +1,14 @@
-/*	$NetBSD: tcp_input.c,v 1.318 2011/11/19 22:51:25 tls Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.319 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -138,27 +138,27 @@
  */
 /*
  *	TODO list for SYN cache stuff:
+ *
  *	Find room for a "state" field, which is needed to keep a
  *	compressed state for TIME_WAIT TCBs.  It's been noted already
  *	that this is fairly important for very high-volume web and
  *	mail servers, which use a large number of short-lived
  *	connections.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.318 2011/11/19 22:51:25 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.319 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_inet_csum.h"
 #include "opt_tcp_debug.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 @@ -206,37 +206,37 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_input.c,
 #include <netinet/ip6.h>
 #endif
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcp_private.h>
 #include <netinet/tcpip.h>
 #include <netinet/tcp_congctl.h>
 #include <netinet/tcp_debug.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netkey/key.h>
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 #ifdef INET6
 #include "faith.h"
 #if defined(NFAITH) && NFAITH > 0
 #include <net/if_faith.h>
 #endif
-#endif	/* IPSEC */
+#endif	/* INET6 */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec_var.h>
 #include <netipsec/ipsec_private.h>
 #include <netipsec/key.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
 #endif	/* FAST_IPSEC*/
 #include <netinet/tcp_vtw.h>
 @@ -1443,27 +1443,27 @@ findpcb:
 		if (inp == 0 && !vestige.valid)
 #else
 		if (inp == 0 && in6p == 0 && !vestige.valid)
 #endif
+		{
 			TCP_STATINC(TCP_STAT_NOPORT);
 			if (tcp_log_refused &&
 			    (tiflags & (TH_RST|TH_ACK|TH_SYN)) == TH_SYN) {
 				tcp4_log_refused(ip, th);
+			}
 			tcp_fields_to_host(th);
 			goto dropwithreset_ratelim;
+		}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		if (inp && (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0 &&
 		    ipsec4_in_reject(m, inp)) {
 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto drop;
+		}
 #ifdef INET6
 		else if (in6p &&
 		    (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0 &&
 		    ipsec6_in_reject_so(m, in6p->in6p_socket)) {
 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto drop;
+		}
 #endif
 @@ -1486,27 +1486,27 @@ findpcb:
 			TCP_STATINC(TCP_STAT_PCBHASHMISS);
 			in6p = in6_pcblookup_bind(&tcbtable, &ip6->ip6_dst,
 				th->th_dport, faith);
+		}
 		if (!in6p && !vestige.valid) {
 			TCP_STATINC(TCP_STAT_NOPORT);
 			if (tcp_log_refused &&
 			    (tiflags & (TH_RST|TH_ACK|TH_SYN)) == TH_SYN) {
 				tcp6_log_refused(ip6, th);
+			}
 			tcp_fields_to_host(th);
 			goto dropwithreset_ratelim;
+		}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		if (in6p
 		    && (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
 		    && ipsec6_in_reject(m, in6p)) {
 			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto drop;
+		}
 #endif /*IPSEC*/
 		break;
+	    }
 #endif
+	}
 	/*
 @@ -1795,27 +1795,27 @@ findpcb:
 				 * is the best one, so we follow 5.5.4.
 				 */
 				if (af == AF_INET6 && !ip6_use_deprecated) {
 					struct in6_ifaddr *ia6;
 					if ((ia6 = in6ifa_ifpwithaddr(m->m_pkthdr.rcvif,
 					    &ip6->ip6_dst)) &&
 					    (ia6->ia6_flags & IN6_IFF_DEPRECATED)) {
 						tp = NULL;
 						goto dropwithreset;
+					}
+				}
 #endif
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 				switch (af) {
 #ifdef INET
 				case AF_INET:
 					if (ipsec4_in_reject_so(m, so)) {
 						IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 						tp = NULL;
 						goto dropwithreset;
+					}
 					break;
 #endif
 #ifdef INET6
 				case AF_INET6:
 					if (ipsec6_in_reject_so(m, so)) {
 @@ -4055,27 +4055,27 @@ syn_cache_get(struct sockaddr *src, stru
 	if (in6p && in6totcpcb(in6p)->t_family == AF_INET6 && sotoinpcb(oso)) {
 		struct in6pcb *oin6p = sotoin6pcb(oso);
 		/* inherit socket options from the listening socket */
 		in6p->in6p_flags |= (oin6p->in6p_flags & IN6P_CONTROLOPTS);
 		if (in6p->in6p_flags & IN6P_CONTROLOPTS) {
 			m_freem(in6p->in6p_options);
 			in6p->in6p_options = 0;
+		}
 		ip6_savecontrol(in6p, &in6p->in6p_options,
 			mtod(m, struct ip6_hdr *), m);
+	}
 #endif
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	/*
 	 * we make a copy of policy, instead of sharing the policy,
 	 * for better behavior in terms of SA lookup and dead SA removal.
 	 */
 	if (inp) {
 		/* copy old policy into new socket's */
 		if (ipsec_copy_pcbpolicy(sotoinpcb(oso)->inp_sp, inp->inp_sp))
 			printf("tcp_input: could not copy policy\n");
+	}
 #ifdef INET6
 	else if (in6p) {
 		/* copy old policy into new socket's */
 		if (ipsec_copy_pcbpolicy(sotoin6pcb(oso)->in6p_sp,

 @@ -1,14 +1,14 @@
-/*	$NetBSD: tcp_output.c,v 1.171 2011/04/14 16:08:53 yamt Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.172 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -125,27 +125,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)tcp_output.c	8.4 (Berkeley) 5/24/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.171 2011/04/14 16:08:53 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_output.c,v 1.172 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_tcp_debug.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/errno.h>
 @@ -172,44 +172,44 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_output.c
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/nd6.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
 #endif	/* FAST_IPSEC*/
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #endif
 #include <netinet/tcp.h>
 #define	TCPOUTFLAGS
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcp_private.h>
 #include <netinet/tcp_congctl.h>
 #include <netinet/tcpip.h>
 #include <netinet/tcp_debug.h>
 #include <netinet/in_offload.h>
 #include <netinet6/in6_offload.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netkey/key.h>
 #endif
 #ifdef notyet
 extern struct mbuf *m_copypack();
 #endif
 /*
  * Knob to enable Congestion Window Monitoring, and control
  * the burst size it allows.  Default burst is 4 packets, per
  * the Internet draft.
  */
 int	tcp_cwm = 0;
 @@ -347,45 +347,45 @@ tcp_segsize(struct tcpcb *tp, int *txseg
  out:
 	/*
 	 * Now we must make room for whatever extra TCP/IP options are in
 	 * the packet.
 	 */
 	optlen = tcp_optlen(tp);
 	/*
 	 * XXX tp->t_ourmss should have the right size, but without this code
 	 * fragmentation will occur... need more investigation
 	 */
 #ifdef INET
 	if (inp) {
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		if (! IPSEC_PCB_SKIP_IPSEC(inp->inp_sp, IPSEC_DIR_OUTBOUND))
 			optlen += ipsec4_hdrsiz_tcp(tp);
 #endif
 		optlen += ip_optlen(inp);
+	}
 #endif
 #ifdef INET6
 #ifdef INET
 	if (in6p && tp->t_family == AF_INET) {
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		if (! IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
 			optlen += ipsec4_hdrsiz_tcp(tp);
 #endif
 		/* XXX size -= ip_optlen(in6p); */
 	} else
 #endif
 	if (in6p && tp->t_family == AF_INET6) {
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		if (! IPSEC_PCB_SKIP_IPSEC(in6p->in6p_sp, IPSEC_DIR_OUTBOUND))
 			optlen += ipsec6_hdrsiz_tcp(tp);
 #endif
 		optlen += ip6_optlen(in6p);
+	}
 #endif
 	size -= optlen;
 	/* there may not be any room for data if mtu is too small */
 	if (size < 0)
 		return (EMSGSIZE);
 	/*
 @@ -623,36 +623,36 @@ tcp_output(struct tcpcb *tp)
 		return (EMSGSIZE);
 	idle = (tp->snd_max == tp->snd_una);
 	/*
 	 * Determine if we can use TCP segmentation offload:
 	 * - If we're using IPv4
 	 * - If there is not an IPsec policy that prevents it
 	 * - If the interface can do it
 	 */
 	has_tso4 = has_tso6 = false;
 #if defined(INET)
 	has_tso4 = tp->t_inpcb != NULL &&
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		  IPSEC_PCB_SKIP_IPSEC(tp->t_inpcb->inp_sp,
 		  		       IPSEC_DIR_OUTBOUND) &&
 #endif
 		  (rt = rtcache_validate(&tp->t_inpcb->inp_route)) != NULL &&
 		  (rt->rt_ifp->if_capenable & IFCAP_TSOv4) != 0;
 #endif /* defined(INET) */
 #if defined(INET6)
 	has_tso6 = tp->t_in6pcb != NULL &&
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		  IPSEC_PCB_SKIP_IPSEC(tp->t_in6pcb->in6p_sp,
 		  		       IPSEC_DIR_OUTBOUND) &&
 #endif
 		  (rt = rtcache_validate(&tp->t_in6pcb->in6p_route)) != NULL &&
 		  (rt->rt_ifp->if_capenable & IFCAP_TSOv6) != 0;
 #endif /* defined(INET6) */
 	has_tso = (has_tso4 || has_tso6) && !alwaysfrag;
 	/*
 	 * Restart Window computation.  From draft-floyd-incr-init-win-03:
+	 *
 	 *	Optionally, a TCP MAY set the restart window to the
 	 *	minimum of the value used for the initial window and

 @@ -1,14 +1,14 @@
-/*	$NetBSD: tcp_subr.c,v 1.244 2011/12/17 20:05:39 tls Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.245 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -81,27 +81,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)tcp_subr.c	8.2 (Berkeley) 5/24/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.244 2011/12/17 20:05:39 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v 1.245 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_tcp_compat_42.h"
 #include "opt_inet_csum.h"
 #include "opt_mbuftrace.h"
 #include <sys/param.h>
 #include <sys/proc.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 @@ -136,30 +136,30 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_subr.c,v
 #include <netinet6/nd6.h>
 #endif
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcp_vtw.h>
 #include <netinet/tcp_private.h>
 #include <netinet/tcp_congctl.h>
 #include <netinet/tcpip.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
  #include <netipsec/key.h>
 #endif	/* FAST_IPSEC*/
 struct	inpcbtable tcbtable;	/* head of queue of active tcpcb's */
 u_int32_t tcp_now;		/* slow ticks, for RFC 1323 timestamps */
 @@ -2299,27 +2299,27 @@ tcp_new_iss1(void *laddr, void *faddr, u
 	if (tcp_compat_42) {
 		/*
 		 * Limit it to the positive range for really old TCP
 		 * implementations.
 		 * Just AND off the top bit instead of checking if
 		 * is set first - saves a branch 50% of the time.
 		 */
 		tcp_iss &= 0x7fffffff;		/* XXX */
+	}
 	return (tcp_iss);
+}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 /* compute ESP/AH header size for TCP, including outer IP header. */
 size_t
 ipsec4_hdrsiz_tcp(struct tcpcb *tp)
+{
 	struct inpcb *inp;
 	size_t hdrsiz;
 	/* XXX mapped addr case (tp->t_in6pcb) */
 	if (!tp || !tp->t_template || !(inp = tp->t_inpcb))
 		return 0;
 	switch (tp->t_family) {
 	case AF_INET:
 		/* XXX: should use currect direction. */

 @@ -1,14 +1,14 @@
-/*	$NetBSD: tcp_usrreq.c,v 1.160 2011/06/06 19:15:43 dyoung Exp $	*/
+/*	$NetBSD: tcp_usrreq.c,v 1.161 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -85,27 +85,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)tcp_usrreq.c	8.5 (Berkeley) 6/21/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.160 2011/06/06 19:15:43 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c,v 1.161 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_tcp_debug.h"
 #include "opt_mbuftrace.h"
 #include "rnd.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 @@ -143,29 +143,29 @@ __KERNEL_RCSID(0, "$NetBSD: tcp_usrreq.c
 #include <netinet/tcp.h>
 #include <netinet/tcp_fsm.h>
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcp_private.h>
 #include <netinet/tcp_congctl.h>
 #include <netinet/tcpip.h>
 #include <netinet/tcp_debug.h>
 #include <netinet/tcp_vtw.h>
 #include "opt_tcp_space.h"
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
-#endif /*IPSEC*/
+#endif /*KAME_IPSEC*/
 /*
  * TCP protocol interface to socket abstraction.
  */
 /*
  * Process a TCP user request for TCP tb.  If this is a send request
  * then m is the mbuf chain of send data.  If this is a timer expiration
  * (called from the software clock routine), then timertype tells which timer.
  */
 /*ARGSUSED*/
 int
 tcp_usrreq(struct socket *so, int req,

 @@ -1,14 +1,14 @@
-/*	$NetBSD: udp_usrreq.c,v 1.183 2011/09/24 17:18:17 christos Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.184 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
 @@ -51,27 +51,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)udp_usrreq.c	8.6 (Berkeley) 5/23/95
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.183 2011/09/24 17:18:17 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.184 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_compat_netbsd.h"
 #include "opt_ipsec.h"
 #include "opt_inet_csum.h"
 #include "opt_ipkdb.h"
 #include "opt_mbuftrace.h"
 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 @@ -119,32 +119,32 @@ __KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c
 #include <net/if_faith.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec_var.h>
 #include <netipsec/ipsec_private.h>
 #include <netipsec/esp.h>
 #ifdef INET6
 #include <netipsec/ipsec6.h>
 #endif
 #endif	/* FAST_IPSEC */
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netinet6/esp.h>
 #include <netkey/key.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef COMPAT_50
 #include <compat/sys/socket.h>
 #endif
 #ifdef IPKDB
 #include <ipkdb/ipkdb.h>
 #endif
 /*
  * UDP protocol implementation.
  * Per RFC 768, August, 1980.
  */
 @@ -624,27 +624,27 @@ udp4_sendup(struct mbuf *m, int off /* o
 		return;
 	switch (so->so_proto->pr_domain->dom_family) {
 	case AF_INET:
 		inp = sotoinpcb(so);
 		break;
 #ifdef INET6
 	case AF_INET6:
 		break;
 #endif
 	default:
 		return;
+	}
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	/* check AH/ESP integrity. */
 	if (so != NULL && ipsec4_in_reject_so(m, so)) {
 		IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 		if ((n = m_copypacket(m, M_DONTWAIT)) != NULL)
 			icmp_error(n, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT,
 , 0);
 		return;
+	}
 #endif /*IPSEC*/
 	if ((n = m_copypacket(m, M_DONTWAIT)) != NULL) {
 		if (inp && (inp->inp_flags & INP_CONTROLOPTS
 #ifdef SO_OTIMESTAMP
 @@ -674,27 +674,27 @@ static void
 udp6_sendup(struct mbuf *m, int off /* offset of data portion */,
 	struct sockaddr *src, struct socket *so)
+{
 	struct mbuf *opts = NULL;
 	struct mbuf *n;
 	struct in6pcb *in6p = NULL;
 	if (!so)
 		return;
 	if (so->so_proto->pr_domain->dom_family != AF_INET6)
 		return;
 	in6p = sotoin6pcb(so);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	/* check AH/ESP integrity. */
 	if (so != NULL && ipsec6_in_reject_so(m, so)) {
 		IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 		if ((n = m_copypacket(m, M_DONTWAIT)) != NULL)
 			icmp6_error(n, ICMP6_DST_UNREACH,
 			    ICMP6_DST_UNREACH_ADMIN, 0);
 		return;
+	}
 #endif /*IPSEC*/
 	if ((n = m_copypacket(m, M_DONTWAIT)) != NULL) {
 		if (in6p && (in6p->in6p_flags & IN6P_CONTROLOPTS
 #ifdef SO_OTIMESTAMP

 @@ -1,14 +1,14 @@
-/*	$NetBSD: icmp6.c,v 1.157 2011/08/31 18:31:03 plunky Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.158 2011/12/19 11:59:57 drochner Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_icmp.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.157 2011/08/31 18:31:03 plunky Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.158 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 @@ -89,27 +89,27 @@ __KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.
 #include <netinet/in_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet/icmp6.h>
 #include <netinet6/icmp6_private.h>
 #include <netinet6/mld6_var.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/nd6.h>
 #include <netinet6/in6_ifattach.h>
 #include <netinet6/ip6protosw.h>
 #include <netinet6/scope6_var.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif
 #include "faith.h"
 #if defined(NFAITH) && 0 < NFAITH
 #include <net/if_faith.h>
 @@ -2312,27 +2312,27 @@ icmp6_redirect_input(struct mbuf *m, int
 		if (newrt) {
 			(void)rt_timer_add(newrt, icmp6_redirect_timeout,
 			    icmp6_redirect_timeout_q);
 			rtfree(newrt);
+		}
+	}
 	/* finally update cached route in each socket via pfctlinput */
+	{
 		struct sockaddr_in6 sdst;
 		sockaddr_in6_init(&sdst, &reddst6, 0, 0, 0);
 		pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		key_sa_routechange((struct sockaddr *)&sdst);
 #endif
+	}
  freeit:
 	m_freem(m);
 	return;
  bad:
 	ICMP6_STATINC(ICMP6_STAT_BADREDIRECT);
 	m_freem(m);
+}

 @@ -1,14 +1,14 @@
-/*	$NetBSD: in6_pcb.c,v 1.116 2011/09/24 17:22:14 christos Exp $	*/
+/*	$NetBSD: in6_pcb.c,v 1.117 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)in_pcb.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.116 2011/09/24 17:22:14 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.117 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/ioctl.h>
 #include <sys/errno.h>
 @@ -89,30 +89,30 @@ __KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v
 #include <netinet/in_var.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #include <netinet/in_pcb.h>
 #include <netinet/ip6.h>
 #include <netinet/rfc6056.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/scope6_var.h>
 #include <netinet6/nd6.h>
 #include "faith.h"
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #endif /* FAST_IPSEC */
 #include <netinet/tcp_vtw.h>
 const struct in6_addr zeroin6_addr;
 #define	IN6PCBHASH_PORT(table, lport) \
 	&(table)->inpt_porthashtbl[ntohs(lport) & (table)->inpt_porthash]
 @@ -152,44 +152,44 @@ in6_pcbinit(struct inpcbtable *table, in
 	in_pcbinit(table, bindhashsize, connecthashsize);
 	table->inpt_lastport = (u_int16_t)ip6_anonportmax;
 	RUN_ONCE(&control, in6pcb_poolinit);
+}
 int
 in6_pcballoc(struct socket *so, void *v)
+{
 	struct inpcbtable *table = v;
 	struct in6pcb *in6p;
 	int s;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	int error;
 #endif
 	s = splnet();
 	in6p = pool_get(&in6pcb_pool, PR_NOWAIT);
 	splx(s);
 	if (in6p == NULL)
 		return (ENOBUFS);
 	memset((void *)in6p, 0, sizeof(*in6p));
 	in6p->in6p_af = AF_INET6;
 	in6p->in6p_table = table;
 	in6p->in6p_socket = so;
 	in6p->in6p_hops = -1;	/* use kernel default */
 	in6p->in6p_icmp6filt = NULL;
 	in6p->in6p_rfc6056algo = RFC6056_ALGO_DEFAULT;
 	in6p->in6p_bindportonsend = false;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	error = ipsec_init_pcbpolicy(so, &in6p->in6p_sp);
 	if (error != 0) {
 		s = splnet();
 		pool_put(&in6pcb_pool, in6p);
 		splx(s);
 		return error;
+	}
 #endif /* IPSEC */
 	s = splnet();
 	CIRCLEQ_INSERT_HEAD(&table->inpt_queue, (struct inpcb_hdr*)in6p,
 	    inph_queue);
 	LIST_INSERT_HEAD(IN6PCBHASH_PORT(table, in6p->in6p_lport),
 	    &in6p->in6p_head, inph_lhash);
 @@ -557,57 +557,57 @@ in6_pcbconnect(void *v, struct mbuf *nam
 		    in6p->in6p_socket->so_proto->pr_domain->dom_sa_any);
 		lsin.sin6_addr = in6p->in6p_laddr;
 		lsin.sin6_port = 0;
                if ((error = in6_pcbbind_port(in6p, &lsin, l)) != 0)
                        return error;
+	}
 	in6_pcbstate(in6p, IN6P_CONNECTED);
 	in6p->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
 	if (ip6_auto_flowlabel)
 		in6p->in6p_flowinfo |=
 		    (htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	if (in6p->in6p_socket->so_type == SOCK_STREAM)
 		ipsec_pcbconn(in6p->in6p_sp);
 #endif
 	return (0);
+}
 void
 in6_pcbdisconnect(struct in6pcb *in6p)
+{
 	memset((void *)&in6p->in6p_faddr, 0, sizeof(in6p->in6p_faddr));
 	in6p->in6p_fport = 0;
 	in6_pcbstate(in6p, IN6P_BOUND);
 	in6p->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	ipsec_pcbdisconn(in6p->in6p_sp);
 #endif
 	if (in6p->in6p_socket->so_state & SS_NOFDREF)
 		in6_pcbdetach(in6p);
+}
 void
 in6_pcbdetach(struct in6pcb *in6p)
+{
 	struct socket *so = in6p->in6p_socket;
 	int s;
 	if (in6p->in6p_af != AF_INET6)
 		return;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 	ipsec6_delete_pcbpolicy(in6p);
 #endif /* IPSEC */
 	so->so_pcb = 0;
 	if (in6p->in6p_options)
 		m_freem(in6p->in6p_options);
 	if (in6p->in6p_outputopts != NULL) {
 		ip6_clearpktopts(in6p->in6p_outputopts, -1);
 		free(in6p->in6p_outputopts, M_IP6OPT);
+	}
 	rtcache_free(&in6p->in6p_route);
 	ip6_freemoptions(in6p->in6p_moptions);
 	s = splnet();
 	in6_pcbstate(in6p, IN6P_ATTACHED);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: in6_proto.c,v 1.93 2011/09/24 17:22:14 christos Exp $	*/
+/*	$NetBSD: in6_proto.c,v 1.94 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)in_proto.c	8.1 (Berkeley) 6/10/93
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.93 2011/09/24 17:22:14 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.94 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_gateway.h"
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_iso.h"
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <sys/protosw.h>
 #include <sys/kernel.h>
 #include <sys/domain.h>
 #include <sys/mbuf.h>
 @@ -97,34 +97,34 @@ __KERNEL_RCSID(0, "$NetBSD: in6_proto.c,
 #include <netinet/tcp_seq.h>
 #include <netinet/tcp_timer.h>
 #include <netinet/tcp_var.h>
 #include <netinet/tcpip.h>
 #include <netinet/tcp_debug.h>
 #include <netinet6/udp6.h>
 #include <netinet6/udp6_var.h>
 #include <netinet6/pim6_var.h>
 #include <netinet6/nd6.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ah.h>
 #ifdef IPSEC_ESP
 #include <netinet6/esp.h>
 #endif
 #include <netinet6/ipcomp.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #endif /* FAST_IPSEC */
 #include "carp.h"
 #if NCARP > 0
 #include <netinet/ip_carp.h>
 #endif
 @@ -167,33 +167,33 @@ PR_WRAP_CTLINPUT(tcp6_ctlinput)
 #define	udp6_ctlinput	udp6_ctlinput_wrapper
 #define	tcp6_ctlinput	tcp6_ctlinput_wrapper
 PR_WRAP_CTLOUTPUT(rip6_ctloutput)
 PR_WRAP_CTLOUTPUT(tcp_ctloutput)
 PR_WRAP_CTLOUTPUT(udp6_ctloutput)
 PR_WRAP_CTLOUTPUT(icmp6_ctloutput)
 #define	rip6_ctloutput	rip6_ctloutput_wrapper
 #define	tcp_ctloutput	tcp_ctloutput_wrapper
 #define	udp6_ctloutput	udp6_ctloutput_wrapper
 #define	icmp6_ctloutput	icmp6_ctloutput_wrapper
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 PR_WRAP_CTLINPUT(ah6_ctlinput)
 #define	ah6_ctlinput	ah6_ctlinput_wrapper
 #endif
-#if (defined(IPSEC) && defined(IPSEC_ESP)) || defined(FAST_IPSEC)
+#if (defined(KAME_IPSEC) && defined(IPSEC_ESP)) || defined(FAST_IPSEC)
 PR_WRAP_CTLINPUT(esp6_ctlinput)
 #define	esp6_ctlinput	esp6_ctlinput_wrapper
 #endif
 const struct ip6protosw inet6sw[] = {
 {	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_IPV6,
 	.pr_init = ip6_init,
 	.pr_fasttimo = frag6_fasttimo,
 	.pr_slowtimo = frag6_slowtimo,
 	.pr_drain = frag6_drainstub,
 },
 @@ -258,53 +258,53 @@ const struct ip6protosw inet6sw[] = {
 },
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_ROUTING,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = route6_input,
 },
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_FRAGMENT,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = frag6_input,
 },
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_AH,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ah6_input,
 	.pr_ctlinput = ah6_ctlinput,
 	.pr_init = ah6_init,
 },
 #ifdef IPSEC_ESP
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_ESP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = esp6_input,
 	.pr_ctlinput = esp6_ctlinput,
 	.pr_init = esp6_init,
 },
 #endif
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_IPCOMP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipcomp6_input,
 	.pr_init = ipcomp6_init,
 },
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_AH,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipsec6_common_input,
 	.pr_ctlinput = ah6_ctlinput,
 },
 {	.pr_type = SOCK_RAW,
 	.pr_domain = &inet6domain,
 	.pr_protocol = IPPROTO_ESP,
 	.pr_flags = PR_ATOMIC|PR_ADDR,
 	.pr_input = ipsec6_common_input,

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip6_forward.c,v 1.68 2010/02/04 21:48:35 joerg Exp $	*/
+/*	$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.68 2010/02/04 21:48:35 joerg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.69 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_gateway.h"
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/errno.h>
 @@ -52,31 +52,31 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_forward.
 #include <net/if.h>
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet/ip_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet6/scope6_var.h>
 #include <netinet/icmp6.h>
 #include <netinet6/nd6.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netkey/key.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #include <netipsec/xform.h>
 #endif /* FAST_IPSEC */
 #ifdef PFIL_HOOKS
 #include <net/pfil.h>
 #endif
 #include <net/net_osdep.h>
 @@ -101,55 +101,55 @@ extern struct pfil_head inet6_pfil_hook;
  */
 void
 ip6_forward(struct mbuf *m, int srcrt)
+{
 	struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
 	const struct sockaddr_in6 *dst;
 	struct rtentry *rt;
 	int error = 0, type = 0, code = 0;
 	struct mbuf *mcopy = NULL;
 	struct ifnet *origifp;	/* maybe unnecessary */
 	u_int32_t inzone, outzone;
 	struct in6_addr src_in6, dst_in6;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	struct secpolicy *sp = NULL;
 	int ipsecrt = 0;
 #endif
 #ifdef FAST_IPSEC
     struct secpolicy *sp = NULL;
     int needipsec = 0;
     int s;
 #endif
 	/*
 	 * Clear any in-bound checksum flags for this packet.
 	 */
 	m->m_pkthdr.csum_flags = 0;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/*
 	 * Check AH/ESP integrity.
 	 */
 	/*
 	 * Don't increment ip6s_cantforward because this is the check
 	 * before forwarding packet actually.
 	 */
 	if (ipsec6_in_reject(m, NULL)) {
 		IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 		m_freem(m);
 		return;
+	}
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 	/*
 	 * Do not forward packets to multicast destination (should be handled
 	 * by ip6_mforward().
 	 * Do not forward packets with unspecified source.  It was discussed
 	 * in July 2000, on ipngwg mailing list.
 	 */
 	if ((m->m_flags & (M_BCAST|M_MCAST)) != 0 ||
 	    IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst) ||
 	    IN6_IS_ADDR_UNSPECIFIED(&ip6->ip6_src)) {
 		IP6_STATINC(IP6_STAT_CANTFORWARD);
 		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard) */
 		if (ip6_log_time + ip6_log_interval < time_second) {
 @@ -175,27 +175,27 @@ ip6_forward(struct mbuf *m, int srcrt)
 	ip6->ip6_hlim -= IPV6_HLIMDEC;
 	/*
 	 * Save at most ICMPV6_PLD_MAXLEN (= the min IPv6 MTU -
 	 * size of IPv6 + ICMPv6 headers) bytes of the packet in case
 	 * we need to generate an ICMP6 message to the src.
 	 * Thanks to M_EXT, in most cases copy will not occur.
+	 *
 	 * It is important to save it before IPsec processing as IPsec
 	 * processing may modify the mbuf.
 	 */
 	mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/* get a security policy for this packet */
 	sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
 	    IP_FORWARDING, &error);
 	if (sp == NULL) {
 		IPSEC6_STATINC(IPSEC_STAT_OUT_INVAL);
 		IP6_STATINC(IP6_STAT_CANTFORWARD);
 		if (mcopy) {
 #if 0
 			/* XXX: what icmp ? */
 #else
 			m_freem(mcopy);
 #endif
+		}
 @@ -339,27 +339,27 @@ ip6_forward(struct mbuf *m, int srcrt)
 		    NULL);
 		goto freecopy;
+	}
 	/* adjust pointer */
 	rt = state.ro ? rtcache_validate(state.ro) : NULL;
 	dst = (const struct sockaddr_in6 *)state.dst;
 	if (dst != NULL && rt != NULL) {
 		ipsecrt = 1;
 		goto skip_routing;
+	}
+    }
     skip_ipsec:
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	/* Check the security policy (SP) for the packet */
 	sp = ipsec6_check_policy(m,NULL,0,&needipsec,&error);
 	if (error != 0) {
 		/*
 		 * Hack: -EINVAL is used to signal that a packet
 		 * should be silently discarded.  This is typically
 		 * because we asked key management for an SA and
 		 * it was delayed (e.g. kicked up to IKE).
 		 */
 	if (error == -EINVAL)
 		error = 0;
 @@ -390,29 +390,29 @@ ip6_forward(struct mbuf *m, int srcrt)
 		 * rtcache_getdst(ip6_forward_rt)->sin6_addr was equal to
 		 * ip6->ip6_dst
 		 */
 		IP6_STATINC(IP6_STAT_NOROUTE);
 		/* XXX in6_ifstat_inc(rt->rt_ifp, ifs6_in_noroute) */
 		if (mcopy) {
 			icmp6_error(mcopy, ICMP6_DST_UNREACH,
 			    ICMP6_DST_UNREACH_NOROUTE, 0);
+		}
 		m_freem(m);
 		return;
+	}
 	dst = satocsin6(rtcache_getdst(&ip6_forward_rt));
-#ifdef IPSEC
+#ifdef KAME_IPSEC
     skip_routing:;
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 	/*
 	 * Source scope check: if a packet can't be delivered to its
 	 * destination for the reason that the destination is beyond the scope
 	 * of the source address, discard the packet and return an icmp6
 	 * destination unreachable error with Code 2 (beyond scope of source
 	 * address).  We use a local copy of ip6_src, since in6_setscope()
 	 * will possibly modify its first argument.
 	 * [draft-ietf-ipngwg-icmp-v3-07, Section 3.1]
 	 */
 	src_in6 = ip6->ip6_src;
 	if (in6_setscope(&src_in6, rt->rt_ifp, &outzone)) {
 		/* XXX: this should not happen */
 @@ -422,27 +422,27 @@ ip6_forward(struct mbuf *m, int srcrt)
 		IP6_STAT_PUTREF();
 		m_freem(m);
 		return;
+	}
 	if (in6_setscope(&src_in6, m->m_pkthdr.rcvif, &inzone)) {
 		uint64_t *ip6s = IP6_STAT_GETREF();
 		ip6s[IP6_STAT_CANTFORWARD]++;
 		ip6s[IP6_STAT_BADSCOPE]++;
 		IP6_STAT_PUTREF();
 		m_freem(m);
 		return;
+	}
 	if (inzone != outzone
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	    && !ipsecrt
 #endif
 	    ) {
 		uint64_t *ip6s = IP6_STAT_GETREF();
 		ip6s[IP6_STAT_CANTFORWARD]++;
 		ip6s[IP6_STAT_BADSCOPE]++;
 		IP6_STAT_PUTREF();
 		in6_ifstat_inc(rt->rt_ifp, ifs6_in_discard);
 		if (ip6_log_time + ip6_log_interval < time_second) {
 			ip6_log_time = time_second;
 			log(LOG_DEBUG,
 			    "cannot forward "
 @@ -487,34 +487,34 @@ ip6_forward(struct mbuf *m, int srcrt)
 	    inzone != outzone) {
 		uint64_t *ip6s = IP6_STAT_GETREF();
 		ip6s[IP6_STAT_CANTFORWARD]++;
 		ip6s[IP6_STAT_BADSCOPE]++;
 		IP6_STAT_PUTREF();
 		m_freem(m);
 		return;
+	}
 	if (m->m_pkthdr.len > IN6_LINKMTU(rt->rt_ifp)) {
 		in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
 		if (mcopy) {
 			u_long mtu;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 			struct secpolicy *xsp;
 			int ipsecerror;
 			size_t ipsechdrsiz;
 #endif
 			mtu = IN6_LINKMTU(rt->rt_ifp);
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 			/*
 			 * When we do IPsec tunnel ingress, we need to play
 			 * with the link value (decrement IPsec header size
 			 * from mtu value).  The code is much simpler than v4
 			 * case, as we have the outgoing interface for
 			 * encapsulated packet as "rt->rt_ifp".
 			 */
 			xsp = ipsec6_getpolicybyaddr(mcopy, IPSEC_DIR_OUTBOUND,
 				IP_FORWARDING, &ipsecerror);
 			if (xsp) {
 				ipsechdrsiz = ipsec6_hdrsiz(mcopy,
 					IPSEC_DIR_OUTBOUND, NULL);
 				if (ipsechdrsiz < mtu)
 @@ -537,27 +537,27 @@ ip6_forward(struct mbuf *m, int srcrt)
 	if (rt->rt_flags & RTF_GATEWAY)
 		dst = (struct sockaddr_in6 *)rt->rt_gateway;
 	/*
 	 * If we are to forward the packet using the same interface
 	 * as one we got the packet from, perhaps we should send a redirect
 	 * to sender to shortcut a hop.
 	 * Only send redirect if source is sending directly to us,
 	 * and if packet was not source routed (or has any options).
 	 * Also, don't send redirect if forwarding using a route
 	 * modified by a redirect.
 	 */
 	if (rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt && ip6_sendredirects &&
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	    !ipsecrt &&
 #endif
 	    (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
 		if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) &&
 		    nd6_is_addr_neighbor(
 		        satocsin6(rtcache_getdst(&ip6_forward_rt)),
 			rt->rt_ifp)) {
 			/*
 			 * If the incoming interface is equal to the outgoing
 			 * one, the link attached to the interface is
 			 * point-to-point, and the IPv6 destination is
 			 * regarded as on-link on the link, then it will be
 			 * highly probable that the destination address does

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip6_input.c,v 1.133 2011/11/19 22:51:29 tls Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_input.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.133 2011/11/19 22:51:29 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.134 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_gateway.h"
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
 #include "opt_compat_netbsd.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 @@ -102,27 +102,27 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,
 #include <netinet/ip.h>
 #include <netinet/ip_icmp.h>
 #endif /* INET */
 #include <netinet/ip6.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet/icmp6.h>
 #include <netinet6/scope6_var.h>
 #include <netinet6/in6_ifattach.h>
 #include <netinet6/nd6.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #endif /* FAST_IPSEC */
 #ifdef COMPAT_50
 #include <compat/sys/time.h>
 #include <compat/sys/socket.h>
 @@ -269,27 +269,27 @@ ip6_input(struct mbuf *m)
 	int srcrt = 0;
 	const struct rtentry *rt;
 	union {
 		struct sockaddr		dst;
 		struct sockaddr_in6	dst6;
 	} u;
 #ifdef FAST_IPSEC
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
 	int s, error;
 #endif
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/*
 	 * should the inner packet be considered authentic?
 	 * see comment in ah4_input().
 	 */
 	m->m_flags &= ~M_AUTHIPHDR;
 	m->m_flags &= ~M_AUTHIPDGM;
 #endif
 	/*
 	 * make sure we don't have onion peering information into m_tag.
 	 */
 	ip6_delaux(m);
 @@ -341,50 +341,50 @@ ip6_input(struct mbuf *m)
 			in6_ifstat_inc(inifp, ifs6_in_hdrerr);
 			return;
+		}
+	}
 	ip6 = mtod(m, struct ip6_hdr *);
 	if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
 		IP6_STATINC(IP6_STAT_BADVERS);
 		in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_hdrerr);
 		goto bad;
+	}
-#if defined(IPSEC)
+#if defined(KAME_IPSEC)
 	/* IPv6 fast forwarding is not compatible with IPsec. */
 	m->m_flags &= ~M_CANFASTFWD;
 #else
 	/*
 	 * Assume that we can create a fast-forward IP flow entry
 	 * based on this packet.
 	 */
 	m->m_flags |= M_CANFASTFWD;
 #endif
 #ifdef PFIL_HOOKS
 	/*
 	 * Run through list of hooks for input packets.  If there are any
 	 * filters which require that additional packets in the flow are
 	 * not fast-forwarded, they must clear the M_CANFASTFWD flag.
 	 * Note that filters must _never_ set this flag, as another filter
 	 * in the list may have previously cleared it.
 	 */
 	/*
 	 * let ipfilter look at packet on the wire,
 	 * not the decapsulated packet.
 	 */
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (!ipsec_getnhist(m))
 #elif defined(FAST_IPSEC)
 	if (!ipsec_indone(m))
 #else
 	if (1)
 #endif
+	{
 		struct in6_addr odst;
 		odst = ip6->ip6_dst;
 		if (pfil_run_hooks(&inet6_pfil_hook, &m, m->m_pkthdr.rcvif,
 				   PFIL_IN) != 0)
 			return;
 @@ -775,27 +775,27 @@ ip6_input(struct mbuf *m)
 			in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
 			goto bad;
+		}
 		if (nxt == IPPROTO_ROUTING) {
 			if (rh_present++) {
 				in6_ifstat_inc(m->m_pkthdr.rcvif,
 				    ifs6_in_hdrerr);
 				IP6_STATINC(IP6_STAT_BADOPTIONS);
 				goto bad;
+			}
+		}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 		/*
 		 * enforce IPsec policy checking if we are seeing last header.
 		 * note that we do not visit this with protocols with pcb layer
 		 * code - like udp/tcp/raw ip.
 		 */
 		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
 		    ipsec6_in_reject(m, NULL)) {
 			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto bad;
+		}
 #endif
 #ifdef FAST_IPSEC
 	/*

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip6_output.c,v 1.140 2011/04/25 22:20:59 yamt Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.141 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)ip_output.c	8.3 (Berkeley) 1/21/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.140 2011/04/25 22:20:59 yamt Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.141 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 #include "opt_pfil_hooks.h"
 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/errno.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 @@ -89,31 +89,31 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_output.c
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet/ip6.h>
 #include <netinet/icmp6.h>
 #include <netinet/in_offload.h>
 #include <netinet6/in6_offload.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/nd6.h>
 #include <netinet6/ip6protosw.h>
 #include <netinet6/scope6_var.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
 #include <netkey/key.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
 #include <netipsec/xform.h>
 #endif
 #include <net/net_osdep.h>
 #ifdef PFIL_HOOKS
 extern struct pfil_head inet6_pfil_hook;	/* XXX */
 @@ -179,32 +179,32 @@ ip6_output(
 	const struct sockaddr_in6 *dst = NULL;
 	struct sockaddr_in6 src_sa, dst_sa;
 	int error = 0;
 	struct in6_ifaddr *ia = NULL;
 	u_long mtu;
 	int alwaysfrag, dontfrag;
 	u_int32_t optlen = 0, plen = 0, unfragpartlen = 0;
 	struct ip6_exthdrs exthdrs;
 	struct in6_addr finaldst, src0, dst0;
 	u_int32_t zone;
 	struct route *ro_pmtu = NULL;
 	int hdrsplit = 0;
 	int needipsec = 0;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	int needipsectun = 0;
 	struct secpolicy *sp = NULL;
 	ip6 = mtod(m, struct ip6_hdr *);
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	struct secpolicy *sp = NULL;
 	int s;
 #endif
 	memset(&ip6route, 0, sizeof(ip6route));
 #ifdef  DIAGNOSTIC
 	if ((m->m_flags & M_PKTHDR) == 0)
 		panic("ip6_output: no HDR");
 	if ((m->m_pkthdr.csum_flags &
 	    (M_CSUM_TCPv4|M_CSUM_UDPv4|M_CSUM_TSOv4)) != 0) {
 @@ -234,27 +234,27 @@ ip6_output(
 	memset(&exthdrs, 0, sizeof(exthdrs));
 	if (opt) {
 		/* Hop-by-Hop options header */
 		MAKE_EXTHDR(opt->ip6po_hbh, &exthdrs.ip6e_hbh);
 		/* Destination options header(1st part) */
 		MAKE_EXTHDR(opt->ip6po_dest1, &exthdrs.ip6e_dest1);
 		/* Routing header */
 		MAKE_EXTHDR(opt->ip6po_rthdr, &exthdrs.ip6e_rthdr);
 		/* Destination options header(2nd part) */
 		MAKE_EXTHDR(opt->ip6po_dest2, &exthdrs.ip6e_dest2);
+	}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if ((flags & IPV6_FORWARDING) != 0) {
 		needipsec = 0;
 		goto skippolicycheck;
+	}
 	/* get a security policy for this packet */
 	if (so == NULL)
 		sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
 	else {
 		if (IPSEC_PCB_SKIP_IPSEC(sotoinpcb_hdr(so)->inph_sp,
 					 IPSEC_DIR_OUTBOUND)) {
 			needipsec = 0;
 			goto skippolicycheck;
 @@ -290,27 +290,27 @@ ip6_output(
 			printf("ip6_output: No IPsec request specified.\n");
 			error = EINVAL;
 			goto freehdrs;
+		}
 		needipsec = 1;
 		break;
 	case IPSEC_POLICY_ENTRUST:
 	default:
 		printf("ip6_output: Invalid policy found. %d\n", sp->policy);
+	}
   skippolicycheck:;
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 	/*
 	 * Calculate the total length of the extension header chain.
 	 * Keep the length of the unfragmentable part for fragmentation.
 	 */
 	optlen = 0;
 	if (exthdrs.ip6e_hbh) optlen += exthdrs.ip6e_hbh->m_len;
 	if (exthdrs.ip6e_dest1) optlen += exthdrs.ip6e_dest1->m_len;
 	if (exthdrs.ip6e_rthdr) optlen += exthdrs.ip6e_rthdr->m_len;
 	unfragpartlen = optlen + sizeof(struct ip6_hdr);
 	/* NOTE: we don't add AH/ESP length here. do that later. */
 	if (exthdrs.ip6e_dest2) optlen += exthdrs.ip6e_dest2->m_len;
 @@ -430,27 +430,27 @@ ip6_output(
 		 * result: IPv6 hbh dest1 rthdr dest2 payload
 		 * m will point to IPv6 header.  mprev will point to the
 		 * extension header prior to dest2 (rthdr in the above case).
 		 */
 		MAKE_CHAIN(exthdrs.ip6e_hbh, mprev, nexthdrp, IPPROTO_HOPOPTS);
 		MAKE_CHAIN(exthdrs.ip6e_dest1, mprev, nexthdrp,
 		    IPPROTO_DSTOPTS);
 		MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
 		    IPPROTO_ROUTING);
 		M_CSUM_DATA_IPv6_HL_SET(m->m_pkthdr.csum_data,
 		    sizeof(struct ip6_hdr) + optlen);
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 		if (!needipsec)
 			goto skip_ipsec2;
 		/*
 		 * pointers after IPsec headers are not valid any more.
 		 * other pointers need a great care too.
 		 * (IPsec routines should not mangle mbufs prior to AH/ESP)
 		 */
 		exthdrs.ip6e_dest2 = NULL;
+	    {
 		struct ip6_rthdr *rh = NULL;
 		int segleft_org = 0;
 @@ -586,27 +586,27 @@ skip_ipsec2:;
 			ip6->ip6_flow |= htonl((opt->ip6po_tclass & mask) << 20);
+	}
 	/* fill in or override the hop limit field, if necessary. */
 	if (opt && opt->ip6po_hlim != -1)
 		ip6->ip6_hlim = opt->ip6po_hlim & 0xff;
 	else if (IN6_IS_ADDR_MULTICAST(&ip6->ip6_dst)) {
 		if (im6o != NULL)
 			ip6->ip6_hlim = im6o->im6o_multicast_hlim;
 		else
 			ip6->ip6_hlim = ip6_defmcasthlim;
+	}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (needipsec && needipsectun) {
 		struct ipsec_output_state state;
 		/*
 		 * All the extension headers will become inaccessible
 		 * (since they can be encrypted).
 		 * Don't panic, we need no more updates to extension headers
 		 * on inner IPv6 packet (since they are now encapsulated).
+		 *
 		 * IPv6 [ESP|AH] IPv6 [extension headers] payload
 		 */
 		memset(&exthdrs, 0, sizeof(exthdrs));
 		exthdrs.ip6e_ip6 = m;
 @@ -635,27 +635,27 @@ skip_ipsec2:;
 			default:
 				printf("ip6_output (ipsec): error code %d\n", error);
 				/* FALLTHROUGH */
 			case ENOENT:
 				/* don't show these error codes to the user */
 				error = 0;
 				break;
+			}
 			goto bad;
+		}
 		exthdrs.ip6e_ip6 = m;
+	}
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	if (needipsec) {
 		s = splsoftnet();
 		error = ipsec6_process_packet(m,sp->req);
 		/*
 		 * Preserve KAME behaviour: ENOENT can be returned
 		 * when an SA acquire is in progress.  Don't propagate
 		 * this to user-level; it confuses applications.
 		 * XXX this will go away when the SADB is redone.
 		 */
 		if (error == ENOENT)
 			error = 0;
 @@ -807,27 +807,27 @@ skip_ipsec2:;
+	}
 	/*
 	 * Fill the outgoing inteface to tell the upper layer
 	 * to increment per-interface statistics.
 	 */
 	if (ifpp)
 		*ifpp = ifp;
 	/* Determine path MTU. */
 	if ((error = ip6_getpmtu(ro_pmtu, ro, ifp, &finaldst, &mtu,
 	    &alwaysfrag)) != 0)
 		goto bad;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (needipsectun)
 		mtu = IPV6_MMTU;
 #endif
 	/*
 	 * The caller of this function may specify to use the minimum MTU
 	 * in some cases.
 	 * An advanced API option (IPV6_USE_MIN_MTU) can also override MTU
 	 * setting.  The logic is a bit complicated; by default, unicast
 	 * packets will follow path MTU while multicast packets will be sent at
 	 * the minimum MTU.  If IP6PO_MINMTU_ALL is specified, all packets
 	 * including unicast ones will be sent at the minimum MTU.  Multicast
 	 * packets will always be sent at the minimum MTU unless
 @@ -949,27 +949,27 @@ skip_ipsec2:;
 	 * transmit packet without fragmentation
 	 */
 	if (dontfrag || (!alwaysfrag && (tlen <= mtu || tso))) {
 		/* case 1-a and 2-a */
 		struct in6_ifaddr *ia6;
 		int sw_csum;
 		ip6 = mtod(m, struct ip6_hdr *);
 		ia6 = in6_ifawithifp(ifp, &ip6->ip6_src);
 		if (ia6) {
 			/* Record statistics for this interface address. */
 			ia6->ia_ifa.ifa_data.ifad_outbytes += m->m_pkthdr.len;
+		}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 		/* clean ipsec history once it goes out of the node */
 		ipsec_delaux(m);
 #endif
 		sw_csum = m->m_pkthdr.csum_flags & ~ifp->if_csum_flags_tx;
 		if ((sw_csum & (M_CSUM_UDPv6|M_CSUM_TCPv6)) != 0) {
 			if (IN6_NEED_CHECKSUM(ifp,
 			    sw_csum & (M_CSUM_UDPv6|M_CSUM_TCPv6))) {
 				in6_delayed_cksum(m);
+			}
 			m->m_pkthdr.csum_flags &= ~(M_CSUM_UDPv6|M_CSUM_TCPv6);
+		}
 @@ -1143,46 +1143,46 @@ sendorfree:
 		m->m_nextpkt = 0;
 		if (error == 0) {
 			struct in6_ifaddr *ia6;
 			ip6 = mtod(m, struct ip6_hdr *);
 			ia6 = in6_ifawithifp(ifp, &ip6->ip6_src);
 			if (ia6) {
 				/*
 				 * Record statistics for this interface
 				 * address.
 				 */
 				ia6->ia_ifa.ifa_data.ifad_outbytes +=
 				    m->m_pkthdr.len;
+			}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 			/* clean ipsec history once it goes out of the node */
 			ipsec_delaux(m);
 #endif
 			KASSERT(dst != NULL);
 			error = nd6_output(ifp, origifp, m, dst, rt);
 		} else
 			m_freem(m);
+	}
 	if (error == 0)
 		IP6_STATINC(IP6_STAT_FRAGMENTED);
 done:
 	rtcache_free(&ip6route);
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	if (sp != NULL)
 		key_freesp(sp);
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	if (sp != NULL)
 		KEY_FREESP(&sp);
 #endif /* FAST_IPSEC */
 	return (error);
 freehdrs:
 	m_freem(exthdrs.ip6e_hbh);	/* m_freem will check if mbuf is 0 */
 	m_freem(exthdrs.ip6e_dest1);
 	m_freem(exthdrs.ip6e_rthdr);
 	m_freem(exthdrs.ip6e_dest2);
 @@ -1822,27 +1822,27 @@ else 					\
 			case IPV6_PORTRANGE_LOW:
 				in6p->in6p_flags &= ~(IN6P_HIGHPORT);
 				in6p->in6p_flags |= IN6P_LOWPORT;
 				break;
 			default:
 				error = EINVAL;
 				break;
+			}
 			break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		case IPV6_IPSEC_POLICY:
 			error = ipsec6_set_policy(in6p, optname,
 			    sopt->sopt_data, sopt->sopt_size, kauth_cred_get());
 			break;
 #endif /* IPSEC */
 		default:
 			error = ENOPROTOOPT;
 			break;
+		}
 		break;
 	case PRCO_GETOPT:
 @@ -2006,27 +2006,27 @@ else 					\
 		case IPV6_USE_MIN_MTU:
 			error = ip6_getpcbopt(in6p->in6p_outputopts,
 			    optname, sopt);
 			break;
 		case IPV6_MULTICAST_IF:
 		case IPV6_MULTICAST_HOPS:
 		case IPV6_MULTICAST_LOOP:
 		case IPV6_JOIN_GROUP:
 		case IPV6_LEAVE_GROUP:
 			error = ip6_getmoptions(sopt, in6p->in6p_moptions);
 			break;
-#if defined(IPSEC) || defined(FAST_IPSEC)
+#if defined(KAME_IPSEC) || defined(FAST_IPSEC)
 		case IPV6_IPSEC_POLICY:
+		    {
 			struct mbuf *m = NULL;
 			/* XXX this will return EINVAL as sopt is empty */
 			error = ipsec6_get_policy(in6p, sopt->sopt_data,
 			    sopt->sopt_size, &m);
 			if (!error)
 				error = sockopt_setmbuf(sopt, m);
 			break;
+		    }
 #endif /* IPSEC */

 @@ -1,14 +1,14 @@
-/*	$NetBSD: nd6.c,v 1.138 2011/11/19 22:51:29 tls Exp $	*/
+/*	$NetBSD: nd6.c,v 1.139 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.138 2011/11/19 22:51:29 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.139 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/callout.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sockio.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 @@ -59,27 +59,27 @@ __KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.13
 #include <net/if_ether.h>
 #include <net/if_fddi.h>
 #include <net/if_arc.h>
 #include <netinet/in.h>
 #include <netinet6/in6_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/scope6_var.h>
 #include <netinet6/nd6.h>
 #include <netinet/icmp6.h>
 #include <netinet6/icmp6_private.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #endif
 #include <net/net_osdep.h>
 #define ND6_SLOWTIMER_INTERVAL (60 * 60) /* 1 hour */
 #define ND6_RECALC_REACHTM_INTERVAL (60 * 120) /* 2 hours */
 /* timer values */
 int	nd6_prune	= 1;	/* walk list every 1 seconds */
 int	nd6_delay	= 5;	/* delay first probe time 5 second */
 int	nd6_umaxtries	= 3;	/* maximum unicast query */
 int	nd6_mmaxtries	= 3;	/* maximum multicast query */
 @@ -2121,27 +2121,27 @@ nd6_output(struct ifnet *ifp, struct ifn
 		nd6_llinfo_settimer(ln,
 		    (long)ND_IFINFO(ifp)->retrans * hz / 1000);
 		nd6_ns_output(ifp, NULL, &dst->sin6_addr, ln, 0);
+	}
 	return 0;
   sendpkt:
 	/* discard the packet if IPv6 operation is disabled on the interface */
 	if ((ND_IFINFO(ifp)->flags & ND6_IFF_IFDISABLED)) {
 		error = ENETDOWN; /* better error? */
 		goto bad;
+	}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/* clean ipsec history once it goes out of the node */
 	ipsec_delaux(m);
 #endif
 	if ((ifp->if_flags & IFF_LOOPBACK) != 0)
 		return (*ifp->if_output)(origifp, m, sin6tocsa(dst), rt);
 	return (*ifp->if_output)(ifp, m, sin6tocsa(dst), rt);
   bad:
 	if (m != NULL)
 		m_freem(m);
 	return error;
+}
 #undef senderr

 @@ -1,14 +1,14 @@
-/*	$NetBSD: nd6_nbr.c,v 1.94 2009/04/18 14:58:05 tsutsui Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.61 2001/02/10 16:06:14 jinmei Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -21,27 +21,27 @@
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.94 2009/04/18 14:58:05 tsutsui Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v 1.95 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sockio.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 @@ -57,27 +57,27 @@ __KERNEL_RCSID(0, "$NetBSD: nd6_nbr.c,v
 #include <net/route.h>
 #include <netinet/in.h>
 #include <netinet/in_var.h>
 #include <netinet6/in6_var.h>
 #include <netinet6/in6_ifattach.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/scope6_var.h>
 #include <netinet6/nd6.h>
 #include <netinet/icmp6.h>
 #include <netinet6/icmp6_private.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #endif
 #include "carp.h"
 #if NCARP > 0
 #include <netinet/ip_carp.h>
 #endif
 #include <net/net_osdep.h>
 struct dadq;
 static struct dadq *nd6_dad_find(struct ifaddr *);
 static void nd6_dad_starttimer(struct dadq *, int);

 @@ -1,14 +1,14 @@
-/*	$NetBSD: raw_ip6.c,v 1.108 2011/05/03 18:28:45 dyoung Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.109 2011/12/19 11:59:58 drochner Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
  * All rights reserved.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
 @@ -52,27 +52,27 @@
  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
+ *
  *	@(#)raw_ip.c	8.2 (Berkeley) 1/4/94
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.108 2011/05/03 18:28:45 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.109 2011/12/19 11:59:58 drochner Exp $");
 #include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/sysctl.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/protosw.h>
 #include <sys/socketvar.h>
 #include <sys/errno.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
 @@ -87,30 +87,30 @@ __KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v
 #include <netinet/in_var.h>
 #include <netinet/ip6.h>
 #include <netinet6/ip6_var.h>
 #include <netinet6/ip6_private.h>
 #include <netinet6/ip6_mroute.h>
 #include <netinet/icmp6.h>
 #include <netinet6/icmp6_private.h>
 #include <netinet6/in6_pcb.h>
 #include <netinet6/nd6.h>
 #include <netinet6/ip6protosw.h>
 #include <netinet6/scope6_var.h>
 #include <netinet6/raw_ip6.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netinet6/ipsec_private.h>
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec_var.h>
 #include <netipsec/ipsec_private.h>
 #include <netipsec/ipsec6.h>
 #endif
 #include "faith.h"
 #if defined(NFAITH) && 0 < NFAITH
 #include <net/if_faith.h>
 #endif
 @@ -196,71 +196,71 @@ rip6_input(struct mbuf **mp, int *offp,
 		    !IN6_ARE_ADDR_EQUAL(&in6p->in6p_faddr, &ip6->ip6_src))
 			continue;
 		if (in6p->in6p_cksum != -1) {
 			RIP6_STATINC(RIP6_STAT_ISUM);
 			if (in6_cksum(m, proto, *offp,
 			    m->m_pkthdr.len - *offp)) {
 				RIP6_STATINC(RIP6_STAT_BADSUM);
 				continue;
+			}
+		}
 		if (last) {
 			struct	mbuf *n;
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 			/*
 			 * Check AH/ESP integrity.
 			 */
 			if (ipsec6_in_reject(m, last)) {
 				IPSEC6_STATINC(IPSEC_STAT_IN_INVAL);
 				/* do not inject data into pcb */
 			} else
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 			/*
 			 * Check AH/ESP integrity
 			 */
 			if (!ipsec6_in_reject(m,last))
 #endif /* FAST_IPSEC */
 			if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
 				if (last->in6p_flags & IN6P_CONTROLOPTS)
 					ip6_savecontrol(last, &opts, ip6, n);
 				/* strip intermediate headers */
 				m_adj(n, *offp);
 				if (sbappendaddr(&last->in6p_socket->so_rcv,
 				    (struct sockaddr *)&rip6src, n, opts) == 0) {
 					/* should notify about lost packet */
 					m_freem(n);
 					if (opts)
 						m_freem(opts);
 					RIP6_STATINC(RIP6_STAT_FULLSOCK);
 				} else
 					sorwakeup(last->in6p_socket);
 				opts = NULL;
+			}
+		}
 		last = in6p;
+	}
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 	/*
 	 * Check AH/ESP integrity.
 	 */
 	if (last && ipsec6_in_reject(m, last)) {
 		m_freem(m);
 		IPSEC6_STATINC(IPSEC_STAT_IN_INVAL);
 		IP6_STATDEC(IP6_STAT_DELIVERED);
 		/* do not inject data into pcb */
 	} else
-#endif /* IPSEC */
+#endif /* KAME_IPSEC */
 #ifdef FAST_IPSEC
 	if (last && ipsec6_in_reject(m, last)) {
 		m_freem(m);
 		/*
 		 * XXX ipsec6_in_reject update stat if there is an error
 		 * so we just need to update stats by hand in the case of last is
 		 * NULL
 		 */
 		if (!last)
 			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 			IP6_STATDEC(IP6_STAT_DELIVERED);
 			/* do not inject data into pcb */
 		} else

 @@ -1,27 +1,28 @@
-#	$NetBSD: files.ipsec,v 1.6 2011/11/19 22:51:26 tls Exp $
+#	$NetBSD: files.ipsec,v 1.7 2011/12/19 11:59:57 drochner Exp $
-defflag opt_ipsec.h		IPSEC
+defflag opt_ipsec.h		KAME_IPSEC
 defflag opt_ipsec.h		IPSEC: KAME_IPSEC
 defflag opt_ipsec.h		IPSEC_ESP: des, blowfish, cast128
 defflag opt_ipsec.h		IPSEC_NAT_T
-file	netinet6/ah_aesxcbcmac.c	ipsec
+file	netinet6/ah_aesxcbcmac.c	kame_ipsec
-file	netinet6/ah_core.c		ipsec
+file	netinet6/ah_core.c		kame_ipsec
-file	netinet6/ah_input.c		ipsec
+file	netinet6/ah_input.c		kame_ipsec
-file	netinet6/ah_output.c		ipsec
+file	netinet6/ah_output.c		kame_ipsec
-file	netinet6/esp_core.c		ipsec & ipsec_esp
+file	netinet6/esp_core.c		kame_ipsec & ipsec_esp
-file	netinet6/esp_output.c		ipsec & ipsec_esp
+file	netinet6/esp_output.c		kame_ipsec & ipsec_esp
-file	netinet6/esp_input.c		ipsec & ipsec_esp
+file	netinet6/esp_input.c		kame_ipsec & ipsec_esp
-file	netinet6/esp_rijndael.c		ipsec & ipsec_esp
+file	netinet6/esp_rijndael.c		kame_ipsec & ipsec_esp
-file	netinet6/esp_aesctr.c		ipsec & ipsec_esp
+file	netinet6/esp_aesctr.c		kame_ipsec & ipsec_esp
-file	netinet6/ipcomp_core.c		ipsec
+file	netinet6/ipcomp_core.c		kame_ipsec
-file	netinet6/ipcomp_input.c		ipsec
+file	netinet6/ipcomp_input.c		kame_ipsec
-file	netinet6/ipcomp_output.c	ipsec
+file	netinet6/ipcomp_output.c	kame_ipsec
-file	netinet6/ipsec.c		ipsec
+file	netinet6/ipsec.c		kame_ipsec
-file	netkey/key.c			ipsec
+file	netkey/key.c			kame_ipsec
-file	netkey/key_debug.c		ipsec
+file	netkey/key_debug.c		kame_ipsec
-file	netkey/keydb.c			ipsec
+file	netkey/keydb.c			kame_ipsec
-file	netkey/keysock.c		ipsec
+file	netkey/keysock.c		kame_ipsec

 @@ -1,17 +1,19 @@
-#	$Id: files.netipsec,v 1.7 2007/11/16 21:15:20 christos Exp $
+#	$Id: files.netipsec,v 1.8 2011/12/19 11:59:58 drochner Exp $
+#
+#
 defflag opt_ipsec.h	FAST_IPSEC:	opencrypto
 # notyet
 #defflag opt_ipsec.h	IPSEC: FAST_IPSEC
 defflag opt_ipsec.h	IPSEC_DEBUG
 file	netipsec/ipsec.c		fast_ipsec	needs-flag
 file	netipsec/ipsec_input.c		fast_ipsec
 file	netipsec/ipsec_mbuf.c		fast_ipsec
 file	netipsec/ipsec_output.c		fast_ipsec
 file	netipsec/xform_ah.c		fast_ipsec
 file	netipsec/xform_esp.c		fast_ipsec
 file	netipsec/xform_ipcomp.c		fast_ipsec
 file	netipsec/xform_ipip.c		fast_ipsec
 file	netipsec/ipsec_netbsd.c		fast_ipsec
 file	netipsec/key.c			fast_ipsec

 @@ -1,14 +1,14 @@
-/*	$NetBSD: ip_mroute.c,v 1.121 2011/10/19 01:52:22 dyoung Exp $	*/
+/*	$NetBSD: ip_mroute.c,v 1.122 2011/12/19 11:59:57 drochner Exp $	*/
 /*
  * Copyright (c) 1992, 1993
  *      The Regents of the University of California.  All rights reserved.
+ *
  * This code is derived from software contributed to Berkeley by
  * Stephen Deering of Stanford University.
+ *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
 @@ -83,27 +83,27 @@
  * Modified by Charles M. Hannum, NetBSD, May 1995.
  * Modified by Ahmed Helmy, SGI, June 1996
  * Modified by George Edmond Eddy (Rusty), ISI, February 1998
  * Modified by Pavlin Radoslavov, USC/ISI, May 1998, August 1999, October 2000
  * Modified by Hitoshi Asaeda, WIDE, August 2000
  * Modified by Pavlin Radoslavov, ICSI, October 2002
+ *
  * MROUTING Revision: 1.2
  * and PIM-SMv2 and PIM-DM support, advanced API support,
  * bandwidth metering and signaling
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.121 2011/10/19 01:52:22 dyoung Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,v 1.122 2011/12/19 11:59:57 drochner Exp $");
 #include "opt_inet.h"
 #include "opt_ipsec.h"
 #include "opt_pim.h"
 #ifdef PIM
 #define _PIM_VT 1
 #endif
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/callout.h>
 #include <sys/mbuf.h>
 @@ -126,27 +126,27 @@ __KERNEL_RCSID(0, "$NetBSD: ip_mroute.c,
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 #include <netinet/in_pcb.h>
 #include <netinet/udp.h>
 #include <netinet/igmp.h>
 #include <netinet/igmp_var.h>
 #include <netinet/ip_mroute.h>
 #ifdef PIM
 #include <netinet/pim.h>
 #include <netinet/pim_var.h>
 #endif
 #include <netinet/ip_encap.h>
-#ifdef IPSEC
+#ifdef KAME_IPSEC
 #include <netinet6/ipsec.h>
 #include <netkey/key.h>
 #endif
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
 #endif
 #define IP_MULTICASTOPTS 0
 #define	M_PULLUP(m, len)						 \
 	do {								 \
 		if ((m) && ((m)->m_flags & M_EXT || (m)->m_len < (len))) \