diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index e82e66fa0dea..541510fd3cf1 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -650,8 +650,18 @@ ip_input(struct mbuf *m)
 if (ipforwarding == 0) {
 ipstat.ips_cantforward++;
 m_freem(m);
- } else
+ } else {
+#ifdef IPSEC
+ /*
+ * Enforce inbound IPsec SPD.
+ */
+ if (ipsec4_in_reject(m, NULL)) {
+ ipsecstat.in_polvio++;
+ goto bad;
+ }
+#endif /* IPSEC */
 ip_forward(m, 0);
+ }
 #ifdef IPFIREWALL_FORWARD
 ip_fw_fwd_addr = NULL;
 #endif
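Review bot: The added `goto bad;` in the `else` branch jumps past the `ip_fw_fwd_addr = NULL;` reset that follows `ip_forward(m, 0)` under `IPFIREWALL_FORWARD`, so a packet rejected by `ipsec4_in_reject()` skips that cleanup unless the `bad:` label repeats it. The label and the rest of `ip_input()` lie outside this hunk, so this needs confirming against the full function. If `bad:` does not clear it, the forwarding address set for the rejected packet could carry over to the next one. Freeing the mbuf in place with `m_freem(m);` and putting `ip_forward(m, 0);` in an `else`, as the `ipforwarding == 0` branch already does, would let both outcomes fall through to the reset. The comment could also state why the check sits here, for example `/* Forwarded packets must satisfy the inbound SPD too; drop on violation. */`.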