From d30f6152e33559f5b07fdfb3f6ea560153c53f01 Mon Sep 17 00:00:00 2001
From: ume
Date: Mon, 29 Oct 2001 16:29:41 +0000
Subject: [PATCH] System wide policy should be returned when no policy found in the SPD. The packet was rejected in ipsec[46]_tunnel_validate().
Obtained from: KAME
MFC after: 1 week
---
 sys/netkey/key.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/sys/netkey/key.c b/sys/netkey/key.c
index 6c2e7ed2286c..0ee6b74730fa 100644
--- a/sys/netkey/key.c
+++ b/sys/netkey/key.c
@@ -570,6 +570,32 @@ key_gettunnel(osrc, odst, isrc, idst)
 	struct sockaddr *os, *od, *is, *id;
 	struct secpolicyindex spidx;
 
+	if (isrc->sa_family != idst->sa_family) {
+		printf("protocol family mismatched %d != %d\n.",
+			isrc->sa_family, idst->sa_family);
+		return NULL;
+	}
+
+	/* if no SP found, use default policy. */
+	if (LIST_FIRST(&sptree[dir]) == NULL) {
+		switch (isrc->sa_family) {
+		case PF_INET:
+			if (ip4_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip4_def_policy.refcnt++;
+			return &ip4_def_policy;
+		case PF_INET6:
+			if (ip6_def_policy.policy == IPSEC_POLICY_DISCARD)
+				return NULL;
+			ip6_def_policy.refcnt++;
+			return &ip6_def_policy;
+		default:
+			printf("invalid protocol family %d\n.",
+				isrc->sa_family);
+			return NULL;
+		}
+	}
+
 	s = splnet();	/*called from softclock()*/
 	LIST_FOREACH(sp, &sptree[dir], chain) {
 		if (sp->state == IPSEC_SPSTATE_DEAD)
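Review bot: Both new printf format strings place the period after the newline (`"protocol family mismatched %d != %d\n."` and `"invalid protocol family %d\n."`), so a stray `.` is printed at the start of the next console line; they should read `printf("protocol family mismatched %d != %d.\n",` and `printf("invalid protocol family %d.\n",`. The `LIST_FIRST(&sptree[dir]) == NULL` test and the `refcnt++` on the default policies run before the `s = splnet()` that guards the list walk below, so if the SPD can be modified from interrupt context the emptiness check may race with a concurrent insertion; worth confirming against the callers before relying on it. The fallback also triggers only when the tree is empty, so whether a non-empty tree with no matching entry reaches the default policy depends on the post-loop path, which lies outside the hunk. key_gettunnel's parameter declarations and the remainder of its body are outside the hunk.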