Dedup: merge ipsec4_in_reject and ipsec6_in_reject into ipsec_in_reject. trunk
authormaxv <maxv@NetBSD.org>
Mon, 26 Feb 2018 09:04:29 +0000
branchtrunk
changeset 316450 0dec3dc2306a
parent 316449 1b9855be59d7
child 316451 4705449403b4
Dedup: merge ipsec4_in_reject and ipsec6_in_reject into ipsec_in_reject. While here fix misleading comment. ok ozaki-r@
sys/netinet/raw_ip.c
sys/netinet/sctp_input.c
sys/netinet/tcp_input.c
sys/netinet/udp_usrreq.c
sys/netinet6/icmp6.c
sys/netinet6/raw_ip6.c
sys/netinet6/sctp6_usrreq.c
sys/netinet6/udp6_usrreq.c
sys/netipsec/ipsec.c
sys/netipsec/ipsec.h
sys/netipsec/ipsec6.h
sys/netipsec/ipsec_input.c
sys/rump/librump/rumpnet/net_stub.c
--- a/sys/netinet/raw_ip.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet/raw_ip.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip.c,v 1.168 2018/02/14 16:45:24 christos Exp $	*/
+/*	$NetBSD: raw_ip.c,v 1.169 2018/02/26 09:04:29 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -65,7 +65,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.168 2018/02/14 16:45:24 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.169 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -204,7 +204,7 @@
 			;
 #if defined(IPSEC)
 		/* check AH/ESP integrity. */
-		else if (ipsec_used && ipsec4_in_reject(m, last)) {
+		else if (ipsec_used && ipsec_in_reject(m, last)) {
 			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 			/* do not inject data to pcb */
 		}
@@ -218,7 +218,7 @@
 	}
 #if defined(IPSEC)
 	/* check AH/ESP integrity. */
-	if (ipsec_used && last != NULL && ipsec4_in_reject(m, last)) {
+	if (ipsec_used && last != NULL && ipsec_in_reject(m, last)) {
 		m_freem(m);
 		IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 		IP_STATDEC(IP_STAT_DELIVERED);
--- a/sys/netinet/sctp_input.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet/sctp_input.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,5 +1,5 @@
 /*	$KAME: sctp_input.c,v 1.28 2005/04/21 18:36:21 nishida Exp $	*/
-/*	$NetBSD: sctp_input.c,v 1.7 2017/06/27 13:27:54 rjs Exp $	*/
+/*	$NetBSD: sctp_input.c,v 1.8 2018/02/26 09:04:29 maxv Exp $	*/
 
 /*
  * Copyright (C) 2002, 2003, 2004 Cisco Systems Inc,
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.7 2017/06/27 13:27:54 rjs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sctp_input.c,v 1.8 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -4238,7 +4238,7 @@
 	 * I very much doubt any of the IPSEC stuff will work but I have
 	 * no idea, so I will leave it in place.
 	 */
-	if (ipsec_used && ipsec4_in_reject(m, (struct inpcb *)inp)) {
+	if (ipsec_used && ipsec_in_reject(m, (struct inpcb *)inp)) {
 #if 0
 		ipsecstat.in_polvio++;
 #endif
--- a/sys/netinet/tcp_input.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet/tcp_input.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.379 2018/02/12 08:22:26 maxv Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.380 2018/02/26 09:04:29 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -148,7 +148,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.379 2018/02/12 08:22:26 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: tcp_input.c,v 1.380 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -1460,14 +1460,14 @@
 		if (ipsec_used) {
 			if (inp &&
 			    (inp->inp_socket->so_options & SO_ACCEPTCONN) == 0
-			    && ipsec4_in_reject(m, inp)) {
+			    && ipsec_in_reject(m, inp)) {
 				IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 				goto drop;
 			}
 #ifdef INET6
 			else if (in6p &&
 			    (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0
-			    && ipsec6_in_reject(m, in6p)) {
+			    && ipsec_in_reject(m, in6p)) {
 				IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 				goto drop;
 			}
@@ -1505,7 +1505,7 @@
 #if defined(IPSEC)
 		if (ipsec_used && in6p &&
 		    (in6p->in6p_socket->so_options & SO_ACCEPTCONN) == 0 &&
-		    ipsec6_in_reject(m, in6p)) {
+		    ipsec_in_reject(m, in6p)) {
 			IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 			goto drop;
 		}
@@ -1785,7 +1785,7 @@
 					 */
 					KASSERT(inp == NULL ||
 					    sotoinpcb(so) == inp);
-					if (!ipsec4_in_reject(m, inp))
+					if (!ipsec_in_reject(m, inp))
 						break;
 					IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 					tp = NULL;
@@ -1794,7 +1794,7 @@
 #ifdef INET6
 				case AF_INET6:
 					KASSERT(sotoin6pcb(so) == in6p);
-					if (!ipsec6_in_reject(m, in6p))
+					if (!ipsec_in_reject(m, in6p))
 						break;
 					IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 					tp = NULL;
--- a/sys/netinet/udp_usrreq.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet/udp_usrreq.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.242 2018/02/14 05:24:44 maxv Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.243 2018/02/26 09:04:29 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.242 2018/02/14 05:24:44 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp_usrreq.c,v 1.243 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -479,7 +479,7 @@
 
 #if defined(IPSEC)
 	/* check AH/ESP integrity. */
-	if (ipsec_used && ipsec4_in_reject(m, inp)) {
+	if (ipsec_used && ipsec_in_reject(m, inp)) {
 		IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
 		if ((n = m_copypacket(m, M_DONTWAIT)) != NULL)
 			icmp_error(n, ICMP_UNREACH, ICMP_UNREACH_ADMIN_PROHIBIT,
--- a/sys/netinet6/icmp6.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet6/icmp6.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.220 2018/02/12 12:52:12 maxv Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.221 2018/02/26 09:04:29 maxv Exp $	*/
 /*	$KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.220 2018/02/12 12:52:12 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.221 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -2008,7 +2008,7 @@
 			 * Check AH/ESP integrity
 			 */
 			if (!ipsec_used ||
-			    (ipsec_used && !ipsec6_in_reject(m, last)))
+			    (ipsec_used && !ipsec_in_reject(m, last)))
 #endif
 			if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
 				if (last->in6p_flags & IN6P_CONTROLOPTS)
@@ -2030,7 +2030,7 @@
 	}
 
 #ifdef IPSEC
-	if (ipsec_used && last && ipsec6_in_reject(m, last)) {
+	if (ipsec_used && last && ipsec_in_reject(m, last)) {
 		m_freem(m);
 		IP6_STATDEC(IP6_STAT_DELIVERED);
 		/* do not inject data into pcb */
--- a/sys/netinet6/raw_ip6.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet6/raw_ip6.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.163 2018/02/26 09:04:29 maxv Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.82 2001/07/23 18:57:56 jinmei Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.162 2018/02/08 19:58:05 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip6.c,v 1.163 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_ipsec.h"
@@ -198,7 +198,7 @@
 			 * Check AH/ESP integrity
 			 */
 			if (!ipsec_used ||
-			    (ipsec_used && !ipsec6_in_reject(m, last)))
+			    (ipsec_used && !ipsec_in_reject(m, last)))
 #endif
 			if ((n = m_copy(m, 0, (int)M_COPYALL)) != NULL) {
 				if (last->in6p_flags & IN6P_CONTROLOPTS)
@@ -221,7 +221,7 @@
 	}
 
 #ifdef IPSEC
-	if (ipsec_used && last && ipsec6_in_reject(m, last)) {
+	if (ipsec_used && last && ipsec_in_reject(m, last)) {
 		m_freem(m);
 		IP6_STATDEC(IP6_STAT_DELIVERED);
 		/* do not inject data into pcb */
--- a/sys/netinet6/sctp6_usrreq.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet6/sctp6_usrreq.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,5 +1,5 @@
 /* $KAME: sctp6_usrreq.c,v 1.38 2005/08/24 08:08:56 suz Exp $ */
-/* $NetBSD: sctp6_usrreq.c,v 1.14 2017/10/17 19:23:42 rjs Exp $ */
+/* $NetBSD: sctp6_usrreq.c,v 1.15 2018/02/26 09:04:29 maxv Exp $ */
 
 /*
  * Copyright (c) 2001, 2002, 2003, 2004 Cisco Systems, Inc.
@@ -33,7 +33,7 @@
  * SUCH DAMAGE.
  */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.14 2017/10/17 19:23:42 rjs Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sctp6_usrreq.c,v 1.15 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -235,7 +235,7 @@
 	/*
 	 * Check AH/ESP integrity.
 	 */
-	if (ipsec_used && ipsec6_in_reject(m, (struct in6pcb *)in6p_ip)) {
+	if (ipsec_used && ipsec_in_reject(m, (struct in6pcb *)in6p_ip)) {
 /* XXX */
 #if 0
 		/* FIX ME: need to find right stat */
--- a/sys/netinet6/udp6_usrreq.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netinet6/udp6_usrreq.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $ */
+/* $NetBSD: udp6_usrreq.c,v 1.135 2018/02/26 09:04:29 maxv Exp $ */
 /* $KAME: udp6_usrreq.c,v 1.86 2001/05/27 17:33:00 itojun Exp $ */
 /* $KAME: udp6_output.c,v 1.43 2001/10/15 09:19:52 itojun Exp $ */
 
@@ -63,7 +63,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.134 2018/02/08 19:58:05 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: udp6_usrreq.c,v 1.135 2018/02/26 09:04:29 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -353,7 +353,7 @@
 
 #if defined(IPSEC)
 	/* check AH/ESP integrity. */
-	if (ipsec_used && ipsec6_in_reject(m, in6p)) {
+	if (ipsec_used && ipsec_in_reject(m, in6p)) {
 		IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO);
 		if ((n = m_copypacket(m, M_DONTWAIT)) != NULL)
 			icmp6_error(n, ICMP6_DST_UNREACH,
--- a/sys/netipsec/ipsec.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netipsec/ipsec.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.138 2018/02/26 08:50:25 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.139 2018/02/26 09:04:29 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.138 2018/02/26 08:50:25 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.139 2018/02/26 09:04:29 maxv Exp $");
 
 /*
  * IPsec controller part.
@@ -1701,12 +1701,13 @@
 }
 
 /*
- * Check AH/ESP integrity.
- * This function is called from tcp_input(), udp_input(),
- * and {ah,esp}4_input for tunnel mode
+ * Check security policy requirements.
+ *
+ * This function is called from tcp{6}_input(), udp{6}_input(),
+ * and {ah,esp}_input for tunnel mode
  */
 int
-ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec_in_reject(struct mbuf *m, void *inp)
 {
 	struct inpcb_hdr *inph = (struct inpcb_hdr *)inp;
 	struct secpolicy *sp;
@@ -1733,41 +1734,6 @@
 	return result;
 }
 
-#ifdef INET6
-/*
- * Check AH/ESP integrity.
- * This function is called from tcp6_input(), udp6_input(),
- * and {ah,esp}6_input for tunnel mode
- */
-int
-ipsec6_in_reject(struct mbuf *m, struct in6pcb *in6p)
-{
-	struct inpcb_hdr *inph = (struct inpcb_hdr *)in6p;
-	struct secpolicy *sp;
-	int error;
-	int result;
-
-	KASSERT(m != NULL);
-
-	if (inph == NULL)
-		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
-		    IP_FORWARDING, &error);
-	else
-		sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND,
-		    inph, &error);
-
-	if (sp != NULL) {
-		result = ipsec_sp_reject(sp, m);
-		if (result)
-			IPSEC_STATINC(IPSEC_STAT_IN_POLVIO);
-		KEY_SP_UNREF(&sp);
-	} else {
-		result = 0;
-	}
-	return result;
-}
-#endif
-
 /*
  * Compute the byte size to be occupied by the IPsec header. If it is
  * tunneled, it includes the size of outer IP header.
--- a/sys/netipsec/ipsec.h	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netipsec/ipsec.h	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.68 2018/02/26 08:50:25 maxv Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.69 2018/02/26 09:04:29 maxv Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -294,7 +294,7 @@
 int ipsec4_set_policy(struct inpcb *, int, const void *, size_t, kauth_cred_t);
 int ipsec4_get_policy(struct inpcb *, const void *, size_t, struct mbuf **);
 int ipsec4_delete_pcbpolicy(struct inpcb *);
-int ipsec4_in_reject(struct mbuf *, struct inpcb *);
+int ipsec_in_reject(struct mbuf *, void *);
 
 struct secasvar *ipsec_lookup_sa(const struct ipsecrequest *,
     const struct mbuf *);
--- a/sys/netipsec/ipsec6.h	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netipsec/ipsec6.h	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec6.h,v 1.23 2018/02/26 08:42:16 maxv Exp $	*/
+/*	$NetBSD: ipsec6.h,v 1.24 2018/02/26 09:04:29 maxv Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $	*/
 /*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/
 
@@ -58,11 +58,9 @@
 int ipsec6_get_policy(struct in6pcb *, const void *, size_t, struct mbuf **);
 struct secpolicy *ipsec6_check_policy(struct mbuf *, 
     struct in6pcb *, int, int*,int*);
-int ipsec6_in_reject(struct mbuf *, struct in6pcb *);
 
 struct tcp6cb;
 
-size_t ipsec6_hdrsiz(struct mbuf *, u_int, struct in6pcb *);
 size_t ipsec6_hdrsiz_tcp(struct tcpcb*);
 
 /* NetBSD protosw ctlin entrypoint */
--- a/sys/netipsec/ipsec_input.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/netipsec/ipsec_input.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.61 2018/02/26 06:58:56 maxv Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.62 2018/02/26 09:04:29 maxv Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.61 2018/02/26 06:58:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.62 2018/02/26 09:04:29 maxv Exp $");
 
 /*
  * IPsec input processing.
@@ -459,7 +459,7 @@
 	key_sa_recordxfer(sav, m);		/* record data transfer */
 
 	if ((inetsw[ip_protox[prot]].pr_flags & PR_LASTHDR) != 0 &&
-	    ipsec4_in_reject(m, NULL)) {
+	    ipsec_in_reject(m, NULL)) {
 		error = EINVAL;
 		goto bad;
 	}
@@ -685,7 +685,7 @@
 		 * code - like udp/tcp/raw ip.
 		 */
 		if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
-		    ipsec6_in_reject(m, NULL)) {
+		    ipsec_in_reject(m, NULL)) {
 			error = EINVAL;
 			goto bad;
 		}
--- a/sys/rump/librump/rumpnet/net_stub.c	Mon Feb 26 08:50:25 2018 +0000
+++ b/sys/rump/librump/rumpnet/net_stub.c	Mon Feb 26 09:04:29 2018 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: net_stub.c,v 1.28 2018/02/26 08:50:25 maxv Exp $	*/
+/*	$NetBSD: net_stub.c,v 1.29 2018/02/26 09:04:29 maxv Exp $	*/
 
 /*
  * Copyright (c) 2008 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.28 2018/02/26 08:50:25 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.29 2018/02/26 09:04:29 maxv Exp $");
 
 #include <sys/mutex.h>
 #include <sys/param.h>
@@ -92,17 +92,16 @@
 __weak_alias(ipsec4_delete_pcbpolicy,rumpnet_stub);
 __weak_alias(ipsec4_forward,rumpnet_stub);
 __weak_alias(ipsec4_input,rumpnet_stub);
-__weak_alias(ipsec4_in_reject,rumpnet_stub);
 __weak_alias(ipsec4_set_policy,rumpnet_stub);
 __weak_alias(ipsec6_common_input,rumpnet_stub);
 __weak_alias(ipsec6_input,rumpnet_stub);
 __weak_alias(ipsec6_check_policy,rumpnet_stub);
 __weak_alias(ipsec6_delete_pcbpolicy,rumpnet_stub);
 __weak_alias(ipsec6_get_policy,rumpnet_stub);
-__weak_alias(ipsec6_in_reject,rumpnet_stub);
 __weak_alias(ipsec6_process_packet,rumpnet_stub);
 __weak_alias(ipsec6_set_policy,rumpnet_stub);
 __weak_alias(ipsec_hdrsiz,rumpnet_stub);
+__weak_alias(ipsec_in_reject,rumpnet_stub);
 __weak_alias(ipsec_init_policy,rumpnet_stub);
 __weak_alias(ipsec_pcbconn,rumpnet_stub);
 __weak_alias(ipsec_pcbdisconn,rumpnet_stub);