Hi, This allows to build a kernel without ipsec or inet6.
ok? bluhm Index: netinet/ip_ah.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ah.c,v retrieving revision 1.167 diff -u -p -r1.167 ip_ah.c --- netinet/ip_ah.c 21 Nov 2021 16:17:48 -0000 1.167 +++ netinet/ip_ah.c 1 Dec 2021 23:47:50 -0000 @@ -201,12 +201,12 @@ ah_massage_headers(struct mbuf **mp, int { struct mbuf *m = *mp; unsigned char *ptr; - int off, count; + int off, count, error; struct ip *ip; #ifdef INET6 struct ip6_ext *ip6e; struct ip6_hdr ip6; - int ad, alloc, nxt, noff, error; + int ad, alloc, nxt, noff; #endif /* INET6 */ switch (af) { Index: netinet/ip_ipsp.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.c,v retrieving revision 1.259 diff -u -p -r1.259 ip_ipsp.c --- netinet/ip_ipsp.c 1 Dec 2021 22:34:31 -0000 1.259 +++ netinet/ip_ipsp.c 1 Dec 2021 23:47:50 -0000 @@ -661,7 +661,9 @@ tdb_timeout(void *v) if (tdb->tdb_flags & TDBF_TIMER) { /* If it's an "invalid" TDB do a silent expiration. */ if (!(tdb->tdb_flags & TDBF_INVALID)) { +#ifdef IPSEC ipsecstat_inc(ipsec_exctdb); +#endif /* IPSEC */ pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); } tdb_delete(tdb); @@ -680,7 +682,9 @@ tdb_firstuse(void *v) if (tdb->tdb_flags & TDBF_SOFT_FIRSTUSE) { /* If the TDB hasn't been used, don't renew it. */ if (tdb->tdb_first_use != 0) { +#ifdef IPSEC ipsecstat_inc(ipsec_exctdb); +#endif /* IPSEC */ pfkeyv2_expire(tdb, SADB_EXT_LIFETIME_HARD); } tdb_delete(tdb); Index: netinet/ipsec_input.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_input.c,v retrieving revision 1.194 diff -u -p -r1.194 ipsec_input.c --- netinet/ipsec_input.c 1 Dec 2021 12:51:09 -0000 1.194 +++ netinet/ipsec_input.c 1 Dec 2021 23:47:50 -0000 @@ -1009,8 +1009,10 @@ esp4_ctlinput(int cmd, struct sockaddr * int ipsec_protoff(struct mbuf *m, int off, int af) { +#ifdef INET6 struct ip6_ext ip6e; int protoff, nxt, l; +#endif /* INET6 */ switch (af) { case AF_INET: @@ -1018,11 +1020,12 @@ ipsec_protoff(struct mbuf *m, int off, i #ifdef INET6 case AF_INET6: break; -#endif +#endif /* INET6 */ default: unhandled_af(af); } +#ifdef INET6 if (off < sizeof(struct ip6_hdr)) return -1; @@ -1057,6 +1060,7 @@ ipsec_protoff(struct mbuf *m, int off, i protoff += offsetof(struct ip6_ext, ip6e_nxt); return protoff; +#endif /* INET6 */ } int Index: netinet/ipsec_output.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ipsec_output.c,v retrieving revision 1.92 diff -u -p -r1.92 ipsec_output.c --- netinet/ipsec_output.c 25 Nov 2021 13:46:02 -0000 1.92 +++ netinet/ipsec_output.c 1 Dec 2021 23:47:50 -0000 @@ -162,13 +162,16 @@ ipsp_process_packet(struct mbuf *m, stru * doing tunneling. */ if (af == tdb->tdb_dst.sa.sa_family) { - if (af == AF_INET) + switch (af) { + case AF_INET: hlen = sizeof(struct ip); - + break; #ifdef INET6 - if (af == AF_INET6) + case AF_INET6: hlen = sizeof(struct ip6_hdr); + break; #endif /* INET6 */ + } /* Bring the network header in the first mbuf. */ if (m->m_len < hlen) { Index: netinet/udp_usrreq.c =================================================================== RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.266 diff -u -p -r1.266 udp_usrreq.c --- netinet/udp_usrreq.c 1 Dec 2021 12:51:09 -0000 1.266 +++ netinet/udp_usrreq.c 1 Dec 2021 23:47:50 -0000 @@ -173,12 +173,6 @@ udp_input(struct mbuf **mp, int *offp, i #endif /* INET6 */ } srcsa, dstsa; struct ip6_hdr *ip6 = NULL; -#ifdef IPSEC - struct m_tag *mtag; - struct tdb_ident *tdbi; - struct tdb *tdb; - int error, protoff; -#endif /* IPSEC */ u_int32_t ipsecflowinfo = 0; udpstat_inc(udps_ipackets); @@ -291,6 +285,8 @@ udp_input(struct mbuf **mp, int *offp, i * to userland */ if (spi != 0) { + int protoff; + if ((m = *mp = m_pullup(m, skip)) == NULL) { udpstat_inc(udps_hdrops); return IPPROTO_DONE; @@ -309,7 +305,7 @@ udp_input(struct mbuf **mp, int *offp, i af, IPPROTO_ESP, 1); } } -#endif +#endif /* IPSEC */ switch (af) { case AF_INET: @@ -503,6 +499,11 @@ udp_input(struct mbuf **mp, int *offp, i #ifdef IPSEC if (ipsec_in_use) { + struct m_tag *mtag; + struct tdb_ident *tdbi; + struct tdb *tdb; + int error; + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); if (mtag != NULL) { tdbi = (struct tdb_ident *)(mtag + 1);