Author: ae
Date: Thu Dec 11 18:55:54 2014
New Revision: 275713
URL: https://svnweb.freebsd.org/changeset/base/275713

Log:
  Use ipsec4_in_reject() to simplify ip_ipsec_fwd() and ip_ipsec_input().
  ipsec4_in_reject() does the same things, and it also counts policy
  violation errors.
  
  Obtained from:        Yandex LLC
  Sponsored by: Yandex LLC

Modified:
  head/sys/netinet/ip_ipsec.c

Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Thu Dec 11 18:46:11 2014        (r275712)
+++ head/sys/netinet/ip_ipsec.c Thu Dec 11 18:55:54 2014        (r275713)
@@ -107,20 +107,8 @@ ip_ipsec_filtertunnel(struct mbuf *m)
 int
 ip_ipsec_fwd(struct mbuf *m)
 {
-       struct secpolicy *sp;
-       int error;
 
-       sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-       if (sp != NULL) {
-               /*
-                * Check security policy against packet attributes.
-                */
-               error = ipsec_in_reject(sp, m);
-               KEY_FREESP(&sp);
-       }
-       if (error != 0)
-               return (1);
-       return (0);
+       return (ipsec4_in_reject(m, NULL));
 }
 
 /*
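Review bot: The result of the new `return (ipsec4_in_reject(m, NULL));` in ip_ipsec_fwd() when no inbound security policy is found now depends entirely on what ipsec4_in_reject() does for a NULL policy, and that helper is outside this diff; the removed code returned 1 whenever ipsec_getpolicybyaddr() reported an error, and the removed ip_ipsec_input() body in the next hunk explicitly discarded the packet with EINVAL in the no-SP case. Please confirm ipsec4_in_reject() keeps that fail-closed outcome, so the refactor does not quietly admit packets that previously would have been dropped, as the log message's "does the same things" implies. Since the helper is now also where policy violations are accounted, a one-line comment above the call would keep that visible to the next reader, e.g. `/* ipsec4_in_reject() checks the inbound SP and counts policy violations. */`. The same point applies to ip_ipsec_input() in the following hunk.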
@@ -133,29 +121,13 @@ ip_ipsec_fwd(struct mbuf *m)
 int
 ip_ipsec_input(struct mbuf *m, int nxt)
 {
-       struct secpolicy *sp;
-       int error;
        /*
         * enforce IPsec policy checking if we are seeing last header.
         * note that we do not visit this with protocols with pcb layer
         * code - like udp/tcp/raw ip.
         */
-       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
-               sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-               if (sp != NULL) {
-                       /*
-                        * Check security policy against packet attributes.
-                        */
-                       error = ipsec_in_reject(sp, m);
-                       KEY_FREESP(&sp);
-               } else {
-                       /* XXX error stat??? */
-                       error = EINVAL;
-                       DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
-               }
-               if (error != 0)
-                       return (1);
-       }
+       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+               return (ipsec4_in_reject(m, NULL));
        return (0);
 }
 