Module Name: src
Committed By: ozaki-r
Date: Wed Apr 1 02:49:44 UTC 2015
Modified Files:
src/sys/netinet6: ip6_input.c
src/sys/netipsec: ipsec.c ipsec.h
Log Message:
Pull out ipsec routines from ip6_input
This change reduces symbol references from netinet6 to netipsec
and improves modularity of netipsec.
No functional change is intended.
To generate a diff of this commit:
cvs rdiff -u -r1.150 -r1.151 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.65 -r1.66 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.36 -r1.37 src/sys/netipsec/ipsec.h
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.150 src/sys/netinet6/ip6_input.c:1.151
--- src/sys/netinet6/ip6_input.c:1.150 Tue Jan 20 21:27:36 2015
+++ src/sys/netinet6/ip6_input.c Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $ */
+/* $NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $");
#include "opt_gateway.h"
#include "opt_inet.h"
@@ -748,11 +748,6 @@ ip6_input(struct mbuf *m)
#ifdef IPSEC
if (ipsec_used) {
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
- struct secpolicy *sp;
- int s, error;
-
/*
* enforce IPsec policy checking if we are seeing last
* header. note that we do not visit this with
@@ -760,39 +755,7 @@ ip6_input(struct mbuf *m)
*/
if ((inet6sw[ip_protox[nxt]].pr_flags
& PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec
- * processing done. If so, then just pass it
- * along. This tag gets set during AH, ESP,
- * etc. input handling, before the packet is
- * returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
- NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi,
- IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m,
- IPSEC_DIR_INBOUND, IP_FORWARDING,
- &error);
- }
- if (sp != NULL) {
- /*
- * Check security policy against packet
- * attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("ip6_input: no SP, packet"
- " discarded\n"));/*XXX*/
- }
- splx(s);
+ int error = ipsec6_input(m);
if (error)
goto bad;
}
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.65 src/sys/netipsec/ipsec.c:1.66
--- src/sys/netipsec/ipsec.c:1.65 Wed Apr 1 01:44:56 2015
+++ src/sys/netipsec/ipsec.c Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -2425,7 +2425,52 @@ skippolicycheck:;
*needipsecp = needipsec;
return sp;
}
-#endif
+
+int
+ipsec6_input(struct mbuf *m)
+{
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+
+ /*
+ * Check if the packet has already had IPsec
+ * processing done. If so, then just pass it
+ * along. This tag gets set during AH, ESP,
+ * etc. input handling, before the packet is
+ * returned to the ip input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
+ NULL);
+ s = splsoftnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi,
+ IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m,
+ IPSEC_DIR_INBOUND, IP_FORWARDING,
+ &error);
+ }
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet
+ * attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ } else {
+ /* XXX error stat??? */
+ error = EINVAL;
+ DPRINTF(("ip6_input: no SP, packet"
+ " discarded\n"));/*XXX*/
+ }
+ splx(s);
+
+ return error;
+}
+#endif /* INET6 */
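Review bot: The new exported function ipsec6_input (lines 109-152) has no header comment stating its contract, although the visible body fixes it: it returns 0 when the inbound policy check passes and an errno when the packet must be dropped, it takes splsoftnet itself, and nothing visible in it frees m; a comment such as `/* Enforce inbound IPsec policy on an IPv6 packet at its last header. Returns 0 to accept or an errno to drop; the mbuf is not consumed. */` above line 109 would tell callers in ip6_input what the nonzero return obliges them to do. The DPRINTF on lines 146-147 still names ip6_input even though the code now lives in ipsec.c; `DPRINTF(("%s: no SP, packet discarded\n", __func__));` keeps the diagnostic accurate after the move. The errno that ipsec_getpolicybyaddr writes through &error on line 134 is overwritten with EINVAL on line 145 whenever no policy is found, so the reason the lookup failed is lost, which the inherited XXX comment already hints at; keeping it would be a behaviour change this commit intentionally avoids, but it is worth a follow-up. Unlike ipsec4_input, whose prototype in ipsec.h takes a second int, ipsec6_input hard-codes IP_FORWARDING on line 133; if that int is the flags word, mirroring it would keep the two entry points parallel.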
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.36 src/sys/netipsec/ipsec.h:1.37
--- src/sys/netipsec/ipsec.h:1.36 Fri Sep 5 09:26:44 2014
+++ src/sys/netipsec/ipsec.h Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.36 2014/09/05 09:26:44 matt Exp $ */
+/* $NetBSD: ipsec.h,v 1.37 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -260,6 +260,9 @@ int ipsec4_output(struct mbuf *, struct
struct secpolicy **, u_long *, bool *, bool *);
int ipsec4_input(struct mbuf *, int);
int ipsec4_forward(struct mbuf *, int *);
+#ifdef INET6
+int ipsec6_input(struct mbuf *);
+#endif
static __inline struct secpolicy*
ipsec4_getpolicybysock(