Module Name: src Committed By: ozaki-r Date: Wed Apr 1 02:49:44 UTC 2015
Modified Files: src/sys/netinet6: ip6_input.c src/sys/netipsec: ipsec.c ipsec.h Log Message: Pull out ipsec routines from ip6_input This change reduces symbol references from netinet6 to netipsec and improves modularity of netipsec. No functional change is intended. To generate a diff of this commit: cvs rdiff -u -r1.150 -r1.151 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.65 -r1.66 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.36 -r1.37 src/sys/netipsec/ipsec.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.150 src/sys/netinet6/ip6_input.c:1.151
--- src/sys/netinet6/ip6_input.c:1.150 Tue Jan 20 21:27:36 2015
+++ src/sys/netinet6/ip6_input.c Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $ */
+/* $NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $");
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -748,11 +748,6 @@ ip6_input(struct mbuf *m)
 #ifdef IPSEC
 if (ipsec_used) {
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
- struct secpolicy *sp;
- int s, error;
-
 /*
 * enforce IPsec policy checking if we are seeing last
 * header. note that we do not visit this with
@@ -760,39 +755,7 @@ ip6_input(struct mbuf *m)
 */
 if ((inet6sw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec
- * processing done. If so, then just pass it
- * along. This tag gets set during AH, ESP,
- * etc. input handling, before the packet is
- * returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
- NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi,
- IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m,
- IPSEC_DIR_INBOUND, IP_FORWARDING,
- &error);
- }
- if (sp != NULL) {
- /*
- * Check security policy against packet
- * attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("ip6_input: no SP, packet"
- " discarded\n"));/*XXX*/
- }
- splx(s);
+ int error = ipsec6_input(m);
 if (error)
 goto bad;
 }
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.65 src/sys/netipsec/ipsec.c:1.66
--- src/sys/netipsec/ipsec.c:1.65 Wed Apr 1 01:44:56 2015
+++ src/sys/netipsec/ipsec.c Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $ */
 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $");
 /*
 * IPsec controller part.
@@ -2425,7 +2425,52 @@ skippolicycheck:;
 *needipsecp = needipsec;
 return sp;
 }
-#endif
+
+int
+ipsec6_input(struct mbuf *m)
+{
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+
+ /*
+ * Check if the packet has already had IPsec
+ * processing done. If so, then just pass it
+ * along. This tag gets set during AH, ESP,
+ * etc. input handling, before the packet is
+ * returned to the ip input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
+ NULL);
+ s = splsoftnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi,
+ IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m,
+ IPSEC_DIR_INBOUND, IP_FORWARDING,
+ &error);
+ }
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet
+ * attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ } else {
+ /* XXX error stat??? */
+ error = EINVAL;
+ DPRINTF(("ip6_input: no SP, packet"
+ " discarded\n"));/*XXX*/
+ }
+ splx(s);
+
+ return error;
+}
+#endif /* INET6 */
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.36 src/sys/netipsec/ipsec.h:1.37
--- src/sys/netipsec/ipsec.h:1.36 Fri Sep 5 09:26:44 2014
+++ src/sys/netipsec/ipsec.h Wed Apr 1 02:49:44 2015
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.36 2014/09/05 09:26:44 matt Exp $ */
+/* $NetBSD: ipsec.h,v 1.37 2015/04/01 02:49:44 ozaki-r Exp $ */
 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -260,6 +260,9 @@ int ipsec4_output(struct mbuf *, struct
 struct secpolicy **, u_long *, bool *, bool *);
 int ipsec4_input(struct mbuf *, int);
 int ipsec4_forward(struct mbuf *, int *);
+#ifdef INET6
+int ipsec6_input(struct mbuf *);
+#endif
 static __inline struct secpolicy*
 ipsec4_getpolicybysock(
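Review bot: The DPRINTF on the no-policy branch of the new ipsec6_input still says `ip6_input: no SP, packet discarded`, so a debug trace now names the former caller rather than the function that emits it; `DPRINTF(("ipsec6_input: no SP, packet" " discarded\n"));` keeps it accurate (a debug-only string, but since the commit promises no functional change it may be better as a follow-up). The function is also a newly exported entry point with no header comment: from the code it returns 0 when the inbound policy accepts m and a non-zero errno otherwise (ipsec_in_reject's result, or EINVAL when no policy is found), it never frees m, and the errno that ipsec_getpolicybyaddr writes through &error is overwritten on both branches, which the carried-over XXX already marks. A comment above the definition such as `/* Inbound IPsec policy check for an IPv6 packet: returns 0 to accept, an errno to drop; m is not freed here. Callers are expected to check ipsec_used first. */` would record that contract; the ipsec_used precondition is inferred from the sole call site in ip6_input.c, which still guards the call, so confirm it before documenting it as a hard requirement.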