netipsec

Ryota Ozaki Sun, 07 May 2017 23:40:00 -0700

Module Name:    src
Committed By:   ozaki-r
Date:           Mon May  8 06:39:23 UTC 2017


Modified Files:
        src/sys/netipsec: ipsec.c ipsec.h ipsec_output.c

Log Message:
Omit two arguments of ipsec4_process_packet

flags is unused and tunalready is always 0. So NFC.


To generate a diff of this commit:
cvs rdiff -u -r1.85 -r1.86 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.44 -r1.45 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.45 -r1.46 src/sys/netipsec/ipsec_output.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.85 src/sys/netipsec/ipsec.c:1.86
--- src/sys/netipsec/ipsec.c:1.85	Fri Apr 28 02:29:38 2017
+++ src/sys/netipsec/ipsec.c	Mon May  8 06:39:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.85 2017/04/28 02:29:38 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.86 2017/05/08 06:39:23 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.85 2017/04/28 02:29:38 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.86 2017/05/08 06:39:23 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -733,7 +733,7 @@ ipsec4_output(struct mbuf *m, struct inp
 	}
 
 	/* Note: callee frees mbuf */
-	error = ipsec4_process_packet(m, sp->req, flags, 0);
+	error = ipsec4_process_packet(m, sp->req);
 	/*
 	 * Preserve KAME behaviour: ENOENT can be returned
 	 * when an SA acquire is in progress.  Don't propagate

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.44 src/sys/netipsec/ipsec.h:1.45
--- src/sys/netipsec/ipsec.h:1.44	Tue Apr 25 05:44:11 2017
+++ src/sys/netipsec/ipsec.h	Mon May  8 06:39:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.44 2017/04/25 05:44:11 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.45 2017/05/08 06:39:23 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -320,8 +320,7 @@ struct m_tag;
 void ipsec4_common_input(struct mbuf *m, ...);
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *,
 			int, int, struct m_tag *);
-int ipsec4_process_packet (struct mbuf *, struct ipsecrequest *,
-			int, int);
+int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
 int ipsec_process_done (struct mbuf *, struct ipsecrequest *);
 #define ipsec_indone(m)	\
 	(m_tag_find((m), PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)

Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.45 src/sys/netipsec/ipsec_output.c:1.46
--- src/sys/netipsec/ipsec_output.c:1.45	Wed Apr 19 03:39:14 2017
+++ src/sys/netipsec/ipsec_output.c	Mon May  8 06:39:23 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_output.c,v 1.45 2017/04/19 03:39:14 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $	*/
 
 /*-
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.45 2017/04/19 03:39:14 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.46 2017/05/08 06:39:23 ozaki-r Exp $");
 
 /*
  * IPsec output processing.
@@ -250,7 +250,7 @@ ipsec_process_done(struct mbuf *m, struc
 		switch ( saidx->dst.sa.sa_family ) {
 #ifdef INET
 		case AF_INET:
-			return ipsec4_process_packet(m, isr->next, 0,0);
+			return ipsec4_process_packet(m, isr->next);
 #endif /* INET */
 #ifdef INET6
 		case AF_INET6:
@@ -447,17 +447,14 @@ bad:
  * IPsec output logic for IPv4.
  */
 int
-ipsec4_process_packet(
-    struct mbuf *m,
-    struct ipsecrequest *isr,
-    int flags,
-    int tunalready
-)
+ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
 {
 	struct secasindex saidx;
 	struct secasvar *sav;
 	struct ip *ip;
 	int s, error, i, off;
+	union sockaddr_union *dst;
+	int setdf;
 
 	KASSERT(m != NULL);
 	KASSERT(isr != NULL);
@@ -478,92 +475,89 @@ ipsec4_process_packet(
 	}
 
 	sav = isr->sav;
-	if (!tunalready) {
-		union sockaddr_union *dst = &sav->sah->saidx.dst;
-		int setdf;
+	dst = &sav->sah->saidx.dst;
 
-		/*
-		 * Collect IP_DF state from the outer header.
-		 */
-		if (dst->sa.sa_family == AF_INET) {
-			if (m->m_len < sizeof (struct ip) &&
-			    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
-				error = ENOBUFS;
-				goto bad;
-			}
-			ip = mtod(m, struct ip *);
-			/* Honor system-wide control of how to handle IP_DF */
-			switch (ip4_ipsec_dfbit) {
-			case 0:			/* clear in outer header */
-			case 1:			/* set in outer header */
-				setdf = ip4_ipsec_dfbit;
-				break;
-			default:		/* propagate to outer header */
-				setdf = ip->ip_off;
-				setdf = ntohs(setdf);
-				setdf = htons(setdf & IP_DF);
-				break;
-			}
-		} else {
-			ip = NULL;		/* keep compiler happy */
-			setdf = 0;
+	/*
+	 * Collect IP_DF state from the outer header.
+	 */
+	if (dst->sa.sa_family == AF_INET) {
+		if (m->m_len < sizeof (struct ip) &&
+		    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+			error = ENOBUFS;
+			goto bad;
+		}
+		ip = mtod(m, struct ip *);
+		/* Honor system-wide control of how to handle IP_DF */
+		switch (ip4_ipsec_dfbit) {
+		case 0:			/* clear in outer header */
+		case 1:			/* set in outer header */
+			setdf = ip4_ipsec_dfbit;
+			break;
+		default:		/* propagate to outer header */
+			setdf = ip->ip_off;
+			setdf = ntohs(setdf);
+			setdf = htons(setdf & IP_DF);
+			break;
 		}
-		/* Do the appropriate encapsulation, if necessary */
-		if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
-		    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
+	} else {
+		ip = NULL;		/* keep compiler happy */
+		setdf = 0;
+	}
+	/* Do the appropriate encapsulation, if necessary */
+	if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
+	    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
 #if 0
-		    (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */
-		    sav->tdb_xform->xf_type == XF_IP4 ||    /* ditto */
+	    (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */
+	    sav->tdb_xform->xf_type == XF_IP4 ||    /* ditto */
 #endif
-		    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
-		     dst->sin.sin_addr.s_addr != INADDR_ANY &&
-		     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
-			struct mbuf *mp;
+	    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
+	     dst->sin.sin_addr.s_addr != INADDR_ANY &&
+	     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
+		struct mbuf *mp;
+
+		/* Fix IPv4 header checksum and length */
+		if (m->m_len < sizeof (struct ip) &&
+		    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+			error = ENOBUFS;
+			goto bad;
+		}
+		ip = mtod(m, struct ip *);
+		ip->ip_len = htons(m->m_pkthdr.len);
+		ip->ip_sum = 0;
+		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
 
-			/* Fix IPv4 header checksum and length */
+		/* Encapsulate the packet */
+		error = ipip_output(m, isr, &mp, 0, 0);
+		if (mp == NULL && !error) {
+			/* Should never happen. */
+			DPRINTF(("ipsec4_process_packet: ipip_output "
+				"returns no mbuf and no error!"));
+			error = EFAULT;
+		}
+		if (error) {
+			if (mp) {
+				/* XXX: Should never happen! */
+				m_freem(mp);
+			}
+			m = NULL; /* ipip_output() already freed it */
+			goto bad;
+		}
+		m = mp, mp = NULL;
+		/*
+		 * ipip_output clears IP_DF in the new header.  If
+		 * we need to propagate IP_DF from the outer header,
+		 * then we have to do it here.
+		 *
+		 * XXX shouldn't assume what ipip_output does.
+		 */
+		if (dst->sa.sa_family == AF_INET && setdf) {
 			if (m->m_len < sizeof (struct ip) &&
 			    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
 				error = ENOBUFS;
 				goto bad;
 			}
 			ip = mtod(m, struct ip *);
-			ip->ip_len = htons(m->m_pkthdr.len);
-			ip->ip_sum = 0;
-			ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
-
-			/* Encapsulate the packet */
-			error = ipip_output(m, isr, &mp, 0, 0);
-			if (mp == NULL && !error) {
-				/* Should never happen. */
-				DPRINTF(("ipsec4_process_packet: ipip_output "
-					"returns no mbuf and no error!"));
-				error = EFAULT;
-			}
-			if (error) {
-				if (mp) {
-					/* XXX: Should never happen! */
-					m_freem(mp);
-				}
-				m = NULL; /* ipip_output() already freed it */
-				goto bad;
-			}
-			m = mp, mp = NULL;
-			/*
-			 * ipip_output clears IP_DF in the new header.  If
-			 * we need to propagate IP_DF from the outer header,
-			 * then we have to do it here.
-			 *
-			 * XXX shouldn't assume what ipip_output does.
-			 */
-			if (dst->sa.sa_family == AF_INET && setdf) {
-				if (m->m_len < sizeof (struct ip) &&
-				    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
-					error = ENOBUFS;
-					goto bad;
-				}
-				ip = mtod(m, struct ip *);
-				ip->ip_off |= htons(IP_DF);
-			}
+			ip->ip_off |= htons(IP_DF);
 		}
 	}
 
@@ -578,7 +572,6 @@ ipsec4_process_packet(
 	 *     for reclaiming their resources.
 	 */
 	if (sav->tdb_xform->xf_type != XF_IP4) {
-		union sockaddr_union *dst = &sav->sah->saidx.dst;
 		if (dst->sa.sa_family == AF_INET) {
 			ip = mtod(m, struct ip *);
 			i = ip->ip_hl << 2;

CVS commit: src/sys/netipsec

Reply via email to