Module Name:    src
Committed By:   ozaki-r
Date:           Fri Jul 21 04:39:08 UTC 2017

Modified Files:
        src/sys/netipsec: ipsec.c ipsec.h key.c key.h

Log Message:
Don't use key_lookup_sp, which depends on the unstable sp->req->sav

It provided a fast look-up of SP. We will provide an alternative
method in the future (after basic MP-ification finishes).


To generate a diff of this commit:
cvs rdiff -u -r1.108 -r1.109 src/sys/netipsec/ipsec.c
cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.188 -r1.189 src/sys/netipsec/key.c
cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/key.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.108 src/sys/netipsec/ipsec.c:1.109
--- src/sys/netipsec/ipsec.c:1.108	Fri Jul 21 03:08:10 2017
+++ src/sys/netipsec/ipsec.c	Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $	*/
 /*	$KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -410,33 +410,6 @@ key_get_default_sp(int af, const char *w
  *
  * NOTE: IPv6 mapped address concern is implemented here.
  */
-struct secpolicy *
-ipsec_getpolicy(const struct tdb_ident *tdbi, u_int dir)
-{
-	struct secpolicy *sp;
-
-	KASSERT(tdbi != NULL);
-	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
-	sp = KEY_LOOKUP_SP(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
-	if (sp == NULL)			/*XXX????*/
-		sp = KEY_GET_DEFAULT_SP(tdbi->dst.sa.sa_family);
-	KASSERT(sp != NULL);
-	return sp;
-}
-
-/*
- * For OUTBOUND packet having a socket. Searching SPD for packet,
- * and return a pointer to SP.
- * OUT:	NULL:	no apropreate SP found, the following value is set to error.
- *		0	: bypass
- *		EACCES	: discard packet.
- *		ENOENT	: ipsec_acquire() in progress, maybe.
- *		others	: error occurred.
- *	others:	a pointer to SP
- *
- * NOTE: IPv6 mapped address concern is implemented here.
- */
 static struct secpolicy *
 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
     int *error)
@@ -747,26 +720,11 @@ ipsec4_output(struct mbuf *m, struct inp
 int
 ipsec4_input(struct mbuf *m, int flags)
 {
-	struct m_tag *mtag;
-	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
 	int error, s;
 
-	/*
-	 * Check if the packet has already had IPsec processing done.
-	 * If so, then just pass it along.  This tag gets set during AH,
-	 * ESP, etc. input handling, before the packet is returned to
-	 * the IP input queue for delivery.
-	 */
-	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
 	s = splsoftnet();
-	if (mtag != NULL) {
-		tdbi = (struct tdb_ident *)(mtag + 1);
-		sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
-	} else {
-		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
-		    IP_FORWARDING, &error);
-	}
+	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 	if (sp == NULL) {
 		splx(s);
 		return EINVAL;
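Review bot: The `error` that ipsec_getpolicybyaddr fills in on the new line is still discarded on the NULL path, which maps every failure to a flat EINVAL; with the tag fast path gone this is now the only path through ipsec4_input, so a caller can no longer tell a policy discard (EACCES) from an in-progress acquire (ENOENT), and if the by-address lookup can report bypass as NULL with `*error == 0` — as the comment on the sibling ipsec_getpolicybysock says that function does — such a packet is dropped rather than passed (fail-closed, but presumably not intended). Either propagate the reported code or state the intent on the spot, e.g. `/* any NULL from the SPD walk is treated as an error; bypass is never signalled via NULL here */`. The removed block was also the only explanation of PACKET_TAG_IPSEC_IN_DONE in this function; a one-line comment above the lookup would help future readers: `/* Always select the inbound SP by address: the tag-based fast path relied on sp->req->sav, which is not stable under MP. */`. ipsec4_input's body continues past the hunk, so I cannot see whether `error` is consumed later.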
@@ -2311,30 +2269,11 @@ skippolicycheck:;
 int
 ipsec6_input(struct mbuf *m)
 {
-	struct m_tag *mtag;
-	struct tdb_ident *tdbi;
 	struct secpolicy *sp;
 	int s, error;
 
-	/*
-	 * Check if the packet has already had IPsec
-	 * processing done. If so, then just pass it
-	 * along. This tag gets set during AH, ESP,
-	 * etc. input handling, before the packet is
-	 * returned to the ip input queue for delivery.
-	 */
-	mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
-	    NULL);
 	s = splsoftnet();
-	if (mtag != NULL) {
-		tdbi = (struct tdb_ident *)(mtag + 1);
-		sp = ipsec_getpolicy(tdbi,
-		    IPSEC_DIR_INBOUND);
-	} else {
-		sp = ipsec_getpolicybyaddr(m,
-		    IPSEC_DIR_INBOUND, IP_FORWARDING,
-		    &error);
-	}
+	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 	if (sp != NULL) {
 		/*
 		 * Check security policy against packet
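Review bot: ipsec6_input now issues exactly the same `ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error)` lookup as ipsec4_input, but the two handle a NULL `sp` differently — ipsec4_input returns EINVAL immediately, while here the `if (sp != NULL)` on the last hunk line lets the NULL case fall through to code outside the hunk; if that difference is deliberate it deserves a comment, otherwise the two should be aligned. Since the removed comment was the only mention of PACKET_TAG_IPSEC_IN_DONE here, I would also add above the lookup: `/* The inbound SP is always selected by address; the tag-based fast path depended on sp->req->sav and was removed pending MP-safe SP lookup. */`. The rest of ipsec6_input, including whatever reads `error`, lies outside the hunk.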

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.53 src/sys/netipsec/ipsec.h:1.54
--- src/sys/netipsec/ipsec.h:1.53	Fri Jul 21 03:08:10 2017
+++ src/sys/netipsec/ipsec.h	Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.53 2017/07/21 03:08:10 ozaki-r Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.54 2017/07/21 04:39:08 ozaki-r Exp $	*/
 /*	$FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -267,8 +267,6 @@ void ipsec_pcbconn (struct inpcbpolicy *
 void ipsec_pcbdisconn (struct inpcbpolicy *);
 void ipsec_invalpcbcacheall (void);
 
-struct tdb_ident;
-struct secpolicy *ipsec_getpolicy (const struct tdb_ident*, u_int);
 struct inpcb;
 struct secpolicy *ipsec4_checkpolicy (struct mbuf *, u_int, u_int,
 	int *, struct inpcb *);

Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.188 src/sys/netipsec/key.c:1.189
--- src/sys/netipsec/key.c:1.188	Tue Jul 18 02:10:33 2017
+++ src/sys/netipsec/key.c	Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $	*/
+/*	$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $	*/
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -691,70 +691,6 @@ found:
 }
 
 /*
- * allocating a SP for OUTBOUND or INBOUND packet.
- * Must call key_freesp() later.
- * OUT:	NULL:	not found
- *	others:	found and return the pointer.
- */
-struct secpolicy *
-key_lookup_sp(u_int32_t spi,
-	     const union sockaddr_union *dst,
-	     u_int8_t proto,
-	     u_int dir,
-	     const char* where, int tag)
-{
-	struct secpolicy *sp;
-	int s;
-
-	KASSERT(dst != NULL);
-	KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
-	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
-
-	/* get a SP entry */
-	s = splsoftnet();	/*called from softclock()*/
-	if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
-		printf("*** objects\n");
-		printf("spi %u proto %u dir %u\n", spi, proto, dir);
-		kdebug_sockaddr(&dst->sa);
-	}
-
-	LIST_FOREACH(sp, &sptree[dir], chain) {
-		if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
-			printf("*** in SPD\n");
-			kdebug_secpolicyindex(&sp->spidx);
-		}
-
-		if (sp->state == IPSEC_SPSTATE_DEAD)
-			continue;
-		/* compare simple values, then dst address */
-		if (sp->spidx.ul_proto != proto)
-			continue;
-		/* NB: spi's must exist and match */
-		if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi)
-			continue;
-		if (key_sockaddr_match(&sp->spidx.dst.sa, &dst->sa, PORT_STRICT))
-			goto found;
-	}
-	sp = NULL;
-found:
-	if (sp) {
-		/* sanity check */
-		KEY_CHKSPDIR(sp->spidx.dir, dir);
-
-		/* found a SPD entry */
-		sp->lastused = time_uptime;
-		SP_ADDREF2(sp, where, tag);
-	}
-	splx(s);
-
-	KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
-	    "DP return SP:%p (ID=%u) refcnt %u\n",
-	    sp, sp ? sp->id : 0, sp ? sp->refcnt : 0);
-	return sp;
-}
-
-/*
  * return a policy that matches this particular inbound packet.
  * XXX slow
  */

Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.23 src/sys/netipsec/key.h:1.24
--- src/sys/netipsec/key.h:1.23	Fri Jul 14 12:26:26 2017
+++ src/sys/netipsec/key.h	Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/*	$NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $	*/
+/*	$NetBSD: key.h,v 1.24 2017/07/21 04:39:08 ozaki-r Exp $	*/
 /*	$FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $	*/
 
@@ -50,8 +50,6 @@ union sockaddr_union;
 int key_havesp(u_int dir);
 struct secpolicy *key_lookup_sp_byspidx(const struct secpolicyindex *, u_int,
 	const char*, int);
-struct secpolicy *key_lookup_sp(u_int32_t spi, const union sockaddr_union *dst,
-	u_int8_t proto, u_int dir, const char*, int);
 struct secpolicy *key_newsp(const char*, int);
 struct secpolicy *key_gettunnel(const struct sockaddr *,
 	const struct sockaddr *, const struct sockaddr *,
@@ -70,8 +68,6 @@ void key_sa_ref(struct secasvar *, const
  */
 #define	KEY_LOOKUP_SP_BYSPIDX(spidx, dir)			\
 	key_lookup_sp_byspidx(spidx, dir, __func__, __LINE__)
-#define	KEY_LOOKUP_SP(spi, dst, proto, dir)			\
-	key_lookup_sp(spi, dst, proto, dir, __func__, __LINE__)
 #define	KEY_NEWSP()						\
 	key_newsp(__func__, __LINE__)
 #define	KEY_GETTUNNEL(osrc, odst, isrc, idst)			\
