Module Name: src Committed By: ozaki-r Date: Fri Jul 21 04:39:08 UTC 2017
Modified Files: src/sys/netipsec: ipsec.c ipsec.h key.c key.h Log Message: Don't use key_lookup_sp that depends on unstable sp->req->sav It provided a fast look-up of SP. We will provide an alternative method in the future (after basic MP-ification finishes). To generate a diff of this commit: cvs rdiff -u -r1.108 -r1.109 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.53 -r1.54 src/sys/netipsec/ipsec.h cvs rdiff -u -r1.188 -r1.189 src/sys/netipsec/key.c cvs rdiff -u -r1.23 -r1.24 src/sys/netipsec/key.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.108 src/sys/netipsec/ipsec.c:1.109
--- src/sys/netipsec/ipsec.c:1.108 Fri Jul 21 03:08:10 2017
+++ src/sys/netipsec/ipsec.c Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $ */
 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $");
 
 /*
  * IPsec controller part.
@@ -410,33 +410,6 @@ key_get_default_sp(int af, const char *w
  *
  * NOTE: IPv6 mapped address concern is implemented here.
  */
-struct secpolicy *
-ipsec_getpolicy(const struct tdb_ident *tdbi, u_int dir)
-{
- struct secpolicy *sp;
-
- KASSERT(tdbi != NULL);
- KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
- sp = KEY_LOOKUP_SP(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
- if (sp == NULL) /*XXX????*/
- sp = KEY_GET_DEFAULT_SP(tdbi->dst.sa.sa_family);
- KASSERT(sp != NULL);
- return sp;
-}
-
-/*
- * For OUTBOUND packet having a socket. Searching SPD for packet,
- * and return a pointer to SP.
- * OUT: NULL: no apropreate SP found, the following value is set to error.
- * 0 : bypass
- * EACCES : discard packet.
- * ENOENT : ipsec_acquire() in progress, maybe.
- * others : error occurred.
- * others: a pointer to SP
- *
- * NOTE: IPv6 mapped address concern is implemented here.
- */
 static struct secpolicy *
 ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
     int *error)
@@ -747,26 +720,11 @@ ipsec4_output(struct mbuf *m, struct inp
 int
 ipsec4_input(struct mbuf *m, int flags)
 {
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
 struct secpolicy *sp;
 int error, s;
 
- /*
- * Check if the packet has already had IPsec processing done.
- * If so, then just pass it along. This tag gets set during AH,
- * ESP, etc. input handling, before the packet is returned to
- * the IP input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
 s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 if (sp == NULL) {
 splx(s);
 return EINVAL;
@@ -2311,30 +2269,11 @@ skippolicycheck:;
 int
 ipsec6_input(struct mbuf *m)
 {
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
 struct secpolicy *sp;
 int s, error;
 
- /*
- * Check if the packet has already had IPsec
- * processing done. If so, then just pass it
- * along. This tag gets set during AH, ESP,
- * etc. input handling, before the packet is
- * returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
- NULL);
 s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi,
- IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m,
- IPSEC_DIR_INBOUND, IP_FORWARDING,
- &error);
- }
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 if (sp != NULL) {
 /*
 * Check security policy against packet
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.53 src/sys/netipsec/ipsec.h:1.54
--- src/sys/netipsec/ipsec.h:1.53 Fri Jul 21 03:08:10 2017
+++ src/sys/netipsec/ipsec.h Fri Jul 21 04:39:08 2017
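Review bot: The new `sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);` line selects the inbound SP from the packet's addresses alone, so for packets that AH/ESP already handled the lookup no longer starts from the SA that processed them, and whether the packet really traversed the SAs the policy requires is now decided entirely by the policy check that follows, outside this hunk. The hunk also drops the comment that explained the PACKET_TAG_IPSEC_IN_DONE handling, leaving no hint why the tag is no longer consulted here; a short note would help, e.g. `/* Look the inbound SP up by address only: the SA-keyed fast path (key_lookup_sp) was removed because it relied on sp->req->sav. */`. `error` is written by the call but the NULL branch still returns a fixed EINVAL, so the lookup's own reason is discarded at this point; ipsec4_input continues past the end of the hunk, so it may still be read later. The ipsec6_input hunk below has the same shape and the same remarks apply.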
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.53 2017/07/21 03:08:10 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.54 2017/07/21 04:39:08 ozaki-r Exp $ */
 /* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
 
@@ -267,8 +267,6 @@ void ipsec_pcbconn (struct inpcbpolicy *
 void ipsec_pcbdisconn (struct inpcbpolicy *);
 void ipsec_invalpcbcacheall (void);
-struct tdb_ident;
-struct secpolicy *ipsec_getpolicy (const struct tdb_ident*, u_int);
 struct inpcb;
 struct secpolicy *ipsec4_checkpolicy (struct mbuf *, u_int, u_int, int *,
     struct inpcb *);
Index: src/sys/netipsec/key.c
diff -u src/sys/netipsec/key.c:1.188 src/sys/netipsec/key.c:1.189
--- src/sys/netipsec/key.c:1.188 Tue Jul 18 02:10:33 2017
+++ src/sys/netipsec/key.c Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $ */
 /* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $");
 
 /*
  * This code is referd to RFC 2367
@@ -691,70 +691,6 @@ found:
 }
 
 /*
- * allocating a SP for OUTBOUND or INBOUND packet.
- * Must call key_freesp() later.
- * OUT: NULL: not found
- * others: found and return the pointer.
- */
-struct secpolicy *
-key_lookup_sp(u_int32_t spi,
- const union sockaddr_union *dst,
- u_int8_t proto,
- u_int dir,
- const char* where, int tag)
-{
- struct secpolicy *sp;
- int s;
-
- KASSERT(dst != NULL);
- KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
- KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
-
- /* get a SP entry */
- s = splsoftnet(); /*called from softclock()*/
- if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
- printf("*** objects\n");
- printf("spi %u proto %u dir %u\n", spi, proto, dir);
- kdebug_sockaddr(&dst->sa);
- }
-
- LIST_FOREACH(sp, &sptree[dir], chain) {
- if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
- printf("*** in SPD\n");
- kdebug_secpolicyindex(&sp->spidx);
- }
-
- if (sp->state == IPSEC_SPSTATE_DEAD)
- continue;
- /* compare simple values, then dst address */
- if (sp->spidx.ul_proto != proto)
- continue;
- /* NB: spi's must exist and match */
- if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi)
- continue;
- if (key_sockaddr_match(&sp->spidx.dst.sa, &dst->sa, PORT_STRICT))
- goto found;
- }
- sp = NULL;
-found:
- if (sp) {
- /* sanity check */
- KEY_CHKSPDIR(sp->spidx.dir, dir);
-
- /* found a SPD entry */
- sp->lastused = time_uptime;
- SP_ADDREF2(sp, where, tag);
- }
- splx(s);
-
- KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
- "DP return SP:%p (ID=%u) refcnt %u\n",
- sp, sp ? sp->id : 0, sp ? sp->refcnt : 0);
- return sp;
-}
-
-/*
- * return a policy that matches this particular inbound packet.
- * XXX slow
- */
Index: src/sys/netipsec/key.h
diff -u src/sys/netipsec/key.h:1.23 src/sys/netipsec/key.h:1.24
--- src/sys/netipsec/key.h:1.23 Fri Jul 14 12:26:26 2017
+++ src/sys/netipsec/key.h Fri Jul 21 04:39:08 2017
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.24 2017/07/21 04:39:08 ozaki-r Exp $ */
 /* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
 
@@ -50,8 +50,6 @@ union sockaddr_union;
 int key_havesp(u_int dir);
 struct secpolicy *key_lookup_sp_byspidx(const struct secpolicyindex *, u_int, const char*, int);
-struct secpolicy *key_lookup_sp(u_int32_t spi, const union sockaddr_union *dst,
- u_int8_t proto, u_int dir, const char*, int);
 struct secpolicy *key_newsp(const char*, int);
 struct secpolicy *key_gettunnel(const struct sockaddr *,
     const struct sockaddr *, const struct sockaddr *,
@@ -70,8 +68,6 @@ void key_sa_ref(struct secasvar *, const
  */
 #define KEY_LOOKUP_SP_BYSPIDX(spidx, dir) \
 key_lookup_sp_byspidx(spidx, dir, __func__, __LINE__)
-#define KEY_LOOKUP_SP(spi, dst, proto, dir) \
- key_lookup_sp(spi, dst, proto, dir, __func__, __LINE__)
 #define KEY_NEWSP() \
 key_newsp(__func__, __LINE__)
 #define KEY_GETTUNNEL(osrc, odst, isrc, idst) \