Module Name: src Committed By: maxv Date: Wed Feb 21 17:04:52 UTC 2018
Modified Files: src/sys/netipsec: ipsec_output.c Log Message: Style, no functional change. To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/ipsec_output.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/netipsec/ipsec_output.c diff -u src/sys/netipsec/ipsec_output.c:1.67 src/sys/netipsec/ipsec_output.c:1.68 --- src/sys/netipsec/ipsec_output.c:1.67 Wed Feb 21 16:55:53 2018 +++ src/sys/netipsec/ipsec_output.c Wed Feb 21 17:04:52 2018 @@ -1,6 +1,6 @@ -/* $NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $ */ +/* $NetBSD: ipsec_output.c,v 1.68 2018/02/21 17:04:52 maxv Exp $ */ -/*- +/* * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting * All rights reserved. * @@ -29,11 +29,8 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.68 2018/02/21 17:04:52 maxv Exp $"); -/* - * IPsec output processing. - */ #if defined(_KERNEL_OPT) #include "opt_inet.h" #include "opt_net_mpsafe.h" @@ -88,7 +85,7 @@ static percpu_t *ipsec_rtcache_percpu __ /* * Add a IPSEC_OUT_DONE tag to mark that we have finished the ipsec processing - * It will be used by ip{,6}_output to check if we have already or not + * It will be used by ip{,6}_output to check if we have already or not * processed this packet. */ static int @@ -148,10 +145,10 @@ ipsec_process_done(struct mbuf *m, const int error; #ifdef INET struct ip * ip; -#endif /* INET */ +#endif #ifdef INET6 struct ip6_hdr * ip6; -#endif /* INET6 */ +#endif struct mbuf * mo; struct udphdr *udp = NULL; uint64_t * data = NULL; @@ -165,11 +162,11 @@ ipsec_process_done(struct mbuf *m, const saidx = &sav->sah->saidx; - if(sav->natt_type != 0) { + if (sav->natt_type != 0) { ip = mtod(m, struct ip *); hlen = sizeof(struct udphdr); - if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) hlen += sizeof(uint64_t); mo = m_makespace(m, sizeof(struct ip), hlen, &roff); 
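Review bot: In the `@@ -165,11 +162,11 @@` hunk the NAT-T branch of ipsec_process_done treats the packet as IPv4 before the address family is examined: it does `ip = mtod(m, struct ip *)` and `m_makespace(m, sizeof(struct ip), hlen, &roff)`, and the `-193,12` hunk sizes `uh_ulen` from `ip->ip_hl << 2`. The `AF_INET6` case in the `-226,7` hunk also acts on `natt_type != 0` (it sets `ip6->ip6_nxt = IPPROTO_UDP`), so an IPv6 SA with NAT-T would apparently get its UDP header placed and sized from a misread IPv4 header. `ip` is also declared only under `#ifdef INET` in the `-148,10` hunk. If NAT-T is meant to be IPv4-only here, I would state that at the top of the branch with `KASSERT(saidx->dst.sa.sa_family == AF_INET);` or reject other families with an error. The fixed `sizeof(struct ip)` offset also assumes an option-less header while the length calculation honours `ip_hl`; the function starts and ends outside these hunks, so an earlier guard may exist that is not shown.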
@@ -182,9 +179,9 @@ ipsec_process_done(struct mbuf *m, const error = ENOBUFS; goto bad; } - - udp = (struct udphdr*) (mtod(mo, char*) + roff); - data = (uint64_t*) (udp + 1); + + udp = (struct udphdr *)(mtod(mo, char *) + roff); + data = (uint64_t *)(udp + 1); if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) *data = 0; /* NON-IKE Marker */ @@ -193,12 +190,12 @@ ipsec_process_done(struct mbuf *m, const udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); else udp->uh_sport = key_portfromsaddr(&saidx->src); - + udp->uh_dport = key_portfromsaddr(&saidx->dst); udp->uh_sum = 0; udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2)); } - + switch (saidx->dst.sa.sa_family) { #ifdef INET case AF_INET: @@ -208,15 +205,15 @@ ipsec_process_done(struct mbuf *m, const if (sav->natt_type != 0) ip->ip_p = IPPROTO_UDP; break; -#endif /* INET */ +#endif #ifdef INET6 case AF_INET6: /* Fix the header length, for AH processing. */ - if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) { + if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) { error = ENXIO; goto bad; } - if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) { + if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) { /* No jumbogram support. */ error = ENXIO; /*?*/ goto bad; @@ -226,7 +223,7 @@ ipsec_process_done(struct mbuf *m, const if (sav->natt_type != 0) ip6->ip6_nxt = IPPROTO_UDP; break; -#endif /* INET6 */ +#endif default: IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n", saidx->dst.sa.sa_family); 
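Review bot: The NON-IKE marker in the `@@ -182,9 +179,9 @@` hunk is still written with `*data = 0` through a `uint64_t *` derived from `udp + 1`, and nothing visible guarantees that this address is 8-byte aligned inside the mbuf. On strict-alignment ports such a store can fault in the output path. Since the casts are being touched anyway, I would drop the typed pointer and write the marker bytewise: `memset(udp + 1, 0, sizeof(uint64_t));`. Separately, the `-193,12` hunk stores `htons(m->m_pkthdr.len - (ip->ip_hl << 2))` into the 16-bit `uh_ulen` with no visible bound on the packet length, so a comment naming where that limit is enforced (or an explicit check) would help. The enclosing function continues outside both hunks.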
@@ -245,16 +242,16 @@ ipsec_process_done(struct mbuf *m, const */ if (isr->next) { IPSEC_STATINC(IPSEC_STAT_OUT_BUNDLESA); - switch ( saidx->dst.sa.sa_family ) { + switch (saidx->dst.sa.sa_family) { #ifdef INET case AF_INET: return ipsec4_process_packet(m, isr->next, NULL); -#endif /* INET */ +#endif #ifdef INET6 case AF_INET6: - return ipsec6_process_packet(m,isr->next); -#endif /* INET6 */ - default : + return ipsec6_process_packet(m, isr->next); +#endif + default: IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n", saidx->dst.sa.sa_family); error = ENXIO; @@ -263,18 +260,19 @@ ipsec_process_done(struct mbuf *m, const } /* - * We're done with IPsec processing, + * We're done with IPsec processing, * mark that we have already processed the packet - * transmit it packet using the appropriate network protocol (IP or IPv6). + * transmit it packet using the appropriate network protocol (IP or IPv6). */ if (ipsec_register_done(m, &error) < 0) goto bad; return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family); + bad: m_freem(m); - return (error); + return error; } static void @@ -351,18 +349,13 @@ ipsec_lookup_sa(const struct ipsecreques * ipsec_nextisr can return : * - isr == NULL and error != 0 => something is bad : the packet must be * discarded - * - isr == NULL and error == 0 => no more rules to apply, ipsec processing + * - isr == NULL and error == 0 => no more rules to apply, ipsec processing * is done, reinject it in ip stack * - isr != NULL (error == 0) => we need to apply one rule to the packet */ static const struct ipsecrequest * -ipsec_nextisr( - struct mbuf *m, - const struct ipsecrequest *isr, - int af, - int *error, - struct secasvar **ret -) +ipsec_nextisr(struct mbuf *m, const struct ipsecrequest *isr, int af, + int *error, struct secasvar **ret) { #define IPSEC_OSTAT(type) \ do { \ 
@@ -413,18 +406,18 @@ again: goto bad; } /* sav may be NULL here if we have an USE rule */ - if (sav == NULL) { + if (sav == NULL) { KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, "no SA found, but required; level %u", ipsec_get_reqlevel(isr)); isr = isr->next; - /* - * No more rules to apply, return NULL isr and no error + /* + * No more rules to apply, return NULL isr and no error * It can happen when the last rules are USE rules - * */ + */ if (isr == NULL) { *ret = NULL; - *error = 0; + *error = 0; return isr; } goto again; @@ -451,6 +444,7 @@ again: KASSERT(sav->tdb_xform != NULL); *ret = sav; return isr; + bad: KASSERTMSG(*error != 0, "error return w/ no error code"); return NULL; @@ -474,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, co KASSERT(m != NULL); KASSERT(isr != NULL); - s = splsoftnet(); /* insure SA contents don't change */ + s = splsoftnet(); /* insure SA contents don't change */ isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav); if (isr == NULL) { @@ -488,8 +482,8 @@ ipsec4_process_packet(struct mbuf *m, co return ipsec_reinject_ipstack(m, AF_INET); } } - KASSERT(sav != NULL); + /* * Check if we need to handle NAT-T fragmentation. */ @@ -514,8 +508,8 @@ noneed: * Collect IP_DF state from the outer header. */ if (dst->sa.sa_family == AF_INET) { - if (m->m_len < sizeof (struct ip) && - (m = m_pullup(m, sizeof (struct ip))) == NULL) { + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { error = ENOBUFS; goto unrefsav; } @@ -536,6 +530,7 @@ noneed: ip = NULL; /* keep compiler happy */ setdf = 0; } + /* Do the appropriate encapsulation, if necessary */ if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ dst->sa.sa_family != AF_INET || /* PF mismatch */ 
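Review bot: In the `@@ -413,18 +406,18 @@` hunk of ipsec_nextisr, a NULL `sav` on a rule whose level is not USE is caught only by `KASSERTMSG`, which is compiled out of non-DIAGNOSTIC kernels. In such a build the code falls through to `isr = isr->next` and can end with `*error = 0` and a NULL isr, which the function's header comment defines as "ipsec processing is done, reinject it in ip stack", so the packet would leave without the required transform. The lookup above the hunk may already return an error for required levels, but this is a fail-open shape for a policy check. I would make it a runtime test, for example `if (ipsec_get_reqlevel(isr) != IPSEC_LEVEL_USE) { *error = ENXIO; goto bad; }` (errno value to be chosen by the maintainers). The function starts and ends outside the hunk.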
@@ -549,8 +544,8 @@ noneed: struct mbuf *mp; /* Fix IPv4 header checksum and length */ - if (m->m_len < sizeof (struct ip) && - (m = m_pullup(m, sizeof (struct ip))) == NULL) { + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { error = ENOBUFS; goto unrefsav; } @@ -576,6 +571,7 @@ noneed: goto unrefsav; } m = mp, mp = NULL; + /* * ipip_output clears IP_DF in the new header. If * we need to propagate IP_DF from the outer header, @@ -584,8 +580,8 @@ noneed: * XXX shouldn't assume what ipip_output does. */ if (dst->sa.sa_family == AF_INET && setdf) { - if (m->m_len < sizeof (struct ip) && - (m = m_pullup(m, sizeof (struct ip))) == NULL) { + if (m->m_len < sizeof(struct ip) && + (m = m_pullup(m, sizeof(struct ip))) == NULL) { error = ENOBUFS; goto unrefsav; } @@ -620,6 +616,7 @@ noneed: KEY_SA_UNREF(&sav); splx(s); return error; + unrefsav: KEY_SA_UNREF(&sav); bad: @@ -634,10 +631,10 @@ bad: static void compute_ipsec_pos(struct mbuf *m, int *i, int *off) { - int nxt; - struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr*); + struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *); struct ip6_ext ip6e; int dstopt = 0; + int nxt; *i = sizeof(struct ip6_hdr); *off = offsetof(struct ip6_hdr, ip6_nxt); @@ -646,7 +643,7 @@ compute_ipsec_pos(struct mbuf *m, int *i /* * chase mbuf chain to find the appropriate place to * put AH/ESP/IPcomp header. - * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] + * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload] */ do { switch (nxt) { @@ -677,7 +674,7 @@ compute_ipsec_pos(struct mbuf *m, int *i dstopt = 1; } else if (nxt == IPPROTO_ROUTING) { /* - * if we see destionation option next + * if we see destination option next * time, it must be dest2. */ dstopt = 2; 
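Review bot: compute_ipsec_pos in the `@@ -634,10 +631,10 @@` hunk dereferences `mtod(m, struct ip6_hdr *)` with no visible check that the first mbuf holds a full IPv6 header, whereas the IPv4 path in this file guards each such access with `m->m_len < sizeof(struct ip) && (m = m_pullup(m, sizeof(struct ip))) == NULL`. Because the function returns void and takes `m` by value, it can neither pull up nor report failure, so the obligation sits with the caller. I would record it with `KASSERT(m->m_len >= sizeof(struct ip6_hdr));` at the top. The `ip = mtod(m, struct ip *)` followed by `ip->ip_hl << 2` in the `-799,13` hunk of ipsec6_process_packet has the same shape. Both bodies extend outside their hunks, so a preceding length check may exist that is not shown.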
@@ -700,7 +697,8 @@ compute_ipsec_pos(struct mbuf *m, int *i } static int -in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr *ia) +in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, + const struct in6_addr *ia) { struct in6_addr ia2; @@ -712,10 +710,7 @@ in6_sa_equal_addrwithscope(const struct } int -ipsec6_process_packet( - struct mbuf *m, - const struct ipsecrequest *isr - ) +ipsec6_process_packet(struct mbuf *m, const struct ipsecrequest *isr) { struct secasvar *sav = NULL; struct ip6_hdr *ip6; @@ -748,11 +743,10 @@ ipsec6_process_packet( /* Do the appropriate encapsulation, if necessary */ if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */ - dst->sa.sa_family != AF_INET6 || /* PF mismatch */ + dst->sa.sa_family != AF_INET6 || /* AF mismatch */ ((dst->sa.sa_family == AF_INET6) && (!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) && - (!in6_sa_equal_addrwithscope(&dst->sin6, - &ip6->ip6_dst)))) { + (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) { struct mbuf *mp; /* Fix IPv6 header payload length. */ @@ -799,13 +793,14 @@ ipsec6_process_packet( ip = mtod(m, struct ip *); i = ip->ip_hl << 2; off = offsetof(struct ip, ip_p); - } else { + } else { compute_ipsec_pos(m, &i, &off); } error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off); KEY_SA_UNREF(&sav); splx(s); return error; + unrefsav: KEY_SA_UNREF(&sav); bad: @@ -814,7 +809,7 @@ bad: m_freem(m); return error; } -#endif /*INET6*/ +#endif /* INET6 */ void ipsec_output_init(void)