Module Name: src
Committed By: maxv
Date: Wed Feb 21 17:04:52 UTC 2018
Modified Files:
src/sys/netipsec: ipsec_output.c
Log Message:
Style, no functional change.
To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/ipsec_output.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec_output.c
diff -u src/sys/netipsec/ipsec_output.c:1.67 src/sys/netipsec/ipsec_output.c:1.68
--- src/sys/netipsec/ipsec_output.c:1.67 Wed Feb 21 16:55:53 2018
+++ src/sys/netipsec/ipsec_output.c Wed Feb 21 17:04:52 2018
@@ -1,6 +1,6 @@
-/* $NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $ */
+/* $NetBSD: ipsec_output.c,v 1.68 2018/02/21 17:04:52 maxv Exp $ */
-/*-
+/*
* Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
* All rights reserved.
*
@@ -29,11 +29,8 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.67 2018/02/21 16:55:53 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.68 2018/02/21 17:04:52 maxv Exp $");
-/*
- * IPsec output processing.
- */
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
#include "opt_net_mpsafe.h"
@@ -88,7 +85,7 @@ static percpu_t *ipsec_rtcache_percpu __
/*
* Add a IPSEC_OUT_DONE tag to mark that we have finished the ipsec processing
- * It will be used by ip{,6}_output to check if we have already or not
+ * It will be used by ip{,6}_output to check if we have already or not
* processed this packet.
*/
static int
@@ -148,10 +145,10 @@ ipsec_process_done(struct mbuf *m, const
int error;
#ifdef INET
struct ip * ip;
-#endif /* INET */
+#endif
#ifdef INET6
struct ip6_hdr * ip6;
-#endif /* INET6 */
+#endif
struct mbuf * mo;
struct udphdr *udp = NULL;
uint64_t * data = NULL;
@@ -165,11 +162,11 @@ ipsec_process_done(struct mbuf *m, const
saidx = &sav->sah->saidx;
- if(sav->natt_type != 0) {
+ if (sav->natt_type != 0) {
ip = mtod(m, struct ip *);
hlen = sizeof(struct udphdr);
- if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
+ if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
hlen += sizeof(uint64_t);
mo = m_makespace(m, sizeof(struct ip), hlen, &roff);
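Review bot: The NAT-T block treats the packet as IPv4 (`ip = mtod(m, struct ip *)`, `m_makespace(m, sizeof(struct ip), hlen, &roff)`) before the `switch (saidx->dst.sa.sa_family)` further down, and nothing visible here checks the address family or that the first mbuf holds a complete IP header. The AF_INET6 case later in the function still sets `ip6->ip6_nxt = IPPROTO_UDP` when `natt_type != 0`. An IPv6 SA with NAT-T would therefore apparently get the UDP header spliced in at the IPv4 offset, with `uh_ulen` derived from `ip->ip_hl` and `uh_sum` left at 0. If UDP encapsulation is meant to be IPv4-only, state it in the condition, e.g. `if (sav->natt_type != 0 && saidx->dst.sa.sa_family == AF_INET) {`, or at least in a comment above the block. The function body starts and ends outside this hunk, so an earlier guard may already exist.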
@@ -182,9 +179,9 @@ ipsec_process_done(struct mbuf *m, const
error = ENOBUFS;
goto bad;
}
-
- udp = (struct udphdr*) (mtod(mo, char*) + roff);
- data = (uint64_t*) (udp + 1);
+
+ udp = (struct udphdr *)(mtod(mo, char *) + roff);
+ data = (uint64_t *)(udp + 1);
if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE)
*data = 0; /* NON-IKE Marker */
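Review bot: `*data = 0` is a 64-bit store through a pointer computed as `udp + 1`, and its alignment depends on `roff` and the mbuf data pointer. With the UDP header placed after a `sizeof(struct ip)` offset, that address is typically only 4-byte aligned, which can trap on strict-alignment platforms. Writing the marker as `memset(udp + 1, 0, sizeof(uint64_t));` removes the alignment and aliasing assumption and matches the `hlen += sizeof(uint64_t)` reservation. The enclosing function continues outside this hunk.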
@@ -193,12 +190,12 @@ ipsec_process_done(struct mbuf *m, const
udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT);
else
udp->uh_sport = key_portfromsaddr(&saidx->src);
-
+
udp->uh_dport = key_portfromsaddr(&saidx->dst);
udp->uh_sum = 0;
udp->uh_ulen = htons(m->m_pkthdr.len - (ip->ip_hl << 2));
}
-
+
switch (saidx->dst.sa.sa_family) {
#ifdef INET
case AF_INET:
@@ -208,15 +205,15 @@ ipsec_process_done(struct mbuf *m, const
if (sav->natt_type != 0)
ip->ip_p = IPPROTO_UDP;
break;
-#endif /* INET */
+#endif
#ifdef INET6
case AF_INET6:
/* Fix the header length, for AH processing. */
- if (m->m_pkthdr.len < sizeof (struct ip6_hdr)) {
+ if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
error = ENXIO;
goto bad;
}
- if (m->m_pkthdr.len - sizeof (struct ip6_hdr) > IPV6_MAXPACKET) {
+ if (m->m_pkthdr.len - sizeof(struct ip6_hdr) > IPV6_MAXPACKET) {
/* No jumbogram support. */
error = ENXIO; /*?*/
goto bad;
@@ -226,7 +223,7 @@ ipsec_process_done(struct mbuf *m, const
if (sav->natt_type != 0)
ip6->ip6_nxt = IPPROTO_UDP;
break;
-#endif /* INET6 */
+#endif
default:
IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n",
saidx->dst.sa.sa_family);
@@ -245,16 +242,16 @@ ipsec_process_done(struct mbuf *m, const
*/
if (isr->next) {
IPSEC_STATINC(IPSEC_STAT_OUT_BUNDLESA);
- switch ( saidx->dst.sa.sa_family ) {
+ switch (saidx->dst.sa.sa_family) {
#ifdef INET
case AF_INET:
return ipsec4_process_packet(m, isr->next, NULL);
-#endif /* INET */
+#endif
#ifdef INET6
case AF_INET6:
- return ipsec6_process_packet(m,isr->next);
-#endif /* INET6 */
- default :
+ return ipsec6_process_packet(m, isr->next);
+#endif
+ default:
IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n",
saidx->dst.sa.sa_family);
error = ENXIO;
@@ -263,18 +260,19 @@ ipsec_process_done(struct mbuf *m, const
}
/*
- * We're done with IPsec processing,
+ * We're done with IPsec processing,
* mark that we have already processed the packet
- * transmit it packet using the appropriate network protocol (IP or IPv6).
+ * transmit it packet using the appropriate network protocol (IP or IPv6).
*/
if (ipsec_register_done(m, &error) < 0)
goto bad;
return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family);
+
bad:
m_freem(m);
- return (error);
+ return error;
}
static void
@@ -351,18 +349,13 @@ ipsec_lookup_sa(const struct ipsecreques
* ipsec_nextisr can return :
* - isr == NULL and error != 0 => something is bad : the packet must be
* discarded
- * - isr == NULL and error == 0 => no more rules to apply, ipsec processing
+ * - isr == NULL and error == 0 => no more rules to apply, ipsec processing
* is done, reinject it in ip stack
* - isr != NULL (error == 0) => we need to apply one rule to the packet
*/
static const struct ipsecrequest *
-ipsec_nextisr(
- struct mbuf *m,
- const struct ipsecrequest *isr,
- int af,
- int *error,
- struct secasvar **ret
-)
+ipsec_nextisr(struct mbuf *m, const struct ipsecrequest *isr, int af,
+ int *error, struct secasvar **ret)
{
#define IPSEC_OSTAT(type) \
do { \
@@ -413,18 +406,18 @@ again:
goto bad;
}
/* sav may be NULL here if we have an USE rule */
- if (sav == NULL) {
+ if (sav == NULL) {
KASSERTMSG(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE,
"no SA found, but required; level %u",
ipsec_get_reqlevel(isr));
isr = isr->next;
- /*
- * No more rules to apply, return NULL isr and no error
+ /*
+ * No more rules to apply, return NULL isr and no error
* It can happen when the last rules are USE rules
- * */
+ */
if (isr == NULL) {
*ret = NULL;
- *error = 0;
+ *error = 0;
return isr;
}
goto again;
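Review bot: In the `sav == NULL` branch, the only check that the rule is USE-level is `KASSERTMSG`, which is compiled in only on DIAGNOSTIC kernels; other builds advance to `isr->next` regardless of level. That is fail-safe only if the SA lookup before the `goto bad` above already returns an error for require-level rules, which is not visible in this hunk. I would record that dependency in the comment once confirmed, e.g. `/* sav may be NULL only for USE rules: the lookup above fails with an error for required levels */`.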
@@ -451,6 +444,7 @@ again:
KASSERT(sav->tdb_xform != NULL);
*ret = sav;
return isr;
+
bad:
KASSERTMSG(*error != 0, "error return w/ no error code");
return NULL;
@@ -474,7 +468,7 @@ ipsec4_process_packet(struct mbuf *m, co
KASSERT(m != NULL);
KASSERT(isr != NULL);
- s = splsoftnet(); /* insure SA contents don't change */
+ s = splsoftnet(); /* insure SA contents don't change */
isr = ipsec_nextisr(m, isr, AF_INET, &error, &sav);
if (isr == NULL) {
@@ -488,8 +482,8 @@ ipsec4_process_packet(struct mbuf *m, co
return ipsec_reinject_ipstack(m, AF_INET);
}
}
-
KASSERT(sav != NULL);
+
/*
* Check if we need to handle NAT-T fragmentation.
*/
@@ -514,8 +508,8 @@ noneed:
* Collect IP_DF state from the outer header.
*/
if (dst->sa.sa_family == AF_INET) {
- if (m->m_len < sizeof (struct ip) &&
- (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL) {
error = ENOBUFS;
goto unrefsav;
}
@@ -536,6 +530,7 @@ noneed:
ip = NULL; /* keep compiler happy */
setdf = 0;
}
+
/* Do the appropriate encapsulation, if necessary */
if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
dst->sa.sa_family != AF_INET || /* PF mismatch */
@@ -549,8 +544,8 @@ noneed:
struct mbuf *mp;
/* Fix IPv4 header checksum and length */
- if (m->m_len < sizeof (struct ip) &&
- (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL) {
error = ENOBUFS;
goto unrefsav;
}
@@ -576,6 +571,7 @@ noneed:
goto unrefsav;
}
m = mp, mp = NULL;
+
/*
* ipip_output clears IP_DF in the new header. If
* we need to propagate IP_DF from the outer header,
@@ -584,8 +580,8 @@ noneed:
* XXX shouldn't assume what ipip_output does.
*/
if (dst->sa.sa_family == AF_INET && setdf) {
- if (m->m_len < sizeof (struct ip) &&
- (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+ if (m->m_len < sizeof(struct ip) &&
+ (m = m_pullup(m, sizeof(struct ip))) == NULL) {
error = ENOBUFS;
goto unrefsav;
}
@@ -620,6 +616,7 @@ noneed:
KEY_SA_UNREF(&sav);
splx(s);
return error;
+
unrefsav:
KEY_SA_UNREF(&sav);
bad:
@@ -634,10 +631,10 @@ bad:
static void
compute_ipsec_pos(struct mbuf *m, int *i, int *off)
{
- int nxt;
- struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr*);
+ struct ip6_hdr *ip6 = mtod(m, struct ip6_hdr *);
struct ip6_ext ip6e;
int dstopt = 0;
+ int nxt;
*i = sizeof(struct ip6_hdr);
*off = offsetof(struct ip6_hdr, ip6_nxt);
@@ -646,7 +643,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
/*
* chase mbuf chain to find the appropriate place to
* put AH/ESP/IPcomp header.
- * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
+ * IPv6 hbh dest1 rthdr ah* [esp* dest2 payload]
*/
do {
switch (nxt) {
@@ -677,7 +674,7 @@ compute_ipsec_pos(struct mbuf *m, int *i
dstopt = 1;
} else if (nxt == IPPROTO_ROUTING) {
/*
- * if we see destionation option next
+ * if we see destination option next
* time, it must be dest2.
*/
dstopt = 2;
@@ -700,7 +697,8 @@ compute_ipsec_pos(struct mbuf *m, int *i
}
static int
-in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa, const struct in6_addr *ia)
+in6_sa_equal_addrwithscope(const struct sockaddr_in6 *sa,
+ const struct in6_addr *ia)
{
struct in6_addr ia2;
@@ -712,10 +710,7 @@ in6_sa_equal_addrwithscope(const struct
}
int
-ipsec6_process_packet(
- struct mbuf *m,
- const struct ipsecrequest *isr
- )
+ipsec6_process_packet(struct mbuf *m, const struct ipsecrequest *isr)
{
struct secasvar *sav = NULL;
struct ip6_hdr *ip6;
@@ -748,11 +743,10 @@ ipsec6_process_packet(
/* Do the appropriate encapsulation, if necessary */
if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
- dst->sa.sa_family != AF_INET6 || /* PF mismatch */
+ dst->sa.sa_family != AF_INET6 || /* AF mismatch */
((dst->sa.sa_family == AF_INET6) &&
(!IN6_IS_ADDR_UNSPECIFIED(&dst->sin6.sin6_addr)) &&
- (!in6_sa_equal_addrwithscope(&dst->sin6,
- &ip6->ip6_dst)))) {
+ (!in6_sa_equal_addrwithscope(&dst->sin6, &ip6->ip6_dst)))) {
struct mbuf *mp;
/* Fix IPv6 header payload length. */
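Review bot: The comment on the family test becomes `/* AF mismatch */` here, but the parallel condition in ipsec4_process_packet (`dst->sa.sa_family != AF_INET ||`) still carries `/* PF mismatch */`. For a style-only pass the two call sites should read the same; change the IPv4 comment to `/* AF mismatch */` as well.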
@@ -799,13 +793,14 @@ ipsec6_process_packet(
ip = mtod(m, struct ip *);
i = ip->ip_hl << 2;
off = offsetof(struct ip, ip_p);
- } else {
+ } else {
compute_ipsec_pos(m, &i, &off);
}
error = (*sav->tdb_xform->xf_output)(m, isr, sav, NULL, i, off);
KEY_SA_UNREF(&sav);
splx(s);
return error;
+
unrefsav:
KEY_SA_UNREF(&sav);
bad:
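Review bot: `ip = mtod(m, struct ip *); i = ip->ip_hl << 2;` reads the IPv4 header without the `m->m_len < sizeof(struct ip)` / `m_pullup()` guard that ipsec4_process_packet applies before each of its header accesses. Whether the encapsulation step above guarantees a contiguous header in the first mbuf is not visible in this hunk. If it does not, the same guard belongs in front of the `mtod()`, failing with `error = ENOBUFS; goto unrefsav;` as the IPv4 path does. Otherwise, a one-line comment naming what makes the access safe would help the next reader.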
@@ -814,7 +809,7 @@ bad:
m_freem(m);
return error;
}
-#endif /*INET6*/
+#endif /* INET6 */
void
ipsec_output_init(void)