Module Name: src Committed By: maxv Date: Mon Feb 26 10:36:24 UTC 2018
Modified Files: src/sys/netipsec: ipsec.c Log Message: Dedup: call ipsec_in_reject directly. IPSEC_STAT_IN_POLVIO also gets increased now. To generate a diff of this commit: cvs rdiff -u -r1.140 -r1.141 src/sys/netipsec/ipsec.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:

Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.140 src/sys/netipsec/ipsec.c:1.141
--- src/sys/netipsec/ipsec.c:1.140 Mon Feb 26 10:19:13 2018
+++ src/sys/netipsec/ipsec.c Mon Feb 26 10:36:24 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $ */
 /* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.140 2018/02/26 10:19:13 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.141 2018/02/26 10:36:24 maxv Exp $");
 
 /*
  * IPsec controller part.
@@ -723,20 +723,10 @@ ipsec4_input(struct mbuf *m, int flags)
 int error, s;
 
 s = splsoftnet();
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
- if (sp == NULL) {
- splx(s);
- return EINVAL;
- }
-
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_sp_reject(sp, m);
- KEY_SP_UNREF(&sp);
+ error = ipsec_in_reject(m, NULL);
 splx(s);
 if (error) {
- return error;
+ return EINVAL;
 }
 
 if (flags == 0) {
@@ -1702,9 +1692,6 @@ ipsec_sp_reject(const struct secpolicy *
 
 /*
  * Check security policy requirements.
- *
- * This function is called from tcp{6}_input(), udp{6}_input(),
- * and {ah,esp}_input for tunnel mode
  */
 int
 ipsec_in_reject(struct mbuf *m, void *inp)
@@ -2135,24 +2122,16 @@ skippolicycheck:;
 int
 ipsec6_input(struct mbuf *m)
 {
- struct secpolicy *sp;
 int s, error;
 
 s = splsoftnet();
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
- if (sp == NULL) {
- splx(s);
+ error = ipsec_in_reject(m, NULL);
+ splx(s);
+ if (error) {
 return EINVAL;
 }
 
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_sp_reject(sp, m);
- KEY_SP_UNREF(&sp);
- splx(s);
-
- return error;
+ return 0;
 }
 #endif /* INET6 */
 
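Review bot: In ipsec4_input the removed `if (sp == NULL) { splx(s); return EINVAL; }` branch dropped the packet when the inbound policy lookup itself failed, whereas the new code drops only when `ipsec_in_reject(m, NULL)` returns non-zero. The body of ipsec_in_reject is outside this diff; if it returns 0 when no policy can be obtained, inbound packets that used to be rejected on lookup failure are now accepted, which would be a fail-open change the log message does not mention. Please confirm that behaviour and either keep an explicit drop for the lookup-failure case or record the decision in a comment above the call, for example `/* ipsec_in_reject() must return non-zero on SP lookup failure; we drop on any non-zero. */`. The same replacement is made in the ipsec6_input hunk, and ipsec4_input continues past the end of its hunk.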
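Review bot: ipsec6_input now maps every non-zero result of `ipsec_in_reject` to `EINVAL` and otherwise returns a literal 0, where it used to pass the value from `ipsec_sp_reject` straight through; the ipsec4_input hunk makes the same change with `return EINVAL;`. Callers are not visible here, so any caller that depends on the previously propagated value should be checked. A short function comment would pin the contract, e.g. `/* Returns 0 to accept the packet, EINVAL to drop it (inbound policy violation). */`.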