Module Name: src Committed By: maxv Date: Sun Apr 29 14:35:36 UTC 2018
Modified Files: src/sys/netipsec: ipsec_input.c xform_ipip.c Log Message: Remove obsolete/dead code: the IP-in-IP encapsulation doesn't work this way anymore (XF_IP4 was partly dropped by FAST_IPSEC). To generate a diff of this commit: cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/ipsec_input.c cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.67 src/sys/netipsec/ipsec_input.c:1.68
--- src/sys/netipsec/ipsec_input.c:1.67 Sat Apr 28 15:45:16 2018
+++ src/sys/netipsec/ipsec_input.c Sun Apr 29 14:35:35 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $ */
 /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $");
 /*
 * IPsec input processing. 
@@ -375,84 +375,6 @@ cantpull:
 prot = ip->ip_p;
-#ifdef notyet
- /* IP-in-IP encapsulation */
- if (prot == IPPROTO_IPIP) {
- struct ip ipn;
-
- /* ipn will now contain the inner IPv4 header */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
-
- /* XXX PROXY address isn't recorded in SAH */
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET &&
- saidx->proxy.sin.sin_addr.s_addr !=
- INADDR_ANY &&
- ipn.ip_src.s_addr !=
- saidx->proxy.sin.sin_addr.s_addr) ||
- (saidx->proxy.sa.sa_family != AF_INET &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ipbuf[INET_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- IN_PRINT(ipbuf, ipn.ip_src),
- ipsp_address(saidx->proxy),
- ipsp_address(saidx->dst),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS,
- IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#if INET6
- /* IPv6-in-IP encapsulation. */
- if (prot == IPPROTO_IPV6) {
- struct ip6_hdr ip6n;
-
- /* ip6n will now contain the inner IPv6 header. */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available. 
- */
- if ((saidx->proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &saidx->proxy.sin6.sin6_addr)) ||
- (saidx->proxy.sa.sa_family != AF_INET6 &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ip6buf[INET6_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS,
- IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* INET6 */
-#endif /* notyet */
-
 M_VERIFY_PACKET(m);
 key_sa_recordxfer(sav, m); /* record data transfer */ 
@@ -574,80 +496,6 @@ ipsec6_common_input_cb(struct mbuf *m, s
 /* Save protocol */
 m_copydata(m, protoff, 1, &prot);
-#ifdef notyet
-#ifdef INET
- /* IP-in-IP encapsulation */
- if (prot == IPPROTO_IPIP) {
- struct ip ipn;
-
- /* ipn will now contain the inner IPv4 header */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, skip, sizeof(struct ip), &ipn);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET &&
- saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
- ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
- (saidx->proxy.sa.sa_family != AF_INET &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ipbuf[INET_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- IN_PRINT(ipbuf, ipn.ip_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* INET */
- /* IPv6-in-IP encapsulation */
- if (prot == IPPROTO_IPV6) {
- struct ip6_hdr ip6n;
-
- /* ip6n will now contain the inner IPv6 header. */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available. 
- */
- if ((saidx->proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &saidx->proxy.sin6.sin6_addr)) ||
- (saidx->proxy.sa.sa_family != AF_INET6 &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ip6buf[INET6_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* notyet */
-
 key_sa_recordxfer(sav, m);
 /* Retrieve new protocol */
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.69 src/sys/netipsec/xform_ipip.c:1.70
--- src/sys/netipsec/xform_ipip.c:1.69 Sat Apr 28 15:45:16 2018
+++ src/sys/netipsec/xform_ipip.c Sun Apr 29 14:35:35 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $ */
 /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $");
 /*
 * IP-inside-IP processing
@@ -506,10 +506,6 @@ nofamily:
 IPIP_STATINC(IPIP_STAT_OPACKETS);
 IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen);
-#if 0
- if (sav->tdb_xform->xf_type == XF_IP4)
- tdb->tdb_cur_bytes += m->m_pkthdr.len - iphlen;
-#endif
 *mp = m;
 return 0;