Module Name:    src
Committed By:   maxv
Date:           Sun Apr 29 14:35:36 UTC 2018

Modified Files:
        src/sys/netipsec: ipsec_input.c xform_ipip.c

Log Message:
Remove obsolete/dead code; the IP-in-IP encapsulation doesn't work this
way anymore (XF_IP4 was partly dropped by FAST_IPSEC).


To generate a diff of this commit:
cvs rdiff -u -r1.67 -r1.68 src/sys/netipsec/ipsec_input.c
cvs rdiff -u -r1.69 -r1.70 src/sys/netipsec/xform_ipip.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.67 src/sys/netipsec/ipsec_input.c:1.68
--- src/sys/netipsec/ipsec_input.c:1.67	Sat Apr 28 15:45:16 2018
+++ src/sys/netipsec/ipsec_input.c	Sun Apr 29 14:35:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $	*/
 /*	$FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $");
 
 /*
  * IPsec input processing.
@@ -375,84 +375,6 @@ cantpull:
 
 	prot = ip->ip_p;
 
-#ifdef notyet
-	/* IP-in-IP encapsulation */
-	if (prot == IPPROTO_IPIP) {
-		struct ip ipn;
-
-		/* ipn will now contain the inner IPv4 header */
-		/* XXX: check m_pkthdr.len */
-		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
-
-		/* XXX PROXY address isn't recorded in SAH */
-		/*
-		 * Check that the inner source address is the same as
-		 * the proxy address, if available.
-		 */
-		if ((saidx->proxy.sa.sa_family == AF_INET &&
-		    saidx->proxy.sin.sin_addr.s_addr !=
-		    INADDR_ANY &&
-		    ipn.ip_src.s_addr !=
-		    saidx->proxy.sin.sin_addr.s_addr) ||
-		    (saidx->proxy.sa.sa_family != AF_INET &&
-			saidx->proxy.sa.sa_family != 0)) {
-
-			char ipbuf[INET_ADDRSTRLEN];
-			IPSECLOG(LOG_DEBUG,
-			    "inner source address %s doesn't correspond to "
-			    "expected proxy source %s, SA %s/%08lx\n",
-			    IN_PRINT(ipbuf, ipn.ip_src),
-			    ipsp_address(saidx->proxy),
-			    ipsp_address(saidx->dst),
-			    (u_long) ntohl(sav->spi));
-
-			IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-			    AH_STAT_PDROPS,
-			    IPCOMP_STAT_PDROPS);
-			error = EACCES;
-			goto bad;
-		}
-	}
-#if INET6
-	/* IPv6-in-IP encapsulation. */
-	if (prot == IPPROTO_IPV6) {
-		struct ip6_hdr ip6n;
-
-		/* ip6n will now contain the inner IPv6 header. */
-		/* XXX: check m_pkthdr.len */
-		m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
-
-		/*
-		 * Check that the inner source address is the same as
-		 * the proxy address, if available.
-		 */
-		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
-		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
-		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
-			&saidx->proxy.sin6.sin6_addr)) ||
-		    (saidx->proxy.sa.sa_family != AF_INET6 &&
-			saidx->proxy.sa.sa_family != 0)) {
-
-			char ip6buf[INET6_ADDRSTRLEN];
-			char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-			IPSECLOG(LOG_DEBUG,
-			    "inner source address %s doesn't correspond to "
-			    "expected proxy source %s, SA %s/%08lx\n",
-			    ip6_sprintf(ip6buf, &ip6n.ip6_src),
-			    ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-			    ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-			    (u_long) ntohl(sav->spi));
-
-			IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-			    AH_STAT_PDROPS,
-			    IPCOMP_STAT_PDROPS);
-			error = EACCES;
-			goto bad;
-		}
-	}
-#endif /* INET6 */
-#endif /* notyet */
-
 	M_VERIFY_PACKET(m);
 
 	key_sa_recordxfer(sav, m);		/* record data transfer */
@@ -574,80 +496,6 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	/* Save protocol */
 	m_copydata(m, protoff, 1, &prot);
 
-#ifdef notyet
-#ifdef INET
-	/* IP-in-IP encapsulation */
-	if (prot == IPPROTO_IPIP) {
-		struct ip ipn;
-
-		/* ipn will now contain the inner IPv4 header */
-		/* XXX: check m_pkthdr.len */
-		m_copydata(m, skip, sizeof(struct ip), &ipn);
-
-		/*
-		 * Check that the inner source address is the same as
-		 * the proxy address, if available.
-		 */
-		if ((saidx->proxy.sa.sa_family == AF_INET &&
-		    saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
-		    ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
-		    (saidx->proxy.sa.sa_family != AF_INET &&
-			saidx->proxy.sa.sa_family != 0)) {
-
-			char ipbuf[INET_ADDRSTRLEN];
-			char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-			IPSECLOG(LOG_DEBUG,
-			    "inner source address %s doesn't correspond to "
-			    "expected proxy source %s, SA %s/%08lx\n",
-			    IN_PRINT(ipbuf, ipn.ip_src),
-			    ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-			    ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-			    (u_long) ntohl(sav->spi));
-
-			IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-			    AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
-			error = EACCES;
-			goto bad;
-		}
-	}
-#endif /* INET */
-	/* IPv6-in-IP encapsulation */
-	if (prot == IPPROTO_IPV6) {
-		struct ip6_hdr ip6n;
-
-		/* ip6n will now contain the inner IPv6 header. */
-		/* XXX: check m_pkthdr.len */
-		m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n);
-
-		/*
-		 * Check that the inner source address is the same as
-		 * the proxy address, if available.
-		 */
-		if ((saidx->proxy.sa.sa_family == AF_INET6 &&
-		    !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
-		    !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
-			&saidx->proxy.sin6.sin6_addr)) ||
-		    (saidx->proxy.sa.sa_family != AF_INET6 &&
-			saidx->proxy.sa.sa_family != 0)) {
-
-			char ip6buf[INET6_ADDRSTRLEN];
-			char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-			IPSECLOG(LOG_DEBUG,
-			    "inner source address %s doesn't correspond to "
-			    "expected proxy source %s, SA %s/%08lx\n",
-			    ip6_sprintf(ip6buf, &ip6n.ip6_src),
-			    ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-			    ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-			    (u_long) ntohl(sav->spi));
-
-			IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-			    AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
-			error = EACCES;
-			goto bad;
-		}
-	}
-#endif /* notyet */
-
 	key_sa_recordxfer(sav, m);
 
 	/* Retrieve new protocol */

Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.69 src/sys/netipsec/xform_ipip.c:1.70
--- src/sys/netipsec/xform_ipip.c:1.69	Sat Apr 28 15:45:16 2018
+++ src/sys/netipsec/xform_ipip.c	Sun Apr 29 14:35:35 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $	*/
+/*	$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $	*/
 /*	$FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $	*/
 /*	$OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $");
 
 /*
  * IP-inside-IP processing
@@ -506,10 +506,6 @@ nofamily:
 
 	IPIP_STATINC(IPIP_STAT_OPACKETS);
 	IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen);
-#if 0
-	if (sav->tdb_xform->xf_type == XF_IP4)
-		tdb->tdb_cur_bytes += m->m_pkthdr.len - iphlen;
-#endif
 
 	*mp = m;
 	return 0;
