Module Name: src Committed By: maxv Date: Mon May 7 09:08:06 UTC 2018
Modified Files: src/sys/netipsec: xform.h xform_ipip.c Log Message: Clarify IPIP: ipe4_xformsw is not allowed to call ipip_output, so replace the pointer by ipe4_output, which just panics. Group the ipe4_* functions together. Localify other functions. ok ozaki-r@ To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/netipsec/xform.h cvs rdiff -u -r1.70 -r1.71 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/xform.h
diff -u src/sys/netipsec/xform.h:1.16 src/sys/netipsec/xform.h:1.17
--- src/sys/netipsec/xform.h:1.16 Tue May 1 08:08:46 2018
+++ src/sys/netipsec/xform.h Mon May 7 09:08:06 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform.h,v 1.16 2018/05/01 08:08:46 maxv Exp $ */
+/* $NetBSD: xform.h,v 1.17 2018/05/07 09:08:06 maxv Exp $ */
 /* $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $ */
 /*
@@ -92,8 +92,6 @@ extern int xform_init(struct secasvar *s
 struct cryptoini;
 /* XF_IP4 */
-int ip4_input6(struct mbuf **m, int *offp, int proto, void *);
-void ip4_input(struct mbuf *m, int, int, void *);
 int ipip_output(struct mbuf *, const struct ipsecrequest *, struct secasvar *, struct mbuf **, int, int);
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.70 src/sys/netipsec/xform_ipip.c:1.71
--- src/sys/netipsec/xform_ipip.c:1.70 Sun Apr 29 14:35:35 2018
+++ src/sys/netipsec/xform_ipip.c Mon May 7 09:08:06 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.71 2018/05/07 09:08:06 maxv Exp $ */
 /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.71 2018/05/07 09:08:06 maxv Exp $");
 /*
 * IP-inside-IP processing
@@ -90,12 +90,10 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c
 int ipip_spoofcheck = 1;
 percpu_t *ipipstat_percpu;
-void ipe4_attach(void);
-
 static void _ipip_input(struct mbuf *, int);
 #ifdef INET6
-int
+static int
 ip4_input6(struct mbuf **m, int *offp, int proto, void *eparg __unused)
 {
 _ipip_input(*m, *offp);
@@ -104,7 +102,7 @@ ip4_input6(struct mbuf **m, int *offp, i
 #endif
 #ifdef INET
-void
+static void
 ip4_input(struct mbuf *m, int off, int proto, void *eparg __unused)
 {
 _ipip_input(m, off);
@@ -517,6 +515,40 @@ bad:
 return error;
 }
+#ifdef INET
+static struct encapsw ipe4_encapsw = {
+ .encapsw4 = {
+ .pr_input = ip4_input,
+ .pr_ctlinput = NULL,
+ }
+};
+#endif
+#ifdef INET6
+static struct encapsw ipe4_encapsw6 = {
+ .encapsw6 = {
+ .pr_input = ip4_input6,
+ .pr_ctlinput = NULL,
+ }
+};
+#endif
+
+/*
+ * Check the encapsulated packet to see if we want it
+ */
+static int
+ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg)
+{
+ /*
+ * Only take packets coming from IPSEC tunnels; the rest
+ * must be handled by the gif tunnel code. Note that we
+ * also return a minimum priority when we want the packet
+ * so any explicit gif tunnels take precedence.
+ */
+ return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
+}
+
+/* -------------------------------------------------------------------------- */
+
 static int
 ipe4_init(struct secasvar *sav, const struct xformsw *xsp)
 {
@@ -541,6 +573,13 @@ ipe4_input(struct mbuf *m, struct secasv
 return EOPNOTSUPP;
 }
+static int
+ipe4_output(struct mbuf *m, const struct ipsecrequest *isr,
+ struct secasvar *sav, struct mbuf **mp, int skip, int protoff)
+{
+ panic("%s: should not have been called", __func__);
+}
+
 static struct xformsw ipe4_xformsw = {
 .xf_type = XF_IP4,
 .xf_flags = 0,
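Review bot: `ipe4_encapcheck` accepts a packet on the `M_IPSEC` mbuf flag alone and ignores `off`, `proto` and `arg`, but its comment does not say where that flag is set or cleared. This check is what separates IPsec-decapsulated IPIP from traffic meant for gif, so the comment could state the invariant it relies on, for example `M_IPSEC is set only by the IPsec input path after the outer packet has passed SA processing`. That wording assumes this is the actual guarantee, since the code that sets the flag is not visible in this hunk. The unused parameters could also carry `__unused`, as `eparg` does in `ip4_input`.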
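Review bot: `ipe4_output` makes any dispatch through `.xf_output` for XF_IP4 a kernel panic, while the neighbouring `ipe4_input` ends in `return EOPNOTSUPP;`, so the two "must not be called" stubs fail in different ways. The invariant that makes the panic unreachable is recorded only in the commit message. A comment above the function should state it, e.g. `/* Never dispatched: output for XF_IP4 does not go through the xform switch (guaranteed by <caller>). */`. If any SA configuration can reach `xf_output` for this transform, which the hunk does not show, the stub becomes a denial-of-service condition, and failing the way `ipe4_input` does would be safer. The stub is wired in at `.xf_output = ipe4_output` in the next hunk, and only the tail of `ipe4_input` is visible here.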
@@ -548,41 +587,11 @@ static struct xformsw ipe4_xformsw = {
 .xf_init = ipe4_init,
 .xf_zeroize = ipe4_zeroize,
 .xf_input = ipe4_input,
- .xf_output = ipip_output,
+ .xf_output = ipe4_output,
 .xf_next = NULL,
 };
-#ifdef INET
-static struct encapsw ipe4_encapsw = {
- .encapsw4 = {
- .pr_input = ip4_input,
- .pr_ctlinput = NULL,
- }
-};
-#endif
-#ifdef INET6
-static struct encapsw ipe4_encapsw6 = {
- .encapsw6 = {
- .pr_input = ip4_input6,
- .pr_ctlinput = NULL,
- }
-};
-#endif
-
-/*
- * Check the encapsulated packet to see if we want it
- */
-static int
-ipe4_encapcheck(struct mbuf *m, int off, int proto, void *arg)
-{
- /*
- * Only take packets coming from IPSEC tunnels; the rest
- * must be handled by the gif tunnel code. Note that we
- * also return a minimum priority when we want the packet
- * so any explicit gif tunnels take precedence.
- */
- return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
-}
+/* -------------------------------------------------------------------------- */
 void
 ipe4_attach(void)