Author: ae
Date: Thu Dec 11 19:09:57 2014
New Revision: 275715
URL: https://svnweb.freebsd.org/changeset/base/275715

Log:
  Use ipsec6_in_reject() to simplify ip6_ipsec_fwd() and ip6_ipsec_input().
  ipsec6_in_reject() does the same things, also it counts policy violation
  errors.
  
  Do the IPSEC check in ip6_forward() after the address checks.
  Also use ip6_ipsec_fwd() to make code similar to IPv4 implementation.
  
  Obtained from:        Yandex LLC
  Sponsored by: Yandex LLC

Modified:
  head/sys/netinet6/ip6_forward.c
  head/sys/netinet6/ip6_ipsec.c

Modified: head/sys/netinet6/ip6_forward.c
==============================================================================
--- head/sys/netinet6/ip6_forward.c     Thu Dec 11 18:58:22 2014        
(r275714)
+++ head/sys/netinet6/ip6_forward.c     Thu Dec 11 19:09:57 2014        
(r275715)
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_pcb.h>
 
 #ifdef IPSEC
+#include <netinet6/ip6_ipsec.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
@@ -109,21 +110,6 @@ ip6_forward(struct mbuf *m, int srcrt)
        struct m_tag *fwd_tag;
        char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
 
-#ifdef IPSEC
-       /*
-        * Check AH/ESP integrity.
-        */
-       /*
-        * Don't increment ip6s_cantforward because this is the check
-        * before forwarding packet actually.
-        */
-       if (ipsec6_in_reject(m, NULL)) {
-               IPSEC6STAT_INC(ips_in_polvio);
-               m_freem(m);
-               return;
-       }
-#endif /* IPSEC */
-
        /*
         * Do not forward packets to multicast destination (should be handled
         * by ip6_mforward().
@@ -148,6 +134,17 @@ ip6_forward(struct mbuf *m, int srcrt)
                m_freem(m);
                return;
        }
+#ifdef IPSEC
+       /*
+        * Check if this packet has an active SA and needs to be dropped
+        * instead of forwarded.
+        */
+       if (ip6_ipsec_fwd(m) != 0) {
+               IP6STAT_INC(ip6s_cantforward);
+               m_freem(m);
+               return;
+       }
+#endif /* IPSEC */
 
 #ifdef IPSTEALTH
        if (!V_ip6stealth) {
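Review bot: The comment above the new ip6_ipsec_fwd() call describes the test as "has an active SA", but according to the log message what ipsec6_in_reject() evaluates is the inbound IPsec security policy, and the block removed earlier in this file explicitly declined to bump ip6s_cantforward at this point, so the new accounting deserves a sentence. The drop now increments ip6s_cantforward here while ipsec6_in_reject() already counts ips_in_polvio, which is presumably intended to mirror ip_forward(); suggest replacing the two comment lines with `/* Drop the packet if it violates the inbound IPsec policy. ipsec6_in_reject() already counts ips_in_polvio; ip6s_cantforward is bumped here to match ip_forward(). */`. Moving the check after the address checks also means multicast and unspecified-source packets no longer register as policy violations, which is probably fine but worth stating in the log. ip6_forward() continues outside this hunk.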

Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c       Thu Dec 11 18:58:22 2014        
(r275714)
+++ head/sys/netinet6/ip6_ipsec.c       Thu Dec 11 19:09:57 2014        
(r275715)
@@ -118,28 +118,18 @@ ip6_ipsec_filtertunnel(struct mbuf *m)
 /*
  * Check if this packet has an active SA and needs to be dropped instead
  * of forwarded.
- * Called from ip6_input().
+ * Called from ip6_forward().
  * 1 = drop packet, 0 = forward packet.
  */
 int
 ip6_ipsec_fwd(struct mbuf *m)
 {
-#ifdef IPSEC
-       struct secpolicy *sp;
-       int error;
 
-       sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-       if (sp != NULL) {
-               /*
-                * Check security policy against packet attributes.
-                */
-               error = ipsec_in_reject(sp, m);
-               KEY_FREESP(&sp);
-       }
-       if (error != 0)
-               return (1);
-#endif /* IPSEC */
+#ifdef IPSEC
+       return (ipsec6_in_reject(m, NULL));
+#else
        return (0);
+#endif /* !IPSEC */
 }
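Review bot: The header comment still promises "1 = drop packet, 0 = forward packet", but the body now returns whatever ipsec6_in_reject() yields verbatim; I believe that is 0 or 1, but it is not visible here, and the only caller added in this commit tests `!= 0`, so the comment should state the weaker contract, e.g. `* non-zero = drop packet, 0 = forward packet.`, or the body should normalise it with `return (ipsec6_in_reject(m, NULL) != 0);`. The "has an active SA" wording is also misleading for a policy lookup; `* Check the inbound IPsec policy for a forwarded packet; a violation is counted in ips_in_polvio by ipsec6_in_reject().` would say what the function does and which counter it touches. The `#endif /* !IPSEC */` label after an `#else` is unusual for this file; the sibling function below labels its `#endif` as `/* IPSEC */`.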
 
 /*
@@ -152,31 +142,15 @@ ip6_ipsec_fwd(struct mbuf *m)
 int
 ip6_ipsec_input(struct mbuf *m, int nxt)
 {
+
 #ifdef IPSEC
-       struct secpolicy *sp;
-       int error;
        /*
         * enforce IPsec policy checking if we are seeing last header.
         * note that we do not visit this with protocols with pcb layer
         * code - like udp/tcp/raw ip.
         */
-       if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
-           ipsec6_in_reject(m, NULL)) {
-               sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-               if (sp != NULL) {
-                       /*
-                        * Check security policy against packet attributes.
-                        */
-                       error = ipsec_in_reject(sp, m);
-                       KEY_FREESP(&sp);
-               } else {
-                       /* XXX error stat??? */
-                       error = EINVAL;
-                       DPRINTF(("%s: no SP, packet discarded\n", 
__func__));/*XXX*/
-               }
-               if (error != 0)
-                       return (1);
-       }
+       if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+               return (ipsec6_in_reject(m, NULL));
 #endif /* IPSEC */
        return (0);
 }
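Review bot: The remaining comment explains when the policy check runs but not what a non-zero return now means, and the former "XXX error stat???" path is gone, so the caller in ip6_input() (outside this hunk) has no hint that ipsec6_in_reject() already records the violation in ips_in_polvio per the log message. Suggest appending to the existing comment: `* ipsec6_in_reject() counts the violation in ips_in_polvio; the caller should only drop the packet, not count it again.`. Stating the return contract as `* non-zero = drop packet, 0 = continue` would also keep it aligned with ip6_ipsec_fwd() above. The function's header comment begins outside this hunk.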