Hi,
This adds TDB ref counting to ipsp_spd_lookup().
While there, make ip6_output() look a bit more like ip_output().
ok?
bluhm
Index: net/if_bridge.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.360
diff -u -p -r1.360 if_bridge.c
--- net/if_bridge.c 1 Dec 2021 12:51:09 -0000 1.360
+++ net/if_bridge.c 1 Dec 2021 23:41:28 -0000
@@ -1606,11 +1606,14 @@ bridge_ipsec(struct ifnet *ifp, struct e
tdb->tdb_tap)) == NULL ||
pf_test(af, dir, encif, &m) != PF_PASS) {
m_freem(m);
+ tdb_unref(tdb);
return (1);
}
- if (m == NULL)
+ if (m == NULL) {
+ tdb_unref(tdb);
return (1);
- else if (af == AF_INET)
+ }
+ if (af == AF_INET)
in_proto_cksum_out(m, encif);
#ifdef INET6
else if (af == AF_INET6)
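Review bot: Each early return in this part of bridge_ipsec() now has to carry its own `tdb_unref(tdb)`, which is easy to forget when another exit is added later. A single exit label would keep the release in one place: use `goto out;` after `m_freem(m);` and in the `m == NULL` case, with `out: tdb_unref(tdb); return (1);` at the end of the branch. The function starts and ends outside this hunk, so any return between the lookup and these lines that is not shown should be checked for the same release.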
@@ -1628,6 +1631,7 @@ bridge_ipsec(struct ifnet *ifp, struct e
ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG);
else
error = ipsp_process_packet(m, tdb, af, 0);
+ tdb_unref(tdb);
return (1);
} else
return (0);
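Review bot: The `tdb_unref(tdb)` after `ipsp_process_packet(m, tdb, af, 0)` is only safe if nothing started by that call keeps using `tdb` after it returns. That cannot be confirmed from the hunk; if processing can be deferred, the deferred path needs to take its own reference. A comment above the release would record the assumption, for example `/* ipsp_process_packet() does not keep tdb past return; drop the lookup reference */`.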
Index: netinet/ip_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
retrieving revision 1.376
diff -u -p -r1.376 ip_output.c
--- netinet/ip_output.c 1 Dec 2021 12:51:09 -0000 1.376
+++ netinet/ip_output.c 1 Dec 2021 23:41:28 -0000
@@ -523,6 +523,9 @@ done:
if (ro == &iproute && ro->ro_rt)
rtfree(ro->ro_rt);
if_put(ifp);
+#ifdef IPSEC
+ tdb_unref(tdb);
+#endif /* IPSEC */
return (error);
bad:
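Review bot: The `tdb_unref(tdb)` at `done:` runs on every exit, including those where the IPsec lookup was never called, so it depends on `tdb` being initialised to NULL at its declaration and on `tdb_unref()` accepting NULL; neither is visible in this hunk. The same applies to the releases added at `out:` in ip6_forward.c and at `done:` in ip6_output.c. It is also worth confirming that no path between the lookup and `done:` returns directly, since that would leak the reference. A short comment such as `/* tdb is NULL unless the IPsec lookup took a reference */` above the call would make the invariant explicit.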
@@ -558,6 +561,7 @@ ip_output_ipsec_lookup(struct mbuf *m, i
!memcmp(&tdbi->dst, &tdb->tdb_dst,
sizeof(union sockaddr_union))) {
/* no IPsec needed */
+ tdb_unref(tdb);
*tdbout = NULL;
return 0;
}
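Review bot: ip_output_ipsec_lookup() now has an ownership contract that is not documented in the hunk: on return 0 with `*tdbout != NULL`, the caller holds a reference and must call `tdb_unref()`. I would add a comment above the function stating that, and do the same for ip6_output_ipsec_lookup(), which gets the identical `tdb_unref(tdb)` on its "no IPsec needed" path. The error return path is outside this hunk; it should be checked that `*tdbout` is never left pointing at a referenced TDB when a non-zero error is returned.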
Index: netinet/ip_spd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_spd.c,v
retrieving revision 1.107
diff -u -p -r1.107 ip_spd.c
--- netinet/ip_spd.c 1 Dec 2021 12:51:09 -0000 1.107
+++ netinet/ip_spd.c 1 Dec 2021 23:41:28 -0000
@@ -825,9 +825,10 @@ ipsp_spd_inp(struct mbuf *m, struct inpc
justreturn:
if (tdbout != NULL) {
- if (ipo != NULL)
+ if (ipo != NULL) {
+ tdb_ref(ipo->ipo_tdb);
*tdbout = ipo->ipo_tdb;
- else
+ } else
*tdbout = NULL;
}
return 0;
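Review bot: At `justreturn:` the new code reads `ipo->ipo_tdb` twice, once for `tdb_ref()` and once for the assignment to `*tdbout`, and no lock protecting the policy is visible in the hunk. If `ipo_tdb` can be changed or cleared concurrently, the reference could be taken on a different TDB than the one handed out, or on one that is being freed. Reading the pointer once into a local and using it for both steps avoids the double read, e.g. `struct tdb *t = ipo->ipo_tdb; tdb_ref(t); *tdbout = t;`, together with a comment naming the lock that keeps `ipo_tdb` stable. It also needs confirming that `tdb_ref()` accepts NULL if `ipo_tdb` can be NULL here, and that every caller passing a non-NULL `tdbout` outside this diff now releases the reference.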
Index: netinet6/ip6_forward.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_forward.c,v
retrieving revision 1.103
diff -u -p -r1.103 ip6_forward.c
--- netinet6/ip6_forward.c 1 Dec 2021 12:51:09 -0000 1.103
+++ netinet6/ip6_forward.c 1 Dec 2021 23:41:28 -0000
@@ -397,4 +397,7 @@ freecopy:
out:
rtfree(rt);
if_put(ifp);
+#ifdef IPSEC
+ tdb_unref(tdb);
+#endif /* IPSEC */
}
Index: netinet6/ip6_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
retrieving revision 1.262
diff -u -p -r1.262 ip6_output.c
--- netinet6/ip6_output.c 1 Dec 2021 12:51:09 -0000 1.262
+++ netinet6/ip6_output.c 1 Dec 2021 23:41:28 -0000
@@ -220,7 +220,7 @@ ip6_output(struct mbuf *m, struct ip6_pk
}
#ifdef IPSEC
- if (ipsec_in_use || inp) {
+ if (ipsec_in_use || inp != NULL) {
error = ip6_output_ipsec_lookup(m, inp, &tdb);
if (error) {
/*
@@ -433,7 +433,7 @@ reroute:
}
#ifdef IPSEC
- if (tdb) {
+ if (tdb != NULL) {
/*
* XXX what should we do if ip6_hlim == 0 and the
* packet gets tunneled?
@@ -762,12 +762,15 @@ reroute:
ip6stat_inc(ip6s_fragmented);
done:
- if_put(ifp);
if (ro == &ip6route && ro->ro_rt) {
rtfree(ro->ro_rt);
} else if (ro_pmtu == &ip6route && ro_pmtu->ro_rt) {
rtfree(ro_pmtu->ro_rt);
}
+ if_put(ifp);
+#ifdef IPSEC
+ tdb_unref(tdb);
+#endif /* IPSEC */
return (error);
freehdrs:
@@ -2770,6 +2773,7 @@ ip6_output_ipsec_lookup(struct mbuf *m,
!memcmp(&tdbi->dst, &tdb->tdb_dst,
sizeof(union sockaddr_union))) {
/* no IPsec needed */
+ tdb_unref(tdb);
*tdbout = NULL;
return 0;
}