On 16/04/16(Sat) 18:41, Markus Friedl wrote:
> Hi, this matches the IPsec/IPv4 change I committed back in December, but
> since I don't have extensive IPv6 setups it's still not committed. Please
> test, give feedback and it will finally go into the next release.
I hope it will go before the next release! This would help me a lot to
turn the IPv6 forwarding path mpsafe.
ok mpi@
>Index: netinet6/ip6_forward.c
>===
>RCS file: /cvs/src/sys/netinet6/ip6_forward.c,v
>retrieving revision 1.87
>diff -u -p -u -r1.87 ip6_forward.c
>--- netinet6/ip6_forward.c 29 Mar 2016 11:57:51 - 1.87
>+++ netinet6/ip6_forward.c 13 Apr 2016 21:47:09 -
>@@ -93,15 +93,7 @@ ip6_forward(struct mbuf *m, int srcrt)
> int error = 0, type = 0, code = 0;
> struct mbuf *mcopy = NULL;
> #ifdef IPSEC
>- u_int8_t sproto = 0;
>- struct m_tag *mtag;
>- union sockaddr_union sdst;
>- struct tdb_ident *tdbi;
>- u_int32_t sspi;
>- struct tdb *tdb;
>-#if NPF > 0
>- struct ifnet *encif;
>-#endif
>+ struct tdb *tdb = NULL;
> #endif /* IPSEC */
> u_int rtableid = 0;
> char src6[INET6_ADDRSTRLEN], dst6[INET6_ADDRSTRLEN];
>@@ -155,64 +147,21 @@ reroute:
> #endif
>
> #ifdef IPSEC
>- if (!ipsec_in_use)
>- goto done_spd;
>-
>- /*
>- * Check if there was an outgoing SA bound to the flow
>- * from a transport protocol.
>- */
>-
>- /* Do we have any pending SAs to apply ? */
>- tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
>- , IPSP_DIRECTION_OUT, NULL, NULL, 0);
>-
>- if (tdb == NULL) {
>- if (error == 0) {
>- /*
>- * No IPsec processing required, we'll just send the
>- * packet out.
>- */
>- sproto = 0;
>-
>- /* Fall through to routing/multicast handling */
>- } else {
>- /*
>+ if (ipsec_in_use) {
>+ tdb = ip6_output_ipsec_lookup(m, , NULL);
>+ if (error != 0) {
>+ /*
>* -EINVAL is used to indicate that the packet should
>* be silently dropped, typically because we've asked
>* key management for an SA.
>*/
>- if (error == -EINVAL) /* Should silently drop packet */
>+ if (error == -EINVAL) /* Should silently drop packet */
> error = 0;
>
> m_freem(m);
> goto freecopy;
> }
>- } else {
>- /* Loop detection */
>- for (mtag = m_tag_first(m); mtag != NULL;
>- mtag = m_tag_next(m, mtag)) {
>- if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE)
>- continue;
>- tdbi = (struct tdb_ident *)(mtag + 1);
>- if (tdbi->spi == tdb->tdb_spi &&
>- tdbi->proto == tdb->tdb_sproto &&
>- tdbi->rdomain == tdb->tdb_rdomain &&
>- !bcmp(>dst, >tdb_dst,
>- sizeof(union sockaddr_union))) {
>- sproto = 0; /* mark as no-IPsec-needed */
>- goto done_spd;
>- }
>- }
>-
>- /* We need to do IPsec */
>- bcopy(>tdb_dst, , sizeof(sdst));
>- sspi = tdb->tdb_spi;
>- sproto = tdb->tdb_sproto;
> }
>-
>- /* Fall through to the routing/multicast handling code */
>- done_spd:
> #endif /* IPSEC */
>
> #if NPF > 0
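Review bot: The new `ipsec_in_use` block no longer performs the PACKET_TAG_IPSEC_OUT_DONE loop check or the explicit "no IPsec needed" marking that the removed lines did, and nothing in this hunk shows whether `ip6_output_ipsec_lookup()` takes that check over; this should be confirmed before commit, because without it a forwarded packet that has already been through an IPsec output path could be handed to IPsec again. After the call, a non-NULL `tdb` with `error == 0` is now the only signal that IPsec applies, which the replacement for the removed `if (sproto != 0)` path in the third hunk presumably consumes. A one-line comment at the call site would make that contract explicit for the reader of this function, e.g. `/* tdb != NULL: IPsec applies; OUT_DONE loop detection is done by the lookup */`, adjusted once the callee's behaviour is verified. ip6_forward() starts before this hunk and continues past it.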
>@@ -313,40 +262,12 @@ reroute:
>* XXX ipsp_process_packet() calls ip6_output(), and there'll be no
>* PMTU notification. is it okay?
>*/
>- if (sproto != 0) {
>- tdb = gettdb(rtable_l2(m->m_pkthdr.ph_rtableid),
>- sspi, , sproto);
>- if (tdb == NULL) {
>- error = EHOSTUNREACH;
>- m_freem(m);
>- goto senderr; /*XXX*/
>- }
>-
>-#if NPF > 0
>- if ((encif = enc_getif(tdb->tdb_rdomain,
>- tdb->tdb_tap)) == NULL ||
>- pf_test(AF_INET6, PF_FWD, encif, ) != PF_PASS) {
>- error = EHOSTUNREACH;
>- m_freem(m);
>- goto senderr;
>- }
>- if (m == NULL)
>- goto senderr;
>- /*
>- * PF_TAG_REROUTE handling or not...
>- * Packet is entering IPsec so the routing is
>- * already overruled by the IPsec policy.
>- * Until now the change was not reconsidered.
>- * What's