Not sure it's worth the effort, but these printfs are sometimes useful.
Anyone's willing to OK?
diff --git sys/netinet/ip_ah.c sys/netinet/ip_ah.c
index f66ea31..d1e270c 100644
--- sys/netinet/ip_ah.c
+++ sys/netinet/ip_ah.c
@@ -531,10 +531,13 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
struct tdb_crypto *tc;
struct m_tag *mtag;
u_int32_t btsx, esn;
u_int8_t hl;
int rplen;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
struct cryptodesc *crda = NULL;
struct cryptop *crp;
rplen = AH_FLENGTH + sizeof(u_int32_t);
@@ -553,43 +556,45 @@ ah_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
case 0: /* All's well. */
break;
case 1:
m_freem(m);
DPRINTF(("ah_input(): replay counter wrapped for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_wrap++;
return ENOBUFS;
case 2:
m_freem(m);
DPRINTF(("ah_input(): old packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
case 3:
m_freem(m);
DPRINTF(("ah_input(): duplicate packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
default:
m_freem(m);
DPRINTF(("ah_input(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
return ENOBUFS;
}
}
/* Verify AH header length. */
if (hl * sizeof(u_int32_t) != ahx->authsize + rplen - AH_FLENGTH) {
- DPRINTF(("ah_input(): bad authenticator length %d for packet "
+ DPRINTF(("ah_input(): bad authenticator length %ld for packet "
"in SA %s/%08x\n", hl * sizeof(u_int32_t),
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_badauthl++;
m_freem(m);
return EACCES;
}
@@ -736,10 +741,13 @@ ah_input_cb(void *op)
struct m_tag *mtag;
struct tdb *tdb;
u_int32_t btsx, esn;
u_int8_t prot;
caddr_t ptr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
@@ -805,11 +813,12 @@ ah_input_cb(void *op)
if (timingsafe_bcmp(ptr + skip + rplen, calc, ahx->authsize)) {
free(tc, M_XDATA, 0);
DPRINTF(("ah_input(): authentication failed for "
"packet in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_badauth++;
error = EACCES;
goto baddone;
}
@@ -839,33 +848,34 @@ ah_input_cb(void *op)
pfsync_update_tdb(tdb,0);
#endif
break;
case 1:
DPRINTF(("ah_input(): replay counter wrapped for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_wrap++;
error = ENOBUFS;
goto baddone;
case 2:
DPRINTF(("ah_input_cb(): old packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
case 3:
DPRINTF(("ah_input_cb(): duplicate packet received in "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
default:
DPRINTF(("ah_input_cb(): bogus value from "
"checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ahstat.ahs_replay++;
error = ENOBUFS;
goto baddone;
}
}
@@ -876,11 +886,11 @@ ah_input_cb(void *op)
ahstat.ahs_hdrops++;
splx(s);
m_freem(m);
DPRINTF(("ah_input(): bad mbuf chain for packet in SA "
- "%s/%08x\n", ipsp_address(tdb->tdb_dst),
+ "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
return EINVAL;
}
@@ -974,10 +984,13 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
int len, rplen;
u_int8_t prot;
struct ah *ah;
#if NBPFILTER > 0
struct ifnet *encif;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
if ((encif = enc_getif(tdb->tdb_rdomain, tdb->tdb_tap)) != NULL) {
encif->if_opackets++;
encif->if_obytes += m->m_pkthdr.len;
@@ -1002,11 +1015,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
* Check for replay counter wrap-around in automatic (not
* manual) keying.
*/
if ((tdb->tdb_rpl == 0) && (tdb->tdb_wnd > 0)) {
DPRINTF(("ah_output(): SA %s/%08x should have expired\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_wrap++;
return EINVAL;
}
@@ -1016,11 +1030,12 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
case AF_INET:
/* Check for IP maximum packet size violations. */
if (rplen + ahx->authsize + m->m_pkthdr.len > IP_MAXPACKET) {
DPRINTF(("ah_output(): packet in SA %s/%08x got too "
"big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
}
break;
@@ -1028,23 +1043,24 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
#ifdef INET6
case AF_INET6:
/* Check for IPv6 maximum packet size violations. */
if (rplen + ahx->authsize + m->m_pkthdr.len > IPV6_MAXPACKET) {
DPRINTF(("ah_output(): packet in SA %s/%08x "
- "got too big\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_toobig++;
return EMSGSIZE;
}
break;
#endif /* INET6 */
default:
DPRINTF(("ah_output(): unknown/unsupported protocol "
"family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_nopf++;
return EPFNOSUPPORT;
}
@@ -1099,11 +1115,11 @@ ah_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
/* Inject AH header. */
mi = m_inject(m, skip, rplen + ahx->authsize, M_DONTWAIT);
if (mi == NULL) {
DPRINTF(("ah_output(): failed to inject AH header for SA "
- "%s/%08x\n", ipsp_address(tdb->tdb_dst),
+ "%s/%08x\n", ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
ahstat.ahs_hdrops++;
return ENOBUFS;
diff --git sys/netinet/ip_esp.c sys/netinet/ip_esp.c
index 69a2303..a859a43 100644
--- sys/netinet/ip_esp.c
+++ sys/netinet/ip_esp.c
@@ -142,21 +142,26 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct
ipsecinit *ii)
case SADB_X_EALG_CAST:
txform = &enc_xform_cast5;
break;
default:
- DPRINTF(("esp_init(): unsupported encryption algorithm
%d specified\n", ii->ii_encalg));
+ DPRINTF(("esp_init(): unsupported encryption "
+ "algorithm %d specified\n", ii->ii_encalg));
return EINVAL;
}
if (ii->ii_enckeylen < txform->minkey) {
- DPRINTF(("esp_init(): keylength %d too small (min
length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->minkey,
txform->name));
+ DPRINTF(("esp_init(): keylength %d too small "
+ "(min length is %d) for algorithm %s\n",
+ ii->ii_enckeylen, txform->minkey, txform->name));
return EINVAL;
}
if (ii->ii_enckeylen > txform->maxkey) {
- DPRINTF(("esp_init(): keylength %d too large (max
length is %d) for algorithm %s\n", ii->ii_enckeylen, txform->maxkey,
txform->name));
+ DPRINTF(("esp_init(): keylength %d too large "
+ "(max length is %d) for algorithm %s\n",
+ ii->ii_enckeylen, txform->maxkey, txform->name));
return EINVAL;
}
if (ii->ii_encalg == SADB_X_EALG_AESGCM16 ||
ii->ii_encalg == SADB_X_EALG_AESGMAC) {
@@ -220,16 +225,19 @@ esp_init(struct tdb *tdbp, struct xformsw *xsp, struct
ipsecinit *ii)
case SADB_X_AALG_AES256GMAC:
thash = &auth_hash_gmac_aes_256;
break;
default:
- DPRINTF(("esp_init(): unsupported authentication
algorithm %d specified\n", ii->ii_authalg));
+ DPRINTF(("esp_init(): unsupported authentication "
+ "algorithm %d specified\n", ii->ii_authalg));
return EINVAL;
}
if (ii->ii_authkeylen != thash->keysize) {
- DPRINTF(("esp_init(): keylength %d doesn't match
algorithm %s keysize (%d)\n", ii->ii_authkeylen, thash->name, thash->keysize));
+ DPRINTF(("esp_init(): keylength %d doesn't match "
+ "algorithm %s keysize (%d)\n", ii->ii_authkeylen,
+ thash->name, thash->keysize));
return EINVAL;
}
tdbp->tdb_authalgxform = thash;
@@ -326,10 +334,13 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
struct cryptop *crp;
struct tdb_crypto *tc;
int plen, alen, hlen;
struct m_tag *mtag;
u_int32_t btsx, esn;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
/* Determine the ESP header length */
hlen = 2 * sizeof(u_int32_t) + tdb->tdb_ivlen; /* "new" ESP */
alen = esph ? esph->authsize : 0;
plen = m->m_pkthdr.len - (skip + hlen + alen);
@@ -344,11 +355,14 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
/*
* Verify payload length is multiple of encryption algorithm
* block size.
*/
if (plen & (espx->blocksize - 1)) {
- DPRINTF(("esp_input(): payload of %d octets not a
multiple of %d octets, SA %s/%08x\n", plen, espx->blocksize,
ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): payload of %d octets "
+ "not a multiple of %d octets, SA %s/%08x\n",
+ plen, espx->blocksize, ipsp_address(&tdb->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdb->tdb_spi)));
espstat.esps_badilen++;
m_freem(m);
return EINVAL;
}
}
@@ -364,32 +378,36 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
break;
case 1:
m_freem(m);
DPRINTF(("esp_input(): replay counter wrapped"
" for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
return EACCES;
case 2:
m_freem(m);
DPRINTF(("esp_input(): old packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
case 3:
m_freem(m);
DPRINTF(("esp_input(): duplicate packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
default:
m_freem(m);
DPRINTF(("esp_input(): bogus value from"
" checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
return EACCES;
}
}
@@ -477,11 +495,12 @@ esp_input(struct mbuf *m, struct tdb *tdb, int skip, int
protoff)
else
crda->crd_len = m->m_pkthdr.len - (skip + alen);
/* Copy the authenticator */
if (mtag == NULL)
- m_copydata(m, m->m_pkthdr.len - alen, alen, (caddr_t)
(tc + 1));
+ m_copydata(m, m->m_pkthdr.len - alen, alen,
+ (caddr_t)(tc + 1));
} else
crde = crp->crp_desc;
/* Crypto operation descriptor */
crp->crp_ilen = m->m_pkthdr.len; /* Total input length */
@@ -534,10 +553,13 @@ esp_input_cb(void *op)
struct cryptop *crp;
struct m_tag *mtag;
struct tdb *tdb;
u_int32_t btsx, esn;
caddr_t ptr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
@@ -584,12 +606,12 @@ esp_input_cb(void *op)
}
/* If authentication was performed, check now. */
if (esph != NULL) {
/*
- * If we have a tag, it means an IPsec-aware NIC did the
verification
- * for us.
+ * If we have a tag, it means an IPsec-aware NIC did the
+ * verification for us.
*/
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - esph->authsize,
esph->authsize, aalg);
@@ -597,11 +619,14 @@ esp_input_cb(void *op)
ptr = (caddr_t) (tc + 1);
/* Verify authenticator */
if (timingsafe_bcmp(ptr, aalg, esph->authsize)) {
free(tc, M_XDATA, 0);
- DPRINTF(("esp_input_cb(): authentication failed
for packet in SA %s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): authentication "
+ "failed for packet in SA %s/%08x\n",
+ ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
espstat.esps_badauth++;
error = EACCES;
goto baddone;
}
}
@@ -625,32 +650,36 @@ esp_input_cb(void *op)
break;
case 1:
DPRINTF(("esp_input_cb(): replay counter wrapped"
" for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_wrap++;
error = EACCES;
goto baddone;
case 2:
DPRINTF(("esp_input_cb(): old packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
case 3:
DPRINTF(("esp_input_cb(): duplicate packet received"
" in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
default:
DPRINTF(("esp_input_cb(): bogus value from"
" checkreplaywindow() in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_replay++;
error = EACCES;
goto baddone;
}
}
@@ -665,11 +694,12 @@ esp_input_cb(void *op)
m1 = m_getptr(m, skip, &roff);
if (m1 == NULL) {
espstat.esps_hdrops++;
splx(s);
DPRINTF(("esp_input_cb(): bad mbuf chain, SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
/* Remove the ESP header and IV from the mbuf. */
@@ -686,11 +716,11 @@ esp_input_cb(void *op)
*/
if (roff + hlen > m1->m_len) {
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
- /* The second mbuf is guaranteed not to have a
pkthdr... */
+ /* The second mbuf is guaranteed not to have a pkthdr */
m->m_pkthdr.len -= (roff + hlen - m1->m_len);
}
/* Now, let's unlink the mbuf chain for a second...*/
mo = m1->m_next;
@@ -720,20 +750,25 @@ esp_input_cb(void *op)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
espstat.esps_badilen++;
splx(s);
- DPRINTF(("esp_input_cb(): invalid padding length %d for packet
in SA %s/%08x\n", lastthree[1], ipsp_address(tdb->tdb_dst),
ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input_cb(): invalid padding length %d for "
+ "packet in SA %s/%08x\n", lastthree[1],
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
/* Verify correct decryption by checking the last padding bytes */
if ((lastthree[1] != lastthree[0]) && (lastthree[1] != 0)) {
espstat.esps_badenc++;
splx(s);
- DPRINTF(("esp_input(): decryption failed for packet in SA
%s/%08x\n", ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("esp_input(): decryption failed for packet in "
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
return EINVAL;
}
/* Trim the mbuf chain to remove the trailing authenticator and padding
*/
@@ -771,11 +806,13 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
u_int32_t replay;
struct mbuf *mi, *mo = (struct mbuf *) NULL;
struct tdb_crypto *tc;
unsigned char *pad;
u_int8_t prot;
-
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
struct cryptodesc *crde = NULL, *crda = NULL;
struct cryptop *crp;
#if NBPFILTER > 0
struct ifnet *encif;
@@ -817,11 +854,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
switch (tdb->tdb_dst.sa.sa_family) {
case AF_INET:
/* Check for IP maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IP_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got "
- "too big\n", ipsp_address(tdb->tdb_dst),
+ "too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
return EMSGSIZE;
}
@@ -830,23 +868,24 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
#ifdef INET6
case AF_INET6:
/* Check for IPv6 maximum packet size violations. */
if (skip + hlen + rlen + padding + alen > IPV6_MAXPACKET) {
DPRINTF(("esp_output(): packet in SA %s/%08x got too "
- "big\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_toobig++;
return EMSGSIZE;
}
break;
#endif /* INET6 */
default:
DPRINTF(("esp_output(): unknown/unsupported protocol "
- "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family
- , ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ "family %d, SA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_nopf++;
return EPFNOSUPPORT;
}
@@ -885,11 +924,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
/* Replace the rest of the mbuf chain. */
struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT);
if (n == NULL) {
DPRINTF(("esp_output(): bad mbuf chain, SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
espstat.esps_hdrops++;
m_freem(m);
return ENOBUFS;
}
@@ -903,12 +943,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
/* Inject ESP header. */
mo = m_inject(m, skip, hlen, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("esp_output(): failed to inject ESP header for "
- "SA %s/%08x\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi)));
+ "SA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
espstat.esps_hdrops++;
return ENOBUFS;
}
@@ -928,11 +968,12 @@ esp_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int skip,
* although if/when we support compression, we'd have to do that.
*/
mo = m_inject(m, m->m_pkthdr.len, padding + alen, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("esp_output(): m_inject failed for SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
m_freem(m);
return ENOBUFS;
}
pad = mtod(mo, u_char *);
diff --git sys/netinet/ip_ipcomp.c sys/netinet/ip_ipcomp.c
index e9680c1..a2f3e26 100644
--- sys/netinet/ip_ipcomp.c
+++ sys/netinet/ip_ipcomp.c
@@ -209,10 +209,13 @@ ipcomp_input_cb(op)
struct tdb_crypto *tc;
struct cryptop *crp;
struct tdb *tdb;
struct ipcomp *ipcomp;
caddr_t addr;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
crp = (struct cryptop *) op;
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
@@ -291,11 +294,12 @@ ipcomp_input_cb(op)
/* Find the beginning of the IPCOMP header */
m1 = m_getptr(m, skip, &roff);
if (m1 == NULL) {
ipcompstat.ipcomps_hdrops++;
DPRINTF(("ipcomp_input_cb(): bad mbuf chain, IPCA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
error = EINVAL;
goto baddone;
}
/* Keep the next protocol field */
addr = (caddr_t) mtod(m, struct ip *) + skip;
@@ -375,10 +379,13 @@ ipcomp_output(m, tdb, mp, skip, protoff)
int hlen;
struct cryptodesc *crdc = NULL;
struct cryptop *crp;
struct tdb_crypto *tc;
struct mbuf *mi, *mo;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
#if NBPFILTER > 0
struct ifnet *encif;
if ((encif = enc_getif(0, tdb->tdb_tap)) != NULL) {
encif->if_opackets++;
@@ -407,33 +414,36 @@ ipcomp_output(m, tdb, mp, skip, protoff)
/*
* Since compression is going to reduce the size, no need to
* worry
*/
if (m->m_pkthdr.len + hlen > IP_MAXPACKET) {
- DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got
too big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x "
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
return EMSGSIZE;
}
break;
#ifdef INET6
case AF_INET6:
/* Check for IPv6 maximum packet size violations */
if (m->m_pkthdr.len + hlen > IPV6_MAXPACKET) {
- DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x got
too big\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ DPRINTF(("ipcomp_output(): packet in IPCA %s/%08x "
+ "got too big\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_toobig++;
return EMSGSIZE;
}
#endif /* INET6 */
default:
- DPRINTF(("ipcomp_output(): unknown/unsupported protocol family
%d, IPCA %s/%08x\n",
- tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
+ DPRINTF(("ipcomp_output(): unknown/unsupported protocol "
+ "family %d, IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
m_freem(m);
ipcompstat.ipcomps_nopf++;
return EPFNOSUPPORT;
}
@@ -472,11 +482,12 @@ ipcomp_output(m, tdb, mp, skip, protoff)
/* Replace the rest of the mbuf chain. */
struct mbuf *n = m_copym2(mi, 0, M_COPYALL, M_DONTWAIT);
if (n == NULL) {
DPRINTF(("ipcomp_output(): bad mbuf chain, IPCA
%s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_hdrops++;
m_freem(m);
return ENOBUFS;
}
if (mo != NULL)
@@ -550,10 +561,13 @@ ipcomp_output_cb(cp)
struct ip *ip;
#ifdef INET6
struct ip6_hdr *ip6;
#endif
struct ipcomp *ipcomp;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
tc = (struct tdb_crypto *) crp->crp_opaque;
skip = tc->tc_skip;
rlen = crp->crp_ilen - skip;
@@ -608,12 +622,12 @@ ipcomp_output_cb(cp)
/* Inject IPCOMP header */
mo = m_inject(m, skip, IPCOMP_HLENGTH, M_DONTWAIT);
if (mo == NULL) {
DPRINTF(("ipcomp_output_cb(): failed to inject IPCOMP header "
- "for IPCA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ "for IPCA %s/%08x\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_wrap++;
error = ENOBUFS;
goto baddone;
}
@@ -637,12 +651,12 @@ ipcomp_output_cb(cp)
ip6->ip6_nxt = IPPROTO_IPCOMP;
break;
#endif
default:
DPRINTF(("ipcomp_output_cb(): unsupported protocol family %d, "
- "IPCA %s/%08x\n",
- tdb->tdb_dst.sa.sa_family, ipsp_address(tdb->tdb_dst),
+ "IPCA %s/%08x\n", tdb->tdb_dst.sa.sa_family,
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
ntohl(tdb->tdb_spi)));
ipcompstat.ipcomps_nopf++;
error = EPFNOSUPPORT;
goto baddone;
break;
diff --git sys/netinet/ip_ipip.c sys/netinet/ip_ipip.c
index 4128e3d..db0e3f6 100644
--- sys/netinet/ip_ipip.c
+++ sys/netinet/ip_ipip.c
@@ -389,10 +389,13 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int dummy,
struct ip *ipo;
#ifdef INET6
struct ip6_hdr *ip6, *ip6o;
#endif /* INET6 */
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
/* XXX Deal with empty TDB source/destination addresses. */
m_copydata(m, 0, 1, &tp);
tp = (tp >> 4) & 0xff; /* Get the IP version number. */
@@ -403,11 +406,12 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int dummy,
tdb->tdb_src.sin.sin_addr.s_addr == INADDR_ANY ||
tdb->tdb_dst.sin.sin_addr.s_addr == INADDR_ANY) {
DPRINTF(("ipip_output(): unspecified tunnel endpoind "
"address in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipipstat.ipips_unspec++;
m_freem(m);
*mp = NULL;
return EINVAL;
@@ -488,11 +492,12 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf
**mp, int dummy,
tdb->tdb_src.sa.sa_family != AF_INET6 ||
IN6_IS_ADDR_UNSPECIFIED(&tdb->tdb_src.sin6.sin6_addr)) {
DPRINTF(("ipip_output(): unspecified tunnel endpoind "
"address in SA %s/%08x\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi)));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi)));
ipipstat.ipips_unspec++;
m_freem(m);
*mp = NULL;
return ENOBUFS;
diff --git sys/netinet/ip_ipsp.c sys/netinet/ip_ipsp.c
index 0c93cf6..7efc946 100644
--- sys/netinet/ip_ipsp.c
+++ sys/netinet/ip_ipsp.c
@@ -876,21 +876,24 @@ tdb_free(struct tdb *tdbp)
int
tdb_init(struct tdb *tdbp, u_int16_t alg, struct ipsecinit *ii)
{
struct xformsw *xsp;
int err;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++) {
if (xsp->xf_type == alg) {
err = (*(xsp->xf_init))(tdbp, xsp, ii);
return err;
}
}
DPRINTF(("tdb_init(): no alg %d for spi %08x, addr %s, proto %d\n",
- alg, ntohl(tdbp->tdb_spi), ipsp_address(tdbp->tdb_dst),
- tdbp->tdb_sproto));
+ alg, ntohl(tdbp->tdb_spi), ipsp_address(&tdbp->tdb_dst, buf,
+ sizeof(buf)), tdbp->tdb_sproto));
return EINVAL;
}
/*
@@ -956,28 +959,21 @@ tdb_add_inp(struct tdb *tdb, struct inpcb *inp, int inout)
}
#ifdef ENCDEBUG
/* Return a printable string for the address. */
const char *
-ipsp_address(union sockaddr_union sa)
+ipsp_address(union sockaddr_union *sa, char *buf, socklen_t size)
{
- static char ipspbuf[4][INET6_ADDRSTRLEN];
- static int ipspround = 0;
- char *buf;
-
- ipspround = (ipspround + 1) % 4;
- buf = ipspbuf[ipspround];
-
- switch (sa.sa.sa_family) {
+ switch (sa->sa.sa_family) {
case AF_INET:
- return inet_ntop(AF_INET, &sa.sin.sin_addr,
- buf, INET_ADDRSTRLEN);
+ return inet_ntop(AF_INET, &sa->sin.sin_addr,
+ buf, (size_t)size);
#ifdef INET6
case AF_INET6:
- return inet_ntop(AF_INET6, &sa.sin6.sin6_addr,
- buf, INET6_ADDRSTRLEN);
+ return inet_ntop(AF_INET6, &sa->sin6.sin6_addr,
+ buf, (size_t)size);
#endif /* INET6 */
default:
return "(unknown address family)";
}
diff --git sys/netinet/ip_ipsp.h sys/netinet/ip_ipsp.h
index f436e49..19b4b23 100644
--- sys/netinet/ip_ipsp.h
+++ sys/netinet/ip_ipsp.h
@@ -494,11 +494,11 @@ do {
\
} while (/* CONSTCOND */ 0)
/* Misc. */
uint8_t get_sa_require(struct inpcb *);
#ifdef ENCDEBUG
-const char *ipsp_address(union sockaddr_union);
+const char *ipsp_address(union sockaddr_union *, char *, socklen_t);
#endif /* ENCDEBUG */
/* TDB management routines */
void tdb_add_inp(struct tdb *, struct inpcb *, int);
uint32_t reserve_spi(u_int, u_int32_t, u_int32_t, union sockaddr_union *,
diff --git sys/netinet/ipsec_input.c sys/netinet/ipsec_input.c
index 498c940..89b27c8 100644
--- sys/netinet/ipsec_input.c
+++ sys/netinet/ipsec_input.c
@@ -123,10 +123,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff,
int af, int sproto,
struct tdb *tdbp;
struct ifnet *encif;
u_int32_t spi;
u_int16_t cpi;
int s, error;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
IPSEC_ISTAT(espstat.esps_input, ahstat.ahs_input,
ipcompstat.ipcomps_input);
if (m == 0) {
@@ -230,37 +233,43 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff,
int af, int sproto,
spi, &dst_address, sproto);
if (tdbp == NULL) {
splx(s);
DPRINTF(("ipsec_common_input(): could not find SA for "
"packet to %s, spi %08x\n",
- ipsp_address(dst_address), ntohl(spi)));
+ ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi)));
m_freem(m);
IPSEC_ISTAT(espstat.esps_notdb, ahstat.ahs_notdb,
ipcompstat.ipcomps_notdb);
return ENOENT;
}
if (tdbp->tdb_flags & TDBF_INVALID) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use invalid SA
%s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use invalid "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_invalid, ahstat.ahs_invalid,
ipcompstat.ipcomps_invalid);
return EINVAL;
}
if (udpencap && !(tdbp->tdb_flags & TDBF_UDPENCAP)) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use non-udpencap
SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use non-udpencap "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
espstat.esps_udpinval++;
return EINVAL;
}
if (tdbp->tdb_xform == NULL) {
splx(s);
- DPRINTF(("ipsec_common_input(): attempted to use uninitialized
SA %s/%08x/%u\n", ipsp_address(dst_address), ntohl(spi), tdbp->tdb_sproto));
+ DPRINTF(("ipsec_common_input(): attempted to use uninitialized "
+ "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_noxform, ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
return ENXIO;
}
@@ -269,12 +278,12 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff,
int af, int sproto,
if ((encif = enc_getif(tdbp->tdb_rdomain,
tdbp->tdb_tap)) == NULL) {
splx(s);
DPRINTF(("ipsec_common_input(): "
"no enc%u interface for SA %s/%08x/%u\n",
- tdbp->tdb_tap, ipsp_address(dst_address),
- ntohl(spi), tdbp->tdb_sproto));
+ tdbp->tdb_tap, ipsp_address(&dst_address, buf,
+ sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
m_freem(m);
IPSEC_ISTAT(espstat.esps_pdrops,
ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
@@ -330,10 +339,14 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp,
int skip, int protoff,
struct ip6_hdr *ip6, ip6n;
#endif /* INET6 */
struct m_tag *mtag;
struct tdb_ident *tdbi;
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
+
af = tdbp->tdb_dst.sa.sa_family;
sproto = tdbp->tdb_sproto;
tdbp->tdb_last_used = time_second;
@@ -347,12 +360,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp,
int skip, int protoff,
/* Fix IPv4 header */
if (af == AF_INET) {
if ((m->m_len < skip) && ((m = m_pullup(m, skip)) == NULL)) {
DPRINTF(("ipsec_common_input_cb(): processing failed "
- "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
+ "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
return ENOBUFS;
}
@@ -399,12 +412,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp,
int skip, int protoff,
{
if (m->m_len < sizeof(struct ip6_hdr) &&
(m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
DPRINTF(("ipsec_common_input_cb(): processing failed "
- "for SA %s/%08x\n", ipsp_address(tdbp->tdb_dst),
- ntohl(tdbp->tdb_spi)));
+ "for SA %s/%08x\n", ipsp_address(&tdbp->tdb_dst,
+ buf, sizeof(buf)), ntohl(tdbp->tdb_spi)));
IPSEC_ISTAT(espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
return EACCES;
}
@@ -854,11 +867,11 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct
sockaddr *sa,
/* Store adjusted MTU in tdb */
tdbp->tdb_mtu = mtu;
tdbp->tdb_mtutimeout = time_second +
ip_mtudisc_timeout;
DPRINTF(("ipsec_common_ctlinput: "
- "spi %08x mtu %d adjust %d\n",
+ "spi %08x mtu %d adjust %ld\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust));
}
splx(s);
return (NULL);
@@ -913,11 +926,11 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int
rdomain, void *v)
/* Store adjusted MTU in tdb */
tdbp->tdb_mtu = mtu - adjust;
tdbp->tdb_mtutimeout = time_second +
ip_mtudisc_timeout;
DPRINTF(("udpencap_ctlinput: "
- "spi %08x mtu %d adjust %d\n",
+ "spi %08x mtu %d adjust %ld\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust));
}
}
}
diff --git sys/netinet/ipsec_output.c sys/netinet/ipsec_output.c
index 95717a3..40de7c1 100644
--- sys/netinet/ipsec_output.c
+++ sys/netinet/ipsec_output.c
@@ -78,10 +78,14 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int
af, int tunalready)
struct ip *ip;
#ifdef INET6
struct ip6_hdr *ip6;
#endif /* INET6 */
+#ifdef ENCDEBUG
+ char buf[INET6_ADDRSTRLEN];
+#endif
+
/* Check that the transform is allowed by the administrator. */
if ((tdb->tdb_sproto == IPPROTO_ESP && !esp_enable) ||
(tdb->tdb_sproto == IPPROTO_AH && !ah_enable) ||
(tdb->tdb_sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
DPRINTF(("ipsp_process_packet(): IPsec outbound packet "
@@ -98,12 +102,12 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int
af, int tunalready)
}
/* Check if the SPI is invalid. */
if (tdb->tdb_flags & TDBF_INVALID) {
DPRINTF(("ipsp_process_packet(): attempt to use invalid "
- "SA %s/%08x/%u\n", ipsp_address(tdb->tdb_dst),
- ntohl(tdb->tdb_spi), tdb->tdb_sproto));
+ "SA %s/%08x/%u\n", ipsp_address(&tdb->tdb_dst, buf,
+ sizeof(buf)), ntohl(tdb->tdb_spi), tdb->tdb_sproto));
m_freem(m);
return ENXIO;
}
/* Check that the network protocol is supported */
@@ -117,12 +121,13 @@ ipsp_process_packet(struct mbuf *m, struct tdb *tdb, int
af, int tunalready)
#endif /* INET6 */
default:
DPRINTF(("ipsp_process_packet(): attempt to use "
"SA %s/%08x/%u for protocol family %d\n",
- ipsp_address(tdb->tdb_dst), ntohl(tdb->tdb_spi),
- tdb->tdb_sproto, tdb->tdb_dst.sa.sa_family));
+ ipsp_address(&tdb->tdb_dst, buf, sizeof(buf)),
+ ntohl(tdb->tdb_spi), tdb->tdb_sproto,
+ tdb->tdb_dst.sa.sa_family));
m_freem(m);
return ENXIO;
}
/*
@@ -574,11 +579,11 @@ ipsec_adjust_mtu(struct mbuf *m, u_int32_t mtu)
mtu -= adjust;
tdbp->tdb_mtu = mtu;
tdbp->tdb_mtutimeout = time_second + ip_mtudisc_timeout;
DPRINTF(("ipsec_adjust_mtu: "
- "spi %08x mtu %d adjust %d mbuf %p\n",
+ "spi %08x mtu %d adjust %ld mbuf %p\n",
ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
adjust, m));
}
splx(s);
