Module Name: src Committed By: maxv Date: Mon May 14 17:34:26 UTC 2018
Modified Files: src/sys/netinet: ip_input.c src/sys/netinet6: ip6_input.c src/sys/netipsec: ipsec.c ipsec.h ipsec6.h src/sys/rump/librump/rumpnet: net_stub.c Log Message: Merge ipsec4_input and ipsec6_input into ipsec_ip_input. Make the argument a bool for clarity. Optimize the function: if M_CANFASTFWD is not there (because already removed by the firewall) leave now. Makes it easier to see that M_CANFASTFWD is not removed on IPv6. To generate a diff of this commit: cvs rdiff -u -r1.382 -r1.383 src/sys/netinet/ip_input.c cvs rdiff -u -r1.201 -r1.202 src/sys/netinet6/ip6_input.c cvs rdiff -u -r1.163 -r1.164 src/sys/netipsec/ipsec.c cvs rdiff -u -r1.81 -r1.82 src/sys/netipsec/ipsec.h cvs rdiff -u -r1.28 -r1.29 src/sys/netipsec/ipsec6.h cvs rdiff -u -r1.35 -r1.36 src/sys/rump/librump/rumpnet/net_stub.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.382 src/sys/netinet/ip_input.c:1.383
--- src/sys/netinet/ip_input.c:1.382 Thu May 10 05:08:53 2018
+++ src/sys/netinet/ip_input.c Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.382 2018/05/10 05:08:53 maxv Exp $ */
+/* $NetBSD: ip_input.c,v 1.383 2018/05/14 17:34:26 maxv Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.382 2018/05/10 05:08:53 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.383 2018/05/14 17:34:26 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -729,7 +729,7 @@ ip_input(struct mbuf *m)
 #ifdef IPSEC
 /* Check the security policy (SP) for the packet */
 if (ipsec_used) {
- if (ipsec4_input(m, IP_FORWARDING) != 0) {
+ if (ipsec_ip_input(m, true) != 0) {
 goto out;
 }
 }
@@ -776,7 +776,7 @@ ours:
 */
 if (ipsec_used && (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
- if (ipsec4_input(m, 0) != 0) {
+ if (ipsec_ip_input(m, false) != 0) {
 goto out;
 }
 }
Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.201 src/sys/netinet6/ip6_input.c:1.202
--- src/sys/netinet6/ip6_input.c:1.201 Tue May 1 07:21:39 2018
+++ src/sys/netinet6/ip6_input.c Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.201 2018/05/01 07:21:39 maxv Exp $ */
+/* $NetBSD: ip6_input.c,v 1.202 2018/05/14 17:34:26 maxv Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.201 2018/05/01 07:21:39 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.202 2018/05/14 17:34:26 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
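Review bot: The bare `true` in `ipsec_ip_input(m, true)` (ip_input.c hunk at -729) no longer says at the call site what the old `IP_FORWARDING` argument did, and the same applies to `ipsec_ip_input(m, false)` in the hunk at -776 under `ours:`. Going by the ipsec.c part of this commit, `true` is what lets the callee run the outbound policy lookup and clear `M_CANFASTFWD`, so it is worth stating that where the decision is made. I would add `/* forward=true: a matching outbound SP clears M_CANFASTFWD */` above the first call and `/* forward=false: inbound policy check only */` above the second. Both calls sit inside ip_input(), whose body continues outside these hunks.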
@@ -742,7 +742,7 @@ hbhcheck:
 & PR_LASTHDR) != 0) {
 int error;
- error = ipsec6_input(m);
+ error = ipsec_ip_input(m, false);
 if (error) goto bad;
 }
Index: src/sys/netipsec/ipsec.c
diff -u src/sys/netipsec/ipsec.c:1.163 src/sys/netipsec/ipsec.c:1.164
--- src/sys/netipsec/ipsec.c:1.163 Thu May 10 05:15:14 2018
+++ src/sys/netipsec/ipsec.c Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.164 2018/05/14 17:34:26 maxv Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.164 2018/05/14 17:34:26 maxv Exp $");
 /*
 * IPsec controller part.
@@ -697,7 +697,7 @@ ipsec4_output(struct mbuf *m, struct inp
 }
 int
-ipsec4_input(struct mbuf *m, int flags)
+ipsec_ip_input(struct mbuf *m, bool forward)
 {
 struct secpolicy *sp;
 int error, s;
@@ -709,8 +709,7 @@ ipsec4_input(struct mbuf *m, int flags)
 return EINVAL;
 }
- if (flags == 0) {
- /* We are done. */
+ if (!forward || !(m->m_flags & M_CANFASTFWD)) {
 return 0;
 }
@@ -719,12 +718,14 @@ ipsec4_input(struct mbuf *m, int flags)
 * it is a Fast Forward candidate.
 */
 s = splsoftnet();
- sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
+ sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
+ &error, NULL);
 if (sp != NULL) {
 m->m_flags &= ~M_CANFASTFWD;
 KEY_SP_UNREF(&sp);
 }
 splx(s);
+ return 0;
 }
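Review bot: The ip6_input.c call under `hbhcheck:` now relies on the opening of ipsec_ip_input(), which no hunk in this commit shows, to perform the `ipsec_in_reject(m, NULL)` check that the removed ipsec6_input() ran under `splsoftnet()`; only the tail `return EINVAL;` of that part is visible. That equivalence should be confirmed against the full function, including that the reject check handles an IPv6 mbuf and runs at the same priority level. Since the only IPv6 call in this diff passes `false`, `M_CANFASTFWD` is not cleared for IPv6 here, which the log message mentions but the code does not; a comment such as `/* forward=false: inbound check only, M_CANFASTFWD is not touched for IPv6 */` at this call would record it.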
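Review bot: The new guard `if (!forward || !(m->m_flags & M_CANFASTFWD))` in ipsec_ip_input() (ipsec.c hunk at -709) lost the old `/* We are done. */` comment and now folds two different reasons for returning early into one uncommented test. A short comment would help, for example `/* Inbound check done; the lookup below only matters for a forwarded packet that is still a fast-forward candidate. */`. The function would also benefit from a header comment saying that `forward` is true only at the ip_input() call that used to pass `IP_FORWARDING`, and that the visible return values are 0 and EINVAL. The start of the function lies outside this hunk.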
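Review bot: The value that ipsec_checkpolicy() stores through `&error` is never read in the lines shown in the ipsec.c hunk at -719: `M_CANFASTFWD` is cleared only when a policy pointer comes back, and the function then returns 0. If ipsec_checkpolicy() can return NULL while reporting an error (its body is not part of this diff, so this needs confirming), the packet remains a fast-forward candidate on exactly the path where the policy lookup did not succeed. Failing closed looks safer, provided the callee always writes `*error`: `if (sp != NULL || error != 0) m->m_flags &= ~M_CANFASTFWD;` followed by `if (sp != NULL) KEY_SP_UNREF(&sp);`. If ignoring the error is intended, a one-line comment saying why would keep the question from coming back.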
@@ -1828,21 +1829,6 @@ skippolicycheck:
 *needipsecp = needipsec;
 return sp;
 }
-
-int
-ipsec6_input(struct mbuf *m)
-{
- int s, error;
-
- s = splsoftnet();
- error = ipsec_in_reject(m, NULL);
- splx(s);
- if (error) {
- return EINVAL;
- }
-
- return 0;
-}
 #endif /* INET6 */
 /*
Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.81 src/sys/netipsec/ipsec.h:1.82
--- src/sys/netipsec/ipsec.h:1.81 Thu May 10 05:08:53 2018
+++ src/sys/netipsec/ipsec.h Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.81 2018/05/10 05:08:53 maxv Exp $ */
+/* $NetBSD: ipsec.h,v 1.82 2018/05/14 17:34:26 maxv Exp $ */
 /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -256,8 +256,8 @@ void ipsec_invalpcbcacheall(void);
 struct inpcb;
 int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *);
-int ipsec4_input(struct mbuf *, int);
+int ipsec_ip_input(struct mbuf *, bool);
 void ipsec_mtu(struct mbuf *, int *);
 struct inpcb;
Index: src/sys/netipsec/ipsec6.h
diff -u src/sys/netipsec/ipsec6.h:1.28 src/sys/netipsec/ipsec6.h:1.29
--- src/sys/netipsec/ipsec6.h:1.28 Sat Apr 28 14:25:56 2018
+++ src/sys/netipsec/ipsec6.h Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec6.h,v 1.28 2018/04/28 14:25:56 maxv Exp $ */
+/* $NetBSD: ipsec6.h,v 1.29 2018/05/14 17:34:26 maxv Exp $ */
 /* $FreeBSD: ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */
 /* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
@@ -60,7 +60,6 @@ struct m_tag;
 int ipsec6_common_input(struct mbuf **, int *, int);
 int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec6_process_packet(struct mbuf *, const struct ipsecrequest *);
-int ipsec6_input(struct mbuf *);
 #endif /*_KERNEL*/
 #endif /* !_NETIPSEC_IPSEC6_H_ */
Index: src/sys/rump/librump/rumpnet/net_stub.c
diff -u src/sys/rump/librump/rumpnet/net_stub.c:1.35 src/sys/rump/librump/rumpnet/net_stub.c:1.36
--- src/sys/rump/librump/rumpnet/net_stub.c:1.35 Thu May 10 05:08:53 2018
+++ src/sys/rump/librump/rumpnet/net_stub.c Mon May 14 17:34:26 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: net_stub.c,v 1.35 2018/05/10 05:08:53 maxv Exp $ */
+/* $NetBSD: net_stub.c,v 1.36 2018/05/14 17:34:26 maxv Exp $ */
 /*
 * Copyright (c) 2008 Antti Kantee. All Rights Reserved.
@@ -26,7 +26,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.35 2018/05/10 05:08:53 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.36 2018/05/14 17:34:26 maxv Exp $");
 #include <sys/mutex.h>
 #include <sys/param.h>
@@ -97,12 +97,11 @@ __weak_alias(esp4_ctlinput,rumpnet_stub)
 __weak_alias(esp6_ctlinput,rumpnet_stub);
 __weak_alias(ipsec4_output,rumpnet_stub);
 __weak_alias(ipsec4_common_input,rumpnet_stub);
-__weak_alias(ipsec4_input,rumpnet_stub);
 __weak_alias(ipsec6_common_input,rumpnet_stub);
-__weak_alias(ipsec6_input,rumpnet_stub);
 __weak_alias(ipsec6_check_policy,rumpnet_stub);
 __weak_alias(ipsec6_process_packet,rumpnet_stub);
 __weak_alias(ipsec_mtu,rumpnet_stub);
+__weak_alias(ipsec_ip_input,rumpnet_stub);
 __weak_alias(ipsec_set_policy,rumpnet_stub);
 __weak_alias(ipsec_get_policy,rumpnet_stub);
 __weak_alias(ipsec_delete_pcbpolicy,rumpnet_stub);