Author: bz
Date: Wed Apr 27 19:28:42 2011
New Revision: 221129
URL: http://svn.freebsd.org/changeset/base/221129

Log:
  Make IPsec compile without INET by adding appropriate #ifdef checks.
  
  Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c
  to not need three different versions depending on INET, INET6 or both.
  
  Mark two places preparing for not yet supported functionality with IPv6.
  
  Reviewed by:  gnn
  Sponsored by: The FreeBSD Foundation
  Sponsored by: iXsystems
  MFC after:    4 days

Modified:
  head/sys/netinet6/ip6_ipsec.c
  head/sys/netipsec/ipsec_input.c
  head/sys/netipsec/ipsec_output.c
  head/sys/netipsec/key.c
  head/sys/netipsec/xform_ah.c
  head/sys/netipsec/xform_esp.c
  head/sys/netipsec/xform_ipcomp.c
  head/sys/netipsec/xform_ipip.c

Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c       Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netinet6/ip6_ipsec.c       Wed Apr 27 19:28:42 2011        
(r221129)
@@ -30,6 +30,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 
@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
+#include <sys/syslog.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -291,7 +293,11 @@ ip6_ipsec_output(struct mbuf **m, struct
                 * this is done in the normal processing path.
                 */
                if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+                       ipseclog((LOG_DEBUG,
+                           "%s: we do not support IPv4 over IPv6", __func__));
+#ifdef INET
                        in_delayed_cksum(*m);
+#endif
                        (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
                }
 
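Review bot: The added `ipseclog()` call sits outside the `#ifdef INET` guard, so a kernel built with INET logs "we do not support IPv4 over IPv6" for every packet with `CSUM_DELAY_DATA` set even though `in_delayed_cksum(*m)` still runs for it. On a kernel without INET the flag is then cleared with no checksum computed, so the packet appears to continue with an unfinished checksum and only a debug-level trace. Moving the message into an `#else` arm of the guard would limit it to the unsupported case; whether the packet should be dropped there instead is worth deciding explicitly. The enclosing `ip6_ipsec_output()` starts and ends outside this hunk.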

Modified: head/sys/netipsec/ipsec_input.c
==============================================================================
--- head/sys/netipsec/ipsec_input.c     Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/ipsec_input.c     Wed Apr 27 19:28:42 2011        
(r221129)
@@ -119,9 +119,11 @@ ipsec_common_input(struct mbuf *m, int s
        struct secasvar *sav;
        u_int32_t spi;
        int error;
+#ifdef INET
 #ifdef IPSEC_NAT_T
        struct m_tag *tag;
 #endif
+#endif
 
        IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
                V_ipcompstat.ipcomps_input);

Modified: head/sys/netipsec/ipsec_output.c
==============================================================================
--- head/sys/netipsec/ipsec_output.c    Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/ipsec_output.c    Wed Apr 27 19:28:42 2011        
(r221129)
@@ -165,7 +165,29 @@ ipsec_process_done(struct mbuf *m, struc
         */
        if (isr->next) {
                V_ipsec4stat.ips_out_bundlesa++;
-               return ipsec4_process_packet(m, isr->next, 0, 0);
+               sav = isr->next->sav;
+               saidx = &sav->sah->saidx;
+               switch (saidx->dst.sa.sa_family) {
+#ifdef INET
+               case AF_INET:
+                       return ipsec4_process_packet(m, isr->next, 0, 0);
+                       /* NOTREACHED */
+#endif
+#ifdef notyet
+#ifdef INET6
+               case AF_INET6:
+                       /* XXX */
+                       ipsec6_output_trans()
+                       ipsec6_output_tunnel()
+                       /* NOTREACHED */
+#endif /* INET6 */
+#endif
+               default:
+                       DPRINTF(("%s: unknown protocol family %u\n", __func__,
+                           saidx->dst.sa.sa_family));
+                       error = ENXIO;
+                       goto bad;
+               }
        }
        key_sa_recordxfer(sav, m);              /* record data transfer */
 
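Review bot: `sav = isr->next->sav; saidx = &sav->sah->saidx;` dereferences the next request's SA without a NULL check, and nothing in the hunk shows that `isr->next->sav` has already been resolved when `ipsec_process_done()` runs. If the SA for the next bundle member is only looked up later, inside `ipsec4_process_packet()`, this is a NULL dereference in the kernel output path. The assignment also overwrites the function's own `sav`, which the trailing `key_sa_recordxfer(sav, m)` would pick up if a future case ever left the switch without returning. Consider switching on the family of the SA that was just applied, or at least guarding with `if (isr->next->sav == NULL || isr->next->sav->sah == NULL)` before the dereference. The function body starts and ends outside the hunk.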

Modified: head/sys/netipsec/key.c
==============================================================================
--- head/sys/netipsec/key.c     Wed Apr 27 18:25:35 2011        (r221128)
+++ head/sys/netipsec/key.c     Wed Apr 27 19:28:42 2011        (r221129)
@@ -73,7 +73,7 @@
 #include <netinet6/ip6_var.h>
 #endif /* INET6 */
 
-#ifdef INET
+#if defined(INET) || defined(INET6)
 #include <netinet/in_pcb.h>
 #endif
 #ifdef INET6

Modified: head/sys/netipsec/xform_ah.c
==============================================================================
--- head/sys/netipsec/xform_ah.c        Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/xform_ah.c        Wed Apr 27 19:28:42 2011        
(r221129)
@@ -91,6 +91,7 @@ VNET_DEFINE(int, ah_enable) = 1;      /* cont
 VNET_DEFINE(int, ah_cleartos) = 1;     /* clear ip_tos when doing AH calc */
 VNET_DEFINE(struct ahstat, ahstat);
 
+#ifdef INET
 SYSCTL_DECL(_net_inet_ah);
 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
        ah_enable,      CTLFLAG_RW,     &VNET_NAME(ah_enable),  0, "");
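Review bot: With `SYSCTL_DECL(_net_inet_ah)` and its OIDs now inside `#ifdef INET` (the matching `#endif` is in the next hunk), a kernel built with INET6 only has no sysctl to change `ah_enable` or `ah_cleartos` or to read `ahstat`. The variables are still defined with their defaults just above. That leaves the AH knobs and counters unreachable for an administrator on such a kernel. If this is intended for now, record it next to the guard, e.g. `/* XXX: no sysctl node for AH on INET6-only kernels yet */`.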
@@ -98,6 +99,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
        ah_cleartos,    CTLFLAG_RW,     &VNET_NAME(ah_cleartos), 0, "");
 SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
        stats,          CTLFLAG_RD,     &VNET_NAME(ahstat), ahstat, "");
+#endif
 
 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
 
@@ -724,19 +726,6 @@ ah_input(struct mbuf *m, struct secasvar
                return ah_input_cb(crp);
 }
 
-#ifdef INET6
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {         
     \
-       if (saidx->dst.sa.sa_family == AF_INET6) {                           \
-               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-       } else {                                                             \
-               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-       }                                                                    \
-} while (0)
-#else
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)              
     \
-       (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * AH input callback from the crypto driver.
  */
@@ -873,7 +862,21 @@ ah_input_cb(struct cryptop *crp)
                goto bad;
        }
 
-       IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+       switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+       case AF_INET6:
+               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+               break;
+#endif
+#ifdef INET
+       case AF_INET:
+               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+               break;
+#endif
+       default:
+               panic("%s: Unexpected address family: %d saidx=%p", __func__,
+                   saidx->dst.sa.sa_family, saidx);
+       }
 
        KEY_FREESAV(&sav);
        return error;
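Review bot: The `default:` arm calls `panic()` from the crypto completion callback, so an SA whose destination family has no compiled-in case takes the whole machine down instead of failing one packet. The same arm is repeated in `esp_input_cb()` and `ipcomp_input_cb()` in the xform_esp.c and xform_ipcomp.c hunks. Before this change a kernel without INET6 sent every family to `ipsec4_common_input_cb()`, so the panic is new behaviour on a receive path. Unless the SA database is guaranteed never to hold another family, prefer an error return, as the new `default:` in ipsec_output.c does: `DPRINTF(("%s: unexpected address family %d\n", __func__, saidx->dst.sa.sa_family));`, `error = EPFNOSUPPORT;`, `goto bad;`. This assumes the `bad:` cleanup, which lies outside this hunk, is still valid at this point.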

Modified: head/sys/netipsec/xform_esp.c
==============================================================================
--- head/sys/netipsec/xform_esp.c       Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/xform_esp.c       Wed Apr 27 19:28:42 2011        
(r221129)
@@ -451,19 +451,6 @@ esp_input(struct mbuf *m, struct secasva
                return esp_input_cb(crp);
 }
 
-#ifdef INET6
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {         
     \
-       if (saidx->dst.sa.sa_family == AF_INET6) {                           \
-               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-       } else {                                                             \
-               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-       }                                                                    \
-} while (0)
-#else
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)              
     \
-       (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * ESP input callback from the crypto driver.
  */
@@ -647,7 +634,21 @@ esp_input_cb(struct cryptop *crp)
        /* Restore the Next Protocol field */
        m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
 
-       IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+       switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+       case AF_INET6:
+               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+               break;
+#endif
+#ifdef INET
+       case AF_INET:
+               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+               break;
+#endif
+       default:
+               panic("%s: Unexpected address family: %d saidx=%p", __func__,
+                   saidx->dst.sa.sa_family, saidx);
+       }
 
        KEY_FREESAV(&sav);
        return error;

Modified: head/sys/netipsec/xform_ipcomp.c
==============================================================================
--- head/sys/netipsec/xform_ipcomp.c    Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/xform_ipcomp.c    Wed Apr 27 19:28:42 2011        
(r221129)
@@ -213,19 +213,6 @@ ipcomp_input(struct mbuf *m, struct seca
        return crypto_dispatch(crp);
 }
 
-#ifdef INET6
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {         
     \
-       if (saidx->dst.sa.sa_family == AF_INET6) {                           \
-               error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-       } else {                                                             \
-               error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-       }                                                                    \
-} while (0)
-#else
-#define        IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)              
     \
-       (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * IPComp input callback from the crypto driver.
  */
@@ -316,7 +303,21 @@ ipcomp_input_cb(struct cryptop *crp)
        /* Restore the Next Protocol field */
        m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
 
-       IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL);
+       switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+       case AF_INET6:
+               error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
+               break;
+#endif
+#ifdef INET
+       case AF_INET:
+               error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
+               break;
+#endif
+       default:
+               panic("%s: Unexpected address family: %d saidx=%p", __func__,
+                   saidx->dst.sa.sa_family, saidx);
+       }
 
        KEY_FREESAV(&sav);
        return error;

Modified: head/sys/netipsec/xform_ipip.c
==============================================================================
--- head/sys/netipsec/xform_ipip.c      Wed Apr 27 18:25:35 2011        
(r221128)
+++ head/sys/netipsec/xform_ipip.c      Wed Apr 27 19:28:42 2011        
(r221129)
@@ -412,8 +412,10 @@ ipip_output(
        u_int8_t tp, otos;
        struct secasindex *saidx;
        int error;
-#ifdef INET
+#if defined(INET) || defined(INET6)
        u_int8_t itos;
+#endif
+#ifdef INET
        struct ip *ipo;
 #endif /* INET */
 #ifdef INET6
@@ -466,7 +468,8 @@ ipip_output(
                ipo->ip_id = ip_newid();
 
                /* If the inner protocol is IP... */
-               if (tp == IPVERSION) {
+               switch (tp) {
+               case IPVERSION:
                        /* Save ECN notification */
                        m_copydata(m, sizeof(struct ip) +
                            offsetof(struct ip, ip_tos),
@@ -484,9 +487,10 @@ ipip_output(
                        ipo->ip_off = ntohs(ipo->ip_off);
                        ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
                        ipo->ip_off = htons(ipo->ip_off);
-               }
+                       break;
 #ifdef INET6
-               else if (tp == (IPV6_VERSION >> 4)) {
+               case (IPV6_VERSION >> 4):
+               {
                        u_int32_t itos32;
 
                        /* Save ECN notification. */
@@ -496,9 +500,10 @@ ipip_output(
                        itos = ntohl(itos32) >> 20;
                        ipo->ip_p = IPPROTO_IPV6;
                        ipo->ip_off = 0;
+                       break;
                }
 #endif /* INET6 */
-               else {
+               default:
                        goto nofamily;
                }
 
@@ -547,8 +552,9 @@ ipip_output(
                ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
                ip6o->ip6_src = saidx->src.sin6.sin6_addr;
 
+               switch (tp) {
 #ifdef INET
-               if (tp == IPVERSION) {
+               case IPVERSION:
                        /* Save ECN notification */
                        m_copydata(m, sizeof(struct ip6_hdr) +
                            offsetof(struct ip, ip_tos), sizeof(u_int8_t),
@@ -556,21 +562,23 @@ ipip_output(
 
                        /* This is really IPVERSION. */
                        ip6o->ip6_nxt = IPPROTO_IPIP;
-               } else
+                       break;
 #endif /* INET */
-                       if (tp == (IPV6_VERSION >> 4)) {
-                               u_int32_t itos32;
+               case (IPV6_VERSION >> 4):
+               {
+                       u_int32_t itos32;
+
+                       /* Save ECN notification. */
+                       m_copydata(m, sizeof(struct ip6_hdr) +
+                           offsetof(struct ip6_hdr, ip6_flow),
+                           sizeof(u_int32_t), (caddr_t) &itos32);
+                       itos = ntohl(itos32) >> 20;
 
-                               /* Save ECN notification. */
-                               m_copydata(m, sizeof(struct ip6_hdr) +
-                                   offsetof(struct ip6_hdr, ip6_flow),
-                                   sizeof(u_int32_t), (caddr_t) &itos32);
-                               itos = ntohl(itos32) >> 20;
-
-                               ip6o->ip6_nxt = IPPROTO_IPV6;
-                       } else {
-                               goto nofamily;
-                       }
+                       ip6o->ip6_nxt = IPPROTO_IPV6;
+               }
+               default:
+                       goto nofamily;
+               }
 
                otos = 0;
                ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
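Review bot: The `case (IPV6_VERSION >> 4):` block in this hunk closes with `}` straight after `ip6o->ip6_nxt = IPPROTO_IPV6;` and has no `break;`. It therefore falls through into `default: goto nofamily;`, and every IPv6-in-IPv6 packet takes the error path. The old `else if` chain did not behave this way, and the IPv4-outer switch earlier in `ipip_output()` does end its IPv6 case with `break;`. Add `break;` after `ip6o->ip6_nxt = IPPROTO_IPV6;` inside the braces. The `switch (tp)` opens in the previous hunk and the function extends outside both.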
@@ -622,6 +630,7 @@ bad:
 }
 
 #ifdef IPSEC
+#if defined(INET) || defined(INET6)
 static int
 ipe4_init(struct secasvar *sav, struct xformsw *xsp)
 {
@@ -652,6 +661,8 @@ static struct xformsw ipe4_xformsw = {
 };
 
 extern struct domain inetdomain;
+#endif /* INET || INET6 */
+#ifdef INET
 static struct protosw ipe4_protosw = {
        .pr_type =      SOCK_RAW,
        .pr_domain =    &inetdomain,
@@ -661,7 +672,8 @@ static struct protosw ipe4_protosw = {
        .pr_ctloutput = rip_ctloutput,
        .pr_usrreqs =   &rip_usrreqs
 };
-#ifdef INET6
+#endif /* INET */
+#if defined(INET6) && defined(INET)
 static struct ip6protosw ipe6_protosw = {
        .pr_type =      SOCK_RAW,
        .pr_domain =    &inetdomain,
@@ -671,8 +683,9 @@ static struct ip6protosw ipe6_protosw = 
        .pr_ctloutput = rip_ctloutput,
        .pr_usrreqs =   &rip_usrreqs
 };
-#endif
+#endif /* INET6 && INET */
 
+#if defined(INET)
 /*
  * Check the encapsulated packet to see if we want it
  */
@@ -687,6 +700,7 @@ ipe4_encapcheck(const struct mbuf *m, in
         */
        return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
 }
+#endif /* INET */
 
 static void
 ipe4_attach(void)
@@ -695,9 +709,11 @@ ipe4_attach(void)
        xform_register(&ipe4_xformsw);
        /* attach to encapsulation framework */
        /* XXX save return cookie for detach on module remove */
+#ifdef INET
        (void) encap_attach_func(AF_INET, -1,
                ipe4_encapcheck, &ipe4_protosw, NULL);
-#ifdef INET6
+#endif
+#if defined(INET6) && defined(INET)
        (void) encap_attach_func(AF_INET6, -1,
                ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
 #endif
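Review bot: On a kernel built with INET6 but without INET, `ipe4_attach()` now registers the xform and attaches no encapsulation handler at all, because both `encap_attach_func()` calls are compiled out (`ipe6_protosw` points at `inetdomain`). Nothing in the code says that tunnel input is unsupported in that configuration. A comment above the second guard would record it, e.g. `/* XXX: no encap handler on INET6-only kernels; ipe6_protosw depends on inetdomain */`. The ignored return value of `encap_attach_func()` is existing behaviour, but it means a failed attach is silent as well. The function's closing brace is outside the hunk.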