On Tue, Jul 30, 2013 at 11:30:51AM +0200, Martin Pieuchot wrote: > On 12/07/13(Fri) 11:35, Mike Belopuhov wrote: > > Hi, > > > > As it was pointed out by dhill there are some rogue splnets in > > the tcp_input that shouldn't be there really. The only reason > > they're still there is to match overzealous splnets in bridge_ > > broadcast. bridge_ifenqueue is the only function call in there > > that requires splnet protection since it's dealing with send > > queues. Narrowing the range of the splnet protection allows us > > to remove all splnet protection of the IPsec SPD and TDB code. > > This as well removes the only pf_test call done under IPL_NET. > > > > Below are essentially two diffs that are rather hard to separate. > > I've tested the diff with the gif-to-ethernet IPsec bridge but > > some additional IPsec and bridge testing won't hurt. > > > > mpi@ has provided some feedback already, so I'm really looking > > for OK's on this. > > ok mpi@
been running this on i386 for a while with plenty of ipsec traffic. no issues. > > > diff --git sys/net/if_bridge.c sys/net/if_bridge.c > > index 41d7b67..0ca2710 100644 > > --- sys/net/if_bridge.c > > +++ sys/net/if_bridge.c > > @@ -969,12 +969,10 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, > > struct sockaddr *sa, > > return (ENOBUFS); > > } > > eh = mtod(m, struct ether_header *); > > dst = (struct ether_addr *)&eh->ether_dhost[0]; > > > > - s = splnet(); > > - > > /* > > * If bridge is down, but original output interface is up, > > * go ahead and send out that interface. Otherwise the packet > > * is dropped below. > > */ > > @@ -1007,11 +1005,10 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, > > struct sockaddr *sa, > > */ > > if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, > > NULL)) != NULL) { > > ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1)); > > m_freem(m); > > - splx(s); > > return (0); > > } > > #endif /* IPSEC */ > > bridge_span(sc, NULL, m); > > > > @@ -1074,22 +1071,24 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, > > struct sockaddr *sa, > > m1->m_pkthdr.len = len; > > } > > mc = m1; > > } > > > > + s = splnet(); > > error = bridge_ifenqueue(sc, dst_if, mc); > > + splx(s); > > if (error) > > continue; > > } > > if (!used) > > m_freem(m); > > - splx(s); > > return (0); > > } > > > > sendunicast: > > bridge_span(sc, NULL, m); > > + s = splnet(); > > if ((dst_if->if_flags & IFF_RUNNING) == 0) { > > m_freem(m); > > splx(s); > > return (ENETDOWN); > > } > > @@ -1251,13 +1250,11 @@ bridgeintr_frame(struct bridge_softc *sc, struct > > mbuf *m) > > * If the packet is a multicast or broadcast OR if we don't > > * know any better, forward it to all interfaces. > > */ > > if ((m->m_flags & (M_BCAST | M_MCAST)) || dst_if == NULL) { > > sc->sc_if.if_imcasts++; > > - s = splnet(); > > bridge_broadcast(sc, src_if, &eh, m); > > - splx(s); > > return; > > } > > > > /* > > * At this point, we're dealing with a unicast frame going to a > > @@ -1496,13 +1493,11 @@ bridge_broadcast(struct bridge_softc *sc, struct > > ifnet *ifp, > > struct ether_header *eh, struct mbuf *m) > > { > > struct bridge_iflist *p; > > struct mbuf *mc; > > struct ifnet *dst_if; > > - int len, used = 0; > > - > > - splassert(IPL_NET); > > + int len, s, used = 0; > > > > TAILQ_FOREACH(p, &sc->sc_iflist, next) { > > /* > > * Don't retransmit out of the same interface where > > * the packet was received from. > > @@ -1587,11 +1582,13 @@ bridge_broadcast(struct bridge_softc *sc, struct > > ifnet *ifp, > > len += ETHER_VLAN_ENCAP_LEN; > > #endif > > if ((len - ETHER_HDR_LEN) > dst_if->if_mtu) > > bridge_fragment(sc, dst_if, eh, mc); > > else { > > + s = splnet(); > > bridge_ifenqueue(sc, dst_if, mc); > > + splx(s); > > } > > } > > > > if (!used) > > m_freem(m); > > @@ -1643,11 +1640,11 @@ bridge_span(struct bridge_softc *sc, struct > > ether_header *eh, > > struct mbuf *morig) > > { > > struct bridge_iflist *p; > > struct ifnet *ifp; > > struct mbuf *mc, *m; > > - int error; > > + int s, error; > > > > if (TAILQ_EMPTY(&sc->sc_spanlist)) > > return; > > > > m = m_copym2(morig, 0, M_COPYALL, M_NOWAIT); > > @@ -1679,11 +1676,13 @@ bridge_span(struct bridge_softc *sc, struct > > ether_header *eh, > > if (mc == NULL) { > > sc->sc_if.if_oerrors++; > > continue; > > } > > > > + s = splnet(); > > error = bridge_ifenqueue(sc, ifp, mc); > > + splx(s); > > if (error) > > continue; > > } > > m_freem(m); > > } > > diff --git sys/netinet/ip_input.c sys/netinet/ip_input.c > > index 664afbf..221a6f4 100644 > > --- sys/netinet/ip_input.c > > +++ sys/netinet/ip_input.c > > @@ -243,11 +243,11 @@ ipv4_input(struct mbuf *m) > > { > > struct ip *ip; > > int hlen, len; > > in_addr_t pfrdr = 0; > > #ifdef IPSEC > > - int error, s; > > + int error; > > struct tdb *tdb; > > struct tdb_ident *tdbi; > > struct m_tag *mtag; > > #endif /* IPSEC */ > > > > @@ -452,20 +452,18 @@ ipv4_input(struct mbuf *m) > > /* > > * IPsec policy check for forwarded packets. Look at > > * inner-most IPsec SA used. > > */ > > mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); > > - s = splnet(); > > if (mtag != NULL) { > > tdbi = (struct tdb_ident *)(mtag + 1); > > tdb = gettdb(tdbi->rdomain, tdbi->spi, > > &tdbi->dst, tdbi->proto); > > } else > > tdb = NULL; > > ipsp_spd_lookup(m, AF_INET, hlen, &error, > > IPSP_DIRECTION_IN, tdb, NULL, 0); > > - splx(s); > > > > /* Error or otherwise drop-packet indication */ > > if (error) { > > ipstat.ips_cantforward++; > > goto bad; > > @@ -495,11 +493,11 @@ ip_ours(struct mbuf *m) > > struct ip *ip = mtod(m, struct ip *); > > struct ipq *fp; > > struct ipqent *ipqe; > > int mff, hlen; > > #ifdef IPSEC > > - int error, s; > > + int error; > > struct tdb *tdb; > > struct tdb_ident *tdbi; > > struct m_tag *mtag; > > #endif /* IPSEC */ > > > > @@ -637,20 +635,18 @@ found: > > * kinds of tunneling headers have been seen in-between the > > * IPsec headers), and I don't think we lose much functionality > > * that's needed in the real world (who uses bundles anyway ?). > > */ > > mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); > > - s = splnet(); > > if (mtag) { > > tdbi = (struct tdb_ident *)(mtag + 1); > > tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, > > tdbi->proto); > > } else > > tdb = NULL; > > ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN, > > tdb, NULL, 0); > > - splx(s); > > > > /* Error or otherwise drop-packet indication. */ > > if (error) { > > ipstat.ips_cantforward++; > > goto bad; > > diff --git sys/netinet/ip_output.c sys/netinet/ip_output.c > > index e0e6b7d..088dd01 100644 > > --- sys/netinet/ip_output.c > > +++ sys/netinet/ip_output.c > > @@ -107,11 +107,10 @@ ip_output(struct mbuf *m0, ...) > > struct tdb_ident *tdbi; > > > > struct inpcb *inp; > > struct tdb *tdb; > > u_int32_t ipsecflowinfo; > > - int s; > > #if NPF > 0 > > struct ifnet *encif; > > #endif > > #endif /* IPSEC */ > > > > @@ -254,16 +253,10 @@ reroute: > > > > #ifdef IPSEC > > if (!ipsec_in_use && inp == NULL) > > goto done_spd; > > > > - /* > > - * splnet is chosen over splsoftnet because we are not allowed to > > - * lower the level, and udp_output calls us in splnet(). > > - */ > > - s = splnet(); > > - > > /* Do we have any pending SAs to apply ? */ > > mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL); > > if (mtag != NULL) { > > #ifdef DIAGNOSTIC > > if (mtag->m_tag_len != sizeof (struct tdb_ident)) > > @@ -280,12 +273,10 @@ reroute: > > else > > tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error, > > IPSP_DIRECTION_OUT, NULL, inp, ipsecflowinfo); > > > > if (tdb == NULL) { > > - splx(s); > > - > > if (error == 0) { > > /* > > * No IPsec processing required, we'll just send the > > * packet out. > > */ > > @@ -316,21 +307,19 @@ reroute: > > if (tdbi->spi == tdb->tdb_spi && > > tdbi->proto == tdb->tdb_sproto && > > tdbi->rdomain == tdb->tdb_rdomain && > > !bcmp(&tdbi->dst, &tdb->tdb_dst, > > sizeof(union sockaddr_union))) { > > - splx(s); > > sproto = 0; /* mark as no-IPsec-needed */ > > goto done_spd; > > } > > } > > > > /* We need to do IPsec */ > > bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); > > sspi = tdb->tdb_spi; > > sproto = tdb->tdb_sproto; > > - splx(s); > > > > /* > > * If it needs TCP/UDP hardware-checksumming, do the > > * computation now. > > */ > > @@ -573,18 +562,15 @@ sendit: > > #ifdef IPSEC > > /* > > * Check if the packet needs encapsulation. > > */ > > if (sproto != 0) { > > - s = splnet(); > > - > > tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain), > > sspi, &sdst, sproto); > > if (tdb == NULL) { > > DPRINTF(("ip_output: unknown TDB")); > > error = EHOSTUNREACH; > > - splx(s); > > m_freem(m); > > goto done; > > } > > > > /* > > @@ -593,16 +579,14 @@ sendit: > > #if NPF > 0 > > if ((encif = enc_getif(tdb->tdb_rdomain, > > tdb->tdb_tap)) == NULL || > > pf_test(AF_INET, PF_OUT, encif, &m, NULL) != PF_PASS) { > > error = EACCES; > > - splx(s); > > m_freem(m); > > goto done; > > } > > if (m == NULL) { > > - splx(s); > > goto done; > > } > > ip = mtod(m, struct ip *); > > hlen = ip->ip_hl << 2; > > /* > > @@ -625,11 +609,10 @@ sendit: > > > > transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) > > && > > (tdb->tdb_dst.sin.sin_addr.s_addr == > > ip->ip_dst.s_addr); > > icmp_mtu = tdb->tdb_mtu; > > - splx(s); > > > > /* Find a host route to store the mtu in */ > > if (ro != NULL) > > rt = ro->ro_rt; > > /* but don't add a PMTU route for transport mode SAs */ > > @@ -665,11 +648,10 @@ sendit: > > */ > > m->m_flags &= ~(M_MCAST | M_BCAST); > > > > /* Callee frees mbuf */ > > error = ipsp_process_packet(m, tdb, AF_INET, 0); > > - splx(s); > > return error; /* Nothing more to be done */ > > } > > > > /* > > * If we got here and IPsec crypto processing didn't happen, drop it. > > diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c > > index 4e39e7f..c44e796 100644 > > --- sys/netinet/tcp_input.c > > +++ sys/netinet/tcp_input.c > > @@ -376,11 +376,11 @@ tcp_input(struct mbuf *m, ...) > > #endif /* INET6 */ > > #ifdef IPSEC > > struct m_tag *mtag; > > struct tdb_ident *tdbi; > > struct tdb *tdb; > > - int error, s; > > + int error; > > #endif /* IPSEC */ > > int af; > > #ifdef TCP_ECN > > u_char iptos; > > #endif > > @@ -884,22 +884,20 @@ findpcb: > > #endif > > > > #ifdef IPSEC > > /* Find most recent IPsec tag */ > > mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); > > - s = splnet(); > > if (mtag != NULL) { > > tdbi = (struct tdb_ident *)(mtag + 1); > > tdb = gettdb(tdbi->rdomain, tdbi->spi, > > &tdbi->dst, tdbi->proto); > > } else > > tdb = NULL; > > ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN, > > tdb, inp, 0); > > if (error) { > > tcpstat.tcps_rcvnosec++; > > - splx(s); > > goto drop; > > } > > > > /* Latch SA */ > > if (inp->inp_tdb_in != tdb) { > > @@ -907,11 +905,10 @@ findpcb: > > tdb_add_inp(tdb, inp, 1); > > if (inp->inp_ipo == NULL) { > > inp->inp_ipo = ipsec_add_policy(inp, af, > > IPSP_DIRECTION_OUT); > > if (inp->inp_ipo == NULL) { > > - splx(s); > > goto drop; > > } > > } > > if (inp->inp_ipo->ipo_dstid == NULL && > > tdb->tdb_srcid != NULL) { > > @@ -934,11 +931,10 @@ findpcb: > > TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp, > > inp_tdb_in_next); > > inp->inp_tdb_in = NULL; > > } > > } > > - splx(s); > > #endif /* IPSEC */ > > > > /* > > * Segment received on connection. > > * Reset idle time and keep-alive timer. > > @@ -967,11 +963,11 @@ findpcb: > > if (opti.ts_present && opti.ts_ecr) { > > int rtt_test; > > > > /* subtract out the tcp timestamp modulator */ > > opti.ts_ecr -= tp->ts_modulate; > > - > > + > > /* make sure ts_ecr is sensible */ > > rtt_test = tcp_now - opti.ts_ecr; > > if (rtt_test < 0 || rtt_test > TCP_RTT_MAX) > > opti.ts_ecr = 0; > > } > > diff --git sys/netinet/udp_usrreq.c sys/netinet/udp_usrreq.c > > index 2b5623f..b1f2c5c 100644 > > --- sys/netinet/udp_usrreq.c > > +++ sys/netinet/udp_usrreq.c > > @@ -176,11 +176,11 @@ udp_input(struct mbuf *m, ...) > > #endif /* INET6 */ > > #ifdef IPSEC > > struct m_tag *mtag; > > struct tdb_ident *tdbi; > > struct tdb *tdb; > > - int error, s; > > + int error; > > u_int32_t ipsecflowinfo = 0; > > #endif /* IPSEC */ > > > > va_start(ap, m); > > iphlen = va_arg(ap, int); > > @@ -598,22 +598,20 @@ udp_input(struct mbuf *m, ...) > > m->m_pkthdr.pf.statekey = NULL; > > #endif > > > > #ifdef IPSEC > > mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); > > - s = splnet(); > > if (mtag != NULL) { > > tdbi = (struct tdb_ident *)(mtag + 1); > > tdb = gettdb(tdbi->rdomain, tdbi->spi, > > &tdbi->dst, tdbi->proto); > > } else > > tdb = NULL; > > ipsp_spd_lookup(m, srcsa.sa.sa_family, iphlen, &error, > > IPSP_DIRECTION_IN, tdb, inp, 0); > > if (error) { > > udpstat.udps_nosec++; > > - splx(s); > > goto bad; > > } > > > > /* Latch SA only if the socket is connected */ > > if (inp->inp_tdb_in != tdb && > > @@ -622,11 +620,10 @@ udp_input(struct mbuf *m, ...) > > tdb_add_inp(tdb, inp, 1); > > if (inp->inp_ipo == NULL) { > > inp->inp_ipo = ipsec_add_policy(inp, > > srcsa.sa.sa_family, IPSP_DIRECTION_OUT); > > if (inp->inp_ipo == NULL) { > > - splx(s); > > goto bad; > > } > > } > > if (inp->inp_ipo->ipo_dstid == NULL && > > tdb->tdb_srcid != NULL) { > > @@ -653,11 +650,10 @@ udp_input(struct mbuf *m, ...) > > } > > /* create ipsec options while we know that tdb cannot be modified */ > > if (tdb) > > ipsecflowinfo = tdb->tdb_spi; > > > > - splx(s); > > #endif /*IPSEC */ > > > > opts = NULL; > > #ifdef INET6 > > if (ip6 && (inp->inp_flags & IN6P_CONTROLOPTS || > > diff --git sys/netinet6/ip6_forward.c sys/netinet6/ip6_forward.c > > index 4e2e459..0444352 100644 > > --- sys/netinet6/ip6_forward.c > > +++ sys/netinet6/ip6_forward.c > > @@ -98,11 +98,10 @@ ip6_forward(struct mbuf *m, int srcrt) > > struct m_tag *mtag; > > union sockaddr_union sdst; > > struct tdb_ident *tdbi; > > u_int32_t sspi; > > struct tdb *tdb; > > - int s; > > #if NPF > 0 > > struct ifnet *encif; > > #endif > > #endif /* IPSEC */ > > u_int rtableid = 0; > > @@ -146,12 +145,10 @@ reroute: > > > > #ifdef IPSEC > > if (!ipsec_in_use) > > goto done_spd; > > > > - s = splnet(); > > - > > /* > > * Check if there was an outgoing SA bound to the flow > > * from a transport protocol. > > */ > > > > @@ -172,12 +169,10 @@ reroute: > > } else > > tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr), > > &error, IPSP_DIRECTION_OUT, NULL, NULL, 0); > > > > if (tdb == NULL) { > > - splx(s); > > - > > if (error == 0) { > > /* > > * No IPsec processing required, we'll just send the > > * packet out. > > */ > > @@ -207,21 +202,19 @@ reroute: > > if (tdbi->spi == tdb->tdb_spi && > > tdbi->proto == tdb->tdb_sproto && > > tdbi->rdomain == tdb->tdb_rdomain && > > !bcmp(&tdbi->dst, &tdb->tdb_dst, > > sizeof(union sockaddr_union))) { > > - splx(s); > > sproto = 0; /* mark as no-IPsec-needed */ > > goto done_spd; > > } > > } > > > > /* We need to do IPsec */ > > bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); > > sspi = tdb->tdb_spi; > > sproto = tdb->tdb_sproto; > > - splx(s); > > } > > > > /* Fall through to the routing/multicast handling code */ > > done_spd: > > #endif /* IPSEC */ > > @@ -335,34 +328,28 @@ reroute: > > * ipsp_process_packet will never come back to here. > > * XXX ipsp_process_packet() calls ip6_output(), and there'll be no > > * PMTU notification. is it okay? > > */ > > if (sproto != 0) { > > - s = splnet(); > > - > > tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain), > > sspi, &sdst, sproto); > > if (tdb == NULL) { > > - splx(s); > > error = EHOSTUNREACH; > > m_freem(m); > > goto senderr; /*XXX*/ > > } > > > > #if NPF > 0 > > if ((encif = enc_getif(tdb->tdb_rdomain, > > tdb->tdb_tap)) == NULL || > > pf_test(AF_INET6, PF_FWD, encif, &m, NULL) != PF_PASS) { > > - splx(s); > > error = EHOSTUNREACH; > > m_freem(m); > > goto senderr; > > } > > - if (m == NULL) { > > - splx(s); > > + if (m == NULL) > > goto senderr; > > - } > > ip6 = mtod(m, struct ip6_hdr *); > > /* > > * PF_TAG_REROUTE handling or not... > > * Packet is entering IPsec so the routing is > > * already overruled by the IPsec policy. > > @@ -374,11 +361,10 @@ reroute: > > > > m->m_flags &= ~(M_BCAST | M_MCAST); /* just in case */ > > > > /* Callee frees mbuf */ > > error = ipsp_process_packet(m, tdb, AF_INET6, 0); > > - splx(s); > > m_freem(mcopy); > > goto freert; > > } > > #endif /* IPSEC */ > > > > diff --git sys/netinet6/ip6_output.c sys/netinet6/ip6_output.c > > index d9a11ce..88ccf90 100644 > > --- sys/netinet6/ip6_output.c > > +++ sys/netinet6/ip6_output.c > > @@ -171,11 +171,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, > > struct route_in6 *ro, > > struct m_tag *mtag; > > union sockaddr_union sdst; > > struct tdb_ident *tdbi; > > u_int32_t sspi; > > struct tdb *tdb; > > - int s; > > #if NPF > 0 > > struct ifnet *encif; > > #endif > > #endif /* IPSEC */ > > > > @@ -214,16 +213,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, > > struct route_in6 *ro, > > #ifdef IPSEC > > if (!ipsec_in_use && !inp) > > goto done_spd; > > > > /* > > - * splnet is chosen over splsoftnet because we are not allowed to > > - * lower the level, and udp6_output calls us in splnet(). XXX check > > - */ > > - s = splnet(); > > - > > - /* > > * Check if there was an outgoing SA bound to the flow > > * from a transport protocol. > > */ > > ip6 = mtod(m, struct ip6_hdr *); > > > > @@ -243,12 +236,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, > > struct route_in6 *ro, > > } else > > tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr), > > &error, IPSP_DIRECTION_OUT, NULL, inp, 0); > > > > if (tdb == NULL) { > > - splx(s); > > - > > if (error == 0) { > > /* > > * No IPsec processing required, we'll just send the > > * packet out. > > */ > > @@ -278,21 +269,19 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, > > struct route_in6 *ro, > > if (tdbi->spi == tdb->tdb_spi && > > tdbi->proto == tdb->tdb_sproto && > > tdbi->rdomain == tdb->tdb_rdomain && > > !bcmp(&tdbi->dst, &tdb->tdb_dst, > > sizeof(union sockaddr_union))) { > > - splx(s); > > sproto = 0; /* mark as no-IPsec-needed */ > > goto done_spd; > > } > > } > > > > /* We need to do IPsec */ > > bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst)); > > sspi = tdb->tdb_spi; > > sproto = tdb->tdb_sproto; > > - splx(s); > > } > > > > /* Fall through to the routing/multicast handling code */ > > done_spd: > > #endif /* IPSEC */ > > @@ -495,39 +484,33 @@ reroute: > > /* > > * Check if the packet needs encapsulation. > > * ipsp_process_packet will never come back to here. > > */ > > if (sproto != 0) { > > - s = splnet(); > > - > > /* > > * XXX what should we do if ip6_hlim == 0 and the > > * packet gets tunneled? > > */ > > > > tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain), > > sspi, &sdst, sproto); > > if (tdb == NULL) { > > - splx(s); > > error = EHOSTUNREACH; > > m_freem(m); > > goto done; > > } > > > > #if NPF > 0 > > if ((encif = enc_getif(tdb->tdb_rdomain, > > tdb->tdb_tap)) == NULL || > > pf_test(AF_INET6, PF_OUT, encif, &m, NULL) != PF_PASS) { > > - splx(s); > > error = EHOSTUNREACH; > > m_freem(m); > > goto done; > > } > > - if (m == NULL) { > > - splx(s); > > + if (m == NULL) > > goto done; > > - } > > ip6 = mtod(m, struct ip6_hdr *); > > /* > > * PF_TAG_REROUTE handling or not... > > * Packet is entering IPsec so the routing is > > * already overruled by the IPsec policy. > > @@ -545,11 +528,10 @@ reroute: > > * packet just because ip6_dst is different from what tdb has. > > * XXX > > */ > > error = ipsp_process_packet(m, tdb, AF_INET6, > > exthdrs.ip6e_rthdr ? 1 : 0); > > - splx(s); > > > > return error; /* Nothing more to be done */ > > } > > #endif /* IPSEC */ > > > > >