On Tue, Jul 30, 2013 at 11:30:51AM +0200, Martin Pieuchot wrote:
> On 12/07/13(Fri) 11:35, Mike Belopuhov wrote:
> > Hi,
> > 
> > As it was pointed out by dhill there are some rogue splnets in
> > the tcp_input that shouldn't be there really.  The only reason
> > they're still there is to match overzealous splnets in bridge_
> > broadcast.  bridge_ifenqueue is the only function call in there
> > that requires splnet protection since it's dealing with send
> > queues.  Narrowing the range of the splnet protection allows us
> > to remove all splnet protection of the IPsec SPD and TDB code.
> > This as well removes the only pf_test call done under IPL_NET.
> > 
> > Below are essentially two diffs that are rather hard to separate.
> > I've tested the diff with the gif-to-ethernet IPsec bridge but
> > some additional IPsec and bridge testing won't hurt.
> > 
> > mpi@ has provided some feedback already, so I'm really looking
> > for OK's on this.
> 
> ok mpi@

been running this on i386 for a while with plenty of ipsec traffic.  no
issues.

> 
> > diff --git sys/net/if_bridge.c sys/net/if_bridge.c
> > index 41d7b67..0ca2710 100644
> > --- sys/net/if_bridge.c
> > +++ sys/net/if_bridge.c
> > @@ -969,12 +969,10 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, 
> > struct sockaddr *sa,
> >                     return (ENOBUFS);
> >     }
> >     eh = mtod(m, struct ether_header *);
> >     dst = (struct ether_addr *)&eh->ether_dhost[0];
> >  
> > -   s = splnet();
> > -
> >     /*
> >      * If bridge is down, but original output interface is up,
> >      * go ahead and send out that interface.  Otherwise the packet
> >      * is dropped below.
> >      */
> > @@ -1007,11 +1005,10 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, 
> > struct sockaddr *sa,
> >              */
> >             if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED,
> >                 NULL)) != NULL) {
> >                     ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
> >                     m_freem(m);
> > -                   splx(s);
> >                     return (0);
> >             }
> >  #endif /* IPSEC */
> >             bridge_span(sc, NULL, m);
> >  
> > @@ -1074,22 +1071,24 @@ bridge_output(struct ifnet *ifp, struct mbuf *m, 
> > struct sockaddr *sa,
> >                                     m1->m_pkthdr.len = len;
> >                             }
> >                             mc = m1;
> >                     }
> >  
> > +                   s = splnet();
> >                     error = bridge_ifenqueue(sc, dst_if, mc);
> > +                   splx(s);
> >                     if (error)
> >                             continue;
> >             }
> >             if (!used)
> >                     m_freem(m);
> > -           splx(s);
> >             return (0);
> >     }
> >  
> >  sendunicast:
> >     bridge_span(sc, NULL, m);
> > +   s = splnet();
> >     if ((dst_if->if_flags & IFF_RUNNING) == 0) {
> >             m_freem(m);
> >             splx(s);
> >             return (ENETDOWN);
> >     }
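Review bot: The new `s = splnet();` at the `sendunicast:` label now opens a critical section whose closing splx() on the success path (after the unicast bridge_ifenqueue) lies past the end of this hunk, so its pairing cannot be checked here; only the ENETDOWN path's `splx(s)` is visible. Since the earlier hunk removed the function-entry splnet() and this one adds two independent raise/lower pairs, every return between `sendunicast:` and the end of bridge_output must still lower the IPL exactly once — worth confirming against the full function, which continues outside the hunk. A short comment at the label, e.g. `/* splnet only around the enqueue; every exit below must splx(s) */`, would make the new pairing obvious to the next reader.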
> > @@ -1251,13 +1250,11 @@ bridgeintr_frame(struct bridge_softc *sc, struct 
> > mbuf *m)
> >      * If the packet is a multicast or broadcast OR if we don't
> >      * know any better, forward it to all interfaces.
> >      */
> >     if ((m->m_flags & (M_BCAST | M_MCAST)) || dst_if == NULL) {
> >             sc->sc_if.if_imcasts++;
> > -           s = splnet();
> >             bridge_broadcast(sc, src_if, &eh, m);
> > -           splx(s);
> >             return;
> >     }
> >  
> >     /*
> >      * At this point, we're dealing with a unicast frame going to a
> > @@ -1496,13 +1493,11 @@ bridge_broadcast(struct bridge_softc *sc, struct 
> > ifnet *ifp,
> >      struct ether_header *eh, struct mbuf *m)
> >  {
> >     struct bridge_iflist *p;
> >     struct mbuf *mc;
> >     struct ifnet *dst_if;
> > -   int len, used = 0;
> > -
> > -   splassert(IPL_NET);
> > +   int len, s, used = 0;
> >  
> >     TAILQ_FOREACH(p, &sc->sc_iflist, next) {
> >             /*
> >              * Don't retransmit out of the same interface where
> >              * the packet was received from.
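Review bot: `splassert(IPL_NET);` is dropped from bridge_broadcast without a replacement, so the function no longer states the interrupt level it expects from its callers, even though it still touches shared bridge state under the caller's IPL. If the callers (bridgeintr_frame and bridge_output) are always at softnet or higher, `splsoftassert(IPL_SOFTNET);` in its place would keep the DIAGNOSTIC check while matching the diff's intent that only bridge_ifenqueue needs IPL_NET. The function body continues past this hunk.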
> > @@ -1587,11 +1582,13 @@ bridge_broadcast(struct bridge_softc *sc, struct 
> > ifnet *ifp,
> >                     len += ETHER_VLAN_ENCAP_LEN;
> >  #endif
> >             if ((len - ETHER_HDR_LEN) > dst_if->if_mtu)
> >                     bridge_fragment(sc, dst_if, eh, mc);
> >             else {
> > +                   s = splnet();
> >                     bridge_ifenqueue(sc, dst_if, mc);
> > +                   splx(s);
> >             }
> >     }
> >  
> >     if (!used)
> >             m_freem(m);
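Review bot: Only the `else` branch's bridge_ifenqueue() is wrapped in the new splnet()/splx(); the `bridge_fragment(sc, dst_if, eh, mc)` call on the other branch is left at the caller's IPL. If bridge_fragment() itself hands the fragments to bridge_ifenqueue() (which this hunk does not show), it needs the same protection inside it, otherwise the fragment path enqueues onto the send queue without splnet. A comment on the fragment branch stating where its splnet lives, e.g. `/* bridge_fragment() raises splnet around its own enqueues */`, would record the assumption once it is confirmed.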
> > @@ -1643,11 +1640,11 @@ bridge_span(struct bridge_softc *sc, struct 
> > ether_header *eh,
> >      struct mbuf *morig)
> >  {
> >     struct bridge_iflist *p;
> >     struct ifnet *ifp;
> >     struct mbuf *mc, *m;
> > -   int error;
> > +   int s, error;
> >  
> >     if (TAILQ_EMPTY(&sc->sc_spanlist))
> >             return;
> >  
> >     m = m_copym2(morig, 0, M_COPYALL, M_NOWAIT);
> > @@ -1679,11 +1676,13 @@ bridge_span(struct bridge_softc *sc, struct 
> > ether_header *eh,
> >             if (mc == NULL) {
> >                     sc->sc_if.if_oerrors++;
> >                     continue;
> >             }
> >  
> > +           s = splnet();
> >             error = bridge_ifenqueue(sc, ifp, mc);
> > +           splx(s);
> >             if (error)
> >                     continue;
> >     }
> >     m_freem(m);
> >  }
> > diff --git sys/netinet/ip_input.c sys/netinet/ip_input.c
> > index 664afbf..221a6f4 100644
> > --- sys/netinet/ip_input.c
> > +++ sys/netinet/ip_input.c
> > @@ -243,11 +243,11 @@ ipv4_input(struct mbuf *m)
> >  {
> >     struct ip *ip;
> >     int hlen, len;
> >     in_addr_t pfrdr = 0;
> >  #ifdef IPSEC
> > -   int error, s;
> > +   int error;
> >     struct tdb *tdb;
> >     struct tdb_ident *tdbi;
> >     struct m_tag *mtag;
> >  #endif /* IPSEC */
> >  
> > @@ -452,20 +452,18 @@ ipv4_input(struct mbuf *m)
> >             /*
> >              * IPsec policy check for forwarded packets. Look at
> >              * inner-most IPsec SA used.
> >              */
> >             mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
> > -                s = splnet();
> >             if (mtag != NULL) {
> >                     tdbi = (struct tdb_ident *)(mtag + 1);
> >                     tdb = gettdb(tdbi->rdomain, tdbi->spi,
> >                         &tdbi->dst, tdbi->proto);
> >             } else
> >                     tdb = NULL;
> >             ipsp_spd_lookup(m, AF_INET, hlen, &error,
> >                 IPSP_DIRECTION_IN, tdb, NULL, 0);
> > -                splx(s);
> >  
> >             /* Error or otherwise drop-packet indication */
> >             if (error) {
> >                     ipstat.ips_cantforward++;
> >                     goto bad;
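Review bot: With the splnet()/splx() pair removed around the lookup, the `tdb` returned by gettdb() is dereferenced by ipsp_spd_lookup() under only the caller's IPL; that is safe only if every TDB lifetime change (expiry timeouts, free paths) also runs at softnet, which this hunk cannot show and the diff does not document. A one-line comment at the lookup, e.g. `/* TDB/SPD state is only modified at splsoftnet; no splnet needed */`, would state the invariant the whole series now depends on. The same applies to the matching hunks in ip_ours (ip_input.c), tcp_input, udp_input, and to the gettdb()/ipsp_process_packet() windows in ip_output, ip6_forward and ip6_output, where the tdb is held across pf_test() as well.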
> > @@ -495,11 +493,11 @@ ip_ours(struct mbuf *m)
> >     struct ip *ip = mtod(m, struct ip *);
> >     struct ipq *fp;
> >     struct ipqent *ipqe;
> >     int mff, hlen;
> >  #ifdef IPSEC
> > -   int error, s;
> > +   int error;
> >     struct tdb *tdb;
> >     struct tdb_ident *tdbi;
> >     struct m_tag *mtag;
> >  #endif /* IPSEC */
> >  
> > @@ -637,20 +635,18 @@ found:
> >      * kinds of tunneling headers have been seen in-between the
> >      * IPsec headers), and I don't think we lose much functionality
> >      * that's needed in the real world (who uses bundles anyway ?).
> >      */
> >     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
> > -        s = splnet();
> >     if (mtag) {
> >             tdbi = (struct tdb_ident *)(mtag + 1);
> >             tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst,
> >                 tdbi->proto);
> >     } else
> >             tdb = NULL;
> >     ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN,
> >         tdb, NULL, 0);
> > -        splx(s);
> >  
> >     /* Error or otherwise drop-packet indication. */
> >     if (error) {
> >             ipstat.ips_cantforward++;
> >             goto bad;
> > diff --git sys/netinet/ip_output.c sys/netinet/ip_output.c
> > index e0e6b7d..088dd01 100644
> > --- sys/netinet/ip_output.c
> > +++ sys/netinet/ip_output.c
> > @@ -107,11 +107,10 @@ ip_output(struct mbuf *m0, ...)
> >     struct tdb_ident *tdbi;
> >  
> >     struct inpcb *inp;
> >     struct tdb *tdb;
> >     u_int32_t ipsecflowinfo;
> > -   int s;
> >  #if NPF > 0
> >     struct ifnet *encif;
> >  #endif
> >  #endif /* IPSEC */
> >  
> > @@ -254,16 +253,10 @@ reroute:
> >  
> >  #ifdef IPSEC
> >     if (!ipsec_in_use && inp == NULL)
> >             goto done_spd;
> >  
> > -   /*
> > -    * splnet is chosen over splsoftnet because we are not allowed to
> > -    * lower the level, and udp_output calls us in splnet().
> > -    */
> > -   s = splnet();
> > -
> >     /* Do we have any pending SAs to apply ? */
> >     mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
> >     if (mtag != NULL) {
> >  #ifdef DIAGNOSTIC
> >             if (mtag->m_tag_len != sizeof (struct tdb_ident))
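Review bot: The deleted comment was the only place recording why this path ran at splnet (udp_output calling ip_output at IPL_NET); after the removal nothing states what IPL the SPD lookup below is now expected to run at. Since the justification is a property of callers that cannot be seen from this function, a replacement comment above the `m_tag_find` such as `/* SPD/TDB lookups need no splnet: that state is only touched at splsoftnet */` would keep the rationale with the code. The equivalent comment removal in ip6_output (sys/netinet6/ip6_output.c) has the same gap.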
> > @@ -280,12 +273,10 @@ reroute:
> >     else
> >             tdb = ipsp_spd_lookup(m, AF_INET, hlen, &error,
> >                 IPSP_DIRECTION_OUT, NULL, inp, ipsecflowinfo);
> >  
> >     if (tdb == NULL) {
> > -           splx(s);
> > -
> >             if (error == 0) {
> >                     /*
> >                      * No IPsec processing required, we'll just send the
> >                      * packet out.
> >                      */
> > @@ -316,21 +307,19 @@ reroute:
> >                     if (tdbi->spi == tdb->tdb_spi &&
> >                         tdbi->proto == tdb->tdb_sproto &&
> >                         tdbi->rdomain == tdb->tdb_rdomain &&
> >                         !bcmp(&tdbi->dst, &tdb->tdb_dst,
> >                         sizeof(union sockaddr_union))) {
> > -                           splx(s);
> >                             sproto = 0; /* mark as no-IPsec-needed */
> >                             goto done_spd;
> >                     }
> >             }
> >  
> >             /* We need to do IPsec */
> >             bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
> >             sspi = tdb->tdb_spi;
> >             sproto = tdb->tdb_sproto;
> > -           splx(s);
> >  
> >             /*
> >              * If it needs TCP/UDP hardware-checksumming, do the
> >              * computation now.
> >              */
> > @@ -573,18 +562,15 @@ sendit:
> >  #ifdef IPSEC
> >     /*
> >      * Check if the packet needs encapsulation.
> >      */
> >     if (sproto != 0) {
> > -           s = splnet();
> > -
> >             tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain),
> >                 sspi, &sdst, sproto);
> >             if (tdb == NULL) {
> >                     DPRINTF(("ip_output: unknown TDB"));
> >                     error = EHOSTUNREACH;
> > -                   splx(s);
> >                     m_freem(m);
> >                     goto done;
> >             }
> >  
> >             /*
> > @@ -593,16 +579,14 @@ sendit:
> >  #if NPF > 0
> >             if ((encif = enc_getif(tdb->tdb_rdomain,
> >                 tdb->tdb_tap)) == NULL ||
> >                 pf_test(AF_INET, PF_OUT, encif, &m, NULL) != PF_PASS) {
> >                     error = EACCES;
> > -                   splx(s);
> >                     m_freem(m);
> >                     goto done;
> >             }
> >             if (m == NULL) {
> > -                   splx(s);
> >                     goto done;
> >             }
> >             ip = mtod(m, struct ip *);
> >             hlen = ip->ip_hl << 2;
> >             /*
> > @@ -625,11 +609,10 @@ sendit:
> >  
> >                     transportmode = (tdb->tdb_dst.sa.sa_family == AF_INET) 
> > &&
> >                         (tdb->tdb_dst.sin.sin_addr.s_addr ==
> >                         ip->ip_dst.s_addr);
> >                     icmp_mtu = tdb->tdb_mtu;
> > -                   splx(s);
> >  
> >                     /* Find a host route to store the mtu in */
> >                     if (ro != NULL)
> >                             rt = ro->ro_rt;
> >                     /* but don't add a PMTU route for transport mode SAs */
> > @@ -665,11 +648,10 @@ sendit:
> >              */
> >             m->m_flags &= ~(M_MCAST | M_BCAST);
> >  
> >             /* Callee frees mbuf */
> >             error = ipsp_process_packet(m, tdb, AF_INET, 0);
> > -           splx(s);
> >             return error;  /* Nothing more to be done */
> >     }
> >  
> >     /*
> >      * If we got here and IPsec crypto processing didn't happen, drop it.
> > diff --git sys/netinet/tcp_input.c sys/netinet/tcp_input.c
> > index 4e39e7f..c44e796 100644
> > --- sys/netinet/tcp_input.c
> > +++ sys/netinet/tcp_input.c
> > @@ -376,11 +376,11 @@ tcp_input(struct mbuf *m, ...)
> >  #endif /* INET6 */
> >  #ifdef IPSEC
> >     struct m_tag *mtag;
> >     struct tdb_ident *tdbi;
> >     struct tdb *tdb;
> > -   int error, s;
> > +   int error;
> >  #endif /* IPSEC */
> >     int af;
> >  #ifdef TCP_ECN
> >     u_char iptos;
> >  #endif
> > @@ -884,22 +884,20 @@ findpcb:
> >  #endif
> >  
> >  #ifdef IPSEC
> >     /* Find most recent IPsec tag */
> >     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
> > -        s = splnet();
> >     if (mtag != NULL) {
> >             tdbi = (struct tdb_ident *)(mtag + 1);
> >             tdb = gettdb(tdbi->rdomain, tdbi->spi,
> >                 &tdbi->dst, tdbi->proto);
> >     } else
> >             tdb = NULL;
> >     ipsp_spd_lookup(m, af, iphlen, &error, IPSP_DIRECTION_IN,
> >         tdb, inp, 0);
> >     if (error) {
> >             tcpstat.tcps_rcvnosec++;
> > -           splx(s);
> >             goto drop;
> >     }
> >  
> >     /* Latch SA */
> >     if (inp->inp_tdb_in != tdb) {
> > @@ -907,11 +905,10 @@ findpcb:
> >                     tdb_add_inp(tdb, inp, 1);
> >                     if (inp->inp_ipo == NULL) {
> >                             inp->inp_ipo = ipsec_add_policy(inp, af,
> >                                 IPSP_DIRECTION_OUT);
> >                             if (inp->inp_ipo == NULL) {
> > -                                   splx(s);
> >                                     goto drop;
> >                             }
> >                     }
> >                     if (inp->inp_ipo->ipo_dstid == NULL &&
> >                         tdb->tdb_srcid != NULL) {
> > @@ -934,11 +931,10 @@ findpcb:
> >                     TAILQ_REMOVE(&inp->inp_tdb_in->tdb_inp_in, inp,
> >                                  inp_tdb_in_next);
> >                     inp->inp_tdb_in = NULL;
> >             }
> >     }
> > -        splx(s);
> >  #endif /* IPSEC */
> >  
> >     /*
> >      * Segment received on connection.
> >      * Reset idle time and keep-alive timer.
> > @@ -967,11 +963,11 @@ findpcb:
> >     if (opti.ts_present && opti.ts_ecr) {
> >             int rtt_test;
> >  
> >             /* subtract out the tcp timestamp modulator */
> >             opti.ts_ecr -= tp->ts_modulate;
> > -                                                     
> > +
> >             /* make sure ts_ecr is sensible */
> >             rtt_test = tcp_now - opti.ts_ecr;
> >             if (rtt_test < 0 || rtt_test > TCP_RTT_MAX)
> >                     opti.ts_ecr = 0;
> >     }
> > diff --git sys/netinet/udp_usrreq.c sys/netinet/udp_usrreq.c
> > index 2b5623f..b1f2c5c 100644
> > --- sys/netinet/udp_usrreq.c
> > +++ sys/netinet/udp_usrreq.c
> > @@ -176,11 +176,11 @@ udp_input(struct mbuf *m, ...)
> >  #endif /* INET6 */
> >  #ifdef IPSEC
> >     struct m_tag *mtag;
> >     struct tdb_ident *tdbi;
> >     struct tdb *tdb;
> > -   int error, s;
> > +   int error;
> >     u_int32_t ipsecflowinfo = 0;
> >  #endif /* IPSEC */
> >  
> >     va_start(ap, m);
> >     iphlen = va_arg(ap, int);
> > @@ -598,22 +598,20 @@ udp_input(struct mbuf *m, ...)
> >     m->m_pkthdr.pf.statekey = NULL;
> >  #endif
> >  
> >  #ifdef IPSEC
> >     mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
> > -   s = splnet();
> >     if (mtag != NULL) {
> >             tdbi = (struct tdb_ident *)(mtag + 1);
> >             tdb = gettdb(tdbi->rdomain, tdbi->spi,
> >                 &tdbi->dst, tdbi->proto);
> >     } else
> >             tdb = NULL;
> >     ipsp_spd_lookup(m, srcsa.sa.sa_family, iphlen, &error,
> >         IPSP_DIRECTION_IN, tdb, inp, 0);
> >     if (error) {
> >             udpstat.udps_nosec++;
> > -           splx(s);
> >             goto bad;
> >     }
> >  
> >     /* Latch SA only if the socket is connected */
> >     if (inp->inp_tdb_in != tdb &&
> > @@ -622,11 +620,10 @@ udp_input(struct mbuf *m, ...)
> >                     tdb_add_inp(tdb, inp, 1);
> >                     if (inp->inp_ipo == NULL) {
> >                             inp->inp_ipo = ipsec_add_policy(inp,
> >                                 srcsa.sa.sa_family, IPSP_DIRECTION_OUT);
> >                             if (inp->inp_ipo == NULL) {
> > -                                   splx(s);
> >                                     goto bad;
> >                             }
> >                     }
> >                     if (inp->inp_ipo->ipo_dstid == NULL &&
> >                         tdb->tdb_srcid != NULL) {
> > @@ -653,11 +650,10 @@ udp_input(struct mbuf *m, ...)
> >     }
> >     /* create ipsec options while we know that tdb cannot be modified */
> >     if (tdb)
> >             ipsecflowinfo = tdb->tdb_spi;
> >  
> > -   splx(s);
> >  #endif /*IPSEC */
> >  
> >     opts = NULL;
> >  #ifdef INET6
> >     if (ip6 && (inp->inp_flags & IN6P_CONTROLOPTS ||
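Review bot: The comment `/* create ipsec options while we know that tdb cannot be modified */` was justified by the splnet region whose closing `splx(s)` this hunk removes; as written it now asserts a guarantee the code no longer establishes locally. If the intended reasoning is that TDB state only changes at softnet, the comment should say so, e.g. `/* create ipsec options; tdb is stable here since TDBs only change at splsoftnet */`, so the next reader does not look for a lock that is not there. udp_input continues outside the hunk.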
> > diff --git sys/netinet6/ip6_forward.c sys/netinet6/ip6_forward.c
> > index 4e2e459..0444352 100644
> > --- sys/netinet6/ip6_forward.c
> > +++ sys/netinet6/ip6_forward.c
> > @@ -98,11 +98,10 @@ ip6_forward(struct mbuf *m, int srcrt)
> >     struct m_tag *mtag;
> >     union sockaddr_union sdst;
> >     struct tdb_ident *tdbi;
> >     u_int32_t sspi;
> >     struct tdb *tdb;
> > -   int s;
> >  #if NPF > 0
> >     struct ifnet *encif;
> >  #endif
> >  #endif /* IPSEC */
> >     u_int rtableid = 0;
> > @@ -146,12 +145,10 @@ reroute:
> >  
> >  #ifdef IPSEC
> >     if (!ipsec_in_use)
> >             goto done_spd;
> >  
> > -   s = splnet();
> > -
> >     /*
> >      * Check if there was an outgoing SA bound to the flow
> >      * from a transport protocol.
> >      */
> >  
> > @@ -172,12 +169,10 @@ reroute:
> >     } else
> >             tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
> >                 &error, IPSP_DIRECTION_OUT, NULL, NULL, 0);
> >  
> >     if (tdb == NULL) {
> > -           splx(s);
> > -
> >             if (error == 0) {
> >                     /*
> >                      * No IPsec processing required, we'll just send the
> >                      * packet out.
> >                      */
> > @@ -207,21 +202,19 @@ reroute:
> >                     if (tdbi->spi == tdb->tdb_spi &&
> >                         tdbi->proto == tdb->tdb_sproto &&
> >                         tdbi->rdomain == tdb->tdb_rdomain &&
> >                         !bcmp(&tdbi->dst, &tdb->tdb_dst,
> >                         sizeof(union sockaddr_union))) {
> > -                           splx(s);
> >                             sproto = 0; /* mark as no-IPsec-needed */
> >                             goto done_spd;
> >                     }
> >             }
> >  
> >             /* We need to do IPsec */
> >             bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
> >             sspi = tdb->tdb_spi;
> >             sproto = tdb->tdb_sproto;
> > -           splx(s);
> >     }
> >  
> >     /* Fall through to the routing/multicast handling code */
> >   done_spd:
> >  #endif /* IPSEC */
> > @@ -335,34 +328,28 @@ reroute:
> >      * ipsp_process_packet will never come back to here.
> >      * XXX ipsp_process_packet() calls ip6_output(), and there'll be no
> >      * PMTU notification.  is it okay?
> >      */
> >     if (sproto != 0) {
> > -           s = splnet();
> > -
> >             tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain),
> >                 sspi, &sdst, sproto);
> >             if (tdb == NULL) {
> > -                   splx(s);
> >                     error = EHOSTUNREACH;
> >                     m_freem(m);
> >                     goto senderr;   /*XXX*/
> >             }
> >  
> >  #if NPF > 0
> >             if ((encif = enc_getif(tdb->tdb_rdomain,
> >                 tdb->tdb_tap)) == NULL ||
> >                 pf_test(AF_INET6, PF_FWD, encif, &m, NULL) != PF_PASS) {
> > -                   splx(s);
> >                     error = EHOSTUNREACH;
> >                     m_freem(m);
> >                     goto senderr;
> >             }
> > -           if (m == NULL) {
> > -                   splx(s);
> > +           if (m == NULL)
> >                     goto senderr;
> > -           }
> >             ip6 = mtod(m, struct ip6_hdr *);
> >             /*
> >              * PF_TAG_REROUTE handling or not...
> >              * Packet is entering IPsec so the routing is
> >              * already overruled by the IPsec policy.
> > @@ -374,11 +361,10 @@ reroute:
> >  
> >             m->m_flags &= ~(M_BCAST | M_MCAST);     /* just in case */
> >  
> >             /* Callee frees mbuf */
> >             error = ipsp_process_packet(m, tdb, AF_INET6, 0);
> > -           splx(s);
> >             m_freem(mcopy);
> >             goto freert;
> >     }
> >  #endif /* IPSEC */
> >  
> > diff --git sys/netinet6/ip6_output.c sys/netinet6/ip6_output.c
> > index d9a11ce..88ccf90 100644
> > --- sys/netinet6/ip6_output.c
> > +++ sys/netinet6/ip6_output.c
> > @@ -171,11 +171,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, 
> > struct route_in6 *ro,
> >     struct m_tag *mtag;
> >     union sockaddr_union sdst;
> >     struct tdb_ident *tdbi;
> >     u_int32_t sspi;
> >     struct tdb *tdb;
> > -   int s;
> >  #if NPF > 0
> >     struct ifnet *encif;
> >  #endif
> >  #endif /* IPSEC */
> >  
> > @@ -214,16 +213,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, 
> > struct route_in6 *ro,
> >  #ifdef IPSEC
> >     if (!ipsec_in_use && !inp)
> >             goto done_spd;
> >  
> >     /*
> > -    * splnet is chosen over splsoftnet because we are not allowed to
> > -    * lower the level, and udp6_output calls us in splnet(). XXX check
> > -    */
> > -   s = splnet();
> > -
> > -   /*
> >      * Check if there was an outgoing SA bound to the flow
> >      * from a transport protocol.
> >      */
> >     ip6 = mtod(m, struct ip6_hdr *);
> >  
> > @@ -243,12 +236,10 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, 
> > struct route_in6 *ro,
> >     } else
> >             tdb = ipsp_spd_lookup(m, AF_INET6, sizeof(struct ip6_hdr),
> >                 &error, IPSP_DIRECTION_OUT, NULL, inp, 0);
> >  
> >     if (tdb == NULL) {
> > -           splx(s);
> > -
> >             if (error == 0) {
> >                     /*
> >                      * No IPsec processing required, we'll just send the
> >                      * packet out.
> >                      */
> > @@ -278,21 +269,19 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, 
> > struct route_in6 *ro,
> >                     if (tdbi->spi == tdb->tdb_spi &&
> >                         tdbi->proto == tdb->tdb_sproto &&
> >                         tdbi->rdomain == tdb->tdb_rdomain &&
> >                         !bcmp(&tdbi->dst, &tdb->tdb_dst,
> >                         sizeof(union sockaddr_union))) {
> > -                           splx(s);
> >                             sproto = 0; /* mark as no-IPsec-needed */
> >                             goto done_spd;
> >                     }
> >             }
> >  
> >             /* We need to do IPsec */
> >             bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
> >             sspi = tdb->tdb_spi;
> >             sproto = tdb->tdb_sproto;
> > -           splx(s);
> >     }
> >  
> >     /* Fall through to the routing/multicast handling code */
> >   done_spd:
> >  #endif /* IPSEC */
> > @@ -495,39 +484,33 @@ reroute:
> >     /*
> >      * Check if the packet needs encapsulation.
> >      * ipsp_process_packet will never come back to here.
> >      */
> >     if (sproto != 0) {
> > -           s = splnet();
> > -
> >             /*
> >              * XXX what should we do if ip6_hlim == 0 and the
> >              * packet gets tunneled?
> >              */
> >  
> >             tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain),
> >                 sspi, &sdst, sproto);
> >             if (tdb == NULL) {
> > -                   splx(s);
> >                     error = EHOSTUNREACH;
> >                     m_freem(m);
> >                     goto done;
> >             }
> >  
> >  #if NPF > 0
> >             if ((encif = enc_getif(tdb->tdb_rdomain,
> >                 tdb->tdb_tap)) == NULL ||
> >                 pf_test(AF_INET6, PF_OUT, encif, &m, NULL) != PF_PASS) {
> > -                   splx(s);
> >                     error = EHOSTUNREACH;
> >                     m_freem(m);
> >                     goto done;
> >             }
> > -           if (m == NULL) {
> > -                   splx(s);
> > +           if (m == NULL)
> >                     goto done;
> > -           }
> >             ip6 = mtod(m, struct ip6_hdr *);
> >             /*
> >              * PF_TAG_REROUTE handling or not...
> >              * Packet is entering IPsec so the routing is
> >              * already overruled by the IPsec policy.
> > @@ -545,11 +528,10 @@ reroute:
> >              * packet just because ip6_dst is different from what tdb has.
> >              * XXX
> >              */
> >             error = ipsp_process_packet(m, tdb, AF_INET6,
> >                 exthdrs.ip6e_rthdr ? 1 : 0);
> > -           splx(s);
> >  
> >             return error;  /* Nothing more to be done */
> >     }
> >  #endif /* IPSEC */
> >  
> > 
> 
