From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 11:57:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308882 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 11:57:36 -0000 Author: ae Date: Sun Nov 20 11:57:34 2016 New Revision: 308882 URL: https://svnweb.freebsd.org/changeset/base/308882 Log: Add ipsec4_getpolicy() function. It returns security policy that matches with give IPv4 packet. First of it uses SP from inpcb. If there is no PCB, or PCB has not cached SP, it fills secpolicyindex using info from given mbuf. Then it does SP lookup using this secpolicyindex. And if SP is not found, it returns default security policy. Modify ipsec4_setspidx_ipaddr() to not return any values, since it never fails. Also move ipsec4_get_ulp() and ipsec4_setspidx_ipaddr() under #ifdef INET. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:36:54 2016 (r308881)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:57:34 2016 (r308882)
@@ -244,7 +244,8 @@ static int ipsec_in_reject(struct secpol
 static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
 static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
 static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
+static void ipsec4_setspidx_ipaddr(const struct mbuf *,
+ struct secpolicyindex *);
 #ifdef INET6
 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
 static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
@@ -645,16 +646,17 @@ ipsec_setspidx(const struct mbuf *m, str
 }
 }
+#ifdef INET
 static void
 ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx, int needport)
 {
- u_int8_t nxt;
+ uint8_t nxt;
 int off;
 /* Sanity check. */
- IPSEC_ASSERT(m != NULL, ("null mbuf"));
- IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
+ IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
+ ("packet too short"));
 if (m->m_len >= sizeof (struct ip)) {
 const struct ip *ip = mtod(m, const struct ip *);
@@ -718,10 +720,12 @@ done:
 done_proto:
 spidx->src.sin.sin_port = IPSEC_PORT_ANY;
 spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
+ KEYDBG(IPSEC_DUMP,
+ printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
 }
 /* Assumes that m is sane. */
-static int
+static void
 ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
 {
 static const struct sockaddr_in template = {
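Review bot: With the `m != NULL` assertion gone, the `/* Sanity check. */` comment in ipsec4_get_ulp now describes only the length check, and if IPSEC_ASSERT compiles out in non-debug kernels (as its name suggests; its definition is not in this hunk) neither the mbuf pointer nor the length is checked before `m->m_pkthdr.len` and `mtod(m, ...)` are evaluated. I would make the precondition explicit rather than implied, e.g. `/* Sanity check: caller guarantees m != NULL and a complete IP header. */`. ipsec4_get_ulp's body continues past this hunk, so the `m_len < sizeof(struct ip)` path is not visible here.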
@@ -748,10 +752,30 @@ ipsec4_setspidx_ipaddr(const struct mbuf
 spidx->prefs = sizeof(struct in_addr) << 3;
 spidx->prefd = sizeof(struct in_addr) << 3;
+}
- return (0);
+static struct secpolicy *
+ipsec4_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir)
+{
+ struct secpolicyindex spidx;
+ struct secpolicy *sp;
+
+ sp = ipsec_getpcbpolicy(inp, dir);
+ if (sp == NULL && key_havesp(dir)) {
+ /* Make an index to look for a policy. */
+ ipsec4_setspidx_ipaddr(m, &spidx);
+ /* Fill ports in spidx if we have inpcb. */
+ ipsec4_get_ulp(m, &spidx, inp != NULL);
+ spidx.dir = dir;
+ sp = key_allocsp(&spidx, dir);
+ }
+ if (sp == NULL) /* No SP found, use system default. */
+ sp = key_allocsp_default();
+ return (sp);
 }
+#endif /* INET */
+
 #ifdef INET6
 static void
 ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
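Review bot: ipsec4_getpolicy dereferences `m` through ipsec4_setspidx_ipaddr (marked "Assumes that m is sane") and ipsec4_get_ulp whenever there is no cached PCB policy and key_havesp(dir) is true, yet nothing states that `m` must be non-NULL with a complete IPv4 header while `inp` may be NULL (the code passes `inp != NULL` as needport, so NULL is evidently expected); I would add a header comment such as `/* Return the SP matching IPv4 packet m in direction dir. m must carry a complete IP header; inp may be NULL. */` plus one line saying whether the returned SP is referenced and must be released by the caller, which this hunk does not show. The stack `spidx` is populated piecemeal by the two helpers plus `spidx.dir = dir`; if struct secpolicyindex has any member none of them writes (its definition is not visible here), key_allocsp would compare uninitialized stack bytes, so a `memset(&spidx, 0, sizeof(spidx));` before the fill is cheap insurance. The fall-through to key_allocsp_default() means callers always get a policy when no SPD entry matches; if key_allocsp_default() can itself return NULL, that case is not handled here.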