Date: Sun, 20 Nov 2016 12:25:14 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308884 - projects/ipsec/sys/netipsec Message-ID: <201611201225.uAKCPE6D054837@repo.freebsd.org>
Author: ae Date: Sun Nov 20 12:25:14 2016 New Revision: 308884 URL: https://svnweb.freebsd.org/changeset/base/308884 Log: Modify ipsec4_checkpolicy() to use ipsec4_getpolicy() and ipsec_checkpolicy(). Move it under #ifdef INET. Also count errors from ipsec_checkpolicy in corresponding IPSECSTAT counters. Modified: projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:18:10 2016 (r308883)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:25:14 2016 (r308884)
@@ -546,49 +546,6 @@ ipsec_getpolicybyaddr(const struct mbuf
 return (sp);
 }
-struct secpolicy *
-ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
- struct inpcb *inp)
-{
- struct secpolicy *sp;
- *error = 0;
- if (inp == NULL)
- sp = ipsec_getpolicybyaddr(m, dir, error);
- else
- sp = ipsec_getpolicybysock(m, dir, inp, error);
- if (sp == NULL) {
- IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
- IPSECSTAT_INC(ips_out_inval);
- return (NULL);
- }
- IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
- switch (sp->policy) {
- case IPSEC_POLICY_ENTRUST:
- default:
- printf("%s: invalid policy %u\n", __func__, sp->policy);
- /* FALLTHROUGH */
- case IPSEC_POLICY_DISCARD:
- IPSECSTAT_INC(ips_out_polvio);
- *error = -EINVAL; /* Packet is discarded by caller. */
- break;
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- KEY_FREESP(&sp);
- sp = NULL; /* NB: force NULL result. */
- break;
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) /* Acquire a SA. */
- *error = key_spdacquire(sp);
- break;
- }
- if (*error != 0) {
- KEY_FREESP(&sp);
- sp = NULL;
- }
- return (sp);
-}
-
 static int
 ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
 {
@@ -817,6 +774,36 @@ ipsec4_getpolicy(const struct mbuf *m, s
 return (sp);
 }
+/*
+ * Check security policy for *OUTBOUND* IPv4 packet.
+ */
+struct secpolicy *
+ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error)
+{
+ struct secpolicy *sp;
+ *error = 0;
+ sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND);
+ if (sp != NULL)
+ sp = ipsec_checkpolicy(sp, inp, error);
+ if (sp == NULL) {
+ switch (*error) {
+ case 0: /* No IPsec required: BYPASS or NONE */
+ break;
+ case -EINVAL:
+ IPSECSTAT_INC(ips_out_polvio);
+ break;
+ default:
+ IPSECSTAT_INC(ips_out_inval);
+ }
+ }
+ KEYDBG(IPSEC_STAMP,
+ printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
+ if (sp != NULL)
+ KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
+ return (sp);
+}
+
 #endif /* INET */
 #ifdef INET6
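Review bot: The `if (sp != NULL)` guard after the `ipsec4_getpolicy()` call lets a NULL lookup result reach `switch (*error)` with `*error` still 0, where `case 0` is documented as "No IPsec required: BYPASS or NONE"; the removed version counted that path in `ips_out_inval` and returned with a non-zero error, so in the new code a failed lookup would be indistinguishable from a bypass policy for the caller. If `ipsec4_getpolicy()` (defined just above this hunk, its body not visible here) always falls back to a default policy and cannot return NULL, make that explicit and keep the fail-closed contract: `IPSEC_ASSERT(sp != NULL, ("ipsec4_getpolicy() returned NULL"));` followed by an unconditional `sp = ipsec_checkpolicy(sp, inp, error);`. Otherwise the NULL path needs its own non-zero `*error` plus `IPSECSTAT_INC(ips_out_inval);` so callers do not treat a lookup failure as bypass. Minor style: the `default:` arm is the only one without a trailing `break;`; adding it keeps the arms uniform if they are ever reordered.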