From owner-svn-src-projects@freebsd.org  Sun Nov 20 12:25:15 2016
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id AE056C49095
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Sun, 20 Nov 2016 12:25:15 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 611B9883;
 Sun, 20 Nov 2016 12:25:15 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKCPEto054838;
 Sun, 20 Nov 2016 12:25:14 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKCPE6D054837;
 Sun, 20 Nov 2016 12:25:14 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201611201225.uAKCPE6D054837@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Sun, 20 Nov 2016 12:25:14 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r308884 - projects/ipsec/sys/netipsec
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Nov 2016 12:25:15 -0000

Author: ae
Date: Sun Nov 20 12:25:14 2016
New Revision: 308884
URL: https://svnweb.freebsd.org/changeset/base/308884

Log:
  Modify ipsec4_checkpolicy() to use ipsec4_getpolicy() and
  ipsec_checkpolicy().
  
  Move it under #ifdef INET. Also count errors from ipsec_checkpolicy
  in corresponding IPSECSTAT counters.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 12:18:10 2016	(r308883)
+++ projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 12:25:14 2016	(r308884)
@@ -546,49 +546,6 @@ ipsec_getpolicybyaddr(const struct mbuf 
 	return (sp);
 }
 
-struct secpolicy *
-ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
-    struct inpcb *inp)
-{
-	struct secpolicy *sp;
-
-	*error = 0;
-	if (inp == NULL)
-		sp = ipsec_getpolicybyaddr(m, dir, error);
-	else
-		sp = ipsec_getpolicybysock(m, dir, inp, error);
-	if (sp == NULL) {
-		IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
-		IPSECSTAT_INC(ips_out_inval);
-		return (NULL);
-	}
-	IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
-	switch (sp->policy) {
-	case IPSEC_POLICY_ENTRUST:
-	default:
-		printf("%s: invalid policy %u\n", __func__, sp->policy);
-		/* FALLTHROUGH */
-	case IPSEC_POLICY_DISCARD:
-		IPSECSTAT_INC(ips_out_polvio);
-		*error = -EINVAL;	/* Packet is discarded by caller. */
-		break;
-	case IPSEC_POLICY_BYPASS:
-	case IPSEC_POLICY_NONE:
-		KEY_FREESP(&sp);
-		sp = NULL;		/* NB: force NULL result. */
-		break;
-	case IPSEC_POLICY_IPSEC:
-		if (sp->req == NULL)	/* Acquire a SA. */
-			*error = key_spdacquire(sp);
-		break;
-	}
-	if (*error != 0) {
-		KEY_FREESP(&sp);
-		sp = NULL;
-	}
-	return (sp);
-}
-
 static int
 ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
 {
@@ -817,6 +774,36 @@ ipsec4_getpolicy(const struct mbuf *m, s
 	return (sp);
 }
 
+/*
+ * Check security policy for *OUTBOUND* IPv4 packet.
+ */
+struct secpolicy *
+ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error)
+{
+	struct secpolicy *sp;
+
+	*error = 0;
+	sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND);
+	if (sp != NULL)
+		sp = ipsec_checkpolicy(sp, inp, error);
+	if (sp == NULL) {
+		switch (*error) {
+		case 0: /* No IPsec required: BYPASS or NONE */
+			break;
+		case -EINVAL:
+			IPSECSTAT_INC(ips_out_polvio);
+			break;
+		default:
+			IPSECSTAT_INC(ips_out_inval);
+		}
+	}
+	KEYDBG(IPSEC_STAMP,
+	    printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
+	if (sp != NULL)
+		KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
+	return (sp);
+}
+
 #endif /* INET */
 
 #ifdef INET6