Date: Thu, 11 Dec 2014 18:55:55 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r275713 - head/sys/netinet Message-ID: <201412111855.sBBIttPF007416@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Thu Dec 11 18:55:54 2014 New Revision: 275713 URL: https://svnweb.freebsd.org/changeset/base/275713 Log: Use ipsec4_in_reject() to simplify ip_ipsec_fwd() and ip_ipsec_input(). ipsec4_in_reject() does the same things, also it counts policy violation errors. Obtained from: Yandex LLC Sponsored by: Yandex LLC Modified: head/sys/netinet/ip_ipsec.c Modified: head/sys/netinet/ip_ipsec.c ============================================================================== --- head/sys/netinet/ip_ipsec.c Thu Dec 11 18:46:11 2014 (r275712) +++ head/sys/netinet/ip_ipsec.c Thu Dec 11 18:55:54 2014 (r275713) @@ -107,20 +107,8 @@ ip_ipsec_filtertunnel(struct mbuf *m) int ip_ipsec_fwd(struct mbuf *m) { - struct secpolicy *sp; - int error; - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); - if (sp != NULL) { - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - } - if (error != 0) - return (1); - return (0); + return (ipsec4_in_reject(m, NULL)); } /* @@ -133,29 +121,13 @@ ip_ipsec_fwd(struct mbuf *m) int ip_ipsec_input(struct mbuf *m, int nxt) { - struct secpolicy *sp; - int error; /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); - if (sp != NULL) { - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - } else { - /* XXX error stat??? */ - error = EINVAL; - DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - } - if (error != 0) - return (1); - } + if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) + return (ipsec4_in_reject(m, NULL)); return (0); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201412111855.sBBIttPF007416>