Date: Thu, 22 Dec 2016 13:52:31 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310396 - projects/ipsec/sys/netinet Message-ID: <201612221352.uBMDqVPn064604@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Thu Dec 22 13:52:30 2016 New Revision: 310396 URL: https://svnweb.freebsd.org/changeset/base/310396 Log: Convert ip_input.c to use IPsec methods. Modified: projects/ipsec/sys/netinet/ip_input.c Modified: projects/ipsec/sys/netinet/ip_input.c ============================================================================== --- projects/ipsec/sys/netinet/ip_input.c Thu Dec 22 13:50:34 2016 (r310395) +++ projects/ipsec/sys/netinet/ip_input.c Thu Dec 22 13:52:30 2016 (r310396) @@ -77,13 +77,10 @@ __FBSDID("$FreeBSD$"); #include <netinet/ip_options.h> #include <machine/in_cksum.h> #include <netinet/ip_carp.h> -#ifdef IPSEC -#include <netipsec/ipsec.h> -#include <netipsec/key.h> -#include <netinet/ip_ipsec.h> -#endif /* IPSEC */ #include <netinet/in_rss.h> +#include <netipsec/ipsec_support.h> + #include <sys/socketvar.h> #include <security/mac/mac_framework.h> @@ -430,6 +427,12 @@ ip_direct_input(struct mbuf *m) ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0) + return; + } +#endif /* IPSEC */ IPSTAT_INC(ips_delivered); (*inetsw[ip_protox[ip->ip_p]].pr_input)(&m, &hlen, ip->ip_p); return; @@ -550,23 +553,37 @@ tooshort: m_adj(m, ip_len - m->m_pkthdr.len); } - /* Try to forward the packet, but if we fail continue */ -#ifdef IPSEC - /* For now we do not handle IPSEC in tryforward. */ - if (!key_havesp(IPSEC_DIR_INBOUND) && !key_havesp(IPSEC_DIR_OUTBOUND) && - (V_ipforwarding == 1)) - if (ip_tryforward(m) == NULL) + /* + * Try to forward the packet, but if we fail continue. + * ip_tryforward() does inbound and outbound packet firewall + * processing. If firewall has decided that destination becomes + * our local address, it sets M_FASTFWD_OURS flag. In this + * case skip another inbound firewall processing and update + * ip pointer. + */ + if (V_ipforwarding != 0 +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + && (!IPSEC_ENABLED(ipv4) || + IPSEC_CAPS(ipv4, m, IPSEC_CAP_OPERABLE) == 0) +#endif + ) { + if ((m = ip_tryforward(m)) == NULL) return; + if (m->m_flags & M_FASTFWD_OURS) { + m->m_flags &= ~M_FASTFWD_OURS; + ip = mtod(m, struct ip *); + goto ours; + } + } + +#if defined(IPSEC) || defined(IPSEC_SUPPORT) /* * Bypass packet filtering for packets previously handled by IPsec. */ - if (ip_ipsec_filtertunnel(m)) - goto passin; -#else - if (V_ipforwarding == 1) - if (ip_tryforward(m) == NULL) - return; -#endif /* IPSEC */ + if (IPSEC_ENABLED(ipv4) && + IPSEC_CAPS(ipv4, m, IPSEC_CAP_BYPASS_FILTER) != 0) + goto passin; +#endif /* * Run through list of hooks for input packets. @@ -791,14 +808,11 @@ ours: hlen = ip->ip_hl << 2; } -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if (IPSEC_INPUT(ipv4, m, ip->ip_p) != 0) - goto bad; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if (IPSEC_INPUT(ipv4, m, hlen, ip->ip_p) != 0) + return; + } #endif /* IPSEC */ /* @@ -1002,21 +1016,17 @@ ip_forward(struct mbuf *m, int srcrt) if (V_ipstealth == 0) #endif ip->ip_ttl -= IPTTLDEC; -#ifdef IPSEC - if (IPSEC_FORWARD(ipv4, m, &error) != 0) { /* mbuf consumed by IPsec */ - m_freem(mcopy); - return; - } - /* - * mbuf wasn't consumed by IPsec, check error code. - */ - if (error != 0) { - IPSTAT_INC(ips_cantforward); - m_freem(m); - m_freem(mcopy); - return; +#if defined(IPSEC) || defined(IPSEC_SUPPORT) + if (IPSEC_ENABLED(ipv4)) { + if ((error = IPSEC_FORWARD(ipv4, m)) != 0) { + /* mbuf consumed by IPsec */ + m_freem(mcopy); + if (error != EINPROGRESS) + IPSTAT_INC(ips_cantforward); + return; + } + /* No IPsec processing required */ } - /* No IPsec processing required */ #endif /* IPSEC */ /* * If forwarding packet using same interface that it came in on,
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201612221352.uBMDqVPn064604>