From owner-svn-src-projects@freebsd.org Sun Nov 20 17:17:42 2016 Return-Path: Delivered-To: svn-src-projects@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 9A2B2C4C897 for ; Sun, 20 Nov 2016 17:17:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 5AA4A1EDE; Sun, 20 Nov 2016 17:17:42 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uAKHHfT0074902; Sun, 20 Nov 2016 17:17:41 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id uAKHHf0C074901; Sun, 20 Nov 2016 17:17:41 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201611201717.uAKHHf0C074901@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f 
From: "Andrey V. Elsukov" Date: Sun, 20 Nov 2016 17:17:41 +0000 (UTC) To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308892 - projects/ipsec/sys/netipsec X-SVN-Group: projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-projects@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "SVN commit messages for the src " projects" tree" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 20 Nov 2016 17:17:42 -0000 Author: ae Date: Sun Nov 20 17:17:41 2016 New Revision: 308892 URL: https://svnweb.freebsd.org/changeset/base/308892 Log: Modify ipsec_setspidx_inpcb() function to use given inpcb pointer to fill secpolicyindex's fields instead of taking them from mbuf. Remove ipsec_setspidx() function.
Modified: projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:03:52 2016 (r308891)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 17:17:41 2016 (r308892)
@@ -245,8 +245,8 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6,
 static int ipsec_in_reject(struct secpolicy *, struct inpcb *, const struct mbuf *);
-static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
-static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
+static void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *);
+
 static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
 static void ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
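Review bot: The new prototype `static void ipsec_setspidx_inpcb(struct inpcb *, struct secpolicyindex *);` could take `const struct inpcb *`, since the body in the following hunk only reads inp_vflag, the local/foreign address and port fields and inp_ip_p from the PCB (provided IN6_IS_SCOPE_LINKLOCAL accepts a const pointer, which it appears to); const there would document that building the policy index never touches the PCB. Dropping the return type to void also removes the EINVAL result the mbuf-based version produced, so callers now depend on the PCB having INP_IPV4 or INP_IPV6 set; if neither is set, or a family is compiled out, the spidx address fields are presumably left as the caller initialised them, which is worth stating in a one-line comment above the prototype, e.g. `/* Fills spidx from inp; caller must zero spidx and set spidx->dir. */`. The blank `+` line left where the ipsec_setspidx prototype was splits the prototype list and should be dropped.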
@@ -551,106 +551,62 @@ ipsec_getpolicybyaddr(const struct mbuf
 return (sp);
 }
-static int
-ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
-{
- int error;
-
- IPSEC_ASSERT(inp != NULL, ("null inp"));
- IPSEC_ASSERT(inp->inp_sp != NULL, ("null inp_sp"));
- IPSEC_ASSERT(inp->inp_sp->sp_out != NULL && inp->inp_sp->sp_in != NULL,
- ("null sp_in || sp_out"));
-
- error = ipsec_setspidx(m, &inp->inp_sp->sp_in->spidx, 1);
- if (error == 0) {
- inp->inp_sp->sp_in->spidx.dir = IPSEC_DIR_INBOUND;
- inp->inp_sp->sp_out->spidx = inp->inp_sp->sp_in->spidx;
- inp->inp_sp->sp_out->spidx.dir = IPSEC_DIR_OUTBOUND;
- } else {
- bzero(&inp->inp_sp->sp_in->spidx,
- sizeof (inp->inp_sp->sp_in->spidx));
- bzero(&inp->inp_sp->sp_out->spidx,
- sizeof (inp->inp_sp->sp_in->spidx));
- }
- return (error);
-}
-
-/*
- * Configure security policy index (src/dst/proto/sport/dport)
- * by looking at the content of mbuf.
- * The caller is responsible for error recovery (like clearing up spidx).
- */
-static int
-ipsec_setspidx(const struct mbuf *m, struct secpolicyindex *spidx,
- int needport)
+static void
+ipsec_setspidx_inpcb(struct inpcb *inp, struct secpolicyindex *spidx)
 {
- struct ip ipbuf;
- const struct ip *ip = NULL;
- const struct mbuf *n;
- u_int v;
- int len;
- int error;
-
- IPSEC_ASSERT(m != NULL, ("null mbuf"));
-
- /*
- * Validate m->m_pkthdr.len. We see incorrect length if we
- * mistakenly call this function with inconsistent mbuf chain
- * (like 4.4BSD tcp/udp processing). XXX Should we panic here?
- */
- len = 0;
- for (n = m; n; n = n->m_next)
- len += n->m_len;
- if (m->m_pkthdr.len != len) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("%s: pkthdr len(%d) mismatch (%d), ignored.\n",
- __func__, len, m->m_pkthdr.len));
- return (EINVAL);
- }
-
- if (m->m_pkthdr.len < sizeof(struct ip)) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("%s: pkthdr len(%d) too small (v4), ignored.\n",
- __func__, m->m_pkthdr.len));
- return (EINVAL);
- }
- if (m->m_len >= sizeof(*ip))
- ip = mtod(m, const struct ip *);
- else {
- m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
- ip = &ipbuf;
- }
- v = ip->ip_v;
- switch (v) {
- case 4:
- error = ipsec4_setspidx_ipaddr(m, spidx);
- if (error)
- return (error);
- ipsec4_get_ulp(m, spidx, needport);
- return (0);
 #ifdef INET6
- case 6:
- if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("%s: pkthdr len(%d) too small (v6), "
- "ignored\n", __func__, m->m_pkthdr.len));
- return (EINVAL);
+ if (inp->inp_vflag & INP_IPV6) {
+ bzero(&spidx->src.sin6, sizeof(spidx->src.sin6));
+ spidx->src.sin6.sin6_family = AF_INET6;
+ spidx->src.sin6.sin6_len = sizeof(struct sockaddr_in6);
+ spidx->src.sin6.sin6_addr = inp->in6p_laddr;
+ spidx->src.sin6.sin6_port = inp->inp_lport;
+ if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_laddr)) {
+ /* XXXAE: use in6p_zoneid */
+ spidx->src.sin6.sin6_addr.s6_addr16[1] = 0;
+ spidx->src.sin6.sin6_scope_id = ntohs(
+ inp->in6p_laddr.s6_addr16[1]);
 }
- error = ipsec6_setspidx_ipaddr(m, spidx);
- if (error)
- return (error);
- ipsec6_get_ulp(m, spidx, needport);
- return (0);
+ spidx->prefs = sizeof(struct in6_addr) << 3;
+
+ bzero(&spidx->dst.sin6, sizeof(spidx->dst.sin6));
+ spidx->dst.sin6.sin6_family = AF_INET6;
+ spidx->dst.sin6.sin6_len = sizeof(struct sockaddr_in6);
+ spidx->dst.sin6.sin6_addr = inp->in6p_faddr;
+ spidx->dst.sin6.sin6_port = inp->inp_fport;
+ if (IN6_IS_SCOPE_LINKLOCAL(&inp->in6p_faddr)) {
+ /* XXXAE: use in6p_zoneid */
+ spidx->dst.sin6.sin6_addr.s6_addr16[1] = 0;
+ spidx->dst.sin6.sin6_scope_id = ntohs(
+ inp->in6p_faddr.s6_addr16[1]);
+ }
+ spidx->prefd = sizeof(struct in6_addr) << 3;
+ }
 #endif
- default:
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("%s: " "unknown IP version %u, ignored.\n",
- __func__, v));
- return (EINVAL);
+#ifdef INET
+ if (inp->inp_vflag & INP_IPV4) {
+ bzero(&spidx->src.sin, sizeof(spidx->src.sin));
+ spidx->src.sin.sin_family = AF_INET;
+ spidx->src.sin.sin_len = sizeof(struct sockaddr_in);
+ spidx->src.sin.sin_addr = inp->inp_laddr;
+ spidx->src.sin.sin_port = inp->inp_lport;
+ spidx->prefs = sizeof(struct in_addr) << 3;
+
+ bzero(&spidx->dst.sin, sizeof(spidx->dst.sin));
+ spidx->dst.sin.sin_family = AF_INET;
+ spidx->dst.sin.sin_len = sizeof(struct sockaddr_in);
+ spidx->dst.sin.sin_addr = inp->inp_faddr;
+ spidx->dst.sin.sin_port = inp->inp_fport;
+ spidx->prefd = sizeof(struct in_addr) << 3;
 }
+#endif
+ spidx->ul_proto = inp->inp_ip_p;
+ KEYDBG(IPSEC_DUMP,
+ printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
 }
+
 #ifdef INET
 static void
 ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,