Date: Wed, 23 Apr 2014 11:22:54 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-10@freebsd.org Subject: svn commit: r264814 - stable/10/sys/netipsec Message-ID: <201404231122.s3NBMsG8088809@svn.freebsd.org>
Author: ae Date: Wed Apr 23 11:22:54 2014 New Revision: 264814 URL: http://svnweb.freebsd.org/changeset/base/264814 Log: MFC r264124: Remove dead code. MFC r264125: Remove unused variable. MFC r264126: The check for local address spoofing lacks ifaddr locking. Remove these loops and use in_localip() and in6_localip() functions instead. MFC r264520: Remove _IP_VHL* macros and related ifdefs. Modified: stable/10/sys/netipsec/ipsec.c stable/10/sys/netipsec/ipsec_output.c stable/10/sys/netipsec/xform_ipip.c Directory Properties: stable/10/ (props changed) Modified: stable/10/sys/netipsec/ipsec.c ============================================================================== --- stable/10/sys/netipsec/ipsec.c Wed Apr 23 09:56:17 2014 (r264813) +++ stable/10/sys/netipsec/ipsec.c Wed Apr 23 11:22:54 2014 (r264814) @@ -559,11 +559,7 @@ ipsec_setspidx(struct mbuf *m, struct se m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); ip = &ipbuf; } -#ifdef _IP_VHL - v = _IP_VHL_V(ip->ip_vhl); -#else v = ip->ip_v; -#endif switch (v) { case 4: error = ipsec4_setspidx_ipaddr(m, spidx); @@ -607,11 +603,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se struct ip *ip = mtod(m, struct ip *); if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) goto done; -#ifdef _IP_VHL - off = _IP_VHL_HL(ip->ip_vhl) << 2; -#else off = ip->ip_hl << 2; -#endif nxt = ip->ip_p; } else { struct ip ih; @@ -619,11 +611,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih); if (ih.ip_off & htons(IP_MF | IP_OFFMASK)) goto done; -#ifdef _IP_VHL - off = _IP_VHL_HL(ih.ip_vhl) << 2; -#else off = ih.ip_hl << 2; -#endif nxt = ih.ip_p; } Modified: stable/10/sys/netipsec/ipsec_output.c ============================================================================== --- stable/10/sys/netipsec/ipsec_output.c Wed Apr 23 09:56:17 2014 (r264813) +++ stable/10/sys/netipsec/ipsec_output.c Wed Apr 23 11:22:54 2014 (r264814) 
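Review bot: In ipsec4_get_ulp() (ipsec.c, hunks at -603 and -611), `off = ip->ip_hl << 2` and `off = ih.ip_hl << 2` take the header length straight from the packet, and the visible lines put no lower bound on it. If nothing upstream has already rejected a length below `sizeof(struct ip)`, the upper-layer lookup that follows would presumably start inside the fixed IP header. I would add `if (off < (int)sizeof(struct ip)) goto done;` after each assignment, or a comment naming where `ip_hl` is validated. The rest of the function lies outside these hunks, so this needs checking against the full body.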
@@ -205,11 +205,7 @@ ipsec_process_done(struct mbuf *m, struc */ if (sav->natt_type) { struct ip *ip = mtod(m, struct ip *); -#ifdef _IP_VHL - const int hlen = IP_VHL_HL(ip->ip_vhl); -#else const int hlen = (ip->ip_hl << 2); -#endif int size, off; struct mbuf *mi; struct udphdr *udp; @@ -504,15 +500,7 @@ ipsec4_process_packet( ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); ip->ip_sum = 0; -#ifdef _IP_VHL - if (ip->ip_vhl == IP_VHL_BORING) - ip->ip_sum = in_cksum_hdr(ip); - else - ip->ip_sum = in_cksum(m, - _IP_VHL_HL(ip->ip_vhl) << 2); -#else ip->ip_sum = in_cksum(m, ip->ip_hl << 2); -#endif /* Encapsulate the packet */ error = ipip_output(m, isr, &mp, 0, 0); Modified: stable/10/sys/netipsec/xform_ipip.c ============================================================================== --- stable/10/sys/netipsec/xform_ipip.c Wed Apr 23 09:56:17 2014 (r264813) +++ stable/10/sys/netipsec/xform_ipip.c Wed Apr 23 11:22:54 2014 (r264814) @@ -64,9 +64,6 @@ #include <netinet/ip_ecn.h> #include <netinet/ip_var.h> #include <netinet/ip_encap.h> -#ifdef MROUTING -#include <netinet/ip_mroute.h> -#endif #include <netipsec/ipsec.h> #include <netipsec/xform.h> @@ -161,18 +158,11 @@ ip4_input(struct mbuf *m, int off) static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) { -#ifdef INET - register struct sockaddr_in *sin; -#endif - register struct ifnet *ifp; - register struct ifaddr *ifa; struct ip *ipo; #ifdef INET6 - register struct sockaddr_in6 *sin6; struct ip6_hdr *ip6 = NULL; u_int8_t itos; #endif - u_int8_t nxt; int isr; u_int8_t otos; u_int8_t v; @@ -207,18 +197,8 @@ _ipip_input(struct mbuf *m, int iphlen, return; } } - ipo = mtod(m, struct ip *); -#ifdef MROUTING - if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { - if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { - ipip_mroute_input (m, iphlen); - return; - } - } -#endif /* MROUTING */ - /* Keep outer ecn field. */ switch (v >> 4) { #ifdef INET 
@@ -287,14 +267,12 @@ _ipip_input(struct mbuf *m, int iphlen, #ifdef INET case 4: ipo = mtod(m, struct ip *); - nxt = ipo->ip_p; ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos); break; #endif /* INET */ #ifdef INET6 case 6: ip6 = (struct ip6_hdr *) ipo; - nxt = ip6->ip6_nxt; itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos); ip6->ip6_flow &= ~htonl(0xff << 20); @@ -309,47 +287,22 @@ _ipip_input(struct mbuf *m, int iphlen, if ((m->m_pkthdr.rcvif == NULL || !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && V_ipip_allow != 2) { - IFNET_RLOCK_NOSLEEP(); - TAILQ_FOREACH(ifp, &V_ifnet, if_link) { - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { -#ifdef INET - if (ipo) { - if (ifa->ifa_addr->sa_family != - AF_INET) - continue; - - sin = (struct sockaddr_in *) ifa->ifa_addr; - - if (sin->sin_addr.s_addr == - ipo->ip_src.s_addr) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - } -#endif /* INET */ - +#ifdef INET + if ((v >> 4) == IPVERSION && + in_localip(ipo->ip_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; + } +#endif #ifdef INET6 - if (ip6) { - if (ifa->ifa_addr->sa_family != - AF_INET6) - continue; - - sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; - - if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - - } -#endif /* INET6 */ - } + if ((v & IPV6_VERSION_MASK) == IPV6_VERSION && + in6_localip(&ip6->ip6_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; } - IFNET_RUNLOCK_NOSLEEP(); +#endif } /* Statistics */
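Review bot: In the `case 6:` arm of the hunk at -287, `ip6 = (struct ip6_hdr *) ipo;` still derives the IPv6 header pointer from `ipo`, whereas `case 4:` re-reads it with `mtod(m, struct ip *)`. `ipo` is declared without an initializer, and whether it is current when an IPv6 inner packet reaches this switch depends on code outside the hunk. The pointer matters more after this commit, because the new spoof check dereferences `ip6->ip6_src`. Unless `ipo` is guaranteed fresh here, `ip6 = mtod(m, struct ip6_hdr *);` would make the arm self-contained.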
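Review bot: The two new guards in the hunk at -309 select the address family differently from each other and from the switch above them: IPv4 uses `(v >> 4) == IPVERSION`, IPv6 uses `(v & IPV6_VERSION_MASK) == IPV6_VERSION`, and the switch uses `v >> 4` with `case 4:`/`case 6:`. The removed loop tested the pointers themselves (`if (ipo)`, `if (ip6)`), while the new code dereferences them on the strength of the version test alone, so I would keep that test in one form, or place each check next to the `case` arm that assigns the pointer. A short comment such as `/* in_localip()/in6_localip() handle address-list locking themselves */` would record why the open-coded loops were dropped, as the log message implies. The function continues past the end of this hunk.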