From owner-svn-src-projects@freebsd.org  Thu Dec 22 14:05:26 2016
Return-Path: <owner-svn-src-projects@freebsd.org>
Delivered-To: svn-src-projects@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id D8C60C8A962
 for <svn-src-projects@mailman.ysv.freebsd.org>;
 Thu, 22 Dec 2016 14:05:26 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org
 [IPv6:2610:1c1:1:6068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 99BE4ED1;
 Thu, 22 Dec 2016 14:05:26 +0000 (UTC) (envelope-from ae@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37])
 by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id uBME5P0w069303;
 Thu, 22 Dec 2016 14:05:25 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by repo.freebsd.org (8.15.2/8.15.2/Submit) id uBME5Pv4069302;
 Thu, 22 Dec 2016 14:05:25 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201612221405.uBME5Pv4069302@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Thu, 22 Dec 2016 14:05:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject: svn commit: r310404 - projects/ipsec/sys/netinet6
X-SVN-Group: projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-projects@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: "SVN commit messages for the src &quot; projects&quot;
 tree" <svn-src-projects.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-projects/>
List-Post: <mailto:svn-src-projects@freebsd.org>
List-Help: <mailto:svn-src-projects-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-src-projects>, 
 <mailto:svn-src-projects-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 14:05:26 -0000

Author: ae
Date: Thu Dec 22 14:05:25 2016
New Revision: 310404
URL: https://svnweb.freebsd.org/changeset/base/310404

Log:
  Convert ip6_input.c to use IPsec methods.

Modified:
  projects/ipsec/sys/netinet6/ip6_input.c

Modified: projects/ipsec/sys/netinet6/ip6_input.c
==============================================================================
--- projects/ipsec/sys/netinet6/ip6_input.c	Thu Dec 22 14:04:41 2016	(r310403)
+++ projects/ipsec/sys/netinet6/ip6_input.c	Thu Dec 22 14:05:25 2016	(r310404)
@@ -118,11 +118,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/nd6.h>
 #include <netinet6/in6_rss.h>
 
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netinet6/ip6_ipsec.h>
-#include <netipsec/ipsec6.h>
-#endif /* IPSEC */
+#include <netipsec/ipsec_support.h>
 
 #include <netinet6/ip6protosw.h>
 
@@ -524,14 +520,11 @@ ip6_direct_input(struct mbuf *m)
 			goto bad;
 		}
 
-#ifdef IPSEC
-		/*
-		 * enforce IPsec policy checking if we are seeing last header.
-		 * note that we do not visit this with protocols with pcb layer
-		 * code - like udp/tcp/raw ip.
-		 */
-		if (ip6_ipsec_input(m, nxt))
-			goto bad;
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
+		if (IPSEC_ENABLED(ipv6)) {
+			if (IPSEC_INPUT(ipv6, m, off, nxt) != 0)
+				return;
+		}
 #endif /* IPSEC */
 
 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
@@ -554,7 +547,7 @@ ip6_input(struct mbuf *m)
 	int nxt, ours = 0;
 	int srcrt = 0;
 
-#ifdef IPSEC
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 	/*
 	 * should the inner packet be considered authentic?
 	 * see comment in ah4_input().
@@ -728,14 +721,39 @@ ip6_input(struct mbuf *m)
 		goto bad;
 	}
 #endif
-#ifdef IPSEC
+#if 0
+	/*
+	 * Try to forward the packet, but if we fail continue.
+	 * ip6_tryforward() does inbound and outbound packet firewall
+	 * processing. If firewall has decided that destination becomes
+	 * our local address, it sets M_FASTFWD_OURS flag. In this
+	 * case skip another inbound firewall processing and update
+	 * ip6 pointer.
+	 */
+	if (V_ip6_forwarding != 0
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
+	    && (!IPSEC_ENABLED(ipv6) ||
+	    IPSEC_CAPS(ipv6, m, IPSEC_CAP_OPERABLE) == 0)
+#endif
+	    ) {
+		if ((m = ip6_tryforward(m)) == NULL)
+			return;
+		if (m->m_flags & M_FASTFWD_OURS) {
+			m->m_flags &= ~M_FASTFWD_OURS;
+			ours = 1;
+			ip6 = mtod(m, struct ip6_hdr *);
+			goto hbhcheck;
+		}
+	}
+#endif
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
 	/*
 	 * Bypass packet filtering for packets previously handled by IPsec.
 	 */
-	if (ip6_ipsec_filtertunnel(m))
-		goto passin;
-#endif /* IPSEC */
-
+	if (IPSEC_ENABLED(ipv6) &&
+	    IPSEC_CAPS(ipv6, m, IPSEC_CAP_BYPASS_FILTER) != 0)
+			goto passin;
+#endif
 	/*
 	 * Run through list of hooks for input packets.
 	 *
@@ -945,14 +963,11 @@ passin:
 			goto bad;
 		}
 
-#ifdef IPSEC
-		/*
-		 * enforce IPsec policy checking if we are seeing last header.
-		 * note that we do not visit this with protocols with pcb layer
-		 * code - like udp/tcp/raw ip.
-		 */
-		if (ip6_ipsec_input(m, nxt))
-			goto bad;
+#if defined(IPSEC) || defined(IPSEC_SUPPORT)
+		if (IPSEC_ENABLED(ipv6)) {
+			if (IPSEC_INPUT(ipv6, m, off, nxt) != 0)
+				return;
+		}
 #endif /* IPSEC */
 
 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);