Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys/netipsec Remove obsolete/dead code, the IP-in-IP encapsu...



details:   https://anonhg.NetBSD.org/src/rev/ec3704d6cedd
branches:  trunk
changeset: 322331:ec3704d6cedd
user:      maxv <maxv%NetBSD.org@localhost>
date:      Sun Apr 29 14:35:35 2018 +0000

description:
Remove obsolete/dead code, the IP-in-IP encapsulation doesn't work this
way anymore (XF_IP4 partly dropped by FAST_IPSEC).

diffstat:

 sys/netipsec/ipsec_input.c |  156 +--------------------------------------------
 sys/netipsec/xform_ipip.c  |    8 +-
 2 files changed, 4 insertions(+), 160 deletions(-)

diffs (213 lines):

diff -r 3278a46a56b3 -r ec3704d6cedd sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Sun Apr 29 14:21:16 2018 +0000
+++ b/sys/netipsec/ipsec_input.c        Sun Apr 29 14:35:35 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $    */
+/*     $NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $    */
 /*     $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $");
 
 /*
  * IPsec input processing.
@@ -375,84 +375,6 @@
 
        prot = ip->ip_p;
 
-#ifdef notyet
-       /* IP-in-IP encapsulation */
-       if (prot == IPPROTO_IPIP) {
-               struct ip ipn;
-
-               /* ipn will now contain the inner IPv4 header */
-               /* XXX: check m_pkthdr.len */
-               m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
-
-               /* XXX PROXY address isn't recorded in SAH */
-               /*
-                * Check that the inner source address is the same as
-                * the proxy address, if available.
-                */
-               if ((saidx->proxy.sa.sa_family == AF_INET &&
-                   saidx->proxy.sin.sin_addr.s_addr !=
-                   INADDR_ANY &&
-                   ipn.ip_src.s_addr !=
-                   saidx->proxy.sin.sin_addr.s_addr) ||
-                   (saidx->proxy.sa.sa_family != AF_INET &&
-                       saidx->proxy.sa.sa_family != 0)) {
-
-                       char ipbuf[INET_ADDRSTRLEN];
-                       IPSECLOG(LOG_DEBUG,
-                           "inner source address %s doesn't correspond to "
-                           "expected proxy source %s, SA %s/%08lx\n",
-                           IN_PRINT(ipbuf, ipn.ip_src),
-                           ipsp_address(saidx->proxy),
-                           ipsp_address(saidx->dst),
-                           (u_long) ntohl(sav->spi));
-
-                       IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-                           AH_STAT_PDROPS,
-                           IPCOMP_STAT_PDROPS);
-                       error = EACCES;
-                       goto bad;
-               }
-       }
-#if INET6
-       /* IPv6-in-IP encapsulation. */
-       if (prot == IPPROTO_IPV6) {
-               struct ip6_hdr ip6n;
-
-               /* ip6n will now contain the inner IPv6 header. */
-               /* XXX: check m_pkthdr.len */
-               m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
-
-               /*
-                * Check that the inner source address is the same as
-                * the proxy address, if available.
-                */
-               if ((saidx->proxy.sa.sa_family == AF_INET6 &&
-                   !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
-                   !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
-                       &saidx->proxy.sin6.sin6_addr)) ||
-                   (saidx->proxy.sa.sa_family != AF_INET6 &&
-                       saidx->proxy.sa.sa_family != 0)) {
-
-                       char ip6buf[INET6_ADDRSTRLEN];
-                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-                       IPSECLOG(LOG_DEBUG,
-                           "inner source address %s doesn't correspond to "
-                           "expected proxy source %s, SA %s/%08lx\n",
-                           ip6_sprintf(ip6buf, &ip6n.ip6_src),
-                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-                           (u_long) ntohl(sav->spi));
-
-                       IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-                           AH_STAT_PDROPS,
-                           IPCOMP_STAT_PDROPS);
-                       error = EACCES;
-                       goto bad;
-               }
-       }
-#endif /* INET6 */
-#endif /* notyet */
-
        M_VERIFY_PACKET(m);
 
        key_sa_recordxfer(sav, m);              /* record data transfer */
@@ -574,80 +496,6 @@
        /* Save protocol */
        m_copydata(m, protoff, 1, &prot);
 
-#ifdef notyet
-#ifdef INET
-       /* IP-in-IP encapsulation */
-       if (prot == IPPROTO_IPIP) {
-               struct ip ipn;
-
-               /* ipn will now contain the inner IPv4 header */
-               /* XXX: check m_pkthdr.len */
-               m_copydata(m, skip, sizeof(struct ip), &ipn);
-
-               /*
-                * Check that the inner source address is the same as
-                * the proxy address, if available.
-                */
-               if ((saidx->proxy.sa.sa_family == AF_INET &&
-                   saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
-                   ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
-                   (saidx->proxy.sa.sa_family != AF_INET &&
-                       saidx->proxy.sa.sa_family != 0)) {
-
-                       char ipbuf[INET_ADDRSTRLEN];
-                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-                       IPSECLOG(LOG_DEBUG,
-                           "inner source address %s doesn't correspond to "
-                           "expected proxy source %s, SA %s/%08lx\n",
-                           IN_PRINT(ipbuf, ipn.ip_src),
-                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-                           (u_long) ntohl(sav->spi));
-
-                       IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-                           AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
-                       error = EACCES;
-                       goto bad;
-               }
-       }
-#endif /* INET */
-       /* IPv6-in-IP encapsulation */
-       if (prot == IPPROTO_IPV6) {
-               struct ip6_hdr ip6n;
-
-               /* ip6n will now contain the inner IPv6 header. */
-               /* XXX: check m_pkthdr.len */
-               m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n);
-
-               /*
-                * Check that the inner source address is the same as
-                * the proxy address, if available.
-                */
-               if ((saidx->proxy.sa.sa_family == AF_INET6 &&
-                   !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
-                   !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
-                       &saidx->proxy.sin6.sin6_addr)) ||
-                   (saidx->proxy.sa.sa_family != AF_INET6 &&
-                       saidx->proxy.sa.sa_family != 0)) {
-
-                       char ip6buf[INET6_ADDRSTRLEN];
-                       char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
-                       IPSECLOG(LOG_DEBUG,
-                           "inner source address %s doesn't correspond to "
-                           "expected proxy source %s, SA %s/%08lx\n",
-                           ip6_sprintf(ip6buf, &ip6n.ip6_src),
-                           ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
-                           ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
-                           (u_long) ntohl(sav->spi));
-
-                       IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
-                           AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
-                       error = EACCES;
-                       goto bad;
-               }
-       }
-#endif /* notyet */
-
        key_sa_recordxfer(sav, m);
 
        /* Retrieve new protocol */
diff -r 3278a46a56b3 -r ec3704d6cedd sys/netipsec/xform_ipip.c
--- a/sys/netipsec/xform_ipip.c Sun Apr 29 14:21:16 2018 +0000
+++ b/sys/netipsec/xform_ipip.c Sun Apr 29 14:35:35 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $     */
+/*     $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $     */
 /*     $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $  */
 /*     $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $");
 
 /*
  * IP-inside-IP processing
@@ -506,10 +506,6 @@
 
        IPIP_STATINC(IPIP_STAT_OPACKETS);
        IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen);
-#if 0
-       if (sav->tdb_xform->xf_type == XF_IP4)
-               tdb->tdb_cur_bytes += m->m_pkthdr.len - iphlen;
-#endif
 
        *mp = m;
        return 0;



Home | Main Index | Thread Index | Old Index