[src/trunk]: src/sys Introduce 2 new variables: ipsec_enabled and ipsec_used.
details: https://anonhg.NetBSD.org/src/rev/3dafd94a9ab6
branches: trunk
changeset: 329581:3dafd94a9ab6
user: christos <christos%NetBSD.org@localhost>
date: Fri May 30 01:39:03 2014 +0000
description:
Introduce 2 new variables: ipsec_enabled and ipsec_used.
ipsec_enabled is controlled by sysctl and determines if IPsec is allowed.
ipsec_used is set automatically based on ipsec being enabled, and
rules existing.
diffstat:
sys/netinet/in.h | 6 +-
sys/netinet/in_pcb.c | 31 +++++----
sys/netinet/in_pcb_hdr.h | 4 +-
sys/netinet/ip_icmp.c | 7 +-
sys/netinet/ip_input.c | 15 ++-
sys/netinet/ip_output.c | 32 ++++++---
sys/netinet/raw_ip.c | 10 +-
sys/netinet/tcp_input.c | 133 ++++++++++++++++++++++---------------------
sys/netinet/tcp_output.c | 29 +++++----
sys/netinet/udp_usrreq.c | 10 +-
sys/netinet6/icmp6.c | 7 +-
sys/netinet6/in6.h | 4 +-
sys/netinet6/in6_pcb.c | 29 ++++----
sys/netinet6/ip6_forward.c | 37 ++++++-----
sys/netinet6/ip6_input.c | 97 +++++++++++++++++--------------
sys/netinet6/ip6_output.c | 76 +++++++++++++-----------
sys/netinet6/raw_ip6.c | 8 +-
sys/netinet6/udp6_usrreq.c | 6 +-
sys/netipsec/ipsec.c | 7 +-
sys/netipsec/ipsec.h | 3 +-
sys/netipsec/ipsec_netbsd.c | 61 +++++++++++++++++++-
sys/netipsec/key.c | 36 +++++++++++-
sys/netipsec/key.h | 4 +-
23 files changed, 390 insertions(+), 262 deletions(-)
diffs (truncated from 1403 to 300 lines):
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/in.h
--- a/sys/netinet/in.h Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/in.h Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in.h,v 1.90 2014/05/22 22:01:12 rmind Exp $ */
+/* $NetBSD: in.h,v 1.91 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (c) 1982, 1986, 1990, 1993
@@ -282,9 +282,7 @@
#define IP_PORTRANGE 19 /* int; range to use for ephemeral port */
#define IP_RECVIF 20 /* bool; receive reception if w/dgram */
#define IP_ERRORMTU 21 /* int; get MTU of last xmit = EMSGSIZE */
-#if 1 /*IPSEC*/
-#define IP_IPSEC_POLICY 22 /* struct; get/set security policy */
-#endif
+#define IP_IPSEC_POLICY 22 /* struct; get/set security policy */
#define IP_RECVTTL 23 /* bool; receive IP TTL w/dgram */
#define IP_MINTTL 24 /* minimum TTL for packet or drop */
#define IP_PKTINFO 25 /* int; send interface and src addr */
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/in_pcb.c
--- a/sys/netinet/in_pcb.c Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/in_pcb.c Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in_pcb.c,v 1.147 2014/05/22 22:01:12 rmind Exp $ */
+/* $NetBSD: in_pcb.c,v 1.148 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -93,7 +93,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.147 2014/05/22 22:01:12 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in_pcb.c,v 1.148 2014/05/30 01:39:03 christos Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -191,9 +191,6 @@
struct inpcbtable *table = v;
struct inpcb *inp;
int s;
-#if defined(IPSEC)
- int error;
-#endif
s = splnet();
inp = pool_get(&inpcb_pool, PR_NOWAIT);
@@ -208,12 +205,14 @@
inp->inp_portalgo = PORTALGO_DEFAULT;
inp->inp_bindportonsend = false;
#if defined(IPSEC)
- error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
- if (error != 0) {
- s = splnet();
- pool_put(&inpcb_pool, inp);
- splx(s);
- return error;
+ if (ipsec_enabled) {
+ int error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
+ if (error != 0) {
+ s = splnet();
+ pool_put(&inpcb_pool, inp);
+ splx(s);
+ return error;
+ }
}
#endif
so->so_pcb = inp;
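Review bot: Gating ipsec_init_pcbpolicy() on ipsec_enabled at allocation leaves inp->inp_sp unset for PCBs created while the sysctl is off, but the hunks at in_pcbconnect, in_pcbdisconnect and in_pcbdetach below re-read ipsec_enabled at call time instead of looking at the PCB, so a later flip of the sysctl makes ipsec_pcbconn()/ipsec_pcbdisconn() run on a policy that was never created, and flipping it the other way skips ipsec4_delete_pcbpolicy() and leaks the policy of sockets created while it was on. Presumably the pool_get() memory is zeroed before this point (not visible in the hunk), so inp_sp is NULL rather than stale, but that only turns the first case into a NULL dereference unless those helpers tolerate a NULL policy. Keying the per-PCB calls on the PCB's own state, e.g. `if (inp->inp_sp != NULL) ipsec4_delete_pcbpolicy(inp);`, closes both directions regardless of when the sysctl changed. in_pcballoc's body continues outside the hunk.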
@@ -556,7 +555,7 @@
in_pcbstate(inp, INP_CONNECTED);
#if defined(IPSEC)
- if (inp->inp_socket->so_type == SOCK_STREAM)
+ if (ipsec_enabled && inp->inp_socket->so_type == SOCK_STREAM)
ipsec_pcbconn(inp->inp_sp);
#endif
return (0);
@@ -574,7 +573,8 @@
inp->inp_fport = 0;
in_pcbstate(inp, INP_BOUND);
#if defined(IPSEC)
- ipsec_pcbdisconn(inp->inp_sp);
+ if (ipsec_enabled)
+ ipsec_pcbdisconn(inp->inp_sp);
#endif
if (inp->inp_socket->so_state & SS_NOFDREF)
in_pcbdetach(inp);
@@ -591,8 +591,9 @@
return;
#if defined(IPSEC)
- ipsec4_delete_pcbpolicy(inp);
-#endif /*IPSEC*/
+ if (ipsec_enabled)
+ ipsec4_delete_pcbpolicy(inp);
+#endif /* IPSEC */
so->so_pcb = 0;
if (inp->inp_options)
(void)m_free(inp->inp_options);
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/in_pcb_hdr.h
--- a/sys/netinet/in_pcb_hdr.h Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/in_pcb_hdr.h Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in_pcb_hdr.h,v 1.10 2013/11/23 22:23:26 christos Exp $ */
+/* $NetBSD: in_pcb_hdr.h,v 1.11 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 2003 WIDE Project.
@@ -80,9 +80,7 @@
int inph_portalgo;
struct socket *inph_socket; /* back pointer to socket */
struct inpcbtable *inph_table;
-#if 1 /* IPSEC */
struct inpcbpolicy *inph_sp; /* security policy */
-#endif
};
#define sotoinpcb_hdr(so) ((struct inpcb_hdr *)(so)->so_pcb)
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/ip_icmp.c
--- a/sys/netinet/ip_icmp.c Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/ip_icmp.c Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_icmp.c,v 1.133 2014/05/19 02:51:25 rmind Exp $ */
+/* $NetBSD: ip_icmp.c,v 1.134 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -94,7 +94,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.133 2014/05/19 02:51:25 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_icmp.c,v 1.134 2014/05/30 01:39:03 christos Exp $");
#include "opt_ipsec.h"
@@ -638,7 +638,8 @@
pfctlinput(PRC_REDIRECT_HOST, sintosa(&icmpsrc));
#if defined(IPSEC)
- key_sa_routechange((struct sockaddr *)&icmpsrc);
+ if (ipsec_used)
+ key_sa_routechange((struct sockaddr *)&icmpsrc);
#endif
break;
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/ip_input.c Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.316 2014/05/29 23:02:48 rmind Exp $ */
+/* $NetBSD: ip_input.c,v 1.317 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.316 2014/05/29 23:02:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.317 2014/05/30 01:39:03 christos Exp $");
#include "opt_inet.h"
#include "opt_compat_netbsd.h"
@@ -522,7 +522,7 @@
* in the list may have previously cleared it.
*/
#if defined(IPSEC)
- if (!ipsec_indone(m))
+ if (!ipsec_used || !ipsec_indone(m))
#else
if (1)
#endif
@@ -699,7 +699,8 @@
}
#ifdef IPSEC
/* Perform IPsec, if any. */
- if (ipsec4_input(m, IP_FORWARDING | (ip_directedbcast ?
+ if (ipsec_used &&
+ ipsec4_input(m, IP_FORWARDING | (ip_directedbcast ?
IP_ALLOWBROADCAST : 0)) != 0) {
goto bad;
}
@@ -738,7 +739,8 @@
* Note that we do not visit this with protocols with PCB layer
* code - like UDP/TCP/raw IP.
*/
- if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
+ if (ipsec_used &&
+ (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
if (ipsec4_input(m, 0) != 0) {
goto bad;
}
@@ -1289,7 +1291,8 @@
if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
destmtu = rt->rt_ifp->if_mtu;
#ifdef IPSEC
- (void)ipsec4_forward(mcopy, &destmtu);
+ if (ipsec_used)
+ (void)ipsec4_forward(mcopy, &destmtu);
#endif
IP_STATINC(IP_STAT_CANTFRAG);
break;
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/ip_output.c Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_output.c,v 1.228 2014/05/29 23:02:48 rmind Exp $ */
+/* $NetBSD: ip_output.c,v 1.229 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.228 2014/05/29 23:02:48 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.229 2014/05/30 01:39:03 christos Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@@ -169,7 +169,9 @@
struct ip_moptions *imo;
struct socket *so;
va_list ap;
+#ifdef IPSEC
struct secpolicy *sp = NULL;
+#endif
bool natt_frag = false;
bool __unused done = false;
union {
@@ -457,10 +459,12 @@
ip->ip_off |= htons(IP_DF);
#ifdef IPSEC
- /* Perform IPsec processing, if any. */
- error = ipsec4_output(m, so, flags, &sp, &mtu, &natt_frag, &done);
- if (error || done) {
- goto done;
+ if (ipsec_used) {
+ /* Perform IPsec processing, if any. */
+ error = ipsec4_output(m, so, flags, &sp, &mtu, &natt_frag,
+ &done);
+ if (error || done)
+ goto done;
}
#endif
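Review bot: ipsec4_output() is now skipped whenever ipsec_used is false, while the IP_IPSEC_POLICY setsockopt hunk below still installs a per-socket policy whenever ipsec_enabled is true; unless setting a socket policy also raises ipsec_used (the description ties it to global rules existing, and key.c is outside this excerpt), a socket whose policy was set on an otherwise empty SPD would be sent without any policy check. Worth either confirming that ipsec4_set_policy() updates ipsec_used or documenting the dependency at this check, e.g. `/* ipsec_used must also cover per-socket policies from IP_IPSEC_POLICY, else they are silently bypassed here. */`. The same ipsec_used gate appears in ip_input.c's forwarding and PR_LASTHDR hunks, where the only consumer is the global SPD, so the concern is specific to the per-socket path. ip_output's body continues on both sides of the hunk.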
@@ -622,11 +626,11 @@
IP_STATINC(IP_STAT_FRAGMENTED);
done:
rtcache_free(&iproute);
+#ifdef IPSEC
if (sp) {
-#ifdef IPSEC
KEY_FREESP(&sp);
+ }
#endif
- }
return error;
bad:
m_freem(m);
@@ -1030,10 +1034,14 @@
#if defined(IPSEC)
case IP_IPSEC_POLICY:
- error = ipsec4_set_policy(inp, sopt->sopt_name,
- sopt->sopt_data, sopt->sopt_size, curlwp->l_cred);
- break;
-#endif /*IPSEC*/
+ if (ipsec_enabled) {
+ error = ipsec4_set_policy(inp, sopt->sopt_name,
+ sopt->sopt_data, sopt->sopt_size,
+ curlwp->l_cred);
+ break;
+ }
+ /*FALLTHROUGH*/
+#endif /* IPSEC */
default:
error = ENOPROTOOPT;
diff -r 1c789e253a4d -r 3dafd94a9ab6 sys/netinet/raw_ip.c
--- a/sys/netinet/raw_ip.c Fri May 30 01:34:32 2014 +0000
+++ b/sys/netinet/raw_ip.c Fri May 30 01:39:03 2014 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: raw_ip.c,v 1.123 2014/05/22 23:42:53 rmind Exp $ */
+/* $NetBSD: raw_ip.c,v 1.124 2014/05/30 01:39:03 christos Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -65,7 +65,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.123 2014/05/22 23:42:53 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: raw_ip.c,v 1.124 2014/05/30 01:39:03 christos Exp $");
#include "opt_inet.h"
#include "opt_compat_netbsd.h"