[src/trunk]: src/sys Pull out ipsec routines from ip6_input
details: https://anonhg.NetBSD.org/src/rev/1c8c08baad7c
branches: trunk
changeset: 337076:1c8c08baad7c
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Wed Apr 01 02:49:44 2015 +0000
description:
Pull out ipsec routines from ip6_input
This change reduces symbol references from netinet6 to netipsec
and improves modularity of netipsec.
No functional change is intended.
diffstat:
sys/netinet6/ip6_input.c | 43 ++-------------------------------------
sys/netipsec/ipsec.c | 51 +++++++++++++++++++++++++++++++++++++++++++++--
sys/netipsec/ipsec.h | 5 +++-
3 files changed, 55 insertions(+), 44 deletions(-)
diffs (162 lines):
diff -r 120e28488494 -r 1c8c08baad7c sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Wed Apr 01 01:44:56 2015 +0000
+++ b/sys/netinet6/ip6_input.c Wed Apr 01 02:49:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $ */
+/* $NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $");
#include "opt_gateway.h"
#include "opt_inet.h"
@@ -748,11 +748,6 @@
#ifdef IPSEC
if (ipsec_used) {
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
- struct secpolicy *sp;
- int s, error;
-
/*
* enforce IPsec policy checking if we are seeing last
* header. note that we do not visit this with
@@ -760,39 +755,7 @@
*/
if ((inet6sw[ip_protox[nxt]].pr_flags
& PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec
- * processing done. If so, then just pass it
- * along. This tag gets set during AH, ESP,
- * etc. input handling, before the packet is
- * returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
- NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi,
- IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m,
- IPSEC_DIR_INBOUND, IP_FORWARDING,
- &error);
- }
- if (sp != NULL) {
- /*
- * Check security policy against packet
- * attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("ip6_input: no SP, packet"
- " discarded\n"));/*XXX*/
- }
- splx(s);
+ int error = ipsec6_input(m);
if (error)
goto bad;
}
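Review bot: The moved policy check is now a single call whose result is only tested for non-zero, so the errno value that `ipsec6_input` returns is discarded before `goto bad`; that matches the old inline code, but a short comment on the new line, `/* 0 = policy permits delivery, errno = drop (no SP or policy mismatch) */`, would record why the value is not inspected further. The enclosing `ip6_input` function and the `bad:` label this jumps to lie outside the hunk, so whether the drop is counted there cannot be confirmed from this diff.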
diff -r 120e28488494 -r 1c8c08baad7c sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Wed Apr 01 01:44:56 2015 +0000
+++ b/sys/netipsec/ipsec.c Wed Apr 01 02:49:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -2425,7 +2425,52 @@
*needipsecp = needipsec;
return sp;
}
-#endif
+
+int
+ipsec6_input(struct mbuf *m)
+{
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int s, error;
+
+ /*
+ * Check if the packet has already had IPsec
+ * processing done. If so, then just pass it
+ * along. This tag gets set during AH, ESP,
+ * etc. input handling, before the packet is
+ * returned to the ip input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
+ NULL);
+ s = splsoftnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi,
+ IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m,
+ IPSEC_DIR_INBOUND, IP_FORWARDING,
+ &error);
+ }
+ if (sp != NULL) {
+ /*
+ * Check security policy against packet
+ * attributes.
+ */
+ error = ipsec_in_reject(sp, m);
+ KEY_FREESP(&sp);
+ } else {
+ /* XXX error stat??? */
+ error = EINVAL;
+ DPRINTF(("ip6_input: no SP, packet"
+ " discarded\n"));/*XXX*/
+ }
+ splx(s);
+
+ return error;
+}
+#endif /* INET6 */
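Review bot: The DPRINTF on the no-policy branch of the new `ipsec6_input` still names `ip6_input:` as the origin of the "no SP, packet discarded" message, which now sends anyone tracing a drop to the wrong file; change it to `DPRINTF(("ipsec6_input: no SP, packet" " discarded\n"));`. The function also lands without a header comment: a short block above it stating that it enforces the inbound IPsec policy for an IPv6 packet whose last header has been reached (reusing the policy recorded by PACKET_TAG_IPSEC_IN_DONE when AH/ESP already processed it), and returns 0 when the packet may continue or an errno (EINVAL when no policy exists) when the caller must drop it, would make the contract visible in netipsec now that the caller is no longer adjacent. The `/* XXX error stat??? */` comment is carried over unchanged, so packets dropped for lack of a policy still increment no counter and remain invisible to operators; if a drop statistic is introduced, this branch is where it belongs.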
diff -r 120e28488494 -r 1c8c08baad7c sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h Wed Apr 01 01:44:56 2015 +0000
+++ b/sys/netipsec/ipsec.h Wed Apr 01 02:49:44 2015 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.36 2014/09/05 09:26:44 matt Exp $ */
+/* $NetBSD: ipsec.h,v 1.37 2015/04/01 02:49:44 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -260,6 +260,9 @@
struct secpolicy **, u_long *, bool *, bool *);
int ipsec4_input(struct mbuf *, int);
int ipsec4_forward(struct mbuf *, int *);
+#ifdef INET6
+int ipsec6_input(struct mbuf *);
+#endif
static __inline struct secpolicy*
ipsec4_getpolicybysock(
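Review bot: The new `ipsec6_input` prototype is wrapped in `#ifdef INET6` while the neighbouring `ipsec4_input` and `ipsec4_forward` declarations are unconditional; that is consistent with the definition in ipsec.c sitting inside an INET6 block, but the asymmetry deserves a one-line comment so it is not "fixed" later. A comment above the declaration, `/* Inbound IPsec policy check for IPv6; returns 0 to accept, errno to drop. */`, would also record the return contract that the `if (error) goto bad;` in ip6_input.c relies on.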