[src/trunk]: src/sys/netipsec Don't use key_lookup_sp that depends on unstabl...
details: https://anonhg.NetBSD.org/src/rev/bfa8b35ba087
branches: trunk
changeset: 355249:bfa8b35ba087
user: ozaki-r <ozaki-r%NetBSD.org@localhost>
date: Fri Jul 21 04:39:08 2017 +0000
description:
Don't use key_lookup_sp that depends on unstable sp->req->sav
It provided a fast look-up of an SP. An alternative method will be provided later (after the basic MP-ification finishes).
diffstat:
sys/netipsec/ipsec.c | 69 +++------------------------------------------------
sys/netipsec/ipsec.h | 4 +--
sys/netipsec/key.c | 68 +-------------------------------------------------
sys/netipsec/key.h | 6 +---
4 files changed, 8 insertions(+), 139 deletions(-)
diffs (246 lines):
diff -r fcff3eed2b9f -r bfa8b35ba087 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Fri Jul 21 03:08:10 2017 +0000
+++ b/sys/netipsec/ipsec.c Fri Jul 21 04:39:08 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $ */
+/* $NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.108 2017/07/21 03:08:10 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.109 2017/07/21 04:39:08 ozaki-r Exp $");
/*
* IPsec controller part.
@@ -410,33 +410,6 @@
*
* NOTE: IPv6 mapped address concern is implemented here.
*/
-struct secpolicy *
-ipsec_getpolicy(const struct tdb_ident *tdbi, u_int dir)
-{
- struct secpolicy *sp;
-
- KASSERT(tdbi != NULL);
- KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
- sp = KEY_LOOKUP_SP(tdbi->spi, &tdbi->dst, tdbi->proto, dir);
- if (sp == NULL) /*XXX????*/
- sp = KEY_GET_DEFAULT_SP(tdbi->dst.sa.sa_family);
- KASSERT(sp != NULL);
- return sp;
-}
-
-/*
- * For OUTBOUND packet having a socket. Searching SPD for packet,
- * and return a pointer to SP.
- * OUT: NULL: no apropreate SP found, the following value is set to error.
- * 0 : bypass
- * EACCES : discard packet.
- * ENOENT : ipsec_acquire() in progress, maybe.
- * others : error occurred.
- * others: a pointer to SP
- *
- * NOTE: IPv6 mapped address concern is implemented here.
- */
static struct secpolicy *
ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb_hdr *inph,
int *error)
@@ -747,26 +720,11 @@
int
ipsec4_input(struct mbuf *m, int flags)
{
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int error, s;
- /*
- * Check if the packet has already had IPsec processing done.
- * If so, then just pass it along. This tag gets set during AH,
- * ESP, etc. input handling, before the packet is returned to
- * the IP input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
if (sp == NULL) {
splx(s);
return EINVAL;
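Review bot: A packet that AH/ESP have already processed (the PACKET_TAG_IPSEC_IN_DONE case the removed branch handled) now has its inbound SP selected purely from its addresses by ipsec_getpolicybyaddr rather than from the SPI/proto of the SA that processed it, and nothing in the new code says this is intentional rather than an oversight. A comment above the call would stop the next reader from reinstating the tag shortcut: `/* Select the inbound SP by address only; the IPsec history tags AH/ESP attach are compared against the SP afterwards, not used to pick it. */` — the second half is my reading of the later policy check, which is outside this hunk, and should be confirmed. Separately, `error` is now filled in by the only lookup on this path, yet the NULL branch still returns a fixed EINVAL, so whatever the helper reported is discarded; `return error != 0 ? error : EINVAL;` would propagate it. The rest of ipsec4_input lies beyond the hunk.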
@@ -2311,30 +2269,11 @@
int
ipsec6_input(struct mbuf *m)
{
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
struct secpolicy *sp;
int s, error;
- /*
- * Check if the packet has already had IPsec
- * processing done. If so, then just pass it
- * along. This tag gets set during AH, ESP,
- * etc. input handling, before the packet is
- * returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
- NULL);
s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi,
- IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m,
- IPSEC_DIR_INBOUND, IP_FORWARDING,
- &error);
- }
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
if (sp != NULL) {
/*
* Check security policy against packet
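Review bot: The same address-only lookup now also covers packets that AH/ESP have already processed, and as in ipsec4_input the hunk leaves no comment explaining why the SA-derived lookup was dropped; the one-line comment proposed for the v4 function belongs here too, since the two routines are read side by side. With the branch gone, the lookup line is byte-identical in ipsec4_input and ipsec6_input, so a tiny static helper (`ipsec_getinpolicy(m, &error)` wrapping `ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error)`) would keep the two paths from drifting apart again when the promised replacement lookup arrives. The `error` value set here is only consumed after the hunk, so whether a NULL `sp` propagates it or returns a fixed code, as the v4 variant does, cannot be checked from this view. ipsec6_input continues past the end of the hunk.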
diff -r fcff3eed2b9f -r bfa8b35ba087 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h Fri Jul 21 03:08:10 2017 +0000
+++ b/sys/netipsec/ipsec.h Fri Jul 21 04:39:08 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.53 2017/07/21 03:08:10 ozaki-r Exp $ */
+/* $NetBSD: ipsec.h,v 1.54 2017/07/21 04:39:08 ozaki-r Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -267,8 +267,6 @@
void ipsec_pcbdisconn (struct inpcbpolicy *);
void ipsec_invalpcbcacheall (void);
-struct tdb_ident;
-struct secpolicy *ipsec_getpolicy (const struct tdb_ident*, u_int);
struct inpcb;
struct secpolicy *ipsec4_checkpolicy (struct mbuf *, u_int, u_int,
int *, struct inpcb *);
diff -r fcff3eed2b9f -r bfa8b35ba087 sys/netipsec/key.c
--- a/sys/netipsec/key.c Fri Jul 21 03:08:10 2017 +0000
+++ b/sys/netipsec/key.c Fri Jul 21 04:39:08 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $ */
+/* $NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.188 2017/07/18 02:10:33 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.189 2017/07/21 04:39:08 ozaki-r Exp $");
/*
* This code is referd to RFC 2367
@@ -691,70 +691,6 @@
}
/*
- * allocating a SP for OUTBOUND or INBOUND packet.
- * Must call key_freesp() later.
- * OUT: NULL: not found
- * others: found and return the pointer.
- */
-struct secpolicy *
-key_lookup_sp(u_int32_t spi,
- const union sockaddr_union *dst,
- u_int8_t proto,
- u_int dir,
- const char* where, int tag)
-{
- struct secpolicy *sp;
- int s;
-
- KASSERT(dst != NULL);
- KASSERTMSG(IPSEC_DIR_IS_INOROUT(dir), "invalid direction %u", dir);
-
- KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP, "DP from %s:%u\n", where, tag);
-
- /* get a SP entry */
- s = splsoftnet(); /*called from softclock()*/
- if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
- printf("*** objects\n");
- printf("spi %u proto %u dir %u\n", spi, proto, dir);
- kdebug_sockaddr(&dst->sa);
- }
-
- LIST_FOREACH(sp, &sptree[dir], chain) {
- if (KEYDEBUG_ON(KEYDEBUG_IPSEC_DATA)) {
- printf("*** in SPD\n");
- kdebug_secpolicyindex(&sp->spidx);
- }
-
- if (sp->state == IPSEC_SPSTATE_DEAD)
- continue;
- /* compare simple values, then dst address */
- if (sp->spidx.ul_proto != proto)
- continue;
- /* NB: spi's must exist and match */
- if (!sp->req || !sp->req->sav || sp->req->sav->spi != spi)
- continue;
- if (key_sockaddr_match(&sp->spidx.dst.sa, &dst->sa, PORT_STRICT))
- goto found;
- }
- sp = NULL;
-found:
- if (sp) {
- /* sanity check */
- KEY_CHKSPDIR(sp->spidx.dir, dir);
-
- /* found a SPD entry */
- sp->lastused = time_uptime;
- SP_ADDREF2(sp, where, tag);
- }
- splx(s);
-
- KEYDEBUG_PRINTF(KEYDEBUG_IPSEC_STAMP,
- "DP return SP:%p (ID=%u) refcnt %u\n",
- sp, sp ? sp->id : 0, sp ? sp->refcnt : 0);
- return sp;
-}
-
-/*
* return a policy that matches this particular inbound packet.
* XXX slow
*/
diff -r fcff3eed2b9f -r bfa8b35ba087 sys/netipsec/key.h
--- a/sys/netipsec/key.h Fri Jul 21 03:08:10 2017 +0000
+++ b/sys/netipsec/key.h Fri Jul 21 04:39:08 2017 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.h,v 1.23 2017/07/14 12:26:26 ozaki-r Exp $ */
+/* $NetBSD: key.h,v 1.24 2017/07/21 04:39:08 ozaki-r Exp $ */
/* $FreeBSD: src/sys/netipsec/key.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */
@@ -50,8 +50,6 @@
int key_havesp(u_int dir);
struct secpolicy *key_lookup_sp_byspidx(const struct secpolicyindex *, u_int,
const char*, int);
-struct secpolicy *key_lookup_sp(u_int32_t spi, const union sockaddr_union *dst,
- u_int8_t proto, u_int dir, const char*, int);
struct secpolicy *key_newsp(const char*, int);
struct secpolicy *key_gettunnel(const struct sockaddr *,
const struct sockaddr *, const struct sockaddr *,
@@ -70,8 +68,6 @@
*/
#define KEY_LOOKUP_SP_BYSPIDX(spidx, dir) \
key_lookup_sp_byspidx(spidx, dir, __func__, __LINE__)
-#define KEY_LOOKUP_SP(spi, dst, proto, dir) \
- key_lookup_sp(spi, dst, proto, dir, __func__, __LINE__)
#define KEY_NEWSP() \
key_newsp(__func__, __LINE__)
#define KEY_GETTUNNEL(osrc, odst, isrc, idst) \