[src/trunk]: src/sys/netipsec Remove obsolete/dead code, the IP-in-IP encapsu...
details: https://anonhg.NetBSD.org/src/rev/9abf4ad70213
branches: trunk
changeset: 361443:9abf4ad70213
user: maxv <maxv%NetBSD.org@localhost>
date: Sun Apr 29 14:35:35 2018 +0000
description:
Remove obsolete/dead code, the IP-in-IP encapsulation doesn't work this
way anymore (XF_IP4 partly dropped by FAST_IPSEC).
diffstat:
sys/netipsec/ipsec_input.c | 156 +--------------------------------------------
sys/netipsec/xform_ipip.c | 8 +-
2 files changed, 4 insertions(+), 160 deletions(-)
diffs (213 lines):
diff -r 4cf2232fc146 -r 9abf4ad70213 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c Sun Apr 29 14:21:16 2018 +0000
+++ b/sys/netipsec/ipsec_input.c Sun Apr 29 14:35:35 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $ */
/* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.67 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.68 2018/04/29 14:35:35 maxv Exp $");
/*
* IPsec input processing.
@@ -375,84 +375,6 @@
prot = ip->ip_p;
-#ifdef notyet
- /* IP-in-IP encapsulation */
- if (prot == IPPROTO_IPIP) {
- struct ip ipn;
-
- /* ipn will now contain the inner IPv4 header */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, ip->ip_hl << 2, sizeof(struct ip), &ipn);
-
- /* XXX PROXY address isn't recorded in SAH */
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET &&
- saidx->proxy.sin.sin_addr.s_addr !=
- INADDR_ANY &&
- ipn.ip_src.s_addr !=
- saidx->proxy.sin.sin_addr.s_addr) ||
- (saidx->proxy.sa.sa_family != AF_INET &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ipbuf[INET_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- IN_PRINT(ipbuf, ipn.ip_src),
- ipsp_address(saidx->proxy),
- ipsp_address(saidx->dst),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS,
- IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#if INET6
- /* IPv6-in-IP encapsulation. */
- if (prot == IPPROTO_IPV6) {
- struct ip6_hdr ip6n;
-
- /* ip6n will now contain the inner IPv6 header. */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, ip->ip_hl << 2, sizeof(struct ip6_hdr), &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &saidx->proxy.sin6.sin6_addr)) ||
- (saidx->proxy.sa.sa_family != AF_INET6 &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ip6buf[INET6_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS,
- IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* INET6 */
-#endif /* notyet */
-
M_VERIFY_PACKET(m);
key_sa_recordxfer(sav, m); /* record data transfer */
@@ -574,80 +496,6 @@
/* Save protocol */
m_copydata(m, protoff, 1, &prot);
-#ifdef notyet
-#ifdef INET
- /* IP-in-IP encapsulation */
- if (prot == IPPROTO_IPIP) {
- struct ip ipn;
-
- /* ipn will now contain the inner IPv4 header */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, skip, sizeof(struct ip), &ipn);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET &&
- saidx->proxy.sin.sin_addr.s_addr != INADDR_ANY &&
- ipn.ip_src.s_addr != saidx->proxy.sin.sin_addr.s_addr) ||
- (saidx->proxy.sa.sa_family != AF_INET &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ipbuf[INET_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- IN_PRINT(ipbuf, ipn.ip_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* INET */
- /* IPv6-in-IP encapsulation */
- if (prot == IPPROTO_IPV6) {
- struct ip6_hdr ip6n;
-
- /* ip6n will now contain the inner IPv6 header. */
- /* XXX: check m_pkthdr.len */
- m_copydata(m, skip, sizeof(struct ip6_hdr), &ip6n);
-
- /*
- * Check that the inner source address is the same as
- * the proxy address, if available.
- */
- if ((saidx->proxy.sa.sa_family == AF_INET6 &&
- !IN6_IS_ADDR_UNSPECIFIED(&saidx->proxy.sin6.sin6_addr) &&
- !IN6_ARE_ADDR_EQUAL(&ip6n.ip6_src,
- &saidx->proxy.sin6.sin6_addr)) ||
- (saidx->proxy.sa.sa_family != AF_INET6 &&
- saidx->proxy.sa.sa_family != 0)) {
-
- char ip6buf[INET6_ADDRSTRLEN];
- char pbuf[IPSEC_ADDRSTRLEN], dbuf[IPSEC_ADDRSTRLEN];
- IPSECLOG(LOG_DEBUG,
- "inner source address %s doesn't correspond to "
- "expected proxy source %s, SA %s/%08lx\n",
- ip6_sprintf(ip6buf, &ip6n.ip6_src),
- ipsec_address(&saidx->proxy, pbuf, sizeof(pbuf)),
- ipsec_address(&saidx->dst, dbuf, sizeof(dbuf)),
- (u_long) ntohl(sav->spi));
-
- IPSEC_ISTAT(sproto, ESP_STAT_PDROPS,
- AH_STAT_PDROPS, IPCOMP_STAT_PDROPS);
- error = EACCES;
- goto bad;
- }
- }
-#endif /* notyet */
-
key_sa_recordxfer(sav, m);
/* Retrieve new protocol */
diff -r 4cf2232fc146 -r 9abf4ad70213 sys/netipsec/xform_ipip.c
--- a/sys/netipsec/xform_ipip.c Sun Apr 29 14:21:16 2018 +0000
+++ b/sys/netipsec/xform_ipip.c Sun Apr 29 14:35:35 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $ */
/* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.69 2018/04/28 15:45:16 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.70 2018/04/29 14:35:35 maxv Exp $");
/*
* IP-inside-IP processing
@@ -506,10 +506,6 @@
IPIP_STATINC(IPIP_STAT_OPACKETS);
IPIP_STATADD(IPIP_STAT_OBYTES, m->m_pkthdr.len - iphlen);
-#if 0
- if (sav->tdb_xform->xf_type == XF_IP4)
- tdb->tdb_cur_bytes += m->m_pkthdr.len - iphlen;
-#endif
*mp = m;
return 0;