[src/netbsd-1-5]: src/sys/netinet6 pullup (approved by releng-1-5)
details: https://anonhg.NetBSD.org/src/rev/65dc4d0508c3
branches: netbsd-1-5
changeset: 489576:65dc4d0508c3
user: itojun <itojun%NetBSD.org@localhost>
date: Fri Sep 29 06:32:43 2000 +0000
description:
pullup (approved by releng-1-5)
Clean up the IPsec policy lookup to fix IPv4-mapped address handling (outbound) and
explicit port numbers (sendto).
sys/netinet6/ipsec.c 1.24 -> 1.27
diffstat:
sys/netinet6/ipsec.c | 719 +++++++++++++++++++++++++-------------------------
1 files changed, 364 insertions(+), 355 deletions(-)
diffs (truncated from 888 to 300 lines):
diff -r a033edbb5a65 -r 65dc4d0508c3 sys/netinet6/ipsec.c
--- a/sys/netinet6/ipsec.c Fri Sep 29 06:29:54 2000 +0000
+++ b/sys/netinet6/ipsec.c Fri Sep 29 06:32:43 2000 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: ipsec.c,v 1.23 2000/06/15 05:01:07 itojun Exp $ */
-/* $KAME: ipsec.c,v 1.66 2000/06/15 04:08:54 itojun Exp $ */
+/* $NetBSD: ipsec.c,v 1.23.2.1 2000/09/29 06:32:43 itojun Exp $ */
+/* $KAME: ipsec.c,v 1.78 2000/09/22 05:29:48 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -64,9 +64,11 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#include <netinet/ip_ecn.h>
-
+#include <netinet/tcp.h>
+#include <netinet/udp.h>
+
+#include <netinet/ip6.h>
#ifdef INET6
-#include <netinet/ip6.h>
#include <netinet6/ip6_var.h>
#endif
#include <netinet/in_pcb.h>
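Review bot: `#include <netinet/udp.h>` is now pulled in twice in this block — it is already present two lines above the added `<netinet/tcp.h>`, and the second copy added right after it is redundant. Header guards make the duplicate harmless, but it reads as a merge artifact; drop the second `#include <netinet/udp.h>` and keep only the newly added `<netinet/tcp.h>`. Moving `<netinet/ip6.h>` outside the INET6 guard is fine only if that header is available in non-INET6 builds, which the diff does not show.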
@@ -121,13 +123,17 @@
#endif /* INET6 */
static int ipsec_setspidx_mbuf
- __P((struct secpolicyindex *, u_int, u_int, struct mbuf *));
-static void ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
-static void ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
+ __P((struct secpolicyindex *, u_int, u_int, struct mbuf *, int));
+static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
#ifdef INET6
-static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *));
-static void ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
-static void ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
+static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
+#endif
+static int ipsec_setspidx __P((struct mbuf *, struct secpolicyindex *, int));
+static void ipsec4_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
+static int ipsec4_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
+#ifdef INET6
+static void ipsec6_get_ulp __P((struct mbuf *m, struct secpolicyindex *, int));
+static int ipsec6_setspidx_ipaddr __P((struct mbuf *, struct secpolicyindex *));
#endif
static struct inpcbpolicy *ipsec_newpcbpolicy __P((void));
static void ipsec_delpcbpolicy __P((struct inpcbpolicy *));
@@ -177,19 +183,29 @@
switch (so->so_proto->pr_domain->dom_family) {
case AF_INET:
/* set spidx in pcb */
- ipsec4_setspidx_inpcb(m, sotoinpcb(so));
- pcbsp = sotoinpcb(so)->inp_sp;
+ *error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
break;
#ifdef INET6
case AF_INET6:
/* set spidx in pcb */
- ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
- pcbsp = sotoin6pcb(so)->in6p_sp;
+ *error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
break;
#endif
default:
panic("ipsec4_getpolicybysock: unsupported address family\n");
}
+ if (*error)
+ return NULL;
+ switch (so->so_proto->pr_domain->dom_family) {
+ case AF_INET:
+ pcbsp = sotoinpcb(so)->inp_sp;
+ break;
+#ifdef INET6
+ case AF_INET6:
+ pcbsp = sotoin6pcb(so)->in6p_sp;
+ break;
+#endif
+ }
/* sanity check */
if (pcbsp == NULL)
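Review bot: The second `switch` on the socket's domain family has no `default:` case, so if it were ever entered with another family `pcbsp` would keep whatever value it had at its declaration, which lies outside this hunk; if that declaration carries no initializer the following `pcbsp == NULL` sanity check does not help and compilers will warn about a possibly uninitialized use. The first switch panics for unknown families, so the case is unreachable today, but the two switches can drift apart as families are added. Mirror the first one with `default: panic("ipsec4_getpolicybysock: unsupported address family\n");` or set `pcbsp = NULL;` immediately before the second switch. ipsec4_getpolicybysock's body starts and ends outside the hunk.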
@@ -334,7 +350,8 @@
bzero(&spidx, sizeof(spidx));
/* make a index to look for a policy */
- *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m);
+ *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET, m,
+ (flag & IP_FORWARDING) ? 0 : 1);
if (*error != 0)
return NULL;
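Review bot: The new `(flag & IP_FORWARDING) ? 0 : 1` argument is the only place the caller decides whether port selectors are consulted, and nothing in the hunk says why forwarded traffic is treated differently; a reader has to chase the `needport` parameter into ipsec_setspidx_mbuf to work it out. Add a one-line comment above the call stating the intent, e.g. `/* forwarded packets: presumably match the SPD on addresses and protocol only, never on ports (needport = 0) */`, adjusting the wording to whatever ipsec_setspidx actually does with it. The enclosing ipsec4_getpolicybyaddr starts before and continues after this hunk.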
@@ -390,6 +407,11 @@
if (m == NULL || so == NULL || error == NULL)
panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
+#ifdef DIAGNOSTIC
+ if (so->so_proto->pr_domain->dom_family != AF_INET6)
+ panic("ipsec6_getpolicybysock: socket domain != inet6\n");
+#endif
+
/* set spidx in pcb */
ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
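Review bot: `ipsec6_setspidx_in6pcb()` now returns an int (its prototype in this commit changes from void to int), but this call still discards the result, so a failed index setup falls through to the policy lookup with whatever the pcb's spidx happened to hold. The AF_INET6 branch of ipsec4_getpolicybysock earlier in this diff handles it correctly: `*error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so)); if (*error) return NULL;` — the same two lines belong here, since `error` is already checked for NULL a few lines above. The rest of ipsec6_getpolicybysock is outside the hunk.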
@@ -545,7 +567,8 @@
bzero(&spidx, sizeof(spidx));
/* make a index to look for a policy */
- *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m);
+ *error = ipsec_setspidx_mbuf(&spidx, dir, AF_INET6, m,
+ (flag & IP_FORWARDING) ? 0 : 1);
if (*error != 0)
return NULL;
@@ -586,162 +609,24 @@
* other: failure, and set errno.
*/
int
-ipsec_setspidx_mbuf(spidx, dir, family, m)
+ipsec_setspidx_mbuf(spidx, dir, family, m, needport)
struct secpolicyindex *spidx;
u_int dir, family;
struct mbuf *m;
+ int needport;
{
+ int error;
/* sanity check */
if (spidx == NULL || m == NULL)
panic("ipsec_setspidx_mbuf: NULL pointer was passed.\n");
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: begin\n"); kdebug_mbuf(m));
-
- /* initialize */
bzero(spidx, sizeof(*spidx));
- spidx->dir = dir;
-
- {
- /* sanity check for packet length. */
- struct mbuf *n;
- int tlen;
-
- tlen = 0;
- for (n = m; n; n = n->m_next)
- tlen += n->m_len;
- if (m->m_pkthdr.len != tlen) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: "
- "total of m_len(%d) != pkthdr.len(%d), "
- "ignored.\n",
- tlen, m->m_pkthdr.len));
+ error = ipsec_setspidx(m, spidx, needport);
+ if (error)
goto bad;
- }
- }
-
- switch (family) {
- case AF_INET:
- {
- struct ip *ip;
- struct ip ipbuf;
- struct sockaddr_in *sin;
-
- /* sanity check 1 for minimum ip header length */
- if (m->m_pkthdr.len < sizeof(struct ip)) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: "
- "pkthdr.len(%d) < sizeof(struct ip), "
- "ignored.\n",
- m->m_pkthdr.len));
- goto bad;
- }
-
- /*
- * get IPv4 header packet. usually the mbuf is contiguous
- * and we need no copies.
- */
- if (m->m_len >= sizeof(*ip))
- ip = mtod(m, struct ip *);
- else {
- m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
- ip = &ipbuf;
- }
-
- /* XXX some more checks on IPv4 header. */
-
- sin = (struct sockaddr_in *)&spidx->src;
- sin->sin_family = AF_INET;
- sin->sin_len = sizeof(*sin);
- bcopy(&ip->ip_src, &sin->sin_addr, sizeof(sin->sin_addr));
- sin->sin_port = IPSEC_PORT_ANY;
-
- sin = (struct sockaddr_in *)&spidx->dst;
- sin->sin_family = AF_INET;
- sin->sin_len = sizeof(*sin);
- bcopy(&ip->ip_dst, &sin->sin_addr, sizeof(sin->sin_addr));
- sin->sin_port = IPSEC_PORT_ANY;
-
- spidx->prefs = spidx->prefd = sizeof(struct in_addr) << 3;
-
- spidx->ul_proto = ip->ip_p;
- break;
- }
-
-#ifdef INET6
- case AF_INET6:
- {
- struct ip6_hdr *ip6;
- struct ip6_hdr ip6buf;
- struct sockaddr_in6 *sin6;
-
- /* sanity check 1 for minimum ip header length */
- if (m->m_pkthdr.len < sizeof(struct ip6_hdr)) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: "
- "pkthdr.len(%d) < sizeof(struct ip6_hdr), "
- "ignored.\n",
- m->m_pkthdr.len));
- goto bad;
- }
-
- /*
- * get IPv6 header packet. usually the mbuf is contiguous
- * and we need no copies.
- */
- if (m->m_len >= sizeof(*ip6))
- ip6 = mtod(m, struct ip6_hdr *);
- else {
- m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
- ip6 = &ip6buf;
- }
-
- /* some more checks on IPv4 header. */
- if ((ip6->ip6_vfc & IPV6_VERSION_MASK) != IPV6_VERSION) {
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: "
- "wrong ip version on packet "
- "(expected IPv6), ignored.\n"));
- goto bad;
- }
-
- sin6 = (struct sockaddr_in6 *)&spidx->src;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_len = sizeof(*sin6);
- bcopy(&ip6->ip6_src, &sin6->sin6_addr, sizeof(sin6->sin6_addr));
- sin6->sin6_port = IPSEC_PORT_ANY;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_src.s6_addr16[1]);
- }
-
- sin6 = (struct sockaddr_in6 *)&spidx->dst;
- sin6->sin6_family = AF_INET6;
- sin6->sin6_len = sizeof(*sin6);
- bcopy(&ip6->ip6_dst, &sin6->sin6_addr, sizeof(sin6->sin6_addr));
- sin6->sin6_port = IPSEC_PORT_ANY;
- if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst)) {
- /* fix scope id for comparing SPD */
- sin6->sin6_addr.s6_addr16[1] = 0;
- sin6->sin6_scope_id = ntohs(ip6->ip6_dst.s6_addr16[1]);
- }
-
- spidx->prefs = spidx->prefd = sizeof(struct in6_addr) << 3;
-
- ipsec6_get_ulp(m, spidx);
- break;
- }
-#endif /* INET6 */
- default:
- panic("ipsec_secsecidx: no supported family passed.\n");
- }
-
- KEYDEBUG(KEYDEBUG_IPSEC_DUMP,
- printf("ipsec_setspidx_mbuf: end\n");
- kdebug_secpolicyindex(spidx));
+ spidx->dir = dir;
return 0;
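Review bot: After the rewrite the `family` parameter of ipsec_setspidx_mbuf is never read — the body is now `ipsec_setspidx(m, spidx, needport)` plus `spidx->dir = dir` — so the caller's AF_INET/AF_INET6 claim is no longer checked against the packet's IP version in this function, and the old per-family version check and the mbuf chain length sanity check are gone from here. If ipsec_setspidx (defined outside this hunk) performs those checks, a comment on the parameter saying so would stop the next reader from wondering, e.g. `/* family: kept for the callers; the packet's own IP version is trusted, see ipsec_setspidx() */`. If it does not, add a DIAGNOSTIC check that `((struct sockaddr *)&spidx->src)->sa_family == family` before returning, or document why a mismatch (for instance IPv4-mapped traffic, which this commit is meant to fix) is intentionally accepted.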
@@ -751,19 +636,294 @@
return EINVAL;
}
+static int
+ipsec4_setspidx_inpcb(m, pcb)
+ struct mbuf *m;
+ struct inpcb *pcb;
+{
+ struct secpolicyindex *spidx;
+ int error;
+
+ /* sanity check */
+ if (pcb == NULL)
+ panic("ipsec4_setspidx_inpcb: no PCB found.\n");
+ if (pcb->inp_sp == NULL)