[src/trunk]: src/sys Split IPsec code in ip_input() and ip_forward() into the...
details: https://anonhg.NetBSD.org/src/rev/6760238b6b27
branches: trunk
changeset: 787255:6760238b6b27
user: rmind <rmind%NetBSD.org@localhost>
date: Sat Jun 08 13:50:22 2013 +0000
description:
Split IPsec code in ip_input() and ip_forward() into the separate routines
ipsec4_input() and ipsec4_forward(). Tested by christos@.
diffstat:
sys/netinet/ip_input.c | 151 +++++------------------------------------------
sys/netinet/ip_output.c | 8 +-
sys/netipsec/ipsec.c | 109 ++++++++++++++++++++++++++++++++++-
sys/netipsec/ipsec.h | 4 +-
4 files changed, 130 insertions(+), 142 deletions(-)
diffs (truncated from 397 to 300 lines):
diff -r b6d328be0c28 -r 6760238b6b27 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Sat Jun 08 13:13:34 2013 +0000
+++ b/sys/netinet/ip_input.c Sat Jun 08 13:50:22 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.304 2013/06/05 19:01:26 christos Exp $ */
+/* $NetBSD: ip_input.c,v 1.305 2013/06/08 13:50:22 rmind Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.304 2013/06/05 19:01:26 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.305 2013/06/08 13:50:22 rmind Exp $");
#include "opt_inet.h"
#include "opt_compat_netbsd.h"
@@ -143,8 +143,7 @@
#ifdef IPSEC
#include <netipsec/ipsec.h>
-#include <netipsec/key.h>
-#endif /* IPSEC*/
+#endif
#ifndef IPFORWARDING
#ifdef GATEWAY
@@ -405,12 +404,6 @@
int downmatch;
int checkif;
int srcrt = 0;
-#ifdef IPSEC
- struct m_tag *mtag;
- struct tdb_ident *tdbi;
- struct secpolicy *sp;
- int error, s;
-#endif /* IPSEC */
MCLAIM(m, &ip_rx_mowner);
KASSERT((m->m_flags & M_PKTHDR) != 0);
@@ -733,54 +726,12 @@
return;
}
#ifdef IPSEC
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
- }
- if (sp == NULL) { /* NB: can happen if error */
- splx(s);
- /*XXX error stat???*/
- DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
+ /* Perform IPsec, if any. */
+ if (ipsec4_input(m, IP_FORWARDING | (ip_directedbcast ?
+ IP_ALLOWBROADCAST : 0)) != 0) {
goto bad;
}
-
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- splx(s);
- if (error) {
- IP_STATINC(IP_STAT_CANTFORWARD);
- goto bad;
- }
-
- /*
- * Peek at the outbound SP for this packet to determine if
- * it's a Fast Forward candidate.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
- if (mtag != NULL)
- m->m_flags &= ~M_CANFASTFWD;
- else {
- s = splsoftnet();
- sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND,
- (IP_FORWARDING |
- (ip_directedbcast ? IP_ALLOWBROADCAST : 0)),
- &error, NULL);
- if (sp != NULL) {
- m->m_flags &= ~M_CANFASTFWD;
- KEY_FREESP(&sp);
- }
- splx(s);
- }
-#endif /* IPSEC */
-
+#endif
ip_forward(m, srcrt);
}
return;
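Review bot: The forwarding-path policy reject no longer bumps IP_STAT_CANTFORWARD: the removed code did `IP_STATINC(IP_STAT_CANTFORWARD)` before `goto bad` when ipsec_in_reject() failed, while the replacement only does `goto bad` on a non-zero return from ipsec4_input(). Unless ipsec4_input() counts internally (the part of it visible at the end of this diff returns EINVAL for the no-SP case without touching any statistic), a forwarded packet dropped by IPsec policy now vanishes from the counters an operator would check first; suggest `if (ipsec4_input(m, IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)) != 0) { IP_STATINC(IP_STAT_CANTFORWARD); goto bad; }`. The removed fast-forward probe (clearing M_CANFASTFWD when an outbound SP or a PACKET_TAG_IPSEC_PENDING_TDB tag exists) is also gone from this hunk; presumably it moved into ipsec4_input() and is selected by the flags now passed, but that cannot be confirmed from the truncated listing. ip_input()'s body continues outside the hunk.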
@@ -811,42 +762,16 @@
#ifdef IPSEC
/*
- * enforce IPsec policy checking if we are seeing last header.
- * note that we do not visit this with protocols with pcb layer
- * code - like udp/tcp/raw ip.
+ * Enforce IPsec policy checking if we are seeing last header.
+ * Note that we do not visit this with protocols with PCB layer
+ * code - like UDP/TCP/raw IP.
*/
if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
- /*
- * Check if the packet has already had IPsec processing
- * done. If so, then just pass it along. This tag gets
- * set during AH, ESP, etc. input handling, before the
- * packet is returned to the ip input queue for delivery.
- */
- mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splsoftnet();
- if (mtag != NULL) {
- tdbi = (struct tdb_ident *)(mtag + 1);
- sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
- } else {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
- IP_FORWARDING, &error);
+ if (ipsec4_input(m, 0) != 0) {
+ goto bad;
}
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
-DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
- }
- splx(s);
- if (error)
- goto bad;
}
-#endif /* IPSEC */
+#endif
/*
* Switch out to protocol's input routine.
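Review bot: The local-delivery drop is now silent: the removed code emitted `DPRINTF(("ip_input: no SP, packet discarded\n"))` for the missing-SP case, whereas the new `if (ipsec4_input(m, 0) != 0) goto bad;` gives no diagnostic and, as far as the visible part of ipsec4_input() shows, no statistic either. Since the caller cannot distinguish EINVAL (no SP found) from a policy rejection, a comment at this call would at least record the gap: `/* No inbound SP or policy mismatch: dropped without a counter (XXX error stat) */`, so the old "XXX error stat???" reminder is not lost in the rewrite. Note also that with flags == 0 the visible ipsec4_input() still looks up the policy with IP_FORWARDING, matching the old behaviour here; if that is intentional it deserves a one-line comment in the callee. ip_input()'s body continues outside the hunk.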
@@ -1422,53 +1347,9 @@
if ((rt = rtcache_validate(&ipforward_rt)) != NULL)
destmtu = rt->rt_ifp->if_mtu;
-
-#if defined(IPSEC)
- {
- /*
- * If the packet is routed over IPsec tunnel, tell the
- * originator the tunnel MTU.
- * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
- * XXX quickhack!!!
- */
-
- struct secpolicy *sp;
- int ipsecerror;
- size_t ipsechdr;
- struct route *ro;
-
- sp = ipsec4_getpolicybyaddr(mcopy,
- IPSEC_DIR_OUTBOUND, IP_FORWARDING,
- &ipsecerror);
-
- if (sp != NULL) {
- /* count IPsec header size */
- ipsechdr = ipsec4_hdrsiz(mcopy,
- IPSEC_DIR_OUTBOUND, NULL);
-
- /*
- * find the correct route for outer IPv4
- * header, compute tunnel MTU.
- */
-
- if (sp->req != NULL
- && sp->req->sav != NULL
- && sp->req->sav->sah != NULL) {
- ro = &sp->req->sav->sah->sa_route;
- rt = rtcache_validate(ro);
- if (rt && rt->rt_ifp) {
- destmtu =
- rt->rt_rmx.rmx_mtu ?
- rt->rt_rmx.rmx_mtu :
- rt->rt_ifp->if_mtu;
- destmtu -= ipsechdr;
- }
- }
-
- KEY_FREESP(&sp);
- }
- }
-#endif /*defined(IPSEC)*/
+#ifdef IPSEC
+ (void)ipsec4_forward(mcopy, &destmtu);
+#endif
IP_STATINC(IP_STAT_CANTFRAG);
break;
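Review bot: The result of ipsec4_forward() is discarded with `(void)` and nothing at the call records whether destmtu was adjusted, so the ICMP need-fragment reply now depends on the callee leaving destmtu untouched when there is no outbound SP or no validated SA route — a guarantee the removed code made explicit by assigning only inside `if (rt && rt->rt_ifp)`. ipsec4_forward()'s definition lies beyond the truncated part of this diff, so that contract cannot be confirmed here; a comment at the call, `/* Lower destmtu by the IPsec header size if the flow is tunnelled; left as-is otherwise. */`, would pin the expectation for the next reader. The removed code also reassigned the enclosing `rt` (from rtcache_validate(&ipforward_rt)) to the SA route, which moving the logic into a separate routine quietly fixes — worth a mention in the commit message. ip_forward()'s body continues on both sides of the hunk.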
diff -r b6d328be0c28 -r 6760238b6b27 sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c Sat Jun 08 13:13:34 2013 +0000
+++ b/sys/netinet/ip_output.c Sat Jun 08 13:50:22 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_output.c,v 1.221 2013/06/08 03:26:05 rmind Exp $ */
+/* $NetBSD: ip_output.c,v 1.222 2013/06/08 13:50:22 rmind Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.221 2013/06/08 03:26:05 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_output.c,v 1.222 2013/06/08 13:50:22 rmind Exp $");
#include "opt_pfil_hooks.h"
#include "opt_inet.h"
@@ -474,7 +474,7 @@
ip->ip_off |= htons(IP_DF);
#ifdef IPSEC
- /* Perform IPSec processing, if any. */
+ /* Perform IPsec processing, if any. */
error = ipsec4_output(m, so, flags, &sp, &mtu, &natt_frag, &done);
if (error || done) {
goto done;
@@ -611,7 +611,7 @@
#endif
/*
* If we get there, the packet has not been handled by
- * IPSec whereas it should have. Now that it has been
+ * IPsec whereas it should have. Now that it has been
* fragmented, re-inject it in ip_output so that IPsec
* processing can occur.
*/
diff -r b6d328be0c28 -r 6760238b6b27 sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c Sat Jun 08 13:13:34 2013 +0000
+++ b/sys/netipsec/ipsec.c Sat Jun 08 13:50:22 2013 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.59 2013/06/08 03:26:05 rmind Exp $ */
+/* $NetBSD: ipsec.c,v 1.60 2013/06/08 13:50:22 rmind Exp $ */
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.59 2013/06/08 03:26:05 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.60 2013/06/08 13:50:22 rmind Exp $");
/*
* IPsec controller part.
@@ -73,6 +73,7 @@
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
+#include <netinet/ip_private.h>
#include <netinet/ip6.h>
#ifdef INET6
@@ -829,6 +830,110 @@
return error;
}
+int
+ipsec4_input(struct mbuf *m, int flags)
+{
+ struct m_tag *mtag;
+ struct tdb_ident *tdbi;
+ struct secpolicy *sp;
+ int error, s;
+
+ /*
+ * Check if the packet has already had IPsec processing done.
+ * If so, then just pass it along. This tag gets set during AH,
+ * ESP, etc. input handling, before the packet is returned to
+ * the IP input queue for delivery.
+ */
+ mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+ s = splsoftnet();
+ if (mtag != NULL) {
+ tdbi = (struct tdb_ident *)(mtag + 1);
+ sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
+ } else {
+ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+ IP_FORWARDING, &error);
+ }
+ if (sp == NULL) {
+ splx(s);
+ return EINVAL;
+ }
+