author | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:28:18 -0600 |
---|---|---|
committer | Matt Smith <mgsmith@netgate.com> | 2015-11-18 10:28:18 -0600 |
commit | 9d8af72514d52766c588622e5480e6981015fb2f (patch) | |
tree | 9cdbb62d4c3f25bd0d7ed70646ab5e88ea462c8e | |
parent | 170aaa3cf4c710e794b733e7c1fee9d507763ccb (diff) | |
Importing pfSense patch ipsec_altq.RELENG_10.diff
-rw-r--r-- | sys/net/if_enc.c | 9 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 6 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 26 | ||||
-rw-r--r-- | sys/netipsec/keydb.h | 2 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 2 |
6 files changed, 38 insertions, 9 deletions
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index dcb82f5..411e0d4 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -52,6 +52,9 @@
 #include <net/bpf.h>
 #include <net/vnet.h>
+#include <altq/if_altq.h>
+#include <netpfil/pf/pf_mtag.h>
+
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
@@ -225,10 +228,11 @@ enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
 }
 int
-ipsec_filter(struct mbuf **mp, int dir, int flags)
+ipsec_filter(struct mbuf **mp, struct secasindex *saidx, int dir, int flags)
 {
 	int error, i;
 	struct ip *ip;
+	struct pf_mtag *atag;
 	KASSERT(encif != NULL, ("%s: encif is null", __func__));
 	KASSERT(flags & (ENC_IN|ENC_OUT),
@@ -297,6 +301,9 @@ ipsec_filter(struct mbuf **mp, int dir, int flags)
 	if (error != 0)
 		goto bad;
+	if (saidx && (atag = pf_find_mtag(*mp)) != NULL)
+		saidx->qid = atag->qid;
+
 	return (error);
 bad:
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 240083a..836a040 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -383,7 +383,7 @@ extern int m_striphdr(struct mbuf *m, int skip, int hlen);
 #define ENC_AFTER 0x0002
 #define ENC_IN 0x0100
 #define ENC_OUT 0x0200
-extern int ipsec_filter(struct mbuf **, int, int);
+extern int ipsec_filter(struct mbuf **, struct secasindex *, int, int);
 extern void ipsec_bpf(struct mbuf *, struct secasvar *, int, int);
 #endif
 #endif /* _KERNEL */
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index d8eaaa1..15d5bae 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -475,7 +475,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 	ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
 	if (prot != IPPROTO_IPIP)
-		if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+		if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+		    ENC_IN|ENC_BEFORE)) != 0)
 			return (error);
 #endif
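Review bot: The new tail of ipsec_filter() stores the pf tag's queue id into the SA-wide `saidx->qid` on every call that passes a saidx, without looking at `dir`, so the inbound callers added in both ipsec_input.c hunks overwrite the value that ipsec_process_done() later applies to outbound tunnel packets of the same SA, and one packet's classification becomes shared per-SA state that every following packet on that SA inherits. If only outbound shaping is intended, gate the write on direction, e.g. `if (saidx != NULL && dir == PFIL_OUT && (atag = pf_find_mtag(*mp)) != NULL)`, and pass NULL from the inbound callers as the xform_ipip.c hunk already does; otherwise document the intended cross-direction behaviour in a comment above the assignment. No SA lock is taken around the write in this hunk, so concurrent packets on one SA appear to race on `saidx->qid` — confirm against the locking rules that apply to the owning secashead. The body of ipsec_filter() continues outside the hunk.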
@@ -730,7 +731,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
 	/* XXX-BZ does not make sense. */
 	if (prot != IPPROTO_IPIP)
-		if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+		if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+		    ENC_IN|ENC_BEFORE)) != 0)
 			return (error);
 #endif
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index a394590..f77ee66 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -43,6 +43,11 @@
 #include <sys/errno.h>
 #include <sys/syslog.h>
+#ifdef DEV_ENC
+#include <altq/if_altq.h>
+#include <netpfil/pf/pf_mtag.h>
+#endif
+
 #include <net/if.h>
 #include <net/pfil.h>
 #include <net/route.h>
@@ -99,6 +104,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
 	struct m_tag *mtag;
 	struct secasvar *sav;
 	struct secasindex *saidx;
+	struct pf_mtag *atag = NULL;
 	int error;
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -190,6 +196,14 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
 	}
 	key_sa_recordxfer(sav, m);		/* record data transfer */
+#ifdef DEV_ENC
+	if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) {
+		atag->qid = saidx->qid;
+		/* add hints for ecn */
+		atag->af = saidx->dst.sa.sa_family;
+		atag->hdr = NULL; /* This should be safe! */
+	}
+#endif
 	/*
 	 * We're done with IPsec processing, transmit the packet using the
 	 * appropriate network protocol (IP or IPv6). SPD lookup will be
@@ -447,7 +461,8 @@ ipsec4_process_packet(
 	/* pass the mbuf to enc0 for bpf processing */
 	ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE);
 	/* pass the mbuf to enc0 for packet filtering */
-	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+	if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+	    ENC_OUT|ENC_BEFORE)) != 0)
 		goto bad;
 #endif
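Review bot: `struct pf_mtag *atag = NULL;` in ipsec_process_done() is declared unconditionally while its only use and the header that defines the type are both under `#ifdef DEV_ENC`, so a kernel built without DEV_ENC is likely to get an unused-variable warning, which is fatal in -Werror kernel builds. Wrap the declaration in the same `#ifdef DEV_ENC` / `#endif` pair as the block that uses it. In that block, `atag->hdr = NULL; /* This should be safe! */` asserts rather than explains; presumably hdr pointed into the packet before encapsulation and is stale now, so say that, e.g. `/* hdr referred to the inner packet, now encapsulated; clear it so pf does not dereference a stale pointer */` (confirm against the definition of struct pf_mtag). The read of `saidx->qid` here is also unlocked as far as the hunk shows, matching the unlocked write in ipsec_filter().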
@@ -544,7 +559,8 @@ ipsec4_process_packet(
 	/* pass the mbuf to enc0 for bpf processing */
 	ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_AFTER);
 	/* pass the mbuf to enc0 for packet filtering */
-	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+	if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+	    ENC_OUT|ENC_AFTER)) != 0)
 		goto bad;
 #endif
@@ -802,7 +818,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
 	/* pass the mbuf to enc0 for bpf processing */
 	ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
 	/* pass the mbuf to enc0 for packet filtering */
-	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+	if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
+	    ENC_OUT|ENC_BEFORE)) != 0)
 		goto bad;
 #endif
@@ -878,7 +895,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
 	/* pass the mbuf to enc0 for bpf processing */
 	ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_AFTER);
 	/* pass the mbuf to enc0 for packet filtering */
-	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+	if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
+	    ENC_OUT|ENC_AFTER)) != 0)
 		goto bad;
 #endif
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
index 7494f5f..f22230b 100644
--- a/sys/netipsec/keydb.h
+++ b/sys/netipsec/keydb.h
@@ -58,6 +58,8 @@ struct secasindex {
 	u_int8_t mode;			/* mode of protocol, see ipsec.h */
 	u_int32_t reqid;		/* reqid id who owned this SA */
 					/* see IPSEC_MANUAL_REQID_MAX. */
+	u_int32_t qid;			/* used for ALTQ shaping inside */
+					/* tunnel */
 };
 /*
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 3e1fc1f..1c09e0f 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
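Review bot: The new `qid` member of struct secasindex is mutable per-packet runtime state placed in a structure whose other fields (mode, reqid above it) describe the SA itself, and its two-line comment says what it is for but not who owns it or when it changes. Document the data flow at the field, e.g. `/* pf/ALTQ queue id: written by ipsec_filter() from the pf mbuf tag, read by ipsec_process_done() to re-tag the encapsulated packet */`. Whether the routines that compare or copy secasindex values are expected to ignore this field is not visible in the diff; if any of them compare the structure as a whole or populate it from SADB messages, a non-zero qid could influence SA matching, so that is worth verifying before merge.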
@@ -324,7 +324,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 		panic("%s: bogus ip version %u", __func__, v>>4);
 	}
 	/* pass the mbuf to enc0 for packet filtering */
-	if (ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
+	if (ipsec_filter(&m, NULL, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
 		return;
 #endif