authorMatt Smith <mgsmith@netgate.com>2015-11-18 10:28:18 -0600
committerMatt Smith <mgsmith@netgate.com>2015-11-18 10:28:18 -0600
commit9d8af72514d52766c588622e5480e6981015fb2f (patch)
tree9cdbb62d4c3f25bd0d7ed70646ab5e88ea462c8e
parent170aaa3cf4c710e794b733e7c1fee9d507763ccb (diff)
downloadFreeBSD-src-9d8af72514d52766c588622e5480e6981015fb2f.zip
FreeBSD-src-9d8af72514d52766c588622e5480e6981015fb2f.tar.gz
Importing pfSense patch ipsec_altq.RELENG_10.diff
-rw-r--r--sys/net/if_enc.c9
-rw-r--r--sys/netipsec/ipsec.h2
-rw-r--r--sys/netipsec/ipsec_input.c6
-rw-r--r--sys/netipsec/ipsec_output.c26
-rw-r--r--sys/netipsec/keydb.h2
-rw-r--r--sys/netipsec/xform_ipip.c2
6 files changed, 38 insertions, 9 deletions
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
index dcb82f5..411e0d4 100644
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@@ -52,6 +52,9 @@
#include <net/bpf.h>
#include <net/vnet.h>
+#include <altq/if_altq.h>
+#include <netpfil/pf/pf_mtag.h>
+
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -225,10 +228,11 @@ enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
}
int
-ipsec_filter(struct mbuf **mp, int dir, int flags)
+ipsec_filter(struct mbuf **mp, struct secasindex *saidx, int dir, int flags)
{
int error, i;
struct ip *ip;
+ struct pf_mtag *atag;
KASSERT(encif != NULL, ("%s: encif is null", __func__));
KASSERT(flags & (ENC_IN|ENC_OUT),
@@ -297,6 +301,9 @@ ipsec_filter(struct mbuf **mp, int dir, int flags)
if (error != 0)
goto bad;
+ if (saidx && (atag = pf_find_mtag(*mp)) != NULL)
+ saidx->qid = atag->qid;
+
return (error);
bad:
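Review bot: The new assignment `saidx->qid = atag->qid` runs for every call regardless of direction, since `flags`/`dir` are not consulted, so the inbound callers added in ipsec_input.c (ipsec4_common_input_cb and ipsec6_common_input_cb, which now pass `&sav->sah->saidx`) store whatever queue the inbound pf rules assigned into the inbound SA, where nothing in this commit reads it. More importantly, the queue id is stored in a field shared by every packet on the SA rather than carried with the packet, and the write is done with no SAH lock visible in this hunk; if ipsec_process_done runs later than the next packet's ipsec_filter on the same SA (for instance with asynchronous crypto completion), the earlier packet is tagged with the later packet's queue. At minimum restrict the write to the output direction, `if (saidx && (flags & ENC_OUT) && (atag = pf_find_mtag(*mp)) != NULL)`, and document the field as a best-effort "last queue seen" value; a per-packet carrier would be the robust fix. ipsec_filter's body continues outside the hunk.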
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 240083a..836a040 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -383,7 +383,7 @@ extern int m_striphdr(struct mbuf *m, int skip, int hlen);
#define ENC_AFTER 0x0002
#define ENC_IN 0x0100
#define ENC_OUT 0x0200
-extern int ipsec_filter(struct mbuf **, int, int);
+extern int ipsec_filter(struct mbuf **, struct secasindex *, int, int);
extern void ipsec_bpf(struct mbuf *, struct secasvar *, int, int);
#endif
#endif /* _KERNEL */
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index d8eaaa1..15d5bae 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -475,7 +475,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
if (prot != IPPROTO_IPIP)
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif
@@ -730,7 +731,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
/* XXX-BZ does not make sense. */
if (prot != IPPROTO_IPIP)
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
+ ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index a394590..f77ee66 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -43,6 +43,11 @@
#include <sys/errno.h>
#include <sys/syslog.h>
+#ifdef DEV_ENC
+#include <altq/if_altq.h>
+#include <netpfil/pf/pf_mtag.h>
+#endif
+
#include <net/if.h>
#include <net/pfil.h>
#include <net/route.h>
@@ -99,6 +104,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
struct m_tag *mtag;
struct secasvar *sav;
struct secasindex *saidx;
+ struct pf_mtag *atag = NULL;
int error;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
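Review bot: `atag` is declared unconditionally here but its only use in this function is inside the `#ifdef DEV_ENC` block added further down, so kernels built without DEV_ENC get an unused-variable warning (an error under -Werror kernel builds). Wrap the declaration the same way: `#ifdef DEV_ENC` / `struct pf_mtag *atag;` / `#endif`; the `= NULL` initializer is redundant since the variable is assigned in the condition that guards its use. ipsec_process_done's body continues outside the hunk.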
@@ -190,6 +196,14 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
}
key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) {
+ atag->qid = saidx->qid;
+ /* add hints for ecn */
+ atag->af = saidx->dst.sa.sa_family;
+ atag->hdr = NULL; /* This should be safe! */
+ }
+#endif
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be
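Review bot: The comment `/* This should be safe! */` on `atag->hdr = NULL` asserts safety without saying why, which is exactly what the next maintainer needs when touching ECN handling. If, as the "add hints for ecn" comment suggests, `hdr` refers to the IP header of the packet before the transform, the reason is that the pointer is stale once the packet has been encapsulated; say so: `/* hdr referred to the pre-encapsulation packet and is stale now; clear it and provide af for the outer header instead */`. It is also worth stating in the block comment that `saidx->qid` is a per-SA value set by ipsec_filter() from an earlier packet, not a property of this mbuf, since that is not obvious from the code. ipsec_process_done continues outside the hunk.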
@@ -447,7 +461,8 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif
@@ -544,7 +559,8 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif
@@ -802,7 +818,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif
@@ -878,7 +895,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
+ ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
index 7494f5f..f22230b 100644
--- a/sys/netipsec/keydb.h
+++ b/sys/netipsec/keydb.h
@@ -58,6 +58,8 @@ struct secasindex {
u_int8_t mode; /* mode of protocol, see ipsec.h */
u_int32_t reqid; /* reqid id who owned this SA */
/* see IPSEC_MANUAL_REQID_MAX. */
+ u_int32_t qid; /* used for ALTQ shaping inside */
+ /* tunnel */
};
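Review bot: The new `qid` field's comment says what it is for but not how it is populated or what zero means, and both matter because ipsec_process_done() skips the tagging when the value is 0 and ipsec_filter() overwrites it on every filtered packet. Suggest `u_int32_t qid; /* pf/ALTQ queue id last stored by ipsec_filter(), applied to outgoing tunnel packets; 0 = none */`. Whether the new member must be excluded from saidx comparisons elsewhere (key_cmpsaidx or similar) cannot be seen from this hunk and should be confirmed.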
/*
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 3e1fc1f..1c09e0f 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -324,7 +324,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
panic("%s: bogus ip version %u", __func__, v>>4);
}
/* pass the mbuf to enc0 for packet filtering */
- if (ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
+ if (ipsec_filter(&m, NULL, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
return;
#endif