authorume <ume@FreeBSD.org>2004-02-17 14:02:37 +0000
committerume <ume@FreeBSD.org>2004-02-17 14:02:37 +0000
commit92aaace6046096db0cee26a2d09ade66657e9b41 (patch)
tree303603fd5ead37b54a0b79fac7c02061fb5e5222
parent180ac35cac1b391fa9fb698f9b690a29311b3132 (diff)
IPSEC and FAST_IPSEC have the same internal API now;
so merge these (IPSEC has an extra ipsecstat).
Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
-rw-r--r--sys/netinet/raw_ip.c11
-rw-r--r--sys/netinet/tcp_input.c24
-rw-r--r--sys/netinet/tcp_reass.c24
-rw-r--r--sys/netinet/udp_usrreq.c11
-rw-r--r--sys/netinet6/ip6_output.c8
-rw-r--r--sys/netinet6/raw_ip6.c27
-rw-r--r--sys/netinet6/udp6_usrreq.c42
7 files changed, 42 insertions, 105 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index eff86d3..fb95702 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
{
int policyfail = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
policyfail = 1;
+#ifdef IPSEC
ipsecstat.in_polvio++;
- /* do not inject data to pcb */
- }
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
- policyfail = 1;
/* do not inject data to pcb */
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
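Review bot: Under FAST_IPSEC a packet rejected by `ipsec4_in_reject()` here sets `policyfail` without any counter being bumped at the call site, because `ipsecstat.in_polvio++` stays inside the nested `#ifdef IPSEC`. Unless the FAST_IPSEC reject functions account for the violation themselves (not visible in this diff), inbound policy violations leave no trace for an operator on those kernels. The same holds for the merged checks in tcp_input.c, udp_usrreq.c, raw_ip6.c and udp6_usrreq.c. I would record the asymmetry at the nested conditional, e.g. `/* only KAME IPSEC has ipsecstat; FAST_IPSEC has no counter at this call site */`, or add an equivalent counter for FAST_IPSEC. raw_append's body continues outside the hunk.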
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -567,29 +567,21 @@ findpcb:
1, m->m_pkthdr.rcvif);
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
if (isipv6) {
if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
/*
* If the state is CLOSED (i.e., TCB does not exist) then
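Review bot: Both branches of the merged block skip the policy check when `inp` is NULL, and nothing there says why that is safe. The context comment just below suggests a segment with no PCB goes on to the closed-state handling, so presumably no per-socket policy applies to it; a one-line comment above the `#if` would record that, e.g. `/* no PCB: no per-socket policy to check, handled as CLOSED below */` (to be confirmed against the code outside the hunk). The tcp_reass.c section that follows carries the same hunk with the same index line, so the comment applies there too. The enclosing function starts and ends outside the hunk.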
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -567,29 +567,21 @@ findpcb:
1, m->m_pkthdr.rcvif);
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
if (isipv6) {
if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
/*
* If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3852583..f0a01b2 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
struct sockaddr *append_sa;
struct mbuf *opts = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
+#ifdef IPSEC
ipsecstat.in_polvio++;
- m_freem(n);
- return;
- }
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
m_freem(n);
return;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
#ifdef MAC
if (mac_check_inpcb_deliver(last, n) != 0) {
m_freem(n);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 1b30fa7..2dd5fc9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -185,14 +185,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
-#ifdef FAST_IPSEC
- int needipsectun = 0;
- struct secpolicy *sp = NULL;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
int needipsectun = 0;
struct secpolicy *sp = NULL;
-#endif /* IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
ip6 = mtod(m, struct ip6_hdr *);
finaldst = ip6->ip6_dst;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 00205ff..03b9a41 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -176,25 +176,18 @@ rip6_input(mp, offp, proto)
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/*
* Check AH/ESP integrity.
*/
if (n && ipsec6_in_reject(n, last)) {
m_freem(n);
+#ifdef IPSEC
ipsec6stat.in_polvio++;
- /* do not inject data into pcb */
- } else
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (n && ipsec6_in_reject(n, last)) {
- m_freem(n);
/* do not inject data into pcb */
} else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
if (n) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
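Review bot: The merged check ends in `} else` immediately before `#endif`, so in IPsec kernels the delivery `if (n)` after the conditional is the else-body, and that binding is the only thing keeping `n` from being used after `m_freem(n)`. A statement later inserted between `#endif` and `if (n)` would silently become the else-body and make delivery unconditional. The second hunk of this file (`m_freem(m)` then `} else`) and the first udp6_usrreq.c hunk have the same shape. I would mark it with `/* else binds to the if (n) after #endif */`, or set a flag as raw_append() in raw_ip.c does with `policyfail` and test it in a plain `if`. rip6_input's body continues outside the hunk.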
@@ -215,27 +208,19 @@ rip6_input(mp, offp, proto)
}
last = in6p;
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/*
* Check AH/ESP integrity.
*/
if (last && ipsec6_in_reject(m, last)) {
m_freem(m);
+#ifdef IPSEC
ipsec6stat.in_polvio++;
- ip6stat.ip6s_delivered--;
- /* do not inject data into pcb */
- } else
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (last && ipsec6_in_reject(m, last)) {
- m_freem(m);
ip6stat.ip6s_delivered--;
/* do not inject data into pcb */
} else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
if (last) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index f8b4890..530446e 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -239,23 +239,17 @@ udp6_input(mp, offp, proto)
if (last != NULL) {
struct mbuf *n;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/*
* Check AH/ESP integrity.
*/
- if (ipsec6_in_reject(m, last))
+ if (ipsec6_in_reject(m, last)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
- /* do not inject data into pcb */
- else
#endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last))
- ;
- else
-#endif /* FAST_IPSEC */
+ /* do not inject data into pcb */
+ } else
+#endif /*IPSEC || FAST_IPSEC*/
if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
/*
* KAME NOTE: do not
@@ -305,23 +299,17 @@ udp6_input(mp, offp, proto)
udpstat.udps_noportmcast++;
goto bad;
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/*
* Check AH/ESP integrity.
*/
if (ipsec6_in_reject(m, last)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
- goto bad;
- }
#endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last)) {
goto bad;
}
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
if (last->in6p_flags & IN6P_CONTROLOPTS
|| last->in6p_socket->so_options & SO_TIMESTAMP)
ip6_savecontrol(last, m, &opts);
@@ -361,23 +349,17 @@ udp6_input(mp, offp, proto)
icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
return IPPROTO_DONE;
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/*
* Check AH/ESP integrity.
*/
if (ipsec6_in_reject(m, in6p)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
- goto bad;
- }
#endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, in6p)) {
goto bad;
}
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
/*
* Construct sockaddr format source address.