diff options
author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:44:47 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:57:45 -0500 |
commit | 1d4ff08416e2d5c3184d74a5ea27cfb6951c6995 (patch) | |
tree | a6339f72d7193f6612a6e9c53fc4eeb17a1e4e59 | |
parent | 9dc9b464567f0c80c70bcb682c6b69ee5ff6840a (diff) | |
download | FreeBSD-src-1d4ff08416e2d5c3184d74a5ea27cfb6951c6995.zip FreeBSD-src-1d4ff08416e2d5c3184d74a5ea27cfb6951c6995.tar.gz |
MFC r275710:
Remove flag/flags argument from the following functions:
ipsec_getpolicybyaddr()
ipsec4_checkpolicy()
ip_ipsec_output()
ip6_ipsec_output()
The only flag used here was IP_FORWARDING.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
-rw-r--r-- | sys/netinet/ip_ipsec.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_ipsec.h | 2 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 2 | ||||
-rw-r--r-- | sys/netinet6/ip6_forward.c | 3 | ||||
-rw-r--r-- | sys/netinet6/ip6_ipsec.c | 11 | ||||
-rw-r--r-- | sys/netinet6/ip6_ipsec.h | 3 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 3 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 30 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 5 |
9 files changed, 26 insertions, 43 deletions
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 3721986..b25167a 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c @@ -109,8 +109,7 @@ ip_ipsec_fwd(struct mbuf *m) struct secpolicy *sp; int error; - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -141,8 +140,7 @@ ip_ipsec_input(struct mbuf *m, int nxt) * code - like udp/tcp/raw ip. */ if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -184,7 +182,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu) * -1 = packet was reinjected and stop processing packet */ int -ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) +ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error) { struct secpolicy *sp; /* @@ -200,7 +198,7 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error) *error = 0; return (0); } - sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, error, inp); + sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, error, inp); /* * There are four return cases: * sp != NULL apply IPsec policy diff --git a/sys/netinet/ip_ipsec.h b/sys/netinet/ip_ipsec.h index 412b165..f499b74 100644 --- a/sys/netinet/ip_ipsec.h +++ b/sys/netinet/ip_ipsec.h @@ -36,5 +36,5 @@ int ip_ipsec_filtertunnel(struct mbuf *); int ip_ipsec_fwd(struct mbuf *); int ip_ipsec_input(struct mbuf *, int); int ip_ipsec_mtu(struct mbuf *, int); -int ip_ipsec_output(struct mbuf **, struct inpcb *, int *, int *); +int ip_ipsec_output(struct mbuf **, struct inpcb *, int *); #endif diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 2db4578..0aee48d 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -482,7 +482,7 @@ again: sendit: #ifdef IPSEC - switch(ip_ipsec_output(&m, inp, &flags, &error)) { + switch(ip_ipsec_output(&m, inp, &error)) { case 1: goto bad; case -1: diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 7325868..a08477f 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -179,8 +179,7 @@ ip6_forward(struct mbuf *m, int srcrt) #ifdef IPSEC /* get a security policy for this packet */ - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, - IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, &error); if (sp == NULL) { IPSEC6STAT_INC(ips_out_inval); IP6STAT_INC(ip6s_cantforward); diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c index d756103..f849b71 100644 --- a/sys/netinet6/ip6_ipsec.c +++ b/sys/netinet6/ip6_ipsec.c @@ -127,8 +127,7 @@ ip6_ipsec_fwd(struct mbuf *m) struct secpolicy *sp; int error; - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -162,8 +161,7 @@ ip6_ipsec_input(struct mbuf *m, int nxt) */ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && ipsec6_in_reject(m, NULL)) { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); if (sp != NULL) { /* * Check security policy against packet attributes. @@ -189,8 +187,7 @@ ip6_ipsec_input(struct mbuf *m, int nxt) */ int -ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, - struct ifnet **ifp) +ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *error) { #ifdef IPSEC struct secpolicy *sp; @@ -208,7 +205,7 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, *error = 0; return (0); } - sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, *flags, error, inp); + sp = ipsec4_checkpolicy(*m, IPSEC_DIR_OUTBOUND, error, inp); /* * There are four return cases: * sp != NULL apply IPsec policy diff --git a/sys/netinet6/ip6_ipsec.h b/sys/netinet6/ip6_ipsec.h index a65b19a..e335d85 100644 --- a/sys/netinet6/ip6_ipsec.h +++ b/sys/netinet6/ip6_ipsec.h @@ -35,8 +35,7 @@ int ip6_ipsec_filtertunnel(struct mbuf *); int ip6_ipsec_fwd(struct mbuf *); int ip6_ipsec_input(struct mbuf *, int); -int ip6_ipsec_output(struct mbuf **, struct inpcb *, int *, int *, - struct ifnet **); +int ip6_ipsec_output(struct mbuf **, struct inpcb *, int *); #if 0 int ip6_ipsec_mtu(struct mbuf *); #endif diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index 4fbac61..09eab20 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -348,8 +348,9 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt, /* * IPSec checking which handles several cases. * FAST IPSEC: We re-injected the packet. + * XXX: need scope argument. */ - switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp)) + switch(ip6_ipsec_output(&m, inp, &error)) { case 1: /* Bad packet */ goto freehdrs; diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index f27019d..ecf80a8 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -416,7 +416,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error) * others : error occured. */ struct secpolicy * -ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) +ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int *error) { struct secpolicyindex spidx; struct secpolicy *sp; @@ -429,15 +429,13 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) sp = NULL; if (key_havesp(dir)) { /* Make an index to look for a policy. */ - *error = ipsec_setspidx(m, &spidx, - (flag & IP_FORWARDING) ? 0 : 1); + *error = ipsec_setspidx(m, &spidx, 0); if (*error != 0) { - DPRINTF(("%s: setpidx failed, dir %u flag %u\n", - __func__, dir, flag)); + DPRINTF(("%s: setpidx failed, dir %u\n", + __func__, dir)); return (NULL); } spidx.dir = dir; - sp = KEY_ALLOCSP(&spidx, dir); } if (sp == NULL) /* No SP found, use system default. */ @@ -447,14 +445,13 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int flag, int *error) } struct secpolicy * -ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, - struct inpcb *inp) +ipsec4_checkpolicy(struct mbuf *m, u_int dir, int *error, struct inpcb *inp) { struct secpolicy *sp; *error = 0; if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, dir, flag, error); + sp = ipsec_getpolicybyaddr(m, dir, error); else sp = ipsec_getpolicybysock(m, dir, inp, error); if (sp == NULL) { @@ -1275,13 +1272,9 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp) IPSEC_ASSERT(m != NULL, ("null mbuf")); - /* - * Get SP for this packet. - * When we are called from ip_forward(), we call - * ipsec_getpolicybyaddr() with IP_FORWARDING flag. - */ + /* Get SP for this packet. */ if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error); else sp = ipsec_getpolicybysock(m, IPSEC_DIR_INBOUND, inp, &error); @@ -1407,12 +1400,9 @@ ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp) IPSEC_ASSERT(m != NULL, ("null mbuf")); - /* Get SP for this packet. - * When we are called from ip_forward(), we call - * ipsec_getpolicybyaddr() with IP_FORWARDING flag. - */ + /* Get SP for this packet. */ if (inp == NULL) - sp = ipsec_getpolicybyaddr(m, dir, IP_FORWARDING, &error); + sp = ipsec_getpolicybyaddr(m, dir, &error); else sp = ipsec_getpolicybysock(m, dir, inp, &error); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 285860c..436fcf6 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -317,10 +317,9 @@ extern void ipsec_delisr(struct ipsecrequest *); struct tdb_ident; extern struct secpolicy *ipsec_getpolicy(struct tdb_ident*, u_int); struct inpcb; -extern struct secpolicy *ipsec4_checkpolicy(struct mbuf *, u_int, u_int, +extern struct secpolicy *ipsec4_checkpolicy(struct mbuf *, u_int, int *, struct inpcb *); -extern struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *, u_int, - int, int *); +extern struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *, u_int, int *); struct inpcb; extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **); |