author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 12:30:58 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:33:42 -0500 |
commit | 49d7fe39863f0ffcf4ac6c559ef84589ea42bd0a (patch) | |
tree | 24cdbb3972d1aead1ff420f1e8e4984c8ef906a0 | |
parent | 15988797df0ce562e67d6fa1c912e4cda6194678 (diff) | |
Revert IPSEC patches.
Revert "Importing pfSense patch ipsec_altq.RELENG_10.diff"
This reverts commit 5b128f054452e56b96564210c998510e0dd45130.
TAG: IPSEC-HEAD
Issue: #4841
-rw-r--r-- | sys/net/if_enc.c | 9 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 12 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 27 | ||||
-rw-r--r-- | sys/netipsec/keydb.h | 2 |
5 files changed, 10 insertions, 42 deletions
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c index ea78088..dcb82f5 100644 --- a/sys/net/if_enc.c +++ b/sys/net/if_enc.c @@ -52,9 +52,6 @@ #include <net/bpf.h> #include <net/vnet.h> -#include <altq/if_altq.h> -#include <netpfil/pf/pf_mtag.h> - #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> @@ -228,11 +225,10 @@ enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) } int -ipsec_filter(struct mbuf **mp, struct secasindex *saidx, int dir, int flags) +ipsec_filter(struct mbuf **mp, int dir, int flags) { int error, i; struct ip *ip; - struct pf_mtag *atag; KASSERT(encif != NULL, ("%s: encif is null", __func__)); KASSERT(flags & (ENC_IN|ENC_OUT), @@ -301,9 +297,6 @@ ipsec_filter(struct mbuf **mp, struct secasindex *saidx, int dir, int flags) if (error != 0) goto bad; - if (saidx && (atag = pf_find_mtag(*mp)) != NULL) - saidx->qid = atag->qid; - return (error); bad: diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index e50c401..6da3fc7 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -386,7 +386,7 @@ extern int m_striphdr(struct mbuf *m, int skip, int hlen); #define ENC_AFTER 0x0002 #define ENC_IN 0x0100 #define ENC_OUT 0x0200 -extern int ipsec_filter(struct mbuf **, struct secasindex *, int, int); +extern int ipsec_filter(struct mbuf **, int, int); extern void ipsec_bpf(struct mbuf *, struct secasvar *, int, int); #endif #endif /* _KERNEL */ diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 18a9b0c..66de530 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -354,8 +354,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, /* Pass the mbuf to enc0 for bpf and pfil. */ ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE); - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_BEFORE)) != 0) + if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0) return (error); #endif /* DEV_ENC */ 
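Review bot: The commit message does not record that the ipsec.h hunk changes the kernel-internal interface: `ipsec_filter` drops its `struct secasindex *` argument, and C does no link-time check on arity. An object still built against the old four-argument declaration would pass a pointer in the slot where `dir` is now read. The keydb.h hunk also removes `qid` from `struct secasindex`, changing the struct layout for every consumer of that header. All in-tree callers visible in this diff are updated, so this only matters if modules are built separately from the kernel. In that case I would add a line such as `Note: changes ipsec_filter() KPI and struct secasindex layout; rebuild kernel and modules together.`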
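Review bot: The error branch after `ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)` in ipsec4_common_input_cb returns `error` without touching `m`, so ownership of the mbuf on failure is decided entirely inside ipsec_filter. Its `bad:` label is visible in the if_enc.c hunk, but the body of that path is not, so the free-on-error contract cannot be confirmed from this diff. Once confirmed, I would state it at the call with a comment such as `/* ipsec_filter() disposes of m on failure; do not free here */`, so a later edit does not introduce a leak or a double free. The same applies to the three other `ipsec_filter` call sites changed in ipsec_input.c; the ipsec_output.c callers use `goto bad` instead. The enclosing functions start and end outside these hunks.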
@@ -499,8 +498,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER); #endif - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_AFTER)) != 0) + if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0) return (error); #endif /* DEV_ENC */ @@ -655,8 +653,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto /* Pass the mbuf to enc0 for bpf and pfil. */ ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE); - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_BEFORE)) != 0) + if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0) return (error); #endif /* DEV_ENC */ @@ -785,8 +782,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto if (prot == IPPROTO_IPV6) ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER); - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN, - ENC_IN|ENC_AFTER)) != 0) + if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0) return (error); #endif /* DEV_ENC */ /* diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 33b84e0..442fb7a 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -43,11 +43,6 @@ #include <sys/errno.h> #include <sys/syslog.h> -#ifdef DEV_ENC -#include <altq/if_altq.h> -#include <netpfil/pf/pf_mtag.h> -#endif - #include <net/if.h> #include <net/pfil.h> #include <net/vnet.h> @@ -103,7 +98,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) struct m_tag *mtag; struct secasvar *sav; struct secasindex *saidx; - struct pf_mtag *atag = NULL; int error; IPSEC_ASSERT(m != NULL, ("null mbuf")); 
@@ -195,15 +189,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) } key_sa_recordxfer(sav, m); /* record data transfer */ -#ifdef DEV_ENC - if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) { - atag->qid = saidx->qid; - /* add hints for ecn */ - atag->af = saidx->dst.sa.sa_family; - atag->hdr = NULL; /* This should be safe! */ - } -#endif - /* * We're done with IPsec processing, transmit the packet using the * appropriate network protocol (IP or IPv6). SPD lookup will be @@ -470,8 +455,7 @@ ipsec4_process_packet( /* pass the mbuf to enc0 for bpf processing */ ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE); /* pass the mbuf to enc0 for packet filtering */ - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT, - ENC_OUT|ENC_BEFORE)) != 0) + if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0) goto bad; #endif @@ -570,8 +554,7 @@ ipsec4_process_packet( /* pass the mbuf to enc0 for bpf processing */ ipsec_bpf(m, sav, sav->sah->saidx.dst.sa.sa_family, ENC_OUT|ENC_AFTER); /* pass the mbuf to enc0 for packet filtering */ - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT, - ENC_OUT|ENC_AFTER)) != 0) + if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0) goto bad; #endif @@ -674,8 +657,7 @@ ipsec6_process_packet( /* pass the mbuf to enc0 for bpf processing */ ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE); /* pass the mbuf to enc0 for packet filtering */ - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT, - ENC_OUT|ENC_BEFORE)) != 0) + if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0) goto bad; #endif /* DEV_ENC */ @@ -727,8 +709,7 @@ ipsec6_process_packet( #ifdef DEV_ENC ipsec_bpf(m, isr->sav, dst->sa.sa_family, ENC_OUT|ENC_AFTER); /* pass the mbuf to enc0 for packet filtering */ - if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT, - ENC_OUT|ENC_AFTER)) != 0) + if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0) goto bad; #endif /* DEV_ENC */ 
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
index 56f44fc..15dbc9c 100644
--- a/sys/netipsec/keydb.h
+++ b/sys/netipsec/keydb.h
@@ -58,8 +58,6 @@ struct secasindex {
 u_int8_t mode; /* mode of protocol, see ipsec.h */
 u_int32_t reqid; /* reqid id who owned this SA */
 /* see IPSEC_MANUAL_REQID_MAX. */
- u_int32_t qid; /* used for ALTQ shaping inside */
- /* tunnel */
 };
 
 /* |