author | Luiz Otavio O Souza <luiz@netgate.com> | 2016-05-11 16:36:10 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2016-05-12 11:06:40 -0500 |
commit | dfc7f0dac12f41732cf342aa9fa1e9faa726796e (patch) | |
tree | bc2a9c87e187f6cc78c061fe1fdcc5b70ca33d8e | |
parent | f237619f96f8c4b42beb1ccbdc50e3216dba5ce4 (diff) | |
MFC r298398:
Constify mbuf pointer for IPSEC functions where mbuf isn't modified.
TAG: IPSEC-HEAD
(cherry picked from commit 9570d79d4a30dcd428dd55f2f996c1090c777c52)
-rw-r--r-- | sys/netinet6/ip6_input.c | 4 | ||||
-rw-r--r-- | sys/netinet6/ip6_var.h | 4 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 67 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 15 | ||||
-rw-r--r-- | sys/netipsec/ipsec6.h | 2 | ||||
-rw-r--r-- | sys/netipsec/key_debug.c | 8 | ||||
-rw-r--r-- | sys/netipsec/key_debug.h | 4 |
7 files changed, 55 insertions, 49 deletions
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index b6602d3..0d1d307 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1730,7 +1730,7 @@ ip6_get_prevhdr(struct mbuf *m, int off)
 * get next header offset. m will be retained.
 */
 int
-ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
+ip6_nexthdr(const struct mbuf *m, int off, int proto, int *nxtp)
 {
 struct ip6_hdr ip6;
 struct ip6_ext ip6e;
@@ -1805,7 +1805,7 @@ ip6_nexthdr(struct mbuf *m, int off, int proto, int *nxtp)
 * get offset for the last header in the chain. m will be kept untainted.
 */
 int
-ip6_lasthdr(struct mbuf *m, int off, int proto, int *nxtp)
+ip6_lasthdr(const struct mbuf *m, int off, int proto, int *nxtp)
 {
 int newoff;
 int nxt;
diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h
index eba7f1c..a38f719 100644
--- a/sys/netinet6/ip6_var.h
+++ b/sys/netinet6/ip6_var.h
@@ -391,8 +391,8 @@ void ip6_freepcbopts(struct ip6_pktopts *);
 int ip6_unknown_opt(u_int8_t *, struct mbuf *, int);
 char * ip6_get_prevhdr(struct mbuf *, int);
-int ip6_nexthdr(struct mbuf *, int, int, int *);
-int ip6_lasthdr(struct mbuf *, int, int, int *);
+int ip6_nexthdr(const struct mbuf *, int, int, int *);
+int ip6_lasthdr(const struct mbuf *, int, int, int *);
 #ifdef __notyet__
 struct ip6aux *ip6_findaux(struct mbuf *);
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index bf02f93..6738dbf 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -237,14 +237,14 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
 struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
 #endif /* INET6 */
-static int ipsec_in_reject(struct secpolicy *, struct mbuf *);
-static int ipsec_setspidx_inpcb(struct mbuf *, struct inpcb *);
-static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
-static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
+static int ipsec_in_reject(struct secpolicy *, const struct mbuf *);
+static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
+static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
+static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
 #ifdef INET6
-static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
+static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
 #endif
 static void ipsec_delpcbpolicy(struct inpcbpolicy *);
 static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src);
@@ -321,7 +321,8 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
 * NOTE: IPv6 mapped adddress concern is implemented here.
 */
 static struct secpolicy *
-ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
+ipsec_getpolicybysock(const struct mbuf *m, u_int dir, struct inpcb *inp,
+ int *error)
 {
 struct inpcbpolicy *pcbsp;
 struct secpolicy *currsp = NULL; /* Policy on socket. */
@@ -424,7 +425,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
 * others : error occured.
 */
 struct secpolicy *
-ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int *error)
+ipsec_getpolicybyaddr(const struct mbuf *m, u_int dir, int *error)
 {
 struct secpolicyindex spidx;
 struct secpolicy *sp;
@@ -454,7 +455,8 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int *error)
 }
 struct secpolicy *
-ipsec4_checkpolicy(struct mbuf *m, u_int dir, int *error, struct inpcb *inp)
+ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
+ struct inpcb *inp)
 {
 struct secpolicy *sp;
@@ -496,7 +498,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, int *error, struct inpcb *inp)
 }
 static int
-ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
+ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
 {
 int error;
@@ -525,12 +527,13 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
 * The caller is responsible for error recovery (like clearing up spidx).
 */
 static int
-ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec_setspidx(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
 {
- struct ip *ip = NULL;
 struct ip ipbuf;
+ const struct ip *ip = NULL;
+ const struct mbuf *n;
 u_int v;
- struct mbuf *n;
 int len;
 int error;
@@ -559,7 +562,7 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
 }
 if (m->m_len >= sizeof(*ip))
- ip = mtod(m, struct ip *);
+ ip = mtod(m, const struct ip *);
 else {
 m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
 ip = &ipbuf;
@@ -595,7 +598,8 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
 }
 static void
-ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
 {
 u_int8_t nxt;
 int off;
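Review bot: In the two `ipsec_setspidx` hunks the new `const struct mbuf *m` only makes the mbuf header fields read-only; the hand-written `const struct ip *` in `mtod(m, const struct ip *)` shows that the macro does not carry the qualifier through to the packet bytes, because `m_data` and `m_next` are ordinary pointers inside the struct. The compiler will therefore not reject a later edit that writes into packet data or into a following mbuf on this policy-lookup path, so I would state the intent next to the signature, for example `/* m is read-only: header bytes are read in place via mtod() or copied out with m_copydata(); neither the chain nor its data may be modified here. */`. The same applies to the `mtod(m, const ...)` sites in `ipsec4_get_ulp`, `ipsec4_setspidx_ipaddr`, `ipsec6_setspidx_ipaddr`, `ipsec_dumpmbuf` and `kdebug_mbuf`. The body of `ipsec_setspidx` continues outside these hunks.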
@@ -605,7 +609,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
 IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
 if (m->m_len >= sizeof (struct ip)) {
- struct ip *ip = mtod(m, struct ip *);
+ const struct ip *ip = mtod(m, const struct ip *);
 if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
 goto done;
 off = ip->ip_hl << 2;
@@ -670,7 +674,7 @@ done_proto:
 /* Assumes that m is sane. */
 static int
-ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
+ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
 {
 static const struct sockaddr_in template = {
 sizeof (struct sockaddr_in),
@@ -689,7 +693,7 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
 sizeof (struct in_addr),
 (caddr_t) &spidx->dst.sin.sin_addr);
 } else {
- struct ip *ip = mtod(m, struct ip *);
+ const struct ip *ip = mtod(m, const struct ip *);
 spidx->src.sin.sin_addr = ip->ip_src;
 spidx->dst.sin.sin_addr = ip->ip_dst;
 }
@@ -702,7 +706,8 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
 #ifdef INET6
 static void
-ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
 {
 int off, nxt;
 struct tcphdr th;
@@ -766,14 +771,14 @@ ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
 /* Assumes that m is sane. */
 static int
-ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
+ipsec6_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
 {
- struct ip6_hdr *ip6 = NULL;
 struct ip6_hdr ip6buf;
+ const struct ip6_hdr *ip6 = NULL;
 struct sockaddr_in6 *sin6;
 if (m->m_len >= sizeof(*ip6))
- ip6 = mtod(m, struct ip6_hdr *);
+ ip6 = mtod(m, const struct ip6_hdr *);
 else {
 m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
 ip6 = &ip6buf;
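Review bot: `ipsec6_setspidx_ipaddr` documents its precondition only as `/* Assumes that m is sane. */`, yet the fallback `m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf)` is only safe if the chain holds at least `sizeof(struct ip6_hdr)` bytes, and no such check is visible in this hunk. If the caller is what guarantees the length (it is not shown here), the comment should say so, and the function could mirror the assertion that `ipsec4_get_ulp` already carries: `IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip6_hdr), ("packet too short"));`. `ipsec4_setspidx_ipaddr` has the same one-line comment and would benefit from the same treatment with `sizeof(struct ip)`. Both function bodies continue outside their hunks.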
@@ -1198,7 +1203,7 @@ ipsec_get_reqlevel(struct ipsecrequest *isr)
 * 1: invalid
 */
 static int
-ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
+ipsec_in_reject(struct secpolicy *sp, const struct mbuf *m)
 {
 struct ipsecrequest *isr;
 int need_auth;
@@ -1269,7 +1274,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
 * Non zero return value means security policy DISCARD or policy violation.
 */
 static int
-ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec46_in_reject(const struct mbuf *m, struct inpcb *inp)
 {
 struct secpolicy *sp;
 int error;
@@ -1301,7 +1306,7 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
 * and {ah,esp}4_input for tunnel mode.
 */
 int
-ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp)
 {
 int result;
@@ -1319,7 +1324,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
 * and {ah,esp}6_input for tunnel mode.
 */
 int
-ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec6_in_reject(const struct mbuf *m, struct inpcb *inp)
 {
 int result;
@@ -1399,7 +1404,7 @@ ipsec_hdrsiz_internal(struct secpolicy *sp)
 * disabled ip6_ipsec_mtu() and ip6_forward().
 */
 size_t
-ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
+ipsec_hdrsiz(const struct mbuf *m, u_int dir, struct inpcb *inp)
 {
 struct secpolicy *sp;
 int error;
@@ -1647,16 +1652,16 @@ ipsec_logsastr(struct secasvar *sav, char *buf, size_t size)
 }
 void
-ipsec_dumpmbuf(struct mbuf *m)
+ipsec_dumpmbuf(const struct mbuf *m)
 {
+ const u_char *p;
 int totlen;
 int i;
- u_char *p;
 totlen = 0;
 printf("---\n");
 while (m) {
- p = mtod(m, u_char *);
+ p = mtod(m, const u_char *);
 for (i = 0; i < m->m_len; i++) {
 printf("%02x ", p[i]);
 totlen++;
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index e6827cb..26c150a 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
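Review bot: `ipsec_dumpmbuf` has no header comment marking it as a debug-only routine, although the loop in this hunk prints every byte of every mbuf in the chain with `printf("%02x ", p[i])`, which on an IPsec path can place packet payload in the kernel message buffer. Since the signature is being touched anyway, a comment such as `/* Debug aid: hex-dumps the whole chain, payload included; keep callers behind a debug knob. */` would make the intended use explicit. `kdebug_mbuf` in key_debug.c dumps data the same way and deserves the same comment. The function body ends outside the hunk.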
@@ -306,9 +306,10 @@ extern void ipsec_delisr(struct ipsecrequest *);
 struct tdb_ident;
 extern struct secpolicy *ipsec_getpolicy(struct tdb_ident*, u_int);
 struct inpcb;
-extern struct secpolicy *ipsec4_checkpolicy(struct mbuf *, u_int,
- int *, struct inpcb *);
-extern struct secpolicy * ipsec_getpolicybyaddr(struct mbuf *, u_int, int *);
+extern struct secpolicy *ipsec4_checkpolicy(const struct mbuf *, u_int,
+ int *, struct inpcb *);
+extern struct secpolicy * ipsec_getpolicybyaddr(const struct mbuf *, u_int,
+ int *);
 struct inpcb;
 extern int ipsec_init_policy(struct socket *so, struct inpcbpolicy **);
@@ -318,23 +319,23 @@ extern u_int ipsec_get_reqlevel(struct ipsecrequest *);
 extern int ipsec_set_policy(struct inpcb *inp, int optname,
 caddr_t request, size_t len, struct ucred *cred);
 extern int ipsec_get_policy(struct inpcb *inpcb, caddr_t request,
- size_t len, struct mbuf **mp);
+ size_t len, struct mbuf **mp);
 extern int ipsec_delete_pcbpolicy(struct inpcb *);
-extern int ipsec4_in_reject(struct mbuf *, struct inpcb *);
+extern int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
 struct secas;
 struct tcpcb;
 extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
 extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
-extern size_t ipsec_hdrsiz(struct mbuf *, u_int, struct inpcb *);
+extern size_t ipsec_hdrsiz(const struct mbuf *, u_int, struct inpcb *);
 extern size_t ipsec_hdrsiz_tcp(struct tcpcb *);
 union sockaddr_union;
 extern char *ipsec_address(union sockaddr_union *, char *, socklen_t);
 extern char *ipsec_logsastr(struct secasvar *, char *, size_t);
-extern void ipsec_dumpmbuf(struct mbuf *);
+extern void ipsec_dumpmbuf(const struct mbuf *);
 struct m_tag;
 extern void ah4_input(struct mbuf *m, int off);
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 38ac114..02cf025 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -59,7 +59,7 @@ VNET_DECLARE(int, ip6_ipsec_ecn);
 #define V_ip6_ipsec_ecn VNET(ip6_ipsec_ecn)
 struct inpcb;
-extern int ipsec6_in_reject(struct mbuf *, struct inpcb *);
+extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
 struct m_tag;
 extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index c9365e2..ceb9453 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -623,7 +623,7 @@ kdebug_secreplay(struct secreplay *rpl)
 }
 void
-kdebug_mbufhdr(struct mbuf *m)
+kdebug_mbufhdr(const struct mbuf *m)
 {
 /* sanity check */
 if (m == NULL)
@@ -650,9 +650,9 @@ kdebug_mbufhdr(struct mbuf *m)
 }
 void
-kdebug_mbuf(struct mbuf *m0)
+kdebug_mbuf(const struct mbuf *m0)
 {
- struct mbuf *m = m0;
+ const struct mbuf *m = m0;
 int i, j;
 for (j = 0; m; m = m->m_next) {
@@ -663,7 +663,7 @@ kdebug_mbuf(struct mbuf *m0)
 printf("\n");
 if (i % 4 == 0)
 printf(" ");
- printf("%02x", mtod(m, u_char *)[i]);
+ printf("%02x", mtod(m, const u_char *)[i]);
 j++;
 }
 printf("\n");
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index 16db921..09576bf 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -76,8 +76,8 @@ extern void kdebug_secpolicy(struct secpolicy *);
 extern void kdebug_secpolicyindex(struct secpolicyindex *);
 extern void kdebug_secasindex(struct secasindex *);
 extern void kdebug_secasv(struct secasvar *);
-extern void kdebug_mbufhdr(struct mbuf *);
-extern void kdebug_mbuf(struct mbuf *);
+extern void kdebug_mbufhdr(const struct mbuf *);
+extern void kdebug_mbuf(const struct mbuf *);
 #endif /*_KERNEL*/
 struct sockaddr; |