authorLuiz Otavio O Souza <luiz@netgate.com>2015-09-15 12:30:22 -0500
committerLuiz Otavio O Souza <luiz@netgate.com>2015-10-20 11:33:19 -0500
commit15988797df0ce562e67d6fa1c912e4cda6194678 (patch)
treedb88a434d06f9d750cc1b7e8b42a2908a937aafe
parente778bc828bb26f886d4405003534b0c83aae21be (diff)
downloadFreeBSD-src-15988797df0ce562e67d6fa1c912e4cda6194678.zip
FreeBSD-src-15988797df0ce562e67d6fa1c912e4cda6194678.tar.gz
Revert IPSEC patches.
Revert "Importing pfSense patch IPSEC_sysctl.RELENG_10.diff" This reverts commit 1a5bcc816de96758225aa0a4d2b5ddc7b88b6b58. TAG: IPSEC-HEAD Issue: #4841
-rw-r--r--sys/netinet/in.h3
-rw-r--r--sys/netinet/ip_input.c14
-rw-r--r--sys/netinet/ip_output.c24
-rw-r--r--sys/netinet/ip_var.h2
-rw-r--r--sys/netinet6/ip6_input.c3
-rw-r--r--sys/netinet6/ip6_output.c101
6 files changed, 63 insertions, 84 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 5ec7ed7..fa4cebe 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -702,8 +702,7 @@ int getsourcefilter(int, uint32_t, struct sockaddr *, socklen_t,
#define IPCTL_FASTFORWARDING 14 /* use fast IP forwarding code */
#define IPCTL_KEEPFAITH 15 /* FAITH IPv4->IPv6 translater ctl */
#define IPCTL_GIF_TTL 16 /* default TTL for gif encap packet */
-#define IPCTL_IPSEC_INUSE 17
-#define IPCTL_MAXID 18
+#define IPCTL_MAXID 17
#endif /* __BSD_VISIBLE */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 0d6ade9..50334c3 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -97,11 +97,6 @@ SYSCTL_VNET_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
&VNET_NAME(ipforwarding), 0,
"Enable IP forwarding between interfaces");
-VNET_DEFINE(int, ipipsec_in_use);
-SYSCTL_VNET_INT(_net_inet_ip, IPCTL_IPSEC_INUSE, ipsec_in_use, CTLFLAG_RW,
- &VNET_NAME(ipipsec_in_use), 0,
- "Enable IPSec processing of packets");
-
static VNET_DEFINE(int, ipsendredirects) = 1; /* XXX */
#define V_ipsendredirects VNET(ipsendredirects)
SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
@@ -476,7 +471,7 @@ tooshort:
/*
* Bypass packet filtering for packets previously handled by IPsec.
*/
- if (V_ipipsec_in_use && ip_ipsec_filtertunnel(m))
+ if (ip_ipsec_filtertunnel(m))
goto passin;
#endif /* IPSEC */
@@ -682,7 +677,7 @@ passin:
m_freem(m);
} else {
#ifdef IPSEC
- if (V_ipipsec_in_use && ip_ipsec_fwd(m))
+ if (ip_ipsec_fwd(m))
goto bad;
#endif /* IPSEC */
ip_forward(m, dchg);
@@ -729,7 +724,7 @@ ours:
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if (V_ipipsec_in_use && ip_ipsec_input(m))
+ if (ip_ipsec_input(m))
goto bad;
#endif /* IPSEC */
@@ -1528,8 +1523,7 @@ ip_forward(struct mbuf *m, int srcrt)
* If IPsec is configured for this path,
* override any possibly mtu value set by ip_output.
*/
- if (V_ipipsec_in_use)
- mtu = ip_ipsec_mtu(mcopy, mtu);
+ mtu = ip_ipsec_mtu(mcopy, mtu);
#endif /* IPSEC */
/*
* If the MTU was set before make sure we are below the
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index aee6834..2db4578 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -482,20 +482,18 @@ again:
sendit:
#ifdef IPSEC
- if (V_ipipsec_in_use) {
- switch(ip_ipsec_output(&m, inp, &flags, &error)) {
- case 1:
- goto bad;
- case -1:
- goto done;
- case 0:
- default:
- break; /* Continue with packet processing. */
- }
- /* Update variables that are affected by ipsec4_output(). */
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
+ switch(ip_ipsec_output(&m, inp, &flags, &error)) {
+ case 1:
+ goto bad;
+ case -1:
+ goto done;
+ case 0:
+ default:
+ break; /* Continue with packet processing. */
}
+ /* Update variables that are affected by ipsec4_output(). */
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
#endif /* IPSEC */
/* Jump over all PFIL processing if hooks are not active. */
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index de08849..b2251ac 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -176,7 +176,6 @@ struct sockopt;
VNET_DECLARE(u_short, ip_id); /* ip packet ctr, for ids */
VNET_DECLARE(int, ip_defttl); /* default IP ttl */
VNET_DECLARE(int, ipforwarding); /* ip forwarding */
-VNET_DECLARE(int, ipipsec_in_use);
#ifdef IPSTEALTH
VNET_DECLARE(int, ipstealth); /* stealth forwarding */
#endif
@@ -192,7 +191,6 @@ extern struct pr_usrreqs rip_usrreqs;
#define V_ip_id VNET(ip_id)
#define V_ip_defttl VNET(ip_defttl)
#define V_ipforwarding VNET(ipforwarding)
-#define V_ipipsec_in_use VNET(ipipsec_in_use)
#ifdef IPSTEALTH
#define V_ipstealth VNET(ipstealth)
#endif
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 08f29a0..b6602d3 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -133,7 +133,6 @@ static struct netisr_handler ip6_nh = {
.nh_policy = NETISR_POLICY_FLOW,
};
-#define V_ipipsec_in_use VNET(ipipsec_in_use)
VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch);
#define V_in6_tmpaddrtimer_ch VNET(in6_tmpaddrtimer_ch)
@@ -1005,7 +1004,6 @@ passin:
}
#ifdef IPSEC
- if (V_ipipsec_in_use) {
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@@ -1013,7 +1011,6 @@ passin:
*/
if (ip6_ipsec_input(m, nxt))
goto bad;
- }
#endif /* IPSEC */
/*
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 43c86d9..4fbac61 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -147,7 +147,6 @@ static int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
struct ifnet *, struct in6_addr *, u_long *, int *, u_int);
static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
-#define V_ipipsec_in_use VNET(ipipsec_in_use)
/*
* Make an extension header from option data. hp is the source, and
@@ -346,21 +345,19 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
}
#ifdef IPSEC
- if (V_ipipsec_in_use) {
- /*
- * IPSec checking which handles several cases.
- * FAST IPSEC: We re-injected the packet.
- */
- switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp))
- {
- case 1: /* Bad packet */
- goto freehdrs;
- case -1: /* IPSec done */
- goto done;
- case 0: /* No IPSec */
- default:
- break;
- }
+ /*
+ * IPSec checking which handles several cases.
+ * FAST IPSEC: We re-injected the packet.
+ */
+ switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp))
+ {
+ case 1: /* Bad packet */
+ goto freehdrs;
+ case -1: /* IPSec done */
+ goto done;
+ case 0: /* No IPSec */
+ default:
+ break;
}
#endif /* IPSEC */
@@ -1725,21 +1722,19 @@ do { \
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
{
- if (V_ipipsec_in_use) {
- caddr_t req;
- struct mbuf *m;
+ caddr_t req;
+ struct mbuf *m;
- if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
- break;
- if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
- break;
- req = mtod(m, caddr_t);
- error = ipsec_set_policy(in6p, optname, req,
- m->m_len, (sopt->sopt_td != NULL) ?
- sopt->sopt_td->td_ucred : NULL);
- m_freem(m);
+ if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
break;
- }
+ if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
+ break;
+ req = mtod(m, caddr_t);
+ error = ipsec_set_policy(in6p, optname, req,
+ m->m_len, (sopt->sopt_td != NULL) ?
+ sopt->sopt_td->td_ucred : NULL);
+ m_freem(m);
+ break;
}
#endif /* IPSEC */
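Review bot: The bare `break` after a failing soopt_mcopyin leaves the mbuf obtained from soopt_getm to the callee, which is correct only if soopt_mcopyin releases its argument on failure; nothing in the hunk states that, and the `/* XXX */` markers presumably flag exactly this ownership question. A one-line comment would make the path reviewable without reading the socket layer, e.g. `/* soopt_mcopyin() is expected to free m on failure; only the success path frees it here. */` — confirm against soopt_mcopyin's implementation before adding it. The enclosing switch and function continue outside the hunk.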
@@ -1938,33 +1933,31 @@ do { \
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
{
- if (V_ipipsec_in_use) {
- caddr_t req = NULL;
- size_t len = 0;
- struct mbuf *m = NULL;
- struct mbuf **mp = &m;
- size_t ovalsize = sopt->sopt_valsize;
- caddr_t oval = (caddr_t)sopt->sopt_val;
-
- error = soopt_getm(sopt, &m); /* XXX */
- if (error != 0)
- break;
- error = soopt_mcopyin(sopt, m); /* XXX */
- if (error != 0)
- break;
- sopt->sopt_valsize = ovalsize;
- sopt->sopt_val = oval;
- if (m) {
- req = mtod(m, caddr_t);
- len = m->m_len;
- }
- error = ipsec_get_policy(in6p, req, len, mp);
- if (error == 0)
- error = soopt_mcopyout(sopt, m); /* XXX */
- if (error == 0 && m)
- m_freem(m);
+ caddr_t req = NULL;
+ size_t len = 0;
+ struct mbuf *m = NULL;
+ struct mbuf **mp = &m;
+ size_t ovalsize = sopt->sopt_valsize;
+ caddr_t oval = (caddr_t)sopt->sopt_val;
+
+ error = soopt_getm(sopt, &m); /* XXX */
+ if (error != 0)
+ break;
+ error = soopt_mcopyin(sopt, m); /* XXX */
+ if (error != 0)
break;
+ sopt->sopt_valsize = ovalsize;
+ sopt->sopt_val = oval;
+ if (m) {
+ req = mtod(m, caddr_t);
+ len = m->m_len;
}
+ error = ipsec_get_policy(in6p, req, len, mp);
+ if (error == 0)
+ error = soopt_mcopyout(sopt, m); /* XXX */
+ if (error == 0 && m)
+ m_freem(m);
+ break;
}
#endif /* IPSEC */
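Review bot: The request mbuf from soopt_getm is released only when `error == 0 && m` at the end of the block, so when ipsec_get_policy fails the mbuf leaks, and because `mp` aliases `m` a successful call overwrites the only pointer to the request mbuf with the result, which also leaks the request unless ipsec_get_policy consumes it itself (not visible here; confirm against its implementation). The restored code is upstream-shaped, but the revert re-exposes it, and a getsockopt that any local socket owner can issue is a cheap way to exhaust mbufs if the leak is real. Keeping the result in a separate `mout` and freeing `m` unconditionally after the call removes the aliasing and the error-path leak; whether soopt_mcopyout frees `mout` on failure is likewise not visible and should be checked before relying on the final `if (error == 0 && mout)`. The enclosing function continues outside the hunk.
```c
			caddr_t req = NULL;
			size_t len = 0;
			struct mbuf *m = NULL;
			struct mbuf *mout = NULL;	/* result; no longer aliases m */
			/* … unchanged: ovalsize/oval save, soopt_getm(), soopt_mcopyin(), sopt restore … */
			if (m) {
				req = mtod(m, caddr_t);
				len = m->m_len;
			}
			error = ipsec_get_policy(in6p, req, len, &mout);
			/* Request mbuf is not referenced past this point: free it on every path. */
			if (m)
				m_freem(m);
			if (error == 0)
				error = soopt_mcopyout(sopt, mout); /* XXX */
			if (error == 0 && mout)
				m_freem(mout);
			break;
```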