author | gnn <gnn@FreeBSD.org> | 2007-07-03 12:13:45 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2007-07-03 12:13:45 +0000 |
commit | aeca69ded51d6233029432f2819670cdedc399fa (patch) | |
tree | 33a53f093fb66f940c2ed2dd7aab6c80eeaeafce | |
parent | d5177fc84ed40844713b6dc0352469ffbb12e526 (diff) | |
Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC
option is now deprecated, as well as the KAME IPsec code.
What was FAST_IPSEC is now IPSEC.
Approved by: re
Sponsored by: Secure Computing
43 files changed, 209 insertions, 219 deletions
diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 665145c..d5f6bc5 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -495,8 +495,7 @@ options HWPMC_HOOKS # Other necessary kernel hooks # options INET #Internet communications protocols options INET6 #IPv6 communications protocols -#options IPSEC #IP security -#options IPSEC_ESP #IP security (crypto; define w/ IPSEC) +options IPSEC #IP security #options IPSEC_DEBUG #debug for IP security # # Set IPSEC_FILTERGIF to force packets coming through a gif tunnel @@ -509,8 +508,6 @@ options INET6 #IPv6 communications protocols # #options IPSEC_FILTERGIF #filter ipsec packets from a tunnel -options FAST_IPSEC #new IPsec (cannot define w/ IPSEC) - options IPX #IPX/SPX communications protocols options NCP #NetWare Core protocol @@ -786,7 +783,7 @@ device pflog #logging support interface for PF device pfsync #synchronization interface for PF options PF_MPSAFE_UGID #Workaround LOR with user/group rules device carp #Common Address Redundancy Protocol -device enc #IPSec interface (needs FAST_IPSEC) +device enc #IPsec interface device ppp #Point-to-point protocol options PPP_BSDCOMP #PPP BSD-compress support options PPP_DEFLATE #PPP zlib/deflate/gzip support @@ -880,8 +877,8 @@ options ACCEPT_FILTER_HTTP # carried in TCP option 19. This option is commonly used to protect # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable. # This is enabled on a per-socket basis using the TCP_MD5SIG socket option. -# This requires the use of 'device crypto', 'options FAST_IPSEC' or 'options -# IPSEC', and 'device cryptodev'. +# This requires the use of 'device crypto', 'options IPSEC' +# or 'device cryptodev'. #options TCP_SIGNATURE #include support for RFC 2385 # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL 
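Review bot: In the TCP_SIGNATURE comment of the last NOTES hunk (-880), the rewritten sentence replaces the old "…, and 'device cryptodev'" with "'device crypto', 'options IPSEC' or 'device cryptodev'", which now reads as if any one of the three were enough. The sys/conf/files part of this commit builds `netipsec/xform_tcp.c` only for `ipsec tcp_signature`, so IPSEC is not an alternative but a requirement for RFC 2385 support. I would word it as `# This requires 'options IPSEC' and 'device crypto'.` and keep the cryptodev clause joined with "and" if it is still needed, which cannot be seen from this hunk.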
@@ -2513,7 +2510,7 @@ options DCONS_FORCE_GDB=1 # force to be the gdb device # crypto subsystem # # This is a port of the OpenBSD crypto framework. Include this when -# configuring FAST_IPSEC and when you have a h/w crypto device to accelerate +# configuring IPSEC and when you have a h/w crypto device to accelerate # user applications that link to OpenSSL. # # Drivers are ports from OpenBSD with some simple enhancements that have diff --git a/sys/conf/files b/sys/conf/files index 11c42ca..9826f2c 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -338,12 +338,12 @@ contrib/pf/net/pf_table.c optional pf \ contrib/pf/net/pf_osfp.c optional pf \ compile-with "${NORMAL_C} -I$S/contrib/pf" contrib/pf/netinet/in4_cksum.c optional pf inet -crypto/blowfish/bf_ecb.c optional ipsec ipsec_esp -crypto/blowfish/bf_skey.c optional crypto | ipsec ipsec_esp -crypto/camellia/camellia.c optional crypto | ipsec ipsec_esp -crypto/camellia/camellia-api.c optional crypto | ipsec ipsec_esp -crypto/des/des_ecb.c optional crypto | ipsec ipsec_esp | netsmb -crypto/des/des_setkey.c optional crypto | ipsec ipsec_esp | netsmb +crypto/blowfish/bf_ecb.c optional ipsec +crypto/blowfish/bf_skey.c optional crypto | ipsec +crypto/camellia/camellia.c optional crypto | ipsec +crypto/camellia/camellia-api.c optional crypto | ipsec +crypto/des/des_ecb.c optional crypto | ipsec | netsmb +crypto/des/des_setkey.c optional crypto | ipsec | netsmb crypto/rc4/rc4.c optional netgraph_mppc_encryption crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \ ipsec | random | wlan_ccmp @@ -1829,7 +1829,7 @@ netinet/ip_fw2.c optional ipfirewall netinet/ip_fw_pfil.c optional ipfirewall netinet/ip_icmp.c optional inet netinet/ip_input.c optional inet -netinet/ip_ipsec.c optional fast_ipsec +netinet/ip_ipsec.c optional ipsec netinet/ip_mroute.c optional mrouting inet | mrouting inet6 netinet/ip_options.c optional inet netinet/ip_output.c optional inet 
@@ -1880,7 +1880,7 @@ netinet6/ip6_id.c optional inet6 netinet6/ip6_input.c optional inet6 netinet6/ip6_mroute.c optional mrouting inet6 netinet6/ip6_output.c optional inet6 -netinet6/ip6_ipsec.c optional inet6 fast_ipsec +netinet6/ip6_ipsec.c optional ipsec netinet6/mld6.c optional inet6 netinet6/nd6.c optional inet6 netinet6/nd6_nbr.c optional inet6 @@ -1891,18 +1891,18 @@ netinet6/scope6.c optional inet6 netinet6/sctp6_usrreq.c optional inet6 sctp netinet6/udp6_output.c optional inet6 netinet6/udp6_usrreq.c optional inet6 -netipsec/ipsec.c optional fast_ipsec -netipsec/ipsec_input.c optional fast_ipsec -netipsec/ipsec_mbuf.c optional fast_ipsec -netipsec/ipsec_output.c optional fast_ipsec -netipsec/key.c optional fast_ipsec -netipsec/key_debug.c optional fast_ipsec -netipsec/keysock.c optional fast_ipsec -netipsec/xform_ah.c optional fast_ipsec -netipsec/xform_esp.c optional fast_ipsec -netipsec/xform_ipcomp.c optional fast_ipsec -netipsec/xform_ipip.c optional fast_ipsec -netipsec/xform_tcp.c optional fast_ipsec tcp_signature +netipsec/ipsec.c optional ipsec +netipsec/ipsec_input.c optional ipsec +netipsec/ipsec_mbuf.c optional ipsec +netipsec/ipsec_output.c optional ipsec +netipsec/key.c optional ipsec +netipsec/key_debug.c optional ipsec +netipsec/keysock.c optional ipsec +netipsec/xform_ah.c optional ipsec +netipsec/xform_esp.c optional ipsec +netipsec/xform_ipcomp.c optional ipsec +netipsec/xform_ipip.c optional ipsec +netipsec/xform_tcp.c optional ipsec tcp_signature netipx/ipx.c optional ipx netipx/ipx_cksum.c optional ipx netipx/ipx_input.c optional ipx @@ -1959,7 +1959,7 @@ nfsserver/nfs_srvcache.c optional nfsserver nfsserver/nfs_srvsubs.c optional nfsserver nfsserver/nfs_syscalls.c optional nfsserver # crypto support -opencrypto/cast.c optional crypto | ipsec ipsec_esp +opencrypto/cast.c optional crypto | ipsec opencrypto/criov.c optional crypto opencrypto/crypto.c optional crypto opencrypto/cryptodev.c optional cryptodev 
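Review bot: The new entry `netinet6/ip6_ipsec.c optional ipsec` in the -1880 hunk drops the `inet6` condition that the old `optional inet6 fast_ipsec` line carried, so a kernel configured with IPSEC but without INET6 will now try to build the IPv6 glue. Judging by the ip6_ipsec.c hunks later in this commit, that file refers to `inet6sw` and the ipsec6 headers, so such a configuration probably fails to compile or link. Keeping the condition, `netinet6/ip6_ipsec.c optional inet6 ipsec`, preserves the old behaviour.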
diff --git a/sys/conf/files.amd64 b/sys/conf/files.amd64 index 7c35551..a3c2daf 100644 --- a/sys/conf/files.amd64 +++ b/sys/conf/files.amd64 @@ -135,9 +135,8 @@ amd64/isa/isa_dma.c standard amd64/isa/nmi.c standard amd64/pci/pci_bus.c optional pci amd64/pci/pci_cfgreg.c optional pci -crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp -crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \ - netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb dev/acpica/acpi_if.m standard dev/arcmsr/arcmsr.c optional arcmsr pci dev/atkbdc/atkbd.c optional atkbd atkbdc diff --git a/sys/conf/files.arm b/sys/conf/files.arm index c4001ad..d095889 100644 --- a/sys/conf/files.arm +++ b/sys/conf/files.arm @@ -1,7 +1,6 @@ # $FreeBSD$ -crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp -crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \ - netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb arm/arm/autoconf.c standard arm/arm/bcopy_page.S standard arm/arm/bcopyinout.S standard diff --git a/sys/conf/files.i386 b/sys/conf/files.i386 index 22d75a9..423b515 100644 --- a/sys/conf/files.i386 +++ b/sys/conf/files.i386 
@@ -132,11 +132,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci contrib/dev/oltr/trlldbm.c optional oltr contrib/dev/oltr/trlldhm.c optional oltr contrib/dev/oltr/trlldmac.c optional oltr -bf_enc.o optional crypto | ipsec ipsec_esp \ +bf_enc.o optional crypto | ipsec \ dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \ compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \ no-implicit-rule -crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb +crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb crypto/via/padlock.c optional padlock crypto/via/padlock_cipher.c optional padlock crypto/via/padlock_hash.c optional padlock diff --git a/sys/conf/files.ia64 b/sys/conf/files.ia64 index 0ad8ef4..3452716 100644 --- a/sys/conf/files.ia64 +++ b/sys/conf/files.ia64 @@ -42,9 +42,8 @@ contrib/ia64/libuwx/src/uwx_swap.c standard contrib/ia64/libuwx/src/uwx_trace.c standard contrib/ia64/libuwx/src/uwx_uinfo.c standard contrib/ia64/libuwx/src/uwx_utable.c standard -crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp -crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \ - netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb dev/advansys/adv_isa.c optional adv isa dev/aic/aic_isa.c optional aic isa dev/atkbdc/atkbd.c optional atkbd atkbdc diff --git a/sys/conf/files.pc98 b/sys/conf/files.pc98 index 4e8d175..af3765f 100644 --- a/sys/conf/files.pc98 +++ b/sys/conf/files.pc98 
@@ -93,11 +93,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci contrib/dev/oltr/trlldbm.c optional oltr contrib/dev/oltr/trlldhm.c optional oltr contrib/dev/oltr/trlldmac.c optional oltr -bf_enc.o optional crypto | ipsec ipsec_esp \ +bf_enc.o optional crypto | ipsec \ dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \ compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \ no-implicit-rule -crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb +crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb dev/aic/aic_cbus.c optional aic isa dev/ar/if_ar.c optional ar dev/ar/if_ar_pci.c optional ar pci diff --git a/sys/conf/files.powerpc b/sys/conf/files.powerpc index d6234f1..2b61481 100644 --- a/sys/conf/files.powerpc +++ b/sys/conf/files.powerpc @@ -75,8 +75,8 @@ powerpc/powerpc/db_interface.c optional ddb powerpc/powerpc/db_hwwatch.c optional ddb powerpc/powerpc/db_trace.c optional ddb -crypto/blowfish/bf_enc.c optional ipsec ipsec_esp -crypto/des/des_enc.c optional ipsec ipsec_esp | netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb dev/ofw/openfirm.c standard dev/ofw/ofw_bus_if.m standard diff --git a/sys/conf/files.sparc64 b/sys/conf/files.sparc64 index b00e383..5f29180 100644 --- a/sys/conf/files.sparc64 +++ b/sys/conf/files.sparc64 @@ -32,9 +32,8 @@ opt_ah.h optional ath_hal \ no-obj no-implicit-rule before-depend \ clean "opt_ah.h" # -crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp -crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \ - netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb dev/atkbdc/atkbd.c optional atkbd atkbdc dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc dev/atkbdc/atkbdc.c optional atkbdc 
diff --git a/sys/conf/files.sun4v b/sys/conf/files.sun4v index e126035..250d848 100644 --- a/sys/conf/files.sun4v +++ b/sys/conf/files.sun4v @@ -18,9 +18,8 @@ ukbdmap.h optional ukbd_dflt_keymap \ clean "ukbdmap.h" # # -crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp -crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \ - netsmb +crypto/blowfish/bf_enc.c optional crypto | ipsec +crypto/des/des_enc.c optional crypto | ipsec | netsmb dev/ofw/ofw_bus_if.m standard dev/ofw/ofw_bus_subr.c standard dev/ofw/ofw_console.c optional ofw_console diff --git a/sys/conf/options b/sys/conf/options index 160b12b..789b3b6 100644 --- a/sys/conf/options +++ b/sys/conf/options @@ -358,10 +358,8 @@ MROUTING opt_mrouting.h INET opt_inet.h INET6 opt_inet6.h IPSEC opt_ipsec.h -IPSEC_ESP opt_ipsec.h IPSEC_DEBUG opt_ipsec.h IPSEC_FILTERGIF opt_ipsec.h -FAST_IPSEC opt_ipsec.h IPDIVERT DUMMYNET opt_ipdn.h IPFILTER opt_ipfilter.h diff --git a/sys/crypto/via/padlock.c b/sys/crypto/via/padlock.c index 8c3c13f..36e0856 100644 --- a/sys/crypto/via/padlock.c +++ b/sys/crypto/via/padlock.c @@ -199,7 +199,7 @@ padlock_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri) /* * We only support HMAC algorithms to be able to work with - * fast_ipsec(4), so if we are asked only for authentication without + * ipsec(4), so if we are asked only for authentication without * encryption, don't pretend we can accellerate it. */ if (encini == NULL) diff --git a/sys/net/pfkeyv2.h b/sys/net/pfkeyv2.h index 074a947..6158d88 100644 --- a/sys/net/pfkeyv2.h +++ b/sys/net/pfkeyv2.h 
@@ -328,7 +328,7 @@ struct sadb_x_ipsecrequest { /* private allocations - based on RFC4312/IANA assignment */ #define SADB_X_EALG_CAMELLIACBC 22 /* private allocations should use 249-255 (RFC2407) */ -#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for FAST_IPSEC */ +#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */ #define SADB_X_EALG_AESCTR 250 /*249*/ /* draft-ietf-ipsec-ciph-aes-ctr-03 */ /* private allocations - based on RFC2407/IANA assignment */ diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index edb7702..5e174ea 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -74,10 +74,10 @@ #endif /* INET6 */ -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/key.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <security/mac/mac_framework.h> @@ -193,11 +193,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo) SOCK_UNLOCK(so); #endif -#ifdef FAST_IPSEC +#ifdef IPSEC error = ipsec_init_policy(so, &inp->inp_sp); if (error != 0) goto out; -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #ifdef INET6 if (INP_SOCKAF(so) == AF_INET6) { inp->inp_vflag |= INP_IPV6PROTO; @@ -215,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo) INP_LOCK(inp); inp->inp_gencnt = ++pcbinfo->ipi_gencnt; -#if defined(FAST_IPSEC) || defined(MAC) +#if defined(IPSEC) || defined(MAC) out: if (error != 0) uma_zfree(pcbinfo->ipi_zone, inp); @@ -711,9 +711,9 @@ in_pcbfree(struct inpcb *inp) INP_INFO_WLOCK_ASSERT(ipi); INP_LOCK_ASSERT(inp); -#ifdef FAST_IPSEC +#ifdef IPSEC ipsec4_delete_pcbpolicy(inp); -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ inp->inp_gencnt = ++ipi->ipi_gencnt; in_pcbremlists(inp); if (inp->inp_options) diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index 21d7413..0d08d53 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c 
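Review bot: In the in_pcballoc() hunk at -193, a failing `ipsec_init_policy()` jumps to `out:`, which according to the -215 hunk only does `uma_zfree(pcbinfo->ipi_zone, inp)`. The `SOCK_UNLOCK(so); #endif` directly above suggests that MAC state has already been attached to the inpcb at that point; if so, it is not released on this path unless the zone's destructor takes care of it. The MAC setup is outside the hunk, so this needs checking against the full function; if it holds, the IPsec error path should tear down the MAC state before `goto out`.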
@@ -69,9 +69,9 @@ static struct pr_usrreqs nousrreqs; -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #ifdef SCTP #include <netinet/in_pcb.h> @@ -210,7 +210,7 @@ struct protosw inetsw[] = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }, -#ifdef FAST_IPSEC +#ifdef IPSEC { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -237,7 +237,7 @@ struct protosw inetsw[] = { .pr_input = ipcomp4_input, .pr_usrreqs = &nousrreqs }, -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -368,14 +368,14 @@ SYSCTL_NODE(_net_inet, IPPROTO_TCP, tcp, CTLFLAG_RW, 0, "TCP"); SYSCTL_NODE(_net_inet, IPPROTO_SCTP, sctp, CTLFLAG_RW, 0, "SCTP"); #endif SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP"); -#ifdef FAST_IPSEC +#ifdef IPSEC /* XXX no protocol # to use, pick something "reserved" */ SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC"); SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH"); SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP"); SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP"); SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP"); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW"); #ifdef DEV_PFSYNC SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC"); diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 367d67c..72c11ac 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -3143,7 +3143,7 @@ check_body: break; case O_IPSEC: -#ifdef FAST_IPSEC +#ifdef IPSEC match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); #endif diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index c1a2ae4..b330699 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c 
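Review bot: In the `case O_IPSEC:` hunk of ip_fw2.c, a kernel built without IPSEC compiles the case body to nothing, so `match` keeps the value it had on entry (presumably "no match") and a rule using the ipsec option can never match on the tag. That is easy to overlook when a ruleset relies on this option to separate protected from cleartext traffic. A comment after the `#endif` would make it explicit, for example `/* without IPSEC compiled in, this option never matches */`. The rest of the case lies outside the hunk, so check that such a comment is not already there.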
@@ -59,7 +59,7 @@ #include <netinet/tcpip.h> #include <netinet/icmp_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/key.h> #endif @@ -579,7 +579,7 @@ reflect: (struct sockaddr *)0, RTF_GATEWAY | RTF_HOST, (struct sockaddr *)&icmpgw); pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc); -#ifdef FAST_IPSEC +#ifdef IPSEC key_sa_routechange((struct sockaddr *)&icmpsrc); #endif break; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 9a10230..f7a0ed3 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -70,9 +70,9 @@ #ifdef DEV_CARP #include <netinet/ip_carp.h> #endif -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netinet/ip_ipsec.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <sys/socketvar.h> @@ -391,13 +391,13 @@ tooshort: } else m_adj(m, ip->ip_len - m->m_pkthdr.len); } -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Bypass packet filtering for packets from a tunnel (gif). */ if (ip_ipsec_filtergif(m)) goto passin; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * Run through list of hooks for input packets. @@ -601,10 +601,10 @@ passin: ipstat.ips_cantforward++; m_freem(m); } else { -#ifdef FAST_IPSEC +#ifdef IPSEC if (ip_ipsec_fwd(m)) goto bad; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ ip_forward(m, dchg); } return; @@ -645,7 +645,7 @@ ours: */ ip->ip_len -= hlen; -#ifdef FAST_IPSEC +#ifdef IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer @@ -653,7 +653,7 @@ ours: */ if (ip_ipsec_input(m)) goto bad; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * Switch out to protocol's input routine. 
@@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt) type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; -#ifdef FAST_IPSEC +#ifdef IPSEC mtu = ip_ipsec_mtu(m); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * If the MTU wasn't set before use the interface mtu or * fall back to the next smaller mtu step compared to the diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index f240b41..593bb5a 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c @@ -55,11 +55,11 @@ #include <machine/in_cksum.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/xform.h> #include <netipsec/key.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ extern struct protosw inetsw[]; @@ -71,7 +71,7 @@ extern struct protosw inetsw[]; int ip_ipsec_filtergif(struct mbuf *m) { -#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) +#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) /* * Bypass packet filtering for packets from a tunnel (gif). */ @@ -90,7 +90,7 @@ ip_ipsec_filtergif(struct mbuf *m) int ip_ipsec_fwd(struct mbuf *m) { -#ifdef FAST_IPSEC +#ifdef IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; @@ -122,7 +122,7 @@ ip_ipsec_fwd(struct mbuf *m) ipstat.ips_cantforward++; return 1; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } @@ -137,7 +137,7 @@ int ip_ipsec_input(struct mbuf *m) { struct ip *ip = mtod(m, struct ip *); -#ifdef FAST_IPSEC +#ifdef IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; @@ -179,7 +179,7 @@ ip_ipsec_input(struct mbuf *m) if (error) return 1; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } 
@@ -237,14 +237,14 @@ ip_ipsec_mtu(struct mbuf *m) * * Called from ip_output(). * 1 = drop packet, 0 = continue processing packet, - * -1 = packet was reinjected and stop processing packet (FAST_IPSEC only) + * -1 = packet was reinjected and stop processing packet */ int ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, struct route **ro, struct route *iproute, struct sockaddr_in **dst, struct in_ifaddr **ia, struct ifnet **ifp) { -#ifdef FAST_IPSEC +#ifdef IPSEC struct secpolicy *sp = NULL; struct ip *ip = mtod(*m, struct ip *); struct tdb_ident *tdbi; @@ -381,6 +381,6 @@ bad: if (sp != NULL) KEY_FREESP(&sp); return 1; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 90a21ef..a93571d 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -59,10 +59,10 @@ #include <netinet/ip_var.h> #include <netinet/ip_options.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netinet/ip_ipsec.h> #include <netipsec/ipsec.h> -#endif /* FAST_IPSEC*/ +#endif /* IPSEC*/ #include <machine/in_cksum.h> @@ -412,7 +412,7 @@ again: } sendit: -#ifdef FAST_IPSEC +#ifdef IPSEC switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) { case 1: goto bad; @@ -425,7 +425,7 @@ sendit: /* Update variables that are affected by ipsec4_output(). */ ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* Jump over all PFIL processing if hooks are not active. */ if (!PFIL_HOOKED(&inet_pfil_hook)) @@ -966,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) INP_UNLOCK(inp); break; -#ifdef FAST_IPSEC +#ifdef IPSEC case IP_IPSEC_POLICY: { caddr_t req; @@ -1000,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) m_freem(m); break; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ default: error = ENOPROTOOPT; 
@@ -1104,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) error = inp_getmoptions(inp, sopt); break; -#ifdef FAST_IPSEC +#ifdef IPSEC case IP_IPSEC_POLICY: { struct mbuf *m = NULL; @@ -1122,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) m_freem(m); break; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ default: error = ENOPROTOOPT; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 1a1b4e0..85b010d 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -66,9 +66,9 @@ #include <netinet/ip_fw.h> #include <netinet/ip_dummynet.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <security/mac/mac_framework.h> @@ -155,12 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) INP_LOCK_ASSERT(last); -#ifdef FAST_IPSEC +#ifdef IPSEC /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, last)) { policyfail = 1; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #ifdef MAC if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1; diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index 8b1ebce..5f29214 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -4927,7 +4927,7 @@ sctp_skip_csum_4: } else if (stcb == NULL) { refcount_up = 1; } -#ifdef FAST_IPSEC +#ifdef IPSEC /* * I very much doubt any of the IPSEC stuff will work but I have no * idea, so I will leave it in place. diff --git a/sys/netinet/sctp_os_bsd.h b/sys/netinet/sctp_os_bsd.h index b199e10..99d0ce9 100644 --- a/sys/netinet/sctp_os_bsd.h +++ b/sys/netinet/sctp_os_bsd.h @@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$"); #include <netinet/icmp_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/key.h> #endif /* IPSEC */ #ifdef INET6 #include <sys/domain.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec6.h> #endif #include <netinet/ip6.h> 
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 84b367b..260c628 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -1807,7 +1807,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT; inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT; -#ifdef FAST_IPSEC +#ifdef IPSEC { struct inpcbpolicy *pcb_sp = NULL; @@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) SCTP_INP_INFO_WUNLOCK(); return error; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ SCTP_INCR_EP_COUNT(); inp->ip_inp.inp.inp_ip_ttl = ip_defttl; SCTP_INP_INFO_WUNLOCK(); @@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from) */ cnt = 0; if (so) { -#ifdef FAST_IPSEC +#ifdef IPSEC ipsec4_delete_pcbpolicy(ip_pcb); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* Unlocks not needed since the socket is gone now */ } diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index 446036b..a62497c 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c @@ -485,7 +485,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p) int error; uint32_t vrf_id = SCTP_DEFAULT_VRFID; -#ifdef FAST_IPSEC +#ifdef IPSEC uint32_t flags; #endif inp = (struct sctp_inpcb *)so->so_pcb; @@ -508,7 +508,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p) ip_inp->inp_vflag |= INP_IPV4; ip_inp->inp_ip_ttl = ip_defttl; -#ifdef FAST_IPSEC +#ifdef IPSEC error = ipsec_init_policy(so, &ip_inp->inp_sp); #ifdef SCTP_LOG_CLOSING sctp_log_closing(inp, NULL, 17); @@ -528,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p) } return error; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ SCTP_INP_WUNLOCK(inp); return 0; } diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 9d31c79..b09b5c4 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c 
@@ -82,10 +82,10 @@ #include <netinet/tcp_debug.h> #endif /* TCPDEBUG */ -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <machine/in_cksum.h> @@ -445,7 +445,7 @@ findpcb: m->m_pkthdr.rcvif); } -#ifdef FAST_IPSEC +#ifdef IPSEC #ifdef INET6 if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) { ipsec6stat.in_polvio++; @@ -456,7 +456,7 @@ findpcb: ipsec4stat.in_polvio++; goto dropunlock; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * If the INPCB does not exist then all data in the incoming diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index d80254a..6d552d9 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -72,9 +72,9 @@ #include <netinet/tcp_debug.h> #endif -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <machine/in_cksum.h> @@ -695,7 +695,7 @@ send: offsetof(struct ipoption, ipopt_list); else ipoptlen = 0; -#ifdef FAST_IPSEC +#ifdef IPSEC ipoptlen += ipsec_hdrsiz_tcp(tp); #endif diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 589714f..29ed2f1 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -91,14 +91,14 @@ #endif #include <netinet6/ip6protosw.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/xform.h> #ifdef INET6 #include <netipsec/ipsec6.h> #endif #include <netipsec/key.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <machine/in_cksum.h> #include <sys/md5.h> @@ -1634,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags) } #endif /* INET6 */ -#ifdef FAST_IPSEC +#ifdef IPSEC /* compute ESP/AH header size for TCP, including outer IP header. */ size_t ipsec_hdrsiz_tcp(struct tcpcb *tp) @@ -1675,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp) m_free(m); return (hdrsiz); } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING 
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 9e03f32..c1e4beb 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -80,13 +80,13 @@ #include <netinet6/tcp6_var.h> #endif -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #ifdef INET6 #include <netipsec/ipsec6.h> #endif #include <netipsec/key.h> -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <machine/in_cksum.h> @@ -621,7 +621,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m) inp->inp_lport = 0; goto abort; } -#ifdef FAST_IPSEC +#ifdef IPSEC /* Copy old policy into new socket's. */ if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) printf("syncache_socket: could not copy policy\n"); diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index ae03b54..9391f07 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -78,7 +78,7 @@ #include <netinet/udp.h> #include <netinet/udp_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #endif @@ -495,14 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, INP_LOCK_ASSERT(inp); -#ifdef FAST_IPSEC +#ifdef IPSEC /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { ipsec4stat.in_polvio++; m_freem(n); return; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #ifdef MAC if (mac_check_inpcb_deliver(inp, n) != 0) { m_freem(n); diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 0023c64..f2e56ef 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -99,7 +99,7 @@ #include <netinet6/mld6_var.h> #include <netinet6/nd6.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/key.h> #endif 
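Review bot: In the syncache_socket() hunk, a failure of `ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)` is only reported with printf and the new connection is still set up. The accepted socket then does not carry the listener's policy, so a listener that demands protection could hand out a connection governed by a weaker one; which policy it ends up with depends on code outside this hunk. Since the `abort` label is already used a few lines above, failing closed looks straightforward: `if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) goto abort;`. The function starts and ends outside the hunk, so the cleanup performed at `abort` should be checked first.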
@@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off) sdst.sin6_len = sizeof(struct sockaddr_in6); bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr)); pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst); -#ifdef FAST_IPSEC +#ifdef IPSEC key_sa_routechange((struct sockaddr *)&sdst); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ } freeit: diff --git a/sys/netinet6/in6.h b/sys/netinet6/in6.h index 432938b..12c9fb4 100644 --- a/sys/netinet6/in6.h +++ b/sys/netinet6/in6.h @@ -409,9 +409,9 @@ struct route_in6 { #define IPV6_BINDV6ONLY IPV6_V6ONLY #endif -#ifdef FAST_IPSEC +#ifdef IPSEC #define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */ -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */ diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c index bae1a07..97a0952 100644 --- a/sys/netinet6/in6_pcb.c +++ b/sys/netinet6/in6_pcb.c @@ -99,11 +99,11 @@ #include <netinet6/in6_pcb.h> #include <netinet6/scope6_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> #include <netipsec/key.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ struct in6_addr zeroin6_addr; @@ -427,10 +427,10 @@ in6_pcbfree(struct inpcb *inp) INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo); INP_LOCK_ASSERT(inp); -#ifdef FAST_IPSEC +#ifdef IPSEC if (inp->in6p_sp != NULL) ipsec6_delete_pcbpolicy(inp); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ inp->inp_gencnt = ++ipi->ipi_gencnt; in_pcbremlists(inp); ip6_freepcbopts(inp->in6p_outputopts); diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index df20857..08c46bc 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -115,10 +115,10 @@ #include <netinet6/sctp6_var.h> #endif /* SCTP */ -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <netinet6/ip6protosw.h> 
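Review bot: In the in6.h hunk, `IPV6_IPSEC_POLICY` stays behind a kernel configuration macro, now `#ifdef IPSEC`. If this header is also what userland sees, applications will not get the socket option number, because IPSEC is defined only through opt_ipsec.h (see the sys/conf/options hunk) and never in an application build. A socket option number is part of the ABI and costs nothing when unused, so I would define it unconditionally and drop the `#ifdef IPSEC` / `#endif` pair around `#define IPV6_IPSEC_POLICY 28`.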
@@ -252,7 +252,7 @@ struct ip6protosw inet6sw[] = { .pr_input = frag6_input, .pr_usrreqs = &nousrreqs }, -#ifdef FAST_IPSEC +#ifdef IPSEC { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, @@ -278,7 +278,7 @@ struct ip6protosw inet6sw[] = { .pr_input = ipsec6_common_input, .pr_usrreqs = &nousrreqs, }, -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #ifdef INET { .pr_type = SOCK_RAW, @@ -438,9 +438,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6"); #ifdef SCTP SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6"); #endif -#ifdef FAST_IPSEC +#ifdef IPSEC SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6"); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* net.inet6.ip6 */ static int diff --git a/sys/netinet6/ip6_forward.c b/sys/netinet6/ip6_forward.c index 241c275..c0c2a20 100644 --- a/sys/netinet6/ip6_forward.c +++ b/sys/netinet6/ip6_forward.c @@ -65,11 +65,11 @@ #include <netinet/in_pcb.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> #include <netipsec/key.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <netinet6/ip6protosw.h> @@ -101,7 +101,7 @@ ip6_forward(m, srcrt) struct ifnet *origifp; /* maybe unnecessary */ u_int32_t inzone, outzone; struct in6_addr src_in6, dst_in6; -#ifdef FAST_IPSEC +#ifdef IPSEC struct secpolicy *sp = NULL; int ipsecrt = 0; #endif @@ -109,7 +109,7 @@ ip6_forward(m, srcrt) GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */ -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Check AH/ESP integrity. */ @@ -122,7 +122,7 @@ ip6_forward(m, srcrt) m_freem(m); return; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * Do not forward packets to multicast destination (should be handled @@ -175,7 +175,7 @@ ip6_forward(m, srcrt) */ mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN)); -#ifdef FAST_IPSEC +#ifdef IPSEC /* get a security policy for this packet */ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &error); 
@@ -346,9 +346,9 @@ ip6_forward(m, srcrt) ipsecrt = 1; } skip_ipsec: -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ -#ifdef FAST_IPSEC +#ifdef IPSEC if (ipsecrt) goto skip_routing; #endif @@ -401,7 +401,7 @@ ip6_forward(m, srcrt) } } rt = ip6_forward_rt.ro_rt; -#ifdef FAST_IPSEC +#ifdef IPSEC skip_routing:; #endif @@ -429,7 +429,7 @@ ip6_forward(m, srcrt) return; } if (inzone != outzone -#ifdef FAST_IPSEC +#ifdef IPSEC && !ipsecrt #endif ) { @@ -475,14 +475,14 @@ ip6_forward(m, srcrt) in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig); if (mcopy) { u_long mtu; -#ifdef FAST_IPSEC +#ifdef IPSEC struct secpolicy *sp; int ipsecerror; size_t ipsechdrsiz; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ mtu = IN6_LINKMTU(rt->rt_ifp); -#ifdef FAST_IPSEC +#ifdef IPSEC /* * When we do IPsec tunnel ingress, we need to play * with the link value (decrement IPsec header size @@ -505,7 +505,7 @@ ip6_forward(m, srcrt) */ if (mtu < IPV6_MMTU) mtu = IPV6_MMTU; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu); } m_freem(m); @@ -525,9 +525,9 @@ ip6_forward(m, srcrt) * modified by a redirect. */ if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt && -#ifdef FAST_IPSEC +#ifdef IPSEC !ipsecrt && -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ (rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) { if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) { /* diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 96e7850..65818cc 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -101,11 +101,11 @@ #include <netinet6/in6_ifattach.h> #include <netinet6/nd6.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netinet6/ip6_ipsec.h> #include <netipsec/ipsec6.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <netinet6/ip6protosw.h> 
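Review bot: In the ip6_forward hunk at -475, the block-scope `struct secpolicy *sp;` declared inside `if (mcopy)` shadows the function-scope `sp` that the hunk at -101 declares under the same `#ifdef IPSEC`. Two live policy pointers with one name make it easy to test or release the wrong one when this path is next edited. Renaming the inner one, for example `struct secpolicy *mtusp;`, removes the ambiguity. Its uses lie in the part of the block that is outside the hunk, so they would need the same rename.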
@@ -224,7 +224,7 @@ ip6_input(m) GIANT_REQUIRED; /* XXX for now */ -#ifdef FAST_IPSEC +#ifdef IPSEC /* * should the inner packet be considered authentic? * see comment in ah4_input(). @@ -234,7 +234,7 @@ ip6_input(m) m->m_flags &= ~M_AUTHIPHDR; m->m_flags &= ~M_AUTHIPDGM; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * make sure we don't have onion peering information into m_tag. @@ -761,7 +761,7 @@ passin: goto bad; } -#ifdef FAST_IPSEC +#ifdef IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer @@ -769,7 +769,7 @@ passin: */ if (ip6_ipsec_input(m, nxt)) goto bad; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); } return; diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c index f1c529f..3eb0155 100644 --- a/sys/netinet6/ip6_ipsec.c +++ b/sys/netinet6/ip6_ipsec.c @@ -55,7 +55,7 @@ #include <machine/in_cksum.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> #include <netipsec/xform.h> @@ -65,7 +65,7 @@ #else #define KEYDEBUG(lev,arg) #endif -#endif /*FAST_IPSEC*/ +#endif /*IPSEC*/ #include <netinet6/ip6_ipsec.h> @@ -79,7 +79,7 @@ extern struct protosw inet6sw[]; int ip6_ipsec_filtergif(struct mbuf *m) { -#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) +#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) /* * Bypass packet filtering for packets from a tunnel (gif). */ @@ -98,7 +98,7 @@ ip6_ipsec_filtergif(struct mbuf *m) int ip6_ipsec_fwd(struct mbuf *m) { -#ifdef FAST_IPSEC +#ifdef IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; @@ -129,7 +129,7 @@ ip6_ipsec_fwd(struct mbuf *m) ipstat.ips_cantforward++; return 1; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } @@ -144,7 +144,7 @@ int ip6_ipsec_input(struct mbuf *m, int nxt) { -#ifdef FAST_IPSEC +#ifdef IPSEC struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; 
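Review bot: In the ip6_input hunk at -761, the policy check `if (ip6_ipsec_input(m, nxt)) goto bad;` is now compiled only when IPSEC is defined, so a kernel configuration that still says `options FAST_IPSEC` would build without it unless the build rejects the retired option. Whether sys/conf/options does reject it is not visible in this part of the diff. A guard placed somewhere that is compiled unconditionally, `#if defined(FAST_IPSEC) && !defined(IPSEC)` followed by `#error "FAST_IPSEC has been renamed to IPSEC"` and `#endif`, would turn a silent loss of enforcement into a build failure. The same applies to the "Check AH/ESP integrity" blocks in the ip6_forward, raw_ip6.c, sctp6_usrreq.c and udp6_append hunks.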
@@ -188,21 +188,21 @@ ip6_ipsec_input(struct mbuf *m, int nxt) if (error) return 1; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } /* * Called from ip6_output(). * 1 = drop packet, 0 = continue processing packet, - * -1 = packet was reinjected and stop processing packet (FAST_IPSEC only) + * -1 = packet was reinjected and stop processing packet */ int ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, struct ifnet **ifp, struct secpolicy **sp) { -#ifdef FAST_IPSEC +#ifdef IPSEC struct tdb_ident *tdbi; struct m_tag *mtag; int s; @@ -309,7 +309,7 @@ bad: if (*sp != NULL) KEY_FREESP(sp); return 1; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ return 0; } @@ -332,12 +332,12 @@ ip6_ipsec_mtu(struct mbuf *m) int ipsecerror; int ipsechdr; struct route *ro; -#ifdef FAST_IPSEC +#ifdef IPSEC sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ if (sp != NULL) { /* count IPsec header size */ ipsechdr = ipsec4_hdrsiz(m, @@ -360,9 +360,9 @@ ip6_ipsec_mtu(struct mbuf *m) mtu -= ipsechdr; } } -#ifdef FAST_IPSEC +#ifdef IPSEC KEY_FREESP(&sp); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ } return mtu; } diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index b08862a..01e86b0 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -91,12 +91,12 @@ #include <netinet/tcp_var.h> #include <netinet6/nd6.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> #include <netipsec/key.h> #include <netinet6/ip6_ipsec.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <netinet6/ip6protosw.h> #include <netinet6/scope6_var.h> 
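Review bot: In the ip6_ipsec_mtu hunk at -332, only the `ipsec_getpolicybyaddr()` call is inside `#ifdef IPSEC`, while the `if (sp != NULL)` test and the `ipsec4_hdrsiz()` call that follow are compiled either way. In a kernel without IPSEC the test would read `sp` with no assignment in the visible lines; its declaration is outside the hunk, so it may be initialised there. I would drop the `#endif /* IPSEC */` after the lookup and the `#ifdef IPSEC` before `KEY_FREESP(&sp);` in the hunk at -360, so that one pair encloses the whole policy block. It is also worth confirming that `ipsec4_hdrsiz()` and `struct route *ro` are intended in an IPv6 function.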
@@ -208,13 +208,13 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) struct route_in6 *ro_pmtu = NULL; int hdrsplit = 0; int needipsec = 0; -#ifdef FAST_IPSEC +#ifdef IPSEC struct ipsec_output_state state; struct ip6_rthdr *rh = NULL; int needipsectun = 0; int segleft_org = 0; struct secpolicy *sp = NULL; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ ip6 = mtod(m, struct ip6_hdr *); if (ip6 == NULL) { @@ -253,7 +253,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) * IPSec checking which handles several cases. * FAST IPSEC: We re-injected the packet. */ -#ifdef FAST_IPSEC +#ifdef IPSEC switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp)) { case 1: /* Bad packet */ @@ -264,7 +264,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) default: break; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * Calculate the total length of the extension header chain. @@ -362,7 +362,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp, IPPROTO_ROUTING); -#ifdef FAST_IPSEC +#ifdef IPSEC if (!needipsec) goto skip_ipsec2; @@ -418,7 +418,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) rh->ip6r_segleft = segleft_org; } skip_ipsec2:; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * If there is a routing header, replace the destination address field @@ -522,12 +522,9 @@ again: ip6->ip6_hlim = ip6_defmcasthlim; } -#ifdef FAST_IPSEC +#ifdef IPSEC /* - * Same as similar comment above. - * We only want to do regular IPSEC here and leave this pure - * in the case that we're using FAST_IPSEC which uses - * this code to re-inject packets. + * We may re-inject packets into the stack here. */ if (needipsec && needipsectun) { struct ipsec_output_state state; @@ -586,7 +583,7 @@ again: exthdrs.ip6e_ip6 = m; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* adjust pointer */ ip6 = mtod(m, struct ip6_hdr *); @@ -1774,7 +1771,7 @@ do { \ } break; -#ifdef FAST_IPSEC +#ifdef IPSEC case IPV6_IPSEC_POLICY: { caddr_t req = NULL; 
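Review bot: In the ip6_output hunk at -253, the comment above the switch still reads `FAST IPSEC: We re-injected the packet.` although the option it names no longer exists after this commit. The switch labels only `case 1: /* Bad packet */`, so a reader cannot tell what the other return values of `ip6_ipsec_output()` mean. I would replace that comment line with the contract given in ip6_ipsec.c, `1 = drop packet, 0 = continue processing packet, -1 = packet was reinjected and stop processing packet`. The replacement comment in the hunk at -522, `We may re-inject packets into the stack here.`, would be clearer if it said under which condition that happens.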
@@ -1794,7 +1791,7 @@ do { \ m_freem(m); } break; -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ default: error = ENOPROTOOPT; @@ -1991,7 +1988,7 @@ do { \ } break; -#ifdef FAST_IPSEC +#ifdef IPSEC case IPV6_IPSEC_POLICY: { caddr_t req = NULL; @@ -2020,7 +2017,7 @@ do { \ m_freem(m); break; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ default: error = ENOPROTOOPT; diff --git a/sys/netinet6/nd6.c b/sys/netinet6/nd6.c index 7d6e788..3236fa5 100644 --- a/sys/netinet6/nd6.c +++ b/sys/netinet6/nd6.c @@ -474,7 +474,7 @@ nd6_llinfo_timer(arg) ln->ln_hold = m0; clear_llinfo_pqueue(ln); } - if (rt) + if (rt && rt->rt_llinfo) (void)nd6_free(rt, 0); ln = NULL; } @@ -489,7 +489,8 @@ nd6_llinfo_timer(arg) case ND6_LLINFO_STALE: /* Garbage Collection(RFC 2461 5.3) */ if (!ND6_LLINFO_PERMANENT(ln)) { - (void)nd6_free(rt, 1); + if (rt && rt->rt_llinfo) + (void)nd6_free(rt, 1); ln = NULL; } break; @@ -525,7 +526,8 @@ nd6_llinfo_timer(arg) ln->ln_expire = 0; /* make it permanent */ ln->ln_state = ND6_LLINFO_STALE; } else { - (void)nd6_free(rt, 0); + if (rt && rt->rt_llinfo) + (void)nd6_free(rt, 0); ln = NULL; } break; @@ -2009,7 +2011,7 @@ again: rt = rt->rt_gwroute; RT_LOCK(rt); /* NB: gwroute */ if ((rt->rt_flags & RTF_UP) == 0) { - rtfree(rt); /* unlock gwroute */ + RTFREE_LOCKED(rt); /* unlock gwroute */ rt = rt0; lookup: RT_UNLOCK(rt0); @@ -2322,7 +2324,8 @@ nd6_sysctl_drlist(SYSCTL_HANDLER_ARGS) d->rtaddr.sin6_family = AF_INET6; d->rtaddr.sin6_len = sizeof(d->rtaddr); d->rtaddr.sin6_addr = dr->rtaddr; - sa6_recoverscope(&d->rtaddr); + if (error = sa6_recoverscope(&d->rtaddr) != 0) + return (error); d->flags = dr->flags; d->rtlifetime = dr->rtlifetime; d->expire = dr->expire; diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c index 3b29375..20c4b36 100644 --- a/sys/netinet6/raw_ip6.c +++ b/sys/netinet6/raw_ip6.c 
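Review bot: The `rt && rt->rt_llinfo` guard added before `nd6_free()` in the nd6_llinfo_timer hunk at -474, and again in the hunks at -489 and -525, has no comment saying when the timer can see a route whose `rt_llinfo` is already NULL. In all three places `ln = NULL;` still runs when the free is skipped, so the entry is dropped from this function's view without being released here. A short comment at the first site would help, for example `/* rt_llinfo may already have been cleared; nd6_free() must not be called on such a route */`, with the actual condition confirmed by the author. These nd6.c changes are also not mentioned in the commit message, which describes only the option rename.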
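Review bot: In the nd6_sysctl_drlist hunk at -2322, `if (error = sa6_recoverscope(&d->rtaddr) != 0)` assigns the result of the comparison, because `!=` binds tighter than `=`. On failure `error` is therefore 1 rather than the value `sa6_recoverscope()` returned, and the sysctl caller gets that 1 back as its error code. The line should read `if ((error = sa6_recoverscope(&d->rtaddr)) != 0)`. The surrounding loop is outside the hunk, so it is worth confirming that returning from the middle of it leaves nothing to clean up.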
@@ -95,10 +95,10 @@ #include <netinet6/raw_ip6.h> #include <netinet6/scope6_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ #include <machine/stdarg.h> @@ -181,7 +181,7 @@ docontinue: if (last) { struct mbuf *n = m_copy(m, 0, (int)M_COPYALL); -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Check AH/ESP integrity. */ @@ -190,7 +190,7 @@ docontinue: ipsec6stat.in_polvio++; /* do not inject data into pcb */ } else -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ if (n) { if (last->in6p_flags & IN6P_CONTROLOPTS || last->in6p_socket->so_options & SO_TIMESTAMP) @@ -212,7 +212,7 @@ docontinue: } last = in6p; } -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Check AH/ESP integrity. */ @@ -223,7 +223,7 @@ docontinue: /* do not inject data into pcb */ INP_UNLOCK(last); } else -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ if (last) { if (last->in6p_flags & IN6P_CONTROLOPTS || last->in6p_socket->so_options & SO_TIMESTAMP) diff --git a/sys/netinet6/sctp6_usrreq.c b/sys/netinet6/sctp6_usrreq.c index 58833aa..b19236c 100644 --- a/sys/netinet6/sctp6_usrreq.c +++ b/sys/netinet6/sctp6_usrreq.c @@ -52,12 +52,12 @@ __FBSDID("$FreeBSD$"); #include <netinet/sctp_output.h> #include <netinet/sctp_bsd_addr.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #if defined(INET6) #include <netipsec/ipsec6.h> #endif /* INET6 */ -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ extern struct protosw inetsw[]; @@ -207,7 +207,7 @@ sctp_skip_csum: refcount_up = 1; } in6p_ip = (struct inpcb *)in6p; -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Check AH/ESP integrity. */ @@ -216,7 +216,7 @@ sctp_skip_csum: ipsec6stat.in_polvio++; goto bad; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * CONTROL chunk processing diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 4cf0e13..4832fdb 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c 
@@ -102,10 +102,10 @@ #include <netinet6/udp6_var.h> #include <netinet6/scope6_var.h> -#ifdef FAST_IPSEC +#ifdef IPSEC #include <netipsec/ipsec.h> #include <netipsec/ipsec6.h> -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * UDP protocol inplementation. @@ -124,7 +124,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off, /* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */ -#ifdef FAST_IPSEC +#ifdef IPSEC /* * Check AH/ESP integrity. */ @@ -133,7 +133,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off, ipsec6stat.in_polvio++; return; } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ opts = NULL; if (in6p->in6p_flags & IN6P_CONTROLOPTS || diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index 8191009..ff7318e 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -606,7 +606,7 @@ bad: return (error); } -#ifdef FAST_IPSEC +#ifdef IPSEC static int ipe4_init(struct secasvar *sav, struct xformsw *xsp) { @@ -685,4 +685,4 @@ ipe4_attach(void) #endif } SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL); -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ |