author | ae <ae@FreeBSD.org> | 2015-06-02 03:14:42 +0000 |
committer | ae <ae@FreeBSD.org> | 2015-06-02 03:14:42 +0000 |
commit | fcbaea954867d54540644ca91c5c45fa835060d6 (patch) | |
tree | 363e3402c6231f65ac872079c15244ba777cd8c8 | |
parent | f780971d9351b1bff9f79ea9876a4eb1d3def6ba (diff) | |
MFC r275392:
Remove route caching support from ipsec code. It hasn't been used for some time.
* remove sa_route_union declaration and route_cache member from struct secashead;
* remove key_sa_routechange() call from ICMP and ICMPv6 code;
* simplify ip_ipsec_mtu();
* remove #include <net/route.h>;
Sponsored by: Yandex LLC
-rw-r--r-- | sys/netinet/ip_icmp.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_ipsec.c | 31 | ||||
-rw-r--r-- | sys/netinet6/icmp6.c | 9 | ||||
-rw-r--r-- | sys/netinet6/ip6_ipsec.c | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec.c | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 4 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec_mbuf.c | 3 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 1 | ||||
-rw-r--r-- | sys/netipsec/key.c | 25 | ||||
-rw-r--r-- | sys/netipsec/key.h | 1 | ||||
-rw-r--r-- | sys/netipsec/key_debug.c | 1 | ||||
-rw-r--r-- | sys/netipsec/keydb.h | 8 | ||||
-rw-r--r-- | sys/netipsec/keysock.c | 1 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 1 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 1 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 1 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 1 | ||||
-rw-r--r-- | sys/netipsec/xform_tcp.c | 1 |
19 files changed, 5 insertions, 95 deletions
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index c3dc159..ccc01c8 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -33,7 +33,6 @@ __FBSDID("$FreeBSD$"); #include "opt_inet.h" -#include "opt_ipsec.h" #include <sys/param.h> #include <sys/systm.h> @@ -64,10 +63,6 @@ __FBSDID("$FreeBSD$"); #include <netinet/icmp_var.h> #ifdef INET -#ifdef IPSEC -#include <netipsec/ipsec.h> -#include <netipsec/key.h> -#endif #include <machine/in_cksum.h> @@ -664,9 +659,6 @@ reflect: (struct sockaddr *)&icmpgw, fibnum); } pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc); -#ifdef IPSEC - key_sa_routechange((struct sockaddr *)&icmpsrc); -#endif break; /* diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 28b899d..1550018 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c @@ -45,7 +45,6 @@ __FBSDID("$FreeBSD$"); #include <sys/sysctl.h> #include <net/if.h> -#include <net/route.h> #include <net/vnet.h> #include <netinet/in.h> @@ -215,35 +214,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu) * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz * XXX quickhack!!! */ - struct secpolicy *sp = NULL; - int ipsecerror; - int ipsechdr; - struct route *ro; - sp = ipsec_getpolicybyaddr(m, - IPSEC_DIR_OUTBOUND, - IP_FORWARDING, - &ipsecerror); - if (sp != NULL) { - /* count IPsec header size */ - ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); - - /* - * find the correct route for outer IPv4 - * header, compute tunnel MTU. - */ - if (sp->req != NULL && - sp->req->sav != NULL && - sp->req->sav->sah != NULL) { - ro = &sp->req->sav->sah->route_cache.sa_route; - if (ro->ro_rt && ro->ro_rt->rt_ifp) { - mtu = ro->ro_rt->rt_mtu ? ro->ro_rt->rt_mtu : - ro->ro_rt->rt_ifp->if_mtu; - mtu -= ipsechdr; - } - } - KEY_FREESP(&sp); - } - return mtu; + return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL)); } /* diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index abf1a0a..85e29db 100644 --- a/sys/netinet6/icmp6.c 
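Review bot: The new `return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL));` in ip_ipsec_mtu() subtracts the header size for every packet, whereas the removed code only adjusted `mtu` when a policy and a cached route existed; this is equivalent only if ipsec_hdrsiz() yields 0 for traffic with no applicable outbound policy, which is worth confirming against its definition, since otherwise the caller would report too small an MTU. The result also has no lower bound, so an interface MTU smaller than the computed header size would hand the caller a zero or negative value; a guard such as `hdrsiz = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL); return (hdrsiz < mtu ? mtu - hdrsiz : mtu);` would keep the reported MTU sane. The surviving comment above the return (`tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz` / `XXX quickhack!!!`) still describes the removed route-based computation and should be reworded, e.g. `* Subtract the IPsec header overhead of the outbound policy (if any) from the MTU the caller computed.`. ip_ipsec_mtu()'s signature and the start of its body are outside the hunk.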
+++ b/sys/netinet6/icmp6.c @@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$"); #include "opt_inet.h" #include "opt_inet6.h" -#include "opt_ipsec.h" #include <sys/param.h> #include <sys/domain.h> @@ -107,11 +106,6 @@ __FBSDID("$FreeBSD$"); #include <netinet6/nd6.h> #include <netinet6/send.h> -#ifdef IPSEC -#include <netipsec/ipsec.h> -#include <netipsec/key.h> -#endif - extern struct domain inet6domain; VNET_PCPUSTAT_DEFINE(struct icmp6stat, icmp6stat); @@ -2503,9 +2497,6 @@ icmp6_redirect_input(struct mbuf *m, int off) sdst.sin6_len = sizeof(struct sockaddr_in6); bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr)); pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst); -#ifdef IPSEC - key_sa_routechange((struct sockaddr *)&sdst); -#endif /* IPSEC */ } freeit: diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c index 2509e09..ea47566 100644 --- a/sys/netinet6/ip6_ipsec.c +++ b/sys/netinet6/ip6_ipsec.c @@ -47,7 +47,6 @@ __FBSDID("$FreeBSD$"); #include <sys/syslog.h> #include <net/if.h> -#include <net/route.h> #include <net/vnet.h> #include <netinet/in.h> diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 84534f8..6f43a4c 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -55,7 +55,6 @@ #include <sys/proc.h> #include <net/if.h> -#include <net/route.h> #include <net/vnet.h> #include <netinet/in.h> diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 1fca4bb..cc64533 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -47,6 +47,10 @@ #ifdef _KERNEL +#include <sys/_lock.h> +#include <sys/_mutex.h> +#include <sys/_rwlock.h> + #define IPSEC_ASSERT(_c,_m) KASSERT(_c, _m) #define IPSEC_IS_PRIVILEGED_SO(_so) \ diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 677ef00..66de530 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -57,7 +57,6 @@ #include <net/if.h> #include <net/pfil.h> -#include <net/route.h> #include <net/netisr.h> #include <net/vnet.h> 
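Review bot: The three includes added under `#ifdef _KERNEL` in sys/netipsec/ipsec.h (`<sys/_lock.h>`, `<sys/_mutex.h>`, `<sys/_rwlock.h>`) are not mentioned in the commit message and nothing in the hunk says why they are needed; presumably they replace declarations that `<net/route.h>` used to pull in transitively before it was dropped from the consumers, but a reader of the header cannot tell that, and a later cleanup might remove them as apparently unused. A one-line comment above the new block, such as `/* lock types used in this header; previously reached transitively via <net/route.h> */`, would record the reason.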
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index fb105d4..8e68ffb 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -37,11 +37,8 @@ #include <sys/mbuf.h> #include <sys/socket.h> -#include <net/route.h> #include <net/vnet.h> - #include <netinet/in.h> - #include <netipsec/ipsec.h> /* diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 39a8631..442fb7a 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -45,7 +45,6 @@ #include <net/if.h> #include <net/pfil.h> -#include <net/route.h> #include <net/vnet.h> #include <netinet/in.h> diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index 1927373..d93c1a3 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -58,7 +58,6 @@ #include <sys/syslog.h> #include <net/if.h> -#include <net/route.h> #include <net/raw_cb.h> #include <net/vnet.h> @@ -2766,10 +2765,6 @@ key_delsah(sah) /* remove from tree of SA index */ if (__LIST_CHAINED(sah)) LIST_REMOVE(sah, chain); - if (sah->route_cache.sa_route.ro_rt) { - RTFREE(sah->route_cache.sa_route.ro_rt); - sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL; - } free(sah, M_IPSEC_SAH); } } @@ -7893,26 +7888,6 @@ key_sa_recordxfer(sav, m) return; } -/* dumb version */ -void -key_sa_routechange(dst) - struct sockaddr *dst; -{ - struct secashead *sah; - struct route *ro; - - SAHTREE_LOCK(); - LIST_FOREACH(sah, &V_sahtree, chain) { - ro = &sah->route_cache.sa_route; - if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len - && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) { - RTFREE(ro->ro_rt); - ro->ro_rt = (struct rtentry *)NULL; - } - } - SAHTREE_UNLOCK(); -} - static void key_sa_chgstate(struct secasvar *sav, u_int8_t state) { diff --git a/sys/netipsec/key.h b/sys/netipsec/key.h index f246dbc..f3a33fa 100644 --- a/sys/netipsec/key.h +++ b/sys/netipsec/key.h 
@@ -107,7 +107,6 @@ extern void key_init __P((void)); extern void key_destroy(void); #endif extern void key_sa_recordxfer __P((struct secasvar *, struct mbuf *)); -extern void key_sa_routechange __P((struct sockaddr *)); extern void key_sa_stir_iv __P((struct secasvar *)); #ifdef IPSEC_NAT_T u_int16_t key_portfromsaddr(struct sockaddr *); diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c index da5dd75..7fa0ded 100644 --- a/sys/netipsec/key_debug.c +++ b/sys/netipsec/key_debug.c @@ -45,7 +45,6 @@ #endif #include <sys/socket.h> -#include <net/route.h> #include <net/vnet.h> #include <netipsec/key_var.h> diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h index 7494f5f..63e38b7 100644 --- a/sys/netipsec/keydb.h +++ b/sys/netipsec/keydb.h @@ -85,12 +85,6 @@ struct seclifetime { u_int64_t usetime; }; -union sa_route_union { - struct route sa_route; - struct route sin_route; /* Duplicate for consistency. */ - struct route_in6 sin6_route; -}; - /* Security Association Data Base */ struct secashead { LIST_ENTRY(secashead) chain; @@ -105,8 +99,6 @@ struct secashead { LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1]; /* SA chain */ /* The first of this list is newer SA */ - - union sa_route_union route_cache; }; struct xformsw; diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c index c143954..43a5ed1 100644 --- a/sys/netipsec/keysock.c +++ b/sys/netipsec/keysock.c @@ -53,7 +53,6 @@ #include <net/if.h> #include <net/raw_cb.h> -#include <net/route.h> #include <net/vnet.h> #include <netinet/in.h> diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 3666b54..afa452c 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -56,7 +56,6 @@ #include <netinet/ip_ecn.h> #include <netinet/ip6.h> -#include <net/route.h> #include <netipsec/ipsec.h> #include <netipsec/ah.h> #include <netipsec/ah_var.h> diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c index bb6d1e6..90f6d56 100644 
--- a/sys/netipsec/xform_esp.c +++ b/sys/netipsec/xform_esp.c @@ -56,7 +56,6 @@ #include <netinet/ip_ecn.h> #include <netinet/ip6.h> -#include <net/route.h> #include <netipsec/ipsec.h> #include <netipsec/ah.h> #include <netipsec/ah_var.h> diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c index 1fa1057..6d95250 100644 --- a/sys/netipsec/xform_ipcomp.c +++ b/sys/netipsec/xform_ipcomp.c @@ -48,7 +48,6 @@ #include <netinet/ip.h> #include <netinet/ip_var.h> -#include <net/route.h> #include <net/vnet.h> #include <netipsec/ipsec.h> diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index bae8655..9585eef 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -53,7 +53,6 @@ #include <net/if.h> #include <net/pfil.h> -#include <net/route.h> #include <net/netisr.h> #include <net/vnet.h> diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c index a5edb15..267e377 100644 --- a/sys/netipsec/xform_tcp.c +++ b/sys/netipsec/xform_tcp.c @@ -47,7 +47,6 @@ #include <netinet/tcp.h> #include <netinet/tcp_var.h> -#include <net/route.h> #include <net/vnet.h> #include <netipsec/ipsec.h> |