MFC r275392:

  Remove route chaching support from ipsec code. It isn't used for some time.
  * remove sa_route_union declaration and route_cache member from struct secashead;
  * remove key_sa_routechange() call from ICMP and ICMPv6 code;
  * simplify ip_ipsec_mtu();
  * remove #include <net/route.h>;

Sponsored by:	Yandex LLC

19 files changed, 5 insertions, 95 deletions

diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index c3dc159..ccc01c8 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -33,7 +33,6 @@
 __FBSDID("$FreeBSD$");
 
 #include "opt_inet.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -64,10 +63,6 @@ __FBSDID("$FreeBSD$");
 #include <netinet/icmp_var.h>
 
 #ifdef INET
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/key.h>
-#endif
 
 #include <machine/in_cksum.h>
 
@@ -664,9 +659,6 @@ reflect:
 			  (struct sockaddr *)&icmpgw, fibnum);
 		}
 		pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
-#ifdef IPSEC
-		key_sa_routechange((struct sockaddr *)&icmpsrc);
-#endif
 		break;
 
 	/*
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 28b899d..1550018 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -45,7 +45,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/sysctl.h>
 
 #include <net/if.h>
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
@@ -215,35 +214,7 @@ ip_ipsec_mtu(struct mbuf *m, int mtu)
 	 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
 	 * XXX quickhack!!!
 	 */
-	struct secpolicy *sp = NULL;
-	int ipsecerror;
-	int ipsechdr;
-	struct route *ro;
-	sp = ipsec_getpolicybyaddr(m,
-				   IPSEC_DIR_OUTBOUND,
-				   IP_FORWARDING,
-				   &ipsecerror);
-	if (sp != NULL) {
-		/* count IPsec header size */
-		ipsechdr = ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL);
-
-		/*
-		 * find the correct route for outer IPv4
-		 * header, compute tunnel MTU.
-		 */
-		if (sp->req != NULL &&
-		    sp->req->sav != NULL &&
-		    sp->req->sav->sah != NULL) {
-			ro = &sp->req->sav->sah->route_cache.sa_route;
-			if (ro->ro_rt && ro->ro_rt->rt_ifp) {
-				mtu = ro->ro_rt->rt_mtu ? ro->ro_rt->rt_mtu :
-				    ro->ro_rt->rt_ifp->if_mtu;
-				mtu -= ipsechdr;
-			}
-		}
-		KEY_FREESP(&sp);
-	}
-	return mtu;
+	return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL));
 }
 
 /*
diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c
index abf1a0a..85e29db 100644
--- a/sys/netinet6/icmp6.c
+++ b/sys/netinet6/icmp6.c
@@ -65,7 +65,6 @@ __FBSDID("$FreeBSD$");
 
 #include "opt_inet.h"
 #include "opt_inet6.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/domain.h>
@@ -107,11 +106,6 @@ __FBSDID("$FreeBSD$");
 #include <netinet6/nd6.h>
 #include <netinet6/send.h>
 
-#ifdef IPSEC
-#include <netipsec/ipsec.h>
-#include <netipsec/key.h>
-#endif
-
 extern struct domain inet6domain;
 
 VNET_PCPUSTAT_DEFINE(struct icmp6stat, icmp6stat);
@@ -2503,9 +2497,6 @@ icmp6_redirect_input(struct mbuf *m, int off)
 	sdst.sin6_len = sizeof(struct sockaddr_in6);
 	bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
 	pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
-#ifdef IPSEC
-	key_sa_routechange((struct sockaddr *)&sdst);
-#endif /* IPSEC */
     }
 
  freeit:
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 2509e09..ea47566 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -47,7 +47,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/syslog.h>
 
 #include <net/if.h>
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 84534f8..6f43a4c 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -55,7 +55,6 @@
 #include <sys/proc.h>
 
 #include <net/if.h>
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 1fca4bb..cc64533 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -47,6 +47,10 @@
 
 #ifdef _KERNEL
 
+#include <sys/_lock.h>
+#include <sys/_mutex.h>
+#include <sys/_rwlock.h>
+
 #define	IPSEC_ASSERT(_c,_m) KASSERT(_c, _m)
 
 #define	IPSEC_IS_PRIVILEGED_SO(_so) \
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 677ef00..66de530 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -57,7 +57,6 @@
 
 #include <net/if.h>
 #include <net/pfil.h>
-#include <net/route.h>
 #include <net/netisr.h>
 #include <net/vnet.h>
 
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index fb105d4..8e68ffb 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -37,11 +37,8 @@
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 
-#include <net/route.h>
 #include <net/vnet.h>
-
 #include <netinet/in.h>
-
 #include <netipsec/ipsec.h>
 
 /*
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 39a8631..442fb7a 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -45,7 +45,6 @@
 
 #include <net/if.h>
 #include <net/pfil.h>
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 1927373..d93c1a3 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -58,7 +58,6 @@
 #include <sys/syslog.h>
 
 #include <net/if.h>
-#include <net/route.h>
 #include <net/raw_cb.h>
 #include <net/vnet.h>
 
@@ -2766,10 +2765,6 @@ key_delsah(sah)
 		/* remove from tree of SA index */
 		if (__LIST_CHAINED(sah))
 			LIST_REMOVE(sah, chain);
-		if (sah->route_cache.sa_route.ro_rt) {
-			RTFREE(sah->route_cache.sa_route.ro_rt);
-			sah->route_cache.sa_route.ro_rt = (struct rtentry *)NULL;
-		}
 		free(sah, M_IPSEC_SAH);
 	}
 }
@@ -7893,26 +7888,6 @@ key_sa_recordxfer(sav, m)
 	return;
 }
 
-/* dumb version */
-void
-key_sa_routechange(dst)
-	struct sockaddr *dst;
-{
-	struct secashead *sah;
-	struct route *ro;
-
-	SAHTREE_LOCK();
-	LIST_FOREACH(sah, &V_sahtree, chain) {
-		ro = &sah->route_cache.sa_route;
-		if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
-		 && bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
-			RTFREE(ro->ro_rt);
-			ro->ro_rt = (struct rtentry *)NULL;
-		}
-	}
-	SAHTREE_UNLOCK();
-}
-
 static void
 key_sa_chgstate(struct secasvar *sav, u_int8_t state)
 {
diff --git a/sys/netipsec/key.h b/sys/netipsec/key.h
index f246dbc..f3a33fa 100644
--- a/sys/netipsec/key.h
+++ b/sys/netipsec/key.h
@@ -107,7 +107,6 @@ extern void key_init __P((void));
 extern void key_destroy(void);
 #endif
 extern void key_sa_recordxfer __P((struct secasvar *, struct mbuf *));
-extern void key_sa_routechange __P((struct sockaddr *));
 extern void key_sa_stir_iv __P((struct secasvar *));
 #ifdef IPSEC_NAT_T
 u_int16_t key_portfromsaddr(struct sockaddr *);
diff --git a/sys/netipsec/key_debug.c b/sys/netipsec/key_debug.c
index da5dd75..7fa0ded 100644
--- a/sys/netipsec/key_debug.c
+++ b/sys/netipsec/key_debug.c
@@ -45,7 +45,6 @@
 #endif
 #include <sys/socket.h>
 
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netipsec/key_var.h>
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
index 7494f5f..63e38b7 100644
--- a/sys/netipsec/keydb.h
+++ b/sys/netipsec/keydb.h
@@ -85,12 +85,6 @@ struct seclifetime {
 	u_int64_t usetime;
 };
 
-union sa_route_union {
-	struct route		sa_route;
-	struct route		sin_route;	/* Duplicate for consistency. */
-	struct route_in6	sin6_route;
-};
-
 /* Security Association Data Base */
 struct secashead {
 	LIST_ENTRY(secashead) chain;
@@ -105,8 +99,6 @@ struct secashead {
 	LIST_HEAD(_satree, secasvar) savtree[SADB_SASTATE_MAX+1];
 					/* SA chain */
 					/* The first of this list is newer SA */
-
-	union sa_route_union route_cache;
 };
 
 struct xformsw;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index c143954..43a5ed1 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -53,7 +53,6 @@
 
 #include <net/if.h>
 #include <net/raw_cb.h>
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netinet/in.h>
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 3666b54..afa452c 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -56,7 +56,6 @@
 #include <netinet/ip_ecn.h>
 #include <netinet/ip6.h>
 
-#include <net/route.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/ah.h>
 #include <netipsec/ah_var.h>
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index bb6d1e6..90f6d56 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -56,7 +56,6 @@
 #include <netinet/ip_ecn.h>
 #include <netinet/ip6.h>
 
-#include <net/route.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/ah.h>
 #include <netipsec/ah_var.h>
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 1fa1057..6d95250 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -48,7 +48,6 @@
 #include <netinet/ip.h>
 #include <netinet/ip_var.h>
 
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netipsec/ipsec.h>
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index bae8655..9585eef 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -53,7 +53,6 @@
 
 #include <net/if.h>
 #include <net/pfil.h>
-#include <net/route.h>
 #include <net/netisr.h>
 #include <net/vnet.h>
 
diff --git a/sys/netipsec/xform_tcp.c b/sys/netipsec/xform_tcp.c
index a5edb15..267e377 100644
--- a/sys/netipsec/xform_tcp.c
+++ b/sys/netipsec/xform_tcp.c
@@ -47,7 +47,6 @@
 #include <netinet/tcp.h>
 #include <netinet/tcp_var.h>
 
-#include <net/route.h>
 #include <net/vnet.h>
 
 #include <netipsec/ipsec.h>