authorLuiz Otavio O Souza <luiz@netgate.com>2015-09-15 14:55:12 -0500
committerLuiz Otavio O Souza <luiz@netgate.com>2015-10-20 11:58:47 -0500
commit41f40988afa849dd84147add3a2430fe8d0ba788 (patch)
treec86e2f8d6b335aff803fe71ba686fba805e44c69 /sys/netinet6/ip6_ipsec.c
parentbcdf3f514f78b6c54084da98b13939a24af65a2c (diff)
MFC r275715:
Use ipsec6_in_reject() to simplify ip6_ipsec_fwd() and ip6_ipsec_input(). ipsec6_in_reject() does the same things, and it also counts policy violation errors. Do the IPSEC check in ip6_forward() after the address checks. Also use ip6_ipsec_fwd() to make the code similar to the IPv4 implementation. Obtained from: Yandex LLC Sponsored by: Yandex LLC TAG: IPSEC-HEAD Issue: #4841
Diffstat (limited to 'sys/netinet6/ip6_ipsec.c')
-rw-r--r--sys/netinet6/ip6_ipsec.c42
1 files changed, 8 insertions, 34 deletions
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index f849b71..66459cf 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -117,28 +117,18 @@ ip6_ipsec_filtertunnel(struct mbuf *m)
/*
* Check if this packet has an active SA and needs to be dropped instead
* of forwarded.
- * Called from ip6_input().
+ * Called from ip6_forward().
* 1 = drop packet, 0 = forward packet.
*/
int
ip6_ipsec_fwd(struct mbuf *m)
{
-#ifdef IPSEC
- struct secpolicy *sp;
- int error;
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- }
- if (error != 0)
- return (1);
-#endif /* IPSEC */
+#ifdef IPSEC
+ return (ipsec6_in_reject(m, NULL));
+#else
return (0);
+#endif /* !IPSEC */
}
/*
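Review bot: The header comment above ip6_ipsec_fwd() still promises a strict "1 = drop packet, 0 = forward packet" contract, but the new body returns ipsec6_in_reject()'s value unchanged, so that contract now holds only if ipsec6_in_reject() itself never returns anything other than 0 or 1. Callers that compare the result against 1 rather than testing for non-zero would be affected if that ever changes. Either document the pass-through, `* non-zero = drop packet, 0 = forward packet.`, or normalise it, `return (ipsec6_in_reject(m, NULL) != 0);`. The same pass-through appears in ip6_ipsec_input() in the second hunk.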
@@ -151,31 +141,15 @@ ip6_ipsec_fwd(struct mbuf *m)
int
ip6_ipsec_input(struct mbuf *m, int nxt)
{
+
#ifdef IPSEC
- struct secpolicy *sp;
- int error;
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec6_in_reject(m, NULL)) {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("%s: no SP, packet discarded\n", __func__));/*XXX*/
- }
- if (error != 0)
- return (1);
- }
+ if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+ return (ipsec6_in_reject(m, NULL));
#endif /* IPSEC */
return (0);
}
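Review bot: The old "no SP, packet discarded" branch, with its EINVAL and DPRINTF, is gone from ip6_ipsec_input() and the policy-miss case is now decided entirely inside ipsec6_in_reject(), which a reader of this function can no longer see. The remaining comment block only explains the PR_LASTHDR condition, so a one-line note before the new `if` would keep the drop semantics discoverable: `/* Policy lookup, rejection and error accounting are done by ipsec6_in_reject(). */`. The commit message says ipsec6_in_reject() counts policy violations, which is presumably where the former "XXX error stat???" is now handled; worth confirming that a missing policy is still counted rather than silently passed.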