author | sam <sam@FreeBSD.org> | 2002-10-16 01:54:46 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2002-10-16 01:54:46 +0000 |
commit | 2a86be217a6aed33eda6628df2b175e49172cd9f (patch) | |
tree | b26e1e9f49b40642051748bcd3961cc2a2b5ff1d /sys/netinet6/ipsec.c | |
parent | 733bfbdd78ddb9efc129532b2c2239d0bacfaf1a (diff) | |
Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et al. extend the stock openbsd m_tag to include a 32-bit
ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
inpcb parameter to ip_output and ip6_output to allow the IPsec code to
locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version
Reviewed by: julian, luigi (silent), -arch, -net, darren
Approved by: julian, silence from everyone else
Obtained from: openbsd (mostly)
MFC after: 1 month
Diffstat (limited to 'sys/netinet6/ipsec.c')
-rw-r--r-- | sys/netinet6/ipsec.c | 130 |
1 files changed, 15 insertions, 115 deletions
diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index 5a9e509..b91470e 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -221,9 +221,6 @@ static int ipsec4_encapsulate __P((struct mbuf *, struct secasvar *));
 #ifdef INET6
 static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
 #endif
-static struct mbuf *ipsec_addaux __P((struct mbuf *));
-static struct mbuf *ipsec_findaux __P((struct mbuf *));
-static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
 
 /*
  * For OUTBOUND packet having a socket. Searching SPD for packet, 
@@ -3457,91 +3454,14 @@ ipsec_copypkt(m)
 return(NULL);
 }
 
-static struct mbuf *
-ipsec_addaux(m)
- struct mbuf *m;
-{
- struct mbuf *n;
-
- n = m_aux_find(m, AF_INET, IPPROTO_ESP);
- if (!n)
- n = m_aux_add(m, AF_INET, IPPROTO_ESP);
- if (!n)
- return n; /* ENOBUFS */
- n->m_len = sizeof(struct socket *);
- bzero(mtod(n, void *), n->m_len);
- return n;
-}
-
-static struct mbuf *
-ipsec_findaux(m)
- struct mbuf *m;
-{
- struct mbuf *n;
-
- n = m_aux_find(m, AF_INET, IPPROTO_ESP);
-#ifdef DIAGNOSTIC
- if (n && n->m_len < sizeof(struct socket *))
- panic("invalid ipsec m_aux");
-#endif
- return n;
-}
-
 void
 ipsec_delaux(m)
 struct mbuf *m;
 {
- struct mbuf *n;
-
- n = m_aux_find(m, AF_INET, IPPROTO_ESP);
- if (n)
- m_aux_delete(m, n);
-}
-
-/* if the aux buffer is unnecessary, nuke it. */
-static void
-ipsec_optaux(m, n)
- struct mbuf *m;
- struct mbuf *n;
-{
+ struct m_tag *tag;
 
- if (!n)
- return;
- if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
- ipsec_delaux(m);
-}
-
-int
-ipsec_setsocket(m, so)
- struct mbuf *m;
- struct socket *so;
-{
- struct mbuf *n;
-
- /* if so == NULL, don't insist on getting the aux mbuf */
- if (so) {
- n = ipsec_addaux(m);
- if (!n)
- return ENOBUFS;
- } else
- n = ipsec_findaux(m);
- if (n && n->m_len >= sizeof(struct socket *))
- *mtod(n, struct socket **) = so;
- ipsec_optaux(m, n);
- return 0;
-}
-
-struct socket *
-ipsec_getsocket(m)
- struct mbuf *m;
-{
- struct mbuf *n;
-
- n = ipsec_findaux(m);
- if (n && n->m_len >= sizeof(struct socket *))
- return *mtod(n, struct socket **);
- else
- return NULL;
+ while ((tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL)) != NULL)
+ m_tag_delete(m, tag);
 }
 
 int
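Review bot: ipsec_delaux keeps its pre-tag name and still carries no comment, although its body now removes every PACKET_TAG_IPSEC_HISTORY tag on m and no longer touches any socket data; a line above the definition such as `/* Delete all IPsec history tags attached to m. */` would stop the next reader from assuming it still clears an aux mbuf. Each loop iteration restarts m_tag_find from the head of the tag chain, which is correct but rescans any tags that precede the first history entry; for the handful of history records a packet carries that is fine, and only worth a comment if the chain is expected to grow. ipsec_setsocket and ipsec_getsocket are removed in this hunk; any declaration of them in the header, and the callers the new inpcb parameter replaces, are outside it.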
@@ -3550,19 +3470,18 @@ ipsec_addhist(m, proto, spi)
 int proto;
 u_int32_t spi;
 {
- struct mbuf *n;
+ struct m_tag *tag;
 struct ipsec_history *p;
 
- n = ipsec_addaux(m);
- if (!n)
+ tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY,
+ sizeof (struct ipsec_history), M_NOWAIT);
+ if (tag == NULL)
 return ENOBUFS;
- if (M_TRAILINGSPACE(n) < sizeof(*p))
- return ENOSPC; /* XXX */
- p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
- n->m_len += sizeof(*p);
+ p = (struct ipsec_history *)(tag+1);
 bzero(p, sizeof(*p));
 p->ih_proto = proto;
 p->ih_spi = spi;
+ m_tag_prepend(m, tag);
 return 0;
 }
 
@@ -3571,32 +3490,13 @@ ipsec_gethist(m, lenp)
 struct mbuf *m;
 int *lenp;
 {
- struct mbuf *n;
- int l;
+ struct m_tag *tag;
 
- n = ipsec_findaux(m);
- if (!n)
+ tag = m_tag_find(m, PACKET_TAG_IPSEC_HISTORY, NULL);
+ if (tag == NULL)
 return NULL;
- l = n->m_len;
- if (sizeof(struct socket *) > l)
- return NULL;
- if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
- return NULL;
- /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
+ /* XXX NB: noone uses this so fake it */
 if (lenp)
- *lenp = l - sizeof(struct socket *);
- return (struct ipsec_history *)
- (mtod(n, caddr_t) + sizeof(struct socket *));
-}
-
-void
-ipsec_clearhist(m)
- struct mbuf *m;
-{
- struct mbuf *n;
-
- n = ipsec_findaux(m);
- if ((n) && n->m_len > sizeof(struct socket *))
- n->m_len = sizeof(struct socket *);
- ipsec_optaux(m, n);
+ *lenp = sizeof (struct ipsec_history);
+ return ((struct ipsec_history *)(tag+1));
 }
|
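Review bot: The allocation size in ipsec_addhist is written `sizeof (struct ipsec_history)` while the same function uses `sizeof(*p)` in the bzero a few lines later; writing the m_tag_get call as `tag = m_tag_get(PACKET_TAG_IPSEC_HISTORY, sizeof(*p), M_NOWAIT);` ties the allocation to the type actually written through the tag and matches the file's style. On an M_NOWAIT failure the function returns ENOBUFS and the packet carries no history record, as the old aux path also did; whether the callers (outside this hunk) drop the packet or continue without the record determines whether a later policy check can distinguish an IPsec-processed packet from cleartext, so that contract deserves a sentence in the function's comment. Note also that m_tag_prepend puts the newest record at the head of the chain, so the ordering a reader of the history sees is reverse application order.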
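Review bot: ipsec_gethist now returns only one history record — the first one m_tag_find reaches, which with m_tag_prepend in ipsec_addhist is the most recently added — and fixes *lenp at a single record, whereas the old aux array exposed every record in application order; the `/* XXX NB: noone uses this so fake it */` comment should state that, e.g. `/* Returns only the newest history record; *lenp is always one record. */`, and if the third m_tag_find argument is a start-after cursor (presumably, as the NULL here suggests) the comment can point callers at it for walking older entries. The cast `(struct ipsec_history *)(tag+1)` relies on the tag payload being laid out directly after the m_tag header, the same assumption ipsec_addhist makes, so the two stay consistent as long as they are changed together. ipsec_clearhist is deleted in this hunk; any remaining callers or header declaration are outside it.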