Add a TCP TIMEWAIT state which uses less space than a fullblown TCP

control block.  Allow the socket and tcpcb structures to be freed
earlier than inpcb.  Update code to understand an inp w/o a socket.

Reviewed by: hsu, silby, jayanth
Sponsored by: DARPA, NAI Labs

1 files changed, 66 insertions, 59 deletions

diff --git a/sys/netinet6/ipsec.c b/sys/netinet6/ipsec.c
index f898c0a..500f80b 100644
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@@ -235,10 +235,10 @@ static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
  * NOTE: IPv6 mapped adddress concern is implemented here.
  */
 struct secpolicy *
-ipsec4_getpolicybysock(m, dir, so, error)
+ipsec4_getpolicybypcb(m, dir, inp, error)
 	struct mbuf *m;
 	u_int dir;
-	struct socket *so;
+	struct inpcb *inp;
 	int *error;
 {
 	struct inpcbpolicy *pcbsp = NULL;
@@ -246,35 +246,19 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 
 	/* sanity check */
-	if (m == NULL || so == NULL || error == NULL)
+	if (m == NULL || inp == NULL || error == NULL)
 		panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
 
-	switch (so->so_proto->pr_domain->dom_family) {
-	case AF_INET:
-		/* set spidx in pcb */
-		*error = ipsec4_setspidx_inpcb(m, sotoinpcb(so));
-		break;
+	/* set spidx in pcb */
 #ifdef INET6
-	case AF_INET6:
-		/* set spidx in pcb */
-		*error = ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
-		break;
+	if (inp->inp_vflag & INP_IPV6PROTO)
+		*error = ipsec6_setspidx_in6pcb(m, inp);
+	else
 #endif
-	default:
-		panic("ipsec4_getpolicybysock: unsupported address family\n");
-	}
+		*error = ipsec4_setspidx_inpcb(m, inp);
 	if (*error)
 		return NULL;
-	switch (so->so_proto->pr_domain->dom_family) {
-	case AF_INET:
-		pcbsp = sotoinpcb(so)->inp_sp;
-		break;
-#ifdef INET6
-	case AF_INET6:
-		pcbsp = sotoin6pcb(so)->in6p_sp;
-		break;
-#endif
-	}
+	pcbsp = inp->inp_sp;
 
 	/* sanity check */
 	if (pcbsp == NULL)
@@ -390,6 +374,19 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	/* NOTREACHED */
 }
 
+struct secpolicy *
+ipsec4_getpolicybysock(m, dir, so, error)
+	struct mbuf *m;
+	u_int dir;
+	struct socket *so;
+	int *error;
+{
+
+	if (so == NULL)
+		panic("ipsec4_getpolicybysock: NULL pointer was passed.\n");
+	return (ipsec4_getpolicybypcb(m, dir, sotoinpcb(so), error));
+}
+
 /*
  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  * and return a pointer to SP.
@@ -462,10 +459,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
  *	others:	a pointer to SP
  */
 struct secpolicy *
-ipsec6_getpolicybysock(m, dir, so, error)
+ipsec6_getpolicybypcb(m, dir, inp, error)
 	struct mbuf *m;
 	u_int dir;
-	struct socket *so;
+	struct inpcb *inp;
 	int *error;
 {
 	struct inpcbpolicy *pcbsp = NULL;
@@ -473,18 +470,17 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 
 	/* sanity check */
-	if (m == NULL || so == NULL || error == NULL)
+	if (m == NULL || inp == NULL || error == NULL)
 		panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
 
 #ifdef DIAGNOSTIC
-	if (so->so_proto->pr_domain->dom_family != AF_INET6)
+	if ((inp->inp_vflag & INP_IPV6PROTO) == 0)
 		panic("ipsec6_getpolicybysock: socket domain != inet6\n");
 #endif
 
 	/* set spidx in pcb */
-	ipsec6_setspidx_in6pcb(m, sotoin6pcb(so));
-
-	pcbsp = sotoin6pcb(so)->in6p_sp;
+	ipsec6_setspidx_in6pcb(m, inp);
+	pcbsp = inp->in6p_sp;
 
 	/* sanity check */
 	if (pcbsp == NULL)
@@ -601,6 +597,19 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	/* NOTREACHED */
 }
 
+struct secpolicy *
+ipsec6_getpolicybysock(m, dir, so, error)
+	struct mbuf *m;
+	u_int dir;
+	struct socket *so;
+	int *error;
+{
+
+	if (so == NULL)
+		panic("ipsec6_getpolicybysock: NULL pointer was passed.\n");
+	return (ipsec6_getpolicybypcb(m, dir, sotoin6pcb(so), error));
+}
+
 /*
  * For FORWADING packet or OUTBOUND without a socket. Searching SPD for packet,
  * and return a pointer to SP.
@@ -1690,9 +1699,9 @@ ipsec_in_reject(sp, m)
  * and {ah,esp}4_input for tunnel mode
  */
 int
-ipsec4_in_reject_so(m, so)
+ipsec4_in_reject(m, inp)
 	struct mbuf *m;
-	struct socket *so;
+	struct inpcb *inp;
 {
 	struct secpolicy *sp = NULL;
 	int error;
@@ -1706,10 +1715,10 @@ ipsec4_in_reject_so(m, so)
 	 * When we are called from ip_forward(), we call
 	 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 	 */
-	if (so == NULL)
+	if (inp == NULL)
 		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 	else
-		sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
+		sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_INBOUND, inp, &error);
 
 	if (sp == NULL)
 		return 0;	/* XXX should be panic ?
@@ -1724,18 +1733,16 @@ ipsec4_in_reject_so(m, so)
 }
 
 int
-ipsec4_in_reject(m, inp)
+ipsec4_in_reject_so(m, so)
 	struct mbuf *m;
-	struct inpcb *inp;
+	struct socket *so;
 {
-	if (inp == NULL)
-		return ipsec4_in_reject_so(m, NULL);
-	if (inp->inp_socket)
-		return ipsec4_in_reject_so(m, inp->inp_socket);
-	else
-		panic("ipsec4_in_reject: invalid inpcb/socket");
+	if (so == NULL)
+		return ipsec4_in_reject(m, NULL);
+	return ipsec4_in_reject(m, sotoinpcb(so));
 }
 
+
 #ifdef INET6
 /*
  * Check AH/ESP integrity.
@@ -1743,9 +1750,9 @@ ipsec4_in_reject(m, inp)
  * and {ah,esp}6_input for tunnel mode
  */
 int
-ipsec6_in_reject_so(m, so)
+ipsec6_in_reject(m, in6p)
 	struct mbuf *m;
-	struct socket *so;
+	struct in6pcb *in6p;
 {
 	struct secpolicy *sp = NULL;
 	int error;
@@ -1759,33 +1766,30 @@ ipsec6_in_reject_so(m, so)
 	 * When we are called from ip_forward(), we call
 	 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
 	 */
-	if (so == NULL)
+	if (in6p == NULL)
 		sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
 	else
-		sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);
+		sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_INBOUND, in6p, &error);
 
 	if (sp == NULL)
 		return 0;	/* XXX should be panic ? */
 
 	result = ipsec_in_reject(sp, m);
 	KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
-		printf("DP ipsec6_in_reject_so call free SP:%p\n", sp));
+		printf("DP ipsec6_in_reject call free SP:%p\n", sp));
 	key_freesp(sp);
 
 	return result;
 }
 
 int
-ipsec6_in_reject(m, in6p)
+ipsec6_in_reject_so(m, so)
 	struct mbuf *m;
-	struct in6pcb *in6p;
+	struct socket *so;
 {
-	if (in6p == NULL)
-		return ipsec6_in_reject_so(m, NULL);
-	if (in6p->in6p_socket)
-		return ipsec6_in_reject_so(m, in6p->in6p_socket);
-	else
-		panic("ipsec6_in_reject: invalid in6p/socket");
+	if (so == NULL)
+		return ipsec6_in_reject(m, NULL);
+	return ipsec6_in_reject(m, sotoin6pcb(so));
 }
 #endif
 
@@ -1889,7 +1893,7 @@ ipsec4_hdrsiz(m, dir, inp)
 	if (inp == NULL)
 		sp = ipsec4_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 	else
-		sp = ipsec4_getpolicybysock(m, dir, inp->inp_socket, &error);
+		sp = ipsec4_getpolicybypcb(m, dir, inp, &error);
 
 	if (sp == NULL)
 		return 0;	/* XXX should be panic ? */
@@ -1921,15 +1925,18 @@ ipsec6_hdrsiz(m, dir, in6p)
 	/* sanity check */
 	if (m == NULL)
 		return 0;	/* XXX shoud be panic ? */
+#if 0
+	/* this is possible in TIME_WAIT state */
 	if (in6p != NULL && in6p->in6p_socket == NULL)
 		panic("ipsec6_hdrsize: why is socket NULL but there is PCB.");
+#endif
 
 	/* get SP for this packet */
 	/* XXX Is it right to call with IP_FORWARDING. */
 	if (in6p == NULL)
 		sp = ipsec6_getpolicybyaddr(m, dir, IP_FORWARDING, &error);
 	else
-		sp = ipsec6_getpolicybysock(m, dir, in6p->in6p_socket, &error);
+		sp = ipsec6_getpolicybypcb(m, dir, in6p, &error);
 
 	if (sp == NULL)
 		return 0;