author | gnn <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
---|---|---|
committer | gnn <gnn@FreeBSD.org> | 2007-07-01 11:41:27 +0000 |
commit | 0cd74db89b7c7ca5bface8b05ae8263c0a54217b (patch) | |
tree | 2bcfb09751e29be8d172ae9e835bab3e5c5699f2 /sys/netinet | |
parent | 384e40af76655727c82190f4d5dc6c857583206e (diff) | |
download | FreeBSD-src-0cd74db89b7c7ca5bface8b05ae8263c0a54217b.zip FreeBSD-src-0cd74db89b7c7ca5bface8b05ae8263c0a54217b.tar.gz |
Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes only the kernel files, the rest of the files
will follow in a second commit.
Reviewed by: bz
Approved by: re
Supported by: Secure Computing
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in_pcb.c | 29 | ||||
-rw-r--r-- | sys/netinet/in_pcb.h | 2 | ||||
-rw-r--r-- | sys/netinet/in_proto.c | 43 | ||||
-rw-r--r-- | sys/netinet/ip_fw2.c | 7 | ||||
-rw-r--r-- | sys/netinet/ip_icmp.c | 8 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 20 | ||||
-rw-r--r-- | sys/netinet/ip_ipsec.c | 196 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 29 | ||||
-rw-r--r-- | sys/netinet/raw_ip.c | 12 | ||||
-rw-r--r-- | sys/netinet/sctp_input.c | 4 | ||||
-rw-r--r-- | sys/netinet/sctp_os_bsd.h | 8 | ||||
-rw-r--r-- | sys/netinet/sctp_pcb.c | 10 | ||||
-rw-r--r-- | sys/netinet/sctp_usrreq.c | 9 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 16 | ||||
-rw-r--r-- | sys/netinet/tcp_output.c | 7 | ||||
-rw-r--r-- | sys/netinet/tcp_subr.c | 13 | ||||
-rw-r--r-- | sys/netinet/tcp_syncache.c | 12 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 12 |
18 files changed, 55 insertions, 382 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index e91ac55..edb7702 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -73,16 +73,8 @@ #include <netinet6/ip6_var.h> #endif /* INET6 */ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif /* IPSEC */ #ifdef FAST_IPSEC -#if defined(IPSEC) || defined(IPSEC_ESP) -#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!" -#endif - #include <netipsec/ipsec.h> #include <netipsec/key.h> #endif /* FAST_IPSEC */ @@ -200,15 +192,12 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo) mac_create_inpcb_from_socket(so, inp); SOCK_UNLOCK(so); #endif -#if defined(IPSEC) || defined(FAST_IPSEC) + #ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); -#else - error = ipsec_init_pcbpolicy(so, &inp->inp_sp); -#endif if (error != 0) goto out; -#endif /*IPSEC*/ +#endif /*FAST_IPSEC*/ #ifdef INET6 if (INP_SOCKAF(so) == AF_INET6) { inp->inp_vflag |= INP_IPV6PROTO; @@ -226,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo) INP_LOCK(inp); inp->inp_gencnt = ++pcbinfo->ipi_gencnt; -#if defined(IPSEC) || defined(FAST_IPSEC) || defined(MAC) +#if defined(FAST_IPSEC) || defined(MAC) out: if (error != 0) uma_zfree(pcbinfo->ipi_zone, inp); @@ -535,10 +524,7 @@ in_pcbconnect(struct inpcb *inp, struct sockaddr *nam, struct ucred *cred) inp->inp_faddr.s_addr = faddr; inp->inp_fport = fport; in_pcbrehash(inp); -#ifdef IPSEC - if (inp->inp_socket->so_type == SOCK_STREAM) - ipsec_pcbconn(inp->inp_sp); -#endif + if (anonport) inp->inp_flags |= INP_ANONPORT; return (0); @@ -698,9 +684,6 @@ in_pcbdisconnect(struct inpcb *inp) inp->inp_faddr.s_addr = INADDR_ANY; inp->inp_fport = 0; in_pcbrehash(inp); -#ifdef IPSEC - ipsec_pcbdisconn(inp->inp_sp); -#endif } /* 
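Review bot: Dropping the `#error` guard from the include block removes the only compile-time signal for a kernel still configured with the old `options IPSEC`; every policy hook left in this file (`ipsec_init_policy`, `ipsec4_delete_pcbpolicy`) is now compiled only under FAST_IPSEC, so such a build silently ships with no per-PCB IPsec policy instead of failing. If config(8) still accepts the old option at this point in the tree, keep a guard next to the remaining `#ifdef FAST_IPSEC` include: `#if defined(IPSEC) && !defined(FAST_IPSEC)` / `#error "KAME IPSEC has been removed from netinet; use options FAST_IPSEC"` / `#endif`. It can go once the option itself is deleted.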
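Review bot: In in_pcballoc() the `#if defined(IPSEC) || defined(FAST_IPSEC)` line is replaced by an empty line followed by `#ifdef FAST_IPSEC`, leaving a stray blank between the MAC block's `#endif` and the new conditional. Drop the blank so the two preprocessor blocks stay adjacent as before. in_pcballoc() starts before this hunk.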
@@ -728,9 +711,9 @@ in_pcbfree(struct inpcb *inp) INP_INFO_WLOCK_ASSERT(ipi); INP_LOCK_ASSERT(inp); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC ipsec4_delete_pcbpolicy(inp); -#endif /*IPSEC*/ +#endif /*FAST_IPSEC*/ inp->inp_gencnt = ++ipi->ipi_gencnt; in_pcbremlists(inp); if (inp->inp_options) diff --git a/sys/netinet/in_pcb.h b/sys/netinet/in_pcb.h index 1467b6a..0ae913f 100644 --- a/sys/netinet/in_pcb.h +++ b/sys/netinet/in_pcb.h @@ -125,7 +125,7 @@ struct inpcb { struct label *inp_label; /* MAC label */ int inp_flags; /* generic IP/datagram flags */ - struct inpcbpolicy *inp_sp; /* for IPSEC */ + struct inpcbpolicy *inp_sp; /* for IPSEC */ u_char inp_vflag; /* IP version flag (v4/v6) */ #define INP_IPV4 0x1 #define INP_IPV6 0x2 diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index dbf9690..21d7413 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -69,15 +69,6 @@ static struct pr_usrreqs nousrreqs; -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ah.h> -#ifdef IPSEC_ESP -#include <netinet6/esp.h> -#endif -#include <netinet6/ipcomp.h> -#endif /* IPSEC */ - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> #endif /* FAST_IPSEC */ @@ -219,34 +210,6 @@ struct protosw inetsw[] = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }, -#ifdef IPSEC -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_AH, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ah4_input, - .pr_usrreqs = &nousrreqs -}, -#ifdef IPSEC_ESP -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_ESP, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = esp4_input, - .pr_usrreqs = &nousrreqs -}, -#endif -{ - .pr_type = SOCK_RAW, - .pr_domain = &inetdomain, - .pr_protocol = IPPROTO_IPCOMP, - .pr_flags = PR_ATOMIC|PR_ADDR, - .pr_input = ipcomp4_input, - .pr_usrreqs = &nousrreqs -}, -#endif /* IPSEC */ #ifdef FAST_IPSEC { .pr_type = SOCK_RAW, 
@@ -412,11 +375,7 @@ SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH"); SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP"); SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP"); SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP"); -#else -#ifdef IPSEC -SYSCTL_NODE(_net_inet, IPPROTO_AH, ipsec, CTLFLAG_RW, 0, "IPSEC"); -#endif /* IPSEC */ -#endif /* !FAST_IPSEC */ +#endif /* FAST_IPSEC */ SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW"); #ifdef DEV_PFSYNC SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC"); diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c index 1ee1908..367d67c 100644 --- a/sys/netinet/ip_fw2.c +++ b/sys/netinet/ip_fw2.c @@ -93,10 +93,6 @@ #include <altq/if_altq.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif - #include <netinet/ip6.h> #include <netinet/icmp6.h> #ifdef INET6 @@ -3151,9 +3147,6 @@ check_body: match = (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL); #endif -#ifdef IPSEC - match = (ipsec_getnhist(m) != 0); -#endif /* otherwise no match */ break; diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c index 2ccd6bd..c1a2ae4 100644 --- a/sys/netinet/ip_icmp.c +++ b/sys/netinet/ip_icmp.c @@ -59,15 +59,9 @@ #include <netinet/tcpip.h> #include <netinet/icmp_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> #include <netipsec/key.h> -#define IPSEC #endif #include <machine/in_cksum.h> @@ -585,7 +579,7 @@ reflect: (struct sockaddr *)0, RTF_GATEWAY | RTF_HOST, (struct sockaddr *)&icmpgw); pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc); -#ifdef IPSEC +#ifdef FAST_IPSEC key_sa_routechange((struct sockaddr *)&icmpsrc); #endif break; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 640bce7..9a10230 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c 
@@ -70,9 +70,9 @@ #ifdef DEV_CARP #include <netinet/ip_carp.h> #endif -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC #include <netinet/ip_ipsec.h> -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ #include <sys/socketvar.h> @@ -391,13 +391,13 @@ tooshort: } else m_adj(m, ip->ip_len - m->m_pkthdr.len); } -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC /* * Bypass packet filtering for packets from a tunnel (gif). */ if (ip_ipsec_filtergif(m)) goto passin; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ /* * Run through list of hooks for input packets. @@ -601,10 +601,10 @@ passin: ipstat.ips_cantforward++; m_freem(m); } else { -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC if (ip_ipsec_fwd(m)) goto bad; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ ip_forward(m, dchg); } return; @@ -645,7 +645,7 @@ ours: */ ip->ip_len -= hlen; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer @@ -653,7 +653,7 @@ ours: */ if (ip_ipsec_input(m)) goto bad; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ /* * Switch out to protocol's input routine. @@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt) type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC mtu = ip_ipsec_mtu(m); -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ /* * If the MTU wasn't set before use the interface mtu or * fall back to the next smaller mtu step compared to the diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c index 296da69..f240b41 100644 --- a/sys/netinet/ip_ipsec.c +++ b/sys/netinet/ip_ipsec.c 
@@ -55,16 +55,6 @@ #include <machine/in_cksum.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#ifdef IPSEC_DEBUG -#include <netkey/key_debug.h> -#else -#define KEYDEBUG(lev,arg) -#endif -#endif /*IPSEC*/ - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> #include <netipsec/xform.h> @@ -81,13 +71,6 @@ extern struct protosw inetsw[]; int ip_ipsec_filtergif(struct mbuf *m) { -#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) - /* - * Bypass packet filtering for packets from a tunnel (gif). - */ - if (ipsec_getnhist(m)) - return 1; -#endif #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) /* * Bypass packet filtering for packets from a tunnel (gif). @@ -112,17 +95,7 @@ ip_ipsec_fwd(struct mbuf *m) struct tdb_ident *tdbi; struct secpolicy *sp; int s, error; -#endif /* FAST_IPSEC */ -#ifdef IPSEC - /* - * Enforce inbound IPsec SPD. - */ - if (ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; - return 1; - } -#endif /* IPSEC */ -#ifdef FAST_IPSEC + mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); s = splnet(); if (mtag != NULL) { @@ -169,20 +142,6 @@ ip_ipsec_input(struct mbuf *m) struct tdb_ident *tdbi; struct secpolicy *sp; int s, error; -#endif /* FAST_IPSEC */ -#ifdef IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && - ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; - return 1; - } -#endif -#ifdef FAST_IPSEC /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer 
@@ -243,17 +202,10 @@ ip_ipsec_mtu(struct mbuf *m) int ipsecerror; int ipsechdr; struct route *ro; -#ifdef IPSEC - sp = ipsec4_getpolicybyaddr(m, - IPSEC_DIR_OUTBOUND, - IP_FORWARDING, - &ipsecerror); -#else /* FAST_IPSEC */ sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror); -#endif if (sp != NULL) { /* count IPsec header size */ ipsechdr = ipsec4_hdrsiz(m, @@ -276,11 +228,7 @@ ip_ipsec_mtu(struct mbuf *m) mtu -= ipsechdr; } } -#ifdef IPSEC - key_freesp(sp); -#else /* FAST_IPSEC */ KEY_FREESP(&sp); -#endif } return mtu; } 
@@ -296,152 +244,12 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, struct route **ro, struct route *iproute, struct sockaddr_in **dst, struct in_ifaddr **ia, struct ifnet **ifp) { +#ifdef FAST_IPSEC struct secpolicy *sp = NULL; struct ip *ip = mtod(*m, struct ip *); -#ifdef IPSEC - struct ipsec_output_state state; -#endif -#ifdef FAST_IPSEC struct tdb_ident *tdbi; struct m_tag *mtag; int s; -#endif /* FAST_IPSEC */ -#ifdef IPSEC - /* get SP for this packet */ - if (inp == NULL) - sp = ipsec4_getpolicybyaddr(*m, IPSEC_DIR_OUTBOUND, - *flags, error); - else - sp = ipsec4_getpolicybypcb(*m, IPSEC_DIR_OUTBOUND, inp, error); - - if (sp == NULL) { - ipsecstat.out_inval++; - goto bad; - } - - /* check policy */ - switch (sp->policy) { - case IPSEC_POLICY_DISCARD: - /* - * This packet is just discarded. - */ - ipsecstat.out_polvio++; - goto bad; - - case IPSEC_POLICY_BYPASS: - case IPSEC_POLICY_NONE: - case IPSEC_POLICY_TCP: - /* no need to do IPsec. */ - goto done; - - case IPSEC_POLICY_IPSEC: - if (sp->req == NULL) { - /* acquire a policy */ - *error = key_spdacquire(sp); - goto bad; - } - break; - - case IPSEC_POLICY_ENTRUST: - default: - printf("%s: Invalid policy found. %d\n", __func__, sp->policy); - } - - bzero(&state, sizeof(state)); - state.m = *m; - if (*flags & IP_ROUTETOIF) { - state.ro = iproute; - bzero(iproute, sizeof(iproute)); - } else - state.ro = *ro; - state.dst = (struct sockaddr *)(*dst); - - ip->ip_sum = 0; - - /* - * XXX - * delayed checksums are not currently compatible with IPsec - */ - if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { - in_delayed_cksum(*m); - (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; - } - - ip->ip_len = htons(ip->ip_len); - ip->ip_off = htons(ip->ip_off); - - *error = ipsec4_output(&state, sp, *flags); - - *m = state.m; - if (*flags & IP_ROUTETOIF) { - /* - * if we have tunnel mode SA, we may need to ignore - * IP_ROUTETOIF. 
- */ - if (state.ro != iproute || state.ro->ro_rt != NULL) { - *flags &= ~IP_ROUTETOIF; - *ro = state.ro; - } - } else - *ro = state.ro; - *dst = (struct sockaddr_in *)state.dst; - if (*error != 0) { - /* mbuf is already reclaimed in ipsec4_output. */ - *m = NULL; - switch (*error) { - case EHOSTUNREACH: - case ENETUNREACH: - case EMSGSIZE: - case ENOBUFS: - case ENOMEM: - break; - default: - printf("ip4_output (ipsec): error code %d\n", *error); - /*fall through*/ - case ENOENT: - /* don't show these error codes to the user */ - *error = 0; - break; - } - goto bad; - } - - /* be sure to update variables that are affected by ipsec4_output() */ - if ((*ro)->ro_rt == NULL) { - if ((*flags & IP_ROUTETOIF) == 0) { - printf("ip_output: " - "can't update route after IPsec processing\n"); - *error = EHOSTUNREACH; /*XXX*/ - goto bad; - } - } else { - if (state.encap) { - *ia = ifatoia((*ro)->ro_rt->rt_ifa); - *ifp = (*ro)->ro_rt->rt_ifp; - } - } - ip = mtod(*m, struct ip *); - - /* make it flipped, again. */ - ip->ip_len = ntohs(ip->ip_len); - ip->ip_off = ntohs(ip->ip_off); - -done: - if (sp != NULL) { - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP ip_output call free SP:%p\n", sp)); - key_freesp(sp); - } - return 0; -bad: - if (sp != NULL) { - KEYDEBUG(KEYDEBUG_IPSEC_STAMP, - printf("DP ip_output call free SP:%p\n", sp)); - key_freesp(sp); - } - return 1; -#endif /*IPSEC*/ -#ifdef FAST_IPSEC /* * Check the security policy (SP) for the packet and, if * required, do IPsec-related processing. There are two diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 2b800dc..90a21ef 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c 
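Review bot: With `#ifdef FAST_IPSEC` now opening at the very top of ip_ipsec_output()'s body and no `#else`, a compile of this file without FAST_IPSEC leaves a non-void function with no return statement at all. If ip_ipsec.c is only ever built under FAST_IPSEC (e.g. via a conditional entry in conf/files) this is moot; otherwise either wrap the whole translation unit in `#ifdef FAST_IPSEC` or add `#else return 0;` so callers get the "no IPsec processing" result. The remainder of the function body lies outside this hunk.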
@@ -59,15 +59,10 @@ #include <netinet/ip_var.h> #include <netinet/ip_options.h> -#if defined(IPSEC) || defined(FAST_IPSEC) -#include <netinet/ip_ipsec.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif #ifdef FAST_IPSEC +#include <netinet/ip_ipsec.h> #include <netipsec/ipsec.h> -#endif -#endif /*IPSEC*/ +#endif /* FAST_IPSEC*/ #include <machine/in_cksum.h> @@ -417,7 +412,7 @@ again: } sendit: -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) { case 1: goto bad; @@ -430,7 +425,7 @@ sendit: /* Update variables that are affected by ipsec4_output(). */ ip = mtod(m, struct ip *); hlen = ip->ip_hl << 2; -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ /* Jump over all PFIL processing if hooks are not active. */ if (!PFIL_HOOKED(&inet_pfil_hook)) @@ -539,10 +534,6 @@ passout: ia->ia_ifa.if_opackets++; ia->ia_ifa.if_obytes += m->m_pkthdr.len; } -#ifdef IPSEC - /* clean ipsec history once it goes out of the node */ - ipsec_delaux(m); -#endif #ifdef MBUF_STRESS_TEST if (mbuf_frag_size && m->m_pkthdr.len > mbuf_frag_size) m = m_fragment(m, M_DONTWAIT, mbuf_frag_size); @@ -575,10 +566,6 @@ passout: for (; m; m = m0) { m0 = m->m_nextpkt; m->m_nextpkt = 0; -#ifdef IPSEC - /* clean ipsec history once it goes out of the node */ - ipsec_delaux(m); -#endif if (error == 0) { /* Record statistics for this interface address. */ if (ia != NULL) { @@ -979,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) INP_UNLOCK(inp); break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC case IP_IPSEC_POLICY: { caddr_t req; @@ -1013,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) m_freem(m); break; } -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */ default: error = ENOPROTOOPT; 
@@ -1117,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) error = inp_getmoptions(inp, sopt); break; -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC case IP_IPSEC_POLICY: { struct mbuf *m = NULL; @@ -1135,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt) m_freem(m); break; } -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */ default: error = ENOPROTOOPT; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index 5329c6c..cd0f64a 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -70,10 +70,6 @@ #include <netipsec/ipsec.h> #endif /*FAST_IPSEC*/ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif /*IPSEC*/ - #include <security/mac/mac_framework.h> struct inpcbhead ripcb; @@ -159,16 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) INP_LOCK_ASSERT(last); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, last)) { policyfail = 1; -#ifdef IPSEC - ipsecstat.in_polvio++; -#endif /*IPSEC*/ - /* do not inject data to pcb */ } -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */ #ifdef MAC if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1; diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c index ad2f136..a66369b 100644 --- a/sys/netinet/sctp_input.c +++ b/sys/netinet/sctp_input.c @@ -4878,14 +4878,14 @@ sctp_skip_csum_4: } else if (stcb == NULL) { refcount_up = 1; } -#ifdef IPSEC +#ifdef FAST_IPSEC /* * I very much doubt any of the IPSEC stuff will work but I have no * idea, so I will leave it in place. */ if (inp && ipsec4_in_reject(m, &inp->ip_inp.inp)) { - ipsecstat.in_polvio++; + ipsec4stat.in_polvio++; SCTP_STAT_INCR(sctps_hdrops); goto bad; } diff --git a/sys/netinet/sctp_os_bsd.h b/sys/netinet/sctp_os_bsd.h index a159e98..d3d6064 100644 --- a/sys/netinet/sctp_os_bsd.h +++ b/sys/netinet/sctp_os_bsd.h 
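Review bot: raw_append() now records nothing when `ipsec4_in_reject()` rejects a packet, while the parallel rewrite of udp_append() (and tcp_input/sctp_input) adds `ipsec4stat.in_polvio++` at the same spot; one of the two choices is wrong, and raw sockets are the path most likely to be probed. The old code bumped the counter only under the KAME `IPSEC` build, which suggests the netipsec `ipsec4_in_reject()` may already account for the violation itself — confirm in netipsec/ipsec.c, then either add `ipsec4stat.in_polvio++;` here or drop it in the other callers so `netstat -s` stays meaningful for policy violations. raw_append() starts before this hunk.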
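Review bot: This policy check in sctp_input() becomes live for the first time in a FAST_IPSEC kernel, yet the comment above it still says `I very much doubt any of the IPSEC stuff will work`, which is not an acceptable state for an enforcement point that decides whether a packet is dropped. Either exercise the path and replace the comment with what it does, e.g. `/* Enforce the inbound IPsec SPD for the matched endpoint; drop on policy violation. */`, or leave it compiled out until it has been tested. The `ipsec4stat.in_polvio++` bump here should also follow whatever convention the other callers settle on (udp_append adds it, raw_append drops it). sctp_input() starts before this hunk.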
@@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$"); #include <netinet/icmp_var.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> +#ifdef FAST_IPSEC +#include <netipsec/ipsec.h> +#include <netipsec/key.h> #endif /* IPSEC */ #ifdef INET6 #include <sys/domain.h> -#ifdef IPSEC +#ifdef FAST_IPSEC #include <netinet6/ipsec6.h> #endif #include <netinet/ip6.h> diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c index 6ec0f30..91d509c 100644 --- a/sys/netinet/sctp_pcb.c +++ b/sys/netinet/sctp_pcb.c @@ -1807,11 +1807,11 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT; inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT; -#ifdef IPSEC +#ifdef FAST_IPSEC { struct inpcbpolicy *pcb_sp = NULL; - error = ipsec_init_pcbpolicy(so, &pcb_sp); + error = ipsec_init_policy(so, &pcb_sp); /* Arrange to share the policy */ inp->ip_inp.inp.inp_sp = pcb_sp; ((struct in6pcb *)(&inp->ip_inp.inp))->in6p_sp = pcb_sp; @@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id) SCTP_INP_INFO_WUNLOCK(); return error; } -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ SCTP_INCR_EP_COUNT(); inp->ip_inp.inp.inp_ip_ttl = ip_defttl; SCTP_INP_INFO_WUNLOCK(); @@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from) */ cnt = 0; if (so) { -#ifdef IPSEC +#ifdef FAST_IPSEC ipsec4_delete_pcbpolicy(ip_pcb); -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ /* Unlocks not needed since the socket is gone now */ } diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c index 39a459e..446036b 100644 --- a/sys/netinet/sctp_usrreq.c +++ b/sys/netinet/sctp_usrreq.c @@ -485,9 +485,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p) int error; uint32_t vrf_id = SCTP_DEFAULT_VRFID; -#ifdef IPSEC +#ifdef FAST_IPSEC uint32_t flags; - #endif inp = (struct sctp_inpcb *)so->so_pcb; if (inp != 0) { 
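Review bot: Under the new `#ifdef FAST_IPSEC` the INET6 branch still includes the KAME header `<netinet6/ipsec6.h>`, whereas tcp_input.c and tcp_subr.c in this same commit include `<netipsec/ipsec6.h>` for FAST_IPSEC; this should be `#include <netipsec/ipsec6.h>`. The first conditional's closing comment was also left as `#endif /* IPSEC */` and should read `#endif /* FAST_IPSEC */` to match the guard it closes. If the KAME header is gone from the tree this is a build break for SCTP+INET6+FAST_IPSEC; if it is still present it pulls the wrong prototypes into a FAST_IPSEC build.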
@@ -509,8 +508,8 @@ sctp_attach(struct socket *so, int proto, struct thread *p) ip_inp->inp_vflag |= INP_IPV4; ip_inp->inp_ip_ttl = ip_defttl; -#ifdef IPSEC - error = ipsec_init_pcbpolicy(so, &ip_inp->inp_sp); +#ifdef FAST_IPSEC + error = ipsec_init_policy(so, &ip_inp->inp_sp); #ifdef SCTP_LOG_CLOSING sctp_log_closing(inp, NULL, 17); #endif @@ -529,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p) } return error; } -#endif /* IPSEC */ +#endif /* FAST_IPSEC */ SCTP_INP_WUNLOCK(inp); return 0; } diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index 82e36db..9d31c79 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -87,12 +87,6 @@ #include <netipsec/ipsec6.h> #endif /*FAST_IPSEC*/ -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netinet6/ipsec6.h> -#include <netkey/key.h> -#endif /*IPSEC*/ - #include <machine/in_cksum.h> #include <security/mac/mac_framework.h> @@ -451,22 +445,18 @@ findpcb: m->m_pkthdr.rcvif); } -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC #ifdef INET6 if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) { -#ifdef IPSEC ipsec6stat.in_polvio++; -#endif goto dropunlock; } else #endif /* INET6 */ if (inp != NULL && ipsec4_in_reject(m, inp)) { -#ifdef IPSEC - ipsecstat.in_polvio++; -#endif + ipsec4stat.in_polvio++; goto dropunlock; } -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */ /* * If the INPCB does not exist then all data in the incoming diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index da30813..d80254a 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -72,13 +72,8 @@ #include <netinet/tcp_debug.h> #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif /*IPSEC*/ - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> -#define IPSEC #endif /*FAST_IPSEC*/ #include <machine/in_cksum.h> 
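Review bot: The `ipsec6stat.in_polvio++` and the new `ipsec4stat.in_polvio++` bumps after the reject checks are now compiled in for FAST_IPSEC, whereas the previous code counted only in the KAME build and deliberately left the counters alone under FAST_IPSEC; if netipsec's `ipsec4_in_reject()`/`ipsec6_in_reject()` already increment `in_polvio` on rejection, as that guard placement suggests, every violation is now counted twice. Verify against netipsec/ipsec.c before settling on a convention, and make raw_append() (which drops the bump) agree with it. The findpcb label and the rest of tcp_input() lie outside this hunk.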
@@ -700,7 +695,7 @@ send: offsetof(struct ipoption, ipopt_list); else ipoptlen = 0; -#ifdef IPSEC +#ifdef FAST_IPSEC ipoptlen += ipsec_hdrsiz_tcp(tp); #endif diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c index 64c5364..589714f 100644 --- a/sys/netinet/tcp_subr.c +++ b/sys/netinet/tcp_subr.c @@ -91,14 +91,6 @@ #endif #include <netinet6/ip6protosw.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#include <netkey/key.h> -#endif /*IPSEC*/ - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> #include <netipsec/xform.h> @@ -106,7 +98,6 @@ #include <netipsec/ipsec6.h> #endif #include <netipsec/key.h> -#define IPSEC #endif /*FAST_IPSEC*/ #include <machine/in_cksum.h> @@ -1643,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags) } #endif /* INET6 */ -#ifdef IPSEC +#ifdef FAST_IPSEC /* compute ESP/AH header size for TCP, including outer IP header. */ size_t ipsec_hdrsiz_tcp(struct tcpcb *tp) @@ -1684,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp) m_free(m); return (hdrsiz); } -#endif /*IPSEC*/ +#endif /* FAST_IPSEC */ /* * TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 9d1d12d..9e03f32 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -80,13 +80,6 @@ #include <netinet6/tcp6_var.h> #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#ifdef INET6 -#include <netinet6/ipsec6.h> -#endif -#endif /*IPSEC*/ - #ifdef FAST_IPSEC #include <netipsec/ipsec.h> #ifdef INET6 @@ -628,11 +621,6 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m) inp->inp_lport = 0; goto abort; } -#ifdef IPSEC - /* Copy old policy into new socket's. */ - if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) - printf("syncache_socket: could not copy policy\n"); -#endif #ifdef FAST_IPSEC /* Copy old policy into new socket's. */ if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) 
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 04a4434..ae03b54 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -82,10 +82,6 @@ #include <netipsec/ipsec.h> #endif -#ifdef IPSEC -#include <netinet6/ipsec.h> -#endif - #include <machine/in_cksum.h> #include <security/mac/mac_framework.h> @@ -499,16 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off, INP_LOCK_ASSERT(inp); -#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { -#ifdef IPSEC - ipsecstat.in_polvio++; -#endif + ipsec4stat.in_polvio++; m_freem(n); return; } -#endif /*IPSEC || FAST_IPSEC*/ +#endif /* FAST_IPSEC */ #ifdef MAC if (mac_check_inpcb_deliver(inp, n) != 0) { m_freem(n); |
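Review bot: The added `ipsec4stat.in_polvio++` in udp_append() replaces a bump that was previously compiled only for the KAME `IPSEC` build; if the netipsec `ipsec4_in_reject()` already counts the violation this double-counts, and it is in any case inconsistent with raw_append() in the same commit, which drops the bump entirely. Pick one convention after checking netipsec/ipsec.c; the drop itself (`m_freem(n); return;`) is correct. udp_append() starts before this hunk.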