- cleanup SP refcnt issue.

- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all.  secpolicy no longer contain
  spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy.  assign ID field to
  all SPD entries.  make it possible for racoon to grab SPD entry on
  pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header.  a mode is always needed
  to compare them.
- fixed that the incorrect time was set to
  sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
  because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
  alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
  XXX in theory refcnt should do the right thing, however, we have
  "spdflush" which would touch all SPs.  another solution would be to
  de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion.  ipsec_*_policy ->
  ipsec_*_pcbpolicy.
- avoid variable name confusion.
  (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
  secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
  can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
  "src" of the spidx specifies ICMP type, and the port field in "dst"
  of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
  kernel forwards the packets.

Tested by:	nork
Obtained from:	KAME

5 files changed, 37 insertions, 9 deletions

diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index ec51ad4..e473f2f 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -79,7 +79,6 @@
 
 #include <netipsec/ipsec.h>
 #include <netipsec/key.h>
-#define	IPSEC
 #endif /* FAST_IPSEC */
 
 struct	in_addr zeroin_addr;
@@ -162,7 +161,7 @@ in_pcballoc(so, pcbinfo, td)
 	struct thread *td;
 {
 	register struct inpcb *inp;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 	int error;
 #endif
 	inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO);
@@ -171,8 +170,12 @@ in_pcballoc(so, pcbinfo, td)
 	inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
 	inp->inp_pcbinfo = pcbinfo;
 	inp->inp_socket = so;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
+#ifdef FAST_IPSEC
 	error = ipsec_init_policy(so, &inp->inp_sp);
+#else
+	error = ipsec_init_pcbpolicy(so, &inp->inp_sp);
+#endif
 	if (error != 0) {
 		uma_zfree(pcbinfo->ipi_zone, inp);
 		return error;
@@ -473,6 +476,10 @@ in_pcbconnect(inp, nam, td)
 	inp->inp_faddr.s_addr = faddr;
 	inp->inp_fport = fport;
 	in_pcbrehash(inp);
+#ifdef IPSEC
+	if (inp->inp_socket->so_type == SOCK_STREAM)
+		ipsec_pcbconn(inp->inp_sp);
+#endif
 	if (anonport)
 		inp->inp_flags |= INP_ANONPORT;
 	return (0);
@@ -655,6 +662,9 @@ in_pcbdisconnect(inp)
 	in_pcbrehash(inp);
 	if (inp->inp_socket->so_state & SS_NOFDREF)
 		in_pcbdetach(inp);
+#ifdef IPSEC
+	ipsec_pcbdisconn(inp->inp_sp);
+#endif
 }
 
 void
@@ -664,7 +674,7 @@ in_pcbdetach(inp)
 	struct socket *so = inp->inp_socket;
 	struct inpcbinfo *ipi = inp->inp_pcbinfo;
 
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 	ipsec4_delete_pcbpolicy(inp);
 #endif /*IPSEC*/
 	inp->inp_gencnt = ++ipi->ipi_gencnt;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 2518154..09f3f41 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -492,7 +492,7 @@ tooshort:
 	/*
 	 * Bypass packet filtering for packets from a tunnel (gif).
 	 */
-	if (ipsec_gethist(m, NULL))
+	if (ipsec_getnhist(m))
 		goto pass;
 #endif
 #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index aedab7f..0831784 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -144,6 +144,7 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
 	struct in_addr pkt_dst;
 #ifdef IPSEC
 	struct route iproute;
+	struct socket *so;
 	struct secpolicy *sp = NULL;
 #endif
 #ifdef FAST_IPSEC
@@ -195,6 +196,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
 	}
 	m = m0;
 
+#ifdef IPSEC
+	so = ipsec_getsocket(m);
+	(void)ipsec_setsocket(m, NULL);
+#endif /*IPSEC*/
+
 	M_ASSERTPKTHDR(m);
 #ifndef FAST_IPSEC
 	KASSERT(ro != NULL, ("ip_output: no route, proto %d",
@@ -488,10 +494,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
 sendit:
 #ifdef IPSEC
 	/* get SP for this packet */
-	if (inp == NULL)
-		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error);
+	if (so == NULL)
+		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
+		    flags, &error);
 	else
-		sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error);
+		sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
 
 	if (sp == NULL) {
 		ipsecstat.out_inval++;
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 1267aaf..b7ddc23 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -880,6 +880,13 @@ send:
 					       : NULL);
 
 		/* TODO: IPv6 IP6TOS_ECT bit on */
+#ifdef IPSEC
+		if (ipsec_setsocket(m, so) != 0) {
+			m_freem(m);
+			error = ENOBUFS;
+			goto out;
+		}
+#endif /*IPSEC*/
 		error = ip6_output(m,
 			    tp->t_inpcb->in6p_outputopts,
 			    &tp->t_inpcb->in6p_route,
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 902e711..c83e9b2 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -96,7 +96,6 @@
 #include <netipsec/ipsec6.h>
 #endif
 #include <netipsec/key.h>
-#define	IPSEC
 #endif /*FAST_IPSEC*/
 
 #include <machine/in_cksum.h>
@@ -621,6 +620,11 @@ syncache_socket(sc, lso, m)
 	}
 #ifdef IPSEC
 	/* copy old policy into new socket's */
+	if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
+		printf("syncache_expand: could not copy policy\n");
+#endif
+#ifdef FAST_IPSEC
+	/* copy old policy into new socket's */
 	if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
 		printf("syncache_expand: could not copy policy\n");
 #endif