authorume <ume@FreeBSD.org>2004-02-03 18:20:55 +0000
committerume <ume@FreeBSD.org>2004-02-03 18:20:55 +0000
commitde3407d02868da17b84be20a37bee2f9d4b5ad99 (patch)
treed4a15c08d97fd84eaa902735fd317261af259609 /sys/netinet
parent509193a62ff6f66dabb660a8509266c59d098ce9 (diff)
Pass the pcb rather than the socket (so). Per-socket policy is expected
to work again.
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_output.c10
-rw-r--r--sys/netinet/raw_ip.c2
-rw-r--r--sys/netinet/tcp_input.c4
-rw-r--r--sys/netinet/tcp_output.c7
-rw-r--r--sys/netinet/tcp_reass.c4
-rw-r--r--sys/netinet/udp_usrreq.c2
6 files changed, 8 insertions, 21 deletions
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 733df47..a872c00 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -144,7 +144,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
struct in_addr pkt_dst;
struct route iproute;
#ifdef IPSEC
- struct socket *so;
struct secpolicy *sp = NULL;
#endif
#ifdef FAST_IPSEC
@@ -195,11 +194,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
}
m = m0;
-#ifdef IPSEC
- so = ipsec_getsocket(m);
- (void)ipsec_setsocket(m, NULL);
-#endif /*IPSEC*/
-
M_ASSERTPKTHDR(m);
if (ro == NULL) {
@@ -481,11 +475,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro,
sendit:
#ifdef IPSEC
/* get SP for this packet */
- if (so == NULL)
+ if (inp == NULL)
sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
flags, &error);
else
- sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error);
+ sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error);
if (sp == NULL) {
ipsecstat.out_inval++;
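Review bot: The `inp == NULL` branch at `sendit:` now silently selects the address-based lookup, so a caller that owns a pcb but passes NULL loses its per-socket policy with no error, and nothing here documents that contract. `inp` is not declared in the visible lines and is presumably an ip_output() parameter; the function body continues outside the hunk. I would add a comment above the test, for example `/* inp == NULL: no owning pcb, fall back to the SPD lookup by address; callers with a pcb must pass it */`, and check every caller against it. The tcp_output.c hunk removes ipsec_setsocket() ahead of ip6_output(), whose trailing arguments lie outside that hunk, so it is worth confirming the pcb is handed over there as well.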
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index bd65e81..eff86d3 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -147,7 +147,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
#ifdef IPSEC
/* check AH/ESP integrity. */
- if (ipsec4_in_reject_so(n, last->inp_socket)) {
+ if (ipsec4_in_reject(n, last)) {
policyfail = 1;
ipsecstat.in_polvio++;
/* do not inject data to pcb */
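Review bot: The context comment `/* check AH/ESP integrity. */` above the changed call does not describe it well. Judging by the function name and the `in_polvio` counter, `ipsec4_in_reject(n, last)` decides whether the packet violates the inbound policy attached to the pcb rather than verifying an AH/ESP checksum. I would reword it to `/* drop if the packet violates the pcb's inbound IPsec policy */`. The same comment and call appear in udp_append() in udp_usrreq.c; both function bodies start and end outside their hunks.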
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index eef736c..2b7f99a 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -572,12 +572,12 @@ findpcb:
#ifdef IPSEC
if (isipv6) {
- if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) {
+ if (inp != NULL && ipsec6_in_reject(m, inp)) {
ipsec6stat.in_polvio++;
goto drop;
}
} else {
- if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) {
+ if (inp != NULL && ipsec4_in_reject(m, inp)) {
ipsecstat.in_polvio++;
goto drop;
}
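Review bot: The lines after `findpcb:` do not show which lock keeps `inp` and its policy state stable while `ipsec6_in_reject(m, inp)` and `ipsec4_in_reject(m, inp)` run, and the check now receives the pcb itself rather than `inp->inp_socket`. If the call is made before the per-pcb lock is taken, a short comment naming what protects it would help, for example `/* inp is kept stable by the pcbinfo lock here; policy is read from the pcb */`, to be confirmed against the surrounding code, which is outside the hunk. The tcp_reass.c section carries the same blob ids (`eef736c..2b7f99a`) and an identical hunk, so the same point applies there.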
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index c44fa96..f30d6c3 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -878,13 +878,6 @@ send:
ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL);
/* TODO: IPv6 IP6TOS_ECT bit on */
-#if defined(IPSEC) && !defined(FAST_IPSEC)
- if (ipsec_setsocket(m, so) != 0) {
- m_freem(m);
- error = ENOBUFS;
- goto out;
- }
-#endif /*IPSEC*/
error = ip6_output(m,
tp->t_inpcb->in6p_outputopts, NULL,
(so->so_options & SO_DONTROUTE), NULL, NULL,
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index eef736c..2b7f99a 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -572,12 +572,12 @@ findpcb:
#ifdef IPSEC
if (isipv6) {
- if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) {
+ if (inp != NULL && ipsec6_in_reject(m, inp)) {
ipsec6stat.in_polvio++;
goto drop;
}
} else {
- if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) {
+ if (inp != NULL && ipsec4_in_reject(m, inp)) {
ipsecstat.in_polvio++;
goto drop;
}
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 02a0e77..3852583 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -455,7 +455,7 @@ udp_append(last, ip, n, off)
#ifdef IPSEC
/* check AH/ESP integrity. */
- if (ipsec4_in_reject_so(n, last->inp_socket)) {
+ if (ipsec4_in_reject(n, last)) {
ipsecstat.in_polvio++;
m_freem(n);
return;