authorsam <sam@FreeBSD.org>2002-10-16 01:54:46 +0000
committersam <sam@FreeBSD.org>2002-10-16 01:54:46 +0000
commit2a86be217a6aed33eda6628df2b175e49172cd9f (patch)
treeb26e1e9f49b40642051748bcd3961cc2a2b5ff1d /sys/netinet
parent733bfbdd78ddb9efc129532b2c2239d0bacfaf1a (diff)
Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct inpcb parameter to ip_output and ip6_output to allow the IPsec code to locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by: julian, luigi (silent), -arch, -net, darren
Approved by: julian, silence from everyone else
Obtained from: openbsd (mostly)
MFC after: 1 month
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/igmp.c2
-rw-r--r--sys/netinet/in_gif.c2
-rw-r--r--sys/netinet/ip_divert.c2
-rw-r--r--sys/netinet/ip_dummynet.c2
-rw-r--r--sys/netinet/ip_encap.c36
-rw-r--r--sys/netinet/ip_fw2.c2
-rw-r--r--sys/netinet/ip_icmp.c2
-rw-r--r--sys/netinet/ip_input.c14
-rw-r--r--sys/netinet/ip_mroute.c4
-rw-r--r--sys/netinet/ip_output.c16
-rw-r--r--sys/netinet/ip_var.h3
-rw-r--r--sys/netinet/raw_ip.c9
-rw-r--r--sys/netinet/tcp_input.c2
-rw-r--r--sys/netinet/tcp_output.c15
-rw-r--r--sys/netinet/tcp_reass.c2
-rw-r--r--sys/netinet/tcp_subr.c11
-rw-r--r--sys/netinet/tcp_syncache.c14
-rw-r--r--sys/netinet/tcp_timewait.c11
-rw-r--r--sys/netinet/udp_usrreq.c8
19 files changed, 51 insertions, 106 deletions
diff --git a/sys/netinet/igmp.c b/sys/netinet/igmp.c
index 2cf1e7c..929d456 100644
--- a/sys/netinet/igmp.c
+++ b/sys/netinet/igmp.c
@@ -487,7 +487,7 @@ igmp_sendpkt(inm, type, addr)
* XXX
* Do we have to worry about reentrancy here? Don't think so.
*/
- ip_output(m, router_alert, &igmprt, 0, &imo);
+ ip_output(m, router_alert, &igmprt, 0, &imo, NULL);
++igmpstat.igps_snd_reports;
}
diff --git a/sys/netinet/in_gif.c b/sys/netinet/in_gif.c
index b7a1cec..ffd877b 100644
--- a/sys/netinet/in_gif.c
+++ b/sys/netinet/in_gif.c
@@ -197,7 +197,7 @@ in_gif_output(ifp, family, m, rt)
#endif
}
- error = ip_output(m, NULL, &sc->gif_ro, 0, NULL);
+ error = ip_output(m, NULL, &sc->gif_ro, 0, NULL, NULL);
return(error);
}
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index ff246f9..c79ddfa 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -315,7 +315,7 @@ div_output(struct socket *so, struct mbuf *m,
inp->inp_options, &inp->inp_route,
(so->so_options & SO_DONTROUTE) |
IP_ALLOWBROADCAST | IP_RAWOUTPUT,
- inp->inp_moptions);
+ inp->inp_moptions, NULL);
} else {
if (m->m_pkthdr.rcvif == NULL) {
/*
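Review bot: The divert send path passes `NULL` for the new `inp` argument although `inp` is in scope at this call, where it already supplies `inp->inp_options` and `inp->inp_moptions`. With `NULL`, an IPSEC build of ip_output starts with `so == NULL`, so a security policy attached to the divert socket would presumably not be consulted for these packets. If that is intended for re-injected packets, record it with a comment such as `/* no per-socket IPsec policy for diverted packets */` above the call; otherwise pass `inp`. div_output starts and ends outside this hunk.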
diff --git a/sys/netinet/ip_dummynet.c b/sys/netinet/ip_dummynet.c
index 3c2ee99..0d3baa6 100644
--- a/sys/netinet/ip_dummynet.c
+++ b/sys/netinet/ip_dummynet.c
@@ -422,7 +422,7 @@ transmit_event(struct dn_pipe *pipe)
*/
switch (pkt->dn_dir) {
case DN_TO_IP_OUT:
- (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL);
+ (void)ip_output((struct mbuf *)pkt, NULL, NULL, 0, NULL, NULL);
rt_unref (pkt->ro.ro_rt) ;
break ;
diff --git a/sys/netinet/ip_encap.c b/sys/netinet/ip_encap.c
index e12f50a..a547c66 100644
--- a/sys/netinet/ip_encap.c
+++ b/sys/netinet/ip_encap.c
@@ -485,38 +485,26 @@ encap_fillarg(m, ep)
struct mbuf *m;
const struct encaptab *ep;
{
-#if 0
- m->m_pkthdr.aux = ep->arg;
-#else
- struct mbuf *n;
+ struct m_tag *tag;
- n = m_aux_add(m, AF_INET, IPPROTO_IPV4);
- if (n) {
- *mtod(n, void **) = ep->arg;
- n->m_len = sizeof(void *);
+ tag = m_tag_get(PACKET_TAG_ENCAP, sizeof (void*), M_NOWAIT);
+ if (tag) {
+ *(void**)(tag+1) = ep->arg;
+ m_tag_prepend(m, tag);
}
-#endif
}
void *
encap_getarg(m)
struct mbuf *m;
{
- void *p;
-#if 0
- p = m->m_pkthdr.aux;
- m->m_pkthdr.aux = NULL;
- return p;
-#else
- struct mbuf *n;
-
- p = NULL;
- n = m_aux_find(m, AF_INET, IPPROTO_IPV4);
- if (n) {
- if (n->m_len == sizeof(void *))
- p = *mtod(n, void **);
- m_aux_delete(m, n);
+ void *p = NULL;
+ struct m_tag *tag;
+
+ tag = m_tag_find(m, PACKET_TAG_ENCAP, NULL);
+ if (tag) {
+ p = *(void**)(tag+1);
+ m_tag_delete(m, tag);
}
return p;
-#endif
}
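Review bot: encap_getarg now reads `*(void**)(tag+1)` without checking the size of the tag payload, whereas the code it replaces only dereferenced after `n->m_len == sizeof(void *)`. Any PACKET_TAG_ENCAP tag attached with a shorter payload would be read past its end, so the guard is worth keeping: `if (tag->m_tag_len == sizeof(void *)) p = *(void **)(tag + 1);`. Separately, encap_fillarg still returns void, so an `M_NOWAIT` allocation failure is invisible to the caller and only shows up later as a NULL from encap_getarg. A comment on both functions should state that consumers must treat NULL as "argument lost", not as "no argument configured".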
diff --git a/sys/netinet/ip_fw2.c b/sys/netinet/ip_fw2.c
index ffbe9eb..3714d53 100644
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@@ -1124,7 +1124,7 @@ send_pkt(struct ipfw_flow_id *id, u_int32_t seq, u_int32_t ack, int flags)
bzero (&sro, sizeof (sro));
ip_rtaddr(ip->ip_dst, &sro);
m->m_flags |= M_SKIP_FIREWALL;
- ip_output(m, NULL, &sro, 0, NULL);
+ ip_output(m, NULL, &sro, 0, NULL, NULL);
if (sro.ro_rt)
RTFREE(sro.ro_rt);
}
diff --git a/sys/netinet/ip_icmp.c b/sys/netinet/ip_icmp.c
index af00849..5dd82ef 100644
--- a/sys/netinet/ip_icmp.c
+++ b/sys/netinet/ip_icmp.c
@@ -751,7 +751,7 @@ icmp_send(m, opts, rt)
buf, inet_ntoa(ip->ip_src));
}
#endif
- (void) ip_output(m, opts, rt, 0, NULL);
+ (void) ip_output(m, opts, rt, 0, NULL, NULL);
}
n_time
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 119021c..1feee4a 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -299,10 +299,10 @@ ip_input(struct mbuf *m)
/* Grab info from MT_TAG mbufs prepended to the chain. */
for (; m && m->m_type == MT_TAG; m = m->m_next) {
- switch(m->m_tag_id) {
+ switch(m->_m_tag_id) {
default:
printf("ip_input: unrecognised MT_TAG tag %d\n",
- m->m_tag_id);
+ m->_m_tag_id);
break;
case PACKET_TAG_DUMMYNET:
@@ -1750,7 +1750,7 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
m = (struct mbuf *)&tag;
}
error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
- IP_FORWARDING, 0);
+ IP_FORWARDING, 0, NULL);
}
if (error)
ipstat.ips_cantforward++;
@@ -1788,10 +1788,7 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
case EMSGSIZE:
type = ICMP_UNREACH;
code = ICMP_UNREACH_NEEDFRAG;
-#ifndef IPSEC
- if (ipforward_rt.ro_rt)
- destifp = ipforward_rt.ro_rt->rt_ifp;
-#else
+#ifdef IPSEC
/*
* If the packet is routed over IPsec tunnel, tell the
* originator the tunnel MTU.
@@ -1842,6 +1839,9 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
key_freesp(sp);
}
}
+#else
+ if (ipforward_rt.ro_rt)
+ destifp = ipforward_rt.ro_rt->rt_ifp;
#endif /*IPSEC*/
ipstat.ips_cantfrag++;
break;
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
index b0f2eab..72772d3 100644
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -1876,7 +1876,7 @@ tbf_send_packet(vifp, m)
if (vifp->v_flags & VIFF_TUNNEL) {
/* If tunnel options */
ip_output(m, (struct mbuf *)0, &vifp->v_route,
- IP_FORWARDING, (struct ip_moptions *)0);
+ IP_FORWARDING, (struct ip_moptions *)0, NULL);
} else {
imo.imo_multicast_ifp = vifp->v_ifp;
imo.imo_multicast_ttl = mtod(m, struct ip *)->ip_ttl - 1;
@@ -1890,7 +1890,7 @@ tbf_send_packet(vifp, m)
* the loopback interface, thus preventing looping.
*/
error = ip_output(m, (struct mbuf *)0, &ro,
- IP_FORWARDING, &imo);
+ IP_FORWARDING, &imo, NULL);
if (mrtdebug & DEBUG_XMIT)
log(LOG_DEBUG, "phyint_send on vif %d err %d\n",
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 2c765eb..e78ef26 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -112,12 +112,13 @@ extern struct protosw inetsw[];
* The mbuf opt, if present, will not be freed.
*/
int
-ip_output(m0, opt, ro, flags, imo)
+ip_output(m0, opt, ro, flags, imo, inp)
struct mbuf *m0;
struct mbuf *opt;
struct route *ro;
int flags;
struct ip_moptions *imo;
+ struct inpcb *inp;
{
struct ip *ip, *mhip;
struct ifnet *ifp = NULL; /* keep compiler happy */
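Review bot: The header comment above ip_output is not extended for the new `inp` parameter; the one line of it visible here still describes only `opt`. Callers in this commit pass either a PCB or `NULL` (forwarding, ICMP, IGMP, tunnels), and under IPSEC the socket is taken from `inp->inp_socket`, so the contract deserves a line such as `* inp, if non-NULL, is the sending PCB; under IPSEC its socket is used to find the outbound security policy.` It would also help to state that the caller must keep `inp` valid for the duration of the call. The comment begins and the function body continues outside this hunk.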
@@ -130,8 +131,8 @@ ip_output(m0, opt, ro, flags, imo)
struct in_addr pkt_dst;
#ifdef IPSEC
struct route iproute;
- struct socket *so = NULL;
struct secpolicy *sp = NULL;
+ struct socket *so = inp ? inp->inp_socket : NULL;
#endif
struct ip_fw_args args;
int src_was_INADDR_ANY = 0; /* as the name says... */
@@ -148,10 +149,10 @@ ip_output(m0, opt, ro, flags, imo)
/* Grab info from MT_TAG mbufs prepended to the chain. */
for (; m0 && m0->m_type == MT_TAG; m0 = m0->m_next) {
- switch(m0->m_tag_id) {
+ switch(m0->_m_tag_id) {
default:
printf("ip_output: unrecognised MT_TAG tag %d\n",
- m0->m_tag_id);
+ m0->_m_tag_id);
break;
case PACKET_TAG_DUMMYNET:
@@ -182,13 +183,6 @@ ip_output(m0, opt, ro, flags, imo)
KASSERT(!m || (m->m_flags & M_PKTHDR) != 0, ("ip_output: no HDR"));
- KASSERT(ro != NULL, ("ip_output: no route, proto %d",
- mtod(m, struct ip *)->ip_p));
-
-#ifdef IPSEC
- so = ipsec_getsocket(m);
- (void)ipsec_setsocket(m, NULL);
-#endif
if (args.rule != NULL) { /* dummynet already saw us */
ip = mtod(m, struct ip *);
hlen = IP_VHL_HL(ip->ip_vhl) << 2 ;
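Review bot: Removing `KASSERT(ro != NULL, ...)` is not mentioned in the commit message and drops the only entry check on `ro` visible in this hunk. Whether `ro` can legitimately be NULL at this point depends on code outside the hunk, but some callers, such as transmit_event in ip_dummynet.c, do pass `NULL` and presumably rely on the MT_TAG loop to supply the route. If NULL is never valid here, keep a check such as `KASSERT(ro != NULL, ("ip_output: no route"));` so that an INVARIANTS kernel fails at entry, not at a later dereference. If it is valid, a short comment saying which path provides the route would explain the removal.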
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index e1f8465..43eaa03 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -170,7 +170,8 @@ void ip_init(void);
extern int (*ip_mforward)(struct ip *, struct ifnet *, struct mbuf *,
struct ip_moptions *);
int ip_output(struct mbuf *,
- struct mbuf *, struct route *, int, struct ip_moptions *);
+ struct mbuf *, struct route *, int, struct ip_moptions *,
+ struct inpcb *);
struct in_ifaddr *
ip_rtaddr(struct in_addr, struct route *);
void ip_savecontrol(struct inpcb *, struct mbuf **, struct ip *,
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 76cdeb6..144554a 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -281,15 +281,8 @@ rip_output(m, so, dst)
ipstat.ips_rawout++;
}
-#ifdef IPSEC
- if (ipsec_setsocket(m, so) != 0) {
- m_freem(m);
- return ENOBUFS;
- }
-#endif /*IPSEC*/
-
return (ip_output(m, inp->inp_options, &inp->inp_route, flags,
- inp->inp_moptions));
+ inp->inp_moptions, inp));
}
/*
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 3e6f589..59cf6ae 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -369,7 +369,7 @@ tcp_input(m, off0)
/* Grab info from MT_TAG mbufs prepended to the chain. */
for (;m && m->m_type == MT_TAG; m = m->m_next) {
- if (m->m_tag_id == PACKET_TAG_IPFORWARD)
+ if (m->_m_tag_id == PACKET_TAG_IPFORWARD)
next_hop = (struct sockaddr_in *)m->m_hdr.mh_data;
}
#ifdef INET6
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 944e7ee..4128be5 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -875,17 +875,11 @@ send:
: NULL);
/* TODO: IPv6 IP6TOS_ECT bit on */
-#ifdef IPSEC
- if (ipsec_setsocket(m, so) != 0) {
- m_freem(m);
- error = ENOBUFS;
- goto out;
- }
-#endif /*IPSEC*/
error = ip6_output(m,
tp->t_inpcb->in6p_outputopts,
&tp->t_inpcb->in6p_route,
- (so->so_options & SO_DONTROUTE), NULL, NULL);
+ (so->so_options & SO_DONTROUTE), NULL, NULL,
+ tp->t_inpcb);
} else
#endif /* INET6 */
{
@@ -914,11 +908,8 @@ send:
&& !(rt->rt_rmx.rmx_locks & RTV_MTU)) {
ip->ip_off |= IP_DF;
}
-#ifdef IPSEC
- ipsec_setsocket(m, so);
-#endif /*IPSEC*/
error = ip_output(m, tp->t_inpcb->inp_options, &tp->t_inpcb->inp_route,
- (so->so_options & SO_DONTROUTE), 0);
+ (so->so_options & SO_DONTROUTE), 0, tp->t_inpcb);
}
if (error) {
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index 3e6f589..59cf6ae 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -369,7 +369,7 @@ tcp_input(m, off0)
/* Grab info from MT_TAG mbufs prepended to the chain. */
for (;m && m->m_type == MT_TAG; m = m->m_next) {
- if (m->m_tag_id == PACKET_TAG_IPFORWARD)
+ if (m->_m_tag_id == PACKET_TAG_IPFORWARD)
next_hop = (struct sockaddr_in *)m->m_hdr.mh_data;
}
#ifdef INET6
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 181996c..d9b3ecf 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -515,15 +515,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
if (tp == NULL || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
#endif
-#ifdef IPSEC
- if (ipsec_setsocket(m, tp ? tp->t_inpcb->inp_socket : NULL) != 0) {
- m_freem(m);
- return;
- }
-#endif
#ifdef INET6
if (isipv6) {
- (void)ip6_output(m, NULL, ro6, ipflags, NULL, NULL);
+ (void)ip6_output(m, NULL, ro6, ipflags, NULL, NULL,
+ tp ? tp->t_inpcb : NULL);
if (ro6 == &sro6 && ro6->ro_rt) {
RTFREE(ro6->ro_rt);
ro6->ro_rt = NULL;
@@ -531,7 +526,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
} else
#endif /* INET6 */
{
- (void) ip_output(m, NULL, ro, ipflags, NULL);
+ (void) ip_output(m, NULL, ro, ipflags, NULL, tp ? tp->t_inpcb : NULL);
if (ro == &sro && ro->ro_rt) {
RTFREE(ro->ro_rt);
ro->ro_rt = NULL;
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index d5cc9ad..49197bf 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1104,14 +1104,6 @@ syncache_respond(sc, m)
mac_create_mbuf_from_socket(sc->sc_tp->t_inpcb->inp_socket, m);
#endif
-#ifdef IPSEC
- /* use IPsec policy on listening socket to send SYN,ACK */
- if (ipsec_setsocket(m, sc->sc_tp->t_inpcb->inp_socket) != 0) {
- m_freem(m);
- return (ENOBUFS);
- }
-#endif
-
#ifdef INET6
if (sc->sc_inc.inc_isipv6) {
ip6 = mtod(m, struct ip6_hdr *);
@@ -1213,7 +1205,8 @@ no_options:
th->th_sum = in6_cksum(m, IPPROTO_TCP, hlen, tlen - hlen);
ip6->ip6_hlim = in6_selecthlim(NULL,
ro6->ro_rt ? ro6->ro_rt->rt_ifp : NULL);
- error = ip6_output(m, NULL, ro6, 0, NULL, NULL);
+ error = ip6_output(m, NULL, ro6, 0, NULL, NULL,
+ sc->sc_tp->t_inpcb);
} else
#endif
{
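Review bot: `sc->sc_tp->t_inpcb` is now dereferenced on every syncache_respond call in every kernel configuration. The removed code touched `sc->sc_tp` only inside `#ifdef IPSEC`, and the MAC hook in the earlier hunk also appears to be conditional. tcp_respond in this same commit guards the equivalent argument with `tp ? tp->t_inpcb : NULL`. If a syncache entry can never outlive its listening tcpcb, state that with `KASSERT(sc->sc_tp != NULL, ("syncache_respond: no listening tcpcb"));` before the output calls; otherwise use the same guarded form as tcp_respond. The same applies to the ip_output call in the next hunk.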
@@ -1221,7 +1214,8 @@ no_options:
htons(tlen - hlen + IPPROTO_TCP));
m->m_pkthdr.csum_flags = CSUM_TCP;
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
- error = ip_output(m, sc->sc_ipopts, &sc->sc_route, 0, NULL);
+ error = ip_output(m, sc->sc_ipopts, &sc->sc_route, 0, NULL,
+ sc->sc_tp->t_inpcb);
}
return (error);
}
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 181996c..d9b3ecf 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -515,15 +515,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
if (tp == NULL || (tp->t_inpcb->inp_socket->so_options & SO_DEBUG))
tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
#endif
-#ifdef IPSEC
- if (ipsec_setsocket(m, tp ? tp->t_inpcb->inp_socket : NULL) != 0) {
- m_freem(m);
- return;
- }
-#endif
#ifdef INET6
if (isipv6) {
- (void)ip6_output(m, NULL, ro6, ipflags, NULL, NULL);
+ (void)ip6_output(m, NULL, ro6, ipflags, NULL, NULL,
+ tp ? tp->t_inpcb : NULL);
if (ro6 == &sro6 && ro6->ro_rt) {
RTFREE(ro6->ro_rt);
ro6->ro_rt = NULL;
@@ -531,7 +526,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
} else
#endif /* INET6 */
{
- (void) ip_output(m, NULL, ro, ipflags, NULL);
+ (void) ip_output(m, NULL, ro, ipflags, NULL, tp ? tp->t_inpcb : NULL);
if (ro == &sro && ro->ro_rt) {
RTFREE(ro->ro_rt);
ro->ro_rt = NULL;
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 188182f..1a07cea 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -816,15 +816,9 @@ udp_output(inp, m, addr, control, td)
((struct ip *)ui)->ip_tos = inp->inp_ip_tos; /* XXX */
udpstat.udps_opackets++;
-#ifdef IPSEC
- if (ipsec_setsocket(m, inp->inp_socket) != 0) {
- error = ENOBUFS;
- goto release;
- }
-#endif /*IPSEC*/
error = ip_output(m, inp->inp_options, &inp->inp_route,
(inp->inp_socket->so_options & (SO_DONTROUTE | SO_BROADCAST)),
- inp->inp_moptions);
+ inp->inp_moptions, inp);
if (addr) {
in_pcbdisconnect(inp);