diff options
author | sam <sam@FreeBSD.org> | 2003-09-29 22:57:43 +0000 |
---|---|---|
committer | sam <sam@FreeBSD.org> | 2003-09-29 22:57:43 +0000 |
commit | 0a6c1d4242d4d23328bf77b152fe0864e2db7f35 (patch) | |
tree | 8a7531562577bbc1732a8f3b1aa8301245449cab /sys/netipsec/ipsec_output.c | |
parent | 9dc7c620e432a011a3fdcfb8183076ad041baeac (diff) | |
download | FreeBSD-src-0a6c1d4242d4d23328bf77b152fe0864e2db7f35.zip FreeBSD-src-0a6c1d4242d4d23328bf77b152fe0864e2db7f35.tar.gz |
MFp4: portability work, general cleanup, locking fixes
change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpints
the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debuggging assertions no longer needed
change 38498
o replace numerous bogus panic's with equally bogus assertions
that at least go away on a production system
change 38502 + 38530
o change explicit mtx operations to #defines to simplify
future changes to a different lock type
change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be
handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb
chnage 38685
o fix locking for bundled SA's and for when key exchange is required
change 38770
o eliminate recursion on the SAHTREE lock
change 38804
o cleanup some types: long -> time_t
o remove refrence to dead #define
change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues
change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging
an entry to avoid lock recursion and to avoid holding the lock
over a long-running operation
o misc cleanups of tangled and twisty code
There is still much to do here but for now things look to be
working again.
Supported by: FreeBSD Foundation
Diffstat (limited to 'sys/netipsec/ipsec_output.c')
-rw-r--r-- | sys/netipsec/ipsec_output.c | 90 |
1 files changed, 46 insertions, 44 deletions
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 3b66887..8f8c705 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -89,15 +89,13 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) struct secasindex *saidx; int error; -#if 0 - SPLASSERT(net, "ipsec_process_done"); -#endif + IPSEC_SPLASSERT_SOFTNET(__func__); - KASSERT(m != NULL, ("ipsec_process_done: null mbuf")); - KASSERT(isr != NULL, ("ipsec_process_done: null ISR")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(isr != NULL, ("null ISR")); sav = isr->sav; - KASSERT(sav != NULL, ("ipsec_process_done: null SA")); - KASSERT(sav->sah != NULL, ("ipsec_process_done: null SAH")); + IPSEC_ASSERT(sav != NULL, ("null SA")); + IPSEC_ASSERT(sav->sah != NULL, ("null SAH")); saidx = &sav->sah->saidx; switch (saidx->dst.sa.sa_family) { @@ -124,7 +122,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) break; #endif /* INET6 */ default: - DPRINTF(("ipsec_process_done: unknown protocol family %u\n", + DPRINTF(("%s: unknown protocol family %u\n", __func__, saidx->dst.sa.sa_family)); error = ENXIO; goto bad; @@ -137,7 +135,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) mtag = m_tag_get(PACKET_TAG_IPSEC_OUT_DONE, sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { - DPRINTF(("ipsec_process_done: could not get packet tag\n")); + DPRINTF(("%s: could not get packet tag\n", __func__)); error = ENOMEM; goto bad; } @@ -205,11 +203,11 @@ ipsec_nextisr( isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) struct secasvar *sav; -#if 0 - SPLASSERT(net, "ipsec_nextisr"); -#endif - KASSERT(af == AF_INET || af == AF_INET6, - ("ipsec_nextisr: invalid address family %u", af)); + IPSEC_SPLASSERT_SOFTNET(__func__); + IPSECREQUEST_LOCK_ASSERT(isr); + + IPSEC_ASSERT(af == AF_INET || af == AF_INET6, + ("invalid address family %u", af)); again: /* * Craft SA index to search for proper SA. Note that @@ -287,15 +285,17 @@ again: } sav = isr->sav; if (sav == NULL) { /* XXX valid return */ - KASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, - ("ipsec_nextisr: no SA found, but required; level %u", + IPSEC_ASSERT(ipsec_get_reqlevel(isr) == IPSEC_LEVEL_USE, + ("no SA found, but required; level %u", ipsec_get_reqlevel(isr))); + IPSECREQUEST_UNLOCK(isr); isr = isr->next; if (isr == NULL) { /*XXXstatistic??*/ *error = EINVAL; /*XXX*/ return isr; } + IPSECREQUEST_LOCK(isr); goto again; } @@ -305,8 +305,8 @@ again: if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) || (isr->saidx.proto == IPPROTO_AH && !ah_enable) || (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) { - DPRINTF(("ipsec_nextisr: IPsec outbound packet dropped due" - " to policy (check your sysctls)\n")); + DPRINTF(("%s: IPsec outbound packet dropped due" + " to policy (check your sysctls)\n", __func__)); IPSEC_OSTAT(espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); *error = EHOSTUNREACH; @@ -318,7 +318,7 @@ again: * before they invoke the xform output method. */ if (sav->tdb_xform == NULL) { - DPRINTF(("ipsec_nextisr: no transform for SA\n")); + DPRINTF(("%s: no transform for SA\n", __func__)); IPSEC_OSTAT(espstat.esps_noxform, ahstat.ahs_noxform, ipcompstat.ipcomps_noxform); *error = EHOSTUNREACH; @@ -326,7 +326,8 @@ again: } return isr; bad: - KASSERT(*error != 0, ("ipsec_nextisr: error return w/ no error code")); + IPSEC_ASSERT(*error != 0, ("error return w/ no error code")); + IPSECREQUEST_UNLOCK(isr); return NULL; #undef IPSEC_OSTAT } @@ -347,10 +348,10 @@ ipsec4_process_packet( struct ip *ip; int error, i, off; - KASSERT(m != NULL, ("ipsec4_process_packet: null mbuf")); - KASSERT(isr != NULL, ("ipsec4_process_packet: null isr")); + IPSEC_ASSERT(m != NULL, ("null mbuf")); + IPSEC_ASSERT(isr != NULL, ("null isr")); - mtx_lock(&isr->lock); /* insure SA contents don't change */ + IPSECREQUEST_LOCK(isr); /* insure SA contents don't change */ isr = ipsec_nextisr(m, isr, AF_INET, &saidx, &error); if (isr == NULL) @@ -420,8 +421,8 @@ ipsec4_process_packet( error = ipip_output(m, isr, &mp, 0, 0); if (mp == NULL && !error) { /* Should never happen. */ - DPRINTF(("ipsec4_process_packet: ipip_output " - "returns no mbuf and no error!")); + DPRINTF(("%s: ipip_output returns no mbuf and " + "no error!", __func__)); error = EFAULT; } if (error) { @@ -469,10 +470,11 @@ ipsec4_process_packet( } else { error = ipsec_process_done(m, isr); } - mtx_unlock(&isr->lock); + IPSECREQUEST_UNLOCK(isr); return error; bad: - mtx_unlock(&isr->lock); + if (isr) + IPSECREQUEST_UNLOCK(isr); if (m) m_freem(m); return error; @@ -490,8 +492,8 @@ ipsec6_splithdr(struct mbuf *m) struct ip6_hdr *ip6; int hlen; - KASSERT(m->m_len >= sizeof (struct ip6_hdr), - ("ipsec6_splithdr: first mbuf too short, len %u", m->m_len)); + IPSEC_ASSERT(m->m_len >= sizeof (struct ip6_hdr), + ("first mbuf too short, len %u", m->m_len)); ip6 = mtod(m, struct ip6_hdr *); hlen = sizeof(struct ip6_hdr); if (m->m_len > hlen) { @@ -533,15 +535,15 @@ ipsec6_output_trans( int error = 0; struct mbuf *m; - KASSERT(state != NULL, ("ipsec6_output: null state")); - KASSERT(state->m != NULL, ("ipsec6_output: null m")); - KASSERT(nexthdrp != NULL, ("ipsec6_output: null nexthdrp")); - KASSERT(mprev != NULL, ("ipsec6_output: null mprev")); - KASSERT(sp != NULL, ("ipsec6_output: null sp")); - KASSERT(tun != NULL, ("ipsec6_output: null tun")); + IPSEC_ASSERT(state != NULL, ("null state")); + IPSEC_ASSERT(state->m != NULL, ("null m")); + IPSEC_ASSERT(nexthdrp != NULL, ("null nexthdrp")); + IPSEC_ASSERT(mprev != NULL, ("null mprev")); + IPSEC_ASSERT(sp != NULL, ("null sp")); + IPSEC_ASSERT(tun != NULL, ("null tun")); KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec6_output_trans: applyed SP\n"); + printf("%s: applyed SP\n", __func__); kdebug_secpolicy(sp)); isr = sp->req; @@ -596,8 +598,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) m_freem(m); return EINVAL; } - KASSERT(m->m_len != sizeof (struct ip6_hdr), - ("ipsec6_encapsulate: mbuf wrong size; len %u", m->m_len)); + IPSEC_ASSERT(m->m_len != sizeof (struct ip6_hdr), + ("mbuf wrong size; len %u", m->m_len)); /* @@ -662,12 +664,12 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int struct sockaddr_in6* dst6; struct mbuf *m; - KASSERT(state != NULL, ("ipsec6_output: null state")); - KASSERT(state->m != NULL, ("ipsec6_output: null m")); - KASSERT(sp != NULL, ("ipsec6_output: null sp")); + IPSEC_ASSERT(state != NULL, ("null state")); + IPSEC_ASSERT(state->m != NULL, ("null m")); + IPSEC_ASSERT(sp != NULL, ("null sp")); KEYDEBUG(KEYDEBUG_IPSEC_DATA, - printf("ipsec6_output_tunnel: applyed SP\n"); + printf("%s: applyed SP\n", __func__); kdebug_secpolicy(sp)); m = state->m; @@ -693,8 +695,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int */ /* XXX should be processed with other familiy */ if (isr->sav->sah->saidx.src.sa.sa_family != AF_INET6) { - ipseclog((LOG_ERR, "ipsec6_output_tunnel: " - "family mismatched between inner and outer, spi=%u\n", + ipseclog((LOG_ERR, "%s: family mismatched between " + "inner and outer, spi=%u\n", __func__, ntohl(isr->sav->spi))); newipsecstat.ips_out_inval++; error = EAFNOSUPPORT; |