authorLuiz Otavio O Souza <luiz@netgate.com>2015-09-15 12:30:58 -0500
committerLuiz Otavio O Souza <luiz@netgate.com>2015-10-20 11:33:42 -0500
commit49d7fe39863f0ffcf4ac6c559ef84589ea42bd0a (patch)
tree24cdbb3972d1aead1ff420f1e8e4984c8ef906a0 /sys/netipsec
parent15988797df0ce562e67d6fa1c912e4cda6194678 (diff)
Revert IPSEC patches.
Revert "Importing pfSense patch ipsec_altq.RELENG_10.diff" This reverts commit 5b128f054452e56b96564210c998510e0dd45130. TAG: IPSEC-HEAD Issue: #4841
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.h2
-rw-r--r--sys/netipsec/ipsec_input.c12
-rw-r--r--sys/netipsec/ipsec_output.c27
-rw-r--r--sys/netipsec/keydb.h2
4 files changed, 9 insertions, 34 deletions
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index e50c401..6da3fc7 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -386,7 +386,7 @@ extern int m_striphdr(struct mbuf *m, int skip, int hlen);
#define ENC_AFTER 0x0002
#define ENC_IN 0x0100
#define ENC_OUT 0x0200
-extern int ipsec_filter(struct mbuf **, struct secasindex *, int, int);
+extern int ipsec_filter(struct mbuf **, int, int);
extern void ipsec_bpf(struct mbuf *, struct secasvar *, int, int);
#endif
#endif /* _KERNEL */
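Review bot: The new `ipsec_filter` prototype leaves its two trailing `int` parameters unnamed, so nothing at the declaration says which is the pfil direction and which is the ENC_* flag mask, and a transposed call would still compile. Going by the call sites in this commit (`PFIL_IN`/`PFIL_OUT` second, masks such as `ENC_IN|ENC_BEFORE` third), I would write it as `extern int ipsec_filter(struct mbuf **mp, int dir, int flags);`, as the `m_striphdr` prototype in the hunk header already names its arguments. A short comment above it should state that `dir` is a PFIL_* direction and `flags` an ENC_* combination. The function's definition is not in this view (the diffstat is limited to sys/netipsec), so the names should be matched to it.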
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 18a9b0c..66de530 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -354,8 +354,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
/* Pass the mbuf to enc0 for bpf and pfil. */
ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif /* DEV_ENC */
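Review bot: The early `return (error);` after `ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)` has no visible cleanup of `m`, and the call passes the mbuf by address, so the filter may free or replace it; who owns `m` on a non-zero return is not stated in these hunks. The same pattern repeats in the other three ipsec_input.c hunks, while the four call sites in ipsec_output.c take `goto bad` on the same failure. The two paths therefore fail differently: a leak on the input side if the filter does not free, or, assuming `bad` frees `m`, a double free on the output side if the filter frees without clearing `*mp`. A one-line comment at the call, e.g. `/* on error ipsec_filter() has freed m and set it to NULL */`, would make this auditable, provided that is what the definition does. The definition and the rest of the enclosing callbacks are outside this view.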
@@ -499,8 +498,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
#endif
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
return (error);
#endif /* DEV_ENC */
@@ -655,8 +653,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
/* Pass the mbuf to enc0 for bpf and pfil. */
ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif /* DEV_ENC */
@@ -785,8 +782,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
if (prot == IPPROTO_IPV6)
ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_AFTER);
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
- ENC_IN|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
return (error);
#endif /* DEV_ENC */
/*
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 33b84e0..442fb7a 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -43,11 +43,6 @@
#include <sys/errno.h>
#include <sys/syslog.h>
-#ifdef DEV_ENC
-#include <altq/if_altq.h>
-#include <netpfil/pf/pf_mtag.h>
-#endif
-
#include <net/if.h>
#include <net/pfil.h>
#include <net/vnet.h>
@@ -103,7 +98,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
struct m_tag *mtag;
struct secasvar *sav;
struct secasindex *saidx;
- struct pf_mtag *atag = NULL;
int error;
IPSEC_ASSERT(m != NULL, ("null mbuf"));
@@ -195,15 +189,6 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
}
key_sa_recordxfer(sav, m); /* record data transfer */
-#ifdef DEV_ENC
- if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) {
- atag->qid = saidx->qid;
- /* add hints for ecn */
- atag->af = saidx->dst.sa.sa_family;
- atag->hdr = NULL; /* This should be safe! */
- }
-#endif
-
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be
@@ -470,8 +455,7 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
- ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif
@@ -570,8 +554,7 @@ ipsec4_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, sav, sav->sah->saidx.dst.sa.sa_family, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
- ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif
@@ -674,8 +657,7 @@ ipsec6_process_packet(
/* pass the mbuf to enc0 for bpf processing */
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
- ENC_OUT|ENC_BEFORE)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
goto bad;
#endif /* DEV_ENC */
@@ -727,8 +709,7 @@ ipsec6_process_packet(
#ifdef DEV_ENC
ipsec_bpf(m, isr->sav, dst->sa.sa_family, ENC_OUT|ENC_AFTER);
/* pass the mbuf to enc0 for packet filtering */
- if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
- ENC_OUT|ENC_AFTER)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
goto bad;
#endif /* DEV_ENC */
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
index 56f44fc..15dbc9c 100644
--- a/sys/netipsec/keydb.h
+++ b/sys/netipsec/keydb.h
@@ -58,8 +58,6 @@ struct secasindex {
u_int8_t mode; /* mode of protocol, see ipsec.h */
u_int32_t reqid; /* reqid id who owned this SA */
/* see IPSEC_MANUAL_REQID_MAX. */
- u_int32_t qid; /* used for ALTQ shaping inside */
- /* tunnel */
};
/*