authorglebius <glebius@FreeBSD.org>2012-10-22 21:09:03 +0000
committerglebius <glebius@FreeBSD.org>2012-10-22 21:09:03 +0000
commit5cc3ac590262ed14bfbf8392f27f90923b7cc7a1 (patch)
tree6e8c53bf2442763edea3176e3bef68bfec20a183 /sys/netipsec
parentaef46581d91a912fc587677321f83f81ce6df527 (diff)
Switch the entire IPv4 stack to keep the IP packet header
in network byte order. Any host byte order processing is done in local variables and host byte order values are never[1] written to a packet. After this change a packet processed by the stack isn't modified at all[2] except for TTL. After this change a network stack hacker doesn't need to scratch his head trying to figure out what is the byte order at the given place in the stack. [1] One exception still remains. The raw sockets convert to host byte order before passing a packet to an application. Probably this would remain for ages for compatibility. [2] The ip_input() still subtracts header len from ip->ip_len, but this is planned to be fixed soon. Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru> Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c5
1 files changed, 2 insertions, 3 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 712040f..6b41f51 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -597,10 +597,9 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
IPSEC_ASSERT(m != NULL, ("null mbuf"));
IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
- /* NB: ip_input() flips it into host endian. XXX Need more checking. */
if (m->m_len >= sizeof (struct ip)) {
struct ip *ip = mtod(m, struct ip *);
- if (ip->ip_off & (IP_MF | IP_OFFMASK))
+ if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
goto done;
#ifdef _IP_VHL
off = _IP_VHL_HL(ip->ip_vhl) << 2;
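Review bot: The fragment test `if (ip->ip_off & htons(IP_MF | IP_OFFMASK))` now silently depends on every caller passing ipsec4_get_ulp() a header whose ip_off is in network byte order, and the hunk deletes the old byte-order comment without stating that new invariant; the same holds for the `ih.ip_off` test in the second hunk. Judging by the function name and its `spidx`/`needport` parameters, this test presumably gates whether upper-layer fields are read into the policy index, so on a little-endian host a header that reached here in host order would be misjudged as fragment or non-fragment and could be matched against the wrong policy. I would put `/* ip_off is in network byte order; a fragment has no usable ULP header, so bail out. */` where the removed comment was. The commit message says raw sockets still convert to host byte order, so it is worth confirming that no such path feeds this function. The function body starts and ends outside both hunks, so the handling at `done` is not visible here.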
@@ -612,7 +611,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
struct ip ih;
m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
- if (ih.ip_off & (IP_MF | IP_OFFMASK))
+ if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
goto done;
#ifdef _IP_VHL
off = _IP_VHL_HL(ih.ip_vhl) << 2;