author | Luiz Otavio O Souza <luiz@netgate.com> | 2015-09-15 14:53:59 -0500 |
---|---|---|
committer | Luiz Otavio O Souza <luiz@netgate.com> | 2015-10-20 11:58:36 -0500 |
commit | bcdf3f514f78b6c54084da98b13939a24af65a2c (patch) | |
tree | 3f25c9593e622230783151bd47f0be330c4a7532 /sys | |
parent | 63036e9e94b6248ea67c2498d2af01cc0e4d1c91 (diff) | |
MFC r275713:
Use ipsec4_in_reject() to simplify ip_ipsec_fwd() and ip_ipsec_input().
ipsec4_in_reject() does the same things and, in addition, counts policy
violation errors.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ip_ipsec.c | 34 |
1 files changed, 3 insertions, 31 deletions
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index b25167a..9c3d631 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -106,20 +106,8 @@ ip_ipsec_filtertunnel(struct mbuf *m)
 int
 ip_ipsec_fwd(struct mbuf *m)
 {
-	struct secpolicy *sp;
-	int error;
 
-	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-	if (sp != NULL) {
-		/*
-		 * Check security policy against packet attributes.
-		 */
-		error = ipsec_in_reject(sp, m);
-		KEY_FREESP(&sp);
-	}
-	if (error != 0)
-		return (1);
-	return (0);
+	return (ipsec4_in_reject(m, NULL));
 }
 
 /*
@@ -132,29 +120,13 @@ ip_ipsec_fwd(struct mbuf *m)
 int
 ip_ipsec_input(struct mbuf *m, int nxt)
 {
-	struct secpolicy *sp;
-	int error;
 
 	/*
 	 * enforce IPsec policy checking if we are seeing last header.
 	 * note that we do not visit this with protocols with pcb layer
 	 * code - like udp/tcp/raw ip.
 	 */
-	if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
-		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-		if (sp != NULL) {
-			/*
-			 * Check security policy against packet attributes.
-			 */
-			error = ipsec_in_reject(sp, m);
-			KEY_FREESP(&sp);
-		} else {
-			/* XXX error stat??? */
-			error = EINVAL;
-			DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
-		}
-		if (error != 0)
-			return (1);
-	}
+	if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+		return (ipsec4_in_reject(m, NULL));
 	return (0);
 }
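Review bot: The new `return (ipsec4_in_reject(m, NULL));` in ip_ipsec_input() drops the explicit fail-closed branch that the old side had for a NULL SP from ipsec_getpolicybyaddr() (`error = EINVAL` plus the "no SP, packet discarded" DPRINTF), and nothing in this hunk shows whether ipsec4_in_reject() rejects in that case or returns 0; the commit message only says it "does the same things". If it returns 0 when no policy can be found, a last-header packet that was previously discarded is now delivered, which is a fail-open change on the inbound policy check and should be stated explicitly either way. I would add `/* ipsec4_in_reject() must keep rejecting when no SP can be found */` above the call, or, if accepting the no-SP case is now intended, say so in the commit message and drop the lost DPRINTF deliberately. The same question applies to ip_ipsec_fwd() in the preceding hunk, whose old `sp == NULL` path presumably returned 1 through the error reported by ipsec_getpolicybyaddr().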