Commit IPv6 support for FAST_IPSEC to the tree.

This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re

6 files changed, 25 insertions, 80 deletions

diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile
index 19e4c38..d8794d9 100644
--- a/usr.bin/netstat/Makefile
+++ b/usr.bin/netstat/Makefile
@@ -10,7 +10,6 @@ SRCS=	if.c inet.c main.c mbuf.c mcast.c mroute.c route.c \
 WARNS?=	3
 
 CFLAGS+=-DIPSEC
-CFLAGS+=-DFAST_IPSEC
 CFLAGS+=-DSCTP
 
 .if ${MK_INET6_SUPPORT} != "no"
diff --git a/usr.bin/netstat/ipsec.c b/usr.bin/netstat/ipsec.c
index 125be12..2dc6410 100644
--- a/usr.bin/netstat/ipsec.c
+++ b/usr.bin/netstat/ipsec.c
@@ -104,11 +104,7 @@ __FBSDID("$FreeBSD$");
 
 #include <netinet/in.h>
 
-#if defined(IPSEC) && !defined(FAST_IPSEC)
-#include <netinet6/ipsec.h>
-#endif
-
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/ah_var.h>
 #include <netipsec/esp_var.h>
@@ -250,9 +246,24 @@ print_ipsecstats(const struct ipsecstat *ipsecstat)
 	hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output");
 	p(spdcachelookup, "\t%ju SPD cache lookup%s\n");
 	pes(spdcachemiss, "\t%ju SPD cache miss%s\n");
-#undef p
 #undef pes
 #undef hist
+	p(ips_in_polvio, "\t%ju inbound packet%s violated process "
+		"security policy\n");
+	p(ips_out_polvio, "\t%ju outbound packet%s violated process "
+		"security policy\n");
+	p(ips_out_nosa, "\t%ju outbound packet%s with no SA available\n");
+	p(ips_out_nomem, "\t%ju outbound packet%s failed due to "
+		"insufficient memory\n");
+	p(ips_out_noroute, "\t%ju outbound packet%s with no route "
+		"available\n");
+	p(ips_out_inval, "\t%ju invalid outbound packet%s\n");
+	p(ips_out_bundlesa, "\t%ju outbound packet%s with bundled SAs\n");
+	p(ips_mbcoalesced, "\t%ju mbuf%s coalesced during clone\n");
+	p(ips_clcoalesced, "\t%ju cluster%s coalesced during clone\n");
+	p(ips_clcopied, "\t%ju cluster%s copied during clone\n");
+	p(ips_mbinserted, "\t%ju mbuf%s inserted during makespace\n");
+#undef p
 }
 
 void
@@ -269,11 +280,8 @@ ipsec_stats(u_long off, const char *name, int af1 __unused)
 }
 
 
-#ifdef FAST_IPSEC
-
 static void ipsec_hist_new(const u_int32_t *hist, size_t histmax,
 			   const struct val2str *name, const char *title);
-static void print_newipsecstats(const struct newipsecstat *newipsecstat);
 static void print_ahstats(const struct ahstat *ahstat);
 static void print_espstats(const struct espstat *espstat);
 static void print_ipcompstats(const struct ipcompstat *ipcompstat);
@@ -311,43 +319,6 @@ ipsec_hist_new(const u_int32_t *hist, size_t histmax,
 }
   
 static void
-print_newipsecstats(const struct newipsecstat *newipsecstat)
-{
-#define	p(f, m) if (newipsecstat->f || sflag <= 1) \
-    printf(m, newipsecstat->f, plural(newipsecstat->f))
-
-	p(ips_in_polvio, "\t%u inbound packet%s violated process "
-		"security policy\n");
-	p(ips_out_polvio, "\t%u outbound packet%s violated process "
-		"security policy\n");
-	p(ips_out_nosa, "\t%u outbound packet%s with no SA available\n");
-	p(ips_out_nomem, "\t%u outbound packet%s failed due to "
-		"insufficient memory\n");
-	p(ips_out_noroute, "\t%u outbound packet%s with no route "
-		"available\n");
-	p(ips_out_inval, "\t%u invalid outbound packet%s\n");
-	p(ips_out_bundlesa, "\t%u outbound packet%s with bundled SAs\n");
-	p(ips_mbcoalesced, "\t%u mbuf%s coalesced during clone\n");
-	p(ips_clcoalesced, "\t%u cluster%s coalesced during clone\n");
-	p(ips_clcopied, "\t%u cluster%s copied during clone\n");
-	p(ips_mbinserted, "\t%u mbuf%s inserted during makespace\n");
-#undef p
-}
-  
-void
-ipsec_stats_new(u_long off, const char *name, int family __unused)
-{
-	struct newipsecstat newipsecstat;
-
-	if (off == 0)
-		return;
-  	printf ("%s:\n", name);
-	kread(off, (char *)&newipsecstat, sizeof(newipsecstat));
-
-	print_newipsecstats(&newipsecstat);
-}
-
-static void
 print_ahstats(const struct ahstat *ahstat)
 {
 #define	p32(f, m) if (ahstat->f || sflag <= 1) \
@@ -491,5 +462,4 @@ ipcomp_stats(u_long off, const char *name, int family __unused)
 	print_ipcompstats(&ipcompstat);
 }
 
-#endif /* FAST_IPSEC */
 #endif /*IPSEC*/
diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c
index 766b5ea..434121f8 100644
--- a/usr.bin/netstat/main.c
+++ b/usr.bin/netstat/main.c
@@ -100,7 +100,7 @@ static struct nlist nl[] = {
 #define N_ICMP6STAT	13
 	{ .n_name = "_icmp6stat" },
 #define N_IPSECSTAT	14
-	{ .n_name = "_ipsecstat" },
+	{ .n_name = "_ipsec4stat" },
 #define N_IPSEC6STAT	15
 	{ .n_name = "_ipsec6stat" },
 #define N_PIM6STAT	16
@@ -141,8 +141,6 @@ static struct nlist nl[] = {
 	{ .n_name = "_carpstats" },
 #define N_PFSYNCSTAT	34
 	{ .n_name = "_pfsyncstats" },
-#define	N_FAST_IPSECSTAT 35
-	{ .n_name = "_newipsecstat" },
 #define	N_AHSTAT	36
 	{ .n_name = "_ahstat" },
 #define	N_ESPSTAT	37
@@ -181,19 +179,15 @@ struct protox {
 	{ -1,		-1,		1,	protopr,
 	  igmp_stats,	NULL,		"igmp",	IPPROTO_IGMP },
 #ifdef IPSEC
-	{ -1,		N_IPSECSTAT,	1,	NULL,
+	{ -1,		N_IPSECSTAT,	1,	NULL,	/* keep as compat */
 	  ipsec_stats,	NULL,		"ipsec",	0},
-#ifdef FAST_IPSEC
-	{ -1,		N_FAST_IPSECSTAT, 1,	0,
-	  ipsec_stats_new, NULL,	"fastipsec",	0},
-	{ -1,		N_AHSTAT,	1,	0,
+	{ -1,		N_AHSTAT,	1,	NULL,
 	  ah_stats,	NULL,		"ah",		0},
-	{ -1,		N_ESPSTAT,	1,	0,
+	{ -1,		N_ESPSTAT,	1,	NULL,
 	  esp_stats,	NULL,		"esp",		0},
-	{ -1,		N_IPCOMPSTAT,	1,	0,
+	{ -1,		N_IPCOMPSTAT,	1,	NULL,
 	  ipcomp_stats,	NULL,		"ipcomp",	0},
 #endif
-#endif
 	{ -1,		-1,		1,	protopr,
 	  pim_stats,	NULL,		"pim",	IPPROTO_PIM },
 	{ -1,		N_CARPSTAT,	1,	0,
@@ -526,17 +520,6 @@ main(int argc, char *argv[])
 
 	kread(0, 0, 0);
 	if (tp) {
-#ifdef FAST_IPSEC
-		/*
-		 * HACK: fallback to printing the new FAST IPSEC stats
-		 *	 if the kernel was built with FAST_IPSEC rather
-		 *	 than the KAME IPSEC stack (the two are mutually
-		 *	 exclusive).
-		 */
-		if (nl[tp->pr_sindex].n_value == 0 &&
-		    strcmp(tp->pr_name, "ipsec") == 0)
-			tp = name2protox("fastipsec");
-#endif
 		printproto(tp, tp->pr_name);
 		exit(0);
 	}
diff --git a/usr.bin/netstat/netstat.h b/usr.bin/netstat/netstat.h
index ff8beb4..a2df187 100644
--- a/usr.bin/netstat/netstat.h
+++ b/usr.bin/netstat/netstat.h
@@ -80,13 +80,10 @@ void	carp_stats (u_long, const char *, int);
 void	pfsync_stats (u_long, const char *, int);
 #ifdef IPSEC
 void	ipsec_stats(u_long, const char *, int);
-#ifdef FAST_IPSEC
-void	ipsec_stats_new (u_long, const char *, int);
 void	esp_stats (u_long, const char *, int);
 void	ah_stats (u_long, const char *, int);
 void	ipcomp_stats (u_long, const char *, int);
 #endif
-#endif
 
 #ifdef INET6
 void	ip6_stats(u_long, const char *, int);
diff --git a/usr.bin/netstat/pfkey.c b/usr.bin/netstat/pfkey.c
index ed2c00c..ad22ae8 100644
--- a/usr.bin/netstat/pfkey.c
+++ b/usr.bin/netstat/pfkey.c
@@ -79,11 +79,7 @@ static const char rcsid[] =
 
 #include <netinet/in.h>
 
-#if defined(IPSEC) && !defined(FAST_IPSEC)
-#include <netkey/keysock.h>
-#endif
-
-#ifdef FAST_IPSEC
+#ifdef IPSEC
 #include <netipsec/keysock.h>
 #endif
 
diff --git a/usr.bin/telnet/Makefile b/usr.bin/telnet/Makefile
index c5525b3..14829c1 100644
--- a/usr.bin/telnet/Makefile
+++ b/usr.bin/telnet/Makefile
@@ -23,7 +23,7 @@ DPADD=		${LIBTERMCAP} ${LIBTELNET}
 LDADD=		-ltermcap ${LIBTELNET}
 
 .if !defined(RELEASE_CRUNCH)
-CFLAGS+=	-DIPSEC
+CFLAGS+=	-DIPSEC -DFAST_IPSEC
 DPADD+=		${LIBIPSEC}
 LDADD+=		-lipsec
 .else
@@ -35,7 +35,7 @@ CFLAGS+=	-DHAS_CGETENT
 .if !defined(RELEASE_CRUNCH)
 .if ${MK_OPENSSL} != "no"
 SRCS+=		authenc.c 
-CFLAGS+=	-DENCRYPTION -DAUTHENTICATION -DIPSEC
+CFLAGS+=	-DENCRYPTION -DAUTHENTICATION -DIPSEC -DFAST_IPSEC
 DPADD+=		${LIBMP} ${LIBCRYPTO} ${LIBCRYPT} ${LIBIPSEC} ${LIBPAM}
 LDADD+=		-lmp -lcrypto -lcrypt -lipsec ${MINUSLPAM}
 .endif