diff options
-rw-r--r-- | sys/netipsec/ipsec.c | 12 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 12 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 73 |
3 files changed, 13 insertions, 84 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index 4a22f32..84534f8 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -559,11 +559,7 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport) m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf); ip = &ipbuf; } -#ifdef _IP_VHL - v = _IP_VHL_V(ip->ip_vhl); -#else v = ip->ip_v; -#endif switch (v) { case 4: error = ipsec4_setspidx_ipaddr(m, spidx); @@ -607,11 +603,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) struct ip *ip = mtod(m, struct ip *); if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) goto done; -#ifdef _IP_VHL - off = _IP_VHL_HL(ip->ip_vhl) << 2; -#else off = ip->ip_hl << 2; -#endif nxt = ip->ip_p; } else { struct ip ih; @@ -619,11 +611,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih); if (ih.ip_off & htons(IP_MF | IP_OFFMASK)) goto done; -#ifdef _IP_VHL - off = _IP_VHL_HL(ih.ip_vhl) << 2; -#else off = ih.ip_hl << 2; -#endif nxt = ih.ip_p; } diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 19b27ec..a394590 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -205,11 +205,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) */ if (sav->natt_type) { struct ip *ip = mtod(m, struct ip *); -#ifdef _IP_VHL - const int hlen = IP_VHL_HL(ip->ip_vhl); -#else const int hlen = (ip->ip_hl << 2); -#endif int size, off; struct mbuf *mi; struct udphdr *udp; @@ -504,15 +500,7 @@ ipsec4_process_packet( ip = mtod(m, struct ip *); ip->ip_len = htons(m->m_pkthdr.len); ip->ip_sum = 0; -#ifdef _IP_VHL - if (ip->ip_vhl == IP_VHL_BORING) - ip->ip_sum = in_cksum_hdr(ip); - else - ip->ip_sum = in_cksum(m, - _IP_VHL_HL(ip->ip_vhl) << 2); -#else ip->ip_sum = in_cksum(m, ip->ip_hl << 2); -#endif /* Encapsulate the packet */ error = ipip_output(m, isr, &mp, 0, 0); diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c index 1d2aff2..3e1fc1f 100644 --- a/sys/netipsec/xform_ipip.c +++ b/sys/netipsec/xform_ipip.c @@ -64,9 +64,6 @@ #include <netinet/ip_ecn.h> #include <netinet/ip_var.h> #include <netinet/ip_encap.h> -#ifdef MROUTING -#include <netinet/ip_mroute.h> -#endif #include <netipsec/ipsec.h> #include <netipsec/xform.h> @@ -161,18 +158,11 @@ ip4_input(struct mbuf *m, int off) static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) { -#ifdef INET - register struct sockaddr_in *sin; -#endif - register struct ifnet *ifp; - register struct ifaddr *ifa; struct ip *ipo; #ifdef INET6 - register struct sockaddr_in6 *sin6; struct ip6_hdr *ip6 = NULL; u_int8_t itos; #endif - u_int8_t nxt; int isr; u_int8_t otos; u_int8_t v; @@ -207,18 +197,8 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) return; } } - ipo = mtod(m, struct ip *); -#ifdef MROUTING - if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) { - if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) { - ipip_mroute_input (m, iphlen); - return; - } - } -#endif /* MROUTING */ - /* Keep outer ecn field. */ switch (v >> 4) { #ifdef INET @@ -287,14 +267,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) #ifdef INET case 4: ipo = mtod(m, struct ip *); - nxt = ipo->ip_p; ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos); break; #endif /* INET */ #ifdef INET6 case 6: ip6 = (struct ip6_hdr *) ipo; - nxt = ip6->ip6_nxt; itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos); ip6->ip6_flow &= ~htonl(0xff << 20); @@ -309,47 +287,22 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if ((m->m_pkthdr.rcvif == NULL || !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) && V_ipip_allow != 2) { - IFNET_RLOCK_NOSLEEP(); - TAILQ_FOREACH(ifp, &V_ifnet, if_link) { - TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) { #ifdef INET - if (ipo) { - if (ifa->ifa_addr->sa_family != - AF_INET) - continue; - - sin = (struct sockaddr_in *) ifa->ifa_addr; - - if (sin->sin_addr.s_addr == - ipo->ip_src.s_addr) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - } -#endif /* INET */ - + if ((v >> 4) == IPVERSION && + in_localip(ipo->ip_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; + } +#endif #ifdef INET6 - if (ip6) { - if (ifa->ifa_addr->sa_family != - AF_INET6) - continue; - - sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; - - if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { - IPIPSTAT_INC(ipips_spoof); - m_freem(m); - IFNET_RUNLOCK_NOSLEEP(); - return; - } - - } -#endif /* INET6 */ - } + if ((v & IPV6_VERSION_MASK) == IPV6_VERSION && + in6_localip(&ip6->ip6_src) != 0) { + IPIPSTAT_INC(ipips_spoof); + m_freem(m); + return; } - IFNET_RUNLOCK_NOSLEEP(); +#endif } /* Statistics */ |