summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--sys/netipsec/ipsec.c12
-rw-r--r--sys/netipsec/ipsec_output.c12
-rw-r--r--sys/netipsec/xform_ipip.c73
3 files changed, 13 insertions, 84 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 4a22f32..84534f8 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -559,11 +559,7 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
ip = &ipbuf;
}
-#ifdef _IP_VHL
- v = _IP_VHL_V(ip->ip_vhl);
-#else
v = ip->ip_v;
-#endif
switch (v) {
case 4:
error = ipsec4_setspidx_ipaddr(m, spidx);
@@ -607,11 +603,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
struct ip *ip = mtod(m, struct ip *);
if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
goto done;
-#ifdef _IP_VHL
- off = _IP_VHL_HL(ip->ip_vhl) << 2;
-#else
off = ip->ip_hl << 2;
-#endif
nxt = ip->ip_p;
} else {
struct ip ih;
@@ -619,11 +611,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
if (ih.ip_off & htons(IP_MF | IP_OFFMASK))
goto done;
-#ifdef _IP_VHL
- off = _IP_VHL_HL(ih.ip_vhl) << 2;
-#else
off = ih.ip_hl << 2;
-#endif
nxt = ih.ip_p;
}
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 19b27ec..a394590 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -205,11 +205,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
*/
if (sav->natt_type) {
struct ip *ip = mtod(m, struct ip *);
-#ifdef _IP_VHL
- const int hlen = IP_VHL_HL(ip->ip_vhl);
-#else
const int hlen = (ip->ip_hl << 2);
-#endif
int size, off;
struct mbuf *mi;
struct udphdr *udp;
@@ -504,15 +500,7 @@ ipsec4_process_packet(
ip = mtod(m, struct ip *);
ip->ip_len = htons(m->m_pkthdr.len);
ip->ip_sum = 0;
-#ifdef _IP_VHL
- if (ip->ip_vhl == IP_VHL_BORING)
- ip->ip_sum = in_cksum_hdr(ip);
- else
- ip->ip_sum = in_cksum(m,
- _IP_VHL_HL(ip->ip_vhl) << 2);
-#else
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
-#endif
/* Encapsulate the packet */
error = ipip_output(m, isr, &mp, 0, 0);
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 1d2aff2..3e1fc1f 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -64,9 +64,6 @@
#include <netinet/ip_ecn.h>
#include <netinet/ip_var.h>
#include <netinet/ip_encap.h>
-#ifdef MROUTING
-#include <netinet/ip_mroute.h>
-#endif
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -161,18 +158,11 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
-#ifdef INET
- register struct sockaddr_in *sin;
-#endif
- register struct ifnet *ifp;
- register struct ifaddr *ifa;
struct ip *ipo;
#ifdef INET6
- register struct sockaddr_in6 *sin6;
struct ip6_hdr *ip6 = NULL;
u_int8_t itos;
#endif
- u_int8_t nxt;
int isr;
u_int8_t otos;
u_int8_t v;
@@ -207,18 +197,8 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
return;
}
}
-
ipo = mtod(m, struct ip *);
-#ifdef MROUTING
- if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) {
- if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) {
- ipip_mroute_input (m, iphlen);
- return;
- }
- }
-#endif /* MROUTING */
-
/* Keep outer ecn field. */
switch (v >> 4) {
#ifdef INET
@@ -287,14 +267,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
#ifdef INET
case 4:
ipo = mtod(m, struct ip *);
- nxt = ipo->ip_p;
ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos);
break;
#endif /* INET */
#ifdef INET6
case 6:
ip6 = (struct ip6_hdr *) ipo;
- nxt = ip6->ip6_nxt;
itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos);
ip6->ip6_flow &= ~htonl(0xff << 20);
@@ -309,47 +287,22 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if ((m->m_pkthdr.rcvif == NULL ||
!(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
V_ipip_allow != 2) {
- IFNET_RLOCK_NOSLEEP();
- TAILQ_FOREACH(ifp, &V_ifnet, if_link) {
- TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
#ifdef INET
- if (ipo) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET)
- continue;
-
- sin = (struct sockaddr_in *) ifa->ifa_addr;
-
- if (sin->sin_addr.s_addr ==
- ipo->ip_src.s_addr) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
- }
-#endif /* INET */
-
+ if ((v >> 4) == IPVERSION &&
+ in_localip(ipo->ip_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
+ }
+#endif
#ifdef INET6
- if (ip6) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET6)
- continue;
-
- sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
-
- if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
-
- }
-#endif /* INET6 */
- }
+ if ((v & IPV6_VERSION_MASK) == IPV6_VERSION &&
+ in6_localip(&ip6->ip6_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
}
- IFNET_RUNLOCK_NOSLEEP();
+#endif
}
/* Statistics */
OpenPOWER on IntegriCloud