diff options
Diffstat (limited to 'sys/netinet/ip_input.c')
| -rw-r--r-- | sys/netinet/ip_input.c | 180 |
1 files changed, 15 insertions, 165 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 3527736..6f1130c 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -71,6 +71,9 @@ #ifdef DEV_CARP #include <netinet/ip_carp.h> #endif +#if defined(IPSEC) || defined(FAST_IPSEC) +#include <netinet/ip_ipsec.h> +#endif /* IPSEC */ #include <sys/socketvar.h> @@ -78,16 +81,6 @@ #include <netinet/ip_fw.h> #include <netinet/ip_dummynet.h> -#ifdef IPSEC -#include <netinet6/ipsec.h> -#include <netkey/key.h> -#endif - -#ifdef FAST_IPSEC -#include <netipsec/ipsec.h> -#include <netipsec/key.h> -#endif - int rsvp_on = 0; int ipforwarding = 0; @@ -291,15 +284,9 @@ ip_input(struct mbuf *m) u_short sum; int dchg = 0; /* dest changed after fw */ struct in_addr odst; /* original dst address */ -#ifdef FAST_IPSEC - struct m_tag *mtag; - struct tdb_ident *tdbi; - struct secpolicy *sp; - int s, error; -#endif /* FAST_IPSEC */ M_ASSERTPKTHDR(m); - + if (m->m_flags & M_FASTFWD_OURS) { /* * Firewall or NAT changed destination to local. @@ -399,20 +386,13 @@ tooshort: } else m_adj(m, ip->ip_len - m->m_pkthdr.len); } -#if defined(IPSEC) && !defined(IPSEC_FILTERGIF) - /* - * Bypass packet filtering for packets from a tunnel (gif). - */ - if (ipsec_getnhist(m)) - goto passin; -#endif -#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Bypass packet filtering for packets from a tunnel (gif). */ - if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + if (ip_ipsec_filtergif(m)) goto passin; -#endif +#endif /* IPSEC */ /* * Run through list of hooks for input packets. @@ -614,43 +594,10 @@ passin: ipstat.ips_cantforward++; m_freem(m); } else { -#ifdef IPSEC - /* - * Enforce inbound IPsec SPD. - */ - if (ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; +#if defined(IPSEC) || defined(FAST_IPSEC) + if (ip_ipsec_fwd(m)) goto bad; - } #endif /* IPSEC */ -#ifdef FAST_IPSEC - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - s = splnet(); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } - if (sp == NULL) { /* NB: can happen if error */ - splx(s); - /*XXX error stat???*/ - DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ - goto bad; - } - - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - splx(s); - if (error) { - ipstat.ips_cantforward++; - goto bad; - } -#endif /* FAST_IPSEC */ ip_forward(m, dchg); } return; @@ -691,57 +638,15 @@ ours: */ ip->ip_len -= hlen; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * enforce IPsec policy checking if we are seeing last header. * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 && - ipsec4_in_reject(m, NULL)) { - ipsecstat.in_polvio++; + if (ip_ipsec_input(m)) goto bad; - } -#endif -#ifdef FAST_IPSEC - /* - * enforce IPsec policy checking if we are seeing last header. - * note that we do not visit this with protocols with pcb layer - * code - like udp/tcp/raw ip. - */ - if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { - /* - * Check if the packet has already had IPsec processing - * done. If so, then just pass it along. This tag gets - * set during AH, ESP, etc. input handling, before the - * packet is returned to the ip input queue for delivery. - */ - mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); - s = splnet(); - if (mtag != NULL) { - tdbi = (struct tdb_ident *)(mtag + 1); - sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); - } else { - sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, - IP_FORWARDING, &error); - } - if (sp != NULL) { - /* - * Check security policy against packet attributes. - */ - error = ipsec_in_reject(sp, m); - KEY_FREESP(&sp); - } else { - /* XXX error stat??? */ - error = EINVAL; -DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ - goto bad; - } - splx(s); - if (error) - goto bad; - } -#endif /* FAST_IPSEC */ +#endif /* IPSEC */ /* * Switch out to protocol's input routine. @@ -1463,62 +1368,10 @@ ip_forward(struct mbuf *m, int srcrt) case EMSGSIZE: type = ICMP_UNREACH; code = ICMP_UNREACH_NEEDFRAG; -#if defined(IPSEC) || defined(FAST_IPSEC) - /* - * If the packet is routed over IPsec tunnel, tell the - * originator the tunnel MTU. - * tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz - * XXX quickhack!!! - */ - { - struct secpolicy *sp = NULL; - int ipsecerror; - int ipsechdr; - struct route *ro; - -#ifdef IPSEC - sp = ipsec4_getpolicybyaddr(mcopy, - IPSEC_DIR_OUTBOUND, - IP_FORWARDING, - &ipsecerror); -#else /* FAST_IPSEC */ - sp = ipsec_getpolicybyaddr(mcopy, - IPSEC_DIR_OUTBOUND, - IP_FORWARDING, - &ipsecerror); -#endif - if (sp != NULL) { - /* count IPsec header size */ - ipsechdr = ipsec4_hdrsiz(mcopy, - IPSEC_DIR_OUTBOUND, - NULL); - - /* - * find the correct route for outer IPv4 - * header, compute tunnel MTU. - */ - if (sp->req != NULL - && sp->req->sav != NULL - && sp->req->sav->sah != NULL) { - ro = &sp->req->sav->sah->sa_route; - if (ro->ro_rt && ro->ro_rt->rt_ifp) { - mtu = - ro->ro_rt->rt_rmx.rmx_mtu ? - ro->ro_rt->rt_rmx.rmx_mtu : - ro->ro_rt->rt_ifp->if_mtu; - mtu -= ipsechdr; - } - } -#ifdef IPSEC - key_freesp(sp); -#else /* FAST_IPSEC */ - KEY_FREESP(&sp); -#endif - ipstat.ips_cantfrag++; - break; - } -#endif /*IPSEC || FAST_IPSEC*/ +#if defined(IPSEC) || defined(FAST_IPSEC) + mtu = ip_ipsec_mtu(m); +#endif /* IPSEC */ /* * If the MTU wasn't set before use the interface mtu or * fall back to the next smaller mtu step compared to the @@ -1530,9 +1383,6 @@ ip_forward(struct mbuf *m, int srcrt) else mtu = ip_next_mtu(ip->ip_len, 0); } -#if defined(IPSEC) || defined(FAST_IPSEC) - } -#endif /*IPSEC || FAST_IPSEC*/ ipstat.ips_cantfrag++; break; |
