Diffstat (limited to 'sys/netinet/ip_ipsec.c')
-rw-r--r-- | sys/netinet/ip_ipsec.c | 196 |
1 files changed, 2 insertions, 194 deletions
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 296da69..f240b41 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -55,16 +55,6 @@
 #include <machine/in_cksum.h>
-#ifdef IPSEC
-#include <netinet6/ipsec.h>
-#include <netkey/key.h>
-#ifdef IPSEC_DEBUG
-#include <netkey/key_debug.h>
-#else
-#define KEYDEBUG(lev,arg)
-#endif
-#endif /*IPSEC*/
-
 #ifdef FAST_IPSEC
 #include <netipsec/ipsec.h>
 #include <netipsec/xform.h>
@@ -81,13 +71,6 @@ extern struct protosw inetsw[];
 int
 ip_ipsec_filtergif(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
- /*
- * Bypass packet filtering for packets from a tunnel (gif).
- */
- if (ipsec_getnhist(m))
- return 1;
-#endif
 #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
 /*
 * Bypass packet filtering for packets from a tunnel (gif).
@@ -112,17 +95,7 @@ ip_ipsec_fwd(struct mbuf *m)
 struct tdb_ident *tdbi;
 struct secpolicy *sp;
 int s, error;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /*
- * Enforce inbound IPsec SPD.
- */
- if (ipsec4_in_reject(m, NULL)) {
- ipsecstat.in_polvio++;
- return 1;
- }
-#endif /* IPSEC */
-#ifdef FAST_IPSEC
+
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
 s = splnet();
 if (mtag != NULL) {
@@ -169,20 +142,6 @@ ip_ipsec_input(struct mbuf *m)
 struct tdb_ident *tdbi;
 struct secpolicy *sp;
 int s, error;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /*
- * enforce IPsec policy checking if we are seeing last header.
- * note that we do not visit this with protocols with pcb layer
- * code - like udp/tcp/raw ip.
- */
- if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
- ipsec4_in_reject(m, NULL)) {
- ipsecstat.in_polvio++;
- return 1;
- }
-#endif
-#ifdef FAST_IPSEC
 /*
 * enforce IPsec policy checking if we are seeing last header.
 * note that we do not visit this with protocols with pcb layer
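Review bot: With the `#ifdef IPSEC` block deleted, ip_ipsec_fwd enforces the inbound SPD only inside the surrounding FAST_IPSEC block (the removed `#endif /* FAST_IPSEC */` / `#ifdef FAST_IPSEC` pair shows that is what now encloses the `ipsec4_in_reject` replacement), so a kernel still configured with the old `IPSEC` option but without `FAST_IPSEC` would compile this function, ip_ipsec_input in the next hunk and ip_ipsec_output in the last hunk with the policy check silently compiled out instead of failing the build. Unless the stale option is already rejected by the kernel option handling, which this diff does not show, a guard next to the FAST_IPSEC includes in the first hunk would make the removal fail closed: `#if defined(IPSEC) && !defined(FAST_IPSEC)` / `#error "IPSEC has been removed; build with FAST_IPSEC"` / `#endif`. The blank `+` line is fine as a separator after the declarations. ip_ipsec_fwd's body begins and ends outside this hunk.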
@@ -243,17 +202,10 @@ ip_ipsec_mtu(struct mbuf *m)
 int ipsecerror;
 int ipsechdr;
 struct route *ro;
-#ifdef IPSEC
- sp = ipsec4_getpolicybyaddr(m,
- IPSEC_DIR_OUTBOUND,
- IP_FORWARDING,
- &ipsecerror);
-#else /* FAST_IPSEC */
 sp = ipsec_getpolicybyaddr(m,
 IPSEC_DIR_OUTBOUND,
 IP_FORWARDING,
 &ipsecerror);
-#endif
 if (sp != NULL) {
 /* count IPsec header size */
 ipsechdr = ipsec4_hdrsiz(m,
@@ -276,11 +228,7 @@ ip_ipsec_mtu(struct mbuf *m)
 mtu -= ipsechdr;
 }
 }
-#ifdef IPSEC
- key_freesp(sp);
-#else /* FAST_IPSEC */
 KEY_FREESP(&sp);
-#endif
 }
 return mtu;
 }
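Review bot: The surviving `sp = ipsec_getpolicybyaddr(m,` call keeps the four-line argument layout that only existed to mirror the deleted KAME variant; now that it is the sole path it reads better as a single statement, `sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING, &ipsecerror);`. Within this hunk `ipsecerror` is written by the lookup but never read, so a failed lookup and "no policy" both skip the `if (sp != NULL)` block and return the unadjusted MTU; if the rest of ip_ipsec_mtu does not inspect it either, a short comment stating that this fallback is intentional (the MTU is merely not reduced) would save the next reader from wondering whether an error was dropped. The second hunk, which leaves only `KEY_FREESP(&sp);`, needs nothing. ip_ipsec_mtu's body starts before the first hunk.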
@@ -296,152 +244,12 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
 struct route **ro, struct route *iproute, struct sockaddr_in **dst,
 struct in_ifaddr **ia, struct ifnet **ifp)
 {
+#ifdef FAST_IPSEC
 struct secpolicy *sp = NULL;
 struct ip *ip = mtod(*m, struct ip *);
-#ifdef IPSEC
- struct ipsec_output_state state;
-#endif
-#ifdef FAST_IPSEC
 struct tdb_ident *tdbi;
 struct m_tag *mtag;
 int s;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- /* get SP for this packet */
- if (inp == NULL)
- sp = ipsec4_getpolicybyaddr(*m, IPSEC_DIR_OUTBOUND,
- *flags, error);
- else
- sp = ipsec4_getpolicybypcb(*m, IPSEC_DIR_OUTBOUND, inp, error);
-
- if (sp == NULL) {
- ipsecstat.out_inval++;
- goto bad;
- }
-
- /* check policy */
- switch (sp->policy) {
- case IPSEC_POLICY_DISCARD:
- /*
- * This packet is just discarded.
- */
- ipsecstat.out_polvio++;
- goto bad;
-
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- case IPSEC_POLICY_TCP:
- /* no need to do IPsec. */
- goto done;
-
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) {
- /* acquire a policy */
- *error = key_spdacquire(sp);
- goto bad;
- }
- break;
-
- case IPSEC_POLICY_ENTRUST:
- default:
- printf("%s: Invalid policy found. %d\n", __func__, sp->policy);
- }
-
- bzero(&state, sizeof(state));
- state.m = *m;
- if (*flags & IP_ROUTETOIF) {
- state.ro = iproute;
- bzero(iproute, sizeof(iproute));
- } else
- state.ro = *ro;
- state.dst = (struct sockaddr *)(*dst);
-
- ip->ip_sum = 0;
-
- /*
- * XXX
- * delayed checksums are not currently compatible with IPsec
- */
- if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
- in_delayed_cksum(*m);
- (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
- }
-
- ip->ip_len = htons(ip->ip_len);
- ip->ip_off = htons(ip->ip_off);
-
- *error = ipsec4_output(&state, sp, *flags);
-
- *m = state.m;
- if (*flags & IP_ROUTETOIF) {
- /*
- * if we have tunnel mode SA, we may need to ignore
- * IP_ROUTETOIF.
- */
- if (state.ro != iproute || state.ro->ro_rt != NULL) {
- *flags &= ~IP_ROUTETOIF;
- *ro = state.ro;
- }
- } else
- *ro = state.ro;
- *dst = (struct sockaddr_in *)state.dst;
- if (*error != 0) {
- /* mbuf is already reclaimed in ipsec4_output. */
- *m = NULL;
- switch (*error) {
- case EHOSTUNREACH:
- case ENETUNREACH:
- case EMSGSIZE:
- case ENOBUFS:
- case ENOMEM:
- break;
- default:
- printf("ip4_output (ipsec): error code %d\n", *error);
- /*fall through*/
- case ENOENT:
- /* don't show these error codes to the user */
- *error = 0;
- break;
- }
- goto bad;
- }
-
- /* be sure to update variables that are affected by ipsec4_output() */
- if ((*ro)->ro_rt == NULL) {
- if ((*flags & IP_ROUTETOIF) == 0) {
- printf("ip_output: "
- "can't update route after IPsec processing\n");
- *error = EHOSTUNREACH; /*XXX*/
- goto bad;
- }
- } else {
- if (state.encap) {
- *ia = ifatoia((*ro)->ro_rt->rt_ifa);
- *ifp = (*ro)->ro_rt->rt_ifp;
- }
- }
- ip = mtod(*m, struct ip *);
-
- /* make it flipped, again. */
- ip->ip_len = ntohs(ip->ip_len);
- ip->ip_off = ntohs(ip->ip_off);
-
-done:
- if (sp != NULL) {
- KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP ip_output call free SP:%p\n", sp));
- key_freesp(sp);
- }
- return 0;
-bad:
- if (sp != NULL) {
- KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
- printf("DP ip_output call free SP:%p\n", sp));
- key_freesp(sp);
- }
- return 1;
-#endif /*IPSEC*/
-#ifdef FAST_IPSEC
 /*
 * Check the security policy (SP) for the packet and, if
 * required, do IPsec-related processing. There are two |
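Review bot: The added `#ifdef FAST_IPSEC` now opens immediately after the `{` of ip_ipsec_output, ahead of `struct secpolicy *sp = NULL;`, so in a build without FAST_IPSEC every parameter from `m` through `ifp` is unused and the function's return value depends on an `#else`/`#endif` that lies beyond this hunk; please confirm that path still returns and that the unused-parameter warnings are acceptable, since the diff does not show it. Because the directive now hides the entire body rather than one branch, a one-line comment above it such as `/* Without FAST_IPSEC the whole body compiles out; the matching #endif closes the function. */` would spare the next reader a search for the closing directive. ip_ipsec_output's body continues past the end of the hunk.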