Diffstat (limited to 'sys/netinet6/esp_input.c')
-rw-r--r--sys/netinet6/esp_input.c36
1 files changed, 10 insertions, 26 deletions
diff --git a/sys/netinet6/esp_input.c b/sys/netinet6/esp_input.c
index 6a66450..4351ac5 100644
--- a/sys/netinet6/esp_input.c
+++ b/sys/netinet6/esp_input.c
@@ -1,5 +1,5 @@
/* $FreeBSD$ */
-/* $KAME: esp_input.c,v 1.55 2001/03/23 08:08:47 itojun Exp $ */
+/* $KAME: esp_input.c,v 1.62 2002/01/07 11:39:57 kjc Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -197,7 +197,7 @@ esp4_input(m, off)
* check for sequence number.
*/
if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
- ; /*okey*/
+ ; /* okey */
else {
ipsecstat.in_espreplay++;
ipseclog((LOG_WARNING,
@@ -328,7 +328,7 @@ noreplaycheck:
taillen = esptail.esp_padlen + sizeof(esptail);
if (m->m_pkthdr.len < taillen
- || m->m_pkthdr.len - taillen < hlen) { /*?*/
+ || m->m_pkthdr.len - taillen < hlen) { /* ? */
ipseclog((LOG_WARNING,
"bad pad length in IPv4 ESP input: %s %s\n",
ipsec4_logpacketstr(ip, spi), ipsec_logsastr(sav)));
@@ -377,14 +377,6 @@ noreplaycheck:
goto bad;
}
-#if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */
- /* drop it if it does not match the default policy */
- if (ipsec4_in_reject(m, NULL)) {
- ipsecstat.in_polvio++;
- goto bad;
- }
-#endif
-
key_sa_recordxfer(sav, m);
if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 ||
ipsec_addhist(m, IPPROTO_IPV4, 0) != 0) {
@@ -398,7 +390,7 @@ noreplaycheck:
goto bad;
}
m = NULL;
- schednetisr(NETISR_IP); /*can be skipped but to make sure*/
+ schednetisr(NETISR_IP); /* can be skipped but to make sure */
nxt = IPPROTO_DONE;
} else {
/*
@@ -560,7 +552,7 @@ esp6_input(mp, offp, proto)
* check for sequence number.
*/
if (ipsec_chkreplay(ntohl(((struct newesp *)esp)->esp_seq), sav))
- ; /*okey*/
+ ; /* okey */
else {
ipsec6stat.in_espreplay++;
ipseclog((LOG_WARNING,
@@ -645,7 +637,7 @@ noreplaycheck:
}
#ifndef PULLDOWN_TEST
- IP6_EXTHDR_CHECK(m, off, esplen + ivlen, IPPROTO_DONE); /*XXX*/
+ IP6_EXTHDR_CHECK(m, off, esplen + ivlen, IPPROTO_DONE); /* XXX */
#else
IP6_EXTHDR_GET(esp, struct esp *, m, off, esplen + ivlen);
if (esp == NULL) {
@@ -654,7 +646,7 @@ noreplaycheck:
goto bad;
}
#endif
- ip6 = mtod(m, struct ip6_hdr *); /*set it again just in case*/
+ ip6 = mtod(m, struct ip6_hdr *); /* set it again just in case */
/*
* pre-compute and cache intermediate key
@@ -690,7 +682,7 @@ noreplaycheck:
taillen = esptail.esp_padlen + sizeof(esptail);
if (m->m_pkthdr.len < taillen
- || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /*?*/
+ || m->m_pkthdr.len - taillen < sizeof(struct ip6_hdr)) { /* ? */
ipseclog((LOG_WARNING,
"bad pad length in IPv6 ESP input: %s %s\n",
ipsec6_logpacketstr(ip6, spi), ipsec_logsastr(sav)));
@@ -712,7 +704,7 @@ noreplaycheck:
* XXX more sanity checks
* XXX relationship with gif?
*/
- u_int32_t flowinfo; /*net endian*/
+ u_int32_t flowinfo; /* net endian */
flowinfo = ip6->ip6_flow;
m_adj(m, off + esplen + ivlen);
if (m->m_len < sizeof(*ip6)) {
@@ -743,14 +735,6 @@ noreplaycheck:
goto bad;
}
-#if 0 /* XXX should call ipfw rather than ipsec_in_reject, shouldn't it ? */
- /* drop it if it does not match the default policy */
- if (ipsec6_in_reject(m, NULL)) {
- ipsec6stat.in_polvio++;
- goto bad;
- }
-#endif
-
key_sa_recordxfer(sav, m);
if (ipsec_addhist(m, IPPROTO_ESP, spi) != 0 ||
ipsec_addhist(m, IPPROTO_IPV6, 0) != 0) {
@@ -764,7 +748,7 @@ noreplaycheck:
goto bad;
}
m = NULL;
- schednetisr(NETISR_IPV6); /*can be skipped but to make sure*/
+ schednetisr(NETISR_IPV6); /* can be skipped but to make sure */
nxt = IPPROTO_DONE;
} else {
/*