Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/raw_ip.c11
-rw-r--r--sys/netinet/tcp_input.c24
-rw-r--r--sys/netinet/tcp_reass.c24
-rw-r--r--sys/netinet/udp_usrreq.c11
4 files changed, 22 insertions, 48 deletions
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index eff86d3..fb95702 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
{
int policyfail = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
policyfail = 1;
+#ifdef IPSEC
ipsecstat.in_polvio++;
- /* do not inject data to pcb */
- }
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
- policyfail = 1;
/* do not inject data to pcb */
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;
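Review bot: In a FAST_IPSEC build the reject branch of raw_append sets `policyfail` but bumps no counter, and nothing next to the inner `#ifdef IPSEC` around `ipsecstat.in_polvio++` says why. This matches the removed FAST_IPSEC block, but anyone auditing drop accounting cannot tell whether the violation is counted elsewhere (presumably inside `ipsec4_in_reject()` for FAST_IPSEC; worth confirming) or not at all. Once confirmed, I would add a comment on the inner guard such as `/* KAME IPSEC only; FAST_IPSEC accounts for policy violations itself */`. The same applies to the nested guards in the tcp_input.c, tcp_reass.c and udp_usrreq.c hunks. raw_append's body continues outside the hunk.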
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -567,29 +567,21 @@ findpcb:
1, m->m_pkthdr.rcvif);
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
if (isipv6) {
if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
/*
* If the state is CLOSED (i.e., TCB does not exist) then
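Review bot: Both merged arms keep the `inp != NULL &&` short-circuit, so a segment with no matching PCB skips `ipsec6_in_reject()`/`ipsec4_in_reject()` entirely, and the hunk does not say where policy is enforced for it. The comment that follows suggests such segments fall into the CLOSED-state handling, but that code is outside the hunk and whether it is reached without any inbound policy check should be confirmed. I would document the intent at the guard, for example `/* no PCB: per-socket policy cannot be checked; segment is handled by the CLOSED path below */`, adjusted to whatever the surrounding code actually does. The tcp_reass.c hunk is identical and needs the same comment.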
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -567,29 +567,21 @@ findpcb:
1, m->m_pkthdr.rcvif);
}
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
if (isipv6) {
if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
goto drop;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
/*
* If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3852583..f0a01b2 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
struct sockaddr *append_sa;
struct mbuf *opts = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
+#ifdef IPSEC
ipsecstat.in_polvio++;
- m_freem(n);
- return;
- }
#endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
m_freem(n);
return;
}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
#ifdef MAC
if (mac_check_inpcb_deliver(last, n) != 0) {
m_freem(n);