summaryrefslogtreecommitdiffstats
path: root/sys/netipsec/ipsec.c
diff options
context:
space:
mode:
Diffstat (limited to 'sys/netipsec/ipsec.c')
-rw-r--r--sys/netipsec/ipsec.c67
1 files changed, 36 insertions, 31 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index bf02f93..6738dbf 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -237,14 +237,14 @@ SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
#endif /* INET6 */
-static int ipsec_in_reject(struct secpolicy *, struct mbuf *);
-static int ipsec_setspidx_inpcb(struct mbuf *, struct inpcb *);
-static int ipsec_setspidx(struct mbuf *, struct secpolicyindex *, int);
-static void ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec4_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
+static int ipsec_in_reject(struct secpolicy *, const struct mbuf *);
+static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
+static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
+static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
#ifdef INET6
-static void ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec6_setspidx_ipaddr(struct mbuf *, struct secpolicyindex *);
+static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
+static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
#endif
static void ipsec_delpcbpolicy(struct inpcbpolicy *);
static struct secpolicy *ipsec_deepcopy_policy(struct secpolicy *src);
@@ -321,7 +321,8 @@ ipsec_getpolicy(struct tdb_ident *tdbi, u_int dir)
* NOTE: IPv6 mapped adddress concern is implemented here.
*/
static struct secpolicy *
-ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
+ipsec_getpolicybysock(const struct mbuf *m, u_int dir, struct inpcb *inp,
+ int *error)
{
struct inpcbpolicy *pcbsp;
struct secpolicy *currsp = NULL; /* Policy on socket. */
@@ -424,7 +425,7 @@ ipsec_getpolicybysock(struct mbuf *m, u_int dir, struct inpcb *inp, int *error)
* others : error occured.
*/
struct secpolicy *
-ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int *error)
+ipsec_getpolicybyaddr(const struct mbuf *m, u_int dir, int *error)
{
struct secpolicyindex spidx;
struct secpolicy *sp;
@@ -454,7 +455,8 @@ ipsec_getpolicybyaddr(struct mbuf *m, u_int dir, int *error)
}
struct secpolicy *
-ipsec4_checkpolicy(struct mbuf *m, u_int dir, int *error, struct inpcb *inp)
+ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
+ struct inpcb *inp)
{
struct secpolicy *sp;
@@ -496,7 +498,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, int *error, struct inpcb *inp)
}
static int
-ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
+ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
{
int error;
@@ -525,12 +527,13 @@ ipsec_setspidx_inpcb(struct mbuf *m, struct inpcb *inp)
* The caller is responsible for error recovery (like clearing up spidx).
*/
static int
-ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec_setspidx(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
{
- struct ip *ip = NULL;
struct ip ipbuf;
+ const struct ip *ip = NULL;
+ const struct mbuf *n;
u_int v;
- struct mbuf *n;
int len;
int error;
@@ -559,7 +562,7 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
}
if (m->m_len >= sizeof(*ip))
- ip = mtod(m, struct ip *);
+ ip = mtod(m, const struct ip *);
else {
m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
ip = &ipbuf;
@@ -595,7 +598,8 @@ ipsec_setspidx(struct mbuf *m, struct secpolicyindex *spidx, int needport)
}
static void
-ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
{
u_int8_t nxt;
int off;
@@ -605,7 +609,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
if (m->m_len >= sizeof (struct ip)) {
- struct ip *ip = mtod(m, struct ip *);
+ const struct ip *ip = mtod(m, const struct ip *);
if (ip->ip_off & htons(IP_MF | IP_OFFMASK))
goto done;
off = ip->ip_hl << 2;
@@ -670,7 +674,7 @@ done_proto:
/* Assumes that m is sane. */
static int
-ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
+ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
{
static const struct sockaddr_in template = {
sizeof (struct sockaddr_in),
@@ -689,7 +693,7 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
sizeof (struct in_addr),
(caddr_t) &spidx->dst.sin.sin_addr);
} else {
- struct ip *ip = mtod(m, struct ip *);
+ const struct ip *ip = mtod(m, const struct ip *);
spidx->src.sin.sin_addr = ip->ip_src;
spidx->dst.sin.sin_addr = ip->ip_dst;
}
@@ -702,7 +706,8 @@ ipsec4_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
#ifdef INET6
static void
-ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
+ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
+ int needport)
{
int off, nxt;
struct tcphdr th;
@@ -766,14 +771,14 @@ ipsec6_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport)
/* Assumes that m is sane. */
static int
-ipsec6_setspidx_ipaddr(struct mbuf *m, struct secpolicyindex *spidx)
+ipsec6_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
{
- struct ip6_hdr *ip6 = NULL;
struct ip6_hdr ip6buf;
+ const struct ip6_hdr *ip6 = NULL;
struct sockaddr_in6 *sin6;
if (m->m_len >= sizeof(*ip6))
- ip6 = mtod(m, struct ip6_hdr *);
+ ip6 = mtod(m, const struct ip6_hdr *);
else {
m_copydata(m, 0, sizeof(ip6buf), (caddr_t)&ip6buf);
ip6 = &ip6buf;
@@ -1198,7 +1203,7 @@ ipsec_get_reqlevel(struct ipsecrequest *isr)
* 1: invalid
*/
static int
-ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
+ipsec_in_reject(struct secpolicy *sp, const struct mbuf *m)
{
struct ipsecrequest *isr;
int need_auth;
@@ -1269,7 +1274,7 @@ ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
* Non zero return value means security policy DISCARD or policy violation.
*/
static int
-ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec46_in_reject(const struct mbuf *m, struct inpcb *inp)
{
struct secpolicy *sp;
int error;
@@ -1301,7 +1306,7 @@ ipsec46_in_reject(struct mbuf *m, struct inpcb *inp)
* and {ah,esp}4_input for tunnel mode.
*/
int
-ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp)
{
int result;
@@ -1319,7 +1324,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp)
* and {ah,esp}6_input for tunnel mode.
*/
int
-ipsec6_in_reject(struct mbuf *m, struct inpcb *inp)
+ipsec6_in_reject(const struct mbuf *m, struct inpcb *inp)
{
int result;
@@ -1399,7 +1404,7 @@ ipsec_hdrsiz_internal(struct secpolicy *sp)
* disabled ip6_ipsec_mtu() and ip6_forward().
*/
size_t
-ipsec_hdrsiz(struct mbuf *m, u_int dir, struct inpcb *inp)
+ipsec_hdrsiz(const struct mbuf *m, u_int dir, struct inpcb *inp)
{
struct secpolicy *sp;
int error;
@@ -1647,16 +1652,16 @@ ipsec_logsastr(struct secasvar *sav, char *buf, size_t size)
}
void
-ipsec_dumpmbuf(struct mbuf *m)
+ipsec_dumpmbuf(const struct mbuf *m)
{
+ const u_char *p;
int totlen;
int i;
- u_char *p;
totlen = 0;
printf("---\n");
while (m) {
- p = mtod(m, u_char *);
+ p = mtod(m, const u_char *);
for (i = 0; i < m->m_len; i++) {
printf("%02x ", p[i]);
totlen++;
OpenPOWER on IntegriCloud