Diffstat (limited to 'sys/netipsec/ipsec_input.c')
-rw-r--r-- | sys/netipsec/ipsec_input.c | 115 |
1 files changed, 58 insertions, 57 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index edd2223..0041698 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -54,6 +54,7 @@ #include <sys/socket.h> #include <sys/errno.h> #include <sys/syslog.h> +#include <sys/vimage.h> #include <net/if.h> #include <net/pfil.h> @@ -117,8 +118,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) u_int32_t spi; int error; - IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input, - ipcompstat.ipcomps_input); + IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, + V_ipcompstat.ipcomps_input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -126,19 +127,19 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) sproto == IPPROTO_IPCOMP, ("unexpected security protocol %u", sproto)); - if ((sproto == IPPROTO_ESP && !esp_enable) || - (sproto == IPPROTO_AH && !ah_enable) || - (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { + if ((sproto == IPPROTO_ESP && !V_esp_enable) || + (sproto == IPPROTO_AH && !V_ah_enable) || + (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, + V_ipcompstat.ipcomps_pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; } 
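Review bot: In the -126,19 hunk of ipsec_common_input, the retained short-packet check `if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t))` compares a signed difference with a `size_t`. `skip` is an `int` per the signature; assuming `m_pkthdr.len` is signed as well, a `skip` larger than the packet length gives a negative result that converts to a large unsigned value, so the drop path would not fire. Whether any caller can pass such a `skip` is not visible here, so treat this as hardening rather than a confirmed bug; `if (skip < 0 || m->m_pkthdr.len < skip || (size_t)(m->m_pkthdr.len - skip) < 2 * sizeof (u_int32_t))` removes the dependency on caller behaviour. The same subtraction pattern sits in the `sizeof(struct ip)` and `sizeof(struct ip6_hdr)` checks of the ipsec4_common_input_cb and ipsec6_common_input_cb hunks. The function body starts and ends outside this hunk.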
@@ -183,8 +184,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) default: DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf, - ipcompstat.ipcomps_nopf); + IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, + V_ipcompstat.ipcomps_nopf); return EPFNOSUPPORT; } @@ -194,8 +195,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb, - ipcompstat.ipcomps_notdb); + IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, + V_ipcompstat.ipcomps_notdb); m_freem(m); return ENOENT; } @@ -204,8 +205,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform, - ipcompstat.ipcomps_noxform); + IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, + V_ipcompstat.ipcomps_noxform); KEY_FREESAV(&sav); m_freem(m); return ENXIO; @@ -307,8 +308,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, - ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, + V_ipcompstat.ipcomps_badkcr); KEY_FREESAV(&sav); return EINVAL; } 
@@ -319,8 +320,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, DPRINTF(("%s: processing failed for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = ENOBUFS; goto bad; } @@ -341,9 +342,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -372,9 +373,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsp_address(saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, + V_ahstat.ahs_pdrops, + V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -385,9 +386,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -414,9 +415,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, - ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, + V_ahstat.ahs_pdrops, + V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } 
@@ -437,8 +438,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } @@ -478,8 +479,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, * Re-dispatch via software interrupt. */ if ((error = netisr_queue(NETISR_IP, m))) { - IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull, - ipcompstat.ipcomps_qfull); + IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, + V_ipcompstat.ipcomps_qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); @@ -532,9 +533,9 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto) if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain, protoff %u, " "l %u, off %u\n", __func__, protoff, l, *offp)); - IPSEC_ISTAT(proto, espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(proto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); m_freem(*mp); *mp = NULL; return IPPROTO_DONE; @@ -579,8 +580,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, - ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, + V_ipcompstat.ipcomps_badkcr); error = EINVAL; goto bad; } 
@@ -593,8 +594,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = EACCES; goto bad; } @@ -612,9 +613,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -639,8 +640,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTATsproto, (espstat.esps_pdrops, - ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + IPSEC_ISTATsproto, (V_espstat.esps_pdrops, + V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -652,9 +653,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -681,8 +682,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, - ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, + V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } 
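Review bot: The -639,8 hunk in ipsec6_common_input_cb carries the malformed macro call `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` onto the new side, changed only by the `V_` prefix; it should read `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`. Because the file presumably compiled before this change, the line is likely inside a preprocessor-disabled block that the hunk does not show, which means the rename here is not checked by the build. If that block is ever enabled, the inner-address policy check that returns `EACCES` would fail to compile at its drop counter, so it is worth fixing the call in the same pass. The enclosing block starts and ends outside the hunk.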
@@ -702,8 +703,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, - ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, + V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } @@ -751,8 +752,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto nest = 0; nxt = nxt8; while (nxt != IPPROTO_DONE) { - if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { - ip6stat.ip6s_toomanyhdr++; + if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { + V_ip6stat.ip6s_toomanyhdr++; error = EINVAL; goto bad; } @@ -762,7 +763,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto * more sanity checks in header chain processing. */ if (m->m_pkthdr.len < skip) { - ip6stat.ip6s_tooshort++; + V_ip6stat.ip6s_tooshort++; in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); error = EINVAL; goto bad; |