From 92aaace6046096db0cee26a2d09ade66657e9b41 Mon Sep 17 00:00:00 2001
From: ume
Date: Tue, 17 Feb 2004 14:02:37 +0000
Subject: IPSEC and FAST_IPSEC have the same internal API now; so merge these (IPSEC has an extra ipsecstat)

Submitted by: "Bjoern A. Zeeb"
---
 sys/netinet/raw_ip.c | 11 +++--------
 sys/netinet/tcp_input.c | 24 ++++++++----------------
 sys/netinet/tcp_reass.c | 24 ++++++++----------------
 sys/netinet/udp_usrreq.c | 11 +++--------
 sys/netinet6/ip6_output.c | 8 ++------
 sys/netinet6/raw_ip6.c | 27 ++++++---------------------
 sys/netinet6/udp6_usrreq.c | 42 ++++++++++++------------------------------
 7 files changed, 42 insertions(+), 105 deletions(-)
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index eff86d3..fb95702 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) { int policyfail = 0; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, last)) { policyfail = 1; +#ifdef IPSEC ipsecstat.in_polvio++; - /* do not inject data to pcb */ - } #endif /*IPSEC*/ -#ifdef FAST_IPSEC - /* check AH/ESP integrity. */ - if (ipsec4_in_reject(n, last)) { - policyfail = 1; /* do not inject data to pcb */ } -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ #ifdef MAC if (!policyfail && mac_check_inpcb_deliver(last, n) != 0) policyfail = 1;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
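Review bot: In raw_append, a FAST_IPSEC kernel still rejects the packet without recording it anywhere, because the merged block bumps `ipsecstat.in_polvio` only under the inner `#ifdef IPSEC`; inbound policy violations are then invisible to anyone watching the counters. The same inner guard appears in the tcp_input.c, tcp_reass.c, udp_usrreq.c, raw_ip6.c and udp6_usrreq.c hunks. If FAST_IPSEC has an equivalent inbound policy-violation counter, an `#else` arm should increment it at each site; failing that, a comment such as `/* FAST_IPSEC: rejected packets are not counted here */` would make the gap explicit. raw_append's body continues past the end of the hunk.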
@@ -567,29 +567,21 @@ findpcb: 1, m->m_pkthdr.rcvif); } -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) if (isipv6) { if (inp != NULL && ipsec6_in_reject(m, inp)) { +#ifdef IPSEC ipsec6stat.in_polvio++; +#endif /*IPSEC*/ goto drop; } - } else { - if (inp != NULL && ipsec4_in_reject(m, inp)) { - ipsecstat.in_polvio++; - goto drop; - } - } -#endif -#ifdef FAST_IPSEC - if (isipv6) { - if (inp != NULL && ipsec6_in_reject(m, inp)) { - goto drop; - } - } else - if (inp != NULL && ipsec4_in_reject(m, inp)) { + } else if (inp != NULL && ipsec4_in_reject(m, inp)) { +#ifdef IPSEC + ipsecstat.in_polvio++; +#endif /*IPSEC*/ goto drop; } -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ /* * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -567,29 +567,21 @@ findpcb: 1, m->m_pkthdr.rcvif); } -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) if (isipv6) { if (inp != NULL && ipsec6_in_reject(m, inp)) { +#ifdef IPSEC ipsec6stat.in_polvio++; +#endif /*IPSEC*/ goto drop; } - } else { - if (inp != NULL && ipsec4_in_reject(m, inp)) { - ipsecstat.in_polvio++; - goto drop; - } - } -#endif -#ifdef FAST_IPSEC - if (isipv6) { - if (inp != NULL && ipsec6_in_reject(m, inp)) { - goto drop; - } - } else - if (inp != NULL && ipsec4_in_reject(m, inp)) { + } else if (inp != NULL && ipsec4_in_reject(m, inp)) { +#ifdef IPSEC + ipsecstat.in_polvio++; +#endif /*IPSEC*/ goto drop; } -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ /* * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3852583..f0a01b2 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
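Review bot: The merged block after `findpcb:` in tcp_input.c carries no comment, although every other policy check in this commit is labelled `check AH/ESP integrity`, and nothing explains why the check is conditional on `inp != NULL`. As written, a segment that matched no PCB skips `ipsec4_in_reject`/`ipsec6_in_reject` entirely and, judging by the trailing context, continues into the CLOSED-state handling. I would add above the `#if` something like `/* Inbound IPsec policy is per-PCB: segments with no matching PCB are not checked here and fall through to the CLOSED-state code below. */`. The tcp_reass.c hunk is identical (same blob ids in its index line) and needs the same comment; the enclosing function starts and ends outside both hunks.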
@@ -453,21 +453,16 @@ udp_append(last, ip, n, off) struct sockaddr *append_sa; struct mbuf *opts = 0; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, last)) { +#ifdef IPSEC ipsecstat.in_polvio++; - m_freem(n); - return; - } #endif /*IPSEC*/ -#ifdef FAST_IPSEC - /* check AH/ESP integrity. */ - if (ipsec4_in_reject(n, last)) { m_freem(n); return; } -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ #ifdef MAC if (mac_check_inpcb_deliver(last, n) != 0) { m_freem(n);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 1b30fa7..2dd5fc9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -185,14 +185,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) struct route_in6 *ro_pmtu = NULL; int hdrsplit = 0; int needipsec = 0; -#ifdef FAST_IPSEC - int needipsectun = 0; - struct secpolicy *sp = NULL; -#endif /* FAST_IPSEC */ -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) int needipsectun = 0; struct secpolicy *sp = NULL; -#endif /* IPSEC */ +#endif /*IPSEC || FAST_IPSEC*/ ip6 = mtod(m, struct ip6_hdr *); finaldst = ip6->ip6_dst;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 00205ff..03b9a41 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -176,25 +176,18 @@ rip6_input(mp, offp, proto) if (last) { struct mbuf *n = m_copy(m, 0, (int)M_COPYALL); -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Check AH/ESP integrity. */ if (n && ipsec6_in_reject(n, last)) { m_freem(n); +#ifdef IPSEC ipsec6stat.in_polvio++; - /* do not inject data into pcb */ - } else #endif /*IPSEC*/ -#ifdef FAST_IPSEC - /* - * Check AH/ESP integrity. - */ - if (n && ipsec6_in_reject(n, last)) { - m_freem(n); /* do not inject data into pcb */ } else -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ if (n) { if (last->in6p_flags & IN6P_CONTROLOPTS || last->in6p_socket->so_options & SO_TIMESTAMP)
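Review bot: In the first raw_ip6.c hunk (rip6_input), the reject arm ends in `} else` directly before `#endif /*IPSEC || FAST_IPSEC*/`, so the following `if (n) {` is an else-branch in IPsec kernels and a free-standing statement otherwise. A statement later inserted between the `#endif` and `if (n)` would become the else-body, and the delivery code would then run on an `n` that was already freed. I would add `n = NULL;` after `m_freem(n);` and close the arm with a plain `}`, so that `if (n)` alone decides delivery in every configuration; this assumes the `if (n)` block has no `else` of its own, which the hunk does not show. The second raw_ip6.c hunk and the first udp6_usrreq.c hunk have the same shape and need an analogous change, and rip6_input's body extends beyond the hunk.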
@@ -215,27 +208,19 @@ rip6_input(mp, offp, proto) } last = in6p; } -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Check AH/ESP integrity. */ if (last && ipsec6_in_reject(m, last)) { m_freem(m); +#ifdef IPSEC ipsec6stat.in_polvio++; - ip6stat.ip6s_delivered--; - /* do not inject data into pcb */ - } else #endif /*IPSEC*/ -#ifdef FAST_IPSEC - /* - * Check AH/ESP integrity. - */ - if (last && ipsec6_in_reject(m, last)) { - m_freem(m); ip6stat.ip6s_delivered--; /* do not inject data into pcb */ } else -#endif /*FAST_IPSEC*/ +#endif /*IPSEC || FAST_IPSEC*/ if (last) { if (last->in6p_flags & IN6P_CONTROLOPTS || last->in6p_socket->so_options & SO_TIMESTAMP)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index f8b4890..530446e 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -239,23 +239,17 @@ udp6_input(mp, offp, proto) if (last != NULL) { struct mbuf *n; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject(m, last)) + if (ipsec6_in_reject(m, last)) { +#ifdef IPSEC ipsec6stat.in_polvio++; - /* do not inject data into pcb */ - else #endif /* IPSEC */ -#ifdef FAST_IPSEC - /* - * Check AH/ESP integrity. - */ - if (ipsec6_in_reject(m, last)) - ; - else -#endif /* FAST_IPSEC */ + /* do not inject data into pcb */ + } else +#endif /*IPSEC || FAST_IPSEC*/ if ((n = m_copy(m, 0, M_COPYALL)) != NULL) { /* * KAME NOTE: do not
@@ -305,23 +299,17 @@ udp6_input(mp, offp, proto) udpstat.udps_noportmcast++; goto bad; } -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Check AH/ESP integrity. */ if (ipsec6_in_reject(m, last)) { +#ifdef IPSEC ipsec6stat.in_polvio++; - goto bad; - } #endif /* IPSEC */ -#ifdef FAST_IPSEC - /* - * Check AH/ESP integrity. - */ - if (ipsec6_in_reject(m, last)) { goto bad; } -#endif /* FAST_IPSEC */ +#endif /*IPSEC || FAST_IPSEC*/ if (last->in6p_flags & IN6P_CONTROLOPTS || last->in6p_socket->so_options & SO_TIMESTAMP) ip6_savecontrol(last, m, &opts);
@@ -361,23 +349,17 @@ udp6_input(mp, offp, proto) icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0); return IPPROTO_DONE; } -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) /* * Check AH/ESP integrity. */ if (ipsec6_in_reject(m, in6p)) { +#ifdef IPSEC ipsec6stat.in_polvio++; - goto bad; - } #endif /* IPSEC */ -#ifdef FAST_IPSEC - /* - * Check AH/ESP integrity. - */ - if (ipsec6_in_reject(m, in6p)) { goto bad; } -#endif /* FAST_IPSEC */ +#endif /*IPSEC || FAST_IPSEC*/ /* * Construct sockaddr format source address.
-- cgit v1.1