From d28e675043d30fd2673b02842a810b8aec8b1696 Mon Sep 17 00:00:00 2001
From: bz
Date: Wed, 27 Apr 2011 19:28:42 +0000
Subject: Make IPsec compile without INET adding appropriate #ifdef checks. Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
---
sys/netinet6/ip6_ipsec.c | 6 +++++
sys/netipsec/ipsec_input.c | 2 ++
sys/netipsec/ipsec_output.c | 24 +++++++++++++++++-
sys/netipsec/key.c | 2 +-
sys/netipsec/xform_ah.c | 31 +++++++++++++----------
sys/netipsec/xform_esp.c | 29 +++++++++++----------
sys/netipsec/xform_ipcomp.c | 29 +++++++++++----------
sys/netipsec/xform_ipip.c | 62 ++++++++++++++++++++++++++++-----------------
8 files changed, 118 insertions(+), 67 deletions(-)
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index 96b09ef..8731e12 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -30,6 +30,7 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h"
@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include
@@ -291,7 +293,11 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error, * this is done in the normal processing path. */ if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + ipseclog((LOG_DEBUG, + "%s: we do not support IPv4 over IPv6", __func__)); +#ifdef INET in_delayed_cksum(*m); +#endif (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; }
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 9b02247..a004aef 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
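Review bot: In the last ip6_ipsec.c hunk the added `ipseclog()` sits outside the new `#ifdef INET`, so a kernel built with INET logs "we do not support IPv4 over IPv6" and then calls `in_delayed_cksum(*m)` anyway, which makes the message misleading in the logs. It would read better in an `#else` branch of that `#ifdef INET`, and the format string has no trailing `\n`, unlike the `DPRINTF` this commit adds in ipsec_output.c. Without INET the code still clears `CSUM_DELAY_DATA` although no checksum was computed; a comment such as `/* no INET: checksum is not filled in, packet leaves as is */` would tell the reader whether that is intended. `ip6_ipsec_output` starts and ends outside the hunk.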
@@ -119,9 +119,11 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) struct secasvar *sav; u_int32_t spi; int error; +#ifdef INET #ifdef IPSEC_NAT_T struct m_tag *tag; #endif +#endif IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, V_ipcompstat.ipcomps_input);
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 7c21d83..d10523d 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -165,7 +165,29 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) */ if (isr->next) { V_ipsec4stat.ips_out_bundlesa++; - return ipsec4_process_packet(m, isr->next, 0, 0); + sav = isr->next->sav; + saidx = &sav->sah->saidx; + switch (saidx->dst.sa.sa_family) { +#ifdef INET + case AF_INET: + return ipsec4_process_packet(m, isr->next, 0, 0); + /* NOTREACHED */ +#endif +#ifdef notyet +#ifdef INET6 + case AF_INET6: + /* XXX */ + ipsec6_output_trans() + ipsec6_output_tunnel() + /* NOTREACHED */ +#endif /* INET6 */ +#endif + default: + DPRINTF(("%s: unknown protocol family %u\n", __func__, + saidx->dst.sa.sa_family)); + error = ENXIO; + goto bad; + } } key_sa_recordxfer(sav, m); /* record data transfer */
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index 7329539..2c3f111 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -73,7 +73,7 @@ #include #endif /* INET6 */ -#ifdef INET +#if defined(INET) || defined(INET6) #include #endif #ifdef INET6
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 726e025..fe53bd0 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -91,6 +91,7 @@ VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ VNET_DEFINE(struct ahstat, ahstat); +#ifdef INET SYSCTL_DECL(_net_inet_ah); SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
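Review bot: In the ipsec_output.c hunk, `ipsec_process_done` now reads `isr->next->sav` and then `sav->sah->saidx` with no NULL check, and nothing in the hunk shows that the next request's SA has already been looked up at this point; if it can still be unset here, this is a NULL dereference in the kernel output path. Either guard it, e.g. `if (isr->next->sav == NULL) { error = ENXIO; goto bad; }`, or add a comment stating why the pointer is always valid here. `V_ipsec4stat.ips_out_bundlesa++` also runs before the family check, so packets that take the `default:` error arm are counted as bundled output. The function starts and ends outside the hunk, so `error`, `saidx` and the `bad:` label are assumed to be declared there.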
@@ -98,6 +99,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); +#endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
@@ -724,19 +726,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return ah_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * AH input callback from the crypto driver. */
@@ -873,7 +862,21 @@ ah_input_cb(struct cryptop *crp) goto bad; } - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error;
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 97eeefd..d6d1fb9 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
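Review bot: The `default:` arm added to the switch in `ah_input_cb` calls `panic()` when `saidx->dst.sa.sa_family` is a family that was not compiled in, so a kernel built without INET that holds an AF_INET SA would go down while handling a received packet, where the removed macro used the IPv4 path for anything that was not AF_INET6. Unless SA installation is known to reject unsupported families (not visible in this diff), failing the packet is the safer choice: `default: error = EAFNOSUPPORT; goto bad;`, with the message kept as a `DPRINTF`. The same arm is added to `esp_input_cb` in xform_esp.c and `ipcomp_input_cb` in xform_ipcomp.c. The callbacks start and end outside these hunks, so the `bad:` cleanup is assumed from the `goto bad;` visible in the context lines.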
@@ -451,19 +451,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return esp_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * ESP input callback from the crypto driver. */
@@ -647,7 +634,21 @@ esp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error;
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 41381e7..40ab951 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -213,19 +213,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return crypto_dispatch(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * IPComp input callback from the crypto driver. */
@@ -316,7 +303,21 @@ ipcomp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error;
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 78ab097..8639c82 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -412,8 +412,10 @@ ipip_output( u_int8_t tp, otos; struct secasindex *saidx; int error; -#ifdef INET +#if defined(INET) || defined(INET6) u_int8_t itos; +#endif +#ifdef INET struct ip *ipo; #endif /* INET */ #ifdef INET6
@@ -466,7 +468,8 @@ ipip_output( ipo->ip_id = ip_newid(); /* If the inner protocol is IP... */ - if (tp == IPVERSION) { + switch (tp) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_tos),
@@ -484,9 +487,10 @@ ipip_output( ipo->ip_off = ntohs(ipo->ip_off); ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); ipo->ip_off = htons(ipo->ip_off); - } + break; #ifdef INET6 - else if (tp == (IPV6_VERSION >> 4)) { + case (IPV6_VERSION >> 4): + { u_int32_t itos32; /* Save ECN notification. */
@@ -496,9 +500,10 @@ ipip_output( itos = ntohl(itos32) >> 20; ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; + break; } #endif /* INET6 */ - else { + default: goto nofamily; }
@@ -547,8 +552,9 @@ ipip_output( ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; ip6o->ip6_src = saidx->src.sin6.sin6_addr; + switch (tp) { #ifdef INET - if (tp == IPVERSION) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip, ip_tos), sizeof(u_int8_t),
@@ -556,21 +562,23 @@ ipip_output( /* This is really IPVERSION. */ ip6o->ip6_nxt = IPPROTO_IPIP; - } else + break; #endif /* INET */ - if (tp == (IPV6_VERSION >> 4)) { - u_int32_t itos32; - - /* Save ECN notification. */ - m_copydata(m, sizeof(struct ip6_hdr) + - offsetof(struct ip6_hdr, ip6_flow), - sizeof(u_int32_t), (caddr_t) &itos32); - itos = ntohl(itos32) >> 20; - - ip6o->ip6_nxt = IPPROTO_IPV6; - } else { - goto nofamily; - } + case (IPV6_VERSION >> 4): + { + u_int32_t itos32; + + /* Save ECN notification. */ + m_copydata(m, sizeof(struct ip6_hdr) + + offsetof(struct ip6_hdr, ip6_flow), + sizeof(u_int32_t), (caddr_t) &itos32); + itos = ntohl(itos32) >> 20; + + ip6o->ip6_nxt = IPPROTO_IPV6; + } + default: + goto nofamily; + } otos = 0; ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
@@ -622,6 +630,7 @@ bad: } #ifdef IPSEC +#if defined(INET) || defined(INET6) static int ipe4_init(struct secasvar *sav, struct xformsw *xsp) {
@@ -652,6 +661,8 @@ static struct xformsw ipe4_xformsw = { }; extern struct domain inetdomain; +#endif /* INET || INET6 */ +#ifdef INET static struct protosw ipe4_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain,
@@ -661,7 +672,8 @@ static struct protosw ipe4_protosw = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#ifdef INET6 +#endif /* INET */ +#if defined(INET6) && defined(INET) static struct ip6protosw ipe6_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain,
@@ -671,8 +683,9 @@ static struct ip6protosw ipe6_protosw = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#endif +#endif /* INET6 && INET */ +#if defined(INET) /* * Check the encapsulated packet to see if we want it */
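Review bot: The `case (IPV6_VERSION >> 4):` arm of the second `switch (tp)` in `ipip_output` (the IPv6 outer-header path, hunk `-556,21 +562,23`) has no `break;`, so after setting `ip6o->ip6_nxt = IPPROTO_IPV6` it falls through to `default: goto nofamily;` and IPv6-in-IPv6 packets are rejected instead of encapsulated. The matching arm of the IPv4 outer-header switch earlier in the same function does end with `break;`. Add `break;` right after `ip6o->ip6_nxt = IPPROTO_IPV6;`, before the closing brace of the case block. `ipip_output` starts and ends outside the hunk.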
@@ -687,6 +700,7 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg) */ return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); } +#endif /* INET */ static void ipe4_attach(void)
@@ -695,9 +709,11 @@ ipe4_attach(void) xform_register(&ipe4_xformsw); /* attach to encapsulation framework */ /* XXX save return cookie for detach on module remove */ +#ifdef INET (void) encap_attach_func(AF_INET, -1, ipe4_encapcheck, &ipe4_protosw, NULL); -#ifdef INET6 +#endif +#if defined(INET6) && defined(INET) (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); #endif
-- cgit v1.1
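Review bot: In `ipe4_attach` the AF_INET6 `encap_attach_func()` call is now compiled only when both INET6 and INET are defined, so an INET6-only kernel registers the xform but attaches no encapsulation handler, and nothing at the call site says this is intended. A comment above the guard would document it, for example `/* AF_INET6 attach needs INET: ipe6_protosw and ipe4_encapcheck are only built with INET */`, which matches the guards this commit puts on `ipe6_protosw` and `ipe4_encapcheck`. The return values of both attach calls are still discarded with `(void)`, as the existing XXX comment notes.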