From 373abd94036be0e5643f5134aa9fb8bb694d1624 Mon Sep 17 00:00:00 2001 From: ume Date: Tue, 4 Nov 2003 16:02:05 +0000 Subject: - cleanup SP refcnt issue. - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME --- sys/netinet/in_pcb.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) (limited to 'sys/netinet/in_pcb.c') diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index ec51ad4..e473f2f 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -79,7 +79,6 @@ #include #include -#define IPSEC #endif /* FAST_IPSEC */ struct in_addr zeroin_addr; @@ -162,7 +161,7 @@ in_pcballoc(so, pcbinfo, td) struct thread *td; { register struct inpcb *inp; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) int error; #endif inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO); @@ -171,8 +170,12 @@ in_pcballoc(so, pcbinfo, td) inp->inp_gencnt = ++pcbinfo->ipi_gencnt; inp->inp_pcbinfo = pcbinfo; inp->inp_socket = so; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); +#else + error = ipsec_init_pcbpolicy(so, &inp->inp_sp); +#endif if (error != 0) { uma_zfree(pcbinfo->ipi_zone, inp); return error; @@ -473,6 +476,10 @@ in_pcbconnect(inp, nam, td) inp->inp_faddr.s_addr = faddr; inp->inp_fport = fport; in_pcbrehash(inp); +#ifdef IPSEC + if (inp->inp_socket->so_type == SOCK_STREAM) + ipsec_pcbconn(inp->inp_sp); +#endif if (anonport) inp->inp_flags |= INP_ANONPORT; return (0); @@ -655,6 +662,9 @@ in_pcbdisconnect(inp) in_pcbrehash(inp); if (inp->inp_socket->so_state & SS_NOFDREF) in_pcbdetach(inp); +#ifdef IPSEC + ipsec_pcbdisconn(inp->inp_sp); +#endif } void @@ -664,7 +674,7 @@ in_pcbdetach(inp) struct socket *so = inp->inp_socket; struct inpcbinfo *ipi = inp->inp_pcbinfo; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) ipsec4_delete_pcbpolicy(inp); #endif /*IPSEC*/ inp->inp_gencnt = ++ipi->ipi_gencnt; -- cgit v1.1