From 373abd94036be0e5643f5134aa9fb8bb694d1624 Mon Sep 17 00:00:00 2001 From: ume Date: Tue, 4 Nov 2003 16:02:05 +0000 Subject: - cleanup SP refcnt issue. - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME --- sys/netinet6/ip6_output.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) (limited to 'sys/netinet6/ip6_output.c') diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c index bbb7a43..9665429 100644 --- a/sys/netinet6/ip6_output.c +++ b/sys/netinet6/ip6_output.c @@ -184,18 +184,21 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) struct route_in6 *ro_pmtu = NULL; int hdrsplit = 0; int needipsec = 0; +#ifdef FAST_IPSEC + int needipsectun = 0; + struct secpolicy *sp = NULL; +#endif /* FAST_IPSEC */ #ifdef IPSEC int needipsectun = 0; + struct socket *so; struct secpolicy *sp = NULL; - ip6 = mtod(m, struct ip6_hdr *); + /* for AH processing. stupid to have "socket" variable in IP layer... */ + so = ipsec_getsocket(m); + (void)ipsec_setsocket(m, NULL); #endif /* IPSEC */ -#ifdef FAST_IPSEC - int needipsectun = 0; - struct secpolicy *sp = NULL; ip6 = mtod(m, struct ip6_hdr *); -#endif /* FAST_IPSEC */ #define MAKE_EXTHDR(hp, mp) \ do { \ @@ -235,10 +238,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp) #ifdef IPSEC /* get a security policy for this packet */ - if (inp == NULL) + if (so == NULL) sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error); else - sp = ipsec6_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); + sp = ipsec6_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); if (sp == NULL) { ipsec6stat.out_inval++; -- cgit v1.1