From 92aaace6046096db0cee26a2d09ade66657e9b41 Mon Sep 17 00:00:00 2001
From: ume
Date: Tue, 17 Feb 2004 14:02:37 +0000
Subject: IPSEC and FAST_IPSEC have the same internal API now; so merge these (IPSEC has an extra ipsecstat)
Submitted by: "Bjoern A. Zeeb"
---
 sys/netinet/raw_ip.c | 11 +++--------
 sys/netinet/tcp_input.c | 24 ++++++++----------------
 sys/netinet/tcp_reass.c | 24 ++++++++----------------
 sys/netinet/udp_usrreq.c | 11 +++--------
 4 files changed, 22 insertions(+), 48 deletions(-)
(limited to 'sys/netinet')
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index eff86d3..fb95702 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
 {
 int policyfail = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 /* check AH/ESP integrity. */
 if (ipsec4_in_reject(n, last)) {
 policyfail = 1;
+#ifdef IPSEC
 ipsecstat.in_polvio++;
- /* do not inject data to pcb */
- }
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
- policyfail = 1;
 /* do not inject data to pcb */
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
 policyfail = 1;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
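Review bot: In the merged block of raw_append (sys/netinet/raw_ip.c), a kernel built with only FAST_IPSEC sets `policyfail` and withholds the packet without bumping any statistic at this call site, because `ipsecstat.in_polvio++` now sits behind the inner `#ifdef IPSEC`. The commit message says only IPSEC has ipsecstat, so this matches the removed FAST_IPSEC branch, but an operator looking for inbound policy violations has nothing to count here unless the FAST_IPSEC `ipsec4_in_reject()` records the rejection itself, which this patch does not show. A one-line comment above the inner guard would make that explicit, for example `/* only IPSEC has ipsecstat; nothing is counted at this call site under FAST_IPSEC */`. The same applies to the inner guards in the tcp_input.c, tcp_reass.c and udp_usrreq.c hunks. raw_append continues past the end of the hunk.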
@@ -567,29 +567,21 @@ findpcb:
 1, m->m_pkthdr.rcvif);
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 if (isipv6) {
 if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
 ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 /*
 * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index a868f80..01033ff 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
@@ -567,29 +567,21 @@ findpcb:
 1, m->m_pkthdr.rcvif);
 }
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 if (isipv6) {
 if (inp != NULL && ipsec6_in_reject(m, inp)) {
+#ifdef IPSEC
 ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 /*
 * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 3852583..f0a01b2 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
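Review bot: Both merged tests in the tcp_input.c hunk are gated on `inp != NULL`, so a segment that matched no PCB skips the policy check and falls through to the CLOSED-state handling that the trailing context comment introduces, and the block does not say so. Whether such segments are policy-checked elsewhere is not visible in this hunk. Since this is now the single shared path for IPSEC and FAST_IPSEC, a short comment would help, for example `/* no PCB: no pcb policy to consult here; handled by the CLOSED case below */`. The tcp_reass.c section has the same index line and an identical hunk, so the point covers it too. The enclosing function starts and ends outside the hunk.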
@@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
 struct sockaddr *append_sa;
 struct mbuf *opts = 0;
-#ifdef IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 /* check AH/ESP integrity. */
 if (ipsec4_in_reject(n, last)) {
+#ifdef IPSEC
 ipsecstat.in_polvio++;
- m_freem(n);
- return;
- }
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
 m_freem(n);
 return;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 if (mac_check_inpcb_deliver(last, n) != 0) {
 m_freem(n);
--
cgit v1.1
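Review bot: The retained comment `/* check AH/ESP integrity. */` in udp_append (also kept in the raw_ip.c hunk) describes the merged block inaccurately. Judging by the names, `ipsec4_in_reject()` returns a policy verdict and the counter is `in_polvio`, so this looks like the inbound policy gate before delivery to the socket, not a cryptographic integrity check. A reader auditing where AH/ESP verification happens could be misled into stopping here. I would reword it to something like `/* drop the packet if the inbound IPsec policy for this pcb rejects it */`. udp_append starts and ends outside the hunk.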