From de3407d02868da17b84be20a37bee2f9d4b5ad99 Mon Sep 17 00:00:00 2001 From: ume Date: Tue, 3 Feb 2004 18:20:55 +0000 Subject: pass pcb rather than so. it is expected that per socket policy works again. --- sys/netinet/ip_output.c | 10 ++-------- sys/netinet/raw_ip.c | 2 +- sys/netinet/tcp_input.c | 4 ++-- sys/netinet/tcp_output.c | 7 ------- sys/netinet/tcp_reass.c | 4 ++-- sys/netinet/udp_usrreq.c | 2 +- 6 files changed, 8 insertions(+), 21 deletions(-) (limited to 'sys/netinet') diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index 733df47..a872c00 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -144,7 +144,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, struct in_addr pkt_dst; struct route iproute; #ifdef IPSEC - struct socket *so; struct secpolicy *sp = NULL; #endif #ifdef FAST_IPSEC @@ -195,11 +194,6 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, } m = m0; -#ifdef IPSEC - so = ipsec_getsocket(m); - (void)ipsec_setsocket(m, NULL); -#endif /*IPSEC*/ - M_ASSERTPKTHDR(m); if (ro == NULL) { @@ -481,11 +475,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, sendit: #ifdef IPSEC /* get SP for this packet */ - if (so == NULL) + if (inp == NULL) sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error); else - sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); + sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); if (sp == NULL) { ipsecstat.out_inval++; diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c index bd65e81..eff86d3 100644 --- a/sys/netinet/raw_ip.c +++ b/sys/netinet/raw_ip.c @@ -147,7 +147,7 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n) #ifdef IPSEC /* check AH/ESP integrity. */ - if (ipsec4_in_reject_so(n, last->inp_socket)) { + if (ipsec4_in_reject(n, last)) { policyfail = 1; ipsecstat.in_polvio++; /* do not inject data to pcb */ 
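Review bot: In the `sendit:` hunk of ip_output.c the choice between address-based and per-pcb policy now depends only on the `inp` argument, so a caller that sends socket-originated traffic with `inp == NULL` falls through to `ipsec4_getpolicybyaddr()` and that socket's own policy is never consulted. The call sites are not part of this diff, and the earlier hunk removes the mbuf-attached socket (`ipsec_getsocket(m)`) that used to carry this information, so each ip_output() caller is worth checking. I would state the contract at the branch, for example `/* inp == NULL: no owning pcb was passed; fall back to address-based policy lookup */`. The body of ip_output() starts and ends outside the hunk.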
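Review bot: The comment `/* check AH/ESP integrity. */` above the changed call in raw_append() does not describe what the line does. Judging by the name and the `ipsecstat.in_polvio++` in the branch, `ipsec4_in_reject(n, last)` appears to decide whether the packet satisfies the inbound policy of the pcb `last`, not to verify AH/ESP integrity. I would reword it to something like `/* reject the packet if it violates the inbound IPsec policy of this pcb */`. The same comment sits above the identical change in udp_append() in udp_usrreq.c, and both functions extend beyond their hunks.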
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c index eef736c..2b7f99a 100644 --- a/sys/netinet/tcp_input.c +++ b/sys/netinet/tcp_input.c @@ -572,12 +572,12 @@ findpcb: #ifdef IPSEC if (isipv6) { - if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec6_in_reject(m, inp)) { ipsec6stat.in_polvio++; goto drop; } } else { - if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec4_in_reject(m, inp)) { ipsecstat.in_polvio++; goto drop; } diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index c44fa96..f30d6c3 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -878,13 +878,6 @@ send: ip6->ip6_hlim = in6_selecthlim(tp->t_inpcb, NULL); /* TODO: IPv6 IP6TOS_ECT bit on */ -#if defined(IPSEC) && !defined(FAST_IPSEC) - if (ipsec_setsocket(m, so) != 0) { - m_freem(m); - error = ENOBUFS; - goto out; - } -#endif /*IPSEC*/ error = ip6_output(m, tp->t_inpcb->in6p_outputopts, NULL, (so->so_options & SO_DONTROUTE), NULL, NULL, diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c index eef736c..2b7f99a 100644 --- a/sys/netinet/tcp_reass.c +++ b/sys/netinet/tcp_reass.c @@ -572,12 +572,12 @@ findpcb: #ifdef IPSEC if (isipv6) { - if (inp != NULL && ipsec6_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec6_in_reject(m, inp)) { ipsec6stat.in_polvio++; goto drop; } } else { - if (inp != NULL && ipsec4_in_reject_so(m, inp->inp_socket)) { + if (inp != NULL && ipsec4_in_reject(m, inp)) { ipsecstat.in_polvio++; goto drop; } diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c index 02a0e77..3852583 100644 --- a/sys/netinet/udp_usrreq.c +++ b/sys/netinet/udp_usrreq.c @@ -455,7 +455,7 @@ udp_append(last, ip, n, off) #ifdef IPSEC /* check AH/ESP integrity. */ - if (ipsec4_in_reject_so(n, last->inp_socket)) { + if (ipsec4_in_reject(n, last)) { ipsecstat.in_polvio++; m_freem(n); return; -- cgit v1.1
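Review bot: The `inp != NULL &&` guard in front of `ipsec6_in_reject(m, inp)` and `ipsec4_in_reject(m, inp)` in tcp_input.c means a segment that matched no pcb skips the inbound policy check and continues past this block. The guard was required while the argument was `inp->inp_socket`, but with the pcb passed directly it may no longer be needed. That holds only if the new functions accept a NULL pcb and fall back to an address-based lookup, which this diff does not show. If they do, `if (ipsec4_in_reject(m, inp)) {` would also apply system policy to segments with no matching pcb; if not, a comment such as `/* no pcb: inbound policy is not checked here */` would make the exemption explicit. The tcp_reass.c hunk is identical (same index line), so the same remark applies there, and the `findpcb:` code runs beyond both hunks.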