Merge ipsec4_input and ipsec6_input into ipsec_ip_input. Make the argument

a bool for clarity. Optimize the function: if M_CANFASTFWD is not there
(because already removed by the firewall) leave now.

Makes it easier to see that M_CANFASTFWD is not removed on IPv6.

sys/netinet/ip_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.382 2018/05/10 05:08:53 maxv Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.383 2018/05/14 17:34:26 maxv Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.382 2018/05/10 05:08:53 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.383 2018/05/14 17:34:26 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -729,7 +729,7 @@ ip_input(struct mbuf *m)
 #ifdef IPSEC
 		/* Check the security policy (SP) for the packet */
 		if (ipsec_used) {
-			if (ipsec4_input(m, IP_FORWARDING) != 0) {
+			if (ipsec_ip_input(m, true) != 0) {
 				goto out;
 			}
 		}
@@ -776,7 +776,7 @@ ours:
 	 */
 	if (ipsec_used &&
 	    (inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
-		if (ipsec4_input(m, 0) != 0) {
+		if (ipsec_ip_input(m, false) != 0) {
 			goto out;
 		}
 	}

sys/netinet6/ip6_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.201 2018/05/01 07:21:39 maxv Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.202 2018/05/14 17:34:26 maxv Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.201 2018/05/01 07:21:39 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.202 2018/05/14 17:34:26 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -742,7 +742,7 @@ hbhcheck:
 			    & PR_LASTHDR) != 0) {
 				int error;
 
-				error = ipsec6_input(m);
+				error = ipsec_ip_input(m, false);
 				if (error)
 					goto bad;
 			}

sys/netipsec/ipsec.c

@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $ */
+/* $NetBSD: ipsec.c,v 1.164 2018/05/14 17:34:26 maxv Exp $ */
 /* $FreeBSD: ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
 /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
 
@@ -32,7 +32,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.163 2018/05/10 05:15:14 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.164 2018/05/14 17:34:26 maxv Exp $");
 
 /*
  * IPsec controller part.
@@ -697,7 +697,7 @@ ipsec4_output(struct mbuf *m, struct inpcb *inp, int flags,
 }
 
 int
-ipsec4_input(struct mbuf *m, int flags)
+ipsec_ip_input(struct mbuf *m, bool forward)
 {
 	struct secpolicy *sp;
 	int error, s;
@@ -709,8 +709,7 @@ ipsec4_input(struct mbuf *m, int flags)
 		return EINVAL;
 	}
 
-	if (flags == 0) {
-		/* We are done. */
+	if (!forward || !(m->m_flags & M_CANFASTFWD)) {
 		return 0;
 	}
 
@@ -719,12 +718,14 @@ ipsec4_input(struct mbuf *m, int flags)
 	 * it is a Fast Forward candidate.
 	 */
 	s = splsoftnet();
-	sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags, &error, NULL);
+	sp = ipsec_checkpolicy(m, IPSEC_DIR_OUTBOUND, IP_FORWARDING,
+	    &error, NULL);
 	if (sp != NULL) {
 		m->m_flags &= ~M_CANFASTFWD;
 		KEY_SP_UNREF(&sp);
 	}
 	splx(s);
+
 	return 0;
 }
 
@@ -1828,21 +1829,6 @@ skippolicycheck:
 	*needipsecp = needipsec;
 	return sp;
 }
-
-int
-ipsec6_input(struct mbuf *m)
-{
-	int s, error;
-
-	s = splsoftnet();
-	error = ipsec_in_reject(m, NULL);
-	splx(s);
-	if (error) {
-		return EINVAL;
-	}
-
-	return 0;
-}
 #endif /* INET6 */
 
 /*

sys/netipsec/ipsec.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.81 2018/05/10 05:08:53 maxv Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.82 2018/05/14 17:34:26 maxv Exp $	*/
 /*	$FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -256,8 +256,8 @@ void ipsec_invalpcbcacheall(void);
 
 struct inpcb;
 int ipsec4_output(struct mbuf *, struct inpcb *, int, u_long *, bool *, bool *);
-int ipsec4_input(struct mbuf *, int);
 
+int ipsec_ip_input(struct mbuf *, bool);
 void ipsec_mtu(struct mbuf *, int *);
 
 struct inpcb;

sys/netipsec/ipsec6.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec6.h,v 1.28 2018/04/28 14:25:56 maxv Exp $	*/
+/*	$NetBSD: ipsec6.h,v 1.29 2018/05/14 17:34:26 maxv Exp $	*/
 /*	$FreeBSD: ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $	*/
 /*	$KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $	*/
 
@@ -60,7 +60,6 @@ struct m_tag;
 int ipsec6_common_input(struct mbuf **, int *, int);
 int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec6_process_packet(struct mbuf *, const struct ipsecrequest *);
-int ipsec6_input(struct mbuf *);
 #endif /*_KERNEL*/
 
 #endif /* !_NETIPSEC_IPSEC6_H_ */

sys/rump/librump/rumpnet/net_stub.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: net_stub.c,v 1.35 2018/05/10 05:08:53 maxv Exp $	*/
+/*	$NetBSD: net_stub.c,v 1.36 2018/05/14 17:34:26 maxv Exp $	*/
 
 /*
  * Copyright (c) 2008 Antti Kantee.  All Rights Reserved.
@@ -26,7 +26,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.35 2018/05/10 05:08:53 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: net_stub.c,v 1.36 2018/05/14 17:34:26 maxv Exp $");
 
 #include <sys/mutex.h>
 #include <sys/param.h>
@@ -97,12 +97,11 @@ __weak_alias(esp4_ctlinput,rumpnet_stub);
 __weak_alias(esp6_ctlinput,rumpnet_stub);
 __weak_alias(ipsec4_output,rumpnet_stub);
 __weak_alias(ipsec4_common_input,rumpnet_stub);
-__weak_alias(ipsec4_input,rumpnet_stub);
 __weak_alias(ipsec6_common_input,rumpnet_stub);
-__weak_alias(ipsec6_input,rumpnet_stub);
 __weak_alias(ipsec6_check_policy,rumpnet_stub);
 __weak_alias(ipsec6_process_packet,rumpnet_stub);
 __weak_alias(ipsec_mtu,rumpnet_stub);
+__weak_alias(ipsec_ip_input,rumpnet_stub);
 __weak_alias(ipsec_set_policy,rumpnet_stub);
 __weak_alias(ipsec_get_policy,rumpnet_stub);
 __weak_alias(ipsec_delete_pcbpolicy,rumpnet_stub);