introduce m->m_pkthdr.aux to hold random data which needs to be passed

between protocol handlers.

ipsec socket pointers, ipsec decryption/auth information, tunnel
decapsulation information are in my mind - there can be several other usage.
at this moment, we use this for ipsec socket pointer passing.  this will
avoid reuse of m->m_pkthdr.rcvif in ipsec code.

due to the change, MHLEN will be decreased by sizeof(void *) - for example,
for i386, MHLEN was 100 bytes, but is now 96 bytes.
we may want to increase MSIZE from 128 to 256 for some of our architectures.

take caution if you use it for keeping some data item for long period
of time - use extra caution on M_PREPEND() or m_adj(), as they may result
in loss of m->m_pkthdr.aux pointer (and mbuf leak).

this will bump kernel version.

(as discussed in tech-net, tested in kame tree)

sys/kern/uipc_mbuf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.44 1999/10/27 14:23:27 itojun Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.45 2000/03/01 12:49:28 itojun Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -350,6 +350,10 @@ m_freem(m)
 
 	if (m == NULL)
 		return;
+	if ((m->m_flags & M_PKTHDR) != 0 && m->m_pkthdr.aux) {
+		m_freem(m->m_pkthdr.aux);
+		m->m_pkthdr.aux = NULL;
+	}
 	do {
 		MFREE(m, n);
 		m = n;

sys/kern/uipc_mbuf2.c

@@ -1,4 +1,5 @@
-/*	$NetBSD: uipc_mbuf2.c,v 1.3 2000/02/06 12:49:51 itojun Exp $	*/
+/*	$NetBSD: uipc_mbuf2.c,v 1.4 2000/03/01 12:49:29 itojun Exp $	*/
+/*	$KAME: uipc_mbuf2.c,v 1.15 2000/02/22 14:01:37 itojun Exp $	*/
 
 /*
  * Copyright (C) 1999 WIDE Project.
@@ -103,6 +104,10 @@ m_pulldown(m, off, len, offp)
 	struct mbuf *n, *o;
 	int hlen, tlen, olen;
 	int sharedcluster;
+#if defined(PULLDOWN_STAT) && defined(INET6)
+	static struct mbuf *prev = NULL;
+	int prevlen = 0, prevmlen = 0;
+#endif
 
 	/* check invalid arguments. */
 	if (m == NULL)
@@ -116,6 +121,68 @@ m_pulldown(m, off, len, offp)
 	ip6stat.ip6s_pulldown++;
 #endif
 
+#if defined(PULLDOWN_STAT) && defined(INET6)
+	/* statistics for m_pullup */
+	ip6stat.ip6s_pullup++;
+	if (off + len > MHLEN)
+		ip6stat.ip6s_pullup_fail++;
+	else {
+		int dlen, mlen;
+
+		dlen = (prev == m) ? prevlen : m->m_len;
+		mlen = (prev == m) ? prevmlen : m->m_len + M_TRAILINGSPACE(m);
+
+		if (dlen >= off + len)
+			ip6stat.ip6s_pullup--; /* call will not be made! */
+		else if ((m->m_flags & M_EXT) != 0) {
+			ip6stat.ip6s_pullup_alloc++;
+			ip6stat.ip6s_pullup_copy++;
+		} else {
+			if (mlen >= off + len)
+				ip6stat.ip6s_pullup_copy++;
+			else {
+				ip6stat.ip6s_pullup_alloc++;
+				ip6stat.ip6s_pullup_copy++;
+			}
+		}
+
+		prevlen = off + len;
+		prevmlen = MHLEN;
+	}
+
+	/* statistics for m_pullup2 */
+	ip6stat.ip6s_pullup2++;
+	if (off + len > MCLBYTES)
+		ip6stat.ip6s_pullup2_fail++;
+	else {
+		int dlen, mlen;
+
+		dlen = (prev == m) ? prevlen : m->m_len;
+		mlen = (prev == m) ? prevmlen : m->m_len + M_TRAILINGSPACE(m);
+		prevlen = off + len;
+		prevmlen = mlen;
+
+		if (dlen >= off + len)
+			ip6stat.ip6s_pullup2--; /* call will not be made! */
+		else if ((m->m_flags & M_EXT) != 0) {
+			ip6stat.ip6s_pullup2_alloc++;
+			ip6stat.ip6s_pullup2_copy++;
+			prevmlen = (off + len > MHLEN) ? MCLBYTES : MHLEN;
+		} else {
+			if (mlen >= off + len)
+				ip6stat.ip6s_pullup2_copy++;
+			else {
+				ip6stat.ip6s_pullup2_alloc++;
+				ip6stat.ip6s_pullup2_copy++;
+				prevmlen = (off + len > MHLEN) ? MCLBYTES
+							       : MHLEN;
+			}
+		}
+	}
+
+	prev = m;
+#endif
+
 #ifdef PULLDOWN_DEBUG
     {
 	struct mbuf *t;
@@ -132,6 +199,9 @@ m_pulldown(m, off, len, offp)
 		off -= n->m_len;
 		n = n->m_next;
 	}
+	/* be sure to point non-empty mbuf */
+	while (n != NULL && n->m_len == 0)
+		n = n->m_next;
 	if (!n) {
 		m_freem(m);
 		return NULL;	/* mbuf chain too short */
@@ -275,3 +345,84 @@ ok:
 		*offp = off;
 	return n;
 }
+
+/*
+ * pkthdr.aux chain manipulation.
+ * we don't allow clusters at this moment. 
+ */
+struct mbuf *
+m_aux_add(m, af, type)
+	struct mbuf *m;
+	int af, type;
+{
+	struct mbuf *n;
+	struct mauxtag *t;
+
+	if ((m->m_flags & M_PKTHDR) == 0)
+		return NULL;
+
+	n = m_aux_find(m, af, type);
+	if (n)
+		return n;
+
+	MGET(n, M_DONTWAIT, m->m_type);
+	if (n == NULL)
+		return NULL;
+
+	t = mtod(n, struct mauxtag *);
+	t->af = af;
+	t->type = type;
+	n->m_data += sizeof(struct mauxtag);
+	n->m_len = 0;
+	n->m_next = m->m_pkthdr.aux;
+	m->m_pkthdr.aux = n;
+	return n;
+}
+
+struct mbuf *
+m_aux_find(m, af, type)
+	struct mbuf *m;
+	int af, type;
+{
+	struct mbuf *n;
+	struct mauxtag *t;
+
+	if ((m->m_flags & M_PKTHDR) == 0)
+		return NULL;
+
+	for (n = m->m_pkthdr.aux; n; n = n->m_next) {
+		t = (struct mauxtag *)n->m_dat;
+		if (t->af == af && t->type == type)
+			return n;
+	}
+	return NULL;
+}
+
+void
+m_aux_delete(m, victim)
+	struct mbuf *m;
+	struct mbuf *victim;
+{
+	struct mbuf *n, *prev, *next;
+	struct mauxtag *t;
+
+	if ((m->m_flags & M_PKTHDR) == 0)
+		return;
+
+	prev = NULL;
+	n = m->m_pkthdr.aux;
+	while (n) {
+		t = (struct mauxtag *)n->m_dat;
+		next = n->m_next;
+		if (n == victim) {
+			if (prev)
+				prev->m_next = n->m_next;
+			else
+				m->m_pkthdr.aux = n->m_next;
+			n->m_next = NULL;
+			m_free(n);
+		} else
+			prev = n;
+		n = next;
+	}
+}

sys/netinet/igmp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: igmp.c,v 1.22 1999/07/09 22:57:16 thorpej Exp $	*/
+/*	$NetBSD: igmp.c,v 1.23 2000/03/01 12:49:30 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -39,7 +39,6 @@
  * MULTICAST Revision: 1.3
  */
 
-#include "opt_ipsec.h"
 #include "opt_mrouting.h"
 
 #include <sys/param.h>
@@ -555,9 +554,6 @@ igmp_sendpkt(inm, type)
 	imo.imo_multicast_loop = 0;
 #endif /* MROUTING */
 
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
 	ip_output(m, (struct mbuf *)0, (struct route *)0, IP_MULTICASTOPTS,
 	    &imo);
 

sys/netinet/in_gif.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: in_gif.c,v 1.9 2000/02/07 06:15:16 itojun Exp $	*/
+/*	$NetBSD: in_gif.c,v 1.10 2000/03/01 12:49:31 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -34,7 +34,6 @@
  */
 
 #include "opt_inet.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -212,11 +211,6 @@ in_gif_output(ifp, family, m, rt)
 #endif 
 	}
 	
-#ifdef IPSEC
-#ifndef __OpenBSD__	/*KAME IPSEC*/
-	m->m_pkthdr.rcvif = NULL;
-#endif
-#endif /*IPSEC*/
 #ifndef __OpenBSD__
 	error = ip_output(m, NULL, &sc->gif_ro, 0, NULL);
 #else

sys/netinet/ip_fil.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_fil.c,v 1.42 2000/02/20 00:56:39 darrenr Exp $	*/
+/*	$NetBSD: ip_fil.c,v 1.43 2000/03/01 12:49:31 itojun Exp $	*/
 
 /*
  * Copyright (C) 1993-1998 by Darren Reed.
@@ -9,21 +9,13 @@
  */
 #if !defined(lint)
 #if defined(__NetBSD__)
-static const char rcsid[] = "$NetBSD: ip_fil.c,v 1.42 2000/02/20 00:56:39 darrenr Exp $";
+static const char rcsid[] = "$NetBSD: ip_fil.c,v 1.43 2000/03/01 12:49:31 itojun Exp $";
 #else
 static const char sccsid[] = "@(#)ip_fil.c	2.41 6/5/96 (C) 1993-1995 Darren Reed";
 static const char rcsid[] = "@(#)Id: ip_fil.c,v 2.4.2.16 2000/01/16 10:12:42 darrenr Exp";
 #endif
 #endif
 
-#if defined(__NetBSD__) && defined(_KERNEL)
-# ifdef _LKM
-#  define IPSEC
-# else
-#  include "opt_ipsec.h"
-# endif
-#endif
-
 #ifndef	SOLARIS
 #define	SOLARIS	(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
 #endif
@@ -952,9 +944,6 @@ ip_t *ip;
 	ip->ip_ttl = ip_defttl;
 # endif
 
-# ifdef	IPSEC
-	m->m_pkthdr.rcvif = NULL;
-# endif
 # if defined(__FreeBSD_version) && (__FreeBSD_version >= 220000)
 	{
 	int err;

sys/netinet/ip_icmp.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_icmp.c,v 1.42 2000/02/24 09:54:49 itojun Exp $	*/
+/*	$NetBSD: ip_icmp.c,v 1.43 2000/03/01 12:49:32 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -766,8 +766,9 @@ icmp_send(m, opts)
 		printf("icmp_send dst %x src %x\n", ip->ip_dst, ip->ip_src);
 #endif
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
+	/* Don't lookup socket */
+	ipsec_setsocket(m, NULL);
+#endif
 	(void) ip_output(m, opts, NULL, 0, NULL);
 }
 

sys/netinet/ip_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.102 2000/02/20 00:56:39 darrenr Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.103 2000/03/01 12:49:33 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1403,8 +1403,9 @@ ip_forward(m, srcrt)
 	}
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
+	/* Don't lookup socket in forwading case */
+	ipsec_setsocket(m, NULL);
+#endif
 	error = ip_output(m, (struct mbuf *)0, &ipforward_rt,
 	    (IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0);
 	if (error)

sys/netinet/ip_ipip.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_ipip.c,v 1.8 1999/12/13 15:17:20 itojun Exp $	*/
+/*	$NetBSD: ip_ipip.c,v 1.9 2000/03/01 12:49:34 itojun Exp $	*/
 
 /*-
  * Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -45,7 +45,6 @@
 
 #include "ipip.h"
 #include "opt_mrouting.h"
-#include "opt_ipsec.h"
 
 #if NIPIP > 0 || defined(MROUTING)
 
@@ -274,9 +273,6 @@ ipip_output(ifp, m0, dst, rt)
 	ifp->if_opackets++;
 	ifp->if_obytes += m0->m_pkthdr.len;
 
-#ifdef IPSEC
-	m0->m_pkthdr.rcvif = NULL;
-#endif
 	error = ip_output(m0, NULL, &sc->sc_route, 0, NULL);
 	if (error)
 		ifp->if_oerrors++;

sys/netinet/ip_mroute.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_mroute.c,v 1.45 2000/02/01 00:07:50 thorpej Exp $	*/
+/*	$NetBSD: ip_mroute.c,v 1.46 2000/03/01 12:49:34 itojun Exp $	*/
 
 /*
  * IP multicast forwarding procedures
@@ -1680,7 +1680,8 @@ tbf_send_packet(vifp, m)
 	if (vifp->v_flags & VIFF_TUNNEL) {
 		/* If tunnel options */
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = NULL;
+		/* Don't lookup socket in forwading case */
+		ipsec_setsocket(m, NULL);
 #endif
 		ip_output(m, (struct mbuf *)0, &vifp->v_route,
 			  IP_FORWARDING, (struct ip_moptions *)0);
@@ -1696,7 +1697,8 @@ tbf_send_packet(vifp, m)
 #endif
 
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = NULL;
+		/* Don't lookup socket in forwading case */
+		ipsec_setsocket(m, NULL);
 #endif
 		error = ip_output(m, (struct mbuf *)0, (struct route *)0,
 				  IP_FORWARDING|IP_MULTICASTOPTS, &imo);

sys/netinet/ip_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_output.c,v 1.68 2000/02/20 00:56:40 darrenr Exp $	*/
+/*	$NetBSD: ip_output.c,v 1.69 2000/03/01 12:49:35 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -183,7 +183,7 @@ ip_output(m0, va_alist)
 	int rv;
 #endif /* PFIL_HOOKS */
 #ifdef IPSEC
-	struct socket *so = (struct socket *)m->m_pkthdr.rcvif;
+	struct socket *so;
 	struct secpolicy *sp = NULL;
 #endif /*IPSEC*/
 
@@ -199,7 +199,8 @@ ip_output(m0, va_alist)
 	va_end(ap);
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
+	so = ipsec_getsocket(m);
+	ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 #ifdef	DIAGNOSTIC

sys/netinet/raw_ip.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip.c,v 1.51 2000/02/17 10:59:36 darrenr Exp $	*/
+/*	$NetBSD: raw_ip.c,v 1.52 2000/03/01 12:49:36 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -279,7 +279,7 @@ rip_output(m, va_alist)
 		ipstat.ips_rawout++;
 	}
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = (struct ifnet *)inp->inp_socket;	/*XXX*/
+	ipsec_setsocket(m, inp->inp_socket);
 #endif /*IPSEC*/
 	return (ip_output(m, opts, &inp->inp_route, flags, inp->inp_moptions, &inp->inp_errormtu));
 }

sys/netinet/tcp_input.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_input.c,v 1.104 2000/02/15 19:54:12 thorpej Exp $	*/
+/*	$NetBSD: tcp_input.c,v 1.105 2000/03/01 12:49:37 itojun Exp $	*/
 
 /*
 %%% portions-copyright-nrl-95
@@ -3377,10 +3377,8 @@ syn_cache_respond(sc, m)
 		else
 			so = NULL;
 		/* use IPsec policy on listening socket, on SYN ACK */
-		m->m_pkthdr.rcvif = (struct ifnet *)so;
+		ipsec_setsocket(m, so);
 	}
-#else
-	m->m_pkthdr.rcvif = NULL;
 #endif
 	memset(mtod(m, u_char *), 0, tlen);
 

sys/netinet/tcp_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_output.c,v 1.54 2000/02/09 00:50:40 itojun Exp $	*/
+/*	$NetBSD: tcp_output.c,v 1.55 2000/03/01 12:49:41 itojun Exp $	*/
 
 /*
 %%% portions-copyright-nrl-95
@@ -1024,7 +1024,7 @@ send:
 		}
 	}
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = (struct ifnet *)so;
+	ipsec_setsocket(m, so);
 #endif /*IPSEC*/
 
 	switch (af) {

sys/netinet/tcp_subr.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tcp_subr.c,v 1.88 2000/02/29 05:25:49 itojun Exp $	*/
+/*	$NetBSD: tcp_subr.c,v 1.89 2000/03/01 12:49:42 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -555,7 +555,7 @@ tcp_respond(tp, template, m, th0, ack, seq, flags)
 	}
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
+	ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 	/*
@@ -569,7 +569,7 @@ tcp_respond(tp, template, m, th0, ack, seq, flags)
 	if (tp != NULL && tp->t_inpcb != NULL) {
 		ro = &tp->t_inpcb->inp_route;
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = (struct ifnet *)tp->t_inpcb->inp_socket;
+		ipsec_setsocket(m, tp->t_inpcb->inp_socket);
 #endif
 #ifdef DIAGNOSTIC
 		if (family != AF_INET)
@@ -585,7 +585,7 @@ tcp_respond(tp, template, m, th0, ack, seq, flags)
 	else if (tp != NULL && tp->t_in6pcb != NULL) {
 		ro = (struct route *)&tp->t_in6pcb->in6p_route;
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = (struct ifnet *)tp->t_in6pcb->in6p_socket;
+		ipsec_setsocket(m, tp->t_in6pcb->in6p_socket);
 #endif
 #ifdef DIAGNOSTIC
 		if (family == AF_INET) {

sys/netinet/udp_usrreq.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: udp_usrreq.c,v 1.62 2000/02/29 16:21:56 itojun Exp $	*/
+/*	$NetBSD: udp_usrreq.c,v 1.63 2000/03/01 12:49:42 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -1252,7 +1252,7 @@ udp_output(m, va_alist)
 	udpstat.udps_opackets++;
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = (struct ifnet *)inp->inp_socket;
+	ipsec_setsocket(m, inp->inp_socket);
 #endif /*IPSEC*/
 
 	return (ip_output(m, inp->inp_options, &inp->inp_route,

sys/netinet6/icmp6.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: icmp6.c,v 1.25 2000/02/28 14:30:36 itojun Exp $	*/
+/*	$NetBSD: icmp6.c,v 1.26 2000/03/01 12:49:44 itojun Exp $	*/
 /*	$KAME: icmp6.c,v 1.71 2000/02/28 09:25:42 jinmei Exp $	*/
 
 /*
@@ -1579,7 +1579,8 @@ icmp6_reflect(m, off)
 
 	m->m_flags &= ~(M_BCAST|M_MCAST);
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
+	/* Don't lookup socket */
+	ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 
 #ifdef COMPAT_RFC1885
@@ -2075,7 +2076,8 @@ noredhdropt:;
 
 	/* send the packet to outside... */
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
+	/* Don't lookup socket */
+	ipsec_setsocket(m, NULL);
 #endif /*IPSEC*/
 	ip6_output(m, NULL, NULL, 0, NULL, &outif);
 	if (outif) {

sys/netinet6/in6_gif.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: in6_gif.c,v 1.12 2000/02/07 06:15:17 itojun Exp $	*/
+/*	$NetBSD: in6_gif.c,v 1.13 2000/03/01 12:49:45 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -34,7 +34,6 @@
  */
 
 #include "opt_inet.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -201,9 +200,6 @@ in6_gif_output(ifp, family, m, rt)
 #endif
 	}
 	
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
 	return(ip6_output(m, 0, &sc->gif_ro6, 0, 0, NULL));
 }
 

sys/netinet6/ip6_output.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_output.c,v 1.16 2000/02/20 00:56:43 darrenr Exp $	*/
+/*	$NetBSD: ip6_output.c,v 1.17 2000/03/01 12:49:46 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -169,8 +169,8 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp)
 	struct secpolicy *sp = NULL;
 
 	/* for AH processing. stupid to have "socket" variable in IP layer... */
-	so = (struct socket *)m->m_pkthdr.rcvif;
-	m->m_pkthdr.rcvif = NULL;
+	so = ipsec_getsocket(m);
+	ipsec_setsocket(m, NULL);
 	ip6 = mtod(m, struct ip6_hdr *);
 #endif /* IPSEC */
 

sys/netinet6/ipsec.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.17 2000/02/28 12:08:23 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.18 2000/03/01 12:49:47 itojun Exp $	*/
 /*	$KAME: ipsec.c,v 1.49 2000/02/23 08:52:52 jinmei Exp $	*/
 
 /*
@@ -3136,6 +3136,14 @@ ipsec_copypkt(m)
 					if (mnew == NULL)
 						goto fail;
 					mnew->m_pkthdr = n->m_pkthdr;
+#if 0
+					if (n->m_pkthdr.aux) {
+						mnew->m_pkthdr.aux =
+						    m_copym(n->m_pkthdr.aux,
+						    0, M_COPYALL, M_DONTWAIT);
+					}
+#endif
+					M_COPY_PKTHDR(mnew, n);
 					mnew->m_flags = n->m_flags & M_COPYFLAGS;
 				}
 				else {
@@ -3209,6 +3217,42 @@ ipsec_copypkt(m)
 	return(NULL);
 }
 
+void
+ipsec_setsocket(m, so)
+	struct mbuf *m;
+	struct socket *so;
+{
+	struct mbuf *n;
+
+	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+	if (so && !n)
+		n = m_aux_add(m, AF_INET, IPPROTO_ESP);
+	if (n) {
+		if (so) {
+			*mtod(n, struct socket **) = so;
+			/*
+			 * XXX think again about it when we put decryption
+			 * histrory into aux mbuf
+			 */
+			n->m_len = sizeof(struct socket *);
+		} else
+			m_aux_delete(m, n);
+	}
+}
+
+struct socket *
+ipsec_getsocket(m)
+	struct mbuf *m;
+{
+	struct mbuf *n;
+
+	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+	if (n && n->m_len >= sizeof(struct socket *))
+		return *mtod(n, struct socket **);
+	else
+		return NULL;
+}
+
 /*
  * System control for IPSEC
  */

sys/netinet6/ipsec.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.11 2000/02/28 12:08:24 itojun Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.12 2000/03/01 12:49:48 itojun Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -358,6 +358,9 @@ extern int ipsec6_tunnel_validate __P((struct ip6_hdr *, u_int,
 #endif
 extern struct mbuf *ipsec_copypkt __P((struct mbuf *));
 
+extern void ipsec_setsocket __P((struct mbuf *, struct socket *));
+extern struct socket *ipsec_getsocket __P((struct mbuf *));
+
 extern int ipsec_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
 extern int ipsec6_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
 

sys/netinet6/mld6.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: mld6.c,v 1.11 2000/02/26 08:39:20 itojun Exp $	*/
+/*	$NetBSD: mld6.c,v 1.12 2000/03/01 12:49:48 itojun Exp $	*/
 /*	$KAME: mld6.c,v 1.16 2000/02/22 14:04:27 itojun Exp $	*/
 
 /*
@@ -70,7 +70,6 @@
  */
 
 #include "opt_inet.h"
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -406,9 +405,6 @@ mld6_sendpkt(in6m, type, dst)
 	}
 	mh->m_next = md;
 
-#ifdef IPSEC
-	mh->m_pkthdr.rcvif = NULL;
-#endif 
 	mh->m_pkthdr.len = sizeof(struct ip6_hdr) + sizeof(struct mld6_hdr);
 	mh->m_len = sizeof(struct ip6_hdr);
 	MH_ALIGN(mh, sizeof(struct ip6_hdr));

sys/netinet6/nd6_nbr.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: nd6_nbr.c,v 1.17 2000/02/28 12:08:24 itojun Exp $	*/
+/*	$NetBSD: nd6_nbr.c,v 1.18 2000/03/01 12:49:49 itojun Exp $	*/
 /*	$KAME: nd6_nbr.c,v 1.28 2000/02/26 06:53:11 itojun Exp $	*/
 
 /*
@@ -59,6 +59,10 @@
 #include <netinet6/nd6.h>
 #include <netinet/icmp6.h>
 
+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
 #include <net/net_osdep.h>
 
 #define SDL(s) ((struct sockaddr_dl *)s)
@@ -487,8 +491,9 @@ nd6_ns_output(ifp, daddr6, taddr6, ln, dad)
 		= in6_cksum(m, IPPROTO_ICMPV6, sizeof(*ip6), icmp6len);
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
+	/* Don't lookup socket */
+	ipsec_setsocket(m, NULL);
+#endif
 	ip6_output(m, NULL, NULL, dad ? IPV6_DADOUTPUT : 0, &im6o, &outif);
 	if (outif) {
 		icmp6_ifstat_inc(outif, ifs6_out_msg);
@@ -902,8 +907,9 @@ nd6_na_output(ifp, daddr6, taddr6, flags, tlladdr, sdl0)
 		in6_cksum(m, IPPROTO_ICMPV6, sizeof(struct ip6_hdr), icmp6len);
 
 #ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif /*IPSEC*/
+	/* Don't lookup socket */
+	ipsec_setsocket(m, NULL);
+#endif
 	ip6_output(m, NULL, NULL, 0, &im6o, &outif);
 	if (outif) {
 		icmp6_ifstat_inc(outif, ifs6_out_msg);

sys/netinet6/raw_ip6.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: raw_ip6.c,v 1.21 2000/02/28 16:10:52 itojun Exp $	*/
+/*	$NetBSD: raw_ip6.c,v 1.22 2000/03/01 12:49:50 itojun Exp $	*/
 /*	$KAME: raw_ip6.c,v 1.24 2000/02/28 15:44:12 itojun Exp $	*/
 
 /*
@@ -458,10 +458,6 @@ rip6_output(m, va_alist)
 		*p = in6_cksum(m, ip6->ip6_nxt, sizeof(*ip6), plen);
 	}
 
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = (struct ifnet *)so;
-#endif /*IPSEC*/
-	
 	error = ip6_output(m, optp, &in6p->in6p_route, 0, in6p->in6p_moptions,
 			   &oifp);
 	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {

sys/netinet6/udp6_usrreq.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: udp6_usrreq.c,v 1.25 2000/02/28 16:10:52 itojun Exp $	*/
+/*	$NetBSD: udp6_usrreq.c,v 1.26 2000/03/01 12:49:50 itojun Exp $	*/
 /*	$KAME: udp6_usrreq.c,v 1.40 2000/02/28 15:44:13 itojun Exp $	*/
 
 /*
@@ -722,7 +722,7 @@ udp6_output(in6p, m, addr6, control)
 
 		udp6stat.udp6s_opackets++;
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = (struct ifnet *)in6p->in6p_socket;
+		ipsec_setsocket(m, in6p->in6p_socket);
 #endif /*IPSEC*/
 		error = ip6_output(m, in6p->in6p_outputopts, &in6p->in6p_route,
 			    0, in6p->in6p_moptions, NULL);
@@ -750,7 +750,7 @@ udp6_output(in6p, m, addr6, control)
 
 		udpstat.udps_opackets++;
 #ifdef IPSEC
-		m->m_pkthdr.rcvif = NULL;	/*XXX*/
+		ipsec_setsocket(m, NULL);	/*XXX*/
 #endif /*IPSEC*/
 		error = ip_output(m, NULL, &in6p->in6p_route, 0 /*XXX*/);
 		break;

sys/netiso/if_eon.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: if_eon.c,v 1.27 1999/12/24 05:01:33 itojun Exp $	*/
+/*	$NetBSD: if_eon.c,v 1.28 2000/03/01 12:49:51 itojun Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -71,7 +71,6 @@ SOFTWARE.
  */
 
 #include "opt_eon.h"
-#include "opt_ipsec.h"
 
 #ifdef EON
 #define NEON 1
@@ -442,9 +441,6 @@ send:
 	}
 #endif
 
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif
 	error = ip_output(m, (struct mbuf *) 0, ro, 0, NULL);
 	m = 0;
 	if (error) {

sys/netiso/tp_inet.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: tp_inet.c,v 1.17 1999/12/24 05:01:33 itojun Exp $	*/
+/*	$NetBSD: tp_inet.c,v 1.18 2000/03/01 12:49:52 itojun Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -77,7 +77,6 @@ SOFTWARE.
  */
 
 #include "opt_inet.h"
-#include "opt_ipsec.h"
 #include "opt_iso.h"
 
 #ifdef INET
@@ -482,9 +481,6 @@ tpip_output_dg(m0, va_alist)
 	}
 #endif
 
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif
 	error = ip_output(m, (struct mbuf *) 0, ro, IP_ALLOWBROADCAST, NULL);
 
 #ifdef ARGO_DEBUG

sys/netns/ns_ip.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ns_ip.c,v 1.24 1999/12/24 05:01:34 itojun Exp $	*/
+/*	$NetBSD: ns_ip.c,v 1.25 2000/03/01 12:49:53 itojun Exp $	*/
 
 /*
  * Copyright (c) 1984, 1985, 1986, 1987, 1993
@@ -40,7 +40,6 @@
  */
 
 #include "opt_ns.h"		/* options NSIP, needed by ns_if.h */
-#include "opt_ipsec.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -326,9 +325,6 @@ nsipoutput(ifp, m, dst, rt)
 	/*
 	 * Output final datagram.
 	 */
-#ifdef IPSEC
-	m->m_pkthdr.rcvif = NULL;
-#endif
 	error =  (ip_output(m, (struct mbuf *)0, ro, SO_BROADCAST, NULL));
 	if (error) {
 		ifn->ifen_ifnet.if_oerrors++;

sys/sys/mbuf.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: mbuf.h,v 1.48 1999/12/13 15:17:24 itojun Exp $	*/
+/*	$NetBSD: mbuf.h,v 1.49 2000/03/01 12:49:27 itojun Exp $	*/
 
 /*-
  * Copyright (c) 1996, 1997, 1999 The NetBSD Foundation, Inc.
@@ -120,6 +120,7 @@ struct m_hdr {
 struct	pkthdr {
 	struct	ifnet *rcvif;		/* rcv interface */
 	int	len;			/* total packet length */
+	struct mbuf *aux;		/* extra data buffer; ipsec/others */
 };
 
 /* description of external storage mapped into mbuf, valid if M_EXT set */
@@ -250,6 +251,7 @@ struct mbuf {
 		(m)->m_nextpkt = (struct mbuf *)NULL; \
 		(m)->m_data = (m)->m_pktdat; \
 		(m)->m_flags = M_PKTHDR; \
+		(m)->m_pkthdr.aux = (struct mbuf *)NULL; \
 	} else \
 		(m) = m_retryhdr((how), (type)); \
 } while (0)
@@ -407,9 +409,11 @@ do {									\
 /*
  * Copy mbuf pkthdr from `from' to `to'.
  * `from' must have M_PKTHDR set, and `to' must be empty.
+ * aux pointer will be moved to `to'.
  */
 #define	M_COPY_PKTHDR(to, from) do { \
 	(to)->m_pkthdr = (from)->m_pkthdr; \
+	(from)->m_pkthdr.aux = (struct mbuf *)NULL; \
 	(to)->m_flags = (from)->m_flags & M_COPYFLAGS; \
 	(to)->m_data = (to)->m_pktdat; \
 } while (0)
@@ -480,6 +484,14 @@ do {									\
 #define	M_GETCTX(m, t)		((t) (m)->m_pkthdr.rcvif + 0)
 #define	M_SETCTX(m, c)		((void) ((m)->m_pkthdr.rcvif = (void *) (c)))
 
+/*
+ * pkthdr.aux type tags.
+ */
+struct mauxtag {
+	int af;
+	int type;
+};
+
 /*
  * Mbuf statistics.
  * For statistics related to mbuf and cluster allocations, see also the
@@ -554,6 +566,10 @@ void	m_freem __P((struct mbuf *));
 void	m_reclaim __P((int));
 void	mbinit __P((void));
 
+struct mbuf *m_aux_add __P((struct mbuf *, int, int));
+struct mbuf *m_aux_find __P((struct mbuf *, int, int));
+void m_aux_delete __P((struct mbuf *, struct mbuf *));
+
 #ifdef MBTYPES
 const int mbtypes[] = {				/* XXX */
 	M_FREE,		/* MT_FREE	0	should be on free list */