make synchronization w/ PF tag support code easier
This commit is contained in:
parent
0843b985d1
commit
a84539ea9e
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipsec.c,v 1.79 2003/09/12 07:38:12 itojun Exp $ */
|
||||
/* $NetBSD: ipsec.c,v 1.80 2003/09/12 07:53:29 itojun Exp $ */
|
||||
/* $KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $ */
|
||||
|
||||
/*
|
||||
|
@ -35,7 +35,7 @@
|
|||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.79 2003/09/12 07:38:12 itojun Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.80 2003/09/12 07:53:29 itojun Exp $");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
@ -120,6 +120,9 @@ int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
|
|||
|
||||
#endif /* INET6 */
|
||||
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
|
||||
#endif
|
||||
static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
|
||||
struct inpcbpolicy *, int));
|
||||
static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
|
||||
|
@ -322,6 +325,20 @@ ipsec_invalpcbcacheall()
|
|||
return 0;
|
||||
}
|
||||
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
static struct pf_tag *
|
||||
ipsec_get_tag(m)
|
||||
struct mbuf *m;
|
||||
{
|
||||
struct m_tag *mtag;
|
||||
|
||||
if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
|
||||
return ((struct pf_tag *)(mtag + 1));
|
||||
else
|
||||
return (NULL);
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* For OUTBOUND packet having a socket. Searching SPD for packet,
|
||||
* and return a pointer to SP.
|
||||
|
@ -345,6 +362,10 @@ ipsec4_getpolicybysock(m, dir, so, error)
|
|||
struct secpolicy *currsp = NULL; /* policy on socket */
|
||||
struct secpolicy *kernsp = NULL; /* policy on kernel */
|
||||
struct secpolicyindex spidx;
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
struct pf_tag *t;
|
||||
#endif
|
||||
u_int16_t tag;
|
||||
|
||||
/* sanity check */
|
||||
if (m == NULL || so == NULL || error == NULL)
|
||||
|
@ -368,6 +389,13 @@ ipsec4_getpolicybysock(m, dir, so, error)
|
|||
panic("ipsec4_getpolicybysock: pcbsp is NULL.");
|
||||
#endif
|
||||
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
t = ipsec_get_tag(m);
|
||||
tag = t ? t->tag : 0;
|
||||
#else
|
||||
tag = 0;
|
||||
#endif
|
||||
|
||||
/* if we have a cached entry, and if it is still valid, use it. */
|
||||
ipsecstat.spdcachelookup++;
|
||||
currsp = ipsec_checkpcbcache(m, pcbsp, dir);
|
||||
|
@ -404,7 +432,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
|
|||
case IPSEC_POLICY_ENTRUST:
|
||||
/* look for a policy in SPD */
|
||||
if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
|
||||
(kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
|
||||
(kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
|
||||
/* SP found */
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ipsec4_getpolicybysock called "
|
||||
|
@ -438,7 +466,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
|
|||
/* when non-privilieged socket */
|
||||
/* look for a policy in SPD */
|
||||
if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
|
||||
(kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
|
||||
(kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
|
||||
/* SP found */
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ipsec4_getpolicybysock called "
|
||||
|
@ -496,6 +524,10 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
|
|||
int *error;
|
||||
{
|
||||
struct secpolicy *sp = NULL;
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
struct pf_tag *t;
|
||||
#endif
|
||||
u_int16_t tag;
|
||||
|
||||
/* sanity check */
|
||||
if (m == NULL || error == NULL)
|
||||
|
@ -514,7 +546,14 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
|
|||
if (*error != 0)
|
||||
return NULL;
|
||||
|
||||
sp = key_allocsp(0, &spidx, dir);
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
t = ipsec_get_tag(m);
|
||||
tag = t ? t->tag : 0;
|
||||
#else
|
||||
tag = 0;
|
||||
#endif
|
||||
|
||||
sp = key_allocsp(tag, &spidx, dir);
|
||||
}
|
||||
|
||||
/* SP found */
|
||||
|
@ -554,6 +593,11 @@ ipsec6_getpolicybysock(m, dir, so, error)
|
|||
struct secpolicy *currsp = NULL; /* policy on socket */
|
||||
struct secpolicy *kernsp = NULL; /* policy on kernel */
|
||||
struct secpolicyindex spidx;
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
struct pf_tag *t;
|
||||
#endif
|
||||
u_int16_t tag;
|
||||
|
||||
|
||||
/* sanity check */
|
||||
if (m == NULL || so == NULL || error == NULL)
|
||||
|
@ -571,6 +615,13 @@ ipsec6_getpolicybysock(m, dir, so, error)
|
|||
panic("ipsec6_getpolicybysock: pcbsp is NULL.");
|
||||
#endif
|
||||
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
t = ipsec_get_tag(m);
|
||||
tag = t ? t->tag : 0;
|
||||
#else
|
||||
tag = 0;
|
||||
#endif
|
||||
|
||||
/* if we have a cached entry, and if it is still valid, use it. */
|
||||
ipsec6stat.spdcachelookup++;
|
||||
currsp = ipsec_checkpcbcache(m, pcbsp, dir);
|
||||
|
@ -607,7 +658,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
|
|||
case IPSEC_POLICY_ENTRUST:
|
||||
/* look for a policy in SPD */
|
||||
if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
|
||||
(kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
|
||||
(kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
|
||||
/* SP found */
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ipsec6_getpolicybysock called "
|
||||
|
@ -641,7 +692,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
|
|||
/* when non-privilieged socket */
|
||||
/* look for a policy in SPD */
|
||||
if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
|
||||
(kernsp = key_allocsp(0, &spidx, dir)) != NULL) {
|
||||
(kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
|
||||
/* SP found */
|
||||
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
|
||||
printf("DP ipsec6_getpolicybysock called "
|
||||
|
@ -706,6 +757,10 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
|
|||
int *error;
|
||||
{
|
||||
struct secpolicy *sp = NULL;
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
struct pf_tag *t;
|
||||
#endif
|
||||
u_int16_t tag;
|
||||
|
||||
/* sanity check */
|
||||
if (m == NULL || error == NULL)
|
||||
|
@ -724,7 +779,14 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
|
|||
if (*error != 0)
|
||||
return NULL;
|
||||
|
||||
sp = key_allocsp(0, &spidx, dir);
|
||||
#ifdef SADB_X_EXT_TAG
|
||||
t = ipsec_get_tag(m);
|
||||
tag = t ? t->tag : 0;
|
||||
#else
|
||||
tag = 0;
|
||||
#endif
|
||||
|
||||
sp = key_allocsp(tag, &spidx, dir);
|
||||
}
|
||||
|
||||
/* SP found */
|
||||
|
|
Loading…
Reference in New Issue