correct comment

2003-09-06 04:13:50 +00:00 · 2003-09-06 04:13:50 +00:00 · bce24b4a3e
commit bce24b4a3e
parent b0b5b07f8a
4 changed files with 62 additions and 23 deletions
--- a/sys/netinet6/in6_ifattach.c
+++ b/sys/netinet6/in6_ifattach.c
@ -1,4 +1,4 @@
-/*	$NetBSD: in6_ifattach.c,v 1.55 2003/07/08 10:20:45 itojun Exp $	*/
+/*	$NetBSD: in6_ifattach.c,v 1.56 2003/09/06 04:13:50 itojun Exp $	*/
 /*	$KAME: in6_ifattach.c,v 1.124 2001/07/18 08:32:51 jinmei Exp $	*/

 /*
@ -31,7 +31,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.55 2003/07/08 10:20:45 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_ifattach.c,v 1.56 2003/09/06 04:13:50 itojun Exp $");

 #include <sys/param.h>
 #include <sys/systm.h>
@ -580,6 +580,8 @@ in6_ifattach(ifp, altifp)
 	/* some of the interfaces are inherently not IPv6 capable */
 	switch (ifp->if_type) {
 	case IFT_BRIDGE:
+	case IFT_PFLOG:
+	case IFT_PFSYNC:
 		return;
 	}

--- a/sys/netinet6/ip6_id.c
+++ b/sys/netinet6/ip6_id.c
@ -1,5 +1,5 @@
-/*	$NetBSD: ip6_id.c,v 1.2 2003/09/06 03:55:35 itojun Exp $	*/
-/*	$KAME: ip6_id.c,v 1.5 2003/09/06 03:54:11 itojun Exp $	*/
+/*	$NetBSD: ip6_id.c,v 1.3 2003/09/06 04:13:51 itojun Exp $	*/
+/*	$KAME: ip6_id.c,v 1.6 2003/09/06 04:12:32 itojun Exp $	*/
 /*	$OpenBSD: ip_id.c,v 1.6 2002/03/15 18:19:52 millert Exp $	*/

 /*
@ -87,7 +87,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_id.c,v 1.2 2003/09/06 03:55:35 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_id.c,v 1.3 2003/09/06 04:13:51 itojun Exp $");

 #include <sys/types.h>
 #include <sys/param.h>
@ -104,9 +104,9 @@ struct randomtab {
 	const long	ru_out;	/* Time after wich will be reseeded */
 	const u_int32_t ru_max;	/* Uniq cycle, avoid blackjack prediction */
 	const u_int32_t ru_gen;	/* Starting generator */
-	const u_int32_t ru_n;	/* RU_N-1 = 2^2*3^2*59652323 */
-	const u_int32_t ru_agen; /* determine ru_a as RU_AGEN^(2*rand) */
-	const u_int32_t ru_m;	/* RU_M = 2^7*3^15 - don't change */
+	const u_int32_t ru_n;	/* ru_n: prime, ru_n - 1: product of pfacts[] */
+	const u_int32_t ru_agen; /* determine ru_a as ru_agen^(2*rand) */
+	const u_int32_t ru_m;	/* ru_m = 2^x*3^y */
 	const u_int32_t pfacts[4];	/* factors of ru_n */

 	u_int32_t ru_counter;
--- a/sys/netinet6/ipsec.c
+++ b/sys/netinet6/ipsec.c
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.c,v 1.74 2003/09/06 03:36:33 itojun Exp $	*/
+/*	$NetBSD: ipsec.c,v 1.75 2003/09/06 04:13:51 itojun Exp $	*/
 /*	$KAME: ipsec.c,v 1.136 2002/05/19 00:36:39 itojun Exp $	*/

 /*
@ -35,7 +35,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.74 2003/09/06 03:36:33 itojun Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.75 2003/09/06 04:13:51 itojun Exp $");

 #include "opt_inet.h"
 #include "opt_ipsec.h"
@ -120,6 +120,7 @@ int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */

 #endif /* INET6 */

+static struct pf_tag *ipsec_get_tag __P((struct mbuf *));
 static struct secpolicy *ipsec_checkpcbcache __P((struct mbuf *,
 	struct inpcbpolicy *, int));
 static int ipsec_fillpcbcache __P((struct inpcbpolicy *, struct mbuf *,
@ -322,6 +323,18 @@ ipsec_invalpcbcacheall()
 	return 0;
 }

+static struct pf_tag *
+ipsec_get_tag(m)
+	struct mbuf *m;
+{
+	struct m_tag	*mtag;
+
+	if ((mtag = m_tag_find(m, PACKET_TAG_PF_TAG, NULL)) != NULL)
+		return ((struct pf_tag *)(mtag + 1));
+	else
+		return (NULL);
+}
+
 /*
 * For OUTBOUND packet having a socket. Searching SPD for packet,
 * and return a pointer to SP.
@ -345,6 +358,8 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	struct secpolicy *currsp = NULL;	/* policy on socket */
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 	struct secpolicyindex spidx;
+	struct pf_tag *t;
+	u_int16_t tag;

 	/* sanity check */
 	if (m == NULL || so == NULL || error == NULL)
@ -368,6 +383,9 @@ ipsec4_getpolicybysock(m, dir, so, error)
 		panic("ipsec4_getpolicybysock: pcbsp is NULL.");
 #endif

+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+
 	/* if we have a cached entry, and if it is still valid, use it. */
 	ipsecstat.spdcachelookup++;
 	currsp = ipsec_checkpcbcache(m, pcbsp, dir);
@ -404,7 +422,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
 			if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
-			    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
+			    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 					printf("DP ipsec4_getpolicybysock called "
@ -438,7 +456,7 @@ ipsec4_getpolicybysock(m, dir, so, error)
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
 	if (ipsec_setspidx_mbuf(&spidx, AF_INET, m, 1) == 0 &&
-	    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
+	    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 			printf("DP ipsec4_getpolicybysock called "
@ -496,6 +514,8 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)
 	int *error;
 {
 	struct secpolicy *sp = NULL;
+	struct pf_tag *t;
+	u_int16_t tag;

 	/* sanity check */
 	if (m == NULL || error == NULL)
@ -507,14 +527,17 @@ ipsec4_getpolicybyaddr(m, dir, flag, error)

 	bzero(&spidx, sizeof(spidx));

-	/* make a index to look for a policy */
+	/* make an index to look for a policy */
 	*error = ipsec_setspidx_mbuf(&spidx, AF_INET, m,
 	    (flag & IP_FORWARDING) ? 0 : 1);

 	if (*error != 0)
 		return NULL;

-	sp = key_allocsp(&spidx, dir);
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+
+	sp = key_allocsp(tag, &spidx, dir);
    }

 	/* SP found */
@ -554,6 +577,9 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	struct secpolicy *currsp = NULL;	/* policy on socket */
 	struct secpolicy *kernsp = NULL;	/* policy on kernel */
 	struct secpolicyindex spidx;
+	struct pf_tag *t;
+	u_int16_t tag;
+

 	/* sanity check */
 	if (m == NULL || so == NULL || error == NULL)
@ -571,6 +597,9 @@ ipsec6_getpolicybysock(m, dir, so, error)
 		panic("ipsec6_getpolicybysock: pcbsp is NULL.");
 #endif

+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+
 	/* if we have a cached entry, and if it is still valid, use it. */
 	ipsec6stat.spdcachelookup++;
 	currsp = ipsec_checkpcbcache(m, pcbsp, dir);
@ -607,7 +636,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
 		case IPSEC_POLICY_ENTRUST:
 			/* look for a policy in SPD */
 			if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
-			    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
+			    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 				/* SP found */
 				KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 					printf("DP ipsec6_getpolicybysock called "
@ -641,7 +670,7 @@ ipsec6_getpolicybysock(m, dir, so, error)
 	/* when non-privilieged socket */
 	/* look for a policy in SPD */
 	if (ipsec_setspidx_mbuf(&spidx, AF_INET6, m, 1) == 0 &&
-	    (kernsp = key_allocsp(&spidx, dir)) != NULL) {
+	    (kernsp = key_allocsp(tag, &spidx, dir)) != NULL) {
 		/* SP found */
 		KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
 			printf("DP ipsec6_getpolicybysock called "
@ -706,6 +735,8 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)
 	int *error;
 {
 	struct secpolicy *sp = NULL;
+	struct pf_tag *t;
+	u_int16_t tag;

 	/* sanity check */
 	if (m == NULL || error == NULL)
@ -717,14 +748,17 @@ ipsec6_getpolicybyaddr(m, dir, flag, error)

 	bzero(&spidx, sizeof(spidx));

-	/* make a index to look for a policy */
+	/* make an index to look for a policy */
 	*error = ipsec_setspidx_mbuf(&spidx, AF_INET6, m,
 	    (flag & IP_FORWARDING) ? 0 : 1);

 	if (*error != 0)
 		return NULL;

-	sp = key_allocsp(&spidx, dir);
+	t = ipsec_get_tag(m);
+	tag = t ? t->tag : 0;
+
+	sp = key_allocsp(tag, &spidx, dir);
    }

 	/* SP found */
@ -1733,7 +1767,8 @@ ipsec4_in_reject_so(m, so)
 	 * ipsec4_getpolicybyaddr() with IP_FORWARDING flag.
 	 */
 	if (so == NULL)
-		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
+		sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+		    IP_FORWARDING, &error);
 	else
 		sp = ipsec4_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);

@ -1786,7 +1821,8 @@ ipsec6_in_reject_so(m, so)
 	 * ipsec6_getpolicybyaddr() with IP_FORWARDING flag.
 	 */
 	if (so == NULL)
-		sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND, IP_FORWARDING, &error);
+		sp = ipsec6_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
+		    IP_FORWARDING, &error);
 	else
 		sp = ipsec6_getpolicybysock(m, IPSEC_DIR_INBOUND, so, &error);

--- a/sys/netinet6/ipsec.h
+++ b/sys/netinet6/ipsec.h
@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.35 2003/08/22 22:00:40 itojun Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.36 2003/09/06 04:13:52 itojun Exp $	*/
 /*	$KAME: ipsec.h,v 1.51 2001/08/05 04:52:58 itojun Exp $	*/

 /*
@ -76,7 +76,8 @@ struct secpolicy {
 	int readonly;			/* write prohibited */
 	int refcnt;			/* reference count */
 	struct secpolicyindex *spidx;	/* selector - NULL if not valid */
-	u_int32_t id;			/* It's unique number on the system. */
+	u_int16_t tag;			/* PF tag */
+	u_int32_t id;			/* it identifies a policy in the SPD. */
 #define IPSEC_MANUAL_POLICYID_MAX	0x3fff
 				/*
 				 * 1 - 0x3fff are reserved for user operation.
@ -352,7 +353,7 @@ struct inpcb;
 #ifdef INET6
 struct in6pcb;
 #endif
-extern int ipsec_init_pcbpolicy __P((struct socket *so, struct inpcbpolicy **));
+extern int ipsec_init_pcbpolicy __P((struct socket *, struct inpcbpolicy **));
 extern int ipsec_copy_pcbpolicy
 	__P((struct inpcbpolicy *, struct inpcbpolicy *));
 extern u_int ipsec_get_reqlevel __P((struct ipsecrequest *, int));