Pull out ipsec routines from ip6_input
This change reduces symbol references from netinet6 to netipsec and improves modularity of netipsec. No functional change is intended.
This commit is contained in:
parent
45b7377f9c
commit
eefc30d59b
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $ */
|
||||
/* $NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $ */
|
||||
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
|
||||
|
||||
/*
|
||||
@ -62,7 +62,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.150 2015/01/20 21:27:36 roy Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.151 2015/04/01 02:49:44 ozaki-r Exp $");
|
||||
|
||||
#include "opt_gateway.h"
|
||||
#include "opt_inet.h"
|
||||
@ -748,11 +748,6 @@ ip6_input(struct mbuf *m)
|
||||
|
||||
#ifdef IPSEC
|
||||
if (ipsec_used) {
|
||||
struct m_tag *mtag;
|
||||
struct tdb_ident *tdbi;
|
||||
struct secpolicy *sp;
|
||||
int s, error;
|
||||
|
||||
/*
|
||||
* enforce IPsec policy checking if we are seeing last
|
||||
* header. note that we do not visit this with
|
||||
@ -760,39 +755,7 @@ ip6_input(struct mbuf *m)
|
||||
*/
|
||||
if ((inet6sw[ip_protox[nxt]].pr_flags
|
||||
& PR_LASTHDR) != 0) {
|
||||
/*
|
||||
* Check if the packet has already had IPsec
|
||||
* processing done. If so, then just pass it
|
||||
* along. This tag gets set during AH, ESP,
|
||||
* etc. input handling, before the packet is
|
||||
* returned to the ip input queue for delivery.
|
||||
*/
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
|
||||
NULL);
|
||||
s = splsoftnet();
|
||||
if (mtag != NULL) {
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
sp = ipsec_getpolicy(tdbi,
|
||||
IPSEC_DIR_INBOUND);
|
||||
} else {
|
||||
sp = ipsec_getpolicybyaddr(m,
|
||||
IPSEC_DIR_INBOUND, IP_FORWARDING,
|
||||
&error);
|
||||
}
|
||||
if (sp != NULL) {
|
||||
/*
|
||||
* Check security policy against packet
|
||||
* attributes.
|
||||
*/
|
||||
error = ipsec_in_reject(sp, m);
|
||||
KEY_FREESP(&sp);
|
||||
} else {
|
||||
/* XXX error stat??? */
|
||||
error = EINVAL;
|
||||
DPRINTF(("ip6_input: no SP, packet"
|
||||
" discarded\n"));/*XXX*/
|
||||
}
|
||||
splx(s);
|
||||
int error = ipsec6_input(m);
|
||||
if (error)
|
||||
goto bad;
|
||||
}
|
||||
|
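Review bot: The call site `int error = ipsec6_input(m);` keeps the "enforce IPsec policy checking" comment from the previous hunk but loses the explanation of what a nonzero return means, which now lives in netipsec; a one-line comment at the call would keep ip6_input readable without chasing the helper, e.g. `/* Nonzero: packet fails the inbound SP, or has none, and is dropped. */`. Judging from the ipsec.c hunk, ipsec6_input returns the result of ipsec_in_reject() for a matching SP and EINVAL when no SP is found, so the `goto bad` covers both the policy-reject and the no-policy cases. The enclosing `if (ipsec_used)` block opens in the previous hunk and ip6_input's body, including the `bad:` label, continues outside the hunk.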
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $ */
|
||||
/* $NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $ */
|
||||
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.c,v 1.2.2.2 2003/07/01 01:38:13 sam Exp $ */
|
||||
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
|
||||
|
||||
@ -32,7 +32,7 @@
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.65 2015/04/01 01:44:56 ozaki-r Exp $");
|
||||
__KERNEL_RCSID(0, "$NetBSD: ipsec.c,v 1.66 2015/04/01 02:49:44 ozaki-r Exp $");
|
||||
|
||||
/*
|
||||
* IPsec controller part.
|
||||
@ -2425,7 +2425,52 @@ skippolicycheck:;
|
||||
*needipsecp = needipsec;
|
||||
return sp;
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
ipsec6_input(struct mbuf *m)
|
||||
{
|
||||
struct m_tag *mtag;
|
||||
struct tdb_ident *tdbi;
|
||||
struct secpolicy *sp;
|
||||
int s, error;
|
||||
|
||||
/*
|
||||
* Check if the packet has already had IPsec
|
||||
* processing done. If so, then just pass it
|
||||
* along. This tag gets set during AH, ESP,
|
||||
* etc. input handling, before the packet is
|
||||
* returned to the ip input queue for delivery.
|
||||
*/
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE,
|
||||
NULL);
|
||||
s = splsoftnet();
|
||||
if (mtag != NULL) {
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
sp = ipsec_getpolicy(tdbi,
|
||||
IPSEC_DIR_INBOUND);
|
||||
} else {
|
||||
sp = ipsec_getpolicybyaddr(m,
|
||||
IPSEC_DIR_INBOUND, IP_FORWARDING,
|
||||
&error);
|
||||
}
|
||||
if (sp != NULL) {
|
||||
/*
|
||||
* Check security policy against packet
|
||||
* attributes.
|
||||
*/
|
||||
error = ipsec_in_reject(sp, m);
|
||||
KEY_FREESP(&sp);
|
||||
} else {
|
||||
/* XXX error stat??? */
|
||||
error = EINVAL;
|
||||
DPRINTF(("ip6_input: no SP, packet"
|
||||
" discarded\n"));/*XXX*/
|
||||
}
|
||||
splx(s);
|
||||
|
||||
return error;
|
||||
}
|
||||
#endif /* INET6 */
|
||||
|
||||
|
||||
|
||||
|
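Review bot: The diagnostic in the new ipsec6_input still names its old home, `DPRINTF(("ip6_input: no SP, packet" " discarded\n"));`, so a drop logged from netipsec will be attributed to netinet6; `DPRINTF(("ipsec6_input: no SP, packet discarded\n"));` keeps the message attributable to the function that emits it. The `/* XXX error stat??? */` drop for a missing inbound SP also comes across uncounted, so policy-induced drops stay invisible to IPsec counters; since the commit is meant as a pure move that is reasonable to leave for a follow-up, but worth recording. The function has no header comment; I would add one stating that it looks up the inbound security policy for an IPv6 packet (from the PACKET_TAG_IPSEC_IN_DONE tag when present, otherwise by address), returns the ipsec_in_reject() result for a matching SP and EINVAL when none is found, and that the caller treats any nonzero return as a drop. Whether the `#endif` before the function and the `#endif /* INET6 */` after it are both pre-existing is not recoverable from this rendering, so I have not checked the conditional nesting.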
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: ipsec.h,v 1.36 2014/09/05 09:26:44 matt Exp $ */
|
||||
/* $NetBSD: ipsec.h,v 1.37 2015/04/01 02:49:44 ozaki-r Exp $ */
|
||||
/* $FreeBSD: /usr/local/www/cvsroot/FreeBSD/src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
|
||||
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
|
||||
|
||||
@ -260,6 +260,9 @@ int ipsec4_output(struct mbuf *, struct socket *, int,
|
||||
struct secpolicy **, u_long *, bool *, bool *);
|
||||
int ipsec4_input(struct mbuf *, int);
|
||||
int ipsec4_forward(struct mbuf *, int *);
|
||||
#ifdef INET6
|
||||
int ipsec6_input(struct mbuf *);
|
||||
#endif
|
||||
|
||||
static __inline struct secpolicy*
|
||||
ipsec4_getpolicybysock(
|
||||
|