Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix per-PCB IPsec policy cache for FAST_IPSEC:

Browse Source 
The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of
the KAME per-PCB policy cache) assumes that policy-cacheable PCBs
always has a non-NULL inph_sp in the common PCB header.  So we must
do all the per-PCB policy cache calls when either (KAME) IPSEC, or
FAST_IPSEC is defined.  ``Make it so''.

We can now support non-IPsec'ed IPv6 traffic, when both
``options FAST_IPSEC'' and ``options INET6'' are configured.
This commit is contained in:
jonathan 2004-04-26 01:53:59 +00:00
parent e06794e93a
commit f7abb16323
1 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
sys/netinet6/in6_pcb.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: in6_pcb.c,v 1.63 2004/04/25 16:42:42 simonb Exp $ */
/* $NetBSD: in6_pcb.c,v 1.64 2004/04/26 01:53:59 jonathan Exp $ */
/* $KAME: in6_pcb.c,v 1.84 2001/02/08 18:02:08 itojun Exp $ */
/*
@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.63 2004/04/25 16:42:42 simonb Exp $");
__KERNEL_RCSID(0, "$NetBSD: in6_pcb.c,v 1.64 2004/04/26 01:53:59 jonathan Exp $");
#include "opt_inet.h"
#include "opt_ipsec.h"
@ -101,6 +101,12 @@ extern struct ifnet loif[NLOOP];
#include <netkey/key.h>
#endif /* IPSEC */
#ifdef FAST_IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
struct in6_addr zeroin6_addr;
#define IN6PCBHASH_PORT(table, lport) \
@ -143,7 +149,7 @@ in6_pcballoc(so, v)
struct inpcbtable *table = v;
struct in6pcb *in6p;
int s;
#ifdef IPSEC
#if defined(IPSEC) || defined(FAST_IPSEC)
int error;
#endif
@ -156,7 +162,7 @@ in6_pcballoc(so, v)
in6p->in6p_socket = so;
in6p->in6p_hops = -1; /* use kernel default */
in6p->in6p_icmp6filt = NULL;
#ifdef IPSEC
#if defined(IPSEC) || defined(FAST_IPSEC)
error = ipsec_init_pcbpolicy(so, &in6p->in6p_sp);
if (error != 0) {
pool_put(&in6pcb_pool, in6p);
@ -457,7 +463,7 @@ in6_pcbconnect(v, nam)
if (ip6_auto_flowlabel)
in6p->in6p_flowinfo |=
(htonl(ip6_randomflowlabel()) & IPV6_FLOWLABEL_MASK);
#ifdef IPSEC
#if defined(IPSEC) || defined(FAST_IPSEC)
if (in6p->in6p_socket->so_type == SOCK_STREAM)
ipsec_pcbconn(in6p->in6p_sp);
#endif
@ -472,7 +478,7 @@ in6_pcbdisconnect(in6p)
in6p->in6p_fport = 0;
in6_pcbstate(in6p, IN6P_BOUND);
in6p->in6p_flowinfo &= ~IPV6_FLOWLABEL_MASK;
#ifdef IPSEC
#if defined(IPSEC) || defined(FAST_IPSEC)
ipsec_pcbdisconn(in6p->in6p_sp);
#endif
if (in6p->in6p_socket->so_state & SS_NOFDREF)
@ -489,7 +495,7 @@ in6_pcbdetach(in6p)
if (in6p->in6p_af != AF_INET6)
return;
#ifdef IPSEC
#if defined(IPSEC) || defined(FAST_IPSEC)
ipsec6_delete_pcbpolicy(in6p);
#endif /* IPSEC */
sotoin6pcb(so) = 0;