Tie new "Fast IPsec" code into the build. This involves the usual
configuration stuff as well as conditional code in the IPv4 and IPv6 areas. Everything is conditional on FAST_IPSEC which is mutually exclusive with IPSEC (KAME IPsec implmentation). As noted previously, don't use FAST_IPSEC with INET6 at the moment. Reviewed by: KAME, rwatson Approved by: silence Supported by: Vernier Networks
This commit is contained in:
parent
c919ec4b66
commit
b9234fafa0
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=105199
@ -343,6 +343,8 @@ options IPSEC #IP security
|
||||
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
|
||||
options IPSEC_DEBUG #debug for IP security
|
||||
|
||||
#options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
|
||||
|
||||
options IPX #IPX/SPX communications protocols
|
||||
options IPXIP #IPX in IP encapsulation (not available)
|
||||
options IPTUNNEL #IP in IPX encapsulation (not available)
|
||||
|
@ -1303,6 +1303,17 @@ netinet6/route6.c optional inet6
|
||||
netinet6/scope6.c optional inet6
|
||||
netinet6/udp6_output.c optional inet6
|
||||
netinet6/udp6_usrreq.c optional inet6
|
||||
netipsec/ipsec.c optional fast_ipsec
|
||||
netipsec/ipsec_input.c optional fast_ipsec
|
||||
netipsec/ipsec_mbuf.c optional fast_ipsec
|
||||
netipsec/ipsec_output.c optional fast_ipsec
|
||||
netipsec/key.c optional fast_ipsec
|
||||
netipsec/key_debug.c optional fast_ipsec
|
||||
netipsec/keysock.c optional fast_ipsec
|
||||
netipsec/xform_ah.c optional fast_ipsec
|
||||
netipsec/xform_esp.c optional fast_ipsec
|
||||
netipsec/xform_ipcomp.c optional fast_ipsec
|
||||
netipsec/xform_ipip.c optional fast_ipsec
|
||||
netipx/ipx.c optional ipx
|
||||
netipx/ipx_cksum.c optional ipx
|
||||
netipx/ipx_input.c optional ipx
|
||||
|
@ -312,6 +312,7 @@ INET6 opt_inet6.h
|
||||
IPSEC opt_ipsec.h
|
||||
IPSEC_ESP opt_ipsec.h
|
||||
IPSEC_DEBUG opt_ipsec.h
|
||||
FAST_IPSEC opt_ipsec.h
|
||||
IPDIVERT
|
||||
DUMMYNET opt_ipdn.h
|
||||
IPFILTER opt_ipfilter.h
|
||||
|
@ -72,6 +72,16 @@
|
||||
#include <netkey/key.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#if defined(IPSEC) || defined(IPSEC_ESP)
|
||||
#error "Bad idea: don't compile with both IPSEC and FAST_IPSEC!"
|
||||
#endif
|
||||
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
struct in_addr zeroin_addr;
|
||||
|
||||
/*
|
||||
|
@ -42,10 +42,10 @@
|
||||
#include <sys/_mutex.h>
|
||||
|
||||
#include <net/route.h>
|
||||
#include <netinet6/ipsec.h> /* for IPSEC */
|
||||
|
||||
#define in6pcb inpcb /* for KAME src sync over BSD*'s */
|
||||
#define in6p_sp inp_sp /* for KAME src sync over BSD*'s */
|
||||
struct inpcbpolicy;
|
||||
|
||||
/*
|
||||
* Common structure pcb for internet protocol implementation.
|
||||
|
@ -76,6 +76,14 @@
|
||||
#include <netinet6/ipcomp.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPESC
|
||||
#include <netipsec/ipsec.h>
|
||||
#define ah4_input ipsec4_common_input
|
||||
#define esp4_input ipsec4_common_input
|
||||
#define ipcomp4_input ipsec4_common_input
|
||||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#ifdef IPXIP
|
||||
#include <netipx/ipx_ip.h>
|
||||
#endif
|
||||
@ -232,9 +240,18 @@ SYSCTL_NODE(_net_inet, IPPROTO_ICMP, icmp, CTLFLAG_RW, 0, "ICMP");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_UDP, udp, CTLFLAG_RW, 0, "UDP");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_TCP, tcp, CTLFLAG_RW, 0, "TCP");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP");
|
||||
#ifdef FAST_IPSEC
|
||||
/* XXX no protocol # to use, pick something "reserved" */
|
||||
SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
|
||||
#else
|
||||
#ifdef IPSEC
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_AH, ipsec, CTLFLAG_RW, 0, "IPSEC");
|
||||
#endif /* IPSEC */
|
||||
#endif /* !FAST_IPSEC */
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
|
||||
#ifdef IPDIVERT
|
||||
SYSCTL_NODE(_net_inet, IPPROTO_DIVERT, divert, CTLFLAG_RW, 0, "DIVERT");
|
||||
|
@ -65,6 +65,12 @@
|
||||
#include <netkey/key.h>
|
||||
#endif
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
|
||||
/*
|
||||
|
@ -88,6 +88,11 @@
|
||||
#include <netkey/key.h>
|
||||
#endif
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/key.h>
|
||||
#endif
|
||||
|
||||
int rsvp_on = 0;
|
||||
|
||||
int ipforwarding = 0;
|
||||
@ -290,6 +295,12 @@ ip_input(struct mbuf *m)
|
||||
struct mbuf *m0;
|
||||
int rv;
|
||||
#endif /* PFIL_HOOKS */
|
||||
#ifdef FAST_IPSEC
|
||||
struct m_tag *mtag;
|
||||
struct tdb_ident *tdbi;
|
||||
struct secpolicy *sp;
|
||||
int s, error;
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
args.eh = NULL;
|
||||
args.oif = NULL;
|
||||
@ -656,6 +667,34 @@ ip_input(struct mbuf *m)
|
||||
goto bad;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
|
||||
s = splnet();
|
||||
if (mtag != NULL) {
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
|
||||
} else {
|
||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
|
||||
IP_FORWARDING, &error);
|
||||
}
|
||||
if (sp == NULL) { /* NB: can happen if error */
|
||||
splx(s);
|
||||
/*XXX error stat???*/
|
||||
DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/
|
||||
goto bad;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check security policy against packet attributes.
|
||||
*/
|
||||
error = ipsec_in_reject(sp, m);
|
||||
KEY_FREESP(&sp);
|
||||
splx(s);
|
||||
if (error) {
|
||||
ipstat.ips_cantforward++;
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
ip_forward(m, 0, args.next_hop);
|
||||
}
|
||||
return;
|
||||
@ -825,6 +864,45 @@ ip_input(struct mbuf *m)
|
||||
goto bad;
|
||||
}
|
||||
#endif
|
||||
#if FAST_IPSEC
|
||||
/*
|
||||
* enforce IPsec policy checking if we are seeing last header.
|
||||
* note that we do not visit this with protocols with pcb layer
|
||||
* code - like udp/tcp/raw ip.
|
||||
*/
|
||||
if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) {
|
||||
/*
|
||||
* Check if the packet has already had IPsec processing
|
||||
* done. If so, then just pass it along. This tag gets
|
||||
* set during AH, ESP, etc. input handling, before the
|
||||
* packet is returned to the ip input queue for delivery.
|
||||
*/
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
|
||||
s = splnet();
|
||||
if (mtag != NULL) {
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND);
|
||||
} else {
|
||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND,
|
||||
IP_FORWARDING, &error);
|
||||
}
|
||||
if (sp != NULL) {
|
||||
/*
|
||||
* Check security policy against packet attributes.
|
||||
*/
|
||||
error = ipsec_in_reject(sp, m);
|
||||
KEY_FREESP(&sp);
|
||||
} else {
|
||||
/* XXX error stat??? */
|
||||
error = EINVAL;
|
||||
DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
|
||||
goto bad;
|
||||
}
|
||||
splx(s);
|
||||
if (error)
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
/*
|
||||
* Switch out to protocol's input routine.
|
||||
@ -1625,7 +1703,7 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
|
||||
n_long dest;
|
||||
struct in_addr pkt_dst;
|
||||
struct ifnet *destifp;
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
struct ifnet dummyifp;
|
||||
#endif
|
||||
|
||||
@ -1839,7 +1917,58 @@ ip_forward(struct mbuf *m, int srcrt, struct sockaddr_in *next_hop)
|
||||
key_freesp(sp);
|
||||
}
|
||||
}
|
||||
#else
|
||||
#elif FAST_IPSEC
|
||||
/*
|
||||
* If the packet is routed over IPsec tunnel, tell the
|
||||
* originator the tunnel MTU.
|
||||
* tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
|
||||
* XXX quickhack!!!
|
||||
*/
|
||||
if (ipforward_rt.ro_rt) {
|
||||
struct secpolicy *sp = NULL;
|
||||
int ipsecerror;
|
||||
int ipsechdr;
|
||||
struct route *ro;
|
||||
|
||||
sp = ipsec_getpolicybyaddr(mcopy,
|
||||
IPSEC_DIR_OUTBOUND,
|
||||
IP_FORWARDING,
|
||||
&ipsecerror);
|
||||
|
||||
if (sp == NULL)
|
||||
destifp = ipforward_rt.ro_rt->rt_ifp;
|
||||
else {
|
||||
/* count IPsec header size */
|
||||
ipsechdr = ipsec4_hdrsiz(mcopy,
|
||||
IPSEC_DIR_OUTBOUND,
|
||||
NULL);
|
||||
|
||||
/*
|
||||
* find the correct route for outer IPv4
|
||||
* header, compute tunnel MTU.
|
||||
*
|
||||
* XXX BUG ALERT
|
||||
* The "dummyifp" code relies upon the fact
|
||||
* that icmp_error() touches only ifp->if_mtu.
|
||||
*/
|
||||
/*XXX*/
|
||||
destifp = NULL;
|
||||
if (sp->req != NULL
|
||||
&& sp->req->sav != NULL
|
||||
&& sp->req->sav->sah != NULL) {
|
||||
ro = &sp->req->sav->sah->sa_route;
|
||||
if (ro->ro_rt && ro->ro_rt->rt_ifp) {
|
||||
dummyifp.if_mtu =
|
||||
ro->ro_rt->rt_ifp->if_mtu;
|
||||
dummyifp.if_mtu -= ipsechdr;
|
||||
destifp = &dummyifp;
|
||||
}
|
||||
}
|
||||
|
||||
KEY_FREESP(&sp);
|
||||
}
|
||||
}
|
||||
#else /* !IPSEC && !FAST_IPSEC */
|
||||
if (ipforward_rt.ro_rt)
|
||||
destifp = ipforward_rt.ro_rt->rt_ifp;
|
||||
#endif /*IPSEC*/
|
||||
|
@ -79,6 +79,12 @@ static MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options");
|
||||
#endif
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/xform.h>
|
||||
#include <netipsec/key.h>
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#include <netinet/ip_fw.h>
|
||||
#include <netinet/ip_dummynet.h>
|
||||
|
||||
@ -134,6 +140,13 @@ ip_output(m0, opt, ro, flags, imo, inp)
|
||||
struct secpolicy *sp = NULL;
|
||||
struct socket *so = inp ? inp->inp_socket : NULL;
|
||||
#endif
|
||||
#ifdef FAST_IPSEC
|
||||
struct route iproute;
|
||||
struct m_tag *mtag;
|
||||
struct secpolicy *sp = NULL;
|
||||
struct tdb_ident *tdbi;
|
||||
int s;
|
||||
#endif /* FAST_IPSEC */
|
||||
struct ip_fw_args args;
|
||||
int src_was_INADDR_ANY = 0; /* as the name says... */
|
||||
#ifdef PFIL_HOOKS
|
||||
@ -182,6 +195,10 @@ ip_output(m0, opt, ro, flags, imo, inp)
|
||||
m = m0;
|
||||
|
||||
KASSERT(!m || (m->m_flags & M_PKTHDR) != 0, ("ip_output: no HDR"));
|
||||
#ifndef FAST_IPSEC
|
||||
KASSERT(ro != NULL, ("ip_output: no route, proto %d",
|
||||
mtod(m, struct ip *)->ip_p));
|
||||
#endif
|
||||
|
||||
if (args.rule != NULL) { /* dummynet already saw us */
|
||||
ip = mtod(m, struct ip *);
|
||||
@ -216,6 +233,12 @@ ip_output(m0, opt, ro, flags, imo, inp)
|
||||
hlen = IP_VHL_HL(ip->ip_vhl) << 2;
|
||||
}
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
if (ro == NULL) {
|
||||
ro = &iproute;
|
||||
bzero(ro, sizeof (*ro));
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
dst = (struct sockaddr_in *)&ro->ro_dst;
|
||||
/*
|
||||
* If there is a cached route,
|
||||
@ -569,6 +592,119 @@ ip_output(m0, opt, ro, flags, imo, inp)
|
||||
ip->ip_off = ntohs(ip->ip_off);
|
||||
skip_ipsec:
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check the security policy (SP) for the packet and, if
|
||||
* required, do IPsec-related processing. There are two
|
||||
* cases here; the first time a packet is sent through
|
||||
* it will be untagged and handled by ipsec4_checkpolicy.
|
||||
* If the packet is resubmitted to ip_output (e.g. after
|
||||
* AH, ESP, etc. processing), there will be a tag to bypass
|
||||
* the lookup and related policy checking.
|
||||
*/
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
|
||||
s = splnet();
|
||||
if (mtag != NULL) {
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_OUTBOUND);
|
||||
if (sp == NULL)
|
||||
error = -EINVAL; /* force silent drop */
|
||||
m_tag_delete(m, mtag);
|
||||
} else {
|
||||
sp = ipsec4_checkpolicy(m, IPSEC_DIR_OUTBOUND, flags,
|
||||
&error, inp);
|
||||
}
|
||||
/*
|
||||
* There are four return cases:
|
||||
* sp != NULL apply IPsec policy
|
||||
* sp == NULL, error == 0 no IPsec handling needed
|
||||
* sp == NULL, error == -EINVAL discard packet w/o error
|
||||
* sp == NULL, error != 0 discard packet, report error
|
||||
*/
|
||||
if (sp != NULL) {
|
||||
/* Loop detection, check if ipsec processing already done */
|
||||
KASSERT(sp->req != NULL, ("ip_output: no ipsec request"));
|
||||
for (mtag = m_tag_first(m); mtag != NULL;
|
||||
mtag = m_tag_next(m, mtag)) {
|
||||
if (mtag->m_tag_cookie != MTAG_ABI_COMPAT)
|
||||
continue;
|
||||
if (mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_DONE &&
|
||||
mtag->m_tag_id != PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED)
|
||||
continue;
|
||||
/*
|
||||
* Check if policy has an SA associated with it.
|
||||
* This can happen when an SP has yet to acquire
|
||||
* an SA; e.g. on first reference. If it occurs,
|
||||
* then we let ipsec4_process_packet do its thing.
|
||||
*/
|
||||
if (sp->req->sav == NULL)
|
||||
break;
|
||||
tdbi = (struct tdb_ident *)(mtag + 1);
|
||||
if (tdbi->spi == sp->req->sav->spi &&
|
||||
tdbi->proto == sp->req->sav->sah->saidx.proto &&
|
||||
bcmp(&tdbi->dst, &sp->spidx.dst,
|
||||
sizeof (union sockaddr_union)) == 0) {
|
||||
/*
|
||||
* No IPsec processing is needed, free
|
||||
* reference to SP.
|
||||
*
|
||||
* NB: null pointer to avoid free at
|
||||
* done: below.
|
||||
*/
|
||||
KEY_FREESP(&sp), sp = NULL;
|
||||
splx(s);
|
||||
goto spd_done;
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Do delayed checksums now because we send before
|
||||
* this is done in the normal processing path.
|
||||
*/
|
||||
if (m->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
|
||||
in_delayed_cksum(m);
|
||||
m->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
|
||||
}
|
||||
|
||||
ip->ip_len = htons(ip->ip_len);
|
||||
ip->ip_off = htons(ip->ip_off);
|
||||
|
||||
/* NB: callee frees mbuf */
|
||||
error = ipsec4_process_packet(m, sp->req, flags, 0);
|
||||
splx(s);
|
||||
goto done;
|
||||
} else {
|
||||
splx(s);
|
||||
|
||||
if (error != 0) {
|
||||
/*
|
||||
* Hack: -EINVAL is used to signal that a packet
|
||||
* should be silently discarded. This is typically
|
||||
* because we asked key management for an SA and
|
||||
* it was delayed (e.g. kicked up to IKE).
|
||||
*/
|
||||
if (error == -EINVAL)
|
||||
error = 0;
|
||||
goto bad;
|
||||
} else {
|
||||
/* No IPsec processing for this packet. */
|
||||
}
|
||||
#ifdef notyet
|
||||
/*
|
||||
* If deferred crypto processing is needed, check that
|
||||
* the interface supports it.
|
||||
*/
|
||||
mtag = m_tag_find(m, PACKET_TAG_IPSEC_OUT_CRYPTO_NEEDED, NULL);
|
||||
if (mtag != NULL && (ifp->if_capenable & IFCAP_IPSEC) == 0) {
|
||||
/* notify IPsec to do its own crypto */
|
||||
ipsp_skipcrypto_unmark((struct tdb_ident *)(mtag + 1));
|
||||
error = EHOSTUNREACH;
|
||||
goto bad;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
spd_done:
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
/*
|
||||
* IpHack's section.
|
||||
@ -1078,6 +1214,14 @@ ip_output(m0, opt, ro, flags, imo, inp)
|
||||
key_freesp(sp);
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
if (ro == &iproute && ro->ro_rt) {
|
||||
RTFREE(ro->ro_rt);
|
||||
ro->ro_rt = NULL;
|
||||
}
|
||||
if (sp != NULL)
|
||||
KEY_FREESP(&sp);
|
||||
#endif /* FAST_IPSEC */
|
||||
return (error);
|
||||
bad:
|
||||
m_freem(m);
|
||||
@ -1340,7 +1484,7 @@ ip_ctloutput(so, sopt)
|
||||
}
|
||||
break;
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
case IP_IPSEC_POLICY:
|
||||
{
|
||||
caddr_t req;
|
||||
@ -1444,7 +1588,7 @@ ip_ctloutput(so, sopt)
|
||||
error = ip_getmoptions(sopt, inp->inp_moptions);
|
||||
break;
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
case IP_IPSEC_POLICY:
|
||||
{
|
||||
struct mbuf *m = NULL;
|
||||
|
@ -71,6 +71,10 @@
|
||||
#include <netinet/ip_fw.h>
|
||||
#include <netinet/ip_dummynet.h>
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#ifdef IPSEC
|
||||
#include <netinet6/ipsec.h>
|
||||
#endif /*IPSEC*/
|
||||
@ -157,6 +161,13 @@ rip_input(m, off)
|
||||
/* do not inject data to pcb */
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
policyfail = 1;
|
||||
/* do not inject data to pcb */
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#ifdef MAC
|
||||
if (policyfail == 0 &&
|
||||
mac_check_socket_deliver(last->inp_socket,
|
||||
@ -195,6 +206,15 @@ rip_input(m, off)
|
||||
return;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(m, last)) {
|
||||
m_freem(m);
|
||||
ipstat.ips_delivered--;
|
||||
/* do not inject data to pcb */
|
||||
return;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#ifdef MAC
|
||||
if (mac_check_socket_deliver(last->inp_socket, m) != 0) {
|
||||
m_freem(m);
|
||||
|
@ -84,6 +84,13 @@
|
||||
#include <netinet/tcp_debug.h>
|
||||
#endif /* TCPDEBUG */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#ifdef IPSEC
|
||||
#include <netinet6/ipsec.h>
|
||||
#include <netinet6/ipsec6.h>
|
||||
@ -566,6 +573,18 @@ tcp_input(m, off0)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef FAST_IPSEC
|
||||
#ifdef INET6
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
} else
|
||||
#endif /* INET6 */
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
/*
|
||||
* If the state is CLOSED (i.e., TCB does not exist) then
|
||||
|
@ -79,6 +79,11 @@
|
||||
#include <netinet6/ipsec.h>
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#define IPSEC
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
|
||||
#ifdef notyet
|
||||
|
@ -84,6 +84,13 @@
|
||||
#include <netinet/tcp_debug.h>
|
||||
#endif /* TCPDEBUG */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#ifdef IPSEC
|
||||
#include <netinet6/ipsec.h>
|
||||
#include <netinet6/ipsec6.h>
|
||||
@ -566,6 +573,18 @@ tcp_input(m, off0)
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef FAST_IPSEC
|
||||
#ifdef INET6
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
} else
|
||||
#endif /* INET6 */
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
/*
|
||||
* If the state is CLOSED (i.e., TCB does not exist) then
|
||||
|
@ -99,6 +99,14 @@
|
||||
#endif
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif
|
||||
#define IPSEC
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
#include <sys/md5.h>
|
||||
|
||||
|
@ -81,9 +81,17 @@
|
||||
#ifdef INET6
|
||||
#include <netinet6/ipsec6.h>
|
||||
#endif
|
||||
#include <netkey/key.h>
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
#include <vm/uma.h>
|
||||
|
||||
|
@ -99,6 +99,14 @@
|
||||
#endif
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#ifdef INET6
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif
|
||||
#define IPSEC
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#include <machine/in_cksum.h>
|
||||
#include <sys/md5.h>
|
||||
|
||||
|
@ -78,6 +78,10 @@
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/udp_var.h>
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#endif /*FAST_IPSEC*/
|
||||
|
||||
#ifdef IPSEC
|
||||
#include <netinet6/ipsec.h>
|
||||
#endif /*IPSEC*/
|
||||
@ -167,10 +171,6 @@ udp_input(m, off)
|
||||
struct mbuf *opts = 0;
|
||||
int len;
|
||||
struct ip save_ip;
|
||||
struct sockaddr *append_sa;
|
||||
#ifdef MAC
|
||||
int error;
|
||||
#endif
|
||||
|
||||
udpstat.udps_ipackets++;
|
||||
|
||||
@ -202,6 +202,16 @@ udp_input(m, off)
|
||||
if (uh->uh_dport == 0)
|
||||
goto badunlocked;
|
||||
|
||||
/*
|
||||
* Construct sockaddr format source address.
|
||||
* Stuff source address and datagram in user buffer.
|
||||
*/
|
||||
udp_in.sin_port = uh->uh_sport;
|
||||
udp_in.sin_addr = ip->ip_src;
|
||||
#ifdef INET6
|
||||
udp_in6.uin6_init_done = udp_ip6.uip6_init_done = 0;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Make mbuf data length reflect UDP length.
|
||||
* If not enough data to reflect UDP length, drop.
|
||||
@ -271,19 +281,11 @@ udp_input(m, off)
|
||||
* fixing the interface. Maybe 4.5BSD will remedy this?)
|
||||
*/
|
||||
|
||||
/*
|
||||
* Construct sockaddr format source address.
|
||||
*/
|
||||
udp_in.sin_port = uh->uh_sport;
|
||||
udp_in.sin_addr = ip->ip_src;
|
||||
/*
|
||||
* Locate pcb(s) for datagram.
|
||||
* (Algorithm copied from raw_intr().)
|
||||
*/
|
||||
last = NULL;
|
||||
#ifdef INET6
|
||||
udp_in6.uin6_init_done = udp_ip6.uip6_init_done = 0;
|
||||
#endif
|
||||
LIST_FOREACH(inp, &udb, inp_list) {
|
||||
INP_LOCK(inp);
|
||||
if (inp->inp_lport != uh->uh_dport) {
|
||||
@ -308,29 +310,12 @@ udp_input(m, off)
|
||||
|
||||
if (last != NULL) {
|
||||
struct mbuf *n;
|
||||
int policyfail;
|
||||
|
||||
policyfail = 0;
|
||||
#ifdef IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject_so(m, last->inp_socket)) {
|
||||
ipsecstat.in_polvio++;
|
||||
policyfail = 1;
|
||||
/* do not inject data to pcb */
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef MAC
|
||||
if (mac_check_socket_deliver(last->inp_socket,
|
||||
m) != 0)
|
||||
policyfail = 1;
|
||||
#endif
|
||||
if (!policyfail) {
|
||||
n = m_copy(m, 0, M_COPYALL);
|
||||
if (n != NULL)
|
||||
udp_append(last, ip, n,
|
||||
n = m_copy(m, 0, M_COPYALL);
|
||||
if (n != NULL)
|
||||
udp_append(last, ip, n,
|
||||
iphlen +
|
||||
sizeof(struct udphdr));
|
||||
}
|
||||
INP_UNLOCK(last);
|
||||
}
|
||||
last = inp;
|
||||
@ -355,13 +340,6 @@ udp_input(m, off)
|
||||
udpstat.udps_noportbcast++;
|
||||
goto badheadlocked;
|
||||
}
|
||||
#ifdef IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject_so(m, last->inp_socket)) {
|
||||
ipsecstat.in_polvio++;
|
||||
goto badheadlocked;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
INP_UNLOCK(last);
|
||||
INP_INFO_RUNLOCK(&udbinfo);
|
||||
udp_append(last, ip, m, iphlen + sizeof(struct udphdr));
|
||||
@ -399,58 +377,12 @@ udp_input(m, off)
|
||||
}
|
||||
INP_LOCK(inp);
|
||||
INP_INFO_RUNLOCK(&udbinfo);
|
||||
#ifdef IPSEC
|
||||
if (ipsec4_in_reject_so(m, inp->inp_socket)) {
|
||||
ipsecstat.in_polvio++;
|
||||
goto bad;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef MAC
|
||||
error = mac_check_socket_deliver(inp->inp_socket, m);
|
||||
if (error)
|
||||
goto bad;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Construct sockaddr format source address.
|
||||
* Stuff source address and datagram in user buffer.
|
||||
*/
|
||||
udp_in.sin_port = uh->uh_sport;
|
||||
udp_in.sin_addr = ip->ip_src;
|
||||
if (inp->inp_flags & INP_CONTROLOPTS
|
||||
|| inp->inp_socket->so_options & SO_TIMESTAMP) {
|
||||
#ifdef INET6
|
||||
if (inp->inp_vflag & INP_IPV6) {
|
||||
int savedflags;
|
||||
|
||||
ip_2_ip6_hdr(&udp_ip6.uip6_ip6, ip);
|
||||
savedflags = inp->inp_flags;
|
||||
inp->inp_flags &= ~INP_UNMAPPABLEOPTS;
|
||||
ip6_savecontrol(inp, &opts, &udp_ip6.uip6_ip6, m);
|
||||
inp->inp_flags = savedflags;
|
||||
} else
|
||||
#endif
|
||||
ip_savecontrol(inp, &opts, ip, m);
|
||||
}
|
||||
m_adj(m, iphlen + sizeof(struct udphdr));
|
||||
#ifdef INET6
|
||||
if (inp->inp_vflag & INP_IPV6) {
|
||||
in6_sin_2_v4mapsin6(&udp_in, &udp_in6.uin6_sin);
|
||||
append_sa = (struct sockaddr *)&udp_in6;
|
||||
} else
|
||||
#endif
|
||||
append_sa = (struct sockaddr *)&udp_in;
|
||||
if (sbappendaddr(&inp->inp_socket->so_rcv, append_sa, m, opts) == 0) {
|
||||
udpstat.udps_fullsock++;
|
||||
goto bad;
|
||||
}
|
||||
sorwakeup(inp->inp_socket);
|
||||
udp_append(inp, ip, m, iphlen + sizeof(struct udphdr));
|
||||
INP_UNLOCK(inp);
|
||||
return;
|
||||
|
||||
badheadlocked:
|
||||
INP_INFO_RUNLOCK(&udbinfo);
|
||||
bad:
|
||||
if (inp)
|
||||
INP_UNLOCK(inp);
|
||||
badunlocked:
|
||||
@ -493,6 +425,27 @@ udp_append(last, ip, n, off)
|
||||
struct sockaddr *append_sa;
|
||||
struct mbuf *opts = 0;
|
||||
|
||||
#ifdef IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject_so(n, last->inp_socket)) {
|
||||
ipsecstat.in_polvio++;
|
||||
m_freem(n);
|
||||
return;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
return;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#ifdef MAC
|
||||
if (mac_check_socket_deliver(last->inp_socket, n) != 0) {
|
||||
m_freem(n);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
if (last->inp_flags & INP_CONTROLOPTS ||
|
||||
last->inp_socket->so_options & SO_TIMESTAMP) {
|
||||
#ifdef INET6
|
||||
|
@ -106,6 +106,12 @@
|
||||
#include <netkey/key.h>
|
||||
#endif
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
||||
#ifdef HAVE_NRL_INPCB
|
||||
|
@ -113,6 +113,13 @@
|
||||
#include <netkey/key.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
struct in6_addr zeroin6_addr;
|
||||
|
||||
int
|
||||
|
@ -126,6 +126,15 @@
|
||||
#endif
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec6.h>
|
||||
#define IPSEC
|
||||
#define IPSEC_ESP
|
||||
#define ah6_input ipsec6_common_input
|
||||
#define esp6_input ipsec6_common_input
|
||||
#define ipcomp6_input ipsec6_common_input
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6protosw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
|
@ -74,6 +74,13 @@
|
||||
#include <netkey/key.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#include <netipsec/key.h>
|
||||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
@ -124,7 +131,9 @@ ip6_forward(m, srcrt)
|
||||
* before forwarding packet actually.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, NULL)) {
|
||||
#if !defined(FAST_IPSEC)
|
||||
ipsec6stat.in_polvio++;
|
||||
#endif
|
||||
m_freem(m);
|
||||
return;
|
||||
}
|
||||
|
@ -117,6 +117,12 @@
|
||||
#endif
|
||||
#endif
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#define IPSEC
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <netinet6/ip6protosw.h>
|
||||
|
@ -105,6 +105,12 @@
|
||||
#include <netkey/key.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#include <netipsec/key.h>
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <netinet6/ip6_fw.h>
|
||||
|
||||
#include <net/net_osdep.h>
|
||||
@ -179,6 +185,12 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
int needipsectun = 0;
|
||||
struct secpolicy *sp = NULL;
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#define MAKE_EXTHDR(hp, mp) \
|
||||
do { \
|
||||
@ -247,6 +259,49 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
||||
printf("ip6_output: Invalid policy found. %d\n", sp->policy);
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/* get a security policy for this packet */
|
||||
if (inp == NULL)
|
||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, 0, &error);
|
||||
else
|
||||
sp = ipsec_getpolicybysock(m, IPSEC_DIR_OUTBOUND, inp, &error);
|
||||
|
||||
if (sp == NULL) {
|
||||
newipsecstat.ips_out_inval++;
|
||||
goto freehdrs;
|
||||
}
|
||||
|
||||
error = 0;
|
||||
|
||||
/* check policy */
|
||||
switch (sp->policy) {
|
||||
case IPSEC_POLICY_DISCARD:
|
||||
/*
|
||||
* This packet is just discarded.
|
||||
*/
|
||||
newipsecstat.ips_out_polvio++;
|
||||
goto freehdrs;
|
||||
|
||||
case IPSEC_POLICY_BYPASS:
|
||||
case IPSEC_POLICY_NONE:
|
||||
/* no need to do IPsec. */
|
||||
needipsec = 0;
|
||||
break;
|
||||
|
||||
case IPSEC_POLICY_IPSEC:
|
||||
if (sp->req == NULL) {
|
||||
/* acquire a policy */
|
||||
error = key_spdacquire(sp);
|
||||
goto freehdrs;
|
||||
}
|
||||
needipsec = 1;
|
||||
break;
|
||||
|
||||
case IPSEC_POLICY_ENTRUST:
|
||||
default:
|
||||
printf("ip6_output: Invalid policy found. %d\n", sp->policy);
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
/*
|
||||
* Calculate the total length of the extension header chain.
|
||||
@ -354,7 +409,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
||||
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev,
|
||||
nexthdrp, IPPROTO_ROUTING);
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
if (!needipsec)
|
||||
goto skip_ipsec2;
|
||||
|
||||
@ -485,7 +540,7 @@ skip_ipsec2:;
|
||||
dst->sin6_scope_id = ntohs(dst->sin6_addr.s6_addr16[1]);
|
||||
#endif
|
||||
}
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
if (needipsec && needipsectun) {
|
||||
struct ipsec_output_state state;
|
||||
|
||||
@ -1069,6 +1124,10 @@ skip_ipsec2:;
|
||||
if (sp != NULL)
|
||||
key_freesp(sp);
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
if (sp != NULL)
|
||||
KEY_FREESP(&sp);
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
return(error);
|
||||
|
||||
@ -1480,7 +1539,7 @@ do { \
|
||||
}
|
||||
break;
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
case IPV6_IPSEC_POLICY:
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
@ -1635,7 +1694,7 @@ do { \
|
||||
}
|
||||
break;
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
case IPV6_IPSEC_POLICY:
|
||||
{
|
||||
caddr_t req = NULL;
|
||||
|
@ -105,6 +105,11 @@
|
||||
#include <netinet6/ipsec6.h>
|
||||
#endif /*IPSEC*/
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
#include <machine/stdarg.h>
|
||||
|
||||
#define satosin6(sa) ((struct sockaddr_in6 *)(sa))
|
||||
@ -181,6 +186,15 @@ rip6_input(mp, offp, proto)
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (n && ipsec6_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*FAST_IPSEC*/
|
||||
if (n) {
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
@ -212,6 +226,16 @@ rip6_input(mp, offp, proto)
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (last && ipsec6_in_reject(m, last)) {
|
||||
m_freem(m);
|
||||
ip6stat.ip6s_delivered--;
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*FAST_IPSEC*/
|
||||
if (last) {
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
|
@ -109,6 +109,11 @@
|
||||
#include <netinet6/ipsec6.h>
|
||||
#endif /* IPSEC */
|
||||
|
||||
#ifdef FAST_IPSEC
|
||||
#include <netipsec/ipsec.h>
|
||||
#include <netipsec/ipsec6.h>
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
/*
|
||||
* UDP protocol inplementation.
|
||||
* Per RFC 768, August, 1980.
|
||||
@ -261,6 +266,14 @@ udp6_input(mp, offp, proto)
|
||||
/* do not inject data into pcb */
|
||||
else
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last))
|
||||
;
|
||||
else
|
||||
#endif /* FAST_IPSEC */
|
||||
if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
|
||||
/*
|
||||
* KAME NOTE: do not
|
||||
@ -320,6 +333,14 @@ udp6_input(mp, offp, proto)
|
||||
goto bad;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last)) {
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS
|
||||
|| last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
ip6_savecontrol(last, &opts, ip6, m);
|
||||
@ -368,6 +389,14 @@ udp6_input(mp, offp, proto)
|
||||
goto bad;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, in6p)) {
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
|
||||
/*
|
||||
* Construct sockaddr format source address.
|
||||
|
Loading…
Reference in New Issue
Block a user