Make IPsec compile without INET adding appropriate #ifdef checks.

Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c
to not need three different versions depending on INET, INET6 or both.

Mark two places preparing for not yet supported functionality with IPv6.

Reviewed by:	gnn
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	4 days

sys/netinet6/ip6_ipsec.c

@@ -30,6 +30,7 @@
 #include <sys/cdefs.h>
 __FBSDID("$FreeBSD$");
 
+#include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
 
@@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/sysctl.h>
+#include <sys/syslog.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -291,7 +293,11 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
 		 * this is done in the normal processing path.
 		 */
 		if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
+			ipseclog((LOG_DEBUG,
+			    "%s: we do not support IPv4 over IPv6", __func__));
+#ifdef INET
 			in_delayed_cksum(*m);
+#endif
 			(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
 		}
 

sys/netipsec/ipsec_input.c

@@ -119,8 +119,10 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
 	struct secasvar *sav;
 	u_int32_t spi;
 	int error;
+#ifdef INET
 #ifdef IPSEC_NAT_T
 	struct m_tag *tag;
+#endif
 #endif
 
 	IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,

sys/netipsec/ipsec_output.c

@@ -165,7 +165,29 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
 	 */
 	if (isr->next) {
 		V_ipsec4stat.ips_out_bundlesa++;
-		return ipsec4_process_packet(m, isr->next, 0, 0);
+		sav = isr->next->sav;
+		saidx = &sav->sah->saidx;
+		switch (saidx->dst.sa.sa_family) {
+#ifdef INET
+		case AF_INET:
+			return ipsec4_process_packet(m, isr->next, 0, 0);
+			/* NOTREACHED */
+#endif
+#ifdef notyet
+#ifdef INET6
+		case AF_INET6:
+			/* XXX */
+			ipsec6_output_trans()
+			ipsec6_output_tunnel()
+			/* NOTREACHED */
+#endif /* INET6 */
+#endif
+		default:
+			DPRINTF(("%s: unknown protocol family %u\n", __func__,
+			    saidx->dst.sa.sa_family));
+			error = ENXIO;
+			goto bad;
+		}
 	}
 	key_sa_recordxfer(sav, m);		/* record data transfer */
 

sys/netipsec/key.c

@@ -73,7 +73,7 @@
 #include <netinet6/ip6_var.h>
 #endif /* INET6 */
 
-#ifdef INET
+#if defined(INET) || defined(INET6)
 #include <netinet/in_pcb.h>
 #endif
 #ifdef INET6

sys/netipsec/xform_ah.c

@@ -91,6 +91,7 @@ VNET_DEFINE(int, ah_enable) = 1;	/* control flow of packets with AH */
 VNET_DEFINE(int, ah_cleartos) = 1;	/* clear ip_tos when doing AH calc */
 VNET_DEFINE(struct ahstat, ahstat);
 
+#ifdef INET
 SYSCTL_DECL(_net_inet_ah);
 SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
 	ah_enable,	CTLFLAG_RW,	&VNET_NAME(ah_enable),	0, "");
@@ -98,6 +99,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
 	ah_cleartos,	CTLFLAG_RW,	&VNET_NAME(ah_cleartos), 0, "");
 SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
 	stats,		CTLFLAG_RD,	&VNET_NAME(ahstat), ahstat, "");
+#endif
 
 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
 
@@ -724,19 +726,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		return ah_input_cb(crp);
 }
 
-#ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
-	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-	}								     \
-} while (0)
-#else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * AH input callback from the crypto driver.
  */
@@ -873,7 +862,21 @@ ah_input_cb(struct cryptop *crp)
 		goto bad;
 	}
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+	switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+	case AF_INET6:
+		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+		break;
+#endif
+#ifdef INET
+	case AF_INET:
+		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+		break;
+#endif
+	default:
+		panic("%s: Unexpected address family: %d saidx=%p", __func__,
+		    saidx->dst.sa.sa_family, saidx);
+	}
 
 	KEY_FREESAV(&sav);
 	return error;

sys/netipsec/xform_esp.c

@@ -451,19 +451,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 		return esp_input_cb(crp);
 }
 
-#ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
-	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-	}								     \
-} while (0)
-#else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * ESP input callback from the crypto driver.
  */
@@ -647,7 +634,21 @@ esp_input_cb(struct cryptop *crp)
 	/* Restore the Next Protocol field */
 	m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
+	switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+	case AF_INET6:
+		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
+		break;
+#endif
+#ifdef INET
+	case AF_INET:
+		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
+		break;
+#endif
+	default:
+		panic("%s: Unexpected address family: %d saidx=%p", __func__,
+		    saidx->dst.sa.sa_family, saidx);
+	}
 
 	KEY_FREESAV(&sav);
 	return error;

sys/netipsec/xform_ipcomp.c

@@ -213,19 +213,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 	return crypto_dispatch(crp);
 }
 
-#ifdef INET6
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do {		     \
-	if (saidx->dst.sa.sa_family == AF_INET6) {			     \
-		error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
-	} else {							     \
-		error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
-	}								     \
-} while (0)
-#else
-#define	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag)		     \
-	(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
-#endif
-
 /*
  * IPComp input callback from the crypto driver.
  */
@@ -316,7 +303,21 @@ ipcomp_input_cb(struct cryptop *crp)
 	/* Restore the Next Protocol field */
 	m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
 
-	IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL);
+	switch (saidx->dst.sa.sa_family) {
+#ifdef INET6
+	case AF_INET6:
+		error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
+		break;
+#endif
+#ifdef INET
+	case AF_INET:
+		error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
+		break;
+#endif
+	default:
+		panic("%s: Unexpected address family: %d saidx=%p", __func__,
+		    saidx->dst.sa.sa_family, saidx);
+	}
 
 	KEY_FREESAV(&sav);
 	return error;

sys/netipsec/xform_ipip.c

@@ -412,8 +412,10 @@ ipip_output(
 	u_int8_t tp, otos;
 	struct secasindex *saidx;
 	int error;
-#ifdef INET
+#if defined(INET) || defined(INET6)
 	u_int8_t itos;
+#endif
+#ifdef INET
 	struct ip *ipo;
 #endif /* INET */
 #ifdef INET6
@@ -466,7 +468,8 @@ ipip_output(
 		ipo->ip_id = ip_newid();
 
 		/* If the inner protocol is IP... */
-		if (tp == IPVERSION) {
+		switch (tp) {
+		case IPVERSION:
 			/* Save ECN notification */
 			m_copydata(m, sizeof(struct ip) +
 			    offsetof(struct ip, ip_tos),
@@ -484,9 +487,10 @@ ipip_output(
 			ipo->ip_off = ntohs(ipo->ip_off);
 			ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
 			ipo->ip_off = htons(ipo->ip_off);
-		}
+			break;
 #ifdef INET6
-		else if (tp == (IPV6_VERSION >> 4)) {
+		case (IPV6_VERSION >> 4):
+		{
 			u_int32_t itos32;
 
 			/* Save ECN notification. */
@@ -496,9 +500,10 @@ ipip_output(
 			itos = ntohl(itos32) >> 20;
 			ipo->ip_p = IPPROTO_IPV6;
 			ipo->ip_off = 0;
+			break;
 		}
 #endif /* INET6 */
-		else {
+		default:
 			goto nofamily;
 		}
 
@@ -547,8 +552,9 @@ ipip_output(
 		ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
 		ip6o->ip6_src = saidx->src.sin6.sin6_addr;
 
+		switch (tp) {
 #ifdef INET
-		if (tp == IPVERSION) {
+		case IPVERSION:
 			/* Save ECN notification */
 			m_copydata(m, sizeof(struct ip6_hdr) +
 			    offsetof(struct ip, ip_tos), sizeof(u_int8_t),
@@ -556,21 +562,23 @@ ipip_output(
 
 			/* This is really IPVERSION. */
 			ip6o->ip6_nxt = IPPROTO_IPIP;
-		} else
+			break;
 #endif /* INET */
-			if (tp == (IPV6_VERSION >> 4)) {
-				u_int32_t itos32;
+		case (IPV6_VERSION >> 4):
+		{
+			u_int32_t itos32;
 
-				/* Save ECN notification. */
-				m_copydata(m, sizeof(struct ip6_hdr) +
-				    offsetof(struct ip6_hdr, ip6_flow),
-				    sizeof(u_int32_t), (caddr_t) &itos32);
-				itos = ntohl(itos32) >> 20;
+			/* Save ECN notification. */
+			m_copydata(m, sizeof(struct ip6_hdr) +
+			    offsetof(struct ip6_hdr, ip6_flow),
+			    sizeof(u_int32_t), (caddr_t) &itos32);
+			itos = ntohl(itos32) >> 20;
 
-				ip6o->ip6_nxt = IPPROTO_IPV6;
-			} else {
-				goto nofamily;
-			}
+			ip6o->ip6_nxt = IPPROTO_IPV6;
+		}
+		default:
+			goto nofamily;
+		}
 
 		otos = 0;
 		ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
@@ -622,6 +630,7 @@ ipip_output(
 }
 
 #ifdef IPSEC
+#if defined(INET) || defined(INET6)
 static int
 ipe4_init(struct secasvar *sav, struct xformsw *xsp)
 {
@@ -652,6 +661,8 @@ static struct xformsw ipe4_xformsw = {
 };
 
 extern struct domain inetdomain;
+#endif /* INET || INET6 */
+#ifdef INET
 static struct protosw ipe4_protosw = {
 	.pr_type =	SOCK_RAW,
 	.pr_domain =	&inetdomain,
@@ -661,7 +672,8 @@ static struct protosw ipe4_protosw = {
 	.pr_ctloutput =	rip_ctloutput,
 	.pr_usrreqs =	&rip_usrreqs
 };
-#ifdef INET6
+#endif /* INET */
+#if defined(INET6) && defined(INET)
 static struct ip6protosw ipe6_protosw = {
 	.pr_type =	SOCK_RAW,
 	.pr_domain =	&inetdomain,
@@ -671,8 +683,9 @@ static struct ip6protosw ipe6_protosw = {
 	.pr_ctloutput =	rip_ctloutput,
 	.pr_usrreqs =	&rip_usrreqs
 };
-#endif
+#endif /* INET6 && INET */
 
+#if defined(INET)
 /*
  * Check the encapsulated packet to see if we want it
  */
@@ -687,6 +700,7 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
 	 */
 	return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
 }
+#endif /* INET */
 
 static void
 ipe4_attach(void)
@@ -695,9 +709,11 @@ ipe4_attach(void)
 	xform_register(&ipe4_xformsw);
 	/* attach to encapsulation framework */
 	/* XXX save return cookie for detach on module remove */
+#ifdef INET
 	(void) encap_attach_func(AF_INET, -1,
 		ipe4_encapcheck, &ipe4_protosw, NULL);
-#ifdef INET6
+#endif
+#if defined(INET6) && defined(INET)
 	(void) encap_attach_func(AF_INET6, -1,
 		ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
 #endif