From 619764beab3a499a132e311e96c6456944b389a8 Mon Sep 17 00:00:00 2001
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Thu, 11 Dec 2014 17:34:49 +0000
Subject: [PATCH] Remove flags and tunalready arguments from
 ipsec4_process_packet() and make its prototype similar to
 ipsec6_process_packet. The flags argument isn't used here, tunalready is
 always zero.

Obtained from:	Yandex LLC
Sponsored by:	Yandex LLC
---
 sys/netinet/ip_ipsec.c      |   2 +-
 sys/netipsec/ipsec.h        |   3 +-
 sys/netipsec/ipsec_output.c | 143 +++++++++++++-----------------------
 3 files changed, 54 insertions(+), 94 deletions(-)

diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 22bbba357673..2452ec3abac6 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -228,7 +228,7 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error)
 #endif
 
 		/* NB: callee frees mbuf */
-		*error = ipsec4_process_packet(*m, sp->req, *flags, 0);
+		*error = ipsec4_process_packet(*m, sp->req);
 		if (*error == EJUSTRETURN) {
 			/*
 			 * We had a SP with a level of 'use' and no SA. We
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 26d15a973c28..fa86f2d0bcd6 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -354,8 +354,7 @@ extern int ipcomp4_input(struct mbuf **mp, int *offp, int proto);
 extern int ipsec4_common_input(struct mbuf *m, ...);
 extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 			int skip, int protoff);
-extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *,
-			int, int);
+extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
 extern int ipsec_process_done(struct mbuf *, struct ipsecrequest *);
 
 extern struct mbuf *ipsec_copypkt(struct mbuf *);
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index b159f2d3d2dd..8e65005a76ea 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -169,7 +169,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
 #ifdef INET
 		case AF_INET:
 			IPSECSTAT_INC(ips_out_bundlesa);
-			return ipsec4_process_packet(m, isr->next, 0, 0);
+			return ipsec4_process_packet(m, isr->next);
 			/* NOTREACHED */
 #endif
 #ifdef notyet
@@ -424,16 +424,13 @@ ipsec_nextisr(
  * IPsec output logic for IPv4.
  */
 int
-ipsec4_process_packet(
-	struct mbuf *m,
-	struct ipsecrequest *isr,
-	int flags,
-	int tunalready)
+ipsec4_process_packet(struct mbuf *m, struct ipsecrequest *isr)
 {
+	union sockaddr_union *dst;
 	struct secasindex saidx;
 	struct secasvar *sav;
 	struct ip *ip;
-	int error, i, off;
+	int error, i, off, setdf;
 
 	IPSEC_ASSERT(m != NULL, ("null mbuf"));
 	IPSEC_ASSERT(isr != NULL, ("null isr"));
@@ -448,7 +445,13 @@ ipsec4_process_packet(
 	}
 
 	sav = isr->sav;
-
+	if (m->m_len < sizeof(struct ip) &&
+	    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
+		error = ENOBUFS;
+		goto bad;
+	}
+	ip = mtod(m, struct ip *);
+	dst = &sav->sah->saidx.dst;
 #ifdef DEV_ENC
 	if_inc_counter(encif, IFCOUNTER_OPACKETS, 1);
 	if_inc_counter(encif, IFCOUNTER_OBYTES, m->m_pkthdr.len);
@@ -459,95 +462,53 @@ ipsec4_process_packet(
 	if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
 		goto bad;
 #endif
-
-	if (!tunalready) {
-		union sockaddr_union *dst = &sav->sah->saidx.dst;
-		int setdf;
-
-		/*
-		 * Collect IP_DF state from the outer header.
-		 */
-		if (dst->sa.sa_family == AF_INET) {
-			if (m->m_len < sizeof (struct ip) &&
-			    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
-				error = ENOBUFS;
-				goto bad;
-			}
-			ip = mtod(m, struct ip *);
-			/* Honor system-wide control of how to handle IP_DF */
-			switch (V_ip4_ipsec_dfbit) {
-			case 0:			/* clear in outer header */
-			case 1:			/* set in outer header */
-				setdf = V_ip4_ipsec_dfbit;
-				break;
-			default:		/* propagate to outer header */
-				setdf = ntohs(ip->ip_off & IP_DF);
-				break;
-			}
-		} else {
-			ip = NULL;		/* keep compiler happy */
-			setdf = 0;
-		}
-		/* Do the appropriate encapsulation, if necessary */
-		if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
-		    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
+	/* Do the appropriate encapsulation, if necessary */
+	if (isr->saidx.mode == IPSEC_MODE_TUNNEL || /* Tunnel requ'd */
+	    dst->sa.sa_family != AF_INET ||	    /* PF mismatch */
 #if 0
 		    (sav->flags & SADB_X_SAFLAGS_TUNNEL) || /* Tunnel requ'd */
 		    sav->tdb_xform->xf_type == XF_IP4 ||    /* ditto */
 #endif
-		    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
-		     dst->sin.sin_addr.s_addr != INADDR_ANY &&
-		     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
-			struct mbuf *mp;
+	    (dst->sa.sa_family == AF_INET &&	    /* Proxy */
+	     dst->sin.sin_addr.s_addr != INADDR_ANY &&
+	     dst->sin.sin_addr.s_addr != ip->ip_dst.s_addr)) {
+		struct mbuf *mp;
 
-			/* Fix IPv4 header checksum and length */
-			if (m->m_len < sizeof (struct ip) &&
-			    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
-				error = ENOBUFS;
-				goto bad;
-			}
+		/* Fix IPv4 header checksum and length */
+		ip->ip_len = htons(m->m_pkthdr.len);
+		ip->ip_sum = 0;
+		ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
+		/*
+		 * Collect IP_DF state from the outer header
+		 * and honor system-wide control of how to handle it.
+		 */
+		switch (V_ip4_ipsec_dfbit) {
+		case 0:			/* clear in outer header */
+		case 1:			/* set in outer header */
+			setdf = V_ip4_ipsec_dfbit;
+			break;
+		default:		/* propagate to outer header */
+			setdf = ntohs(ip->ip_off & IP_DF);
+		}
+		/* Encapsulate the packet */
+		error = ipip_output(m, isr, &mp, 0, 0);
+		if (error != 0) {
+			m = NULL; /* ipip_output() already freed it */
+			goto bad;
+		}
+		m = mp;
+		/*
+		 * ipip_output clears IP_DF in the new header.  If
+		 * we need to propagate IP_DF from the outer header,
+		 * then we have to do it here.
+		 *
+		 * XXX shouldn't assume what ipip_output does.
+		 */
+		if (dst->sa.sa_family == AF_INET && setdf) {
 			ip = mtod(m, struct ip *);
-			if (ip->ip_v == IPVERSION) {
-				ip->ip_len = htons(m->m_pkthdr.len);
-				ip->ip_sum = 0;
-				ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
-			}
-
-			/* Encapsulate the packet */
-			error = ipip_output(m, isr, &mp, 0, 0);
-			if (mp == NULL && !error) {
-				/* Should never happen. */
-				DPRINTF(("%s: ipip_output returns no mbuf and "
-					"no error!", __func__));
-				error = EFAULT;
-			}
-			if (error) {
-				if (mp) {
-					/* XXX: Should never happen! */
-					m_freem(mp);
-				}
-				m = NULL; /* ipip_output() already freed it */
-				goto bad;
-			}
-			m = mp, mp = NULL;
-			/*
-			 * ipip_output clears IP_DF in the new header.  If
-			 * we need to propagate IP_DF from the outer header,
-			 * then we have to do it here.
-			 *
-			 * XXX shouldn't assume what ipip_output does.
-			 */
-			if (dst->sa.sa_family == AF_INET && setdf) {
-				if (m->m_len < sizeof (struct ip) &&
-				    (m = m_pullup(m, sizeof (struct ip))) == NULL) {
-					error = ENOBUFS;
-					goto bad;
-				}
-				ip = mtod(m, struct ip *);
-				ip->ip_off = ntohs(ip->ip_off);
-				ip->ip_off |= IP_DF;
-				ip->ip_off = htons(ip->ip_off);
-			}
+			ip->ip_off = ntohs(ip->ip_off);
+			ip->ip_off |= IP_DF;
+			ip->ip_off = htons(ip->ip_off);
 		}
 	}