d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC

Browse Source 
option is now deprecated, as well as the KAME IPsec code.
What was FAST_IPSEC is now IPSEC.

Approved by: re
Sponsored by: Secure Computing
This commit is contained in:
George V. Neville-Neil 2007-07-03 12:13:45 +00:00
parent 25929d7851
commit b2630c2934
43 changed files with 209 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
sys/conf/NOTES
View File

@ -495,8 +495,7 @@ options HWPMC_HOOKS # Other necessary kernel hooks
#
options INET #Internet communications protocols
options INET6 #IPv6 communications protocols
#options IPSEC #IP security
#options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC #IP security
#options IPSEC_DEBUG #debug for IP security
#
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
@ -509,8 +508,6 @@ options INET6 #IPv6 communications protocols
#
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
options IPX #IPX/SPX communications protocols
options NCP #NetWare Core protocol
@ -786,7 +783,7 @@ device pflog #logging support interface for PF
device pfsync #synchronization interface for PF
options PF_MPSAFE_UGID #Workaround LOR with user/group rules
device carp #Common Address Redundancy Protocol
device enc #IPSec interface (needs FAST_IPSEC)
device enc #IPsec interface
device ppp #Point-to-point protocol
options PPP_BSDCOMP #PPP BSD-compress support
options PPP_DEFLATE #PPP zlib/deflate/gzip support
@ -880,8 +877,8 @@ options ACCEPT_FILTER_HTTP
# carried in TCP option 19. This option is commonly used to protect
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
# This requires the use of 'device crypto', 'options FAST_IPSEC' or 'options
# IPSEC', and 'device cryptodev'.
# This requires the use of 'device crypto', 'options IPSEC'
# or 'device cryptodev'.
#options TCP_SIGNATURE #include support for RFC 2385
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
@ -2513,7 +2510,7 @@ options DCONS_FORCE_GDB=1 # force to be the gdb device
# crypto subsystem
#
# This is a port of the OpenBSD crypto framework. Include this when
# configuring FAST_IPSEC and when you have a h/w crypto device to accelerate
# configuring IPSEC and when you have a h/w crypto device to accelerate
# user applications that link to OpenSSL.
#
# Drivers are ports from OpenBSD with some simple enhancements that have

42
sys/conf/files
View File

@ -338,12 +338,12 @@ contrib/pf/net/pf_table.c optional pf \
contrib/pf/net/pf_osfp.c optional pf \
compile-with "${NORMAL_C} -I$S/contrib/pf"
contrib/pf/netinet/in4_cksum.c optional pf inet
crypto/blowfish/bf_ecb.c optional ipsec ipsec_esp
crypto/blowfish/bf_skey.c optional crypto | ipsec ipsec_esp
crypto/camellia/camellia.c optional crypto | ipsec ipsec_esp
crypto/camellia/camellia-api.c optional crypto | ipsec ipsec_esp
crypto/des/des_ecb.c optional crypto | ipsec ipsec_esp | netsmb
crypto/des/des_setkey.c optional crypto | ipsec ipsec_esp | netsmb
crypto/blowfish/bf_ecb.c optional ipsec
crypto/blowfish/bf_skey.c optional crypto | ipsec
crypto/camellia/camellia.c optional crypto | ipsec
crypto/camellia/camellia-api.c optional crypto | ipsec
crypto/des/des_ecb.c optional crypto | ipsec | netsmb
crypto/des/des_setkey.c optional crypto | ipsec | netsmb
crypto/rc4/rc4.c optional netgraph_mppc_encryption
crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
ipsec | random | wlan_ccmp
@ -1829,7 +1829,7 @@ netinet/ip_fw2.c optional ipfirewall
netinet/ip_fw_pfil.c optional ipfirewall
netinet/ip_icmp.c optional inet
netinet/ip_input.c optional inet
netinet/ip_ipsec.c optional fast_ipsec
netinet/ip_ipsec.c optional ipsec
netinet/ip_mroute.c optional mrouting inet | mrouting inet6
netinet/ip_options.c optional inet
netinet/ip_output.c optional inet
@ -1880,7 +1880,7 @@ netinet6/ip6_id.c optional inet6
netinet6/ip6_input.c optional inet6
netinet6/ip6_mroute.c optional mrouting inet6
netinet6/ip6_output.c optional inet6
netinet6/ip6_ipsec.c optional inet6 fast_ipsec
netinet6/ip6_ipsec.c optional ipsec
netinet6/mld6.c optional inet6
netinet6/nd6.c optional inet6
netinet6/nd6_nbr.c optional inet6
@ -1891,18 +1891,18 @@ netinet6/scope6.c optional inet6
netinet6/sctp6_usrreq.c optional inet6 sctp
netinet6/udp6_output.c optional inet6
netinet6/udp6_usrreq.c optional inet6
netipsec/ipsec.c optional fast_ipsec
netipsec/ipsec_input.c optional fast_ipsec
netipsec/ipsec_mbuf.c optional fast_ipsec
netipsec/ipsec_output.c optional fast_ipsec
netipsec/key.c optional fast_ipsec
netipsec/key_debug.c optional fast_ipsec
netipsec/keysock.c optional fast_ipsec
netipsec/xform_ah.c optional fast_ipsec
netipsec/xform_esp.c optional fast_ipsec
netipsec/xform_ipcomp.c optional fast_ipsec
netipsec/xform_ipip.c optional fast_ipsec
netipsec/xform_tcp.c optional fast_ipsec tcp_signature
netipsec/ipsec.c optional ipsec
netipsec/ipsec_input.c optional ipsec
netipsec/ipsec_mbuf.c optional ipsec
netipsec/ipsec_output.c optional ipsec
netipsec/key.c optional ipsec
netipsec/key_debug.c optional ipsec
netipsec/keysock.c optional ipsec
netipsec/xform_ah.c optional ipsec
netipsec/xform_esp.c optional ipsec
netipsec/xform_ipcomp.c optional ipsec
netipsec/xform_ipip.c optional ipsec
netipsec/xform_tcp.c optional ipsec tcp_signature
netipx/ipx.c optional ipx
netipx/ipx_cksum.c optional ipx
netipx/ipx_input.c optional ipx
@ -1959,7 +1959,7 @@ nfsserver/nfs_srvcache.c optional nfsserver
nfsserver/nfs_srvsubs.c optional nfsserver
nfsserver/nfs_syscalls.c optional nfsserver
# crypto support
opencrypto/cast.c optional crypto | ipsec ipsec_esp
opencrypto/cast.c optional crypto | ipsec
opencrypto/criov.c optional crypto
opencrypto/crypto.c optional crypto
opencrypto/cryptodev.c optional cryptodev

5
sys/conf/files.amd64
View File

@ -135,9 +135,8 @@ amd64/isa/isa_dma.c standard
amd64/isa/nmi.c standard
amd64/pci/pci_bus.c optional pci
amd64/pci/pci_cfgreg.c optional pci
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
dev/acpica/acpi_if.m standard
dev/arcmsr/arcmsr.c optional arcmsr pci
dev/atkbdc/atkbd.c optional atkbd atkbdc

5
sys/conf/files.arm
View File

@ -1,7 +1,6 @@
# $FreeBSD$
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
arm/arm/autoconf.c standard
arm/arm/bcopy_page.S standard
arm/arm/bcopyinout.S standard

4
sys/conf/files.i386
View File

@ -132,11 +132,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci
contrib/dev/oltr/trlldbm.c optional oltr
contrib/dev/oltr/trlldhm.c optional oltr
contrib/dev/oltr/trlldmac.c optional oltr
bf_enc.o optional crypto | ipsec ipsec_esp \
bf_enc.o optional crypto | ipsec \
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
no-implicit-rule
crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb
crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
crypto/via/padlock.c optional padlock
crypto/via/padlock_cipher.c optional padlock
crypto/via/padlock_hash.c optional padlock

5
sys/conf/files.ia64
View File

@ -42,9 +42,8 @@ contrib/ia64/libuwx/src/uwx_swap.c standard
contrib/ia64/libuwx/src/uwx_trace.c standard
contrib/ia64/libuwx/src/uwx_uinfo.c standard
contrib/ia64/libuwx/src/uwx_utable.c standard
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
dev/advansys/adv_isa.c optional adv isa
dev/aic/aic_isa.c optional aic isa
dev/atkbdc/atkbd.c optional atkbd atkbdc

4
sys/conf/files.pc98
View File

@ -93,11 +93,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci
contrib/dev/oltr/trlldbm.c optional oltr
contrib/dev/oltr/trlldhm.c optional oltr
contrib/dev/oltr/trlldmac.c optional oltr
bf_enc.o optional crypto | ipsec ipsec_esp \
bf_enc.o optional crypto | ipsec \
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
no-implicit-rule
crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb
crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
dev/aic/aic_cbus.c optional aic isa
dev/ar/if_ar.c optional ar
dev/ar/if_ar_pci.c optional ar pci

4
sys/conf/files.powerpc
View File

@ -75,8 +75,8 @@ powerpc/powerpc/db_interface.c optional ddb
powerpc/powerpc/db_hwwatch.c optional ddb
powerpc/powerpc/db_trace.c optional ddb
crypto/blowfish/bf_enc.c optional ipsec ipsec_esp
crypto/des/des_enc.c optional ipsec ipsec_esp | netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
dev/ofw/openfirm.c standard
dev/ofw/ofw_bus_if.m standard

5
sys/conf/files.sparc64
View File

@ -32,9 +32,8 @@ opt_ah.h optional ath_hal \
no-obj no-implicit-rule before-depend \
clean "opt_ah.h"
#
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
dev/atkbdc/atkbd.c optional atkbd atkbdc
dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc
dev/atkbdc/atkbdc.c optional atkbdc

5
sys/conf/files.sun4v
View File

@ -18,9 +18,8 @@ ukbdmap.h optional ukbd_dflt_keymap \
clean "ukbdmap.h"
#
#
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
netsmb
crypto/blowfish/bf_enc.c optional crypto | ipsec
crypto/des/des_enc.c optional crypto | ipsec | netsmb
dev/ofw/ofw_bus_if.m standard
dev/ofw/ofw_bus_subr.c standard
dev/ofw/ofw_console.c optional ofw_console

2
sys/conf/options
View File

@ -358,10 +358,8 @@ MROUTING opt_mrouting.h
INET opt_inet.h
INET6 opt_inet6.h
IPSEC opt_ipsec.h
IPSEC_ESP opt_ipsec.h
IPSEC_DEBUG opt_ipsec.h
IPSEC_FILTERGIF opt_ipsec.h
FAST_IPSEC opt_ipsec.h
IPDIVERT
DUMMYNET opt_ipdn.h
IPFILTER opt_ipfilter.h

2
sys/crypto/via/padlock.c
View File

@ -199,7 +199,7 @@ padlock_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri)
/*
* We only support HMAC algorithms to be able to work with
* fast_ipsec(4), so if we are asked only for authentication without
* ipsec(4), so if we are asked only for authentication without
* encryption, don't pretend we can accellerate it.
*/
if (encini == NULL)

2
sys/net/pfkeyv2.h
View File

@ -328,7 +328,7 @@ struct sadb_x_ipsecrequest {
/* private allocations - based on RFC4312/IANA assignment */
#define SADB_X_EALG_CAMELLIACBC 22
/* private allocations should use 249-255 (RFC2407) */
#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for FAST_IPSEC */
#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */
#define SADB_X_EALG_AESCTR 250 /*249*/ /* draft-ietf-ipsec-ciph-aes-ctr-03 */
/* private allocations - based on RFC2407/IANA assignment */

14
sys/netinet/in_pcb.c
View File

@ -74,10 +74,10 @@
#endif /* INET6 */
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <security/mac/mac_framework.h>
@ -193,11 +193,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
SOCK_UNLOCK(so);
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
error = ipsec_init_policy(so, &inp->inp_sp);
if (error != 0)
goto out;
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#ifdef INET6
if (INP_SOCKAF(so) == AF_INET6) {
inp->inp_vflag |= INP_IPV6PROTO;
@ -215,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
INP_LOCK(inp);
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
#if defined(FAST_IPSEC) || defined(MAC)
#if defined(IPSEC) || defined(MAC)
out:
if (error != 0)
uma_zfree(pcbinfo->ipi_zone, inp);
@ -711,9 +711,9 @@ in_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(ipi);
INP_LOCK_ASSERT(inp);
#ifdef FAST_IPSEC
#ifdef IPSEC
ipsec4_delete_pcbpolicy(inp);
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
if (inp->inp_options)

12
sys/netinet/in_proto.c
View File

@ -69,9 +69,9 @@
static struct pr_usrreqs nousrreqs;
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#ifdef SCTP
#include <netinet/in_pcb.h>
@ -210,7 +210,7 @@ struct protosw inetsw[] = {
.pr_ctloutput = rip_ctloutput,
.pr_usrreqs = &rip_usrreqs
},
#ifdef FAST_IPSEC
#ifdef IPSEC
{
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
@ -237,7 +237,7 @@ struct protosw inetsw[] = {
.pr_input = ipcomp4_input,
.pr_usrreqs = &nousrreqs
},
#endif /* FAST_IPSEC */
#endif /* IPSEC */
{
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
@ -368,14 +368,14 @@ SYSCTL_NODE(_net_inet, IPPROTO_TCP, tcp, CTLFLAG_RW, 0, "TCP");
SYSCTL_NODE(_net_inet, IPPROTO_SCTP, sctp, CTLFLAG_RW, 0, "SCTP");
#endif
SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP");
#ifdef FAST_IPSEC
#ifdef IPSEC
/* XXX no protocol # to use, pick something "reserved" */
SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC");
SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
#endif /* FAST_IPSEC */
#endif /* IPSEC */
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
#ifdef DEV_PFSYNC
SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC");

2
sys/netinet/ip_fw2.c
View File

@ -3143,7 +3143,7 @@ do { \
break;
case O_IPSEC:
#ifdef FAST_IPSEC
#ifdef IPSEC
match = (m_tag_find(m,
PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
#endif

4
sys/netinet/ip_icmp.c
View File

@ -59,7 +59,7 @@
#include <netinet/tcpip.h>
#include <netinet/icmp_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif
@ -579,7 +579,7 @@ icmp_input(struct mbuf *m, int off)
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
(struct sockaddr *)&icmpgw);
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
#ifdef FAST_IPSEC
#ifdef IPSEC
key_sa_routechange((struct sockaddr *)&icmpsrc);
#endif
break;

20
sys/netinet/ip_input.c
View File

@ -70,9 +70,9 @@
#ifdef DEV_CARP
#include <netinet/ip_carp.h>
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netinet/ip_ipsec.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <sys/socketvar.h>
@ -391,13 +391,13 @@ ip_input(struct mbuf *m)
} else
m_adj(m, ip->ip_len - m->m_pkthdr.len);
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
if (ip_ipsec_filtergif(m))
goto passin;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* Run through list of hooks for input packets.
@ -601,10 +601,10 @@ ip_input(struct mbuf *m)
ipstat.ips_cantforward++;
m_freem(m);
} else {
#ifdef FAST_IPSEC
#ifdef IPSEC
if (ip_ipsec_fwd(m))
goto bad;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
ip_forward(m, dchg);
}
return;
@ -645,7 +645,7 @@ ip_input(struct mbuf *m)
*/
ip->ip_len -= hlen;
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@ -653,7 +653,7 @@ ip_input(struct mbuf *m)
*/
if (ip_ipsec_input(m))
goto bad;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* Switch out to protocol's input routine.
@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt)
type = ICMP_UNREACH;
code = ICMP_UNREACH_NEEDFRAG;
#ifdef FAST_IPSEC
#ifdef IPSEC
mtu = ip_ipsec_mtu(m);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* If the MTU wasn't set before use the interface mtu or
* fall back to the next smaller mtu step compared to the

20
sys/netinet/ip_ipsec.c
View File

@ -55,11 +55,11 @@
#include <machine/in_cksum.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
#include <netipsec/key.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
extern struct protosw inetsw[];
@ -71,7 +71,7 @@ extern struct protosw inetsw[];
int
ip_ipsec_filtergif(struct mbuf *m)
{
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
@ -90,7 +90,7 @@ ip_ipsec_filtergif(struct mbuf *m)
int
ip_ipsec_fwd(struct mbuf *m)
{
#ifdef FAST_IPSEC
#ifdef IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@ -122,7 +122,7 @@ ip_ipsec_fwd(struct mbuf *m)
ipstat.ips_cantforward++;
return 1;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}
@ -137,7 +137,7 @@ int
ip_ipsec_input(struct mbuf *m)
{
struct ip *ip = mtod(m, struct ip *);
#ifdef FAST_IPSEC
#ifdef IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@ -179,7 +179,7 @@ ip_ipsec_input(struct mbuf *m)
if (error)
return 1;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}
@ -237,14 +237,14 @@ ip_ipsec_mtu(struct mbuf *m)
*
* Called from ip_output().
* 1 = drop packet, 0 = continue processing packet,
* -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
* -1 = packet was reinjected and stop processing packet
*/
int
ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
struct route **ro, struct route *iproute, struct sockaddr_in **dst,
struct in_ifaddr **ia, struct ifnet **ifp)
{
#ifdef FAST_IPSEC
#ifdef IPSEC
struct secpolicy *sp = NULL;
struct ip *ip = mtod(*m, struct ip *);
struct tdb_ident *tdbi;
@ -381,6 +381,6 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
if (sp != NULL)
KEY_FREESP(&sp);
return 1;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}

16
sys/netinet/ip_output.c
View File

@ -59,10 +59,10 @@
#include <netinet/ip_var.h>
#include <netinet/ip_options.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netinet/ip_ipsec.h>
#include <netipsec/ipsec.h>
#endif /* FAST_IPSEC*/
#endif /* IPSEC*/
#include <machine/in_cksum.h>
@ -412,7 +412,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
}
sendit:
#ifdef FAST_IPSEC
#ifdef IPSEC
switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {
case 1:
goto bad;
@ -425,7 +425,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
/* Update variables that are affected by ipsec4_output(). */
ip = mtod(m, struct ip *);
hlen = ip->ip_hl << 2;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/* Jump over all PFIL processing if hooks are not active. */
if (!PFIL_HOOKED(&inet_pfil_hook))
@ -966,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
INP_UNLOCK(inp);
break;
#ifdef FAST_IPSEC
#ifdef IPSEC
case IP_IPSEC_POLICY:
{
caddr_t req;
@ -1000,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
default:
error = ENOPROTOOPT;
@ -1104,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
error = inp_getmoptions(inp, sopt);
break;
#ifdef FAST_IPSEC
#ifdef IPSEC
case IP_IPSEC_POLICY:
{
struct mbuf *m = NULL;
@ -1122,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
m_freem(m);
break;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
default:
error = ENOPROTOOPT;

8
sys/netinet/raw_ip.c
View File

@ -66,9 +66,9 @@
#include <netinet/ip_fw.h>
#include <netinet/ip_dummynet.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <security/mac/mac_framework.h>
@ -155,12 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
INP_LOCK_ASSERT(last);
#ifdef FAST_IPSEC
#ifdef IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, last)) {
policyfail = 1;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#ifdef MAC
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
policyfail = 1;

2
sys/netinet/sctp_input.c
View File

@ -4927,7 +4927,7 @@ sctp_input(i_pak, off)
} else if (stcb == NULL) {
refcount_up = 1;
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* I very much doubt any of the IPSEC stuff will work but I have no
* idea, so I will leave it in place.

4
sys/netinet/sctp_os_bsd.h
View File

@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$");
#include <netinet/icmp_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif /* IPSEC */
#ifdef INET6
#include <sys/domain.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec6.h>
#endif
#include <netinet/ip6.h>

8
sys/netinet/sctp_pcb.c
View File

@ -1807,7 +1807,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT;
#ifdef FAST_IPSEC
#ifdef IPSEC
{
struct inpcbpolicy *pcb_sp = NULL;
@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
SCTP_INP_INFO_WUNLOCK();
return error;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
SCTP_INCR_EP_COUNT();
inp->ip_inp.inp.inp_ip_ttl = ip_defttl;
SCTP_INP_INFO_WUNLOCK();
@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
*/
cnt = 0;
if (so) {
#ifdef FAST_IPSEC
#ifdef IPSEC
ipsec4_delete_pcbpolicy(ip_pcb);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/* Unlocks not needed since the socket is gone now */
}

6
sys/netinet/sctp_usrreq.c
View File

@ -485,7 +485,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
int error;
uint32_t vrf_id = SCTP_DEFAULT_VRFID;
#ifdef FAST_IPSEC
#ifdef IPSEC
uint32_t flags;
#endif
inp = (struct sctp_inpcb *)so->so_pcb;
@ -508,7 +508,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
ip_inp->inp_vflag |= INP_IPV4;
ip_inp->inp_ip_ttl = ip_defttl;
#ifdef FAST_IPSEC
#ifdef IPSEC
error = ipsec_init_policy(so, &ip_inp->inp_sp);
#ifdef SCTP_LOG_CLOSING
sctp_log_closing(inp, NULL, 17);
@ -528,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
}
return error;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
SCTP_INP_WUNLOCK(inp);
return 0;
}

8
sys/netinet/tcp_input.c
View File

@ -82,10 +82,10 @@
#include <netinet/tcp_debug.h>
#endif /* TCPDEBUG */
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <machine/in_cksum.h>
@ -445,7 +445,7 @@ tcp_input(struct mbuf *m, int off0)
m->m_pkthdr.rcvif);
}
#ifdef FAST_IPSEC
#ifdef IPSEC
#ifdef INET6
if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) {
ipsec6stat.in_polvio++;
@ -456,7 +456,7 @@ tcp_input(struct mbuf *m, int off0)
ipsec4stat.in_polvio++;
goto dropunlock;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* If the INPCB does not exist then all data in the incoming

6
sys/netinet/tcp_output.c
View File

@ -72,9 +72,9 @@
#include <netinet/tcp_debug.h>
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <machine/in_cksum.h>
@ -695,7 +695,7 @@ tcp_output(struct tcpcb *tp)
offsetof(struct ipoption, ipopt_list);
else
ipoptlen = 0;
#ifdef FAST_IPSEC
#ifdef IPSEC
ipoptlen += ipsec_hdrsiz_tcp(tp);
#endif

8
sys/netinet/tcp_subr.c
View File

@ -91,14 +91,14 @@
#endif
#include <netinet6/ip6protosw.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
#ifdef INET6
#include <netipsec/ipsec6.h>
#endif
#include <netipsec/key.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <machine/in_cksum.h>
#include <sys/md5.h>
@ -1634,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags)
}
#endif /* INET6 */
#ifdef FAST_IPSEC
#ifdef IPSEC
/* compute ESP/AH header size for TCP, including outer IP header. */
size_t
ipsec_hdrsiz_tcp(struct tcpcb *tp)
@ -1675,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
m_free(m);
return (hdrsiz);
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING

6
sys/netinet/tcp_syncache.c
View File

@ -80,13 +80,13 @@
#include <netinet6/tcp6_var.h>
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#ifdef INET6
#include <netipsec/ipsec6.h>
#endif
#include <netipsec/key.h>
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <machine/in_cksum.h>
@ -621,7 +621,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
inp->inp_lport = 0;
goto abort;
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/* Copy old policy into new socket's. */
if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
printf("syncache_socket: could not copy policy\n");

6
sys/netinet/udp_usrreq.c
View File

@ -78,7 +78,7 @@
#include <netinet/udp.h>
#include <netinet/udp_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#endif
@ -495,14 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
INP_LOCK_ASSERT(inp);
#ifdef FAST_IPSEC
#ifdef IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, inp)) {
ipsec4stat.in_polvio++;
m_freem(n);
return;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#ifdef MAC
if (mac_check_inpcb_deliver(inp, n) != 0) {
m_freem(n);

6
sys/netinet6/icmp6.c
View File

@ -99,7 +99,7 @@
#include <netinet6/mld6_var.h>
#include <netinet6/nd6.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/key.h>
#endif
@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off)
sdst.sin6_len = sizeof(struct sockaddr_in6);
bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
#ifdef FAST_IPSEC
#ifdef IPSEC
key_sa_routechange((struct sockaddr *)&sdst);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
}
freeit:

4
sys/netinet6/in6.h
View File

@ -409,9 +409,9 @@ struct route_in6 {
#define IPV6_BINDV6ONLY IPV6_V6ONLY
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */

8
sys/netinet6/in6_pcb.c
View File

@ -99,11 +99,11 @@
#include <netinet6/in6_pcb.h>
#include <netinet6/scope6_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
struct in6_addr zeroin6_addr;
@ -427,10 +427,10 @@ in6_pcbfree(struct inpcb *inp)
INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
INP_LOCK_ASSERT(inp);
#ifdef FAST_IPSEC
#ifdef IPSEC
if (inp->in6p_sp != NULL)
ipsec6_delete_pcbpolicy(inp);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
inp->inp_gencnt = ++ipi->ipi_gencnt;
in_pcbremlists(inp);
ip6_freepcbopts(inp->in6p_outputopts);

12
sys/netinet6/in6_proto.c
View File

@ -115,10 +115,10 @@
#include <netinet6/sctp6_var.h>
#endif /* SCTP */
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <netinet6/ip6protosw.h>
@ -252,7 +252,7 @@ struct ip6protosw inet6sw[] = {
.pr_input = frag6_input,
.pr_usrreqs = &nousrreqs
},
#ifdef FAST_IPSEC
#ifdef IPSEC
{
.pr_type = SOCK_RAW,
.pr_domain = &inet6domain,
@ -278,7 +278,7 @@ struct ip6protosw inet6sw[] = {
.pr_input = ipsec6_common_input,
.pr_usrreqs = &nousrreqs,
},
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#ifdef INET
{
.pr_type = SOCK_RAW,
@ -438,9 +438,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6");
#ifdef SCTP
SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6");
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/* net.inet6.ip6 */
static int

32
sys/netinet6/ip6_forward.c
View File

@ -65,11 +65,11 @@
#include <netinet/in_pcb.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <netinet6/ip6protosw.h>
@ -101,7 +101,7 @@ ip6_forward(m, srcrt)
struct ifnet *origifp; /* maybe unnecessary */
u_int32_t inzone, outzone;
struct in6_addr src_in6, dst_in6;
#ifdef FAST_IPSEC
#ifdef IPSEC
struct secpolicy *sp = NULL;
int ipsecrt = 0;
#endif
@ -109,7 +109,7 @@ ip6_forward(m, srcrt)
GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
@ -122,7 +122,7 @@ ip6_forward(m, srcrt)
m_freem(m);
return;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* Do not forward packets to multicast destination (should be handled
@ -175,7 +175,7 @@ ip6_forward(m, srcrt)
*/
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
#ifdef FAST_IPSEC
#ifdef IPSEC
/* get a security policy for this packet */
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
IP_FORWARDING, &error);
@ -346,9 +346,9 @@ ip6_forward(m, srcrt)
ipsecrt = 1;
}
skip_ipsec:
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#ifdef FAST_IPSEC
#ifdef IPSEC
if (ipsecrt)
goto skip_routing;
#endif
@ -401,7 +401,7 @@ ip6_forward(m, srcrt)
}
}
rt = ip6_forward_rt.ro_rt;
#ifdef FAST_IPSEC
#ifdef IPSEC
skip_routing:;
#endif
@ -429,7 +429,7 @@ ip6_forward(m, srcrt)
return;
}
if (inzone != outzone
#ifdef FAST_IPSEC
#ifdef IPSEC
&& !ipsecrt
#endif
) {
@ -475,14 +475,14 @@ ip6_forward(m, srcrt)
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
if (mcopy) {
u_long mtu;
#ifdef FAST_IPSEC
#ifdef IPSEC
struct secpolicy *sp;
int ipsecerror;
size_t ipsechdrsiz;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
mtu = IN6_LINKMTU(rt->rt_ifp);
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* When we do IPsec tunnel ingress, we need to play
* with the link value (decrement IPsec header size
@ -505,7 +505,7 @@ ip6_forward(m, srcrt)
*/
if (mtu < IPV6_MMTU)
mtu = IPV6_MMTU;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
}
m_freem(m);
@ -525,9 +525,9 @@ ip6_forward(m, srcrt)
* modified by a redirect.
*/
if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
#ifdef FAST_IPSEC
#ifdef IPSEC
!ipsecrt &&
#endif /* FAST_IPSEC */
#endif /* IPSEC */
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
/*

12
sys/netinet6/ip6_input.c
View File

@ -101,11 +101,11 @@
#include <netinet6/in6_ifattach.h>
#include <netinet6/nd6.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netinet6/ip6_ipsec.h>
#include <netipsec/ipsec6.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <netinet6/ip6protosw.h>
@ -224,7 +224,7 @@ ip6_input(m)
GIANT_REQUIRED; /* XXX for now */
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* should the inner packet be considered authentic?
* see comment in ah4_input().
@ -234,7 +234,7 @@ ip6_input(m)
m->m_flags &= ~M_AUTHIPHDR;
m->m_flags &= ~M_AUTHIPDGM;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* make sure we don't have onion peering information into m_tag.
@ -761,7 +761,7 @@ ip6_input(m)
goto bad;
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
@ -769,7 +769,7 @@ ip6_input(m)
*/
if (ip6_ipsec_input(m, nxt))
goto bad;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
}
return;

28
sys/netinet6/ip6_ipsec.c
View File

@ -55,7 +55,7 @@
#include <machine/in_cksum.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/xform.h>
@ -65,7 +65,7 @@
#else
#define KEYDEBUG(lev,arg)
#endif
#endif /*FAST_IPSEC*/
#endif /*IPSEC*/
#include <netinet6/ip6_ipsec.h>
@ -79,7 +79,7 @@ extern struct protosw inet6sw[];
int
ip6_ipsec_filtergif(struct mbuf *m)
{
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
/*
* Bypass packet filtering for packets from a tunnel (gif).
*/
@ -98,7 +98,7 @@ ip6_ipsec_filtergif(struct mbuf *m)
int
ip6_ipsec_fwd(struct mbuf *m)
{
#ifdef FAST_IPSEC
#ifdef IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@ -129,7 +129,7 @@ ip6_ipsec_fwd(struct mbuf *m)
ipstat.ips_cantforward++;
return 1;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}
@ -144,7 +144,7 @@ int
ip6_ipsec_input(struct mbuf *m, int nxt)
{
#ifdef FAST_IPSEC
#ifdef IPSEC
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@ -188,21 +188,21 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
if (error)
return 1;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}
/*
* Called from ip6_output().
* 1 = drop packet, 0 = continue processing packet,
* -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
* -1 = packet was reinjected and stop processing packet
*/
int
ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
struct ifnet **ifp, struct secpolicy **sp)
{
#ifdef FAST_IPSEC
#ifdef IPSEC
struct tdb_ident *tdbi;
struct m_tag *mtag;
int s;
@ -309,7 +309,7 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
if (*sp != NULL)
KEY_FREESP(sp);
return 1;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
return 0;
}
@ -332,12 +332,12 @@ ip6_ipsec_mtu(struct mbuf *m)
int ipsecerror;
int ipsechdr;
struct route *ro;
#ifdef FAST_IPSEC
#ifdef IPSEC
sp = ipsec_getpolicybyaddr(m,
IPSEC_DIR_OUTBOUND,
IP_FORWARDING,
&ipsecerror);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
if (sp != NULL) {
/* count IPsec header size */
ipsechdr = ipsec4_hdrsiz(m,
@ -360,9 +360,9 @@ ip6_ipsec_mtu(struct mbuf *m)
mtu -= ipsechdr;
}
}
#ifdef FAST_IPSEC
#ifdef IPSEC
KEY_FREESP(&sp);
#endif /* FAST_IPSEC */
#endif /* IPSEC */
}
return mtu;
}

33
sys/netinet6/ip6_output.c
View File

@ -91,12 +91,12 @@
#include <netinet/tcp_var.h>
#include <netinet6/nd6.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#include <netipsec/key.h>
#include <netinet6/ip6_ipsec.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <netinet6/ip6protosw.h>
#include <netinet6/scope6_var.h>
@ -208,13 +208,13 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
struct route_in6 *ro_pmtu = NULL;
int hdrsplit = 0;
int needipsec = 0;
#ifdef FAST_IPSEC
#ifdef IPSEC
struct ipsec_output_state state;
struct ip6_rthdr *rh = NULL;
int needipsectun = 0;
int segleft_org = 0;
struct secpolicy *sp = NULL;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
ip6 = mtod(m, struct ip6_hdr *);
if (ip6 == NULL) {
@ -253,7 +253,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
* IPSec checking which handles several cases.
* FAST IPSEC: We re-injected the packet.
*/
#ifdef FAST_IPSEC
#ifdef IPSEC
switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp))
{
case 1: /* Bad packet */
@ -264,7 +264,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
default:
break;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* Calculate the total length of the extension header chain.
@ -362,7 +362,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
IPPROTO_ROUTING);
#ifdef FAST_IPSEC
#ifdef IPSEC
if (!needipsec)
goto skip_ipsec2;
@ -418,7 +418,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
rh->ip6r_segleft = segleft_org;
}
skip_ipsec2:;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* If there is a routing header, replace the destination address field
@ -522,12 +522,9 @@ skip_ipsec2:;
ip6->ip6_hlim = ip6_defmcasthlim;
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Same as similar comment above.
* We only want to do regular IPSEC here and leave this pure
* in the case that we're using FAST_IPSEC which uses
* this code to re-inject packets.
* We may re-inject packets into the stack here.
*/
if (needipsec && needipsectun) {
struct ipsec_output_state state;
@ -586,7 +583,7 @@ skip_ipsec2:;
exthdrs.ip6e_ip6 = m;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/* adjust pointer */
ip6 = mtod(m, struct ip6_hdr *);
@ -1774,7 +1771,7 @@ do { \
}
break;
#ifdef FAST_IPSEC
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@ -1794,7 +1791,7 @@ do { \
m_freem(m);
}
break;
#endif /* FAST_IPSEC */
#endif /* IPSEC */
default:
error = ENOPROTOOPT;
@ -1991,7 +1988,7 @@ do { \
}
break;
#ifdef FAST_IPSEC
#ifdef IPSEC
case IPV6_IPSEC_POLICY:
{
caddr_t req = NULL;
@ -2020,7 +2017,7 @@ do { \
m_freem(m);
break;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
default:
error = ENOPROTOOPT;

13
sys/netinet6/nd6.c
View File

@ -474,7 +474,7 @@ nd6_llinfo_timer(arg)
ln->ln_hold = m0;
clear_llinfo_pqueue(ln);
}
if (rt)
if (rt && rt->rt_llinfo)
(void)nd6_free(rt, 0);
ln = NULL;
}
@ -489,7 +489,8 @@ nd6_llinfo_timer(arg)
case ND6_LLINFO_STALE:
/* Garbage Collection(RFC 2461 5.3) */
if (!ND6_LLINFO_PERMANENT(ln)) {
(void)nd6_free(rt, 1);
if (rt && rt->rt_llinfo)
(void)nd6_free(rt, 1);
ln = NULL;
}
break;
@ -525,7 +526,8 @@ nd6_llinfo_timer(arg)
ln->ln_expire = 0; /* make it permanent */
ln->ln_state = ND6_LLINFO_STALE;
} else {
(void)nd6_free(rt, 0);
if (rt && rt->rt_llinfo)
(void)nd6_free(rt, 0);
ln = NULL;
}
break;
@ -2009,7 +2011,7 @@ nd6_output(ifp, origifp, m0, dst, rt0)
rt = rt->rt_gwroute;
RT_LOCK(rt); /* NB: gwroute */
if ((rt->rt_flags & RTF_UP) == 0) {
rtfree(rt); /* unlock gwroute */
RTFREE_LOCKED(rt); /* unlock gwroute */
rt = rt0;
lookup:
RT_UNLOCK(rt0);
@ -2322,7 +2324,8 @@ nd6_sysctl_drlist(SYSCTL_HANDLER_ARGS)
d->rtaddr.sin6_family = AF_INET6;
d->rtaddr.sin6_len = sizeof(d->rtaddr);
d->rtaddr.sin6_addr = dr->rtaddr;
sa6_recoverscope(&d->rtaddr);
if (error = sa6_recoverscope(&d->rtaddr) != 0)
return (error);
d->flags = dr->flags;
d->rtlifetime = dr->rtlifetime;
d->expire = dr->expire;

12
sys/netinet6/raw_ip6.c
View File

@ -95,10 +95,10 @@
#include <netinet6/raw_ip6.h>
#include <netinet6/scope6_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
#include <machine/stdarg.h>
@ -181,7 +181,7 @@ rip6_input(mp, offp, proto)
if (last) {
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
@ -190,7 +190,7 @@ rip6_input(mp, offp, proto)
ipsec6stat.in_polvio++;
/* do not inject data into pcb */
} else
#endif /* FAST_IPSEC */
#endif /* IPSEC */
if (n) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)
@ -212,7 +212,7 @@ rip6_input(mp, offp, proto)
}
last = in6p;
}
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
@ -223,7 +223,7 @@ rip6_input(mp, offp, proto)
/* do not inject data into pcb */
INP_UNLOCK(last);
} else
#endif /* FAST_IPSEC */
#endif /* IPSEC */
if (last) {
if (last->in6p_flags & IN6P_CONTROLOPTS ||
last->in6p_socket->so_options & SO_TIMESTAMP)

8
sys/netinet6/sctp6_usrreq.c
View File

@ -52,12 +52,12 @@ __FBSDID("$FreeBSD$");
#include <netinet/sctp_output.h>
#include <netinet/sctp_bsd_addr.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#if defined(INET6)
#include <netipsec/ipsec6.h>
#endif /* INET6 */
#endif /* FAST_IPSEC */
#endif /* IPSEC */
extern struct protosw inetsw[];
@ -207,7 +207,7 @@ sctp6_input(i_pak, offp, proto)
refcount_up = 1;
}
in6p_ip = (struct inpcb *)in6p;
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
@ -216,7 +216,7 @@ sctp6_input(i_pak, offp, proto)
ipsec6stat.in_polvio++;
goto bad;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* CONTROL chunk processing

8
sys/netinet6/udp6_usrreq.c
View File

@ -102,10 +102,10 @@
#include <netinet6/udp6_var.h>
#include <netinet6/scope6_var.h>
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
#endif /* FAST_IPSEC */
#endif /* IPSEC */
/*
* UDP protocol inplementation.
@ -124,7 +124,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */
#ifdef FAST_IPSEC
#ifdef IPSEC
/*
* Check AH/ESP integrity.
*/
@ -133,7 +133,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
ipsec6stat.in_polvio++;
return;
}
#endif /* FAST_IPSEC */
#endif /* IPSEC */
opts = NULL;
if (in6p->in6p_flags & IN6P_CONTROLOPTS ||

4
sys/netipsec/xform_ipip.c
View File

@ -606,7 +606,7 @@ ipip_output(
return (error);
}
#ifdef FAST_IPSEC
#ifdef IPSEC
static int
ipe4_init(struct secasvar *sav, struct xformsw *xsp)
{
@ -685,4 +685,4 @@ ipe4_attach(void)
#endif
}
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
#endif /* FAST_IPSEC */
#endif /* IPSEC */