IPSEC and FAST_IPSEC have the same internal API now;
so merge these (IPSEC has an extra ipsecstat) Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
This commit is contained in:
parent
ad1218e35e
commit
da0f40995d
@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
|
||||
{
|
||||
int policyfail = 0;
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
policyfail = 1;
|
||||
#ifdef IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
policyfail = 1;
|
||||
ipsecstat.in_polvio++;
|
||||
/* do not inject data to pcb */
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
policyfail = 1;
|
||||
/* do not inject data to pcb */
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
#ifdef MAC
|
||||
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
|
||||
policyfail = 1;
|
||||
|
@ -567,29 +567,21 @@ tcp_input(m, off0)
|
||||
1, m->m_pkthdr.rcvif);
|
||||
}
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
#ifdef IPSEC
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
ipsec6stat.in_polvio++;
|
||||
#endif /*IPSEC*/
|
||||
goto drop;
|
||||
}
|
||||
} else {
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
} else if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
#ifdef IPSEC
|
||||
ipsecstat.in_polvio++;
|
||||
#endif /*IPSEC*/
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef FAST_IPSEC
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
} else
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
|
||||
/*
|
||||
* If the state is CLOSED (i.e., TCB does not exist) then
|
||||
|
@ -567,29 +567,21 @@ tcp_input(m, off0)
|
||||
1, m->m_pkthdr.rcvif);
|
||||
}
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
#ifdef IPSEC
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
ipsec6stat.in_polvio++;
|
||||
#endif /*IPSEC*/
|
||||
goto drop;
|
||||
}
|
||||
} else {
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
} else if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
#ifdef IPSEC
|
||||
ipsecstat.in_polvio++;
|
||||
#endif /*IPSEC*/
|
||||
goto drop;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
#ifdef FAST_IPSEC
|
||||
if (isipv6) {
|
||||
if (inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
} else
|
||||
if (inp != NULL && ipsec4_in_reject(m, inp)) {
|
||||
goto drop;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
|
||||
/*
|
||||
* If the state is CLOSED (i.e., TCB does not exist) then
|
||||
|
@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
|
||||
struct sockaddr *append_sa;
|
||||
struct mbuf *opts = 0;
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
#ifdef IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
ipsecstat.in_polvio++;
|
||||
m_freem(n);
|
||||
return;
|
||||
}
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/* check AH/ESP integrity. */
|
||||
if (ipsec4_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
return;
|
||||
}
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
#ifdef MAC
|
||||
if (mac_check_inpcb_deliver(last, n) != 0) {
|
||||
m_freem(n);
|
||||
|
@ -185,14 +185,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
||||
struct route_in6 *ro_pmtu = NULL;
|
||||
int hdrsplit = 0;
|
||||
int needipsec = 0;
|
||||
#ifdef FAST_IPSEC
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
int needipsectun = 0;
|
||||
struct secpolicy *sp = NULL;
|
||||
#endif /* FAST_IPSEC */
|
||||
#ifdef IPSEC
|
||||
int needipsectun = 0;
|
||||
struct secpolicy *sp = NULL;
|
||||
#endif /* IPSEC */
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
|
||||
ip6 = mtod(m, struct ip6_hdr *);
|
||||
finaldst = ip6->ip6_dst;
|
||||
|
@ -176,25 +176,18 @@ rip6_input(mp, offp, proto)
|
||||
if (last) {
|
||||
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (n && ipsec6_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (n && ipsec6_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
ipsec6stat.in_polvio++;
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (n && ipsec6_in_reject(n, last)) {
|
||||
m_freem(n);
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
if (n) {
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
@ -215,27 +208,19 @@ rip6_input(mp, offp, proto)
|
||||
}
|
||||
last = in6p;
|
||||
}
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (last && ipsec6_in_reject(m, last)) {
|
||||
m_freem(m);
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (last && ipsec6_in_reject(m, last)) {
|
||||
m_freem(m);
|
||||
ipsec6stat.in_polvio++;
|
||||
ip6stat.ip6s_delivered--;
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*IPSEC*/
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (last && ipsec6_in_reject(m, last)) {
|
||||
m_freem(m);
|
||||
ip6stat.ip6s_delivered--;
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*FAST_IPSEC*/
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
if (last) {
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
|
@ -239,23 +239,17 @@ udp6_input(mp, offp, proto)
|
||||
if (last != NULL) {
|
||||
struct mbuf *n;
|
||||
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last)) {
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last))
|
||||
ipsec6stat.in_polvio++;
|
||||
/* do not inject data into pcb */
|
||||
else
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last))
|
||||
;
|
||||
else
|
||||
#endif /* FAST_IPSEC */
|
||||
/* do not inject data into pcb */
|
||||
} else
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
|
||||
/*
|
||||
* KAME NOTE: do not
|
||||
@ -305,23 +299,17 @@ udp6_input(mp, offp, proto)
|
||||
udpstat.udps_noportmcast++;
|
||||
goto bad;
|
||||
}
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last)) {
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last)) {
|
||||
ipsec6stat.in_polvio++;
|
||||
goto bad;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, last)) {
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
if (last->in6p_flags & IN6P_CONTROLOPTS
|
||||
|| last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||
ip6_savecontrol(last, m, &opts);
|
||||
@ -361,23 +349,17 @@ udp6_input(mp, offp, proto)
|
||||
icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
|
||||
return IPPROTO_DONE;
|
||||
}
|
||||
#if defined(IPSEC) || defined(FAST_IPSEC)
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, in6p)) {
|
||||
#ifdef IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, in6p)) {
|
||||
ipsec6stat.in_polvio++;
|
||||
goto bad;
|
||||
}
|
||||
#endif /* IPSEC */
|
||||
#ifdef FAST_IPSEC
|
||||
/*
|
||||
* Check AH/ESP integrity.
|
||||
*/
|
||||
if (ipsec6_in_reject(m, in6p)) {
|
||||
goto bad;
|
||||
}
|
||||
#endif /* FAST_IPSEC */
|
||||
#endif /*IPSEC || FAST_IPSEC*/
|
||||
|
||||
/*
|
||||
* Construct sockaddr format source address.
|
||||
|
Loading…
Reference in New Issue
Block a user