
(-)sys/netipsec/ipsec.h (-1 / +2 lines)
Lines 253-260 struct ipsecstat { Link Here
253
#include <sys/counter.h>
253
#include <sys/counter.h>
254
254
255
struct ipsec_ctx_data;
255
struct ipsec_ctx_data;
256
#define	IPSEC_INIT_CTX(_ctx, _mp, _sav, _af, _enc) do {	\
256
#define	IPSEC_INIT_CTX(_ctx, _mp, _inp, _sav, _af, _enc) do {	\
257
	(_ctx)->mp = (_mp);				\
257
	(_ctx)->mp = (_mp);				\
258
	(_ctx)->inp = (_inp);				\
258
	(_ctx)->sav = (_sav);				\
259
	(_ctx)->sav = (_sav);				\
259
	(_ctx)->af = (_af);				\
260
	(_ctx)->af = (_af);				\
260
	(_ctx)->enc = (_enc);				\
261
	(_ctx)->enc = (_enc);				\
(-)sys/netipsec/ipsec_input.c (-4 / +4 lines)
Lines 325-331 ipsec4_common_input_cb(struct mbuf *m, struct seca Link Here
325
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
325
	    (prot == IPPROTO_UDP || prot == IPPROTO_TCP))
326
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
326
		udp_ipsec_adjust_cksum(m, sav, prot, skip);
327
327
328
	IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE);
328
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
329
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
329
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
330
		goto bad;
330
		goto bad;
331
	ip = mtod(m, struct ip *);	/* update pointer */
331
	ip = mtod(m, struct ip *);	/* update pointer */
Lines 416-422 ipsec4_common_input_cb(struct mbuf *m, struct seca Link Here
416
		goto bad;
416
		goto bad;
417
	}
417
	}
418
418
419
	IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER);
419
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
420
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
420
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
421
		goto bad;
421
		goto bad;
422
422
Lines 522-528 ipsec6_common_input_cb(struct mbuf *m, struct seca Link Here
522
		goto bad;
522
		goto bad;
523
	}
523
	}
524
524
525
	IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_BEFORE);
525
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
526
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
526
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
527
		goto bad;
527
		goto bad;
528
528
Lines 593-599 ipsec6_common_input_cb(struct mbuf *m, struct seca Link Here
593
	else
593
	else
594
#endif
594
#endif
595
		af = AF_INET6;
595
		af = AF_INET6;
596
	IPSEC_INIT_CTX(&ctx, &m, sav, af, IPSEC_ENC_AFTER);
596
	IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
597
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
597
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_IN)) != 0)
598
		goto bad;
598
		goto bad;
599
	if (skip == 0) {
599
	if (skip == 0) {
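Review bot: Every inbound hook site in this patch (the four IPSEC_INIT_CTX calls across ipsec4_common_input_cb and ipsec6_common_input_cb) passes NULL for the new pcb argument, so a pfil consumer on enc(4) never receives socket credentials for inbound traffic even though it will for outbound. That is presumably intentional, since at this point the packet has not yet been matched to a socket, but nothing in the hunks says so and a reader comparing against ipsec_output.c may wonder whether a lookup was forgotten. I would add at the first site `/* No pcb on input: the packet has not been demultiplexed to a socket yet. */` and leave the remaining sites bare. Both enclosing functions begin and end outside the hunks shown here.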
(-)sys/netipsec/ipsec_output.c (-10 / +14 lines)
Lines 181-187 next: Link Here
181
 * IPsec output logic for IPv4.
181
 * IPsec output logic for IPv4.
182
 */
182
 */
183
static int
183
static int
184
ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
184
ipsec4_perform_request(struct mbuf *m, struct secpolicy *sp,
185
    struct inpcb *inp, u_int idx)
185
{
186
{
186
	struct ipsec_ctx_data ctx;
187
	struct ipsec_ctx_data ctx;
187
	union sockaddr_union *dst;
188
	union sockaddr_union *dst;
Lines 211-217 static int Link Here
211
	/*
212
	/*
212
	 * XXXAE: most likely ip_sum at this point is wrong.
213
	 * XXXAE: most likely ip_sum at this point is wrong.
213
	 */
214
	 */
214
	IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET, IPSEC_ENC_BEFORE);
215
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET, IPSEC_ENC_BEFORE);
215
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
216
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
216
		goto bad;
217
		goto bad;
217
218
Lines 235-243 static int Link Here
235
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
236
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
236
			goto bad;
237
			goto bad;
237
		}
238
		}
239
		inp = NULL;
238
	}
240
	}
239
241
240
	IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
242
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
241
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
243
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
242
		goto bad;
244
		goto bad;
243
245
Lines 285-291 ipsec4_process_packet(struct mbuf *m, struct secpo Link Here
285
    struct inpcb *inp)
287
    struct inpcb *inp)
286
{
288
{
287
289
288
	return (ipsec4_perform_request(m, sp, 0));
290
	return (ipsec4_perform_request(m, sp, inp, 0));
289
}
291
}
290
292
291
static int
293
static int
Lines 491-497 next: Link Here
491
 * IPsec output logic for IPv6.
493
 * IPsec output logic for IPv6.
492
 */
494
 */
493
static int
495
static int
494
ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp, u_int idx)
496
ipsec6_perform_request(struct mbuf *m, struct secpolicy *sp,
497
    struct inpcb *inp, u_int idx)
495
{
498
{
496
	struct ipsec_ctx_data ctx;
499
	struct ipsec_ctx_data ctx;
497
	union sockaddr_union *dst;
500
	union sockaddr_union *dst;
Lines 514-520 static int Link Here
514
	ip6 = mtod(m, struct ip6_hdr *);
517
	ip6 = mtod(m, struct ip6_hdr *);
515
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
518
	ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(*ip6));
516
519
517
	IPSEC_INIT_CTX(&ctx, &m, sav, AF_INET6, IPSEC_ENC_BEFORE);
520
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, AF_INET6, IPSEC_ENC_BEFORE);
518
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
521
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
519
		goto bad;
522
		goto bad;
520
523
Lines 540-548 static int Link Here
540
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
543
			/* XXXAE: IPSEC_OSTAT_INC(tunnel); */
541
			goto bad;
544
			goto bad;
542
		}
545
		}
546
		inp = NULL;
543
	}
547
	}
544
548
545
	IPSEC_INIT_CTX(&ctx, &m, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
549
	IPSEC_INIT_CTX(&ctx, &m, inp, sav, dst->sa.sa_family, IPSEC_ENC_AFTER);
546
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
550
	if ((error = ipsec_run_hhooks(&ctx, HHOOK_TYPE_IPSEC_OUT)) != 0)
547
		goto bad;
551
		goto bad;
548
552
Lines 585-591 ipsec6_process_packet(struct mbuf *m, struct secpo Link Here
585
    struct inpcb *inp)
589
    struct inpcb *inp)
586
{
590
{
587
591
588
	return (ipsec6_perform_request(m, sp, 0));
592
	return (ipsec6_perform_request(m, sp, inp, 0));
589
}
593
}
590
594
591
static int
595
static int
Lines 750-756 ipsec_process_done(struct mbuf *m, struct secpolic Link Here
750
		case AF_INET:
754
		case AF_INET:
751
			key_freesav(&sav);
755
			key_freesav(&sav);
752
			IPSECSTAT_INC(ips_out_bundlesa);
756
			IPSECSTAT_INC(ips_out_bundlesa);
753
			return (ipsec4_perform_request(m, sp, idx));
757
			return (ipsec4_perform_request(m, sp, NULL, idx));
754
			/* NOTREACHED */
758
			/* NOTREACHED */
755
#endif
759
#endif
756
#ifdef INET6
760
#ifdef INET6
Lines 757-763 ipsec_process_done(struct mbuf *m, struct secpolic Link Here
757
		case AF_INET6:
761
		case AF_INET6:
758
			key_freesav(&sav);
762
			key_freesav(&sav);
759
			IPSEC6STAT_INC(ips_out_bundlesa);
763
			IPSEC6STAT_INC(ips_out_bundlesa);
760
			return (ipsec6_perform_request(m, sp, idx));
764
			return (ipsec6_perform_request(m, sp, NULL, idx));
761
			/* NOTREACHED */
765
			/* NOTREACHED */
762
#endif /* INET6 */
766
#endif /* INET6 */
763
		default:
767
		default:
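Review bot: The pcb reaches only the first transform of a bundle: ipsec4_perform_request and ipsec6_perform_request get inp from the *_process_packet wrappers, but the bundle continuation in ipsec_process_done calls both with NULL, so the ENC_BEFORE/ENC_AFTER hooks for the second and later SAs of a transport-mode bundle run without the socket the first SA's hooks saw. A pfil rule on enc(4) keyed to socket credentials would then match one pass of the packet and not the next; either carry inp through ipsec_process_done (its signature is cut off here, so I cannot tell whether the caller still has it) or note the limitation where NULL is passed, e.g. `/* XXX: pcb is not available for bundled SAs. */`. Clearing inp before the ENC_AFTER hook in what appears to be the tunnel-mode branch (judging by the tunnel counter comment) is the right call, since the outer header no longer belongs to the socket, but a one-line comment there would spare the next reader the same question. All of the functions touched here start or end outside the hunks shown.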
(-)sys/net/if_enc.c (-1 / +1 lines)
Lines 284-290 enc_hhook(int32_t hhook_type, int32_t hhook_id, vo Link Here
284
	/* Make a packet looks like it was received on enc(4) */
284
	/* Make a packet looks like it was received on enc(4) */
285
	rcvif = (*ctx->mp)->m_pkthdr.rcvif;
285
	rcvif = (*ctx->mp)->m_pkthdr.rcvif;
286
	(*ctx->mp)->m_pkthdr.rcvif = ifp;
286
	(*ctx->mp)->m_pkthdr.rcvif = ifp;
287
	if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, NULL) != 0 ||
287
	if (pfil_run_hooks(ph, ctx->mp, ifp, pdir, ctx->inp) != 0 ||
288
	    *ctx->mp == NULL) {
288
	    *ctx->mp == NULL) {
289
		*ctx->mp = NULL; /* consumed by filter */
289
		*ctx->mp = NULL; /* consumed by filter */
290
		return (EACCES);
290
		return (EACCES);
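Review bot: ctx->inp is now handed to every pfil consumer on enc(4) with no stated locking or validity contract: on the input direction it is always NULL (every inbound IPSEC_INIT_CTX in this patch passes NULL), and on output it is a pointer owned by the IPsec caller. If the convention is that the IP output path holds the inpcb lock across IPsec processing, an assertion before the pfil_run_hooks() call would make that checkable, e.g. `if (ctx->inp != NULL) INP_LOCK_ASSERT(ctx->inp);` (this may need netinet/in_pcb.h included); if the lock is not held, consumers that read the pcb's credentials need to be told so. enc_hhook begins before this hunk, so I cannot see whether a direction check already makes the NULL case explicit.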
(-)sys/net/if_enc.h (+1 lines)
Lines 33-38 Link Here
33
struct ipsec_ctx_data {
33
struct ipsec_ctx_data {
34
	struct mbuf	**mp;
34
	struct mbuf	**mp;
35
	struct secasvar	*sav;
35
	struct secasvar	*sav;
36
	struct inpcb	*inp;
36
	uint8_t		af;
37
	uint8_t		af;
37
#define	IPSEC_ENC_BEFORE	0x01
38
#define	IPSEC_ENC_BEFORE	0x01
38
#define	IPSEC_ENC_AFTER		0x02
39
#define	IPSEC_ENC_AFTER		0x02
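Review bot: The new `inp` member carries none of the context a hook author needs: in this patch it is NULL for all inbound packets and for the continuation of an SA bundle, and on output it is cleared before the ENC_AFTER hook in what appears to be the tunnel-encapsulation branch, so a consumer must not treat a NULL value as an error. I would document that on the field: `struct inpcb *inp; /* owning pcb on output, may be NULL; always NULL on input */`. Inserting the pointer between sav and af also shifts the offsets of af and enc for any hhook consumer built against the old layout; if binary compatibility with out-of-tree modules matters, appending it after the existing members avoids that. The struct continues past the end of this hunk.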
