author | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2013-07-31 15:41:53 +0000 |
---|---|---|
committer | Mike Belopuhov <mikeb@cvs.openbsd.org> | 2013-07-31 15:41:53 +0000 |
commit | 724996ee0143c6a67691eb78c4e0a56971e01b50 (patch) | |
tree | 194d76edb311cc1640cb4b56c59942e7c6f4da24 /sys/netinet | |
parent | c0a8ad9b4d0dc619b0a1fa0b99ccb2bee7be70fe (diff) |
Move bridge_broadcast and subsequently all IPsec SPD lookup code out
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/ip_input.c | 10 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 20 | ||||
-rw-r--r-- | sys/netinet/tcp_input.c | 10 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 8 |
4 files changed, 9 insertions, 39 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 664afbfce34..da49a5ba33e 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.214 2013/07/04 08:22:19 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.215 2013/07/31 15:41:51 mikeb Exp $ */
 /* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
 /*
@@ -245,7 +245,7 @@ ipv4_input(struct mbuf *m)
 int hlen, len;
 in_addr_t pfrdr = 0;
 #ifdef IPSEC
- int error, s;
+ int error;
 struct tdb *tdb;
 struct tdb_ident *tdbi;
 struct m_tag *mtag;
@@ -454,7 +454,6 @@ ipv4_input(struct mbuf *m)
 * inner-most IPsec SA used.
 */
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splnet();
 if (mtag != NULL) {
 tdbi = (struct tdb_ident *)(mtag + 1);
 tdb = gettdb(tdbi->rdomain, tdbi->spi,
@@ -463,7 +462,6 @@ ipv4_input(struct mbuf *m)
 tdb = NULL;
 ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0);
- splx(s);
 /* Error or otherwise drop-packet indication */
 if (error) {
@@ -497,7 +495,7 @@ ip_ours(struct mbuf *m)
 struct ipqent *ipqe;
 int mff, hlen;
 #ifdef IPSEC
- int error, s;
+ int error;
 struct tdb *tdb;
 struct tdb_ident *tdbi;
 struct m_tag *mtag;
@@ -639,7 +637,6 @@ found:
 * that's needed in the real world (who uses bundles anyway ?).
 */
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splnet();
 if (mtag) {
 tdbi = (struct tdb_ident *)(mtag + 1);
 tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst,
@@ -648,7 +645,6 @@ found:
 tdb = NULL;
 ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0);
- splx(s);
 /* Error or otherwise drop-packet indication. */
 if (error) {
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index e0e6b7d73f3..7d236446019 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
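Review bot: With `s = splnet()` / `splx(s)` gone from the `ipv4_input` hunks at -454 and -463, `gettdb()` and `ipsp_spd_lookup()` run at whatever interrupt level the caller holds, and nothing in the new code states or checks which level that is. If the intent is that the SPD and TDB tables are now protected by IPL_SOFTNET, put `splsoftassert(IPL_SOFTNET);` ahead of the `m_tag_find()` call so that a caller arriving at a different level is reported instead of silently racing on those tables. The same applies to the `ip_ours` hunks in this file and to the IPsec blocks in `ip_output`, `tcp_input` (`findpcb:`) and `udp_input`. Each of those functions begins and ends outside its hunk, so whether such an assertion already exists earlier in the body is not visible here.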
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_output.c,v 1.243 2013/07/04 19:10:40 sf Exp $ */
+/* $OpenBSD: ip_output.c,v 1.244 2013/07/31 15:41:52 mikeb Exp $ */
 /* $NetBSD: ip_output.c,v 1.28 1996/02/13 23:43:07 christos Exp $ */
 /*
@@ -109,7 +109,6 @@ ip_output(struct mbuf *m0, ...)
 struct inpcb *inp;
 struct tdb *tdb;
 u_int32_t ipsecflowinfo;
- int s;
 #if NPF > 0
 struct ifnet *encif;
 #endif
@@ -256,12 +255,6 @@ reroute:
 if (!ipsec_in_use && inp == NULL) goto done_spd;
- /*
- * splnet is chosen over splsoftnet because we are not allowed to
- * lower the level, and udp_output calls us in splnet().
- */
- s = splnet();
-
 /* Do we have any pending SAs to apply ? */
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_PENDING_TDB, NULL);
 if (mtag != NULL) {
@@ -282,8 +275,6 @@ reroute:
 IPSP_DIRECTION_OUT, NULL, inp, ipsecflowinfo);
 if (tdb == NULL) {
- splx(s);
-
 if (error == 0) {
 /*
 * No IPsec processing required, we'll just send the
@@ -318,7 +309,6 @@ reroute:
 tdbi->rdomain == tdb->tdb_rdomain && !bcmp(&tdbi->dst, &tdb->tdb_dst, sizeof(union sockaddr_union))) {
- splx(s);
 sproto = 0; /* mark as no-IPsec-needed */
 goto done_spd;
 }
@@ -328,7 +318,6 @@ reroute:
 bcopy(&tdb->tdb_dst, &sdst, sizeof(sdst));
 sspi = tdb->tdb_spi;
 sproto = tdb->tdb_sproto;
- splx(s);
 /*
 * If it needs TCP/UDP hardware-checksumming, do the
@@ -575,14 +564,11 @@ sendit:
 * Check if the packet needs encapsulation.
 */
 if (sproto != 0) {
- s = splnet();
-
 tdb = gettdb(rtable_l2(m->m_pkthdr.rdomain), sspi, &sdst, sproto);
 if (tdb == NULL) {
 DPRINTF(("ip_output: unknown TDB"));
 error = EHOSTUNREACH;
- splx(s);
 m_freem(m);
 goto done;
 }
@@ -595,12 +581,10 @@ sendit:
 tdb->tdb_tap)) == NULL || pf_test(AF_INET, PF_OUT, encif, &m, NULL) != PF_PASS) {
 error = EACCES;
- splx(s);
 m_freem(m);
 goto done;
 }
 if (m == NULL) {
- splx(s);
 goto done;
 }
 ip = mtod(m, struct ip *);
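Review bot: The comment deleted in the `reroute:` hunk (-256) was the only place that recorded the locking assumption, and it stated that udp_output calls ip_output at splnet(). The udp_usrreq.c hunks in this commit touch only udp_input, so that caller is not changed here. If the statement was still accurate, `pf_test()` in the `sendit:` hunk (-595) is still reached at IPL_NET on that path, which the commit description says should no longer happen. Either confirm the old comment was stale or adjust the caller, and leave a replacement comment above the pending-SA lookup, for example `/* IPsec SPD/TDB lookups and pf_test() below rely on the caller being at IPL_SOFTNET, not IPL_NET. */`. ip_output's body starts and ends outside these hunks.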
@@ -627,7 +611,6 @@ sendit:
 (tdb->tdb_dst.sin.sin_addr.s_addr == ip->ip_dst.s_addr);
 icmp_mtu = tdb->tdb_mtu;
- splx(s);
 /* Find a host route to store the mtu in */
 if (ro != NULL)
@@ -667,7 +650,6 @@ sendit:
 /* Callee frees mbuf */
 error = ipsp_process_packet(m, tdb, AF_INET, 0);
- splx(s);
 return error; /* Nothing more to be done */
 }
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index 4e39e7f1f6f..734ae46c916 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tcp_input.c,v 1.265 2013/07/01 10:53:52 bluhm Exp $ */
+/* $OpenBSD: tcp_input.c,v 1.266 2013/07/31 15:41:52 mikeb Exp $ */
 /* $NetBSD: tcp_input.c,v 1.23 1996/02/13 23:43:44 christos Exp $ */
 /*
@@ -378,7 +378,7 @@ tcp_input(struct mbuf *m, ...)
 struct m_tag *mtag;
 struct tdb_ident *tdbi;
 struct tdb *tdb;
- int error, s;
+ int error;
 #endif /* IPSEC */
 int af;
 #ifdef TCP_ECN
@@ -886,7 +886,6 @@ findpcb:
 #ifdef IPSEC
 /* Find most recent IPsec tag */
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splnet();
 if (mtag != NULL) {
 tdbi = (struct tdb_ident *)(mtag + 1);
 tdb = gettdb(tdbi->rdomain, tdbi->spi,
@@ -897,7 +896,6 @@ findpcb:
 tdb, inp, 0);
 if (error) {
 tcpstat.tcps_rcvnosec++;
- splx(s);
 goto drop;
 }
@@ -909,7 +907,6 @@ findpcb:
 inp->inp_ipo = ipsec_add_policy(inp, af, IPSP_DIRECTION_OUT);
 if (inp->inp_ipo == NULL) {
- splx(s);
 goto drop;
 }
 }
@@ -936,7 +933,6 @@ findpcb:
 inp->inp_tdb_in = NULL;
 }
 }
- splx(s);
 #endif /* IPSEC */
 /*
@@ -969,7 +965,7 @@ findpcb:
 /* subtract out the tcp timestamp modulator */
 opti.ts_ecr -= tp->ts_modulate;
-
+
 /* make sure ts_ecr is sensible */
 rtt_test = tcp_now - opti.ts_ecr;
 if (rtt_test < 0 || rtt_test > TCP_RTT_MAX)
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 2b5623f1430..89bd8b8be3c 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.164 2013/06/09 22:03:06 yasuoka Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.165 2013/07/31 15:41:52 mikeb Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 /*
@@ -178,7 +178,7 @@ udp_input(struct mbuf *m, ...)
 struct m_tag *mtag;
 struct tdb_ident *tdbi;
 struct tdb *tdb;
- int error, s;
+ int error;
 u_int32_t ipsecflowinfo = 0;
 #endif /* IPSEC */
@@ -600,7 +600,6 @@ udp_input(struct mbuf *m, ...)
 #ifdef IPSEC
 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
- s = splnet();
 if (mtag != NULL) {
 tdbi = (struct tdb_ident *)(mtag + 1);
 tdb = gettdb(tdbi->rdomain, tdbi->spi,
@@ -611,7 +610,6 @@ udp_input(struct mbuf *m, ...)
 IPSP_DIRECTION_IN, tdb, inp, 0);
 if (error) {
 udpstat.udps_nosec++;
- splx(s);
 goto bad;
 }
@@ -624,7 +622,6 @@ udp_input(struct mbuf *m, ...)
 inp->inp_ipo = ipsec_add_policy(inp, srcsa.sa.sa_family, IPSP_DIRECTION_OUT);
 if (inp->inp_ipo == NULL) {
- splx(s);
 goto bad;
 }
 }
@@ -655,7 +652,6 @@ udp_input(struct mbuf *m, ...)
 if (tdb) ipsecflowinfo = tdb->tdb_spi;
- splx(s);
 #endif /*IPSEC */
 opts = NULL; |