author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-08 12:37:44 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2017-02-08 12:37:44 +0000 |
commit | 3b83ff825f1e26f84eeaa4528c6df7b8195d68c8 (patch) | |
tree | a5027b6453a0a9801a2e52eede11728712602153 /sys | |
parent | 22bc98ee2ef01d51a1434aa92916f37ba88c2aa5 (diff) |
Remove the ipsec protocol callbacks which all do the same. Implement
it in ipsec_common_input_cb() instead. The code that was copied
to ah6_input_cb() is now in ip6_ours() so we can call it directly.
OK mpi@
Diffstat (limited to 'sys')
-rw-r--r-- | sys/netinet/ipsec_input.c | 171 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 3 | ||||
-rw-r--r-- | sys/netinet6/ip6_var.h | 3 |
3 files changed, 25 insertions, 152 deletions
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c index eed08af823c..110e4cf2583 100644 --- a/sys/netinet/ipsec_input.c +++ b/sys/netinet/ipsec_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ipsec_input.c,v 1.143 2017/02/07 22:28:37 bluhm Exp $ */ +/* $OpenBSD: ipsec_input.c,v 1.144 2017/02/08 12:37:43 bluhm Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -80,15 +80,6 @@ #include "bpfilter.h" void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int); -void ah4_input_cb(struct mbuf *, ...); -void esp4_input_cb(struct mbuf *, ...); -void ipcomp4_input_cb(struct mbuf *, ...); - -#ifdef INET6 -void ah6_input_cb(struct mbuf *, int, int); -void esp6_input_cb(struct mbuf *, int, int); -void ipcomp6_input_cb(struct mbuf *, int, int); -#endif #ifdef ENCDEBUG #define DPRINTF(x) if (encdebug) printf x @@ -325,7 +316,7 @@ void ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) { int af, sproto; - u_char prot; + u_int8_t prot; #if NBPFILTER > 0 struct ifnet *encif; 
@@ -577,49 +568,33 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff) } #endif + switch (sproto) { + case IPPROTO_ESP: + case IPPROTO_AH: + case IPPROTO_IPCOMP: + break; + default: + DPRINTF(("ipsec_common_input_cb(): unknown/unsupported" + " security protocol %d\n", sproto)); + m_freem(m); + return; + } + /* Call the appropriate IPsec transform callback. */ switch (af) { case AF_INET: - switch (sproto) - { - case IPPROTO_ESP: - esp4_input_cb(m); - return; - case IPPROTO_AH: - ah4_input_cb(m); - return; - case IPPROTO_IPCOMP: - ipcomp4_input_cb(m); - return; - default: - DPRINTF(("ipsec_common_input_cb(): unknown/unsupported" - " security protocol %d\n", sproto)); - m_freem(m); - return; + if (niq_enqueue(&ipintrq, m) != 0) { + DPRINTF(("ipsec_common_input_cb(): dropped packet " + "because of full IP queue\n")); + IPSEC_ISTAT(espstat.esps_qfull, ahstat.ahs_qfull, + ipcompstat.ipcomps_qfull); } - break; - + return; #ifdef INET6 case AF_INET6: - switch (sproto) { - case IPPROTO_ESP: - esp6_input_cb(m, skip, protoff); - return; - case IPPROTO_AH: - ah6_input_cb(m, skip, protoff); - return; - case IPPROTO_IPCOMP: - ipcomp6_input_cb(m, skip, protoff); - return; - default: - DPRINTF(("ipsec_common_input_cb(): unknown/unsupported" - " security protocol %d\n", sproto)); - m_freem(m); - return; - } - break; + ip6_ours(m, skip, prot); + return; #endif /* INET6 */ - default: DPRINTF(("ipsec_common_input_cb(): unknown/unsupported " "protocol family %d\n", af)); 
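Review bot: In the `AF_INET6` case, `ip6_ours(m, skip, prot)` dispatches on the local `prot`, whereas the removed `ah6_input_cb()` re-read the next-header byte from the mbuf at `protoff` with `m_copydata()`. The assignments to `prot` lie outside this hunk, so it is worth confirming that every path reaching this switch with `af == AF_INET6` has stored the inner protocol there. The `ip6_hdrnestlimit` and `m->m_pkthdr.len < off` checks deleted along with `ah6_input_cb()` now have to come from `ip6_ours()`, whose body is not part of this diff. The comment kept above `switch (af)` is stale because no per-protocol callback is called any more; something like `/* Requeue for IPv4 input, or hand the packet to ip6_ours() for IPv6. */` would match the new code. `ipsec_common_input_cb()` begins and ends outside the hunk.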
@@ -704,24 +679,6 @@ ah4_input(struct mbuf **mp, int *offp, int proto) return IPPROTO_DONE; } -/* IPv4 AH callback. */ -void -ah4_input_cb(struct mbuf *m, ...) -{ - /* - * Interface pointer is already in first mbuf; chop off the - * `outer' header and reschedule. - */ - - if (niq_enqueue(&ipintrq, m) != 0) { - ahstat.ahs_qfull++; - DPRINTF(("ah4_input_cb(): dropped packet because of full " - "IP queue\n")); - return; - } -} - - /* XXX rdomain */ void ah4_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v) @@ -742,22 +699,6 @@ esp4_input(struct mbuf **mp, int *offp, int proto) return IPPROTO_DONE; } -/* IPv4 ESP callback. */ -void -esp4_input_cb(struct mbuf *m, ...) -{ - /* - * Interface pointer is already in first mbuf; chop off the - * `outer' header and reschedule. - */ - if (niq_enqueue(&ipintrq, m) != 0) { - espstat.esps_qfull++; - DPRINTF(("esp4_input_cb(): dropped packet because of full " - "IP queue\n")); - return; - } -} - /* IPv4 IPCOMP wrapper */ int ipcomp4_input(struct mbuf **mp, int *offp, int proto) @@ -767,21 +708,6 @@ ipcomp4_input(struct mbuf **mp, int *offp, int proto) return IPPROTO_DONE; } -/* IPv4 IPCOMP callback */ -void -ipcomp4_input_cb(struct mbuf *m, ...) -{ - /* - * Interface pointer is already in first mbuf; chop off the - * `outer' header and reschedule. - */ - if (niq_enqueue(&ipintrq, m) != 0) { - ipcompstat.ipcomps_qfull++; - DPRINTF(("ipcomp4_input_cb(): dropped packet because of full IP queue\n")); - return; - } -} - void ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa, void *v, int proto) 
@@ -961,44 +887,6 @@ ah6_input(struct mbuf **mp, int *offp, int proto) return IPPROTO_DONE; } -/* IPv6 AH callback. */ -void -ah6_input_cb(struct mbuf *m, int off, int protoff) -{ - int nxt; - u_int8_t nxt8; - int nest = 0; - - /* Retrieve new protocol */ - m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8); - nxt = nxt8; - - /* - * see the end of ip6_input for this logic. - * IPPROTO_IPV[46] case will be processed just like other ones - */ - while (nxt != IPPROTO_DONE) { - if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) { - ip6stat_inc(ip6s_toomanyhdr); - goto bad; - } - - /* - * Protection against faulty packet - there should be - * more sanity checks in header chain processing. - */ - if (m->m_pkthdr.len < off) { - ip6stat_inc(ip6s_tooshort); - goto bad; - } - nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); - } - return; - - bad: - m_freem(m); -} - /* IPv6 ESP wrapper. */ int esp6_input(struct mbuf **mp, int *offp, int proto) @@ -1052,13 +940,6 @@ esp6_input(struct mbuf **mp, int *offp, int proto) } -/* IPv6 ESP callback */ -void -esp6_input_cb(struct mbuf *m, int skip, int protoff) -{ - ah6_input_cb(m, skip, protoff); -} - /* IPv6 IPcomp wrapper */ int ipcomp6_input(struct mbuf **mp, int *offp, int proto) @@ -1110,12 +991,4 @@ ipcomp6_input(struct mbuf **mp, int *offp, int proto) ipsec_common_input(*mp, *offp, protoff, AF_INET6, proto, 0); return IPPROTO_DONE; } - -/* IPv6 IPcomp callback */ -void -ipcomp6_input_cb(struct mbuf *m, int skip, int protoff) -{ - ah6_input_cb(m, skip, protoff); -} - #endif /* INET6 */ diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c index 8cc803a431d..4b0c4adf100 100644 --- a/sys/netinet6/ip6_input.c +++ b/sys/netinet6/ip6_input.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_input.c,v 1.178 2017/02/06 16:01:25 bluhm Exp $ */ +/* $OpenBSD: ip6_input.c,v 1.179 2017/02/08 12:37:43 bluhm Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* 
@@ -122,7 +122,6 @@ struct cpumem *ip6counters; int ip6_check_rh0hdr(struct mbuf *, int *); int ip6_hbhchcheck(struct mbuf *, int *, int *, int *); int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); -void ip6_ours(struct mbuf *, int, int); struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static struct mbuf_queue ip6send_mq; diff --git a/sys/netinet6/ip6_var.h b/sys/netinet6/ip6_var.h index 24af0456d50..9c3c3ccc3c9 100644 --- a/sys/netinet6/ip6_var.h +++ b/sys/netinet6/ip6_var.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ip6_var.h,v 1.67 2017/02/05 16:04:14 jca Exp $ */ +/* $OpenBSD: ip6_var.h,v 1.68 2017/02/08 12:37:43 bluhm Exp $ */ /* $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $ */ /* @@ -304,6 +304,7 @@ int icmp6_ctloutput(int, struct socket *, int, int, struct mbuf *); void ip6_init(void); void ip6intr(void); void ip6_input(struct mbuf *); +void ip6_ours(struct mbuf *, int, int); void ip6_freepcbopts(struct ip6_pktopts *); void ip6_freemoptions(struct ip6_moptions *); int ip6_unknown_opt(u_int8_t *, struct mbuf *, int); |