PERFORCE change 123605 for review
Ana Kukec
anchie at FreeBSD.org
Mon Jul 16 17:57:34 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=123605
Change 123605 by anchie at anchie_malimis on 2007/07/16 17:57:31
Added support for IPcomp algorithm.
Affected files ...
.. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#7 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#7 edit
.. //depot/projects/vimage/src/sys/netipsec/vipsec.h#4 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#3 edit
.. //depot/projects/vimage/src/sys/sys/vimage.h#21 edit
Differences ...
==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#7 (text+ko) ====
@@ -117,7 +117,7 @@
int error;
IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
- ipcompstat.ipcomps_input);
+ V_ipcompstat.ipcomps_input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -127,17 +127,17 @@
if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
(sproto == IPPROTO_AH && !V_ah_enable) ||
- (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
+ (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ V_ipcompstat.ipcomps_pdrops);
return EOPNOTSUPP;
}
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
}
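Review bot: The length check `m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)` in this hunk's context compares a subtraction result against a `size_t`. If both operands are signed (their declarations are outside the hunk), a `skip` larger than the packet length converts to a large unsigned value and the "packet too small" branch is not taken. The same form appears in the hunks at -345, -389, -613 and -653 with `sizeof(struct ip)` and `sizeof(struct ip6_hdr)`. Since this commit touches each of these blocks, it would be a good place to make the guard explicit, e.g. `if (skip > m->m_pkthdr.len || m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {`. The enclosing function starts and ends outside the hunk.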
@@ -183,7 +183,7 @@
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
- ipcompstat.ipcomps_nopf);
+ V_ipcompstat.ipcomps_nopf);
return EPFNOSUPPORT;
}
@@ -194,7 +194,7 @@
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
- ipcompstat.ipcomps_notdb);
+ V_ipcompstat.ipcomps_notdb);
m_freem(m);
return ENOENT;
}
@@ -204,7 +204,7 @@
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
- ipcompstat.ipcomps_noxform);
+ V_ipcompstat.ipcomps_noxform);
KEY_FREESAV(&sav);
m_freem(m);
return ENXIO;
@@ -310,7 +310,7 @@
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
- ipcompstat.ipcomps_badkcr);
+ V_ipcompstat.ipcomps_badkcr);
KEY_FREESAV(&sav);
return EINVAL;
}
@@ -322,7 +322,7 @@
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -345,7 +345,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -376,7 +376,7 @@
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -389,7 +389,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -418,7 +418,7 @@
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
V_ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -440,7 +440,7 @@
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
@@ -475,7 +475,7 @@
*/
if ((error = netisr_queue(NETISR_IP, m))) {
IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
- ipcompstat.ipcomps_qfull);
+ V_ipcompstat.ipcomps_qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
__func__, sproto));
@@ -531,7 +531,7 @@
"l %u, off %u\n", __func__, protoff, l, *offp));
IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
m_freem(*mp);
*mp = NULL;
return IPPROTO_DONE;
@@ -579,7 +579,7 @@
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
- ipcompstat.ipcomps_badkcr);
+ V_ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
}
@@ -593,7 +593,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
}
@@ -613,7 +613,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -639,7 +639,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
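Review bot: The context line `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` is a malformed macro invocation: the opening parenthesis sits after `sproto,` instead of after `IPSEC_ISTAT`. The commit edits the continuation line directly below it but leaves this line as is, so the statement cannot compile if the region is ever built; presumably it sits inside a disabled conditional that the hunk does not show. It should read `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`, otherwise the policy-drop accounting on this path breaks the build as soon as the block is enabled.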
@@ -653,7 +653,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
V_ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -681,7 +681,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -702,7 +702,7 @@
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#7 (text+ko) ====
@@ -311,11 +311,11 @@
*/
if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
(isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
- (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
+ (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ V_ipcompstat.ipcomps_pdrops);
*error = EHOSTUNREACH;
goto bad;
}
@@ -327,7 +327,7 @@
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: no transform for SA\n", __func__));
IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
- ipcompstat.ipcomps_noxform);
+ V_ipcompstat.ipcomps_noxform);
*error = EHOSTUNREACH;
goto bad;
}
==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#4 (text+ko) ====
@@ -42,6 +42,7 @@
#include <netipsec/ipsec.h>
#include <netipsec/esp_var.h>
#include <netipsec/ah_var.h>
+#include <netipsec/ipcomp_var.h>
#include <netipsec/ipip_var.h>
#include <net/if.h>
@@ -102,7 +103,10 @@
int _ah_enable;
int _ah_cleartos;
- struct ahstat _ahstat;
+ struct ahstat _ahstat;
+
+ int _ipcomp_enable;
+ struct ipcompstat _ipcompstat;
};
extern struct vnet_ipsec vnet_ipsec_0;
@@ -162,4 +166,6 @@
#define V_ah_enable VNET_IPSEC(ah_enable)
#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
#define V_ahstat VNET_IPSEC(ahstat)
+#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
+#define V_ipcompstat VNET_IPSEC(ipcompstat)
#endif /* !_NETIPSEC_VIPSEC_H_ */
==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#5 (text+ko) ====
@@ -109,7 +109,7 @@
#ifdef VIMAGE
static struct vnet_modinfo vnet_ah_modinfo = {
.id = VNET_MOD_AH,
- .name = "esp",
+ .name = "ah",
.symmap = NULL,
.i_attach = ah_iattach,
.i_detach = NULL,
==== //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#3 (text+ko) ====
@@ -69,14 +69,28 @@
#include <opencrypto/deflate.h>
#include <opencrypto/xform.h>
+#ifndef VIMAGE
int ipcomp_enable = 0;
struct ipcompstat ipcompstat;
+#endif
SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_INT(_net_inet_ipcomp, OID_AUTO,
- ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, "");
-SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &ipcompstat, ipcompstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
+ ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
+
+static int ipcomp_iattach(void *);
+
+#ifdef VIMAGE
+static struct vnet_modinfo vnet_ipcomp_modinfo = {
+ .id = VNET_MOD_IPCOMP,
+ .name = "ipcomp",
+ .symmap = NULL,
+ .i_attach = ipcomp_iattach,
+ .i_detach = NULL,
+};
+#endif
static int ipcomp_input_cb(struct cryptop *crp);
static int ipcomp_output_cb(struct cryptop *crp);
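Review bot: Both converted sysctls keep an empty description string (`""`), so once `ipcomp_enable` becomes a per-vnet read-write knob nothing tells the operator what it controls or that it applies to one network stack instance only. I would fill the strings in, e.g. `ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "Enable IPComp processing in this vnet");` and a matching text for `stats`. A one-line comment above `vnet_ipcomp_modinfo` saying that `ipcomp_iattach` sets the per-vnet default for the enable flag would also help the next reader.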
@@ -153,7 +167,7 @@
if (crp == NULL) {
m_freem(m);
DPRINTF(("%s: no crypto descriptors\n", __func__));
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
/* Get IPsec-specific opaque pointer */
@@ -162,7 +176,7 @@
m_freem(m);
crypto_freereq(crp);
DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
crdc = crp->crp_desc;
@@ -238,7 +252,7 @@
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ipcompstat.ipcomps_notdb++;
+ V_ipcompstat.ipcomps_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
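Review bot: `V_ipcompstat` is bumped here on a path that runs after the crypto request has completed (the message says "SA expired while in crypto"), and the hunk does not show which vnet the macro resolves against at that point. `ipcomp_iattach` in this change sets its context with `INIT_VNET_IPSEC(curvnet)`; if the callbacks do the same, the counter lands in whatever vnet is current when the crypto layer calls back, which may not be the one the packet belongs to. I would derive the vnet from the packet or the SA in the `*_cb` functions, or add a comment stating why `curvnet` is correct there. The same applies to the hunks at -262, -519 and -539; the enclosing function starts and ends outside this hunk.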
@@ -262,19 +276,19 @@
return error;
}
- ipcompstat.ipcomps_noxform++;
+ V_ipcompstat.ipcomps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
clen = crp->crp_olen; /* Length of data after processing */
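Review bot: `V_ipcompstat.ipcomps_hist[sav->alg_comp]++` indexes a statistics array with a value taken from the SA, and no range check is visible in this hunk (the same line appears in the hunk at -539). If `alg_comp` is validated when the SA is installed, a one-line comment saying so would be enough. Otherwise I would guard the increment against the array's declared size, because with this change an out-of-range index writes outside the `_ipcompstat` member of `struct vnet_ipsec` rather than outside a standalone global. The enclosing function starts and ends outside the hunk.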
@@ -286,7 +300,7 @@
m->m_pkthdr.len = clen + hlen + skip;
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
- ipcompstat.ipcomps_hdrops++; /*XXX*/
+ V_ipcompstat.ipcomps_hdrops++; /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
error = EINVAL; /*XXX*/
goto bad;
@@ -299,7 +313,7 @@
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
if (error) {
- ipcompstat.ipcomps_hdrops++;
+ V_ipcompstat.ipcomps_hdrops++;
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -360,7 +374,7 @@
ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
hlen = IPCOMP_HLENGTH;
- ipcompstat.ipcomps_output++;
+ V_ipcompstat.ipcomps_output++;
/* Check for maximum packet size violations. */
switch (sav->sah->saidx.dst.sa.sa_family) {
@@ -375,7 +389,7 @@
break;
#endif /* INET6 */
default:
- ipcompstat.ipcomps_nopf++;
+ V_ipcompstat.ipcomps_nopf++;
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@@ -385,7 +399,7 @@
goto bad;
}
if (skip + hlen + ralen > maxpacketsize) {
- ipcompstat.ipcomps_toobig++;
+ V_ipcompstat.ipcomps_toobig++;
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -396,11 +410,11 @@
}
/* Update the counters */
- ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
+ V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
- ipcompstat.ipcomps_hdrops++;
+ V_ipcompstat.ipcomps_hdrops++;
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -411,7 +425,7 @@
/* Inject IPCOMP header */
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
- ipcompstat.ipcomps_wrap++;
+ V_ipcompstat.ipcomps_wrap++;
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -446,7 +460,7 @@
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
error = ENOBUFS;
goto bad;
@@ -466,7 +480,7 @@
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
crypto_freereq(crp);
error = ENOBUFS;
@@ -519,7 +533,7 @@
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ipcompstat.ipcomps_notdb++;
+ V_ipcompstat.ipcomps_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -539,19 +553,19 @@
NET_UNLOCK_GIANT();
return error;
}
- ipcompstat.ipcomps_noxform++;
+ V_ipcompstat.ipcomps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
if (rlen > crp->crp_olen) {
/* Adjust the length in the IP header */
@@ -568,7 +582,7 @@
break;
#endif /* INET6 */
default:
- ipcompstat.ipcomps_nopf++;
+ V_ipcompstat.ipcomps_nopf++;
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@@ -610,9 +624,26 @@
ipcomp_output
};
+static int
+ipcomp_iattach(unused)
+ void *unused;
+{
+ INIT_VNET_IPSEC(curvnet);
+
+ V_ipcomp_enable = 0;
+
+ xform_register(&ipcomp_xformsw);
+
+ return 0;
+}
+
static void
ipcomp_attach(void)
{
- xform_register(&ipcomp_xformsw);
+#ifdef VIMAGE
+ vnet_mod_register(&vnet_ipcomp_modinfo);
+#else
+ ipcomp_iattach(NULL);
+#endif
}
SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL);
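Review bot: `ipcomp_iattach` calls `xform_register(&ipcomp_xformsw)` on a single static switch entry, and under VIMAGE it is installed as `.i_attach`, so if that hook runs once per vnet instance the same entry is registered repeatedly; whether `xform_register` tolerates a duplicate is not visible here. I would keep only the per-vnet initialisation in `ipcomp_iattach` and call `xform_register(&ipcomp_xformsw);` once from `ipcomp_attach`, before the `#ifdef VIMAGE`. `V_ipcompstat` is also never cleared in `ipcomp_iattach`, so a new vnet's counters depend on how `struct vnet_ipsec` is allocated, which this change does not show. The new function uses a K&R-style definition (`ipcomp_iattach(unused) void *unused;`) although its prototype is ANSI; `ipcomp_iattach(void *unused)` would match.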
==== //depot/projects/vimage/src/sys/sys/vimage.h#21 (text+ko) ====
@@ -80,6 +80,7 @@
#define VNET_MOD_IPIP 14
#define VNET_MOD_AH 15
#define VNET_MOD_GIF 16
+#define VNET_MOD_IPCOMP 17
#define VNET_MOD_ARP 28
#define VNET_MOD_RTABLE 29
#define VNET_MOD_LOIF 30