svn commit: r275715 - head/sys/netinet6

Andrey V. Elsukov ae at FreeBSD.org
Thu Dec 11 19:09:59 UTC 2014


Author: ae
Date: Thu Dec 11 19:09:57 2014
New Revision: 275715
URL: https://svnweb.freebsd.org/changeset/base/275715

Log:
  Use ipsec6_in_reject() to simplify ip6_ipsec_fwd() and ip6_ipsec_input().
  ipsec6_in_reject() does the same things, also it counts policy violation
  errors.
  
  Do the IPSEC check in ip6_forward() after the address checks.
  Also use ip6_ipsec_fwd() to make code similar to IPv4 implementation.
  
  Obtained from:	Yandex LLC
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netinet6/ip6_forward.c
  head/sys/netinet6/ip6_ipsec.c

Modified: head/sys/netinet6/ip6_forward.c
==============================================================================
--- head/sys/netinet6/ip6_forward.c	Thu Dec 11 18:58:22 2014	(r275714)
+++ head/sys/netinet6/ip6_forward.c	Thu Dec 11 19:09:57 2014	(r275715)
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <netinet/in_pcb.h>
 
 #ifdef IPSEC
+#include <netinet6/ip6_ipsec.h>
 #include <netipsec/ipsec.h>
 #include <netipsec/ipsec6.h>
 #include <netipsec/key.h>
@@ -109,21 +110,6 @@ ip6_forward(struct mbuf *m, int srcrt)
 	struct m_tag *fwd_tag;
 	char ip6bufs[INET6_ADDRSTRLEN], ip6bufd[INET6_ADDRSTRLEN];
 
-#ifdef IPSEC
-	/*
-	 * Check AH/ESP integrity.
-	 */
-	/*
-	 * Don't increment ip6s_cantforward because this is the check
-	 * before forwarding packet actually.
-	 */
-	if (ipsec6_in_reject(m, NULL)) {
-		IPSEC6STAT_INC(ips_in_polvio);
-		m_freem(m);
-		return;
-	}
-#endif /* IPSEC */
-
 	/*
 	 * Do not forward packets to multicast destination (should be handled
 	 * by ip6_mforward().
@@ -148,6 +134,17 @@ ip6_forward(struct mbuf *m, int srcrt)
 		m_freem(m);
 		return;
 	}
+#ifdef IPSEC
+	/*
+	 * Check if this packet has an active SA and needs to be dropped
+	 * instead of forwarded.
+	 */
+	if (ip6_ipsec_fwd(m) != 0) {
+		IP6STAT_INC(ip6s_cantforward);
+		m_freem(m);
+		return;
+	}
+#endif /* IPSEC */
 
 #ifdef IPSTEALTH
 	if (!V_ip6stealth) {
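Review bot: The drop at `if (ip6_ipsec_fwd(m) != 0)` now increments `ip6s_cantforward`, whereas the check it replaces carried an explicit comment that this counter must not be bumped because the policy check runs before the packet is actually forwarded; with `ipsec6_in_reject()` already counting `ips_in_polvio` (per the log message), a policy-rejected packet is now reflected in two counters. If counting it under `ip6s_cantforward` is intended to mirror the IPv4 forwarding path, the new block comment should say so rather than repeating the ip6_ipsec.c header, e.g. `/* ipsec6_in_reject() already counts ips_in_polvio; ip6s_cantforward is bumped here to match ip_forward(). */`. The check has also moved from the top of ip6_forward() to after the source/destination address checks, so packets rejected by those checks no longer reach the IPsec policy lookup at all; the body of ip6_forward() continues outside the hunk.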

Modified: head/sys/netinet6/ip6_ipsec.c
==============================================================================
--- head/sys/netinet6/ip6_ipsec.c	Thu Dec 11 18:58:22 2014	(r275714)
+++ head/sys/netinet6/ip6_ipsec.c	Thu Dec 11 19:09:57 2014	(r275715)
@@ -118,28 +118,18 @@ ip6_ipsec_filtertunnel(struct mbuf *m)
 /*
  * Check if this packet has an active SA and needs to be dropped instead
  * of forwarded.
- * Called from ip6_input().
+ * Called from ip6_forward().
  * 1 = drop packet, 0 = forward packet.
  */
 int
 ip6_ipsec_fwd(struct mbuf *m)
 {
-#ifdef IPSEC
-	struct secpolicy *sp;
-	int error;
 
-	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-	if (sp != NULL) {
-		/*
-		 * Check security policy against packet attributes.
-		 */
-		error = ipsec_in_reject(sp, m);
-		KEY_FREESP(&sp);
-	}
-	if (error != 0)
-		return (1);
-#endif /* IPSEC */
+#ifdef IPSEC
+	return (ipsec6_in_reject(m, NULL));
+#else
 	return (0);
+#endif /* !IPSEC */
 }
 
 /*
@@ -152,31 +142,15 @@ ip6_ipsec_fwd(struct mbuf *m)
 int
 ip6_ipsec_input(struct mbuf *m, int nxt)
 {
+
 #ifdef IPSEC
-	struct secpolicy *sp;
-	int error;
 	/*
 	 * enforce IPsec policy checking if we are seeing last header.
 	 * note that we do not visit this with protocols with pcb layer
 	 * code - like udp/tcp/raw ip.
 	 */
-	if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
-	    ipsec6_in_reject(m, NULL)) {
-		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-		if (sp != NULL) {
-			/*
-			 * Check security policy against packet attributes.
-			 */
-			error = ipsec_in_reject(sp, m);
-			KEY_FREESP(&sp);
-		} else {
-			/* XXX error stat??? */
-			error = EINVAL;
-			DPRINTF(("%s: no SP, packet discarded\n", __func__));/*XXX*/
-		}
-		if (error != 0)
-			return (1);
-	}
+	if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+		return (ipsec6_in_reject(m, NULL));
 #endif /* IPSEC */
 	return (0);
 }
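Review bot: The removed `else` branch turned a missing inbound security policy into a discard (`error = EINVAL`), while the new `return (ipsec6_in_reject(m, NULL));` leaves that decision entirely to ipsec6_in_reject(); whether a last-header packet with no matching SP is now accepted depends on how that function handles a NULL policy, which is not visible in this hunk. Because the old branch was only reachable after ipsec6_in_reject() had already returned non-zero, it was presumably dead in practice, but the delegation should be stated in the function's header comment (outside the hunk), e.g. `/* Policy lookup, the no-policy case and the ips_in_polvio count are handled by ipsec6_in_reject(). */`. The same delegation applies to ip6_ipsec_fwd() in the previous hunk.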

