diff options
author | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2013-11-06 16:20:21 +0100 |
---|---|---|
committer | Sebastian Huber <sebastian.huber@embedded-brains.de> | 2013-11-11 10:08:08 +0100 |
commit | 66659ff1ad6831b0ea7425fa6ecd8a8687523658 (patch) | |
tree | 48e22b475fa8854128e0861a33fed6f78c8094b5 /freebsd/sys/netipsec | |
parent | Define __GLOBL1() and __GLOBL() (diff) | |
download | rtems-libbsd-66659ff1ad6831b0ea7425fa6ecd8a8687523658.tar.bz2 |
Update to FreeBSD 9.2
Diffstat (limited to 'freebsd/sys/netipsec')
-rw-r--r-- | freebsd/sys/netipsec/ah_var.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/esp_var.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipcomp_var.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipip_var.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec.c | 10 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec.h | 3 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec6.h | 1 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec_input.c | 94 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec_mbuf.c | 8 | ||||
-rw-r--r-- | freebsd/sys/netipsec/ipsec_output.c | 55 | ||||
-rw-r--r-- | freebsd/sys/netipsec/key.c | 65 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keydb.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keysock.c | 48 | ||||
-rw-r--r-- | freebsd/sys/netipsec/keysock.h | 2 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ah.c | 83 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_esp.c | 95 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ipcomp.c | 78 | ||||
-rw-r--r-- | freebsd/sys/netipsec/xform_ipip.c | 108 |
18 files changed, 351 insertions, 309 deletions
diff --git a/freebsd/sys/netipsec/ah_var.h b/freebsd/sys/netipsec/ah_var.h index 6145dba9..812fe2dc 100644 --- a/freebsd/sys/netipsec/ah_var.h +++ b/freebsd/sys/netipsec/ah_var.h @@ -75,6 +75,8 @@ VNET_DECLARE(int, ah_enable); VNET_DECLARE(int, ah_cleartos); VNET_DECLARE(struct ahstat, ahstat); +#define AHSTAT_ADD(name, val) V_ahstat.name += (val) +#define AHSTAT_INC(name) AHSTAT_ADD(name, 1) #define V_ah_enable VNET(ah_enable) #define V_ah_cleartos VNET(ah_cleartos) #define V_ahstat VNET(ahstat) diff --git a/freebsd/sys/netipsec/esp_var.h b/freebsd/sys/netipsec/esp_var.h index 477dcbf5..c6133614 100644 --- a/freebsd/sys/netipsec/esp_var.h +++ b/freebsd/sys/netipsec/esp_var.h @@ -75,6 +75,8 @@ struct espstat { VNET_DECLARE(int, esp_enable); VNET_DECLARE(struct espstat, espstat); +#define ESPSTAT_ADD(name, val) V_espstat.name += (val) +#define ESPSTAT_INC(name) ESPSTAT_ADD(name, 1) #define V_esp_enable VNET(esp_enable) #define V_espstat VNET(espstat) #endif /* _KERNEL */ diff --git a/freebsd/sys/netipsec/ipcomp_var.h b/freebsd/sys/netipsec/ipcomp_var.h index c99a3be7..ee15598f 100644 --- a/freebsd/sys/netipsec/ipcomp_var.h +++ b/freebsd/sys/netipsec/ipcomp_var.h @@ -68,6 +68,8 @@ struct ipcompstat { VNET_DECLARE(int, ipcomp_enable); VNET_DECLARE(struct ipcompstat, ipcompstat); +#define IPCOMPSTAT_ADD(name, val) V_ipcompstat.name += (val) +#define IPCOMPSTAT_INC(name) IPCOMPSTAT_ADD(name, 1) #define V_ipcomp_enable VNET(ipcomp_enable) #define V_ipcompstat VNET(ipcompstat) #endif /* _KERNEL */ diff --git a/freebsd/sys/netipsec/ipip_var.h b/freebsd/sys/netipsec/ipip_var.h index 3c8c3974..415d5c10 100644 --- a/freebsd/sys/netipsec/ipip_var.h +++ b/freebsd/sys/netipsec/ipip_var.h @@ -62,6 +62,8 @@ struct ipipstat VNET_DECLARE(int, ipip_allow); VNET_DECLARE(struct ipipstat, ipipstat); +#define IPIPSTAT_ADD(name, val) V_ipipstat.name += (val) +#define IPIPSTAT_INC(name) IPIPSTAT_ADD(name, 1) #define V_ipip_allow VNET(ipip_allow) #define V_ipipstat VNET(ipipstat) #endif /* _KERNEL */ diff --git a/freebsd/sys/netipsec/ipsec.c b/freebsd/sys/netipsec/ipsec.c index dcf40918..853292c5 100644 --- a/freebsd/sys/netipsec/ipsec.c +++ b/freebsd/sys/netipsec/ipsec.c @@ -456,7 +456,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, sp = ipsec_getpolicybysock(m, dir, inp, error); if (sp == NULL) { IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); - V_ipsec4stat.ips_out_inval++; + IPSECSTAT_INC(ips_out_inval); return (NULL); } IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); @@ -466,7 +466,7 @@ ipsec4_checkpolicy(struct mbuf *m, u_int dir, u_int flag, int *error, printf("%s: invalid policy %u\n", __func__, sp->policy); /* FALLTHROUGH */ case IPSEC_POLICY_DISCARD: - V_ipsec4stat.ips_out_polvio++; + IPSECSTAT_INC(ips_out_polvio); *error = -EINVAL; /* Packet is discarded by caller. */ break; case IPSEC_POLICY_BYPASS: @@ -600,7 +600,7 @@ ipsec4_get_ulp(struct mbuf *m, struct secpolicyindex *spidx, int needport) IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short")); /* NB: ip_input() flips it into host endian. XXX Need more checking. */ - if (m->m_len < sizeof (struct ip)) { + if (m->m_len >= sizeof (struct ip)) { struct ip *ip = mtod(m, struct ip *); if (ip->ip_off & (IP_MF | IP_OFFMASK)) goto done; @@ -1317,7 +1317,7 @@ ipsec4_in_reject(struct mbuf *m, struct inpcb *inp) result = ipsec46_in_reject(m, inp); if (result) - V_ipsec4stat.ips_in_polvio++; + IPSECSTAT_INC(ips_in_polvio); return (result); } @@ -1335,7 +1335,7 @@ ipsec6_in_reject(struct mbuf *m, struct inpcb *inp) result = ipsec46_in_reject(m, inp); if (result) - V_ipsec6stat.ips_in_polvio++; + IPSEC6STAT_INC(ips_in_polvio); return (result); } diff --git a/freebsd/sys/netipsec/ipsec.h b/freebsd/sys/netipsec/ipsec.h index fb987ad2..f3415872 100644 --- a/freebsd/sys/netipsec/ipsec.h +++ b/freebsd/sys/netipsec/ipsec.h @@ -61,7 +61,7 @@ * specifies ICMPv6 type, and the port field in "dst" specifies ICMPv6 code. */ struct secpolicyindex { - u_int8_t dir; /* direction of packet flow, see blow */ + u_int8_t dir; /* direction of packet flow, see below */ union sockaddr_union src; /* IP src address for SP */ union sockaddr_union dst; /* IP dst address for SP */ u_int8_t prefs; /* prefix length in bits for src */ @@ -359,6 +359,7 @@ VNET_DECLARE(int, ip4_ipsec_ecn); VNET_DECLARE(int, ip4_esp_randpad); VNET_DECLARE(int, crypto_support); +#define IPSECSTAT_INC(name) V_ipsec4stat.name += 1 #define V_ipsec4stat VNET(ipsec4stat) #define V_ip4_def_policy VNET(ip4_def_policy) #define V_ip4_esp_trans_deflev VNET(ip4_esp_trans_deflev) diff --git a/freebsd/sys/netipsec/ipsec6.h b/freebsd/sys/netipsec/ipsec6.h index c004220e..21ec6b36 100644 --- a/freebsd/sys/netipsec/ipsec6.h +++ b/freebsd/sys/netipsec/ipsec6.h @@ -48,6 +48,7 @@ VNET_DECLARE(int, ip6_ah_trans_deflev); VNET_DECLARE(int, ip6_ah_net_deflev); VNET_DECLARE(int, ip6_ipsec_ecn); +#define IPSEC6STAT_INC(name) V_ipsec6stat.name += 1 #define V_ipsec6stat VNET(ipsec6stat) #define V_ip6_esp_trans_deflev VNET(ip6_esp_trans_deflev) #define V_ip6_esp_net_deflev VNET(ip6_esp_net_deflev) diff --git a/freebsd/sys/netipsec/ipsec_input.c b/freebsd/sys/netipsec/ipsec_input.c index 9a491d41..d910de71 100644 --- a/freebsd/sys/netipsec/ipsec_input.c +++ b/freebsd/sys/netipsec/ipsec_input.c @@ -101,8 +101,14 @@ #endif -#define IPSEC_ISTAT(p,x,y,z) ((p) == IPPROTO_ESP ? (x)++ : \ - (p) == IPPROTO_AH ? (y)++ : (z)++) +#define IPSEC_ISTAT(proto, name) do { \ + if ((proto) == IPPROTO_ESP) \ + ESPSTAT_INC(esps_##name); \ + else if ((proto) == IPPROTO_AH) \ + AHSTAT_INC(ahs_##name); \ + else \ + IPCOMPSTAT_INC(ipcomps_##name); \ +} while (0) #ifdef INET static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); @@ -110,7 +116,7 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); /* * ipsec_common_input gets called when an IPsec-protected packet - * is received by IPv4 or IPv6. It's job is to find the right SA + * is received by IPv4 or IPv6. Its job is to find the right SA * and call the appropriate transform. The transform callback * takes care of further processing (like ingress filtering). */ @@ -121,12 +127,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) struct secasvar *sav; u_int32_t spi; int error; +#ifdef INET #ifdef IPSEC_NAT_T struct m_tag *tag; #endif +#endif - IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, - V_ipcompstat.ipcomps_input); + IPSEC_ISTAT(sproto, input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -138,15 +145,13 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) (sproto == IPPROTO_AH && !V_ah_enable) || (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; } @@ -197,8 +202,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) default: DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, - V_ipcompstat.ipcomps_nopf); + IPSEC_ISTAT(sproto, nopf); return EPFNOSUPPORT; } @@ -208,8 +212,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, - V_ipcompstat.ipcomps_notdb); + IPSEC_ISTAT(sproto, notdb); m_freem(m); return ENOENT; } @@ -218,8 +221,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, - V_ipcompstat.ipcomps_noxform); + IPSEC_ISTAT(sproto, noxform); KEY_FREESAV(&sav); m_freem(m); return ENXIO; @@ -321,8 +323,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - V_ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, badkcr); KEY_FREESAV(&sav); return EINVAL; } @@ -333,8 +334,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, DPRINTF(("%s: processing failed for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOBUFS; goto bad; } @@ -355,9 +355,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -386,9 +384,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsp_address(saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -399,9 +395,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -428,9 +422,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -451,8 +443,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOMEM; goto bad; } @@ -473,6 +464,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, key_sa_recordxfer(sav, m); /* record data transfer */ + m_addr_changed(m); + #ifdef DEV_ENC encif->if_ipackets++; encif->if_ibytes += m->m_pkthdr.len; @@ -492,9 +485,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, * Re-dispatch via software interrupt. */ if ((error = netisr_queue_src(NETISR_IP, (uintptr_t)sav->spi, m))) { - IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, - V_ipcompstat.ipcomps_qfull); - + IPSEC_ISTAT(sproto, qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); return error; @@ -546,9 +537,7 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto) if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain, protoff %u, " "l %u, off %u\n", __func__, protoff, l, *offp)); - IPSEC_ISTAT(proto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(proto, hdrops); m_freem(*mp); *mp = NULL; return IPPROTO_DONE; @@ -593,8 +582,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - V_ipcompstat.ipcomps_badkcr); + IPSEC_ISTAT(sproto, badkcr); error = EINVAL; goto bad; } @@ -607,8 +595,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EACCES; goto bad; } @@ -626,9 +613,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -653,8 +638,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTATsproto, (V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -666,9 +650,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, - V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = EINVAL; goto bad; } @@ -695,8 +677,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); + IPSEC_ISTAT(sproto, pdrops); error = EACCES; goto bad; } @@ -716,8 +697,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); + IPSEC_ISTAT(sproto, hdrops); error = ENOMEM; goto bad; } @@ -766,7 +746,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto nxt = nxt8; while (nxt != IPPROTO_DONE) { if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) { - V_ip6stat.ip6s_toomanyhdr++; + IP6STAT_INC(ip6s_toomanyhdr); error = EINVAL; goto bad; } @@ -776,7 +756,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto * more sanity checks in header chain processing. */ if (m->m_pkthdr.len < skip) { - V_ip6stat.ip6s_tooshort++; + IP6STAT_INC(ip6s_tooshort); in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated); error = EINVAL; goto bad; diff --git a/freebsd/sys/netipsec/ipsec_mbuf.c b/freebsd/sys/netipsec/ipsec_mbuf.c index 43a24b0a..2cafe058 100644 --- a/freebsd/sys/netipsec/ipsec_mbuf.c +++ b/freebsd/sys/netipsec/ipsec_mbuf.c @@ -137,7 +137,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off) m = n; /* header is at front ... */ *off = 0; /* ... of new mbuf */ } - V_ipsec4stat.ips_mbinserted++; + IPSECSTAT_INC(ips_mbinserted); } else { /* * Copy the remainder to the back of the mbuf @@ -243,7 +243,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) /* Remove the header and associated data from the mbuf. */ if (roff == 0) { /* The header was at the beginning of the mbuf */ - V_ipsec4stat.ips_input_front++; + IPSECSTAT_INC(ips_input_front); m_adj(m1, hlen); if ((m1->m_flags & M_PKTHDR) == 0) m->m_pkthdr.len -= hlen; @@ -255,7 +255,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) * so first let's remove the remainder of the header from * the beginning of the remainder of the mbuf chain, if any. */ - V_ipsec4stat.ips_input_end++; + IPSECSTAT_INC(ips_input_end); if (roff + hlen > m1->m_len) { /* Adjust the next mbuf by the remainder */ m_adj(m1->m_next, roff + hlen - m1->m_len); @@ -280,7 +280,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen) * The header lies in the "middle" of the mbuf; copy * the remainder of the mbuf down over the header. */ - V_ipsec4stat.ips_input_middle++; + IPSECSTAT_INC(ips_input_middle); bcopy(mtod(m1, u_char *) + roff + hlen, mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); diff --git a/freebsd/sys/netipsec/ipsec_output.c b/freebsd/sys/netipsec/ipsec_output.c index b4ad609f..a02b6ce2 100644 --- a/freebsd/sys/netipsec/ipsec_output.c +++ b/freebsd/sys/netipsec/ipsec_output.c @@ -166,11 +166,34 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) * doing further processing. */ if (isr->next) { - V_ipsec4stat.ips_out_bundlesa++; - return ipsec4_process_packet(m, isr->next, 0, 0); + IPSECSTAT_INC(ips_out_bundlesa); + /* XXX-BZ currently only support same AF bundles. */ + switch (saidx->dst.sa.sa_family) { +#ifdef INET + case AF_INET: + return ipsec4_process_packet(m, isr->next, 0, 0); + /* NOTREACHED */ +#endif +#ifdef notyet +#ifdef INET6 + case AF_INET6: + /* XXX */ + ipsec6_output_trans() + ipsec6_output_tunnel() + /* NOTREACHED */ +#endif /* INET6 */ +#endif + default: + DPRINTF(("%s: unknown protocol family %u\n", __func__, + saidx->dst.sa.sa_family)); + error = ENXIO; + goto bad; + } } key_sa_recordxfer(sav, m); /* record data transfer */ + m_addr_changed(m); + /* * We're done with IPsec processing, transmit the packet using the * appropriate network protocol (IP or IPv6). SPD lookup will be @@ -261,8 +284,14 @@ ipsec_nextisr( int *error ) { -#define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \ - isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) +#define IPSEC_OSTAT(name) do { \ + if (isr->saidx.proto == IPPROTO_ESP) \ + ESPSTAT_INC(esps_##name); \ + else if (isr->saidx.proto == IPPROTO_AH)\ + AHSTAT_INC(ahs_##name); \ + else \ + IPCOMPSTAT_INC(ipcomps_##name); \ +} while (0) struct secasvar *sav; IPSECREQUEST_LOCK_ASSERT(isr); @@ -341,7 +370,7 @@ again: * this packet because it is responsibility for * upper layer to retransmit the packet. */ - V_ipsec4stat.ips_out_nosa++; + IPSECSTAT_INC(ips_out_nosa); goto bad; } sav = isr->sav; @@ -370,8 +399,7 @@ again: (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { DPRINTF(("%s: IPsec outbound packet dropped due" " to policy (check your sysctls)\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - V_ipcompstat.ipcomps_pdrops); + IPSEC_OSTAT(pdrops); *error = EHOSTUNREACH; goto bad; } @@ -382,8 +410,7 @@ again: */ if (sav->tdb_xform == NULL) { DPRINTF(("%s: no transform for SA\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform, - V_ipcompstat.ipcomps_noxform); + IPSEC_OSTAT(noxform); *error = EHOSTUNREACH; goto bad; } @@ -812,14 +839,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int ipseclog((LOG_ERR, "%s: family mismatched between " "inner and outer, spi=%u\n", __func__, ntohl(isr->sav->spi))); - V_ipsec6stat.ips_out_inval++; + IPSEC6STAT_INC(ips_out_inval); error = EAFNOSUPPORT; goto bad; } m = ipsec6_splithdr(m); if (!m) { - V_ipsec6stat.ips_out_nomem++; + IPSEC6STAT_INC(ips_out_nomem); error = ENOMEM; goto bad; } @@ -848,8 +875,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int rtalloc_ign_fib(state->ro, 0UL, M_GETFIB(m)); } if (state->ro->ro_rt == NULL) { - V_ip6stat.ip6s_noroute++; - V_ipsec6stat.ips_out_noroute++; + IP6STAT_INC(ip6s_noroute); + IPSEC6STAT_INC(ips_out_noroute); error = EHOSTUNREACH; goto bad; } @@ -861,7 +888,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int m = ipsec6_splithdr(m); if (!m) { - V_ipsec6stat.ips_out_nomem++; + IPSEC6STAT_INC(ips_out_nomem); error = ENOMEM; goto bad; } diff --git a/freebsd/sys/netipsec/key.c b/freebsd/sys/netipsec/key.c index 57e8714e..50a90af8 100644 --- a/freebsd/sys/netipsec/key.c +++ b/freebsd/sys/netipsec/key.c @@ -75,7 +75,7 @@ #include <netinet6/ip6_var.h> #endif /* INET6 */ -#ifdef INET +#if defined(INET) || defined(INET6) #include <netinet/in_pcb.h> #endif #ifdef INET6 @@ -896,6 +896,9 @@ key_allocsa_policy(const struct secasindex *saidx) u_int stateidx, arraysize; const u_int *state_valid; + state_valid = NULL; /* silence gcc */ + arraysize = 0; /* silence gcc */ + SAHTREE_LOCK(); LIST_FOREACH(sah, &V_sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) @@ -908,15 +911,13 @@ key_allocsa_policy(const struct secasindex *saidx) state_valid = saorder_state_valid_prefer_new; arraysize = N(saorder_state_valid_prefer_new); } - SAHTREE_UNLOCK(); - goto found; + break; } } SAHTREE_UNLOCK(); + if (sah == NULL) + return NULL; - return NULL; - - found: /* search valid state */ for (stateidx = 0; stateidx < arraysize; stateidx++) { sav = key_do_allocsa_policy(sah, state_valid[stateidx]); @@ -1927,18 +1928,8 @@ key_spdadd(so, m, mhp) return key_senderror(so, m, EINVAL); } #if 1 - if (newsp->req && newsp->req->saidx.src.sa.sa_family) { - struct sockaddr *sa; - sa = (struct sockaddr *)(src0 + 1); - if (sa->sa_family != newsp->req->saidx.src.sa.sa_family) { - _key_delsp(newsp); - return key_senderror(so, m, EINVAL); - } - } - if (newsp->req && newsp->req->saidx.dst.sa.sa_family) { - struct sockaddr *sa; - sa = (struct sockaddr *)(dst0 + 1); - if (sa->sa_family != newsp->req->saidx.dst.sa.sa_family) { + if (newsp->req && newsp->req->saidx.src.sa.sa_family && newsp->req->saidx.dst.sa.sa_family) { + if (newsp->req->saidx.src.sa.sa_family != newsp->req->saidx.dst.sa.sa_family) { _key_delsp(newsp); return key_senderror(so, m, EINVAL); } @@ -7351,7 +7342,7 @@ key_parse(m, so) if ((m->m_flags & M_PKTHDR) == 0 || m->m_pkthdr.len != m->m_pkthdr.len) { ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__)); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); error = EINVAL; goto senderror; } @@ -7359,7 +7350,7 @@ key_parse(m, so) if (msg->sadb_msg_version != PF_KEY_V2) { ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n", __func__, msg->sadb_msg_version)); - V_pfkeystat.out_invver++; + PFKEYSTAT_INC(out_invver); error = EINVAL; goto senderror; } @@ -7367,7 +7358,7 @@ key_parse(m, so) if (msg->sadb_msg_type > SADB_MAX) { ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invmsgtype++; + PFKEYSTAT_INC(out_invmsgtype); error = EINVAL; goto senderror; } @@ -7420,7 +7411,7 @@ key_parse(m, so) ipseclog((LOG_DEBUG, "%s: must specify satype " "when msg type=%u.\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7440,7 +7431,7 @@ key_parse(m, so) case SADB_X_SPDDELETE2: ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n", __func__, msg->sadb_msg_type)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7451,7 +7442,7 @@ key_parse(m, so) case SADB_SATYPE_MIP: ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n", __func__, msg->sadb_msg_satype)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EOPNOTSUPP; goto senderror; case 1: /* XXX: What does it do? */ @@ -7461,7 +7452,7 @@ key_parse(m, so) default: ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n", __func__, msg->sadb_msg_satype)); - V_pfkeystat.out_invsatype++; + PFKEYSTAT_INC(out_invsatype); error = EINVAL; goto senderror; } @@ -7479,7 +7470,7 @@ key_parse(m, so) if (src0->sadb_address_proto != dst0->sadb_address_proto) { ipseclog((LOG_DEBUG, "%s: upper layer protocol " "mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7489,7 +7480,7 @@ key_parse(m, so) PFKEY_ADDR_SADDR(dst0)->sa_family) { ipseclog((LOG_DEBUG, "%s: address family mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7497,7 +7488,7 @@ key_parse(m, so) PFKEY_ADDR_SADDR(dst0)->sa_len) { ipseclog((LOG_DEBUG, "%s: address struct size " "mismatched.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7506,7 +7497,7 @@ key_parse(m, so) case AF_INET: if (PFKEY_ADDR_SADDR(src0)->sa_len != sizeof(struct sockaddr_in)) { - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7514,7 +7505,7 @@ key_parse(m, so) case AF_INET6: if (PFKEY_ADDR_SADDR(src0)->sa_len != sizeof(struct sockaddr_in6)) { - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7522,7 +7513,7 @@ key_parse(m, so) default: ipseclog((LOG_DEBUG, "%s: unsupported address family\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EAFNOSUPPORT; goto senderror; } @@ -7544,7 +7535,7 @@ key_parse(m, so) dst0->sadb_address_prefixlen > plen) { ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n", __func__)); - V_pfkeystat.out_invaddr++; + PFKEYSTAT_INC(out_invaddr); error = EINVAL; goto senderror; } @@ -7557,7 +7548,7 @@ key_parse(m, so) if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) || key_typesw[msg->sadb_msg_type] == NULL) { - V_pfkeystat.out_invmsgtype++; + PFKEYSTAT_INC(out_invmsgtype); error = EINVAL; goto senderror; } @@ -7659,7 +7650,7 @@ key_align(m, mhp) ipseclog((LOG_DEBUG, "%s: duplicate ext_type " "%u\n", __func__, ext->sadb_ext_type)); m_freem(m); - V_pfkeystat.out_dupext++; + PFKEYSTAT_INC(out_dupext); return EINVAL; } break; @@ -7667,7 +7658,7 @@ key_align(m, mhp) ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n", __func__, ext->sadb_ext_type)); m_freem(m); - V_pfkeystat.out_invexttype++; + PFKEYSTAT_INC(out_invexttype); return EINVAL; } @@ -7675,7 +7666,7 @@ key_align(m, mhp) if (key_validate_ext(ext, extlen)) { m_freem(m); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); return EINVAL; } @@ -7693,7 +7684,7 @@ key_align(m, mhp) if (off != end) { m_freem(m); - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); return EINVAL; } diff --git a/freebsd/sys/netipsec/keydb.h b/freebsd/sys/netipsec/keydb.h index f16d1ea2..7494f5f4 100644 --- a/freebsd/sys/netipsec/keydb.h +++ b/freebsd/sys/netipsec/keydb.h @@ -52,7 +52,7 @@ union sockaddr_union { /* Security Assocciation Index */ /* NOTE: Ensure to be same address family */ struct secasindex { - union sockaddr_union src; /* srouce address for SA */ + union sockaddr_union src; /* source address for SA */ union sockaddr_union dst; /* destination address for SA */ u_int16_t proto; /* IPPROTO_ESP or IPPROTO_AH */ u_int8_t mode; /* mode of protocol, see ipsec.h */ diff --git a/freebsd/sys/netipsec/keysock.c b/freebsd/sys/netipsec/keysock.c index e3ebc49a..8af9512b 100644 --- a/freebsd/sys/netipsec/keysock.c +++ b/freebsd/sys/netipsec/keysock.c @@ -93,19 +93,19 @@ key_output(struct mbuf *m, struct socket *so) if (m == 0) panic("%s: NULL pointer was passed.\n", __func__); - V_pfkeystat.out_total++; - V_pfkeystat.out_bytes += m->m_pkthdr.len; + PFKEYSTAT_INC(out_total); + PFKEYSTAT_ADD(out_bytes, m->m_pkthdr.len); len = m->m_pkthdr.len; if (len < sizeof(struct sadb_msg)) { - V_pfkeystat.out_tooshort++; + PFKEYSTAT_INC(out_tooshort); error = EINVAL; goto end; } if (m->m_len < sizeof(struct sadb_msg)) { if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) { - V_pfkeystat.out_nomem++; + PFKEYSTAT_INC(out_nomem); error = ENOBUFS; goto end; } @@ -116,9 +116,9 @@ key_output(struct mbuf *m, struct socket *so) KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m)); msg = mtod(m, struct sadb_msg *); - V_pfkeystat.out_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(out_msgtype[msg->sadb_msg_type]); if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) { - V_pfkeystat.out_invlen++; + PFKEYSTAT_INC(out_invlen); error = EINVAL; goto end; } @@ -149,7 +149,7 @@ key_sendup0(rp, m, promisc) if (m && m->m_len < sizeof(struct sadb_msg)) m = m_pullup(m, sizeof(struct sadb_msg)); if (!m) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); m_freem(m); return ENOBUFS; } @@ -162,12 +162,12 @@ key_sendup0(rp, m, promisc) pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len); /* pid and seq? */ - V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++; + PFKEYSTAT_INC(in_msgtype[pmsg->sadb_msg_type]); } if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src, m, NULL)) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); m_freem(m); error = ENOBUFS; } else @@ -199,9 +199,9 @@ key_sendup(so, msg, len, target) * we increment statistics here, just in case we have ENOBUFS * in this function. */ - V_pfkeystat.in_total++; - V_pfkeystat.in_bytes += len; - V_pfkeystat.in_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(in_total); + PFKEYSTAT_ADD(in_bytes, len); + PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); /* * Get mbuf chain whenever possible (not clusters), @@ -218,14 +218,14 @@ key_sendup(so, msg, len, target) if (tlen == len) { MGETHDR(n, M_DONTWAIT, MT_DATA); if (n == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MHLEN; } else { MGET(n, M_DONTWAIT, MT_DATA); if (n == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MLEN; @@ -235,7 +235,7 @@ key_sendup(so, msg, len, target) if ((n->m_flags & M_EXT) == 0) { m_free(n); m_freem(m); - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } n->m_len = MCLBYTES; @@ -258,9 +258,9 @@ key_sendup(so, msg, len, target) m_copyback(m, 0, len, (caddr_t)msg); /* avoid duplicated statistics */ - V_pfkeystat.in_total--; - V_pfkeystat.in_bytes -= len; - V_pfkeystat.in_msgtype[msg->sadb_msg_type]--; + PFKEYSTAT_ADD(in_total, -1); + PFKEYSTAT_ADD(in_bytes, -len); + PFKEYSTAT_ADD(in_msgtype[msg->sadb_msg_type], -1); return key_sendup_mbuf(so, m, target); } @@ -283,19 +283,19 @@ key_sendup_mbuf(so, m, target) if (so == NULL && target == KEY_SENDUP_ONE) panic("%s: NULL pointer was passed.\n", __func__); - V_pfkeystat.in_total++; - V_pfkeystat.in_bytes += m->m_pkthdr.len; + PFKEYSTAT_INC(in_total); + PFKEYSTAT_ADD(in_bytes, m->m_pkthdr.len); if (m->m_len < sizeof(struct sadb_msg)) { m = m_pullup(m, sizeof(struct sadb_msg)); if (m == NULL) { - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); return ENOBUFS; } } if (m->m_len >= sizeof(struct sadb_msg)) { struct sadb_msg *msg; msg = mtod(m, struct sadb_msg *); - V_pfkeystat.in_msgtype[msg->sadb_msg_type]++; + PFKEYSTAT_INC(in_msgtype[msg->sadb_msg_type]); } mtx_lock(&rawcb_mtx); LIST_FOREACH(rp, &V_rawcb_list, list) @@ -340,14 +340,14 @@ key_sendup_mbuf(so, m, target) sendup++; break; } - V_pfkeystat.in_msgtarget[target]++; + PFKEYSTAT_INC(in_msgtarget[target]); if (!sendup) continue; if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) { m_freem(m); - V_pfkeystat.in_nomem++; + PFKEYSTAT_INC(in_nomem); mtx_unlock(&rawcb_mtx); return ENOBUFS; } diff --git a/freebsd/sys/netipsec/keysock.h b/freebsd/sys/netipsec/keysock.h index 3c0cc8b8..6039dbba 100644 --- a/freebsd/sys/netipsec/keysock.h +++ b/freebsd/sys/netipsec/keysock.h @@ -70,6 +70,8 @@ struct keycb { }; VNET_DECLARE(struct pfkeystat, pfkeystat); +#define PFKEYSTAT_ADD(name, val) V_pfkeystat.name += (val) +#define PFKEYSTAT_INC(name) PFKEYSTAT_ADD(name, 1) #define V_pfkeystat VNET(pfkeystat) extern int key_output(struct mbuf *m, struct socket *so); diff --git a/freebsd/sys/netipsec/xform_ah.c b/freebsd/sys/netipsec/xform_ah.c index cf4fa37a..f1304c24 100644 --- a/freebsd/sys/netipsec/xform_ah.c +++ b/freebsd/sys/netipsec/xform_ah.c @@ -93,6 +93,7 @@ VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */ VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ VNET_DEFINE(struct ahstat, ahstat); +#ifdef INET SYSCTL_DECL(_net_inet_ah); SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); @@ -100,6 +101,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); +#endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ @@ -596,14 +598,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { DPRINTF(("ah_input: cannot pullup header\n")); - V_ahstat.ahs_hdrops++; /*XXX*/ + AHSTAT_INC(ahs_hdrops); /*XXX*/ m_freem(m); return ENOBUFS; } /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { - V_ahstat.ahs_replay++; + AHSTAT_INC(ahs_replay); DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav))); m_freem(m); @@ -620,17 +622,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) hl, (u_long) (authsize + rplen - sizeof (struct ah)), ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_badauthl++; + AHSTAT_INC(ahs_badauthl); m_freem(m); return EACCES; } - V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; + AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ crp = crypto_getreq(1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); m_freem(m); return ENOBUFS; } @@ -670,7 +672,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) } if (tc == NULL) { DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); crypto_freereq(crp); m_freem(m); return ENOBUFS; @@ -694,7 +696,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) skip, ahx->type, 0); if (error != 0) { /* NB: mbuf is free'd by ah_massage_headers */ - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); free(tc, M_XDATA); crypto_freereq(crp); return error; @@ -726,19 +728,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return ah_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * AH input callback from the crypto driver. */ @@ -788,19 +777,19 @@ ah_input_cb(struct cryptop *crp) return error; } - V_ahstat.ahs_noxform++; + AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } else { - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); crypto_freereq(crp); /* No longer needed. */ crp = NULL; } /* Shouldn't happen... */ if (m == NULL) { - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; @@ -826,7 +815,7 @@ ah_input_cb(struct cryptop *crp) "in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_badauth++; + AHSTAT_INC(ahs_badauth); error = EACCES; goto bad; } @@ -857,7 +846,7 @@ ah_input_cb(struct cryptop *crp) m_copydata(m, skip + offsetof(struct newah, ah_seq), sizeof (seq), (caddr_t) &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { - V_ahstat.ahs_replay++; + AHSTAT_INC(ahs_replay); error = ENOBUFS; /*XXX as above*/ goto bad; } @@ -871,11 +860,25 @@ ah_input_cb(struct cryptop *crp) DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); goto bad; } - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; @@ -918,7 +921,7 @@ ah_output( ahx = sav->tdb_authalgxform; IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); - V_ahstat.ahs_output++; + AHSTAT_INC(ahs_output); /* Figure out header size. */ rplen = HDRSIZE(sav); @@ -941,7 +944,7 @@ ah_output( sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_nopf++; + AHSTAT_INC(ahs_nopf); error = EPFNOSUPPORT; goto bad; } @@ -952,20 +955,20 @@ ah_output( ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), rplen + authsize + m->m_pkthdr.len, maxpacketsize)); - V_ahstat.ahs_toobig++; + AHSTAT_INC(ahs_toobig); error = EMSGSIZE; goto bad; } /* Update the counters. */ - V_ahstat.ahs_obytes += m->m_pkthdr.len - skip; + AHSTAT_ADD(ahs_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; + AHSTAT_INC(ahs_hdrops); error = ENOBUFS; goto bad; } @@ -978,7 +981,7 @@ ah_output( rplen + authsize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */ + AHSTAT_INC(ahs_hdrops); /*XXX differs from openbsd */ error = ENOBUFS; goto bad; } @@ -1006,7 +1009,7 @@ ah_output( __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_ahstat.ahs_wrap++; + AHSTAT_INC(ahs_wrap); error = EINVAL; goto bad; } @@ -1023,7 +1026,7 @@ ah_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); error = ENOBUFS; goto bad; } @@ -1045,7 +1048,7 @@ ah_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); error = ENOBUFS; goto bad; } @@ -1150,7 +1153,7 @@ ah_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_ahstat.ahs_notdb++; + AHSTAT_INC(ahs_notdb); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -1167,7 +1170,7 @@ ah_output_cb(struct cryptop *crp) return error; } - V_ahstat.ahs_noxform++; + AHSTAT_INC(ahs_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -1175,12 +1178,12 @@ ah_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_ahstat.ahs_crypto++; + AHSTAT_INC(ahs_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); /* * Copy original headers (with the new protocol number) back diff --git a/freebsd/sys/netipsec/xform_esp.c b/freebsd/sys/netipsec/xform_esp.c index 9d4df589..20790d0d 100644 --- a/freebsd/sys/netipsec/xform_esp.c +++ b/freebsd/sys/netipsec/xform_esp.c @@ -283,9 +283,15 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) IPSEC_ASSERT(sav != NULL, ("null SA")); IPSEC_ASSERT(sav->tdb_encalgxform != NULL, ("null encoding xform")); - IPSEC_ASSERT((skip&3) == 0 && (m->m_pkthdr.len&3) == 0, - ("misaligned packet, skip %u pkt len %u", - skip, m->m_pkthdr.len)); + + /* Valid IP Packet length ? */ + if ( (skip&3) || (m->m_pkthdr.len&3) ){ + DPRINTF(("%s: misaligned packet, skip %u pkt len %u", + __func__, skip, m->m_pkthdr.len)); + ESPSTAT_INC(esps_badilen); + m_freem(m); + return EINVAL; + } /* XXX don't pullup, just copy header */ IP6_EXTHDR_GET(esp, struct newesp *, m, skip, sizeof (struct newesp)); @@ -328,7 +334,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) plen, espx->blocksize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); m_freem(m); return EINVAL; } @@ -339,13 +345,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); /*XXX*/ - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); m_freem(m); return ENOBUFS; /*XXX*/ } /* Update the counters */ - V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen); + ESPSTAT_ADD(esps_ibytes, m->m_pkthdr.len - (skip + hlen + alen)); /* Find out if we've already done crypto */ for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL); @@ -364,7 +370,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -379,7 +385,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); m_freem(m); return ENOBUFS; } @@ -447,19 +453,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return esp_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * ESP input callback from the crypto driver. */ @@ -510,7 +503,7 @@ esp_input_cb(struct cryptop *crp) return error; } - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -518,12 +511,12 @@ esp_input_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); /* If authentication was performed, check now. */ if (esph != NULL) { @@ -542,7 +535,7 @@ esp_input_cb(struct cryptop *crp) * the verification for us. Otherwise we need to * check the authentication calculation. */ - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - alen, @@ -557,7 +550,7 @@ esp_input_cb(struct cryptop *crp) __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_badauth++; + ESPSTAT_INC(esps_badauth); error = EACCES; goto bad; } @@ -587,7 +580,7 @@ esp_input_cb(struct cryptop *crp) if (ipsec_updatereplay(ntohl(seq), sav)) { DPRINTF(("%s: packet replay check for %s\n", __func__, ipsec_logsastr(sav))); - V_espstat.esps_replay++; + ESPSTAT_INC(esps_replay); error = ENOBUFS; goto bad; } @@ -602,7 +595,7 @@ esp_input_cb(struct cryptop *crp) /* Remove the ESP header and IV from the mbuf. */ error = m_striphdr(m, skip, hlen); if (error) { - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -614,7 +607,7 @@ esp_input_cb(struct cryptop *crp) /* Verify pad length */ if (lastthree[1] + 2 > m->m_pkthdr.len - skip) { - V_espstat.esps_badilen++; + ESPSTAT_INC(esps_badilen); DPRINTF(("%s: invalid padding length %d for %u byte packet " "in SA %s/%08lx\n", __func__, lastthree[1], m->m_pkthdr.len - skip, @@ -627,7 +620,7 @@ esp_input_cb(struct cryptop *crp) /* Verify correct decryption by checking the last padding bytes */ if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) { if (lastthree[1] != lastthree[0] && lastthree[1] != 0) { - V_espstat.esps_badenc++; + ESPSTAT_INC(esps_badenc); DPRINTF(("%s: decryption failed for packet in " "SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), @@ -643,7 +636,21 @@ esp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; @@ -721,7 +728,7 @@ esp_output( else alen = 0; - V_espstat.esps_output++; + ESPSTAT_INC(esps_output); saidx = &sav->sah->saidx; /* Check for maximum packet size violations. */ @@ -741,7 +748,7 @@ esp_output( "family %d, SA %s/%08lx\n", __func__, saidx->dst.sa.sa_family, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_nopf++; + ESPSTAT_INC(esps_nopf); error = EPFNOSUPPORT; goto bad; } @@ -750,19 +757,19 @@ esp_output( "(len %u, max len %u)\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi), skip + hlen + rlen + padding + alen, maxpacketsize)); - V_espstat.esps_toobig++; + ESPSTAT_INC(esps_toobig); error = EMSGSIZE; goto bad; } /* Update the counters. */ - V_espstat.esps_obytes += m->m_pkthdr.len - skip; + ESPSTAT_ADD(esps_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; + ESPSTAT_INC(esps_hdrops); error = ENOBUFS; goto bad; } @@ -773,7 +780,7 @@ esp_output( DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n", __func__, hlen, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_espstat.esps_hdrops++; /* XXX diffs from openbsd */ + ESPSTAT_INC(esps_hdrops); /* XXX diffs from openbsd */ error = ENOBUFS; goto bad; } @@ -837,7 +844,7 @@ esp_output( if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -866,7 +873,7 @@ esp_output( if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); error = ENOBUFS; goto bad; } @@ -927,7 +934,7 @@ esp_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_espstat.esps_notdb++; + ESPSTAT_INC(esps_notdb); DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n", __func__, ipsec_address(&tc->tc_dst), (u_long) ntohl(tc->tc_spi), tc->tc_proto)); @@ -947,7 +954,7 @@ esp_output_cb(struct cryptop *crp) return error; } - V_espstat.esps_noxform++; + ESPSTAT_INC(esps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -955,14 +962,14 @@ esp_output_cb(struct cryptop *crp) /* Shouldn't happen... */ if (m == NULL) { - V_espstat.esps_crypto++; + ESPSTAT_INC(esps_crypto); DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_espstat.esps_hist[sav->alg_enc]++; + ESPSTAT_INC(esps_hist[sav->alg_enc]); if (sav->tdb_authalgxform != NULL) - V_ahstat.ahs_hist[sav->alg_auth]++; + AHSTAT_INC(ahs_hist[sav->alg_auth]); /* Release crypto descriptors. */ free(tc, M_XDATA); diff --git a/freebsd/sys/netipsec/xform_ipcomp.c b/freebsd/sys/netipsec/xform_ipcomp.c index c3134bdf..2478c948 100644 --- a/freebsd/sys/netipsec/xform_ipcomp.c +++ b/freebsd/sys/netipsec/xform_ipcomp.c @@ -154,7 +154,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) * compression it means someone is playing tricks on us. */ if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == NULL) { - V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/ DPRINTF(("%s: m_pullup failed\n", __func__)); return (ENOBUFS); } @@ -162,7 +162,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) ipcomp = (struct ipcomp *)addr; if (ipcomp->comp_nxt == IPPROTO_IPCOMP) { m_freem(m); - V_ipcompstat.ipcomps_pdrops++; /* XXX have our own stats? */ + IPCOMPSTAT_INC(ipcomps_pdrops); /* XXX have our own stats? */ DPRINTF(("%s: recursive compression detected\n", __func__)); return (EINVAL); } @@ -172,7 +172,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) if (crp == NULL) { m_freem(m); DPRINTF(("%s: no crypto descriptors\n", __func__)); - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); return ENOBUFS; } /* Get IPsec-specific opaque pointer */ @@ -181,7 +181,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) m_freem(m); crypto_freereq(crp); DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); return ENOBUFS; } crdc = crp->crp_desc; @@ -215,19 +215,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) return crypto_dispatch(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * IPComp input callback from the crypto driver. */ @@ -271,19 +258,19 @@ ipcomp_input_cb(struct cryptop *crp) if (crp->crp_etype == EAGAIN) { return crypto_dispatch(crp); } - V_ipcompstat.ipcomps_noxform++; + IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ipcompstat.ipcomps_hist[sav->alg_comp]++; + IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); clen = crp->crp_olen; /* Length of data after processing */ @@ -295,7 +282,7 @@ ipcomp_input_cb(struct cryptop *crp) m->m_pkthdr.len = clen + hlen + skip; if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { - V_ipcompstat.ipcomps_hdrops++; /*XXX*/ + IPCOMPSTAT_INC(ipcomps_hdrops); /*XXX*/ DPRINTF(("%s: m_pullup failed\n", __func__)); error = EINVAL; /*XXX*/ goto bad; @@ -308,7 +295,7 @@ ipcomp_input_cb(struct cryptop *crp) /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen); if (error) { - V_ipcompstat.ipcomps_hdrops++; + IPCOMPSTAT_INC(ipcomps_hdrops); DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -318,7 +305,21 @@ ipcomp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; @@ -365,12 +366,12 @@ ipcomp_output( * See RFC 3173, 2.2. Non-Expansion Policy. */ if (m->m_pkthdr.len <= ipcompx->minlen) { - V_ipcompstat.ipcomps_threshold++; + IPCOMPSTAT_INC(ipcomps_threshold); return ipsec_process_done(m, isr); } ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ - V_ipcompstat.ipcomps_output++; + IPCOMPSTAT_INC(ipcomps_output); /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { @@ -385,7 +386,7 @@ ipcomp_output( break; #endif /* INET6 */ default: - V_ipcompstat.ipcomps_nopf++; + IPCOMPSTAT_INC(ipcomps_nopf); DPRINTF(("%s: unknown/unsupported protocol family %d, " "IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -395,7 +396,7 @@ ipcomp_output( goto bad; } if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) { - V_ipcompstat.ipcomps_toobig++; + IPCOMPSTAT_INC(ipcomps_toobig); DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst), @@ -406,11 +407,11 @@ ipcomp_output( } /* Update the counters */ - V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; + IPCOMPSTAT_ADD(ipcomps_obytes, m->m_pkthdr.len - skip); m = m_unshare(m, M_NOWAIT); if (m == NULL) { - V_ipcompstat.ipcomps_hdrops++; + IPCOMPSTAT_INC(ipcomps_hdrops); DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -423,7 +424,7 @@ ipcomp_output( /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); error = ENOBUFS; goto bad; @@ -443,7 +444,7 @@ ipcomp_output( tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); crypto_freereq(crp); error = ENOBUFS; @@ -496,7 +497,7 @@ ipcomp_output_cb(struct cryptop *crp) sav = tc->tc_sav; /* With the isr lock released SA pointer can be updated. */ if (sav != isr->sav) { - V_ipcompstat.ipcomps_notdb++; + IPCOMPSTAT_INC(ipcomps_notdb); DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -512,19 +513,19 @@ ipcomp_output_cb(struct cryptop *crp) IPSECREQUEST_UNLOCK(isr); return crypto_dispatch(crp); } - V_ipcompstat.ipcomps_noxform++; + IPCOMPSTAT_INC(ipcomps_noxform); DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - V_ipcompstat.ipcomps_crypto++; + IPCOMPSTAT_INC(ipcomps_crypto); DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - V_ipcompstat.ipcomps_hist[sav->alg_comp]++; + IPCOMPSTAT_INC(ipcomps_hist[sav->alg_comp]); if (crp->crp_ilen - skip > crp->crp_olen) { struct mbuf *mo; @@ -535,7 +536,7 @@ ipcomp_output_cb(struct cryptop *crp) /* Compression helped, inject IPCOMP header. */ mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); if (mo == NULL) { - V_ipcompstat.ipcomps_wrap++; + IPCOMPSTAT_INC(ipcomps_wrap); DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -580,7 +581,7 @@ ipcomp_output_cb(struct cryptop *crp) break; #endif /* INET6 */ default: - V_ipcompstat.ipcomps_nopf++; + IPCOMPSTAT_INC(ipcomps_nopf); DPRINTF(("%s: unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -591,7 +592,7 @@ ipcomp_output_cb(struct cryptop *crp) } } else { /* Compression was useless, we have lost time. */ - V_ipcompstat.ipcomps_uncompr++; + IPCOMPSTAT_INC(ipcomps_uncompr); DPRINTF(("%s: compressions was useless %d - %d <= %d\n", __func__, crp->crp_ilen, skip, crp->crp_olen)); /* XXX remember state to not compress the next couple @@ -637,6 +638,7 @@ static void vnet_ipcomp_attach(const void *unused __unused) { + /* XXX */ V_ipcompstat.version = IPCOMPSTAT_VERSION; } diff --git a/freebsd/sys/netipsec/xform_ipip.c b/freebsd/sys/netipsec/xform_ipip.c index ece6cbc7..b7234be9 100644 --- a/freebsd/sys/netipsec/xform_ipip.c +++ b/freebsd/sys/netipsec/xform_ipip.c @@ -117,7 +117,7 @@ ip4_input6(struct mbuf **m, int *offp, int proto) /* If we do not accept IP-in-IP explicitly, drop. */ if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) { DPRINTF(("%s: dropped due to policy\n", __func__)); - V_ipipstat.ipips_pdrops++; + IPIPSTAT_INC(ipips_pdrops); m_freem(*m); return IPPROTO_DONE; } @@ -138,7 +138,7 @@ ip4_input(struct mbuf *m, int off) /* If we do not accept IP-in-IP explicitly, drop. */ if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) { DPRINTF(("%s: dropped due to policy\n", __func__)); - V_ipipstat.ipips_pdrops++; + IPIPSTAT_INC(ipips_pdrops); m_freem(m); return; } @@ -174,7 +174,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) u_int8_t v; int hlen; - V_ipipstat.ipips_ipackets++; + IPIPSTAT_INC(ipips_ipackets); m_copydata(m, 0, 1, &v); @@ -190,7 +190,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); m_freem(m); return /* EAFNOSUPPORT */; } @@ -199,7 +199,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { DPRINTF(("%s: m_pullup (1) failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); return; } } @@ -236,7 +236,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) /* Sanity check */ if (m->m_pkthdr.len < sizeof(struct ip)) { - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); m_freem(m); return; } @@ -256,7 +256,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) break; #endif default: - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); m_freem(m); return; /* EAFNOSUPPORT */ } @@ -267,7 +267,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (m->m_len < hlen) { if ((m = m_pullup(m, hlen)) == NULL) { DPRINTF(("%s: m_pullup (2) failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); return; } } @@ -318,7 +318,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) if (sin->sin_addr.s_addr == ipo->ip_src.s_addr) { - V_ipipstat.ipips_spoof++; + IPIPSTAT_INC(ipips_spoof); m_freem(m); IFNET_RUNLOCK_NOSLEEP(); return; @@ -335,7 +335,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) sin6 = (struct sockaddr_in6 *) ifa->ifa_addr; if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) { - V_ipipstat.ipips_spoof++; + IPIPSTAT_INC(ipips_spoof); m_freem(m); IFNET_RUNLOCK_NOSLEEP(); return; @@ -349,7 +349,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) } /* Statistics */ - V_ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen; + IPIPSTAT_ADD(ipips_ibytes, m->m_pkthdr.len - iphlen); #ifdef DEV_ENC switch (v >> 4) { @@ -394,8 +394,10 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp) panic("%s: bogus ip version %u", __func__, v>>4); } + m_addr_changed(m); + if (netisr_queue(isr, m)) { /* (0) on success. */ - V_ipipstat.ipips_qfull++; + IPIPSTAT_INC(ipips_qfull); DPRINTF(("%s: packet dropped because of full queue\n", __func__)); } @@ -414,8 +416,10 @@ ipip_output( u_int8_t tp, otos; struct secasindex *saidx; int error; -#ifdef INET +#if defined(INET) || defined(INET6) u_int8_t itos; +#endif +#ifdef INET struct ip *ipo; #endif /* INET */ #ifdef INET6 @@ -442,7 +446,7 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ipipstat.ipips_unspec++; + IPIPSTAT_INC(ipips_unspec); error = EINVAL; goto bad; } @@ -450,7 +454,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -468,7 +472,8 @@ ipip_output( ipo->ip_id = ip_newid(); /* If the inner protocol is IP... */ - if (tp == IPVERSION) { + switch (tp) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_tos), @@ -486,9 +491,10 @@ ipip_output( ipo->ip_off = ntohs(ipo->ip_off); ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); ipo->ip_off = htons(ipo->ip_off); - } + break; #ifdef INET6 - else if (tp == (IPV6_VERSION >> 4)) { + case (IPV6_VERSION >> 4): + { u_int32_t itos32; /* Save ECN notification. */ @@ -498,9 +504,10 @@ ipip_output( itos = ntohl(itos32) >> 20; ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; + break; } #endif /* INET6 */ - else { + default: goto nofamily; } @@ -519,7 +526,7 @@ ipip_output( "address in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - V_ipipstat.ipips_unspec++; + IPIPSTAT_INC(ipips_unspec); error = ENOBUFS; goto bad; } @@ -534,7 +541,7 @@ ipip_output( M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); if (m == 0) { DPRINTF(("%s: M_PREPEND failed\n", __func__)); - V_ipipstat.ipips_hdrops++; + IPIPSTAT_INC(ipips_hdrops); error = ENOBUFS; goto bad; } @@ -549,8 +556,9 @@ ipip_output( ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; ip6o->ip6_src = saidx->src.sin6.sin6_addr; + switch (tp) { #ifdef INET - if (tp == IPVERSION) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip, ip_tos), sizeof(u_int8_t), @@ -558,21 +566,24 @@ ipip_output( /* This is really IPVERSION. */ ip6o->ip6_nxt = IPPROTO_IPIP; - } else + break; #endif /* INET */ - if (tp == (IPV6_VERSION >> 4)) { - u_int32_t itos32; - - /* Save ECN notification. */ - m_copydata(m, sizeof(struct ip6_hdr) + - offsetof(struct ip6_hdr, ip6_flow), - sizeof(u_int32_t), (caddr_t) &itos32); - itos = ntohl(itos32) >> 20; - - ip6o->ip6_nxt = IPPROTO_IPV6; - } else { - goto nofamily; - } + case (IPV6_VERSION >> 4): + { + u_int32_t itos32; + + /* Save ECN notification. */ + m_copydata(m, sizeof(struct ip6_hdr) + + offsetof(struct ip6_hdr, ip6_flow), + sizeof(u_int32_t), (caddr_t) &itos32); + itos = ntohl(itos32) >> 20; + + ip6o->ip6_nxt = IPPROTO_IPV6; + break; + } + default: + goto nofamily; + } otos = 0; ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); @@ -584,12 +595,12 @@ ipip_output( nofamily: DPRINTF(("%s: unsupported protocol family %u\n", __func__, saidx->dst.sa.sa_family)); - V_ipipstat.ipips_family++; + IPIPSTAT_INC(ipips_family); error = EAFNOSUPPORT; /* XXX diffs from openbsd */ goto bad; } - V_ipipstat.ipips_opackets++; + IPIPSTAT_INC(ipips_opackets); *mp = m; #ifdef INET @@ -599,7 +610,8 @@ nofamily: tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip); #endif - V_ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip); + IPIPSTAT_ADD(ipips_obytes, + m->m_pkthdr.len - sizeof(struct ip)); } #endif /* INET */ @@ -610,8 +622,8 @@ nofamily: tdb->tdb_cur_bytes += m->m_pkthdr.len - sizeof(struct ip6_hdr); #endif - V_ipipstat.ipips_obytes += - m->m_pkthdr.len - sizeof(struct ip6_hdr); + IPIPSTAT_ADD(ipips_obytes, + m->m_pkthdr.len - sizeof(struct ip6_hdr)); } #endif /* INET6 */ @@ -624,6 +636,7 @@ bad: } #ifdef IPSEC +#if defined(INET) || defined(INET6) static int ipe4_init(struct secasvar *sav, struct xformsw *xsp) { @@ -654,6 +667,8 @@ static struct xformsw ipe4_xformsw = { }; extern struct domain inetdomain; +#endif /* INET || INET6 */ +#ifdef INET static struct protosw ipe4_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -663,7 +678,8 @@ static struct protosw ipe4_protosw = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#ifdef INET6 +#endif /* INET */ +#if defined(INET6) && defined(INET) static struct ip6protosw ipe6_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -673,8 +689,9 @@ static struct ip6protosw ipe6_protosw = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#endif +#endif /* INET6 && INET */ +#if defined(INET) /* * Check the encapsulated packet to see if we want it */ @@ -689,6 +706,7 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg) */ return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); } +#endif /* INET */ static void ipe4_attach(void) @@ -697,9 +715,11 @@ ipe4_attach(void) xform_register(&ipe4_xformsw); /* attach to encapsulation framework */ /* XXX save return cookie for detach on module remove */ +#ifdef INET (void) encap_attach_func(AF_INET, -1, ipe4_encapcheck, &ipe4_protosw, NULL); -#ifdef INET6 +#endif +#if defined(INET6) && defined(INET) (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); #endif |