Date: Mon, 16 Jul 2007 17:57:33 GMT From: Ana Kukec <anchie@FreeBSD.org> To: Perforce Change Reviews <perforce@FreeBSD.org> Subject: PERFORCE change 123605 for review Message-ID: <200707161757.l6GHvX4E027472@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=123605 Change 123605 by anchie@anchie_malimis on 2007/07/16 17:57:31 Added support for IPcomp algorithm. Affected files ... .. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#7 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#7 edit .. //depot/projects/vimage/src/sys/netipsec/vipsec.h#4 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#5 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#3 edit .. //depot/projects/vimage/src/sys/sys/vimage.h#21 edit Differences ... ==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#7 (text+ko) ==== @@ -117,7 +117,7 @@ int error; IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, - ipcompstat.ipcomps_input); + V_ipcompstat.ipcomps_input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -127,17 +127,17 @@ if ((sproto == IPPROTO_ESP && !V_esp_enable) || (sproto == IPPROTO_AH && !V_ah_enable) || - (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { + (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { m_freem(m); IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + V_ipcompstat.ipcomps_pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; } @@ -183,7 +183,7 @@ DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, - ipcompstat.ipcomps_nopf); + V_ipcompstat.ipcomps_nopf); return EPFNOSUPPORT; } @@ -194,7 +194,7 @@ __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, - ipcompstat.ipcomps_notdb); + V_ipcompstat.ipcomps_notdb); m_freem(m); return ENOENT; } 
@@ -204,7 +204,7 @@ __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, - ipcompstat.ipcomps_noxform); + V_ipcompstat.ipcomps_noxform); KEY_FREESAV(&sav); m_freem(m); return ENXIO; @@ -310,7 +310,7 @@ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - ipcompstat.ipcomps_badkcr); + V_ipcompstat.ipcomps_badkcr); KEY_FREESAV(&sav); return EINVAL; } @@ -322,7 +322,7 @@ __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = ENOBUFS; goto bad; } @@ -345,7 +345,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -376,7 +376,7 @@ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -389,7 +389,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -418,7 +418,7 @@ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -440,7 +440,7 @@ if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } 
@@ -475,7 +475,7 @@ */ if ((error = netisr_queue(NETISR_IP, m))) { IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, - ipcompstat.ipcomps_qfull); + V_ipcompstat.ipcomps_qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", __func__, sproto)); @@ -531,7 +531,7 @@ "l %u, off %u\n", __func__, protoff, l, *offp)); IPSEC_ISTAT(proto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); m_freem(*mp); *mp = NULL; return IPPROTO_DONE; @@ -579,7 +579,7 @@ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, - ipcompstat.ipcomps_badkcr); + V_ipcompstat.ipcomps_badkcr); error = EINVAL; goto bad; } @@ -593,7 +593,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = EACCES; goto bad; } @@ -613,7 +613,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -639,7 +639,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTATsproto, (V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -653,7 +653,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, - ipcompstat.ipcomps_hdrops); + V_ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; } @@ -681,7 +681,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } 
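Review bot: The hunk at -639 edits a macro call that, as rendered here, reads `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` — the parenthesis is on the wrong side of the first argument, so the statement is malformed C. Since the file builds, this line is presumably inside a disabled region, but the commit touches the very next line, so it is the natural moment to correct it to `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,` rather than carry the typo forward into the V_ conversion. The enclosing function starts and ends outside this hunk, so I cannot confirm from the diff whether the block is compiled.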
@@ -702,7 +702,7 @@ if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } ==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#7 (text+ko) ==== @@ -311,11 +311,11 @@ */ if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || - (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) { + (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) { DPRINTF(("%s: IPsec outbound packet dropped due" " to policy (check your sysctls)\n", __func__)); IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, - ipcompstat.ipcomps_pdrops); + V_ipcompstat.ipcomps_pdrops); *error = EHOSTUNREACH; goto bad; } @@ -327,7 +327,7 @@ if (sav->tdb_xform == NULL) { DPRINTF(("%s: no transform for SA\n", __func__)); IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform, - ipcompstat.ipcomps_noxform); + V_ipcompstat.ipcomps_noxform); *error = EHOSTUNREACH; goto bad; } ==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#4 (text+ko) ==== @@ -42,6 +42,7 @@ #include <netipsec/ipsec.h> #include <netipsec/esp_var.h> #include <netipsec/ah_var.h> +#include <netipsec/ipcomp_var.h> #include <netipsec/ipip_var.h> #include <net/if.h> @@ -102,7 +103,10 @@ int _ah_enable; int _ah_cleartos; - struct ahstat _ahstat; + struct ahstat _ahstat; + + int _ipcomp_enable; + struct ipcompstat _ipcompstat; }; extern struct vnet_ipsec vnet_ipsec_0; @@ -162,4 +166,6 @@ #define V_ah_enable VNET_IPSEC(ah_enable) #define V_ah_cleartos VNET_IPSEC(ah_cleartos) #define V_ahstat VNET_IPSEC(ahstat) +#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) +#define V_ipcompstat VNET_IPSEC(ipcompstat) #endif /* !_NETIPSEC_VIPSEC_H_ */ ==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#5 (text+ko) ==== 
@@ -109,7 +109,7 @@ #ifdef VIMAGE static struct vnet_modinfo vnet_ah_modinfo = { .id = VNET_MOD_AH, - .name = "esp", + .name = "ah", .symmap = NULL, .i_attach = ah_iattach, .i_detach = NULL, ==== //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#3 (text+ko) ==== @@ -69,14 +69,28 @@ #include <opencrypto/deflate.h> #include <opencrypto/xform.h> +#ifndef VIMAGE int ipcomp_enable = 0; struct ipcompstat ipcompstat; +#endif SYSCTL_DECL(_net_inet_ipcomp); -SYSCTL_INT(_net_inet_ipcomp, OID_AUTO, - ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, ""); -SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS, - stats, CTLFLAG_RD, &ipcompstat, ipcompstat, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO, + ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, ""); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS, + stats, CTLFLAG_RD, ipcompstat, ipcompstat, ""); + +static int ipcomp_iattach(void *); + +#ifdef VIMAGE +static struct vnet_modinfo vnet_ipcomp_modinfo = { + .id = VNET_MOD_IPCOMP, + .name = "ipcomp", + .symmap = NULL, + .i_attach = ipcomp_iattach, + .i_detach = NULL, +}; +#endif static int ipcomp_input_cb(struct cryptop *crp); static int ipcomp_output_cb(struct cryptop *crp); @@ -153,7 +167,7 @@ if (crp == NULL) { m_freem(m); DPRINTF(("%s: no crypto descriptors\n", __func__)); - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; return ENOBUFS; } /* Get IPsec-specific opaque pointer */ @@ -162,7 +176,7 @@ m_freem(m); crypto_freereq(crp); DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__)); - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; return ENOBUFS; } crdc = crp->crp_desc; @@ -238,7 +252,7 @@ sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ipcompstat.ipcomps_notdb++; + V_ipcompstat.ipcomps_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; 
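Review bot: The xform_ipcomp.c hunks at -153, -162 and -238 (and the ones that follow on the next lines) replace `ipcompstat.` with `V_ipcompstat.` inside ipcomp_input, ipcomp_input_cb, ipcomp_output and ipcomp_output_cb, but none of them show `INIT_VNET_IPSEC(curvnet);` being added at the top of those functions, and every function body begins outside its hunk. The new `ipcomp_iattach` in the later hunk does declare it before touching `V_ipcomp_enable`, which suggests the V_ macros resolve through a local vnet pointer under VIMAGE; if so, each of the four functions needs that declaration or the VIMAGE build fails, so please confirm it is already present from an earlier revision. Separately, `vnet_ipcomp_modinfo` registers `.i_detach = NULL`, matching the AH module, which means nothing runs on vnet teardown — worth a one-line comment such as `/* no per-vnet state to release; stats live in vnet_ipsec */` if that is the intent.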
@@ -262,19 +276,19 @@ return error; } - ipcompstat.ipcomps_noxform++; + V_ipcompstat.ipcomps_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; DPRINTF(("%s: null mbuf returned from crypto\n", __func__)); error = EINVAL; goto bad; } - ipcompstat.ipcomps_hist[sav->alg_comp]++; + V_ipcompstat.ipcomps_hist[sav->alg_comp]++; clen = crp->crp_olen; /* Length of data after processing */ @@ -286,7 +300,7 @@ m->m_pkthdr.len = clen + hlen + skip; if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) { - ipcompstat.ipcomps_hdrops++; /*XXX*/ + V_ipcompstat.ipcomps_hdrops++; /*XXX*/ DPRINTF(("%s: m_pullup failed\n", __func__)); error = EINVAL; /*XXX*/ goto bad; @@ -299,7 +313,7 @@ /* Remove the IPCOMP header */ error = m_striphdr(m, skip, hlen); if (error) { - ipcompstat.ipcomps_hdrops++; + V_ipcompstat.ipcomps_hdrops++; DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -360,7 +374,7 @@ ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ hlen = IPCOMP_HLENGTH; - ipcompstat.ipcomps_output++; + V_ipcompstat.ipcomps_output++; /* Check for maximum packet size violations. */ switch (sav->sah->saidx.dst.sa.sa_family) { @@ -375,7 +389,7 @@ break; #endif /* INET6 */ default: - ipcompstat.ipcomps_nopf++; + V_ipcompstat.ipcomps_nopf++; DPRINTF(("%s: unknown/unsupported protocol family %d, " "IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -385,7 +399,7 @@ goto bad; } if (skip + hlen + ralen > maxpacketsize) { - ipcompstat.ipcomps_toobig++; + V_ipcompstat.ipcomps_toobig++; DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst), 
@@ -396,11 +410,11 @@ } /* Update the counters */ - ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; + V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip; m = m_unshare(m, M_NOWAIT); if (m == NULL) { - ipcompstat.ipcomps_hdrops++; + V_ipcompstat.ipcomps_hdrops++; DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -411,7 +425,7 @@ /* Inject IPCOMP header */ mo = m_makespace(m, skip, hlen, &roff); if (mo == NULL) { - ipcompstat.ipcomps_wrap++; + V_ipcompstat.ipcomps_wrap++; DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); @@ -446,7 +460,7 @@ /* Get crypto descriptors */ crp = crypto_getreq(1); if (crp == NULL) { - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); error = ENOBUFS; goto bad; @@ -466,7 +480,7 @@ tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto), M_XDATA, M_NOWAIT|M_ZERO); if (tc == NULL) { - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); crypto_freereq(crp); error = ENOBUFS; @@ -519,7 +533,7 @@ IPSECREQUEST_LOCK(isr); sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ipcompstat.ipcomps_notdb++; + V_ipcompstat.ipcomps_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; 
@@ -539,19 +553,19 @@ NET_UNLOCK_GIANT(); return error; } - ipcompstat.ipcomps_noxform++; + V_ipcompstat.ipcomps_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } /* Shouldn't happen... */ if (m == NULL) { - ipcompstat.ipcomps_crypto++; + V_ipcompstat.ipcomps_crypto++; DPRINTF(("%s: bogus return buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - ipcompstat.ipcomps_hist[sav->alg_comp]++; + V_ipcompstat.ipcomps_hist[sav->alg_comp]++; if (rlen > crp->crp_olen) { /* Adjust the length in the IP header */ @@ -568,7 +582,7 @@ break; #endif /* INET6 */ default: - ipcompstat.ipcomps_nopf++; + V_ipcompstat.ipcomps_nopf++; DPRINTF(("%s: unknown/unsupported protocol " "family %d, IPCA %s/%08lx\n", __func__, sav->sah->saidx.dst.sa.sa_family, @@ -610,9 +624,26 @@ ipcomp_output }; +static int +ipcomp_iattach(unused) + void *unused; +{ + INIT_VNET_IPSEC(curvnet); + + V_ipcomp_enable = 0; + + xform_register(&ipcomp_xformsw); + + return 0; +} + static void ipcomp_attach(void) { - xform_register(&ipcomp_xformsw); +#ifdef VIMAGE + vnet_mod_register(&vnet_ipcomp_modinfo); +#else + ipcomp_iattach(NULL); +#endif } SYSINIT(ipcomp_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipcomp_attach, NULL); ==== //depot/projects/vimage/src/sys/sys/vimage.h#21 (text+ko) ==== @@ -80,6 +80,7 @@ #define VNET_MOD_IPIP 14 #define VNET_MOD_AH 15 #define VNET_MOD_GIF 16 +#define VNET_MOD_IPCOMP 17 #define VNET_MOD_ARP 28 #define VNET_MOD_RTABLE 29 #define VNET_MOD_LOIF 30
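Review bot: `ipcomp_iattach` resets `V_ipcomp_enable` but leaves `V_ipcompstat` untouched; in the non-VIMAGE path the global is zeroed by static storage, but for a per-vnet `struct vnet_ipsec` that is only true if the allocator zero-fills it, so `bzero(&V_ipcompstat, sizeof(V_ipcompstat));` next to the enable reset would make the attach self-contained and keep the exported stats deterministic. The definition also uses the old K&R form `ipcomp_iattach(unused) void *unused;` while its prototype in the earlier hunk is ANSI; `ipcomp_iattach(void *unused)` keeps both consistent and lets the compiler check the call from `vnet_ipcomp_modinfo`. Under VIMAGE this attach hook presumably runs once per vnet, so `xform_register(&ipcomp_xformsw)` would be invoked once per vnet as well; if the transform table it appends to is global (not visible here), confirm the call is idempotent or guard it so the IPComp transform is registered only once.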