From owner-svn-src-stable@FreeBSD.ORG Mon Jan 4 15:01:18 2010 Return-Path: Delivered-To: svn-src-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C7E1D106566B; Mon, 4 Jan 2010 15:01:18 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id B55E48FC1D; Mon, 4 Jan 2010 15:01:18 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o04F1IpY092231; Mon, 4 Jan 2010 15:01:18 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o04F1IqZ092229; Mon, 4 Jan 2010 15:01:18 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201001041501.o04F1IqZ092229@svn.freebsd.org> From: "Bjoern A. Zeeb" Date: Mon, 4 Jan 2010 15:01:18 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-6@freebsd.org X-SVN-Group: stable-6 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r201505 - stable/6/sys/netipsec X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jan 2010 15:01:18 -0000 Author: bz Date: Mon Jan 4 15:01:18 2010 New Revision: 201505 URL: http://svn.freebsd.org/changeset/base/201505 Log: MFC r199899: Only add the IPcomp header if crypto reported success and we have a lower payload size. Before we had always added the header, no matter if we actually send out compressed data or not. With this, after the opencrypto/deflate changes, IPcomp starts to work apart from edge cases. Leave it disabled by default until those are fixed as well. PR: kern/123587 Modified: stable/6/sys/netipsec/xform_ipcomp.c Directory Properties: stable/6/sys/ (props changed) stable/6/sys/contrib/pf/ (props changed) stable/6/sys/dev/cxgb/ (props changed) Modified: stable/6/sys/netipsec/xform_ipcomp.c ============================================================================== --- stable/6/sys/netipsec/xform_ipcomp.c Mon Jan 4 14:58:41 2010 (r201504) +++ stable/6/sys/netipsec/xform_ipcomp.c Mon Jan 4 15:01:18 2010 (r201505) @@ -335,13 +335,10 @@ ipcomp_output( { struct secasvar *sav; struct comp_algo *ipcompx; - int error, ralen, hlen, maxpacketsize, roff; - u_int8_t prot; + int error, ralen, maxpacketsize; struct cryptodesc *crdc; struct cryptop *crp; struct tdb_crypto *tc; - struct mbuf *mo; - struct ipcomp *ipcomp; IPSEC_SPLASSERT_SOFTNET(__func__); @@ -362,8 +359,6 @@ ipcomp_output( } ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */ - hlen = IPCOMP_HLENGTH; - ipcompstat.ipcomps_output++; /* Check for maximum packet size violations. */ @@ -388,13 +383,13 @@ ipcomp_output( error = EPFNOSUPPORT; goto bad; } - if (skip + hlen + ralen > maxpacketsize) { + if (ralen + skip + IPCOMP_HLENGTH > maxpacketsize) { ipcompstat.ipcomps_toobig++; DPRINTF(("%s: packet in IPCA %s/%08lx got too big " "(len %u, max len %u)\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), - skip + hlen + ralen, maxpacketsize)); + ralen + skip + IPCOMP_HLENGTH, maxpacketsize)); error = EMSGSIZE; goto bad; } @@ -412,40 +407,7 @@ ipcomp_output( goto bad; } - /* Inject IPCOMP header */ - mo = m_makespace(m, skip, hlen, &roff); - if (mo == NULL) { - ipcompstat.ipcomps_wrap++; - DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", - __func__, ipsec_address(&sav->sah->saidx.dst), - (u_long) ntohl(sav->spi))); - error = ENOBUFS; - goto bad; - } - ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); - - /* Initialize the IPCOMP header */ - /* XXX alignment always correct? */ - switch (sav->sah->saidx.dst.sa.sa_family) { -#ifdef INET - case AF_INET: - ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; - break; -#endif /* INET */ -#ifdef INET6 - case AF_INET6: - ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; - break; -#endif - } - ipcomp->comp_flags = 0; - ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi)); - - /* Fix Next Protocol in IPv4/IPv6 header */ - prot = IPPROTO_IPCOMP; - m_copyback(m, protoff, sizeof(u_int8_t), (u_char *) &prot); - - /* Ok now, we can pass to the crypto processing */ + /* Ok now, we can pass to the crypto processing. */ /* Get crypto descriptors */ crp = crypto_getreq(1); @@ -458,10 +420,10 @@ ipcomp_output( crdc = crp->crp_desc; /* Compression descriptor */ - crdc->crd_skip = skip + hlen; - crdc->crd_len = m->m_pkthdr.len - (skip + hlen); + crdc->crd_skip = skip; + crdc->crd_len = ralen; crdc->crd_flags = CRD_F_COMP; - crdc->crd_inject = skip + hlen; + crdc->crd_inject = skip; /* Compression operation */ crdc->crd_alg = ipcompx->type; @@ -481,7 +443,8 @@ ipcomp_output( tc->tc_spi = sav->spi; tc->tc_dst = sav->sah->saidx.dst; tc->tc_proto = sav->sah->saidx.proto; - tc->tc_skip = skip + hlen; + tc->tc_protoff = protoff; + tc->tc_skip = skip; /* Crypto operation descriptor */ crp->crp_ilen = m->m_pkthdr.len; /* Total input length */ @@ -508,7 +471,7 @@ ipcomp_output_cb(struct cryptop *crp) struct ipsecrequest *isr; struct secasvar *sav; struct mbuf *m; - int error, skip, rlen; + int error, skip; NET_LOCK_GIANT(); @@ -516,7 +479,6 @@ ipcomp_output_cb(struct cryptop *crp) IPSEC_ASSERT(tc != NULL, ("null opaque data area!")); m = (struct mbuf *) crp->crp_buf; skip = tc->tc_skip; - rlen = crp->crp_ilen - skip; isr = tc->tc_isr; IPSECREQUEST_LOCK(isr); @@ -556,7 +518,46 @@ ipcomp_output_cb(struct cryptop *crp) } ipcompstat.ipcomps_hist[sav->alg_comp]++; - if (rlen > crp->crp_olen) { + if (crp->crp_ilen - skip > crp->crp_olen) { + struct mbuf *mo; + struct ipcomp *ipcomp; + int roff; + uint8_t prot; + + /* Compression helped, inject IPCOMP header. */ + mo = m_makespace(m, skip, IPCOMP_HLENGTH, &roff); + if (mo == NULL) { + ipcompstat.ipcomps_wrap++; + DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n", + __func__, ipsec_address(&sav->sah->saidx.dst), + (u_long) ntohl(sav->spi))); + error = ENOBUFS; + goto bad; + } + ipcomp = (struct ipcomp *)(mtod(mo, caddr_t) + roff); + + /* Initialize the IPCOMP header */ + /* XXX alignment always correct? */ + switch (sav->sah->saidx.dst.sa.sa_family) { +#ifdef INET + case AF_INET: + ipcomp->comp_nxt = mtod(m, struct ip *)->ip_p; + break; +#endif /* INET */ +#ifdef INET6 + case AF_INET6: + ipcomp->comp_nxt = mtod(m, struct ip6_hdr *)->ip6_nxt; + break; +#endif + } + ipcomp->comp_flags = 0; + ipcomp->comp_cpi = htons((u_int16_t) ntohl(sav->spi)); + + /* Fix Next Protocol in IPv4/IPv6 header */ + prot = IPPROTO_IPCOMP; + m_copyback(m, tc->tc_protoff, sizeof(u_int8_t), + (u_char *)&prot); + /* Adjust the length in the IP header */ switch (sav->sah->saidx.dst.sa.sa_family) { #ifdef INET @@ -583,6 +584,8 @@ ipcomp_output_cb(struct cryptop *crp) } else { /* compression was useless, we have lost time */ /* XXX add statistic */ + /* XXX remember state to not compress the next couple + * of packets, RFC 3173, 2.2. Non-Expansion Policy */ } /* Release the crypto descriptor */