Date:      Sun, 20 Nov 2016 11:57:35 +0000 (UTC)
From:      "Andrey V. Elsukov" <ae@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-projects@freebsd.org
Subject:   svn commit: r308882 - projects/ipsec/sys/netipsec
Message-ID:  <201611201157.uAKBvZTD042851@repo.freebsd.org>

Author: ae
Date: Sun Nov 20 11:57:34 2016
New Revision: 308882
URL: https://svnweb.freebsd.org/changeset/base/308882

Log:
  Add ipsec4_getpolicy() function.
  
  It returns the security policy that matches the given IPv4 packet.
  First it uses the SP from the inpcb. If there is no PCB, or the PCB has
  no cached SP, it fills a secpolicyindex using info from the given mbuf.
  Then it does an SP lookup using this secpolicyindex. And if no SP is
  found, it returns the default security policy.
  Modify ipsec4_setspidx_ipaddr() to not return any values, since it never
  fails. Also move ipsec4_get_ulp() and ipsec4_setspidx_ipaddr() under
  #ifdef INET.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 11:36:54 2016	(r308881)
+++ projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 11:57:34 2016	(r308882)
@@ -244,7 +244,8 @@ static int ipsec_in_reject(struct secpol
 static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
 static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
 static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
+static void ipsec4_setspidx_ipaddr(const struct mbuf *,
+    struct secpolicyindex *);
 #ifdef INET6
 static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
 static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
@@ -645,16 +646,17 @@ ipsec_setspidx(const struct mbuf *m, str
 	}
 }
 
+#ifdef INET
 static void
 ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
     int needport)
 {
-	u_int8_t nxt;
+	uint8_t nxt;
 	int off;
 
 	/* Sanity check. */
-	IPSEC_ASSERT(m != NULL, ("null mbuf"));
-	IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
+	IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
+	    ("packet too short"));
 
 	if (m->m_len >= sizeof (struct ip)) {
 		const struct ip *ip = mtod(m, const struct ip *);
@@ -718,10 +720,12 @@ done:
 done_proto:
 	spidx->src.sin.sin_port = IPSEC_PORT_ANY;
 	spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
+	KEYDBG(IPSEC_DUMP,
+	    printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
 }
 
 /* Assumes that m is sane. */
-static int
+static void
 ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
 {
 	static const struct sockaddr_in template = {
@@ -748,10 +752,30 @@ ipsec4_setspidx_ipaddr(const struct mbuf
 
 	spidx->prefs = sizeof(struct in_addr) << 3;
 	spidx->prefd = sizeof(struct in_addr) << 3;
+}
 
-	return (0);
+static struct secpolicy *
+ipsec4_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir)
+{
+	struct secpolicyindex spidx;
+	struct secpolicy *sp;
+
+	sp = ipsec_getpcbpolicy(inp, dir);
+	if (sp == NULL && key_havesp(dir)) {
+		/* Make an index to look for a policy. */
+		ipsec4_setspidx_ipaddr(m, &spidx);
+		/* Fill ports in spidx if we have inpcb. */
+		ipsec4_get_ulp(m, &spidx, inp != NULL);
+		spidx.dir = dir;
+		sp = key_allocsp(&spidx, dir);
+	}
+	if (sp == NULL)		/* No SP found, use system default. */
+		sp = key_allocsp_default();
+	return (sp);
 }
 
+#endif /* INET */
+
 #ifdef INET6
 static void
 ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
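Review bot: `spidx` in the new ipsec4_getpolicy is an uninitialized automatic, and the index passed to key_allocsp is only as complete as the two helpers make it: ipsec4_setspidx_ipaddr visibly writes src/dst and prefs/prefd, but the `done_proto` label in ipsec4_get_ulp (shown in the preceding hunk) only resets the two ports, so any path that jumps straight to that label — the label's existence implies at least one, though its body is outside this hunk — leaves `ul_proto` holding whatever was on the stack. A lookup keyed on indeterminate data can match or miss a protocol-specific SP nondeterministically, which is a policy-enforcement concern rather than a debug-only one. Unless every field of struct secpolicyindex is provably written on every path, zero the index first with `bzero(&spidx, sizeof(spidx));` before the ipsec4_setspidx_ipaddr call, which also keeps padding bytes out of the comparison. Note that the `#endif /* INET */` at the bottom of this hunk closes the `#ifdef INET` opened in the earlier hunk, so the two must travel together.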


