Date: Sun, 20 Nov 2016 15:51:59 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r308888 - projects/ipsec/sys/netipsec Message-ID: <201611201551.uAKFpxcO039274@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: ae Date: Sun Nov 20 15:51:58 2016 New Revision: 308888 URL: https://svnweb.freebsd.org/changeset/base/308888 Log: Modify ipsec4_in_reject() to use ipsec4_getpolicy() and ipsec_in_reject(). Also move it under #ifdef INET. Modified: projects/ipsec/sys/netipsec/ipsec.c Modified: projects/ipsec/sys/netipsec/ipsec.c ============================================================================== --- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 14:00:50 2016 (r308887) +++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 15:51:58 2016 (r308888) @@ -808,6 +808,25 @@ ipsec4_checkpolicy(const struct mbuf *m, return (sp); } +/* + * Check IPv4 packet against *INBOUND* security policy. + * This function is called from tcp_input(), udp_input(), + * rip_input() and sctp_input(). + */ +int +ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp) +{ + struct secpolicy *sp; + int result; + + sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_INBOUND); + result = ipsec_in_reject(sp, inp, m); + key_freesp(&sp); + if (result != 0) + IPSECSTAT_INC(ips_in_polvio); + return (result); +} + #endif /* INET */ #ifdef INET6 @@ -1492,23 +1511,6 @@ ipsec46_in_reject(const struct mbuf *m, return (result); } -/* - * Check AH/ESP integrity. - * This function is called from tcp_input(), udp_input(), - * and {ah,esp}4_input for tunnel mode. - */ -int -ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp) -{ - int result; - - result = ipsec46_in_reject(m, inp); - if (result) - IPSECSTAT_INC(ips_in_polvio); - - return (result); -} - #ifdef INET6 /* * Check AH/ESP integrity.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201611201551.uAKFpxcO039274>