From owner-svn-src-head@FreeBSD.ORG Wed Apr 27 19:28:43 2011 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 543B7106567A; Wed, 27 Apr 2011 19:28:43 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 441AF8FC16; Wed, 27 Apr 2011 19:28:43 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id p3RJShF3085722; Wed, 27 Apr 2011 19:28:43 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id p3RJShEB085713; Wed, 27 Apr 2011 19:28:43 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <201104271928.p3RJShEB085713@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Wed, 27 Apr 2011 19:28:43 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r221129 - in head/sys: netinet6 netipsec X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 27 Apr 2011 19:28:43 -0000 Author: bz Date: Wed Apr 27 19:28:42 2011 New Revision: 221129 URL: http://svn.freebsd.org/changeset/base/221129 Log: Make IPsec compile without INET adding appropriate #ifdef checks. Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days Modified: head/sys/netinet6/ip6_ipsec.c head/sys/netipsec/ipsec_input.c head/sys/netipsec/ipsec_output.c head/sys/netipsec/key.c head/sys/netipsec/xform_ah.c head/sys/netipsec/xform_esp.c head/sys/netipsec/xform_ipcomp.c head/sys/netipsec/xform_ipip.c Modified: head/sys/netinet6/ip6_ipsec.c ============================================================================== --- head/sys/netinet6/ip6_ipsec.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netinet6/ip6_ipsec.c Wed Apr 27 19:28:42 2011 (r221129) @@ -30,6 +30,7 @@ #include __FBSDID("$FreeBSD$"); +#include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" @@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #include 
@@ -291,7 +293,11 @@ ip6_ipsec_output(struct mbuf **m, struct * this is done in the normal processing path. */ if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) { + ipseclog((LOG_DEBUG, + "%s: we do not support IPv4 over IPv6", __func__)); +#ifdef INET in_delayed_cksum(*m); +#endif (*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA; } Modified: head/sys/netipsec/ipsec_input.c ============================================================================== --- head/sys/netipsec/ipsec_input.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/ipsec_input.c Wed Apr 27 19:28:42 2011 (r221129) @@ -119,9 +119,11 @@ ipsec_common_input(struct mbuf *m, int s struct secasvar *sav; u_int32_t spi; int error; +#ifdef INET #ifdef IPSEC_NAT_T struct m_tag *tag; #endif +#endif IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, V_ipcompstat.ipcomps_input); Modified: head/sys/netipsec/ipsec_output.c ============================================================================== --- head/sys/netipsec/ipsec_output.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/ipsec_output.c Wed Apr 27 19:28:42 2011 (r221129) 
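Review bot: In ip6_ipsec_output the new `ipseclog((LOG_DEBUG, "%s: we do not support IPv4 over IPv6", __func__));` sits outside the `#ifdef INET`, so it fires for every packet with `CSUM_DELAY_DATA` set, even on kernels where `in_delayed_cksum(*m)` is compiled in and runs. On a kernel without INET the following line still clears `CSUM_DELAY_DATA`, so the packet appears to continue with its deferred checksum never computed, and only a debug message records it. I would move the log into an `#else` arm of the `#ifdef INET` and decide explicitly there whether the packet should be counted and dropped instead of having the flag cleared. The function body continues outside the hunk.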
@@ -165,7 +165,29 @@ ipsec_process_done(struct mbuf *m, struc */ if (isr->next) { V_ipsec4stat.ips_out_bundlesa++; - return ipsec4_process_packet(m, isr->next, 0, 0); + sav = isr->next->sav; + saidx = &sav->sah->saidx; + switch (saidx->dst.sa.sa_family) { +#ifdef INET + case AF_INET: + return ipsec4_process_packet(m, isr->next, 0, 0); + /* NOTREACHED */ +#endif +#ifdef notyet +#ifdef INET6 + case AF_INET6: + /* XXX */ + ipsec6_output_trans() + ipsec6_output_tunnel() + /* NOTREACHED */ +#endif /* INET6 */ +#endif + default: + DPRINTF(("%s: unknown protocol family %u\n", __func__, + saidx->dst.sa.sa_family)); + error = ENXIO; + goto bad; + } } key_sa_recordxfer(sav, m); /* record data transfer */ Modified: head/sys/netipsec/key.c ============================================================================== --- head/sys/netipsec/key.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/key.c Wed Apr 27 19:28:42 2011 (r221129) @@ -73,7 +73,7 @@ #include #endif /* INET6 */ -#ifdef INET +#if defined(INET) || defined(INET6) #include #endif #ifdef INET6 Modified: head/sys/netipsec/xform_ah.c ============================================================================== --- head/sys/netipsec/xform_ah.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/xform_ah.c Wed Apr 27 19:28:42 2011 (r221129) @@ -91,6 +91,7 @@ VNET_DEFINE(int, ah_enable) = 1; /* cont VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */ VNET_DEFINE(struct ahstat, ahstat); +#ifdef INET SYSCTL_DECL(_net_inet_ah); SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, ""); @@ -98,6 +99,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO, ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, ""); SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS, stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, ""); +#endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ 
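Review bot: The new lines `sav = isr->next->sav;` and `saidx = &sav->sah->saidx;` in ipsec_process_done dereference the next request's SA with no NULL check, and nothing visible in the hunk shows that `isr->next->sav` has already been resolved when the previous transform finishes. If it can still be unset for a bundled SA, this is a NULL dereference in the kernel output path, so a guard such as `if (isr->next->sav == NULL) { error = ENXIO; goto bad; }` or a family lookup that does not depend on the SA would be safer. The assignment also overwrites the function's own `sav` before a possible `goto bad`, and the `bad:` label is outside the hunk, so check that cleanup there does not expect the original SA. The `default:` arm reports only through `DPRINTF`, so on a kernel without INET every bundle fails with ENXIO and leaves no trace in normal logs or counters.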
@@ -724,19 +726,6 @@ ah_input(struct mbuf *m, struct secasvar return ah_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * AH input callback from the crypto driver. */ @@ -873,7 +862,21 @@ ah_input_cb(struct cryptop *crp) goto bad; } - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; Modified: head/sys/netipsec/xform_esp.c ============================================================================== --- head/sys/netipsec/xform_esp.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/xform_esp.c Wed Apr 27 19:28:42 2011 (r221129) @@ -451,19 +451,6 @@ esp_input(struct mbuf *m, struct secasva return esp_input_cb(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * ESP input callback from the crypto driver. */ 
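Review bot: The `default:` arm added to the switch in ah_input_cb calls `panic()` on an unexpected `saidx->dst.sa.sa_family`, so an SA whose family is not compiled in (for example an AF_INET SA on a kernel built without INET) crashes the whole system from the crypto callback. Unless the key code is known to reject such SAs at install time, failing the packet is the safer response, e.g. `error = EPFNOSUPPORT; goto bad;`, assuming the `bad` label used just above the switch releases `m` and the SA reference. The same switch is repeated verbatim in esp_input_cb and ipcomp_input_cb later in this commit. One `static __inline` helper taking `(m, sav, skip, protoff, mtag)` would keep the three copies from drifting apart. The callback bodies start and end outside these hunks.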
@@ -647,7 +634,21 @@ esp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; Modified: head/sys/netipsec/xform_ipcomp.c ============================================================================== --- head/sys/netipsec/xform_ipcomp.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/xform_ipcomp.c Wed Apr 27 19:28:42 2011 (r221129) @@ -213,19 +213,6 @@ ipcomp_input(struct mbuf *m, struct seca return crypto_dispatch(crp); } -#ifdef INET6 -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \ - if (saidx->dst.sa.sa_family == AF_INET6) { \ - error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \ - } else { \ - error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \ - } \ -} while (0) -#else -#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \ - (error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag)) -#endif - /* * IPComp input callback from the crypto driver. */ 
@@ -316,7 +303,21 @@ ipcomp_input_cb(struct cryptop *crp) /* Restore the Next Protocol field */ m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto); - IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL); + switch (saidx->dst.sa.sa_family) { +#ifdef INET6 + case AF_INET6: + error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif +#ifdef INET + case AF_INET: + error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL); + break; +#endif + default: + panic("%s: Unexpected address family: %d saidx=%p", __func__, + saidx->dst.sa.sa_family, saidx); + } KEY_FREESAV(&sav); return error; Modified: head/sys/netipsec/xform_ipip.c ============================================================================== --- head/sys/netipsec/xform_ipip.c Wed Apr 27 18:25:35 2011 (r221128) +++ head/sys/netipsec/xform_ipip.c Wed Apr 27 19:28:42 2011 (r221129) @@ -412,8 +412,10 @@ ipip_output( u_int8_t tp, otos; struct secasindex *saidx; int error; -#ifdef INET +#if defined(INET) || defined(INET6) u_int8_t itos; +#endif +#ifdef INET struct ip *ipo; #endif /* INET */ #ifdef INET6 @@ -466,7 +468,8 @@ ipip_output( ipo->ip_id = ip_newid(); /* If the inner protocol is IP... */ - if (tp == IPVERSION) { + switch (tp) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip) + offsetof(struct ip, ip_tos), @@ -484,9 +487,10 @@ ipip_output( ipo->ip_off = ntohs(ipo->ip_off); ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK); ipo->ip_off = htons(ipo->ip_off); - } + break; #ifdef INET6 - else if (tp == (IPV6_VERSION >> 4)) { + case (IPV6_VERSION >> 4): + { u_int32_t itos32; /* Save ECN notification. */ @@ -496,9 +500,10 @@ ipip_output( itos = ntohl(itos32) >> 20; ipo->ip_p = IPPROTO_IPV6; ipo->ip_off = 0; + break; } #endif /* INET6 */ - else { + default: goto nofamily; } 
@@ -547,8 +552,9 @@ ipip_output( ip6o->ip6_dst = saidx->dst.sin6.sin6_addr; ip6o->ip6_src = saidx->src.sin6.sin6_addr; + switch (tp) { #ifdef INET - if (tp == IPVERSION) { + case IPVERSION: /* Save ECN notification */ m_copydata(m, sizeof(struct ip6_hdr) + offsetof(struct ip, ip_tos), sizeof(u_int8_t), @@ -556,21 +562,23 @@ ipip_output( /* This is really IPVERSION. */ ip6o->ip6_nxt = IPPROTO_IPIP; - } else + break; #endif /* INET */ - if (tp == (IPV6_VERSION >> 4)) { - u_int32_t itos32; + case (IPV6_VERSION >> 4): + { + u_int32_t itos32; + + /* Save ECN notification. */ + m_copydata(m, sizeof(struct ip6_hdr) + + offsetof(struct ip6_hdr, ip6_flow), + sizeof(u_int32_t), (caddr_t) &itos32); + itos = ntohl(itos32) >> 20; - /* Save ECN notification. */ - m_copydata(m, sizeof(struct ip6_hdr) + - offsetof(struct ip6_hdr, ip6_flow), - sizeof(u_int32_t), (caddr_t) &itos32); - itos = ntohl(itos32) >> 20; - - ip6o->ip6_nxt = IPPROTO_IPV6; - } else { - goto nofamily; - } + ip6o->ip6_nxt = IPPROTO_IPV6; + } + default: + goto nofamily; + } otos = 0; ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); @@ -622,6 +630,7 @@ bad: } #ifdef IPSEC +#if defined(INET) || defined(INET6) static int ipe4_init(struct secasvar *sav, struct xformsw *xsp) { @@ -652,6 +661,8 @@ static struct xformsw ipe4_xformsw = { }; extern struct domain inetdomain; +#endif /* INET || INET6 */ +#ifdef INET static struct protosw ipe4_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -661,7 +672,8 @@ static struct protosw ipe4_protosw = { .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#ifdef INET6 +#endif /* INET */ +#if defined(INET6) && defined(INET) static struct ip6protosw ipe6_protosw = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, @@ -671,8 +683,9 @@ static struct ip6protosw ipe6_protosw = .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs }; -#endif +#endif /* INET6 && INET */ +#if defined(INET) /* * Check the encapsulated packet to see if we want it */ 
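Review bot: In the IPv6 outer-header switch of ipip_output, the new `case (IPV6_VERSION >> 4):` block ends at its closing brace with no `break;`, so control falls through to `default: goto nofamily;`. As written, an IPv6 inner packet sets `itos` and `ip6o->ip6_nxt = IPPROTO_IPV6` and is then rejected as an unknown family, so IPv6-in-IPv6 tunnel encapsulation would always fail. The IPv4 outer-header switch converted earlier in this file puts `break;` inside the braces. The same is needed here: add `break;` after `ip6o->ip6_nxt = IPPROTO_IPV6;`. The function body starts and ends outside the hunk.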
@@ -687,6 +700,7 @@ ipe4_encapcheck(const struct mbuf *m, in */ return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0); } +#endif /* INET */ static void ipe4_attach(void) @@ -695,9 +709,11 @@ ipe4_attach(void) xform_register(&ipe4_xformsw); /* attach to encapsulation framework */ /* XXX save return cookie for detach on module remove */ +#ifdef INET (void) encap_attach_func(AF_INET, -1, ipe4_encapcheck, &ipe4_protosw, NULL); -#ifdef INET6 +#endif +#if defined(INET6) && defined(INET) (void) encap_attach_func(AF_INET6, -1, ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL); #endif
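Review bot: ipe4_attach still calls `xform_register(&ipe4_xformsw)` unconditionally, but both `encap_attach_func` calls now depend on INET, the AF_INET6 one through `#if defined(INET6) && defined(INET)`. On an INET6-only kernel the function therefore registers the transform and attaches no encapsulation handler, and nothing in the code says this is intentional. A comment above the guards would record it, e.g. `/* XXX no encap attach without INET: ipe4_encapcheck and ipe6_protosw are INET-only for now */`.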