svn commit: r275713 - head/sys/netinet
Andrey V. Elsukov
ae at FreeBSD.org
Thu Dec 11 18:55:56 UTC 2014
Author: ae
Date: Thu Dec 11 18:55:54 2014
New Revision: 275713
URL: https://svnweb.freebsd.org/changeset/base/275713
Log:
Use ipsec4_in_reject() to simplify ip_ipsec_fwd() and ip_ipsec_input().
ipsec4_in_reject() does the same thing, and it also counts policy violation
errors.
Obtained from: Yandex LLC
Sponsored by: Yandex LLC
Modified:
head/sys/netinet/ip_ipsec.c
Modified: head/sys/netinet/ip_ipsec.c
==============================================================================
--- head/sys/netinet/ip_ipsec.c Thu Dec 11 18:46:11 2014 (r275712)
+++ head/sys/netinet/ip_ipsec.c Thu Dec 11 18:55:54 2014 (r275713)
@@ -107,20 +107,8 @@ ip_ipsec_filtertunnel(struct mbuf *m)
int
ip_ipsec_fwd(struct mbuf *m)
{
- struct secpolicy *sp;
- int error;
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- }
- if (error != 0)
- return (1);
- return (0);
+ return (ipsec4_in_reject(m, NULL));
}
/*
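Review bot: The one-line body of ip_ipsec_fwd() changes the no-policy case in the forwarding path: the removed code returned based on the `error` that ipsec_getpolicybyaddr() reported when `sp` was NULL, while the new code returns whatever ipsec4_in_reject() decides for a packet with no matching inbound policy, which is not visible in this hunk, so that outcome should be confirmed and written down here rather than left implicit. The function's header comment lies above the hunk; I would extend it with `* Returns non-zero when the packet must be dropped: no matching inbound policy or a policy that rejects it. Policy-violation statistics are kept by ipsec4_in_reject().`, adjusted to what ipsec4_in_reject() actually does for the no-policy case. The `NULL` second argument is presumably the inpcb, which a forwarded packet does not have; a short comment on the call, `/* no pcb on the forwarding path */`, would save the next reader a lookup.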
@@ -133,29 +121,13 @@ ip_ipsec_fwd(struct mbuf *m)
int
ip_ipsec_input(struct mbuf *m, int nxt)
{
- struct secpolicy *sp;
- int error;
/*
* enforce IPsec policy checking if we are seeing last header.
* note that we do not visit this with protocols with pcb layer
* code - like udp/tcp/raw ip.
*/
- if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
- sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
- if (sp != NULL) {
- /*
- * Check security policy against packet attributes.
- */
- error = ipsec_in_reject(sp, m);
- KEY_FREESP(&sp);
- } else {
- /* XXX error stat??? */
- error = EINVAL;
- DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
- }
- if (error != 0)
- return (1);
- }
+ if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+ return (ipsec4_in_reject(m, NULL));
return (0);
}
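Review bot: The comment above the new condition still says only "enforce IPsec policy checking", but the hunk removes the explicit no-policy branch (the `EINVAL` return, the `DPRINTF` and the `XXX error stat???` marker), so a reader can no longer see from this function that a last-header packet without a matching policy is discarded or where that discard is counted. I would extend the existing comment with ` * A missing or rejecting inbound policy drops the packet; policy-violation counters are maintained inside ipsec4_in_reject().`. The debug message is gone as well, so discards are now diagnosed through the IPsec statistics instead of the console; it is worth confirming that ipsec4_in_reject() accounts the no-policy case and not only the explicit-reject case, since the commit message claims it counts policy violations. The same no-policy semantics change applies to ip_ipsec_fwd() in the previous hunk.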