svn commit: r308882 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sun Nov 20 11:57:36 UTC 2016
Author: ae
Date: Sun Nov 20 11:57:34 2016
New Revision: 308882
URL: https://svnweb.freebsd.org/changeset/base/308882
Log:
Add ipsec4_getpolicy() function.
It returns the security policy that matches the given IPv4 packet.
First of it uses SP from inpcb. If there is no PCB, or PCB has not
cached SP, it fills secpolicyindex using info from given mbuf.
Then it does SP lookup using this secpolicyindex. And if SP is not
found, it returns default security policy.
Modify ipsec4_setspidx_ipaddr() to not return any values, since it never
fails. Also move ipsec4_get_ulp() and ipsec4_setspidx_ipaddr() under
#ifdef INET.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:36:54 2016 (r308881)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 11:57:34 2016 (r308882)
@@ -244,7 +244,8 @@ static int ipsec_in_reject(struct secpol
static int ipsec_setspidx_inpcb(const struct mbuf *, struct inpcb *);
static int ipsec_setspidx(const struct mbuf *, struct secpolicyindex *, int);
static void ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
-static int ipsec4_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
+static void ipsec4_setspidx_ipaddr(const struct mbuf *,
+ struct secpolicyindex *);
#ifdef INET6
static void ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *, int);
static int ipsec6_setspidx_ipaddr(const struct mbuf *, struct secpolicyindex *);
@@ -645,16 +646,17 @@ ipsec_setspidx(const struct mbuf *m, str
}
}
+#ifdef INET
static void
ipsec4_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
int needport)
{
- u_int8_t nxt;
+ uint8_t nxt;
int off;
/* Sanity check. */
- IPSEC_ASSERT(m != NULL, ("null mbuf"));
- IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),("packet too short"));
+ IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip),
+ ("packet too short"));
if (m->m_len >= sizeof (struct ip)) {
const struct ip *ip = mtod(m, const struct ip *);
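Review bot: The removed `IPSEC_ASSERT(m != NULL, ...)` was the only check that named a NULL mbuf; the surviving `IPSEC_ASSERT(m->m_pkthdr.len >= sizeof(struct ip), ...)` dereferences m in its own condition, so a NULL m now faults inside the assertion expression instead of reporting "null mbuf". That is acceptable if every caller (ipsec4_getpolicy, added later in this diff) guarantees a real packet, but the precondition should then be written down, as the existing `/* Assumes that m is sane. */` comment already does for ipsec4_setspidx_ipaddr; I would add `/* Caller guarantees m != NULL with a complete IPv4 header. */` above the `static void` line. The assertion is presumably compiled out without INVARIANTS, so on a production kernel it documents the length bound rather than enforcing it. ipsec4_get_ulp's body continues beyond the end of this hunk.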
@@ -718,10 +720,12 @@ done:
done_proto:
spidx->src.sin.sin_port = IPSEC_PORT_ANY;
spidx->dst.sin.sin_port = IPSEC_PORT_ANY;
+ KEYDBG(IPSEC_DUMP,
+ printf("%s: ", __func__); kdebug_secpolicyindex(spidx, NULL));
}
/* Assumes that m is sane. */
-static int
+static void
ipsec4_setspidx_ipaddr(const struct mbuf *m, struct secpolicyindex *spidx)
{
static const struct sockaddr_in template = {
@@ -748,10 +752,30 @@ ipsec4_setspidx_ipaddr(const struct mbuf
spidx->prefs = sizeof(struct in_addr) << 3;
spidx->prefd = sizeof(struct in_addr) << 3;
+}
- return (0);
+static struct secpolicy *
+ipsec4_getpolicy(const struct mbuf *m, struct inpcb *inp, u_int dir)
+{
+ struct secpolicyindex spidx;
+ struct secpolicy *sp;
+
+ sp = ipsec_getpcbpolicy(inp, dir);
+ if (sp == NULL && key_havesp(dir)) {
+ /* Make an index to look for a policy. */
+ ipsec4_setspidx_ipaddr(m, &spidx);
+ /* Fill ports in spidx if we have inpcb. */
+ ipsec4_get_ulp(m, &spidx, inp != NULL);
+ spidx.dir = dir;
+ sp = key_allocsp(&spidx, dir);
+ }
+ if (sp == NULL) /* No SP found, use system default. */
+ sp = key_allocsp_default();
+ return (sp);
}
+#endif /* INET */
+
#ifdef INET6
static void
ipsec6_get_ulp(const struct mbuf *m, struct secpolicyindex *spidx,
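Review bot: ipsec4_getpolicy is added without a header comment, and nothing in the hunk states who owns the `struct secpolicy` it returns; since the result comes from key_allocsp()/key_allocsp_default(), whose names suggest a referenced SP, the release obligation should be documented where callers see it, e.g. `/* Return the SP for IPv4 packet m in direction dir: the inpcb's cached SP if any, else a lookup keyed by a spidx built from m, else the system default. The returned SP is referenced; the caller must release it. */` (adjust the last sentence if the key_allocsp* contract differs). `spidx` is a stack local filled field by field by ipsec4_setspidx_ipaddr (src/dst/prefs/prefd, visible at the top of the hunk) and ipsec4_get_ulp (protocol and ports) plus `spidx.dir`, and is never zeroed, so if secpolicyindex has any other member, key_allocsp compares against uninitialized stack data; either `bzero(&spidx, sizeof(spidx));` before filling it or a comment stating that these two helpers cover every field would settle that. `ipsec4_get_ulp(m, &spidx, inp != NULL)` passes a comparison as the `needport` int; a named local `int needport = (inp != NULL);` would read as the comment above it does. The new function is static with no caller in this revision, so a -Werror kernel build would reject it unless a caller lands in the same build, which I cannot see from here.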