svn commit: r308884 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sun Nov 20 12:25:15 UTC 2016
Author: ae
Date: Sun Nov 20 12:25:14 2016
New Revision: 308884
URL: https://svnweb.freebsd.org/changeset/base/308884
Log:
Modify ipsec4_checkpolicy() to use ipsec4_getpolicy() and
ipsec_checkpolicy().
Move it under #ifdef INET. Also count errors from ipsec_checkpolicy
in corresponding IPSECSTAT counters.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:18:10 2016 (r308883)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 12:25:14 2016 (r308884)
@@ -546,49 +546,6 @@ ipsec_getpolicybyaddr(const struct mbuf
return (sp);
}
-struct secpolicy *
-ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
- struct inpcb *inp)
-{
- struct secpolicy *sp;
-
- *error = 0;
- if (inp == NULL)
- sp = ipsec_getpolicybyaddr(m, dir, error);
- else
- sp = ipsec_getpolicybysock(m, dir, inp, error);
- if (sp == NULL) {
- IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
- IPSECSTAT_INC(ips_out_inval);
- return (NULL);
- }
- IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
- switch (sp->policy) {
- case IPSEC_POLICY_ENTRUST:
- default:
- printf("%s: invalid policy %u\n", __func__, sp->policy);
- /* FALLTHROUGH */
- case IPSEC_POLICY_DISCARD:
- IPSECSTAT_INC(ips_out_polvio);
- *error = -EINVAL; /* Packet is discarded by caller. */
- break;
- case IPSEC_POLICY_BYPASS:
- case IPSEC_POLICY_NONE:
- KEY_FREESP(&sp);
- sp = NULL; /* NB: force NULL result. */
- break;
- case IPSEC_POLICY_IPSEC:
- if (sp->req == NULL) /* Acquire a SA. */
- *error = key_spdacquire(sp);
- break;
- }
- if (*error != 0) {
- KEY_FREESP(&sp);
- sp = NULL;
- }
- return (sp);
-}
-
static int
ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
{
@@ -817,6 +774,36 @@ ipsec4_getpolicy(const struct mbuf *m, s
return (sp);
}
+/*
+ * Check security policy for *OUTBOUND* IPv4 packet.
+ */
+struct secpolicy *
+ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error)
+{
+ struct secpolicy *sp;
+
+ *error = 0;
+ sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND);
+ if (sp != NULL)
+ sp = ipsec_checkpolicy(sp, inp, error);
+ if (sp == NULL) {
+ switch (*error) {
+ case 0: /* No IPsec required: BYPASS or NONE */
+ break;
+ case -EINVAL:
+ IPSECSTAT_INC(ips_out_polvio);
+ break;
+ default:
+ IPSECSTAT_INC(ips_out_inval);
+ }
+ }
+ KEYDBG(IPSEC_STAMP,
+ printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
+ if (sp != NULL)
+ KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
+ return (sp);
+}
+
#endif /* INET */
#ifdef INET6
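Review bot: A NULL returned by ipsec4_getpolicy() at the call on the `sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND);` line leaves `*error` at 0, so it reaches `case 0: /* No IPsec required: BYPASS or NONE */` and is reported to the caller exactly like a BYPASS verdict — a policy-lookup failure would silently fail open, and it is no longer counted in `ips_out_inval` as the removed code did for that path. The `if (sp != NULL)` guard suggests the author considers NULL possible, but ipsec4_getpolicy() no longer takes an error out-parameter and its body is outside this hunk, so I cannot tell whether it can fail. If it guarantees a non-NULL result (say by falling back to the default policy), make that explicit with the file's own idiom, `IPSEC_ASSERT(sp != NULL, ("getpolicy returned NULL"));`, in place of the guard; otherwise set a distinct error on that path, e.g. `if (sp == NULL) *error = EINVAL; else sp = ipsec_checkpolicy(sp, inp, error);`, so the positive errno lands in the `default:` branch and `ips_out_inval` and the caller drops the packet. The `case 0` comment would then also be accurate, since only ipsec_checkpolicy() can produce a NULL with error 0.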