svn commit: r308884 - projects/ipsec/sys/netipsec

Sun Nov 20 12:25:15 UTC 2016

Author: ae
Date: Sun Nov 20 12:25:14 2016
New Revision: 308884
URL: https://svnweb.freebsd.org/changeset/base/308884

Log:
  Modify ipsec4_checkpolicy() to use ipsec4_getpolicy() and
  ipsec_checkpolicy().
  
  Move it under #ifdef INET. Also count errors from ipsec_checkpolicy
  in corresponding IPSECSTAT counters.

Modified:
  projects/ipsec/sys/netipsec/ipsec.c

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================

--- projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 12:18:10 2016	(r308883)
+++ projects/ipsec/sys/netipsec/ipsec.c	Sun Nov 20 12:25:14 2016	(r308884)
@@ -546,49 +546,6 @@ ipsec_getpolicybyaddr(const struct mbuf 
 	return (sp);
 }
 
-struct secpolicy *
-ipsec4_checkpolicy(const struct mbuf *m, u_int dir, int *error,
-    struct inpcb *inp)
-{
-	struct secpolicy *sp;
-
-	*error = 0;
-	if (inp == NULL)
-		sp = ipsec_getpolicybyaddr(m, dir, error);
-	else
-		sp = ipsec_getpolicybysock(m, dir, inp, error);
-	if (sp == NULL) {
-		IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
-		IPSECSTAT_INC(ips_out_inval);
-		return (NULL);
-	}
-	IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
-	switch (sp->policy) {
-	case IPSEC_POLICY_ENTRUST:
-	default:
-		printf("%s: invalid policy %u\n", __func__, sp->policy);
-		/* FALLTHROUGH */
-	case IPSEC_POLICY_DISCARD:
-		IPSECSTAT_INC(ips_out_polvio);
-		*error = -EINVAL;	/* Packet is discarded by caller. */
-		break;
-	case IPSEC_POLICY_BYPASS:
-	case IPSEC_POLICY_NONE:
-		KEY_FREESP(&sp);
-		sp = NULL;		/* NB: force NULL result. */
-		break;
-	case IPSEC_POLICY_IPSEC:
-		if (sp->req == NULL)	/* Acquire a SA. */
-			*error = key_spdacquire(sp);
-		break;
-	}
-	if (*error != 0) {
-		KEY_FREESP(&sp);
-		sp = NULL;
-	}
-	return (sp);
-}
-
 static int
 ipsec_setspidx_inpcb(const struct mbuf *m, struct inpcb *inp)
 {
@@ -817,6 +774,36 @@ ipsec4_getpolicy(const struct mbuf *m, s
 	return (sp);
 }
 
+/*
+ * Check security policy for *OUTBOUND* IPv4 packet.
+ */
+struct secpolicy *
+ipsec4_checkpolicy(const struct mbuf *m, struct inpcb *inp, int *error)
+{
+	struct secpolicy *sp;
+
+	*error = 0;
+	sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_OUTBOUND);
+	if (sp != NULL)
+		sp = ipsec_checkpolicy(sp, inp, error);
+	if (sp == NULL) {
+		switch (*error) {
+		case 0: /* No IPsec required: BYPASS or NONE */
+			break;
+		case -EINVAL:
+			IPSECSTAT_INC(ips_out_polvio);
+			break;
+		default:
+			IPSECSTAT_INC(ips_out_inval);
+		}
+	}
+	KEYDBG(IPSEC_STAMP,
+	    printf("%s: using SP(%p), error %d\n", __func__, sp, *error));
+	if (sp != NULL)
+		KEYDBG(IPSEC_DATA, kdebug_secpolicy(sp));
+	return (sp);
+}
+
 #endif /* INET */
 
 #ifdef INET6
