svn commit: r308888 - projects/ipsec/sys/netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Sun Nov 20 15:52:00 UTC 2016
Author: ae
Date: Sun Nov 20 15:51:58 2016
New Revision: 308888
URL: https://svnweb.freebsd.org/changeset/base/308888
Log:
Modify ipsec4_in_reject() to use ipsec4_getpolicy() and ipsec_in_reject().
Also move it under #ifdef INET.
Modified:
projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 14:00:50 2016 (r308887)
+++ projects/ipsec/sys/netipsec/ipsec.c Sun Nov 20 15:51:58 2016 (r308888)
@@ -808,6 +808,25 @@ ipsec4_checkpolicy(const struct mbuf *m,
return (sp);
}
+/*
+ * Check IPv4 packet against *INBOUND* security policy.
+ * This function is called from tcp_input(), udp_input(),
+ * rip_input() and sctp_input().
+ */
+int
+ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp)
+{
+ struct secpolicy *sp;
+ int result;
+
+ sp = ipsec4_getpolicy(m, inp, IPSEC_DIR_INBOUND);
+ result = ipsec_in_reject(sp, inp, m);
+ key_freesp(&sp);
+ if (result != 0)
+ IPSECSTAT_INC(ips_in_polvio);
+ return (result);
+}
+
#endif /* INET */
#ifdef INET6
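Review bot: In the added ipsec4_in_reject(), the pointer returned by ipsec4_getpolicy() goes straight into ipsec_in_reject() and key_freesp() with no NULL check, and neither callee's handling of NULL is visible in this hunk. If the lookup can fail and return NULL, this inbound check should fail closed instead of depending on the callees, e.g. `if (sp == NULL) { IPSECSTAT_INC(ips_in_polvio); return (1); }`. If a non-NULL policy is guaranteed, stating that with `IPSEC_ASSERT(sp != NULL, ("null SP"));` would make the invariant explicit. The header comment lists the callers but not the return contract; judging by the ips_in_polvio increment, something like `Returns non-zero if the packet violates policy and must be dropped; the SP reference is released before returning.` would help anyone auditing the tcp/udp/raw/sctp input paths.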
@@ -1492,23 +1511,6 @@ ipsec46_in_reject(const struct mbuf *m,
return (result);
}
-/*
- * Check AH/ESP integrity.
- * This function is called from tcp_input(), udp_input(),
- * and {ah,esp}4_input for tunnel mode.
- */
-int
-ipsec4_in_reject(const struct mbuf *m, struct inpcb *inp)
-{
- int result;
-
- result = ipsec46_in_reject(m, inp);
- if (result)
- IPSECSTAT_INC(ips_in_polvio);
-
- return (result);
-}
-
#ifdef INET6
/*
* Check AH/ESP integrity.