svn commit: r309110 - in projects/ipsec/sys: netinet netipsec

Thu Nov 24 17:07:18 UTC 2016

Author: ae
Date: Thu Nov 24 17:07:15 2016
New Revision: 309110
URL: https://svnweb.freebsd.org/changeset/base/309110

Log:
  GC some now unused functions and macros.
  Update functions declarations, add needed includes. Fix the build.

Modified:
  projects/ipsec/sys/netinet/ip_input.c
  projects/ipsec/sys/netinet/ip_ipsec.c
  projects/ipsec/sys/netinet/ip_ipsec.h
  projects/ipsec/sys/netinet/tcp_subr.c
  projects/ipsec/sys/netipsec/ipsec.c
  projects/ipsec/sys/netipsec/ipsec.h
  projects/ipsec/sys/netipsec/ipsec6.h
  projects/ipsec/sys/netipsec/key.c
  projects/ipsec/sys/netipsec/key.h
  projects/ipsec/sys/netipsec/xform_ah.c
  projects/ipsec/sys/netipsec/xform_esp.c
  projects/ipsec/sys/netipsec/xform_ipcomp.c

Modified: projects/ipsec/sys/netinet/ip_input.c
==============================================================================

--- projects/ipsec/sys/netinet/ip_input.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netinet/ip_input.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -78,6 +78,8 @@ __FBSDID("$FreeBSD$");
 #include <machine/in_cksum.h>
 #include <netinet/ip_carp.h>
 #ifdef IPSEC
+#include <netipsec/ipsec.h>
+#include <netipsec/key.h>
 #include <netinet/ip_ipsec.h>
 #endif /* IPSEC */
 #include <netinet/in_rss.h>

Modified: projects/ipsec/sys/netinet/ip_ipsec.c
==============================================================================
--- projects/ipsec/sys/netinet/ip_ipsec.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netinet/ip_ipsec.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -115,23 +115,6 @@ ip_ipsec_input(struct mbuf *m, int nxt)
 }
 
 /*
- * Compute the MTU for a forwarded packet that gets IPSEC encapsulated.
- * Called from ip_forward().
- * Returns MTU suggestion for ICMP needfrag reply.
- */
-int
-ip_ipsec_mtu(struct mbuf *m, int mtu)
-{
-	/*
-	 * If the packet is routed over IPsec tunnel, tell the
-	 * originator the tunnel MTU.
-	 *	tunnel MTU = if MTU - sizeof(IP) - ESP/AH hdrsiz
-	 * XXX quickhack!!!
-	 */
-	return (mtu - ipsec_hdrsiz(m, IPSEC_DIR_OUTBOUND, NULL));
-}
-
-/*
  * Called from ip_output().
  * 0 = continue processing packet
  * 1 = packet was consumed, stop processing

Modified: projects/ipsec/sys/netinet/ip_ipsec.h
==============================================================================
--- projects/ipsec/sys/netinet/ip_ipsec.h	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netinet/ip_ipsec.h	Thu Nov 24 17:07:15 2016	(r309110)
@@ -38,7 +38,6 @@
 
 int	ip_ipsec_filtertunnel(struct mbuf *);
 int	ip_ipsec_input(struct mbuf *, int);
-int	ip_ipsec_mtu(struct mbuf *, int);
 int	ip_ipsec_forward(struct mbuf *, int *);
 int	ip_ipsec_output(struct mbuf *, struct inpcb *, int *);
 int	ip_ipsec_pcbctl(struct inpcb *, struct sockopt *);

Modified: projects/ipsec/sys/netinet/tcp_subr.c
==============================================================================
--- projects/ipsec/sys/netinet/tcp_subr.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netinet/tcp_subr.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -2587,7 +2587,7 @@ tcp_get_sav(struct mbuf *m, u_int direct
 	}
 
 	/* Look up an SADB entry which matches the address of the peer. */
-	sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
+	sav = key_allocsa(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
 	if (sav == NULL) {
 		ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__,
 		    (ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) :
@@ -2708,7 +2708,7 @@ tcp_signature_do_compute(struct mbuf *m,
 		break;
 #endif
 	default:
-		KEY_FREESAV(&sav);
+		key_freesav(&sav);
 		return (-1);
 		/* NOTREACHED */
 		break;
@@ -2738,7 +2738,7 @@ tcp_signature_do_compute(struct mbuf *m,
 	MD5Final(buf, &ctx);
 
 	key_sa_recordxfer(sav, m);
-	KEY_FREESAV(&sav);
+	key_freesav(&sav);
 	return (0);
 }
 

Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/ipsec.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -124,6 +124,8 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IP
 VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
 VNET_DEFINE(int, ip4_esp_randpad) = -1;
 
+static VNET_DEFINE(int, check_policy_history) = 0;
+#define	V_check_policy_history	VNET(check_policy_history)
 static VNET_DEFINE(struct secpolicy, def_policy);
 #define	V_def_policy	VNET(def_policy)
 /*
@@ -1417,43 +1419,6 @@ ipsec_hdrsiz_inpcb(struct inpcb *inp)
 	return (sz);
 }
 
-/* 
- * This function is called from ipsec_hdrsiz_tcp(), ip_ipsec_mtu(),
- * disabled ip6_ipsec_mtu() and ip6_forward().
- */
-size_t
-ipsec_hdrsiz(const struct mbuf *m, u_int dir, struct inpcb *inp)
-{
-	struct secpolicy *sp;
-	int error;
-	size_t size;
-
-	if (!key_havesp(dir))
-		return 0;
-
-	IPSEC_ASSERT(m != NULL, ("null mbuf"));
-
-	/* Get SP for this packet. */
-	if (inp == NULL)
-		sp = ipsec_getpolicybyaddr(m, dir, &error);
-	else
-		sp = ipsec_getpolicybysock(m, dir, inp, &error);
-
-	if (sp != NULL) {
-		size = ipsec_hdrsiz_internal(sp);
-		KEYDEBUG(KEYDEBUG_IPSEC_DATA,
-			printf("%s: size:%lu.\n", __func__,
-				(unsigned long)size));
-
-		KEY_FREESP(&sp);
-	} else {
-		size = 0;	/* XXX Should be panic?
-				 * -> No, we are called w/o knowing if
-				 *    IPsec processing is needed. */
-	}
-	return (size);
-}
-
 /*
  * Check the variable replay window.
  * ipsec_chkreplay() performs replay check before ICV verification.
@@ -1683,7 +1648,7 @@ vshiftl(unsigned char *bitmap, int nbit,
 
 /* Return a printable string for the address. */
 char*
-ipsec_address(union sockaddr_union* sa, char *buf, socklen_t size)
+ipsec_address(const union sockaddr_union* sa, char *buf, socklen_t size)
 {
 
 	switch (sa->sa.sa_family) {

Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/ipsec.h	Thu Nov 24 17:07:15 2016	(r309110)
@@ -53,11 +53,6 @@
 
 #define	IPSEC_ASSERT(_c,_m) KASSERT(_c, _m)
 
-#define	IPSEC_IS_PRIVILEGED_SO(_so) \
-	((_so)->so_cred != NULL && \
-	 priv_check_cred((_so)->so_cred, PRIV_NETINET_IPSEC, 0) \
-	 == 0)
-
 /*
  * Security Policy Index
  * Ensure that both address families in the "src" and "dst" are same.
@@ -299,8 +294,10 @@ VNET_DECLARE(int, crypto_support);
 #define	DPRINTF(x)	do { if (V_ipsec_debug) printf x; } while (0)
 
 struct inpcb;
+struct m_tag;
 struct secasvar;
 struct sockopt;
+union sockaddr_union;
 
 struct ipsecrequest *ipsec_newisr(void);
 void ipsec_delisr(struct ipsecrequest *);
@@ -316,18 +313,15 @@ int ipsec_delete_pcbpolicy(struct inpcb 
 int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *);
 int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *);
 
-extern int ipsec_chkreplay(u_int32_t, struct secasvar *);
-extern int ipsec_updatereplay(u_int32_t, struct secasvar *);
+int ipsec_chkreplay(uint32_t, struct secasvar *);
+int ipsec_updatereplay(uint32_t, struct secasvar *);
+int ipsec_updateid(struct secasvar *, uint64_t *, uint64_t *);
 
-extern size_t ipsec_hdrsiz(const struct mbuf *, u_int, struct inpcb *);
-
-union sockaddr_union;
-extern char *ipsec_address(union sockaddr_union *, char *, socklen_t);
-extern char *ipsec_logsastr(struct secasvar *, char *, size_t);
+char *ipsec_address(const union sockaddr_union *, char *, socklen_t);
+char *ipsec_logsastr(struct secasvar *, char *, size_t);
 
 extern void ipsec_dumpmbuf(const struct mbuf *);
 
-struct m_tag;
 extern int ah4_input(struct mbuf **mp, int *offp, int proto);
 extern void ah4_ctlinput(int cmd, struct sockaddr *sa, void *);
 extern int esp4_input(struct mbuf **mp, int *offp, int proto);
@@ -336,8 +330,10 @@ extern int ipcomp4_input(struct mbuf **m
 extern int ipsec_common_input(struct mbuf *m, int, int, int, int); 
 extern int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 			int skip, int protoff);
-extern int ipsec4_process_packet(struct mbuf *, struct ipsecrequest *);
-extern int ipsec_process_done(struct mbuf *, struct ipsecrequest *);
+extern int ipsec4_process_packet(struct mbuf *, struct secpolicy *,
+    struct inpcb *);
+extern int ipsec_process_done(struct mbuf *, struct secpolicy *,
+    struct secasvar *, u_int);
 
 extern	void m_checkalignment(const char* where, struct mbuf *m0,
 		int off, int len);

Modified: projects/ipsec/sys/netipsec/ipsec6.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec6.h	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/ipsec6.h	Thu Nov 24 17:07:15 2016	(r309110)
@@ -60,13 +60,16 @@ VNET_DECLARE(int, ip6_ipsec_ecn);
 
 struct inpcb;
 extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
+struct secpolicy *ipsec6_checkpolicy(const struct mbuf *,
+    struct inpcb *, int *);
 
 struct m_tag;
 extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
 extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav,
 			int skip, int protoff);
 extern void esp6_ctlinput(int, struct sockaddr *, void *);
-extern int ipsec6_process_packet(struct mbuf *, struct ipsecrequest *);
+int ipsec6_process_packet(struct mbuf *, struct secpolicy *,
+    struct inpcb *);
 #endif /*_KERNEL*/
 
 #endif /*_NETIPSEC_IPSEC6_H_*/

Modified: projects/ipsec/sys/netipsec/key.c
==============================================================================
--- projects/ipsec/sys/netipsec/key.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/key.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -548,9 +548,6 @@ static struct seckey *key_dup_keymsg(con
     struct malloc_type *);
 static struct seclifetime *key_dup_lifemsg(const struct sadb_lifetime *src,
     struct malloc_type *);
-#ifdef INET6
-static int key_ismyaddr6(struct sockaddr_in6 *);
-#endif
 
 /* flags for key_cmpsaidx() */
 #define CMP_HEAD	1	/* protocol, addresses. */
@@ -1016,16 +1013,6 @@ done:
 	V_sp_genid++;
 }
 
-void
-key_addrefsa(struct secasvar *sav, const char* where, int tag)
-{
-
-	IPSEC_ASSERT(sav != NULL, ("null sav"));
-	IPSEC_ASSERT(sav->refcnt > 0, ("refcount must exist"));
-
-	SAV_ADDREF(sav);
-}
-
 /*
  * Must be called after calling key_allocsa().
  * This function is called by key_freesp() to free some SA allocated
@@ -2168,7 +2155,7 @@ key_spdflush(struct socket *so, struct m
 	sp = TAILQ_FIRST(&drainq);
 	while (sp != NULL) {
 		nextsp = TAILQ_NEXT(sp, chain);
-		KEY_FREESP(&sp);
+		key_freesp(&sp);
 		sp = nextsp;
 	}
 
@@ -2273,7 +2260,7 @@ key_setdumpsp(struct secpolicy *sp, u_in
 		goto fail;
 	m_cat(result, m);
 
-	m = key_sp2msg(sp);
+	m = key_sp2mbuf(sp);
 	if (!m)
 		goto fail;
 	m_cat(result, m);
@@ -2316,7 +2303,6 @@ fail:
 	m_freem(result);
 	return NULL;
 }
-
 /*
  * get PFKEY message length for security policy and request.
  */
@@ -3554,29 +3540,29 @@ key_setsadbxpolicy(u_int16_t type, u_int
  * OUT: NULL no more memory
  */
 struct seckey *
-key_dup_keymsg(const struct sadb_key *src, u_int len,
+key_dup_keymsg(const struct sadb_key *src, size_t len,
     struct malloc_type *type)
 {
 	struct seckey *dst;
-	dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT);
+
+	dst = malloc(sizeof(*dst), type, M_NOWAIT);
 	if (dst != NULL) {
 		dst->bits = src->sadb_key_bits;
-		dst->key_data = (char *)malloc(len, type, M_NOWAIT);
+		dst->key_data = malloc(len, type, M_NOWAIT);
 		if (dst->key_data != NULL) {
-			bcopy((const char *)src + sizeof(struct sadb_key), 
-			      dst->key_data, len);
+			bcopy((const char *)(src + 1), dst->key_data, len);
 		} else {
-			ipseclog((LOG_DEBUG, "%s: No more memory.\n", 
-				  __func__));
+			ipseclog((LOG_DEBUG, "%s: No more memory.\n",
+			    __func__));
 			free(dst, type);
 			dst = NULL;
 		}
 	} else {
-		ipseclog((LOG_DEBUG, "%s: No more memory.\n", 
-			  __func__));
+		ipseclog((LOG_DEBUG, "%s: No more memory.\n",
+		    __func__));
 
 	}
-	return dst;
+	return (dst);
 }
 
 /* Take a lifetime message (sadb_lifetime) passed in on a socket and
@@ -3603,50 +3589,6 @@ key_dup_lifemsg(const struct sadb_lifeti
 	return (dst);
 }
 
-/* compare my own address
- * OUT:	1: true, i.e. my address.
- *	0: false
- */
-int
-key_ismyaddr(struct sockaddr *sa)
-{
-
-	IPSEC_ASSERT(sa != NULL, ("null sockaddr"));
-	switch (sa->sa_family) {
-#ifdef INET
-	case AF_INET:
-		return (in_localip(satosin(sa)->sin_addr));
-#endif
-#ifdef INET6
-	case AF_INET6:
-		return key_ismyaddr6((struct sockaddr_in6 *)sa);
-#endif
-	}
-
-	return 0;
-}
-
-#ifdef INET6
-/*
- * compare my own address for IPv6.
- * 1: ours
- * 0: other
- */
-static int
-key_ismyaddr6(struct sockaddr_in6 *sin6)
-{
-	struct in6_addr in6;
-
-	if (!IN6_IS_SCOPE_LINKLOCAL(&sin6->sin6_addr))
-		return (in6_localip(&sin6->sin6_addr));
-
-	/* Convert address into kernel-internal form */
-	in6 = sin6->sin6_addr;
-	in6.s6_addr16[1] = htons(sin6->sin6_scope_id & 0xffff);
-	return (in6_localip(&in6));
-}
-#endif /*INET6*/
-
 /*
  * compare two secasindex structure.
  * flag can specify to compare 2 saidxes.
@@ -3868,7 +3810,7 @@ key_cmpspidx_withmask(struct secpolicyin
 #endif
 #define satosin6(s) ((const struct sockaddr_in6 *)s)
 /* returns 0 on match */
-static int
+int
 key_sockaddrcmp(const struct sockaddr *sa1, const struct sockaddr *sa2,
     int port)
 {
@@ -5962,32 +5904,6 @@ key_acquire(const struct secasindex *sai
 	return error;
 }
 
-static struct secacq *
-key_newacq(const struct secasindex *saidx)
-{
-	struct secacq *newacq;
-
-	/* get new entry */
-	newacq = malloc(sizeof(struct secacq), M_IPSEC_SAQ, M_NOWAIT|M_ZERO);
-	if (newacq == NULL) {
-		ipseclog((LOG_DEBUG, "%s: No more memory.\n", __func__));
-		return NULL;
-	}
-
-	/* copy secindex */
-	bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx));
-	newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq);
-	newacq->created = time_second;
-	newacq->count = 0;
-
-	/* add to acqtree */
-	ACQ_LOCK();
-	LIST_INSERT_HEAD(&V_acqtree, newacq, chain);
-	ACQ_UNLOCK();
-
-	return newacq;
-}
-
 static uint32_t
 key_newacq(const struct secasindex *saidx, int *perror)
 {
@@ -7449,7 +7365,7 @@ key_destroy(void)
 	sp = TAILQ_FIRST(&drainq);
 	while (sp != NULL) {
 		nextsp = TAILQ_NEXT(sp, chain);
-		KEY_FREESP(&sp);
+		key_freesp(&sp);
 		sp = nextsp;
 	}
 

Modified: projects/ipsec/sys/netipsec/key.h
==============================================================================
--- projects/ipsec/sys/netipsec/key.h	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/key.h	Thu Nov 24 17:07:15 2016	(r309110)
@@ -37,7 +37,6 @@
 
 struct secpolicy;
 struct secpolicyindex;
-struct ipsecrequest;
 struct secasvar;
 struct sockaddr;
 struct socket;
@@ -46,64 +45,28 @@ struct sadb_x_policy;
 struct secasindex;
 union sockaddr_union;
 
+struct secpolicy *key_newsp(void);
+struct secpolicy *key_allocsp(struct secpolicyindex *, u_int);
+struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *);
+int key_sp2msg(struct secpolicy *, void *, size_t *);
+void key_addref(struct secpolicy *);
+void key_freesp(struct secpolicy **);
+int key_spdacquire(struct secpolicy *);
+int key_havesp(u_int);
 uint32_t key_getspgen(void);
+uint32_t key_newreqid(void);
 
-extern void key_addref(struct secpolicy *sp);
-extern	int key_havesp(u_int dir);
-extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int,
-	const char*, int);
-extern struct secpolicy *key_allocsp2(u_int32_t spi, union sockaddr_union *dst,
-	u_int8_t proto, u_int dir, const char*, int);
-extern struct secpolicy *key_newsp(const char*, int);
-#if 0
-extern struct secpolicy *key_gettunnel(const struct sockaddr *,
-	const struct sockaddr *, const struct sockaddr *,
-	const struct sockaddr *, const char*, int);
-#endif
-/* NB: prepend with _ for KAME IPv6 compatbility */
-extern void _key_freesp(struct secpolicy **, const char*, int);
-
-#define	KEY_ALLOCSP(spidx, dir)					\
-	key_allocsp(spidx, dir, __FILE__, __LINE__)
-#define	KEY_ALLOCSP2(spi, dst, proto, dir)			\
-	key_allocsp2(spi, dst, proto, dir, __FILE__, __LINE__)
-#define	KEY_NEWSP()						\
-	key_newsp(__FILE__, __LINE__)
-#if 0
-#define	KEY_GETTUNNEL(osrc, odst, isrc, idst)			\
-	key_gettunnel(osrc, odst, isrc, idst, __FILE__, __LINE__)
-#endif
-#define	KEY_FREESP(spp)						\
-	_key_freesp(spp, __FILE__, __LINE__)
-
-extern struct secasvar *key_allocsa(union sockaddr_union *, u_int, u_int32_t,
-	const char*, int);
-extern struct secasvar *key_allocsa_tunnel(union sockaddr_union *,
-    union sockaddr_union *, u_int, const char*, int);
-extern void key_addrefsa(struct secasvar *, const char*, int);
-extern void key_freesav(struct secasvar **, const char*, int);
-
-#define	KEY_ALLOCSA(dst, proto, spi)				\
-	key_allocsa(dst, proto, spi, __FILE__, __LINE__)
-#define	KEY_ALLOCSA_TUNNEL(src, dst, proto)				\
-	key_allocsa_tunnel(src, dst, proto, __FILE__, __LINE__)
-#define	KEY_ADDREFSA(sav)					\
-	key_addrefsa(sav, __FILE__, __LINE__)
-#define	KEY_FREESAV(psav)					\
-	key_freesav(psav, __FILE__, __LINE__)
-
-extern void key_freeso(struct socket *);
-extern int key_checktunnelsanity(struct secasvar *, u_int,
-    caddr_t, caddr_t);
-extern int key_checkrequest(struct ipsecrequest *isr,
-    const struct secasindex *);
-extern struct secpolicy *key_msg2sp(struct sadb_x_policy *,
-    size_t, int *);
-
-int key_sp2msg(struct secpolicy *, void *request, size_t *len);
+struct secasvar *key_allocsa(union sockaddr_union *, uint8_t, uint32_t);
+struct secasvar *key_allocsa_tunnel(union sockaddr_union *,
+    union sockaddr_union *, uint8_t);
+struct secasvar *key_allocsa_policy(struct secpolicy *,
+    const struct secasindex *, int *);
+void key_freesav(struct secasvar **);
+
+int key_sockaddrcmp(const struct sockaddr *, const struct sockaddr *, int);
+int key_sockaddrcmp_withmask(const struct sockaddr *, const struct sockaddr *,
+    size_t);
 
-extern int key_ismyaddr(struct sockaddr *);
-extern int key_spdacquire(struct secpolicy *);
 extern u_long key_random(void);
 extern void key_randomfill(void *, size_t);
 extern void key_freereg(struct socket *);
@@ -114,9 +77,7 @@ extern void key_destroy(void);
 #endif
 extern void key_sa_recordxfer(struct secasvar *, struct mbuf *);
 #ifdef IPSEC_NAT_T
-u_int16_t key_portfromsaddr(struct sockaddr *);
-#define	KEY_PORTFROMSADDR(saddr)				\
-	key_portfromsaddr((struct sockaddr *)(saddr))
+uint16_t key_portfromsaddr(struct sockaddr *);
 #endif
 
 #ifdef MALLOC_DECLARE

Modified: projects/ipsec/sys/netipsec/xform_ah.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_ah.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/xform_ah.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -46,7 +46,7 @@
 #include <sys/syslog.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
-#include <sys/rwlock.h>
+#include <sys/mutex.h>
 #include <sys/sysctl.h>
 
 #include <net/if.h>

Modified: projects/ipsec/sys/netipsec/xform_esp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_esp.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/xform_esp.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -46,7 +46,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/random.h>
-#include <sys/rwlock.h>
+#include <sys/mutex.h>
 #include <sys/sysctl.h>
 #include <sys/mutex.h>
 #include <machine/atomic.h>

Modified: projects/ipsec/sys/netipsec/xform_ipcomp.c
==============================================================================
--- projects/ipsec/sys/netipsec/xform_ipcomp.c	Thu Nov 24 14:50:21 2016	(r309109)
+++ projects/ipsec/sys/netipsec/xform_ipcomp.c	Thu Nov 24 17:07:15 2016	(r309110)
@@ -37,7 +37,6 @@
 #include <sys/mbuf.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
-#include <sys/rwlock.h>
 #include <sys/socket.h>
 #include <sys/kernel.h>
 #include <sys/protosw.h>
