Make IPsec compile without INET adding appropriate #ifdef checks.
Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
parent
bbfe24fbf2
commit
db178eb816
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=221129
|
@ -30,6 +30,7 @@
|
|||
#include <sys/cdefs.h>
|
||||
__FBSDID("$FreeBSD$");
|
||||
|
||||
#include "opt_inet.h"
|
||||
#include "opt_inet6.h"
|
||||
#include "opt_ipsec.h"
|
||||
|
||||
|
@ -43,6 +44,7 @@ __FBSDID("$FreeBSD$");
|
|||
#include <sys/socket.h>
|
||||
#include <sys/socketvar.h>
|
||||
#include <sys/sysctl.h>
|
||||
#include <sys/syslog.h>
|
||||
|
||||
#include <net/if.h>
|
||||
#include <net/route.h>
|
||||
|
@ -291,7 +293,11 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
|||
* this is done in the normal processing path.
|
||||
*/
|
||||
if ((*m)->m_pkthdr.csum_flags & CSUM_DELAY_DATA) {
|
||||
ipseclog((LOG_DEBUG,
|
||||
"%s: we do not support IPv4 over IPv6", __func__));
|
||||
#ifdef INET
|
||||
in_delayed_cksum(*m);
|
||||
#endif
|
||||
(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;
|
||||
}
|
||||
|
||||
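Review bot: On a kernel built without INET, the `CSUM_DELAY_DATA` branch in ip6_ipsec_output now clears the flag without computing the checksum, because `in_delayed_cksum(*m)` is compiled out while `(*m)->m_pkthdr.csum_flags &= ~CSUM_DELAY_DATA;` is not. The packet then appears to continue into IPsec processing with an unfinished transport checksum, and the only trace is a `LOG_DEBUG` message. That message is also emitted when INET is present and the checksum is computed, which makes it misleading. Consider moving the `ipseclog` call into an `#else` arm and failing the packet there through `*error` rather than clearing the flag. The function body continues outside the hunk.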
|
|
|
@ -119,8 +119,10 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
|
|||
struct secasvar *sav;
|
||||
u_int32_t spi;
|
||||
int error;
|
||||
#ifdef INET
|
||||
#ifdef IPSEC_NAT_T
|
||||
struct m_tag *tag;
|
||||
#endif
|
||||
#endif
|
||||
|
||||
IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
|
||||
|
|
|
@ -165,7 +165,29 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
|||
*/
|
||||
if (isr->next) {
|
||||
V_ipsec4stat.ips_out_bundlesa++;
|
||||
return ipsec4_process_packet(m, isr->next, 0, 0);
|
||||
sav = isr->next->sav;
|
||||
saidx = &sav->sah->saidx;
|
||||
switch (saidx->dst.sa.sa_family) {
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
return ipsec4_process_packet(m, isr->next, 0, 0);
|
||||
/* NOTREACHED */
|
||||
#endif
|
||||
#ifdef notyet
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
/* XXX */
|
||||
ipsec6_output_trans()
|
||||
ipsec6_output_tunnel()
|
||||
/* NOTREACHED */
|
||||
#endif /* INET6 */
|
||||
#endif
|
||||
default:
|
||||
DPRINTF(("%s: unknown protocol family %u\n", __func__,
|
||||
saidx->dst.sa.sa_family));
|
||||
error = ENXIO;
|
||||
goto bad;
|
||||
}
|
||||
}
|
||||
key_sa_recordxfer(sav, m); /* record data transfer */
|
||||
|
||||
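Review bot: The new lines `sav = isr->next->sav;` and `saidx = &sav->sah->saidx;` in ipsec_process_done dereference the next request's SA before `ipsec4_process_packet()` has run for it, and nothing in the hunk shows that `isr->next->sav` or its `sah` is already set. The removed code passed `isr->next` through without touching its `sav`, so if the SA for a bundled request is only resolved inside the process-packet path, this is a NULL dereference on the first bundled packet. Either check the pointer before use and fail with the existing `error = ENXIO; goto bad;`, or take the address family from the SA this function already holds for `isr`. Separately, `V_ipsec4stat.ips_out_bundlesa++` now runs before the family check, so it also counts packets that end in the `default:` error arm. The function starts and ends outside the hunk.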
|
|
|
@ -73,7 +73,7 @@
|
|||
#include <netinet6/ip6_var.h>
|
||||
#endif /* INET6 */
|
||||
|
||||
#ifdef INET
|
||||
#if defined(INET) || defined(INET6)
|
||||
#include <netinet/in_pcb.h>
|
||||
#endif
|
||||
#ifdef INET6
|
||||
|
|
|
@ -91,6 +91,7 @@ VNET_DEFINE(int, ah_enable) = 1; /* control flow of packets with AH */
|
|||
VNET_DEFINE(int, ah_cleartos) = 1; /* clear ip_tos when doing AH calc */
|
||||
VNET_DEFINE(struct ahstat, ahstat);
|
||||
|
||||
#ifdef INET
|
||||
SYSCTL_DECL(_net_inet_ah);
|
||||
SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
|
||||
ah_enable, CTLFLAG_RW, &VNET_NAME(ah_enable), 0, "");
|
||||
|
@ -98,6 +99,7 @@ SYSCTL_VNET_INT(_net_inet_ah, OID_AUTO,
|
|||
ah_cleartos, CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "");
|
||||
SYSCTL_VNET_STRUCT(_net_inet_ah, IPSECCTL_STATS,
|
||||
stats, CTLFLAG_RD, &VNET_NAME(ahstat), ahstat, "");
|
||||
#endif
|
||||
|
||||
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
|
||||
|
||||
|
@ -724,19 +726,6 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|||
return ah_input_cb(crp);
|
||||
}
|
||||
|
||||
#ifdef INET6
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
|
||||
if (saidx->dst.sa.sa_family == AF_INET6) { \
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} else { \
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} \
|
||||
} while (0)
|
||||
#else
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
|
||||
(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
|
||||
#endif
|
||||
|
||||
/*
|
||||
* AH input callback from the crypto driver.
|
||||
*/
|
||||
|
@ -873,7 +862,21 @@ ah_input_cb(struct cryptop *crp)
|
|||
goto bad;
|
||||
}
|
||||
|
||||
IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
|
||||
switch (saidx->dst.sa.sa_family) {
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
panic("%s: Unexpected address family: %d saidx=%p", __func__,
|
||||
saidx->dst.sa.sa_family, saidx);
|
||||
}
|
||||
|
||||
KEY_FREESAV(&sav);
|
||||
return error;
|
||||
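Review bot: The `default:` arm added to the switch in ah_input_cb calls `panic()` when `saidx->dst.sa.sa_family` is not a compiled-in family, where the removed `IPSEC_COMMON_INPUT_CB` macro fell back to `ipsec4_common_input_cb()`. If an SA with such a family can exist, for example an AF_INET SA on a kernel built without INET, inbound traffic for that SA halts the machine instead of being dropped. Whether SA setup rejects that case is not visible here. Failing the packet is the safer default, along the lines of the `error = ENXIO; goto bad;` used in ipsec_process_done in this commit, assuming the `bad` label already used in this function releases `m` and `sav`. The same `default: panic(...)` arm is added in esp_input_cb and ipcomp_input_cb. All three functions extend outside their hunks.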
|
|
|
@ -451,19 +451,6 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|||
return esp_input_cb(crp);
|
||||
}
|
||||
|
||||
#ifdef INET6
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
|
||||
if (saidx->dst.sa.sa_family == AF_INET6) { \
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} else { \
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} \
|
||||
} while (0)
|
||||
#else
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
|
||||
(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
|
||||
#endif
|
||||
|
||||
/*
|
||||
* ESP input callback from the crypto driver.
|
||||
*/
|
||||
|
@ -647,7 +634,21 @@ esp_input_cb(struct cryptop *crp)
|
|||
/* Restore the Next Protocol field */
|
||||
m_copyback(m, protoff, sizeof (u_int8_t), lastthree + 2);
|
||||
|
||||
IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag);
|
||||
switch (saidx->dst.sa.sa_family) {
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag);
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
panic("%s: Unexpected address family: %d saidx=%p", __func__,
|
||||
saidx->dst.sa.sa_family, saidx);
|
||||
}
|
||||
|
||||
KEY_FREESAV(&sav);
|
||||
return error;
|
||||
|
|
|
@ -213,19 +213,6 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
|
|||
return crypto_dispatch(crp);
|
||||
}
|
||||
|
||||
#ifdef INET6
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) do { \
|
||||
if (saidx->dst.sa.sa_family == AF_INET6) { \
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} else { \
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag); \
|
||||
} \
|
||||
} while (0)
|
||||
#else
|
||||
#define IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, mtag) \
|
||||
(error = ipsec4_common_input_cb(m, sav, skip, protoff, mtag))
|
||||
#endif
|
||||
|
||||
/*
|
||||
* IPComp input callback from the crypto driver.
|
||||
*/
|
||||
|
@ -316,7 +303,21 @@ ipcomp_input_cb(struct cryptop *crp)
|
|||
/* Restore the Next Protocol field */
|
||||
m_copyback(m, protoff, sizeof (u_int8_t), (u_int8_t *) &nproto);
|
||||
|
||||
IPSEC_COMMON_INPUT_CB(m, sav, skip, protoff, NULL);
|
||||
switch (saidx->dst.sa.sa_family) {
|
||||
#ifdef INET6
|
||||
case AF_INET6:
|
||||
error = ipsec6_common_input_cb(m, sav, skip, protoff, NULL);
|
||||
break;
|
||||
#endif
|
||||
#ifdef INET
|
||||
case AF_INET:
|
||||
error = ipsec4_common_input_cb(m, sav, skip, protoff, NULL);
|
||||
break;
|
||||
#endif
|
||||
default:
|
||||
panic("%s: Unexpected address family: %d saidx=%p", __func__,
|
||||
saidx->dst.sa.sa_family, saidx);
|
||||
}
|
||||
|
||||
KEY_FREESAV(&sav);
|
||||
return error;
|
||||
|
|
|
@ -412,8 +412,10 @@ ipip_output(
|
|||
u_int8_t tp, otos;
|
||||
struct secasindex *saidx;
|
||||
int error;
|
||||
#ifdef INET
|
||||
#if defined(INET) || defined(INET6)
|
||||
u_int8_t itos;
|
||||
#endif
|
||||
#ifdef INET
|
||||
struct ip *ipo;
|
||||
#endif /* INET */
|
||||
#ifdef INET6
|
||||
|
@ -466,7 +468,8 @@ ipip_output(
|
|||
ipo->ip_id = ip_newid();
|
||||
|
||||
/* If the inner protocol is IP... */
|
||||
if (tp == IPVERSION) {
|
||||
switch (tp) {
|
||||
case IPVERSION:
|
||||
/* Save ECN notification */
|
||||
m_copydata(m, sizeof(struct ip) +
|
||||
offsetof(struct ip, ip_tos),
|
||||
|
@ -484,9 +487,10 @@ ipip_output(
|
|||
ipo->ip_off = ntohs(ipo->ip_off);
|
||||
ipo->ip_off &= ~(IP_DF | IP_MF | IP_OFFMASK);
|
||||
ipo->ip_off = htons(ipo->ip_off);
|
||||
}
|
||||
break;
|
||||
#ifdef INET6
|
||||
else if (tp == (IPV6_VERSION >> 4)) {
|
||||
case (IPV6_VERSION >> 4):
|
||||
{
|
||||
u_int32_t itos32;
|
||||
|
||||
/* Save ECN notification. */
|
||||
|
@ -496,9 +500,10 @@ ipip_output(
|
|||
itos = ntohl(itos32) >> 20;
|
||||
ipo->ip_p = IPPROTO_IPV6;
|
||||
ipo->ip_off = 0;
|
||||
break;
|
||||
}
|
||||
#endif /* INET6 */
|
||||
else {
|
||||
default:
|
||||
goto nofamily;
|
||||
}
|
||||
|
||||
|
@ -547,8 +552,9 @@ ipip_output(
|
|||
ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
|
||||
ip6o->ip6_src = saidx->src.sin6.sin6_addr;
|
||||
|
||||
switch (tp) {
|
||||
#ifdef INET
|
||||
if (tp == IPVERSION) {
|
||||
case IPVERSION:
|
||||
/* Save ECN notification */
|
||||
m_copydata(m, sizeof(struct ip6_hdr) +
|
||||
offsetof(struct ip, ip_tos), sizeof(u_int8_t),
|
||||
|
@ -556,21 +562,23 @@ ipip_output(
|
|||
|
||||
/* This is really IPVERSION. */
|
||||
ip6o->ip6_nxt = IPPROTO_IPIP;
|
||||
} else
|
||||
break;
|
||||
#endif /* INET */
|
||||
if (tp == (IPV6_VERSION >> 4)) {
|
||||
u_int32_t itos32;
|
||||
case (IPV6_VERSION >> 4):
|
||||
{
|
||||
u_int32_t itos32;
|
||||
|
||||
/* Save ECN notification. */
|
||||
m_copydata(m, sizeof(struct ip6_hdr) +
|
||||
offsetof(struct ip6_hdr, ip6_flow),
|
||||
sizeof(u_int32_t), (caddr_t) &itos32);
|
||||
itos = ntohl(itos32) >> 20;
|
||||
/* Save ECN notification. */
|
||||
m_copydata(m, sizeof(struct ip6_hdr) +
|
||||
offsetof(struct ip6_hdr, ip6_flow),
|
||||
sizeof(u_int32_t), (caddr_t) &itos32);
|
||||
itos = ntohl(itos32) >> 20;
|
||||
|
||||
ip6o->ip6_nxt = IPPROTO_IPV6;
|
||||
} else {
|
||||
goto nofamily;
|
||||
}
|
||||
ip6o->ip6_nxt = IPPROTO_IPV6;
|
||||
}
|
||||
default:
|
||||
goto nofamily;
|
||||
}
|
||||
|
||||
otos = 0;
|
||||
ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
|
||||
|
@ -622,6 +630,7 @@ ipip_output(
|
|||
}
|
||||
|
||||
#ifdef IPSEC
|
||||
#if defined(INET) || defined(INET6)
|
||||
static int
|
||||
ipe4_init(struct secasvar *sav, struct xformsw *xsp)
|
||||
{
|
||||
|
@ -652,6 +661,8 @@ static struct xformsw ipe4_xformsw = {
|
|||
};
|
||||
|
||||
extern struct domain inetdomain;
|
||||
#endif /* INET || INET6 */
|
||||
#ifdef INET
|
||||
static struct protosw ipe4_protosw = {
|
||||
.pr_type = SOCK_RAW,
|
||||
.pr_domain = &inetdomain,
|
||||
|
@ -661,7 +672,8 @@ static struct protosw ipe4_protosw = {
|
|||
.pr_ctloutput = rip_ctloutput,
|
||||
.pr_usrreqs = &rip_usrreqs
|
||||
};
|
||||
#ifdef INET6
|
||||
#endif /* INET */
|
||||
#if defined(INET6) && defined(INET)
|
||||
static struct ip6protosw ipe6_protosw = {
|
||||
.pr_type = SOCK_RAW,
|
||||
.pr_domain = &inetdomain,
|
||||
|
@ -671,8 +683,9 @@ static struct ip6protosw ipe6_protosw = {
|
|||
.pr_ctloutput = rip_ctloutput,
|
||||
.pr_usrreqs = &rip_usrreqs
|
||||
};
|
||||
#endif
|
||||
#endif /* INET6 && INET */
|
||||
|
||||
#if defined(INET)
|
||||
/*
|
||||
* Check the encapsulated packet to see if we want it
|
||||
*/
|
||||
|
@ -687,6 +700,7 @@ ipe4_encapcheck(const struct mbuf *m, int off, int proto, void *arg)
|
|||
*/
|
||||
return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
|
||||
}
|
||||
#endif /* INET */
|
||||
|
||||
static void
|
||||
ipe4_attach(void)
|
||||
|
@ -695,9 +709,11 @@ ipe4_attach(void)
|
|||
xform_register(&ipe4_xformsw);
|
||||
/* attach to encapsulation framework */
|
||||
/* XXX save return cookie for detach on module remove */
|
||||
#ifdef INET
|
||||
(void) encap_attach_func(AF_INET, -1,
|
||||
ipe4_encapcheck, &ipe4_protosw, NULL);
|
||||
#ifdef INET6
|
||||
#endif
|
||||
#if defined(INET6) && defined(INET)
|
||||
(void) encap_attach_func(AF_INET6, -1,
|
||||
ipe4_encapcheck, (struct protosw *)&ipe6_protosw, NULL);
|
||||
#endif
|
||||
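Review bot: In the IPv6-outer branch of ipip_output (the hunk at -556,21 +562,23), the new `case (IPV6_VERSION >> 4):` block ends with `ip6o->ip6_nxt = IPPROTO_IPV6;` and `}` but no `break;`, so control falls through to `default: goto nofamily;`. The matching switch in the IPv4-outer branch does add a `break;` before its closing brace, and the removed if/else chain here reached `nofamily` only for an unknown inner version. As written, IPv6-in-IPv6 encapsulation would always take the error path. Add `break;` after `ip6o->ip6_nxt = IPPROTO_IPV6;`. ipip_output starts and ends outside these hunks.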
|
|