version 1.78.2.2, 2006/12/30 20:50:38 |
version 1.78.2.3, 2007/02/26 09:11:52 |
Line 112 __KERNEL_RCSID(0, "$NetBSD$"); |
|
Line 112 __KERNEL_RCSID(0, "$NetBSD$"); |
|
#include <netinet6/ipsec.h> |
#include <netinet6/ipsec.h> |
#endif |
#endif |
|
|
|
#ifdef FAST_IPSEC |
|
#include <netipsec/ipsec.h> |
|
#include <netipsec/ipsec6.h> |
|
#include <netipsec/key.h> |
|
#endif /* FAST_IPSEC */ |
|
|
#include <netinet6/ip6protosw.h> |
#include <netinet6/ip6protosw.h> |
|
|
#include "faith.h" |
#include "faith.h" |
|
|
extern struct route_in6 ip6_forward_rt; |
extern struct route_in6 ip6_forward_rt; |
|
|
void |
void |
ip6_input(m) |
ip6_input(struct mbuf *m) |
struct mbuf *m; |
|
{ |
{ |
struct ip6_hdr *ip6; |
struct ip6_hdr *ip6; |
int off = sizeof(struct ip6_hdr), nest; |
int off = sizeof(struct ip6_hdr), nest; |
|
|
int nxt, ours = 0; |
int nxt, ours = 0; |
struct ifnet *deliverifp = NULL; |
struct ifnet *deliverifp = NULL; |
int srcrt = 0; |
int srcrt = 0; |
|
#ifdef FAST_IPSEC |
|
struct m_tag *mtag; |
|
struct tdb_ident *tdbi; |
|
struct secpolicy *sp; |
|
int s, error; |
|
#endif |
|
|
#ifdef IPSEC |
#ifdef IPSEC |
/* |
/* |
|
|
else |
else |
ip6stat.ip6s_mext1++; |
ip6stat.ip6s_mext1++; |
} else { |
} else { |
#define M2MMAX (sizeof(ip6stat.ip6s_m2m)/sizeof(ip6stat.ip6s_m2m[0])) |
#define M2MMAX __arraycount(ip6stat.ip6s_m2m) |
if (m->m_next) { |
if (m->m_next) { |
if (m->m_flags & M_LOOP) { |
if (m->m_flags & M_LOOP) { |
ip6stat.ip6s_m2m[lo0ifp->if_index]++; /* XXX */ |
ip6stat.ip6s_m2m[lo0ifp->if_index]++; /* XXX */ |
|
|
*/ |
*/ |
#ifdef IPSEC |
#ifdef IPSEC |
if (!ipsec_getnhist(m)) |
if (!ipsec_getnhist(m)) |
|
#elif defined(FAST_IPSEC) |
|
if (!ipsec_indone(m)) |
#else |
#else |
if (1) |
if (1) |
#endif |
#endif |
|
|
* Unicast check |
* Unicast check |
*/ |
*/ |
if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, |
if (!IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, |
&((struct sockaddr_in6 *)(&ip6_forward_rt.ro_dst))->sin6_addr)) |
&((const struct sockaddr_in6 *)rtcache_getdst((const struct route *)&ip6_forward_rt))->sin6_addr)) |
rtcache_free((struct route *)&ip6_forward_rt); |
rtcache_free((struct route *)&ip6_forward_rt); |
else |
else |
rtcache_check((struct route *)&ip6_forward_rt); |
rtcache_check((struct route *)&ip6_forward_rt); |
|
|
|
|
ip6stat.ip6s_forward_cachemiss++; |
ip6stat.ip6s_forward_cachemiss++; |
|
|
bzero(&ip6_forward_rt.ro_dst, sizeof(struct sockaddr_in6)); |
dst6 = &ip6_forward_rt.ro_dst; |
dst6 = (struct sockaddr_in6 *)&ip6_forward_rt.ro_dst; |
memset(dst6, 0, sizeof(*dst6)); |
dst6->sin6_len = sizeof(struct sockaddr_in6); |
dst6->sin6_len = sizeof(struct sockaddr_in6); |
dst6->sin6_family = AF_INET6; |
dst6->sin6_family = AF_INET6; |
dst6->sin6_addr = ip6->ip6_dst; |
dst6->sin6_addr = ip6->ip6_dst; |
|
|
goto bad; |
goto bad; |
} |
} |
#endif |
#endif |
|
#ifdef FAST_IPSEC |
|
/* |
|
* enforce IPsec policy checking if we are seeing last header. |
|
* note that we do not visit this with protocols with pcb layer |
|
* code - like udp/tcp/raw ip. |
|
*/ |
|
if ((inet6sw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) { |
|
/* |
|
* Check if the packet has already had IPsec processing |
|
* done. If so, then just pass it along. This tag gets |
|
* set during AH, ESP, etc. input handling, before the |
|
* packet is returned to the ip input queue for delivery. |
|
*/ |
|
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); |
|
s = splsoftnet(); |
|
if (mtag != NULL) { |
|
tdbi = (struct tdb_ident *)(mtag + 1); |
|
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); |
|
} else { |
|
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, |
|
IP_FORWARDING, &error); |
|
} |
|
if (sp != NULL) { |
|
/* |
|
* Check security policy against packet attributes. |
|
*/ |
|
error = ipsec_in_reject(sp, m); |
|
KEY_FREESP(&sp); |
|
} else { |
|
/* XXX error stat??? */ |
|
error = EINVAL; |
|
DPRINTF(("ip6_input: no SP, packet discarded\n"));/*XXX*/ |
|
goto bad; |
|
} |
|
splx(s); |
|
if (error) |
|
goto bad; |
|
} |
|
#endif /* FAST_IPSEC */ |
|
|
|
|
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt); |
} |
} |
Line 1244 ip6_savecontrol(in6p, mp, ip6, m) |
|
Line 1297 ip6_savecontrol(in6p, mp, ip6, m) |
|
|
|
|
|
void |
void |
ip6_notify_pmtu(struct in6pcb *in6p, struct sockaddr_in6 *dst, uint32_t *mtu) |
ip6_notify_pmtu(struct in6pcb *in6p, const struct sockaddr_in6 *dst, |
|
uint32_t *mtu) |
{ |
{ |
struct socket *so; |
struct socket *so; |
struct mbuf *m_mtu; |
struct mbuf *m_mtu; |
Line 1270 ip6_notify_pmtu(struct in6pcb *in6p, str |
|
Line 1324 ip6_notify_pmtu(struct in6pcb *in6p, str |
|
IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) |
IPV6_PATHMTU, IPPROTO_IPV6)) == NULL) |
return; |
return; |
|
|
if (sbappendaddr(&so->so_rcv, (struct sockaddr *)dst, NULL, m_mtu) |
if (sbappendaddr(&so->so_rcv, (const struct sockaddr *)dst, NULL, m_mtu) |
== 0) { |
== 0) { |
m_freem(m_mtu); |
m_freem(m_mtu); |
/* XXX: should count statistics */ |
/* XXX: should count statistics */ |