[src/netbsd-1-5]: src/sys/netinet6 Pull up revision 1.32 (requested by itojun):
details: https://anonhg.NetBSD.org/src/rev/5fddb5d2238d
branches: netbsd-1-5
changeset: 491206:5fddb5d2238d
user: he <he%NetBSD.org@localhost>
date: Fri Apr 06 00:28:34 2001 +0000
description:
Pull up revision 1.32 (requested by itojun):
Record IPsec packet history in m_aux structure. Let ipfilter
look at wire-format packet only (not the decapsulated ones), so
that VPN setting can work with NAT/ipfilter settings.
diffstat:
sys/netinet6/ipsec.c | 145 +++++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 128 insertions(+), 17 deletions(-)
diffs (186 lines):
diff -r 614544ec1036 -r 5fddb5d2238d sys/netinet6/ipsec.c
--- a/sys/netinet6/ipsec.c Fri Apr 06 00:28:20 2001 +0000
+++ b/sys/netinet6/ipsec.c Fri Apr 06 00:28:34 2001 +0000
@@ -1,5 +1,5 @@
-/* $NetBSD: ipsec.c,v 1.23.2.3 2000/11/10 01:15:26 tv Exp $ */
-/* $KAME: ipsec.c,v 1.83 2000/11/09 17:45:30 itojun Exp $ */
+/* $NetBSD: ipsec.c,v 1.23.2.4 2001/04/06 00:28:34 he Exp $ */
+/* $KAME: ipsec.c,v 1.87 2001/01/23 08:59:38 itojun Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -152,6 +152,9 @@
#ifdef INET6
static int ipsec6_encapsulate __P((struct mbuf *, struct secasvar *));
#endif
+static struct mbuf *ipsec_addaux __P((struct mbuf *));
+static struct mbuf *ipsec_findaux __P((struct mbuf *));
+static void ipsec_optaux __P((struct mbuf *, struct mbuf *));
/*
* For OUTBOUND packet having a socket. Searching SPD for packet,
@@ -3258,27 +3261,78 @@
return(NULL);
}
+static struct mbuf *
+ipsec_addaux(m)
+ struct mbuf *m;
+{
+ struct mbuf *n;
+
+ n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+ if (!n)
+ n = m_aux_add(m, AF_INET, IPPROTO_ESP);
+ if (!n)
+ return n; /* ENOBUFS */
+ n->m_len = sizeof(struct socket *);
+ bzero(mtod(n, void *), n->m_len);
+ return n;
+}
+
+static struct mbuf *
+ipsec_findaux(m)
+ struct mbuf *m;
+{
+ struct mbuf *n;
+
+ n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+#ifdef DIAGNOSTIC
+ if (n && n->m_len < sizeof(struct socket *))
+ panic("invalid ipsec m_aux");
+#endif
+ return n;
+}
+
void
+ipsec_delaux(m)
+ struct mbuf *m;
+{
+ struct mbuf *n;
+
+ n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+ if (n)
+ m_aux_delete(m, n);
+}
+
+/* if the aux buffer is unnecessary, nuke it. */
+static void
+ipsec_optaux(m, n)
+ struct mbuf *m;
+ struct mbuf *n;
+{
+
+ if (!n)
+ return;
+ if (n->m_len == sizeof(struct socket *) && !*mtod(n, struct socket **))
+ ipsec_delaux(m);
+}
+
+int
ipsec_setsocket(m, so)
struct mbuf *m;
struct socket *so;
{
struct mbuf *n;
- n = m_aux_find(m, AF_INET, IPPROTO_ESP);
- if (so && !n)
- n = m_aux_add(m, AF_INET, IPPROTO_ESP);
- if (n) {
- if (so) {
- *mtod(n, struct socket **) = so;
- /*
- * XXX think again about it when we put decryption
- * histrory into aux mbuf
- */
- n->m_len = sizeof(struct socket *);
- } else
- m_aux_delete(m, n);
- }
+ /* if so == NULL, don't insist on getting the aux mbuf */
+ if (so) {
+ n = ipsec_addaux(m);
+ if (!n)
+ return ENOBUFS;
+ } else
+ n = ipsec_findaux(m);
+ if (n && n->m_len >= sizeof(struct socket *))
+ *mtod(n, struct socket **) = so;
+ ipsec_optaux(m, n);
+ return 0;
}
struct socket *
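Review bot: `ipsec_addaux` sets `n->m_len = sizeof(struct socket *)` and bzero()s the buffer unconditionally, including when `m_aux_find` returned an aux mbuf that already existed, so every caller wipes whatever the aux mbuf held: `ipsec_setsocket(m, so)` with a non-NULL socket drops any recorded history, and `ipsec_addhist` in the next hunk clears the socket pointer and every earlier history record before appending its own, leaving at most one record per packet. Since `ipsec_gethist` reports a byte length and checks divisibility by `sizeof(struct ipsec_history)`, the design appears to expect several records to accumulate (an inference, not visible in this hunk), in which case the reset belongs only on the newly-allocated path. The change below keeps the ENOBUFS contract and the zeroed initial state for a fresh aux mbuf while preserving existing contents.
```c
static struct mbuf *
ipsec_addaux(m)
	struct mbuf *m;
{
	struct mbuf *n;

	n = m_aux_find(m, AF_INET, IPPROTO_ESP);
	if (!n) {
		/* fresh aux mbuf: initialize to "no socket, no history" */
		n = m_aux_add(m, AF_INET, IPPROTO_ESP);
		if (!n)
			return n;	/* ENOBUFS */
		n->m_len = sizeof(struct socket *);
		bzero(mtod(n, void *), n->m_len);
	}
	return n;
}
```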
@@ -3287,13 +3341,70 @@
{
struct mbuf *n;
- n = m_aux_find(m, AF_INET, IPPROTO_ESP);
+ n = ipsec_findaux(m);
if (n && n->m_len >= sizeof(struct socket *))
return *mtod(n, struct socket **);
else
return NULL;
}
+int
+ipsec_addhist(m, proto, spi)
+ struct mbuf *m;
+ int proto;
+ u_int32_t spi;
+{
+ struct mbuf *n;
+ struct ipsec_history *p;
+
+ n = ipsec_addaux(m);
+ if (!n)
+ return ENOBUFS;
+ if (M_TRAILINGSPACE(n) < sizeof(*p))
+ return ENOSPC; /*XXX*/
+ p = (struct ipsec_history *)(mtod(n, caddr_t) + n->m_len);
+ n->m_len += sizeof(*p);
+ bzero(p, sizeof(*p));
+ p->ih_proto = proto;
+ p->ih_spi = spi;
+ return 0;
+}
+
+struct ipsec_history *
+ipsec_gethist(m, lenp)
+ struct mbuf *m;
+ int *lenp;
+{
+ struct mbuf *n;
+ int l;
+
+ n = ipsec_findaux(m);
+ if (!n)
+ return NULL;
+ l = n->m_len;
+ if (sizeof(struct socket *) > l)
+ return NULL;
+ if ((l - sizeof(struct socket *)) % sizeof(struct ipsec_history))
+ return NULL;
+ /* XXX does it make more sense to divide by sizeof(ipsec_history)? */
+ if (lenp)
+ *lenp = l - sizeof(struct socket *);
+ return (struct ipsec_history *)
+ (mtod(n, caddr_t) + sizeof(struct socket *));
+}
+
+void
+ipsec_clearhist(m)
+ struct mbuf *m;
+{
+ struct mbuf *n;
+
+ n = ipsec_findaux(m);
+ if ((n) && n->m_len > sizeof(struct socket *))
+ n->m_len = sizeof(struct socket *);
+ ipsec_optaux(m, n);
+}
+
/*
* System control for IPSEC
*/
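Review bot: `ipsec_gethist` returns a pointer into the aux mbuf's data and stores a byte count, not a record count, in `*lenp` (the `XXX` comment just above the assignment acknowledges this), but neither is stated at the function, and the pointer is invalidated by the next `ipsec_addhist`, `ipsec_clearhist` or `ipsec_delaux` on the same mbuf. A header comment would keep callers from indexing the result as a count or caching it across those calls: `/* Return the ipsec_history array kept in m's aux mbuf, or NULL if there is none or its length is inconsistent; *lenp receives the array length in BYTES. The pointer is valid only until the aux mbuf is next modified or deleted. */`.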