Author: ae
Date: Wed Apr 23 12:05:53 2014
New Revision: 264815
URL: http://svnweb.freebsd.org/changeset/base/264815
Log:
MFC r264124:
Remove dead code.
MFC r264125:
Remove unused variable.
MFC r264126:
The check for local address spoofing lacks ifaddr locking.
Remove these loops and use in_localip() and in6_localip()
functions instead.
MFC r264520:
Remove _IP_VHL* macros and related ifdefs.
Modified:
stable/9/sys/netipsec/ipsec.c
stable/9/sys/netipsec/ipsec_output.c
stable/9/sys/netipsec/xform_ipip.c
Directory Properties:
stable/9/sys/ (props changed)
Modified: stable/9/sys/netipsec/ipsec.c
==============================================================================
--- stable/9/sys/netipsec/ipsec.c Wed Apr 23 11:22:54 2014
(r264814)
+++ stable/9/sys/netipsec/ipsec.c Wed Apr 23 12:05:53 2014
(r264815)
@@ -553,11 +553,7 @@ ipsec_setspidx(struct mbuf *m, struct se
m_copydata(m, 0, sizeof(ipbuf), (caddr_t)&ipbuf);
ip = &ipbuf;
}
-#ifdef _IP_VHL
- v = _IP_VHL_V(ip->ip_vhl);
-#else
v = ip->ip_v;
-#endif
switch (v) {
case 4:
error = ipsec4_setspidx_ipaddr(m, spidx);
@@ -602,11 +598,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
struct ip *ip = mtod(m, struct ip *);
if (ip->ip_off & (IP_MF | IP_OFFMASK))
goto done;
-#ifdef _IP_VHL
- off = _IP_VHL_HL(ip->ip_vhl) << 2;
-#else
off = ip->ip_hl << 2;
-#endif
nxt = ip->ip_p;
} else {
struct ip ih;
@@ -614,11 +606,7 @@ ipsec4_get_ulp(struct mbuf *m, struct se
m_copydata(m, 0, sizeof (struct ip), (caddr_t) &ih);
if (ih.ip_off & (IP_MF | IP_OFFMASK))
goto done;
-#ifdef _IP_VHL
- off = _IP_VHL_HL(ih.ip_vhl) << 2;
-#else
off = ih.ip_hl << 2;
-#endif
nxt = ih.ip_p;
}
Modified: stable/9/sys/netipsec/ipsec_output.c
==============================================================================
--- stable/9/sys/netipsec/ipsec_output.c Wed Apr 23 11:22:54 2014
(r264814)
+++ stable/9/sys/netipsec/ipsec_output.c Wed Apr 23 12:05:53 2014
(r264815)
@@ -211,11 +211,7 @@ ipsec_process_done(struct mbuf *m, struc
* insert UDP encapsulation header after IP header.
*/
if (sav->natt_type) {
-#ifdef _IP_VHL
- const int hlen = IP_VHL_HL(ip->ip_vhl);
-#else
const int hlen = (ip->ip_hl << 2);
-#endif
int size, off;
struct mbuf *mi;
struct udphdr *udp;
@@ -510,15 +506,7 @@ ipsec4_process_packet(
ip = mtod(m, struct ip *);
ip->ip_len = htons(m->m_pkthdr.len);
ip->ip_sum = 0;
-#ifdef _IP_VHL
- if (ip->ip_vhl == IP_VHL_BORING)
- ip->ip_sum = in_cksum_hdr(ip);
- else
- ip->ip_sum = in_cksum(m,
- _IP_VHL_HL(ip->ip_vhl) << 2);
-#else
ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
-#endif
/* Encapsulate the packet */
error = ipip_output(m, isr, &mp, 0, 0);
Modified: stable/9/sys/netipsec/xform_ipip.c
==============================================================================
--- stable/9/sys/netipsec/xform_ipip.c Wed Apr 23 11:22:54 2014
(r264814)
+++ stable/9/sys/netipsec/xform_ipip.c Wed Apr 23 12:05:53 2014
(r264815)
@@ -64,9 +64,6 @@
#include <netinet/ip_ecn.h>
#include <netinet/ip_var.h>
#include <netinet/ip_encap.h>
-#ifdef MROUTING
-#include <netinet/ip_mroute.h>
-#endif
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
@@ -155,18 +152,11 @@ ip4_input(struct mbuf *m, int off)
static void
_ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
{
-#ifdef INET
- register struct sockaddr_in *sin;
-#endif
- register struct ifnet *ifp;
- register struct ifaddr *ifa;
struct ip *ipo;
#ifdef INET6
- register struct sockaddr_in6 *sin6;
struct ip6_hdr *ip6 = NULL;
u_int8_t itos;
#endif
- u_int8_t nxt;
int isr;
u_int8_t otos;
u_int8_t v;
@@ -201,18 +191,8 @@ _ipip_input(struct mbuf *m, int iphlen,
return;
}
}
-
ipo = mtod(m, struct ip *);
-#ifdef MROUTING
- if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) {
- if (IN_MULTICAST(((struct ip *)((char *) ipo +
iphlen))->ip_dst.s_addr)) {
- ipip_mroute_input (m, iphlen);
- return;
- }
- }
-#endif /* MROUTING */
-
/* Keep outer ecn field. */
switch (v >> 4) {
#ifdef INET
@@ -281,14 +261,12 @@ _ipip_input(struct mbuf *m, int iphlen,
#ifdef INET
case 4:
ipo = mtod(m, struct ip *);
- nxt = ipo->ip_p;
ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos);
break;
#endif /* INET */
#ifdef INET6
case 6:
ip6 = (struct ip6_hdr *) ipo;
- nxt = ip6->ip6_nxt;
itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos);
ip6->ip6_flow &= ~htonl(0xff << 20);
@@ -303,47 +281,22 @@ _ipip_input(struct mbuf *m, int iphlen,
if ((m->m_pkthdr.rcvif == NULL ||
!(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
V_ipip_allow != 2) {
- IFNET_RLOCK_NOSLEEP();
- TAILQ_FOREACH(ifp, &V_ifnet, if_link) {
- TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
-#ifdef INET
- if (ipo) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET)
- continue;
-
- sin = (struct sockaddr_in *)
ifa->ifa_addr;
-
- if (sin->sin_addr.s_addr ==
- ipo->ip_src.s_addr) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
- }
-#endif /* INET */
-
+#ifdef INET
+ if ((v >> 4) == IPVERSION &&
+ in_localip(ipo->ip_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
+ }
+#endif
#ifdef INET6
- if (ip6) {
- if (ifa->ifa_addr->sa_family !=
- AF_INET6)
- continue;
-
- sin6 = (struct sockaddr_in6 *)
ifa->ifa_addr;
-
- if
(IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
- IPIPSTAT_INC(ipips_spoof);
- m_freem(m);
- IFNET_RUNLOCK_NOSLEEP();
- return;
- }
-
- }
-#endif /* INET6 */
- }
+ if ((v & IPV6_VERSION_MASK) == IPV6_VERSION &&
+ in6_localip(&ip6->ip6_src) != 0) {
+ IPIPSTAT_INC(ipips_spoof);
+ m_freem(m);
+ return;
}
- IFNET_RUNLOCK_NOSLEEP();
+#endif
}
/* Statistics */
_______________________________________________
svn-src-stable-9@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/svn-src-stable-9
To unsubscribe, send any mail to "svn-src-stable-9-unsubscr...@freebsd.org"
