Use ipsec4_in_reject() to simplify ip_ipsec_fwd() and ip_ipsec_input().

ipsec4_in_reject() does the same things, also it counts policy violation errors. Obtained from: Yandex LLC Sponsored by: Yandex LLC
svn path=/head/; revision=275713
2025-01-02 12:20:51 +00:00 · 2014-12-11 18:55:54 +00:00 · 2014-12-11 18:55:54 +00:00 · 0332a55f0f · 2020-12-20 02:59:44 +00:00
commit 0332a55f0f
parent a91150da31
1 changed files with 3 additions and 31 deletions
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@ -107,20 +107,8 @@ ip_ipsec_filtertunnel(struct mbuf *m)
 int
 ip_ipsec_fwd(struct mbuf *m)
 {
-	struct secpolicy *sp;
-	int error;

-	sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-	if (sp != NULL) {
-		/*
-		 * Check security policy against packet attributes.
-		 */
-		error = ipsec_in_reject(sp, m);
-		KEY_FREESP(&sp);
-	}
-	if (error != 0)
-		return (1);
-	return (0);
+	return (ipsec4_in_reject(m, NULL));
 }

 /*
@ -133,29 +121,13 @@ ip_ipsec_fwd(struct mbuf *m)
 int
 ip_ipsec_input(struct mbuf *m, int nxt)
 {
-	struct secpolicy *sp;
-	int error;
 	/*
 	 * enforce IPsec policy checking if we are seeing last header.
 	 * note that we do not visit this with protocols with pcb layer
 	 * code - like udp/tcp/raw ip.
 	 */
-	if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0) {
-		sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, &error);
-		if (sp != NULL) {
-			/*
-			 * Check security policy against packet attributes.
-			 */
-			error = ipsec_in_reject(sp, m);
-			KEY_FREESP(&sp);
-		} else {
-			/* XXX error stat??? */
-			error = EINVAL;
-			DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/
-		}
-		if (error != 0)
-			return (1);
-	}
+	if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0)
+		return (ipsec4_in_reject(m, NULL));
 	return (0);
 }