IPSEC and FAST_IPSEC have the same internal API now;

so merge these (IPSEC has an extra ipsecstat)

Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>

sys/netinet/raw_ip.c

@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
 {
 	int policyfail = 0;
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	/* check AH/ESP integrity. */
+	if (ipsec4_in_reject(n, last)) {
+		policyfail = 1;
 #ifdef IPSEC
-	/* check AH/ESP integrity. */
-	if (ipsec4_in_reject(n, last)) {
-		policyfail = 1;
 		ipsecstat.in_polvio++;
-		/* do not inject data to pcb */
-	}
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
-	/* check AH/ESP integrity. */
-	if (ipsec4_in_reject(n, last)) {
-		policyfail = 1;
 		/* do not inject data to pcb */
 	}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 	if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
 		policyfail = 1;

sys/netinet/tcp_input.c

@@ -567,29 +567,21 @@ findpcb:
 						1, m->m_pkthdr.rcvif);
       }
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	if (isipv6) {
+		if (inp != NULL && ipsec6_in_reject(m, inp)) {
 #ifdef IPSEC
-	if (isipv6) {
-		if (inp != NULL && ipsec6_in_reject(m, inp)) {
 			ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 			goto drop;
 		}
-	} else {
-		if (inp != NULL && ipsec4_in_reject(m, inp)) {
-			ipsecstat.in_polvio++;
-			goto drop;
-		}
-	}
-#endif
-#ifdef FAST_IPSEC
-	if (isipv6) {
-		if (inp != NULL && ipsec6_in_reject(m, inp)) {
-			goto drop;
-		}
-	} else
-	if (inp != NULL && ipsec4_in_reject(m, inp)) {
+	} else  if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+		ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 		goto drop;
 	}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 
 	/*
 	 * If the state is CLOSED (i.e., TCB does not exist) then

sys/netinet/tcp_reass.c

@@ -567,29 +567,21 @@ findpcb:
 						1, m->m_pkthdr.rcvif);
       }
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	if (isipv6) {
+		if (inp != NULL && ipsec6_in_reject(m, inp)) {
 #ifdef IPSEC
-	if (isipv6) {
-		if (inp != NULL && ipsec6_in_reject(m, inp)) {
 			ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 			goto drop;
 		}
-	} else {
-		if (inp != NULL && ipsec4_in_reject(m, inp)) {
-			ipsecstat.in_polvio++;
-			goto drop;
-		}
-	}
-#endif
-#ifdef FAST_IPSEC
-	if (isipv6) {
-		if (inp != NULL && ipsec6_in_reject(m, inp)) {
-			goto drop;
-		}
-	} else
-	if (inp != NULL && ipsec4_in_reject(m, inp)) {
+	} else  if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+		ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 		goto drop;
 	}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 
 	/*
 	 * If the state is CLOSED (i.e., TCB does not exist) then

sys/netinet/udp_usrreq.c

@@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
 	struct sockaddr *append_sa;
 	struct mbuf *opts = 0;
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	/* check AH/ESP integrity. */
+	if (ipsec4_in_reject(n, last)) {
 #ifdef IPSEC
-	/* check AH/ESP integrity. */
-	if (ipsec4_in_reject(n, last)) {
 		ipsecstat.in_polvio++;
-		m_freem(n);
-		return;
-	}
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
-	/* check AH/ESP integrity. */
-	if (ipsec4_in_reject(n, last)) {
 		m_freem(n);
 		return;
 	}
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 	if (mac_check_inpcb_deliver(last, n) != 0) {
 		m_freem(n);

sys/netinet6/ip6_output.c

@@ -185,14 +185,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
 	struct route_in6 *ro_pmtu = NULL;
 	int hdrsplit = 0;
 	int needipsec = 0;
-#ifdef FAST_IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 	int needipsectun = 0;
 	struct secpolicy *sp = NULL;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
-	int needipsectun = 0;
-	struct secpolicy *sp = NULL;
-#endif /* IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 
 	ip6 = mtod(m, struct ip6_hdr *);
 	finaldst = ip6->ip6_dst;

sys/netinet6/raw_ip6.c

@@ -176,25 +176,18 @@ rip6_input(mp, offp, proto)
 		if (last) {
 			struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+			/*
+			 * Check AH/ESP integrity.
+			 */
+			if (n && ipsec6_in_reject(n, last)) {
+				m_freem(n);
 #ifdef IPSEC
-			/*
-			 * Check AH/ESP integrity.
-			 */
-			if (n && ipsec6_in_reject(n, last)) {
-				m_freem(n);
 				ipsec6stat.in_polvio++;
-				/* do not inject data into pcb */
-			} else
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
-			/*
-			 * Check AH/ESP integrity.
-			 */
-			if (n && ipsec6_in_reject(n, last)) {
-				m_freem(n);
 				/* do not inject data into pcb */
 			} else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 			if (n) {
 				if (last->in6p_flags & IN6P_CONTROLOPTS ||
 				    last->in6p_socket->so_options & SO_TIMESTAMP)
@@ -215,27 +208,19 @@ rip6_input(mp, offp, proto)
 		}
 		last = in6p;
 	}
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	/*
+	 * Check AH/ESP integrity.
+	 */
+	if (last && ipsec6_in_reject(m, last)) {
+		m_freem(m);
 #ifdef IPSEC
-	/*
-	 * Check AH/ESP integrity.
-	 */
-	if (last && ipsec6_in_reject(m, last)) {
-		m_freem(m);
 		ipsec6stat.in_polvio++;
-		ip6stat.ip6s_delivered--;
-		/* do not inject data into pcb */
-	} else
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
-	/*
-	 * Check AH/ESP integrity.
-	 */
-	if (last && ipsec6_in_reject(m, last)) {
-		m_freem(m);
 		ip6stat.ip6s_delivered--;
 		/* do not inject data into pcb */
 	} else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 	if (last) {
 		if (last->in6p_flags & IN6P_CONTROLOPTS ||
 		    last->in6p_socket->so_options & SO_TIMESTAMP)

sys/netinet6/udp6_usrreq.c

@@ -239,23 +239,17 @@ udp6_input(mp, offp, proto)
 			if (last != NULL) {
 				struct mbuf *n;
 
+#if defined(IPSEC) || defined(FAST_IPSEC)
+				/*
+				 * Check AH/ESP integrity.
+				 */
+				if (ipsec6_in_reject(m, last)) {
 #ifdef IPSEC
-				/*
-				 * Check AH/ESP integrity.
-				 */
-				if (ipsec6_in_reject(m, last))
 					ipsec6stat.in_polvio++;
-					/* do not inject data into pcb */
-				else
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
-				/*
-				 * Check AH/ESP integrity.
-				 */
-				if (ipsec6_in_reject(m, last))
-					;
-				else
-#endif /* FAST_IPSEC */
+					/* do not inject data into pcb */
+				} else
+#endif /*IPSEC || FAST_IPSEC*/
 				if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
 					/*
 					 * KAME NOTE: do not
@@ -305,23 +299,17 @@ udp6_input(mp, offp, proto)
 			udpstat.udps_noportmcast++;
 			goto bad;
 		}
+#if defined(IPSEC) || defined(FAST_IPSEC)
+		/*
+		 * Check AH/ESP integrity.
+		 */
+		if (ipsec6_in_reject(m, last)) {
 #ifdef IPSEC
-		/*
-		 * Check AH/ESP integrity.
-		 */
-		if (ipsec6_in_reject(m, last)) {
 			ipsec6stat.in_polvio++;
-			goto bad;
-		}
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
-		/*
-		 * Check AH/ESP integrity.
-		 */
-		if (ipsec6_in_reject(m, last)) {
 			goto bad;
 		}
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 		if (last->in6p_flags & IN6P_CONTROLOPTS
 		    || last->in6p_socket->so_options & SO_TIMESTAMP)
 			ip6_savecontrol(last, m, &opts);
@@ -361,23 +349,17 @@ udp6_input(mp, offp, proto)
 		icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
 		return IPPROTO_DONE;
 	}
+#if defined(IPSEC) || defined(FAST_IPSEC)
+	/*
+	 * Check AH/ESP integrity.
+	 */
+	if (ipsec6_in_reject(m, in6p)) {
 #ifdef IPSEC
-	/*
-	 * Check AH/ESP integrity.
-	 */
-	if (ipsec6_in_reject(m, in6p)) {
 		ipsec6stat.in_polvio++;
-		goto bad;
-	}
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
-	/*
-	 * Check AH/ESP integrity.
-	 */
-	if (ipsec6_in_reject(m, in6p)) {
 		goto bad;
 	}
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 
 	/*
 	 * Construct sockaddr format source address.