diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index eff86d3677b..fb957027609 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -145,21 +145,16 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
 {
 int policyfail = 0;
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(n, last)) {
+ policyfail = 1;
 #ifdef IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
- policyfail = 1;
 ipsecstat.in_polvio++;
- /* do not inject data to pcb */
- }
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
- policyfail = 1;
 /* do not inject data to pcb */
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
 policyfail = 1;
diff --git a/sys/netinet/tcp_input.c b/sys/netinet/tcp_input.c
index a868f801153..01033ffb1f7 100644
--- a/sys/netinet/tcp_input.c
+++ b/sys/netinet/tcp_input.c
@@ -567,29 +567,21 @@ findpcb:
 1, m->m_pkthdr.rcvif);
 }
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ if (isipv6) {
+ if (inp != NULL && ipsec6_in_reject(m, inp)) {
 #ifdef IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
 ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 /*
 * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/tcp_reass.c b/sys/netinet/tcp_reass.c
index a868f801153..01033ffb1f7 100644
--- a/sys/netinet/tcp_reass.c
+++ b/sys/netinet/tcp_reass.c
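Review bot: After the merge, `ipsecstat.in_polvio++` is the only statement left inside the inner `#ifdef IPSEC`, so a FAST_IPSEC kernel sets `policyfail = 1` and drops the datagram with no counter touched at this call site; that matches the old `#ifdef FAST_IPSEC` branch, but the merged form makes the asymmetry look like an oversight. If the netipsec implementation of ipsec4_in_reject() accounts the violation internally (I believe it does, but confirm), a comment above the inner `#ifdef IPSEC` such as `/* FAST_IPSEC counts policy violations inside ipsec4_in_reject() itself. */` would document why only the KAME stack bumps a counter here; if it does not, the drop is invisible to netstat and deserves its own statistic. The same shape recurs in the tcp_input.c, tcp_reass.c, udp_usrreq.c, raw_ip6.c and udp6_usrreq.c hunks, where ipsec6_in_reject() is the counterpart. raw_append() continues past the end of this hunk.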
@@ -567,29 +567,21 @@ findpcb:
 1, m->m_pkthdr.rcvif);
 }
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ if (isipv6) {
+ if (inp != NULL && ipsec6_in_reject(m, inp)) {
 #ifdef IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
 ipsec6stat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
- } else {
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsecstat.in_polvio++;
- goto drop;
- }
- }
-#endif
-#ifdef FAST_IPSEC
- if (isipv6) {
- if (inp != NULL && ipsec6_in_reject(m, inp)) {
- goto drop;
- }
- } else
- if (inp != NULL && ipsec4_in_reject(m, inp)) {
+ } else if (inp != NULL && ipsec4_in_reject(m, inp)) {
+#ifdef IPSEC
+ ipsecstat.in_polvio++;
+#endif /*IPSEC*/
 goto drop;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 /*
 * If the state is CLOSED (i.e., TCB does not exist) then
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 38525832c76..f0a01b2bdcb 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -453,21 +453,16 @@ udp_append(last, ip, n, off)
 struct sockaddr *append_sa;
 struct mbuf *opts = 0;
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /* check AH/ESP integrity. */
+ if (ipsec4_in_reject(n, last)) {
 #ifdef IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
 ipsecstat.in_polvio++;
- m_freem(n);
- return;
- }
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /* check AH/ESP integrity. */
- if (ipsec4_in_reject(n, last)) {
 m_freem(n);
 return;
 }
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 #ifdef MAC
 if (mac_check_inpcb_deliver(last, n) != 0) {
 m_freem(n);
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 1b30fa795ab..2dd5fc9963f 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -185,14 +185,10 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
 struct route_in6 *ro_pmtu = NULL;
 int hdrsplit = 0;
 int needipsec = 0;
-#ifdef FAST_IPSEC
+#if defined(IPSEC) || defined(FAST_IPSEC)
 int needipsectun = 0;
 struct secpolicy *sp = NULL;
-#endif /* FAST_IPSEC */
-#ifdef IPSEC
- int needipsectun = 0;
- struct secpolicy *sp = NULL;
-#endif /* IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 ip6 = mtod(m, struct ip6_hdr *);
 finaldst = ip6->ip6_dst;
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 00205ff01c6..03b9a41b580 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -176,25 +176,18 @@ rip6_input(mp, offp, proto)
 if (last) {
 struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (n && ipsec6_in_reject(n, last)) {
+ m_freem(n);
 #ifdef IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (n && ipsec6_in_reject(n, last)) {
- m_freem(n);
 ipsec6stat.in_polvio++;
- /* do not inject data into pcb */
- } else
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (n && ipsec6_in_reject(n, last)) {
- m_freem(n);
 /* do not inject data into pcb */
 } else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 if (n) {
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
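Review bot: The `} else` on the new side still hangs across `#endif /*IPSEC || FAST_IPSEC*/`, so the following `if (n) {` is the else-branch in an IPsec kernel and a free-standing statement otherwise; anything a later change inserts between those two lines would make `if (n)` unconditional and hand the pcb an mbuf that was just passed to m_freem(n). Since `n` is the private copy made by `m_copy(m, 0, (int)M_COPYALL)` two lines earlier, the chaining can be dropped: replace `} else` with `n = NULL;` followed by `}` and leave `if (n) {` as a plain statement, which preserves behaviour provided nothing after the `if (n)` block reads `n` (that code is outside the hunk). The second raw_ip6.c hunk (`if (last && ipsec6_in_reject(m, last))` … `} else` … `if (last) {`) and the first udp6_usrreq.c hunk (`} else` … `if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {`) carry the same construct; there `last` is tested again on the next line and `m` is the packet itself, so those would need an explicit local flag rather than nulling a pointer. rip6_input() starts before and ends after this hunk.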
@@ -215,27 +208,19 @@ rip6_input(mp, offp, proto)
 }
 last = in6p;
 }
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (last && ipsec6_in_reject(m, last)) {
+ m_freem(m);
 #ifdef IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (last && ipsec6_in_reject(m, last)) {
- m_freem(m);
 ipsec6stat.in_polvio++;
- ip6stat.ip6s_delivered--;
- /* do not inject data into pcb */
- } else
 #endif /*IPSEC*/
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (last && ipsec6_in_reject(m, last)) {
- m_freem(m);
 ip6stat.ip6s_delivered--;
 /* do not inject data into pcb */
 } else
-#endif /*FAST_IPSEC*/
+#endif /*IPSEC || FAST_IPSEC*/
 if (last) {
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index f8b4890e0f1..530446e288b 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -239,23 +239,17 @@ udp6_input(mp, offp, proto)
 if (last != NULL) {
 struct mbuf *n;
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, last)) {
 #ifdef IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last))
 ipsec6stat.in_polvio++;
- /* do not inject data into pcb */
- else
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last))
- ;
- else
-#endif /* FAST_IPSEC */
+ /* do not inject data into pcb */
+ } else
+#endif /*IPSEC || FAST_IPSEC*/
 if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
 /*
 * KAME NOTE: do not
@@ -305,23 +299,17 @@ udp6_input(mp, offp, proto)
 udpstat.udps_noportmcast++;
 goto bad;
 }
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, last)) {
 #ifdef IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last)) {
 ipsec6stat.in_polvio++;
- goto bad;
- }
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, last)) {
 goto bad;
 }
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 if (last->in6p_flags & IN6P_CONTROLOPTS ||
 last->in6p_socket->so_options & SO_TIMESTAMP)
 ip6_savecontrol(last, m, &opts);
@@ -361,23 +349,17 @@ udp6_input(mp, offp, proto)
 icmp6_error(m, ICMP6_DST_UNREACH, ICMP6_DST_UNREACH_NOPORT, 0);
 return IPPROTO_DONE;
 }
+#if defined(IPSEC) || defined(FAST_IPSEC)
+ /*
+ * Check AH/ESP integrity.
+ */
+ if (ipsec6_in_reject(m, in6p)) {
 #ifdef IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, in6p)) {
 ipsec6stat.in_polvio++;
- goto bad;
- }
 #endif /* IPSEC */
-#ifdef FAST_IPSEC
- /*
- * Check AH/ESP integrity.
- */
- if (ipsec6_in_reject(m, in6p)) {
 goto bad;
 }
-#endif /* FAST_IPSEC */
+#endif /*IPSEC || FAST_IPSEC*/
 /*
 * Construct sockaddr format source address.