Move setting ipsec mtu into a function. The NULL and invalid check

in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway.  udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@

diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index ab38673..a7009e6 100644 (file)
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ip_ipsp.h,v 1.207 2021/09/29 22:08:13 bluhm Exp $     */
+/*     $OpenBSD: ip_ipsp.h,v 1.208 2021/10/05 11:34:34 bluhm Exp $     */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -650,6 +650,7 @@ int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
 int    ipsec_delete_policy(struct ipsec_policy *);
 ssize_t        ipsec_hdrsz(struct tdb *);
 void   ipsec_adjust_mtu(struct mbuf *, u_int32_t);
+void   ipsec_set_mtu(struct tdb *, u_int32_t);
 struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
 int    ipsec_forward_check(struct mbuf *, int, int);
 int    ipsec_local_check(struct mbuf *, int, int, int);

diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index e079fa2..3267a3b 100644 (file)
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: ipsec_input.c,v 1.180 2021/09/29 22:08:13 bluhm Exp $ */
+/*     $OpenBSD: ipsec_input.c,v 1.181 2021/10/05 11:34:35 bluhm Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -949,6 +949,29 @@ ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af)
        return IPPROTO_DONE;
 }
 
+void
+ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu)
+{
+       ssize_t adjust;
+
+       NET_ASSERT_LOCKED();
+
+       /* Walk the chain backwards to the first tdb */
+       for (; tdbp != NULL; tdbp = tdbp->tdb_inext) {
+               if (tdbp->tdb_flags & TDBF_INVALID ||
+                   (adjust = ipsec_hdrsz(tdbp)) == -1)
+                       return;
+
+               mtu -= adjust;
+
+               /* Store adjusted MTU in tdb */
+               tdbp->tdb_mtu = mtu;
+               tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout;
+               DPRINTF("spi %08x mtu %d adjust %ld",
+                   ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
+       }
+}
+
 void
 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
     void *v, int proto)
@@ -961,7 +984,6 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
                struct icmp *icp;
                int hlen = ip->ip_hl << 2;
                u_int32_t spi, mtu;
-               ssize_t adjust;
 
                /* Find the right MTU. */
                icp = (struct icmp *)((caddr_t) ip -
@@ -984,25 +1006,7 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
 
                tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst,
                    proto);
-               if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID)
-                       return;
-
-               /* Walk the chain backwards to the first tdb */
-               NET_ASSERT_LOCKED();
-               for (; tdbp; tdbp = tdbp->tdb_inext) {
-                       if (tdbp->tdb_flags & TDBF_INVALID ||
-                           (adjust = ipsec_hdrsz(tdbp)) == -1)
-                               return;
-
-                       mtu -= adjust;
-
-                       /* Store adjusted MTU in tdb */
-                       tdbp->tdb_mtu = mtu;
-                       tdbp->tdb_mtutimeout = gettime() +
-                           ip_mtudisc_timeout;
-                       DPRINTF("spi %08x mtu %d adjust %ld",
-                           ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
-               }
+               ipsec_set_mtu(tdbp, mtu);
        }
 }
 
@@ -1013,7 +1017,6 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
        struct tdb *tdbp;
        struct icmp *icp;
        u_int32_t mtu;
-       ssize_t adjust;
        struct sockaddr_in dst, src;
        union sockaddr_union *su_dst, *su_src;
 
@@ -1049,15 +1052,7 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
                    TDBF_UDPENCAP) &&
                    !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) &&
                    !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) {
-                       if ((adjust = ipsec_hdrsz(tdbp)) != -1) {
-                               /* Store adjusted MTU in tdb */
-                               tdbp->tdb_mtu = mtu - adjust;
-                               tdbp->tdb_mtutimeout = gettime() +
-                                   ip_mtudisc_timeout;
-                               DPRINTF("spi %08x mtu %d adjust %ld",
-                                   ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
-                                   adjust);
-                       }
+                       ipsec_set_mtu(tdbp, mtu);
                }
        }
 }