From: bluhm
Date: Tue, 5 Oct 2021 11:45:26 +0000 (+0000)
Subject: Cleanup the error handling in ipsec ipip_output() and consistently
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=e4b51ed24439364044b5082eea907a9c175c84db;p=openbsd
Cleanup the error handling in ipsec ipip_output() and consistently goto drop instead of return. An ENOBUFS should be EINVAL in IPv6 case. Also use combined packet and byte counter. OK sthen@ dlg@
---
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c
index baaff9ef231..04a22479ae2 100644
--- a/sys/netinet/ip_ipip.c
+++ b/sys/netinet/ip_ipip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.c,v 1.93 2021/07/08 21:07:19 bluhm Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.94 2021/10/05 11:45:26 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -343,6 +343,7 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 #ifdef ENCDEBUG
 char buf[INET6_ADDRSTRLEN];
 #endif
+ int error;
 /* XXX Deal with empty TDB source/destination addresses. */
@@ -361,17 +362,16 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 ntohl(tdb->tdb_spi));
 ipipstat_inc(ipips_unspec);
- m_freem(m);
- *mp = NULL;
- return EINVAL;
+ error = EINVAL;
+ goto drop;
 }
 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
 if (m == NULL) {
 DPRINTF("M_PREPEND failed");
 ipipstat_inc(ipips_hdrops);
- *mp = NULL;
- return ENOBUFS;
+ error = ENOBUFS;
+ goto drop;
 }
 ipo = mtod(m, struct ip *);
@@ -424,15 +424,18 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 }
 #endif /* INET6 */
 else {
- m_freem(m);
- *mp = NULL;
 ipipstat_inc(ipips_family);
- return EAFNOSUPPORT;
+ error = EAFNOSUPPORT;
+ goto drop;
 }
 otos = 0;
 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
 ipo->ip_tos = otos;
+
+ obytes = m->m_pkthdr.len - sizeof(struct ip);
+ if (tdb->tdb_xform->xf_type == XF_IP4)
+ tdb->tdb_cur_bytes += obytes;
 break;
 #ifdef INET6
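Review bot: In the `if (m == NULL)` branch after M_PREPEND in the hunk at -361,17, `goto drop` now reaches `m_freem(m)` with a NULL pointer, whereas the old code skipped the free on this path and only cleared `*mp`. That is correct only if m_freem() tolerates NULL, which is not visible in this diff; a one-line comment at the jump, such as `/* m is NULL here; drop relies on m_freem(NULL) being a no-op */`, would record the assumption for the next reader. The IPv6 M_PREPEND branch in the hunk at -466,8 has the same pattern. ipip_output's body starts and ends outside this hunk.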
@@ -447,9 +450,8 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 ntohl(tdb->tdb_spi));
 ipipstat_inc(ipips_unspec);
- m_freem(m);
- *mp = NULL;
- return ENOBUFS;
+ error = EINVAL;
+ goto drop;
 }
 /* If the inner protocol is IPv6, clear link local scope */
@@ -466,8 +468,8 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 if (m == NULL) {
 DPRINTF("M_PREPEND failed");
 ipipstat_inc(ipips_hdrops);
- *mp = NULL;
- return ENOBUFS;
+ error = ENOBUFS;
+ goto drop;
 }
 /* Initialize IPv6 header */
@@ -501,49 +503,37 @@ ipip_output(struct mbuf *m, struct tdb *tdb, struct mbuf **mp, int dummy,
 ip6o->ip6_nxt = IPPROTO_IPV6;
 } else {
- m_freem(m);
- *mp = NULL;
 ipipstat_inc(ipips_family);
- return EAFNOSUPPORT;
+ error = EAFNOSUPPORT;
+ goto drop;
 }
 otos = 0;
 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20);
+
+ obytes = m->m_pkthdr.len - sizeof(struct ip6_hdr);
+ if (tdb->tdb_xform->xf_type == XF_IP4)
+ tdb->tdb_cur_bytes += obytes;
 break;
 #endif /* INET6 */
 default:
 DPRINTF("unsupported protocol family %d", tdb->tdb_dst.sa.sa_family);
- m_freem(m);
- *mp = NULL;
 ipipstat_inc(ipips_family);
- return EAFNOSUPPORT;
+ error = EAFNOSUPPORT;
+ goto drop;
 }
- ipipstat_inc(ipips_opackets);
 *mp = m;
-
- if (tdb->tdb_dst.sa.sa_family == AF_INET) {
- obytes = m->m_pkthdr.len - sizeof(struct ip);
- if (tdb->tdb_xform->xf_type == XF_IP4)
- tdb->tdb_cur_bytes += obytes;
-
- ipipstat_add(ipips_obytes, obytes);
- }
-
-#ifdef INET6
- if (tdb->tdb_dst.sa.sa_family == AF_INET6) {
- obytes = m->m_pkthdr.len - sizeof(struct ip6_hdr);
- if (tdb->tdb_xform->xf_type == XF_IP4)
- tdb->tdb_cur_bytes += obytes;
-
- ipipstat_add(ipips_obytes, obytes);
- }
-#endif /* INET6 */
-
+ ipipstat_pkt(ipips_opackets, ipips_obytes, obytes);
 return 0;
+
+ drop:
+ m_freem(m);
+ *mp = NULL;
+ return error;
 }
 #ifdef IPSEC
diff --git a/sys/netinet/ip_ipip.h b/sys/netinet/ip_ipip.h
index 87807dab457..a45e88df24a 100644
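Review bot: The new `drop:` label at the end of the hunk at -501,49 is now the single place where ipip_output() consumes the mbuf on failure, but nothing there states the ownership rule it enforces. Every error path frees `m` and sets `*mp = NULL`, so a caller that also freed the chain on a non-zero return would double-free it; the callers are outside this diff, so whether any does is unknown. A short comment above the label, for example `/* Error exit: the mbuf chain is freed here and *mp is cleared; callers must not free it again. */`, would make the contract explicit. ipip_output's body starts outside this hunk.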
--- a/sys/netinet/ip_ipip.h
+++ b/sys/netinet/ip_ipip.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.h,v 1.11 2019/10/04 05:00:49 dlg Exp $ */
+/* $OpenBSD: ip_ipip.h,v 1.12 2021/10/05 11:45:26 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -104,6 +104,12 @@ ipipstat_add(enum ipipstat_counters c, uint64_t v)
 counters_add(ipipcounters, c, v);
 }
+static inline void
+ipipstat_pkt(enum ipipstat_counters p, enum ipipstat_counters b, uint64_t v)
+{
+ counters_pkt(ipipcounters, p, b, v);
+}
+
 struct tdb;
 void ipip_init(void);
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index a7009e6edeb..f1b236568f3 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.208 2021/10/05 11:34:34 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.209 2021/10/05 11:45:26 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -191,6 +191,12 @@ ipsecstat_add(enum ipsec_counters c, uint64_t v)
 counters_add(ipseccounters, c, v);
 }
+static inline void
+ipsecstat_pkt(enum ipsec_counters p, enum ipsec_counters b, uint64_t v)
+{
+ counters_pkt(ipseccounters, p, b, v);
+}
+
 struct m_tag;
 #define sen_data Sen.Data
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 3267a3b6c5b..815a20893d9 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.181 2021/10/05 11:34:35 bluhm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.182 2021/10/05 11:45:26 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
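Review bot: `ipipstat_pkt()` in the ip_ipip.h hunk at -104,6 takes the packet counter and the byte counter as two parameters of the same enum type, named only `p` and `b`, so a call with the two swapped compiles without any diagnostic and would skew both statistics. A comment above the function, for example `/* p: packet counter, b: byte counter that v is added to */`, or more descriptive parameter names would make the required order explicit. What counters_pkt() does with them is inferred from the commit message, since its definition is not part of this diff. The same applies to `ipsecstat_pkt()` added in ip_ipsp.h at -191,6.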
@@ -200,8 +200,7 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 NET_ASSERT_LOCKED();
- ipsecstat_inc(ipsec_ipackets);
- ipsecstat_add(ipsec_ibytes, m->m_pkthdr.len);
+ ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len);
 IPSEC_ISTAT(esps_input, ahs_input, ipcomps_input);
 if (m == NULL) {
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 9fb432a7c25..3792d7f65fb 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.86 2021/07/27 17:13:03 mvs Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.87 2021/10/05 11:45:26 bluhm Exp $ */
 /*
 * The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
 *
@@ -583,8 +583,7 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb)
 m_tag_prepend(m, mtag);
- ipsecstat_inc(ipsec_opackets);
- ipsecstat_add(ipsec_obytes, m->m_pkthdr.len);
+ ipsecstat_pkt(ipsec_opackets, ipsec_obytes, m->m_pkthdr.len);
 tdb->tdb_opackets++;
 tdb->tdb_obytes += m->m_pkthdr.len;
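Review bot: In the ipsec_common_input hunk at -200,8, `ipsecstat_pkt(ipsec_ipackets, ipsec_ibytes, m->m_pkthdr.len)` dereferences `m` two lines before the `if (m == NULL)` test in the trailing context, so that test cannot protect the read. The removed `ipsecstat_add()` line had the same ordering, so this commit does not introduce the problem, but merging the two calls is a natural point to settle it. Either move the counter update below the NULL check, or remove the check if callers can never pass NULL. ipsec_common_input's body continues outside the hunk, so what the NULL branch does is not visible here.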