From 7407a37d8f835fe093253761c1f55fbb93e08267 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Tue, 5 Oct 2021 11:34:34 +0000
Subject: [PATCH] Move setting ipsec mtu into a function.
The NULL and invalid check in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu() does that anyway. udpencap_ctlinput() did not work for bundled SA, this also needs the loop in ipsec_set_mtu(). OK sthen@
---
 sys/netinet/ip_ipsp.h | 3 ++-
 sys/netinet/ipsec_input.c | 57 ++++++++++++++++++---------------------
 2 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index ab38673996f..a7009e6edeb 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.207 2021/09/29 22:08:13 bluhm Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.208 2021/10/05 11:34:34 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -650,6 +650,7 @@ int ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
 int ipsec_delete_policy(struct ipsec_policy *);
 ssize_t ipsec_hdrsz(struct tdb *);
 void ipsec_adjust_mtu(struct mbuf *, u_int32_t);
+void ipsec_set_mtu(struct tdb *, u_int32_t);
 struct ipsec_acquire *ipsec_get_acquire(u_int32_t);
 int ipsec_forward_check(struct mbuf *, int, int);
 int ipsec_local_check(struct mbuf *, int, int, int);
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index e079fa2abfe..3267a3b6c5b 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.180 2021/09/29 22:08:13 bluhm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.181 2021/10/05 11:34:35 bluhm Exp $ */
 /*
 * The authors of this code are John Ioannidis (ji@tla.org),
 * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -949,6 +949,29 @@ ipcomp4_input(struct mbuf **mp, int *offp, int proto, int af)
 return IPPROTO_DONE;
 }
+void
+ipsec_set_mtu(struct tdb *tdbp, u_int32_t mtu)
+{
+ ssize_t adjust;
+
+ NET_ASSERT_LOCKED();
+
+ /* Walk the chain backwards to the first tdb */
+ for (; tdbp != NULL; tdbp = tdbp->tdb_inext) {
+ if (tdbp->tdb_flags & TDBF_INVALID ||
+ (adjust = ipsec_hdrsz(tdbp)) == -1)
+ return;
+
+ mtu -= adjust;
+
+ /* Store adjusted MTU in tdb */
+ tdbp->tdb_mtu = mtu;
+ tdbp->tdb_mtutimeout = gettime() + ip_mtudisc_timeout;
+ DPRINTF("spi %08x mtu %d adjust %ld",
+ ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
+ }
+}
+
 void
 ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
 void *v, int proto)
@@ -961,7 +984,6 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
 struct icmp *icp;
 int hlen = ip->ip_hl << 2;
 u_int32_t spi, mtu;
- ssize_t adjust;
 /* Find the right MTU. */
 icp = (struct icmp *)((caddr_t) ip -
@@ -984,25 +1006,7 @@ ipsec_common_ctlinput(u_int rdomain, int cmd, struct sockaddr *sa,
 tdbp = gettdb_rev(rdomain, spi, (union sockaddr_union *)&dst, proto);
- if (tdbp == NULL || tdbp->tdb_flags & TDBF_INVALID)
- return;
-
- /* Walk the chain backwards to the first tdb */
- NET_ASSERT_LOCKED();
- for (; tdbp; tdbp = tdbp->tdb_inext) {
- if (tdbp->tdb_flags & TDBF_INVALID ||
- (adjust = ipsec_hdrsz(tdbp)) == -1)
- return;
-
- mtu -= adjust;
-
- /* Store adjusted MTU in tdb */
- tdbp->tdb_mtu = mtu;
- tdbp->tdb_mtutimeout = gettime() +
- ip_mtudisc_timeout;
- DPRINTF("spi %08x mtu %d adjust %ld",
- ntohl(tdbp->tdb_spi), tdbp->tdb_mtu, adjust);
- }
+ ipsec_set_mtu(tdbp, mtu);
 }
 }
@@ -1013,7 +1017,6 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
 struct tdb *tdbp;
 struct icmp *icp;
 u_int32_t mtu;
- ssize_t adjust;
 struct sockaddr_in dst, src;
 union sockaddr_union *su_dst, *su_src;
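Review bot: In the new ipsec_set_mtu(), `mtu -= adjust;` is unsigned arithmetic on a u_int32_t that the callers derive from an ICMP message, so if the summed header overhead of a bundle ever exceeds mtu the value wraps and an enormous tdb_mtu is stored for the remaining SAs; the caller may bound mtu before the call, but that check is outside this hunk and the helper is now shared by two callers, so a local guard is cheap: `if ((u_int32_t)adjust >= mtu) return;` placed before the subtraction. The DPRINTF format uses `%d` for tdb_mtu, which is a u_int32_t; `%u` is the matching specifier. A short header comment above the function would also help a reader, stating that it stores the path MTU on the given tdb and on every SA reachable through tdb_inext, subtracting each SA's own header overhead as it goes, and that it stops at the first invalid tdb or when ipsec_hdrsz() fails.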
@@ -1049,15 +1052,7 @@ udpencap_ctlinput(int cmd, struct sockaddr *sa, u_int rdomain, void *v)
 TDBF_UDPENCAP) &&
 !memcmp(&tdbp->tdb_dst, &dst, su_dst->sa.sa_len) &&
 !memcmp(&tdbp->tdb_src, &src, su_src->sa.sa_len)) {
- if ((adjust = ipsec_hdrsz(tdbp)) != -1) {
- /* Store adjusted MTU in tdb */
- tdbp->tdb_mtu = mtu - adjust;
- tdbp->tdb_mtutimeout = gettime() +
- ip_mtudisc_timeout;
- DPRINTF("spi %08x mtu %d adjust %ld",
- ntohl(tdbp->tdb_spi), tdbp->tdb_mtu,
- adjust);
- }
+ ipsec_set_mtu(tdbp, mtu);
 }
 }
 }
-- 
2.20.1
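Review bot: The replacement call pulls the helper's NET_ASSERT_LOCKED() into udpencap_ctlinput(), which the inline code it replaces never asserted and which also now skips tdbs flagged TDBF_INVALID; both look intended, but the commit message says nothing about the lock, so a one-line comment above the call, `/* ipsec_set_mtu() walks the whole bundle and asserts the net lock */`, would record the new requirement for future callers. The enclosing loop over the tdb bucket starts outside this hunk; because the helper now also follows tdb_inext, a tdb may be written once when it matches the bucket scan and again as part of another matching tdb's chain, with the last write winning, which is worth a sentence in that comment if the order of the two writes matters.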