2 /*-
5 * Niels Provos (provos@physnet.uni-hamburg.de).
114 * ipsec_common_input gets called when an IPsec-protected packet
120 ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
130 IPSEC_ASSERT(m != NULL, ("null packet"));
139 m_freem(m);
144 if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
145 m_freem(m);
153 m_copydata(m, skip, sizeof(u_int32_t), (caddr_t) &spi);
155 m_copydata(m, skip + sizeof(u_int32_t), sizeof(u_int32_t),
159 m_copydata(m, skip + sizeof(u_int16_t), sizeof(u_int16_t),
175 m_copydata(m, offsetof(struct ip, ip_dst),
183 m_copydata(m, offsetof(struct ip6_hdr, ip6_dst),
197 m_freem(m);
209 m_freem(m);
213 if (sav->tdb_xform == NULL) {
219 m_freem(m);
224 * Call appropriate transform and return -- callback takes care of
227 error = (*sav->tdb_xform->xf_input)(m, sav, skip, protoff);
234 * 0 - Permitted by inbound security policy for further processing.
235 * EACCES - Forbidden by inbound security policy.
236 * EINPROGRESS - consumed by IPsec.
239 ipsec4_input(struct mbuf *m, int offset, int proto)
243 error = ipsec_accel_input(m, offset, proto);
252 ipsec_common_input(m, offset,
279 if (ipsec4_in_reject(m, NULL) != 0) {
281 m_freem(m);
291 struct ip *ip = &icp->icmp_ip;
295 .sin_addr = ip->ip_dst,
303 pmtu = ntohs(icp->icmp_nextmtu);
308 proto = ip->ip_p;
313 memcpy(&spi, (caddr_t)ip + (ip->ip_hl << 2), sizeof(spi));
321 inc.inc_faddr = ip->ip_dst;
341 ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
354 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
355 saidx = &sav->sah->saidx;
356 af = saidx->dst.sa.sa_family;
358 sproto = saidx->proto;
367 if (m->m_len < skip && (m = m_pullup(m, skip)) == NULL) {
369 __func__, ipsec_address(&sav->sah->saidx.dst,
370 buf, sizeof(buf)), (u_long) ntohl(sav->spi)));
376 ip = mtod(m, struct ip *);
377 ip->ip_len = htons(m->m_pkthdr.len);
378 ip->ip_sum = 0;
379 ip->ip_sum = in_cksum(m, ip->ip_hl << 2);
381 ip = mtod(m, struct ip *);
383 prot = ip->ip_p;
385 * Check that we have NAT-T enabled and apply transport mode
389 if (sav->natt != NULL &&
391 udp_ipsec_adjust_cksum(m, sav, prot, skip);
398 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, AF_INET, IPSEC_ENC_BEFORE);
401 ip = mtod(m, struct ip *); /* update pointer */
403 /* IP-in-IP encapsulation */
405 saidx->mode != IPSEC_MODE_TRANSPORT) {
406 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
412 m_striphdr(m, 0, ip->ip_hl << 2);
415 /* IPv6-in-IP encapsulation. */
417 saidx->mode != IPSEC_MODE_TRANSPORT) {
418 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
424 m_striphdr(m, 0, ip->ip_hl << 2);
427 else if (prot != IPPROTO_IPV6 && saidx->mode == IPSEC_MODE_ANY) {
429 * When mode is wildcard, inner protocol is IPv6 and
430 * we have no INET6 support - drop this packet a bit later.
431 * In other cases we assume transport mode. Set prot to
452 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
453 xh->spi = sav->spi;
454 xh->proto = sproto;
455 xh->mode = saidx->mode;
456 m_tag_prepend(m, mtag);
459 key_sa_recordxfer(sav, m); /* record data transfer */
462 * In transport mode requeue decrypted mbuf back to IPv4 protocol
465 if (saidx->mode == IPSEC_MODE_TRANSPORT)
468 * Re-dispatch via software interrupt.
489 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
494 if (saidx->mode == IPSEC_MODE_TUNNEL)
495 error = ipsec_if_input(m, sav, af);
497 error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
511 if (m != NULL)
512 m_freem(m);
538 * 0 - Permitted by inbound security policy for further processing.
539 * EACCES - Forbidden by inbound security policy.
540 * EINPROGRESS - consumed by IPsec.
543 ipsec6_input(struct mbuf *m, int offset, int proto)
547 error = ipsec_accel_input(m, offset, proto);
556 ipsec_common_input(m, offset,
571 if (ipsec6_in_reject(m, NULL) != 0) {
573 m_freem(m);
592 ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
608 IPSEC_ASSERT(sav->sah != NULL, ("null SAH"));
609 saidx = &sav->sah->saidx;
610 af = saidx->dst.sa.sa_family;
612 sproto = saidx->proto;
620 if (m->m_len < sizeof(struct ip6_hdr) &&
621 (m = m_pullup(m, sizeof(struct ip6_hdr))) == NULL) {
623 __func__, ipsec_address(&sav->sah->saidx.dst, buf,
624 sizeof(buf)), (u_long) ntohl(sav->spi)));
631 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_BEFORE);
635 ip6 = mtod(m, struct ip6_hdr *);
636 ip6->ip6_plen = htons(m->m_pkthdr.len - sizeof(struct ip6_hdr));
639 m_copydata(m, protoff, 1, &nxt8);
643 * Check that we have NAT-T enabled and apply transport mode
647 if (sav->natt != NULL &&
649 udp_ipsec_adjust_cksum(m, sav, prot, skip);
651 /* IPv6-in-IP encapsulation */
653 saidx->mode != IPSEC_MODE_TRANSPORT) {
654 if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
660 m_striphdr(m, 0, skip);
664 /* IP-in-IP encapsulation */
666 saidx->mode != IPSEC_MODE_TRANSPORT) {
667 if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
673 m_striphdr(m, 0, skip);
696 bcopy(&saidx->dst, &xh->dst, saidx->dst.sa.sa_len);
697 xh->spi = sav->spi;
698 xh->proto = sproto;
699 xh->mode = saidx->mode;
700 m_tag_prepend(m, mtag);
703 key_sa_recordxfer(sav, m);
711 IPSEC_INIT_CTX(&ctx, &m, NULL, sav, af, IPSEC_ENC_AFTER);
736 if (saidx->mode == IPSEC_MODE_TUNNEL)
737 error = ipsec_if_input(m, sav, af);
740 (uintptr_t)sav->spi, m);
765 * Protection against faulty packet - there should be
768 if (m->m_pkthdr.len < skip) {
770 in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
777 * code - like udp/tcp/raw ip.
779 if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) {
783 nxt = ip6_protox[nxt](&m, &skip, nxt);
791 if (m)
792 m_freem(m);