First attempt at further IPsec cluster cleanup
@@ -1373,11 +1373,11 @@
/*
* Randomly generate a proposed SPI value
*/
(void) random_get_pseudo_bytes((uint8_t *)&newspi, sizeof (uint32_t));
newbie = sadb_getspi(ksi, newspi, &diagnostic,
- espstack->ipsecesp_netstack, IPPROTO_ESP);
+ espstack->ipsecesp_netstack);
if (newbie == NULL) {
sadb_pfkey_error(espstack->esp_pfkey_q, mp, ENOMEM, diagnostic,
ksi->ks_in_serial);
return;
@@ -1566,17 +1566,16 @@
#endif
static void
esp_port_freshness(uint32_t ports, ipsa_t *assoc)
{
uint16_t remote = FIRST_16(ports);
- uint16_t local = NEXT_16(ports);
ipsa_t *outbound_peer;
isaf_t *bucket;
ipsecesp_stack_t *espstack = assoc->ipsa_netstack->netstack_ipsecesp;
/* We found a conn_t, therefore local != 0. */
- ASSERT(local != 0);
+ ASSERT(NEXT_16(ports) != 0);
/* Assume an IPv4 SA. */
ASSERT(assoc->ipsa_addrfam == AF_INET);
/*
* On-the-wire rport == 0 means something's very wrong.
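Review bot: The comment `/* We found a conn_t, therefore local != 0. */` still names the `local` variable that this hunk deletes, so it no longer matches the assertion beneath it. I would reword it to `/* We found a conn_t, therefore the local port, NEXT_16(ports), is non-zero. */`. Both this check and the `AF_INET` check are `ASSERT`s, which presumably compile out of non-DEBUG builds. The function body continues past the hunk, so it is not visible here whether any runtime check backs them up.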
@@ -1751,19 +1750,10 @@
}
}
if (is_natt)
return (esp_fix_natt_checksums(data_mp, assoc));
- if (assoc->ipsa_state == IPSA_STATE_IDLE) {
- /*
- * Cluster buffering case. Tell caller that we're
- * handling the packet.
- */
- sadb_buf_pkt(assoc, data_mp, ira);
- return (NULL);
- }
-
return (data_mp);
}
esp1dbg(espstack, ("esp_in_done: esp_strip_header() failed\n"));
drop_and_bail:
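Review bot: With the `IPSA_STATE_IDLE` branch gone, a non-NAT-T packet that reaches this point falls through to `return (data_mp);` whatever the SA's state, so a packet arriving on an idle SA would be handed up instead of held. Nothing in the hunk shows that the idle state can no longer be set. If the constant survives the cleanup, `ASSERT(assoc->ipsa_state != IPSA_STATE_IDLE);` just before the return would record the invariant; if the state is removed elsewhere in the change, nothing more is needed. The enclosing function begins above the hunk.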
@@ -3618,12 +3608,11 @@
natt_rem6 = (struct sockaddr_in6 *)(nttext_rem + 1);
/* Sundry ADD-specific reality checks. */
/* XXX STATS : Logging/stats here? */
- if ((assoc->sadb_sa_state != SADB_SASTATE_MATURE) &&
- (assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE_ELSEWHERE)) {
+ if (assoc->sadb_sa_state != SADB_SASTATE_MATURE) {
*diagnostic = SADB_X_DIAGNOSTIC_BAD_SASTATE;
return (EINVAL);
}
if (assoc->sadb_sa_encrypt == SADB_EALG_NONE) {
*diagnostic = SADB_X_DIAGNOSTIC_BAD_EALG;
@@ -3788,35 +3777,21 @@
*/
static int
esp_update_sa(mblk_t *mp, keysock_in_t *ksi, int *diagnostic,
ipsecesp_stack_t *espstack, uint8_t sadb_msg_type)
{
- sadb_sa_t *assoc = (sadb_sa_t *)ksi->ks_in_extv[SADB_EXT_SA];
- mblk_t *buf_pkt;
- int rcode;
-
sadb_address_t *dstext =
(sadb_address_t *)ksi->ks_in_extv[SADB_EXT_ADDRESS_DST];
if (dstext == NULL) {
*diagnostic = SADB_X_DIAGNOSTIC_MISSING_DST;
return (EINVAL);
}
- rcode = sadb_update_sa(mp, ksi, &buf_pkt, &espstack->esp_sadb,
- diagnostic, espstack->esp_pfkey_q, esp_add_sa,
- espstack->ipsecesp_netstack, sadb_msg_type);
-
- if ((assoc->sadb_sa_state != SADB_X_SASTATE_ACTIVE) ||
- (rcode != 0)) {
- return (rcode);
- }
-
- HANDLE_BUF_PKT(esp_taskq, espstack->ipsecesp_netstack->netstack_ipsec,
- espstack->esp_dropper, buf_pkt);
-
- return (rcode);
+ return (sadb_update_sa(mp, ksi, &espstack->esp_sadb, diagnostic,
+ espstack->esp_pfkey_q, esp_add_sa, espstack->ipsecesp_netstack,
+ sadb_msg_type));
}
/* XXX refactor me */
/*
* Delete a security association. This is REALLY likely to be code common to
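Review bot: In esp_update_sa, `dstext` is now only compared with NULL and never read again, so the typed local and its cast add nothing. `if (ksi->ks_in_extv[SADB_EXT_ADDRESS_DST] == NULL) {` states the check directly and lets the declaration go. The removed `assoc->sadb_sa_state` read dereferenced `ks_in_extv[SADB_EXT_SA]` with no NULL test in this function, so dropping it also removes that reliance on earlier validation. The block comment above the function starts outside the hunk; if it still describes buffered packets, it should be updated to match.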
@@ -3953,11 +3928,10 @@
}
/* else esp_add_sa() took care of things. */
break;
case SADB_DELETE:
case SADB_X_DELPAIR:
- case SADB_X_DELPAIR_STATE:
error = esp_del_sa(mp, ksi, &diagnostic, espstack,
samsg->sadb_msg_type);
if (error != 0) {
sadb_pfkey_error(espstack->esp_pfkey_q, mp, error,
diagnostic, ksi->ks_in_serial);
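Review bot: With `case SADB_X_DELPAIR_STATE:` removed, that message type now takes whatever the switch's default branch does, which is outside this hunk. It is worth confirming that the default path replies through `sadb_pfkey_error()` rather than silently discarding `mp`, so a key-management daemon still sending the retired type gets an explicit failure. If the constant is also removed from the PF_KEY headers, a one-line comment at the default branch noting that retired cluster message types land there would help the next reader. The switch begins before and continues after the lines shown.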