Download raw body.
inpcb struct ipsec_level
Hi,
Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels. This gives better type safety.
struct inpcb is globally visible for netstat, so put struct ipsec_level
outside of #ifdef _KERNEL.
ok?
bluhm
Index: sys/netinet/in_pcb.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.c,v
diff -u -p -r1.300 in_pcb.c
--- sys/netinet/in_pcb.c 12 Apr 2024 16:07:09 -0000 1.300
+++ sys/netinet/in_pcb.c 17 Apr 2024 12:58:43 -0000
@@ -240,10 +240,10 @@ in_pcballoc(struct socket *so, struct in
inp->inp_socket = so;
refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB);
mtx_init(&inp->inp_mtx, IPL_SOFTNET);
- inp->inp_seclevel[SL_AUTH] = IPSEC_AUTH_LEVEL_DEFAULT;
- inp->inp_seclevel[SL_ESP_TRANS] = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
- inp->inp_seclevel[SL_ESP_NETWORK] = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
- inp->inp_seclevel[SL_IPCOMP] = IPSEC_IPCOMP_LEVEL_DEFAULT;
+ inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT;
+ inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
+ inp->inp_seclevel.sl_esp_network = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
+ inp->inp_seclevel.sl_ipcomp = IPSEC_IPCOMP_LEVEL_DEFAULT;
inp->inp_rtableid = curproc->p_p->ps_rtableid;
inp->inp_hops = -1;
#ifdef INET6
Index: sys/netinet/in_pcb.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.h,v
diff -u -p -r1.155 in_pcb.h
--- sys/netinet/in_pcb.h 15 Apr 2024 18:31:04 -0000 1.155
+++ sys/netinet/in_pcb.h 17 Apr 2024 12:58:43 -0000
@@ -166,11 +166,7 @@ struct inpcb {
} inp_mou;
#define inp_moptions inp_mou.mou_mo /* [N] IPv4 multicast options */
#define inp_moptions6 inp_mou.mou_mo6 /* [N] IPv6 multicast options */
- u_char inp_seclevel[4]; /* [N] IPsec level of socket */
-#define SL_AUTH 0 /* Authentication level */
-#define SL_ESP_TRANS 1 /* ESP transport level */
-#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */
-#define SL_IPCOMP 3 /* Compression level */
+ struct ipsec_level inp_seclevel; /* [N] IPsec level of socket */
u_char inp_ip_minttl; /* minimum TTL or drop */
#define inp_ip6_minhlim inp_ip_minttl /* minimum Hop Limit or drop */
#define inp_flowinfo inp_hu.hu_ipv6.ip6_flow
Index: sys/netinet/ip_ipsp.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.h,v
diff -u -p -r1.244 ip_ipsp.h
--- sys/netinet/ip_ipsp.h 26 Nov 2023 22:08:10 -0000 1.244
+++ sys/netinet/ip_ipsp.h 17 Apr 2024 13:00:40 -0000
@@ -149,6 +149,13 @@ struct ipsecstat {
uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */
};
+struct ipsec_level {
+ u_char sl_auth; /* Authentication level */
+ u_char sl_esp_trans; /* ESP transport level */
+ u_char sl_esp_network; /* ESP network (encapsulation) level */
+ u_char sl_ipcomp; /* Compression level */
+};
+
#ifdef _KERNEL
#include <sys/timeout.h>
@@ -671,7 +678,7 @@ int checkreplaywindow(struct tdb *, u_in
int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
int ipsp_process_done(struct mbuf *, struct tdb *);
int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
- const u_char[], struct tdb **, struct ipsec_ids *);
+ const struct ipsec_level *, struct tdb **, struct ipsec_ids *);
int ipsp_is_unspecified(union sockaddr_union);
int ipsp_aux_match(struct tdb *, struct ipsec_ids *,
struct sockaddr_encap *, struct sockaddr_encap *);
Index: sys/netinet/ip_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
diff -u -p -r1.397 ip_output.c
--- sys/netinet/ip_output.c 9 Apr 2024 11:05:05 -0000 1.397
+++ sys/netinet/ip_output.c 17 Apr 2024 12:58:43 -0000
@@ -84,8 +84,8 @@ void ip_mloopback(struct ifnet *, struct
static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
void in_delayed_cksum(struct mbuf *);
-int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
- struct tdb **, int ipsecflowinfo);
+int ip_output_ipsec_lookup(struct mbuf *m, int hlen,
+ const struct ipsec_level *seclevel, struct tdb **, int ipsecflowinfo);
void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
int, int);
int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
@@ -98,7 +98,8 @@ int ip_output_ipsec_send(struct tdb *, s
*/
int
ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
- struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
+ struct ip_moptions *imo, const struct ipsec_level *seclevel,
+ u_int32_t ipsecflowinfo)
{
struct ip *ip;
struct ifnet *ifp = NULL;
@@ -498,8 +499,8 @@ bad:
#ifdef IPSEC
int
-ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
- struct tdb **tdbout, int ipsecflowinfo)
+ip_output_ipsec_lookup(struct mbuf *m, int hlen,
+ const struct ipsec_level *seclevel, struct tdb **tdbout, int ipsecflowinfo)
{
struct m_tag *mtag;
struct tdb_ident *tdbi;
@@ -1019,7 +1020,7 @@ ip_ctloutput(int op, struct socket *so,
error = EACCES;
break;
}
- inp->inp_seclevel[SL_AUTH] = optval;
+ inp->inp_seclevel.sl_auth = optval;
break;
case IP_ESP_TRANS_LEVEL:
@@ -1028,7 +1029,7 @@ ip_ctloutput(int op, struct socket *so,
error = EACCES;
break;
}
- inp->inp_seclevel[SL_ESP_TRANS] = optval;
+ inp->inp_seclevel.sl_esp_trans = optval;
break;
case IP_ESP_NETWORK_LEVEL:
@@ -1037,7 +1038,7 @@ ip_ctloutput(int op, struct socket *so,
error = EACCES;
break;
}
- inp->inp_seclevel[SL_ESP_NETWORK] = optval;
+ inp->inp_seclevel.sl_esp_network = optval;
break;
case IP_IPCOMP_LEVEL:
if (optval < IPSEC_IPCOMP_LEVEL_DEFAULT &&
@@ -1045,7 +1046,7 @@ ip_ctloutput(int op, struct socket *so,
error = EACCES;
break;
}
- inp->inp_seclevel[SL_IPCOMP] = optval;
+ inp->inp_seclevel.sl_ipcomp = optval;
break;
}
#endif
@@ -1189,18 +1190,18 @@ ip_ctloutput(int op, struct socket *so,
m->m_len = sizeof(int);
switch (optname) {
case IP_AUTH_LEVEL:
- optval = inp->inp_seclevel[SL_AUTH];
+ optval = inp->inp_seclevel.sl_auth;
break;
case IP_ESP_TRANS_LEVEL:
- optval = inp->inp_seclevel[SL_ESP_TRANS];
+ optval = inp->inp_seclevel.sl_esp_trans;
break;
case IP_ESP_NETWORK_LEVEL:
- optval = inp->inp_seclevel[SL_ESP_NETWORK];
+ optval = inp->inp_seclevel.sl_esp_network;
break;
case IP_IPCOMP_LEVEL:
- optval = inp->inp_seclevel[SL_IPCOMP];
+ optval = inp->inp_seclevel.sl_ipcomp;
break;
}
*mtod(m, int *) = optval;
Index: sys/netinet/ip_spd.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_spd.c,v
diff -u -p -r1.119 ip_spd.c
--- sys/netinet/ip_spd.c 26 Nov 2023 22:08:10 -0000 1.119
+++ sys/netinet/ip_spd.c 17 Apr 2024 12:58:43 -0000
@@ -39,8 +39,8 @@
#include <netinet/ip_ipsp.h>
#include <net/pfkeyv2.h>
-int ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
- struct tdb **);
+int ipsp_spd_inp(struct mbuf *, const struct ipsec_level *,
+ struct ipsec_policy *, struct tdb **);
int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
int ipsp_pending_acquire(struct ipsec_policy *, union sockaddr_union *);
@@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid,
*/
int
ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
- struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
+ struct tdb *tdbin, const struct ipsec_level *seclevel, struct tdb **tdbout,
struct ipsec_ids *ipsecflowinfo_ids)
{
struct radix_node_head *rnh;
@@ -178,9 +178,9 @@ ipsp_spd_lookup(struct mbuf *m, int af,
* If an input packet is destined to a BYPASS socket, just accept it.
*/
if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
- (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
- (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
+ (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
+ (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
if (tdbout != NULL)
*tdbout = NULL;
return 0;
@@ -385,9 +385,9 @@ ipsp_spd_lookup(struct mbuf *m, int af,
* option set, skip IPsec processing.
*/
if ((seclevel != NULL) &&
- (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
- (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
- (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
+ (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
+ (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
+ (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
/* Direct match. */
if (dignore ||
!memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
@@ -904,8 +904,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo
* Deal with PCB security requirements.
*/
int
-ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
- struct tdb **tdbout)
+ipsp_spd_inp(struct mbuf *m, const struct ipsec_level *seclevel,
+ struct ipsec_policy *ipo, struct tdb **tdbout)
{
/* Sanity check. */
if (seclevel == NULL)
@@ -913,14 +913,14 @@ ipsp_spd_inp(struct mbuf *m, const u_cha
/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
- if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
- seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
- seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
+ if (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS &&
+ seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS &&
+ seclevel->sl_auth == IPSEC_LEVEL_BYPASS)
goto justreturn;
- if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
- seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
- seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
+ if (seclevel->sl_esp_trans == IPSEC_LEVEL_AVAIL &&
+ seclevel->sl_esp_network == IPSEC_LEVEL_AVAIL &&
+ seclevel->sl_auth == IPSEC_LEVEL_AVAIL)
goto justreturn;
return -EINVAL; /* Silently drop packet. */
Index: sys/netinet/ip_var.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
diff -u -p -r1.116 ip_var.h
--- sys/netinet/ip_var.h 16 Apr 2024 12:56:39 -0000 1.116
+++ sys/netinet/ip_var.h 17 Apr 2024 12:58:43 -0000
@@ -235,6 +235,7 @@ extern struct pool ipqent_pool;
struct rtentry;
struct route;
struct inpcb;
+struct ipsec_level;
int ip_ctloutput(int, struct socket *, int, int, struct mbuf *);
int ip_fragment(struct mbuf *, struct mbuf_list *, struct ifnet *, u_long);
@@ -246,7 +247,7 @@ struct mbuf*
int ip_mforward(struct mbuf *, struct ifnet *);
int ip_optcopy(struct ip *, struct ip *);
int ip_output(struct mbuf *, struct mbuf *, struct route *, int,
- struct ip_moptions *, const u_char[], u_int32_t);
+ struct ip_moptions *, const struct ipsec_level *, u_int32_t);
u_int16_t
ip_randomid(void);
void ip_send(struct mbuf *);
Index: sys/netinet/raw_ip.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v
diff -u -p -r1.158 raw_ip.c
--- sys/netinet/raw_ip.c 12 Apr 2024 12:25:58 -0000 1.158
+++ sys/netinet/raw_ip.c 17 Apr 2024 12:58:43 -0000
@@ -332,7 +332,7 @@ rip_output(struct mbuf *m, struct socket
#endif
error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
- inp->inp_moptions, inp->inp_seclevel, 0);
+ inp->inp_moptions, &inp->inp_seclevel, 0);
return (error);
}
Index: sys/netinet/tcp_input.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
diff -u -p -r1.404 tcp_input.c
--- sys/netinet/tcp_input.c 13 Apr 2024 23:44:11 -0000 1.404
+++ sys/netinet/tcp_input.c 17 Apr 2024 12:58:43 -0000
@@ -590,7 +590,7 @@ findpcb:
&tdbi->dst, tdbi->proto);
}
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
+ tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
tdb_unref(tdb);
if (error) {
tcpstat_inc(tcps_rcvnosec);
@@ -3541,8 +3541,7 @@ syn_cache_get(struct sockaddr *src, stru
* from the old pcb. Ditto for any other
* IPsec-related information.
*/
- memcpy(inp->inp_seclevel, oldinp->inp_seclevel,
- sizeof(oldinp->inp_seclevel));
+ inp->inp_seclevel = oldinp->inp_seclevel;
#endif /* IPSEC */
#ifdef INET6
if (ISSET(inp->inp_flags, INP_IPV6)) {
@@ -4150,7 +4149,7 @@ syn_cache_respond(struct syn_cache *sc,
error = ip_output(m, sc->sc_ipopts, &sc->sc_route,
(ip_mtudisc ? IP_MTUDISC : 0), NULL,
- inp ? inp->inp_seclevel : NULL, 0);
+ inp ? &inp->inp_seclevel : NULL, 0);
break;
#ifdef INET6
case AF_INET6:
@@ -4161,7 +4160,7 @@ syn_cache_respond(struct syn_cache *sc,
/* leave flowlabel = 0, it is legal and require no state mgmt */
error = ip6_output(m, NULL /*XXX*/, &sc->sc_route, 0,
- NULL, inp ? inp->inp_seclevel : NULL);
+ NULL, inp ? &inp->inp_seclevel : NULL);
break;
#endif
}
Index: sys/netinet/tcp_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_output.c,v
diff -u -p -r1.143 tcp_output.c
--- sys/netinet/tcp_output.c 13 Feb 2024 12:22:09 -0000 1.143
+++ sys/netinet/tcp_output.c 17 Apr 2024 12:58:43 -0000
@@ -1090,7 +1090,7 @@ send:
error = ip_output(m, tp->t_inpcb->inp_options,
&tp->t_inpcb->inp_route,
(ip_mtudisc ? IP_MTUDISC : 0), NULL,
- tp->t_inpcb->inp_seclevel, 0);
+ &tp->t_inpcb->inp_seclevel, 0);
break;
#ifdef INET6
case AF_INET6:
@@ -1110,7 +1110,7 @@ send:
}
error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
&tp->t_inpcb->inp_route, 0, NULL,
- tp->t_inpcb->inp_seclevel);
+ &tp->t_inpcb->inp_seclevel);
break;
#endif /* INET6 */
}
Index: sys/netinet/tcp_subr.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_subr.c,v
diff -u -p -r1.200 tcp_subr.c
--- sys/netinet/tcp_subr.c 12 Apr 2024 16:07:09 -0000 1.200
+++ sys/netinet/tcp_subr.c 17 Apr 2024 12:58:43 -0000
@@ -406,7 +406,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
tp ? &tp->t_inpcb->inp_route : NULL,
0, NULL,
- tp ? tp->t_inpcb->inp_seclevel : NULL);
+ tp ? &tp->t_inpcb->inp_seclevel : NULL);
break;
#endif /* INET6 */
case AF_INET:
@@ -416,7 +416,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
ip_output(m, NULL,
tp ? &tp->t_inpcb->inp_route : NULL,
ip_mtudisc ? IP_MTUDISC : 0, NULL,
- tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
+ tp ? &tp->t_inpcb->inp_seclevel : NULL, 0);
break;
}
}
Index: sys/netinet/udp_usrreq.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v
diff -u -p -r1.319 udp_usrreq.c
--- sys/netinet/udp_usrreq.c 12 Apr 2024 16:07:09 -0000 1.319
+++ sys/netinet/udp_usrreq.c 17 Apr 2024 12:58:43 -0000
@@ -562,7 +562,7 @@ udp_input(struct mbuf **mp, int *offp, i
} else
tdb = NULL;
error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
- tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
+ tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
if (error) {
udpstat_inc(udps_nosec);
tdb_unref(tdb);
@@ -1084,7 +1084,7 @@ udp_output(struct inpcb *inp, struct mbu
error = ip_output(m, inp->inp_options, &inp->inp_route,
(inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
- inp->inp_seclevel, ipsecflowinfo);
+ &inp->inp_seclevel, ipsecflowinfo);
bail:
m_freem(control);
Index: sys/netinet6/ip6_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
diff -u -p -r1.290 ip6_output.c
--- sys/netinet6/ip6_output.c 16 Apr 2024 12:56:39 -0000 1.290
+++ sys/netinet6/ip6_output.c 17 Apr 2024 12:58:43 -0000
@@ -161,7 +161,7 @@ struct idgen32_ctx ip6_id_ctx;
*/
int
ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route *ro,
- int flags, struct ip6_moptions *im6o, const u_char seclevel[])
+ int flags, struct ip6_moptions *im6o, const struct ipsec_level *seclevel)
{
struct ip6_hdr *ip6;
struct ifnet *ifp = NULL;
@@ -1326,7 +1326,7 @@ do { \
error = EACCES;
break;
}
- inp->inp_seclevel[SL_AUTH] = optval;
+ inp->inp_seclevel.sl_auth = optval;
break;
case IPV6_ESP_TRANS_LEVEL:
@@ -1335,7 +1335,7 @@ do { \
error = EACCES;
break;
}
- inp->inp_seclevel[SL_ESP_TRANS] = optval;
+ inp->inp_seclevel.sl_esp_trans = optval;
break;
case IPV6_ESP_NETWORK_LEVEL:
@@ -1344,7 +1344,7 @@ do { \
error = EACCES;
break;
}
- inp->inp_seclevel[SL_ESP_NETWORK] = optval;
+ inp->inp_seclevel.sl_esp_network = optval;
break;
case IPV6_IPCOMP_LEVEL:
@@ -1353,7 +1353,7 @@ do { \
error = EACCES;
break;
}
- inp->inp_seclevel[SL_IPCOMP] = optval;
+ inp->inp_seclevel.sl_ipcomp = optval;
break;
}
#endif
@@ -1548,21 +1548,21 @@ do { \
m->m_len = sizeof(int);
switch (optname) {
case IPV6_AUTH_LEVEL:
- optval = inp->inp_seclevel[SL_AUTH];
+ optval = inp->inp_seclevel.sl_auth;
break;
case IPV6_ESP_TRANS_LEVEL:
optval =
- inp->inp_seclevel[SL_ESP_TRANS];
+ inp->inp_seclevel.sl_esp_trans;
break;
case IPV6_ESP_NETWORK_LEVEL:
optval =
- inp->inp_seclevel[SL_ESP_NETWORK];
+ inp->inp_seclevel.sl_esp_network;
break;
case IPV6_IPCOMP_LEVEL:
- optval = inp->inp_seclevel[SL_IPCOMP];
+ optval = inp->inp_seclevel.sl_ipcomp;
break;
}
*mtod(m, int *) = optval;
@@ -2730,7 +2730,7 @@ in6_proto_cksum_out(struct mbuf *m, stru
#ifdef IPSEC
int
-ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[],
+ip6_output_ipsec_lookup(struct mbuf *m, const struct ipsec_level *seclevel,
struct tdb **tdbout)
{
struct tdb *tdb;
Index: sys/netinet6/ip6_var.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_var.h,v
diff -u -p -r1.115 ip6_var.h
--- sys/netinet6/ip6_var.h 16 Apr 2024 12:56:39 -0000 1.115
+++ sys/netinet6/ip6_var.h 17 Apr 2024 12:58:43 -0000
@@ -302,6 +302,7 @@ extern uint8_t ip6_soiikey[IP6_SOIIKEY_L
extern const struct pr_usrreqs rip6_usrreqs;
struct inpcb;
+struct ipsec_level;
int icmp6_ctloutput(int, struct socket *, int, int, struct mbuf *);
@@ -324,7 +325,7 @@ void ip6_forward(struct mbuf *, struct r
void ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *);
int ip6_output(struct mbuf *, struct ip6_pktopts *, struct route *, int,
- struct ip6_moptions *, const u_char[]);
+ struct ip6_moptions *, const struct ipsec_level *);
int ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long);
int ip6_ctloutput(int, struct socket *, int, int, struct mbuf *);
int ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *);
@@ -376,7 +377,8 @@ u_int32_t ip6_randomflowlabel(void);
#ifdef IPSEC
struct tdb;
-int ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **);
+int ip6_output_ipsec_lookup(struct mbuf *, const struct ipsec_level *,
+ struct tdb **);
int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route *,
int, int);
#endif /* IPSEC */
Index: sys/netinet6/raw_ip6.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v
diff -u -p -r1.183 raw_ip6.c
--- sys/netinet6/raw_ip6.c 16 Apr 2024 12:40:40 -0000 1.183
+++ sys/netinet6/raw_ip6.c 17 Apr 2024 12:58:43 -0000
@@ -521,7 +521,7 @@ rip6_output(struct mbuf *m, struct socke
#endif
error = ip6_output(m, optp, &inp->inp_route, flags,
- inp->inp_moptions6, inp->inp_seclevel);
+ inp->inp_moptions6, &inp->inp_seclevel);
if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
icmp6stat_inc(icp6s_outhist + type);
} else
Index: sys/netinet6/udp6_output.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/udp6_output.c,v
diff -u -p -r1.64 udp6_output.c
--- sys/netinet6/udp6_output.c 13 Feb 2024 12:22:09 -0000 1.64
+++ sys/netinet6/udp6_output.c 17 Apr 2024 12:58:43 -0000
@@ -233,7 +233,7 @@ udp6_output(struct inpcb *inp, struct mb
#endif
error = ip6_output(m, optp, &inp->inp_route,
- flags, inp->inp_moptions6, inp->inp_seclevel);
+ flags, inp->inp_moptions6, &inp->inp_seclevel);
goto releaseopt;
release:
Index: usr.bin/netstat/inet.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/usr.bin/netstat/inet.c,v
diff -u -p -r1.181 inet.c
--- usr.bin/netstat/inet.c 13 Feb 2024 12:22:09 -0000 1.181
+++ usr.bin/netstat/inet.c 16 Apr 2024 19:56:43 -0000
@@ -1489,10 +1489,10 @@ inpcb_dump(u_long off, short protocol, i
printf("ro_dst %s\n ", raddr);
p("%#.8x", inp_flags, "\n ");
p("%d", inp_hops, "\n ");
- p("%u", inp_seclevel[0], ", ");
- p("%u", inp_seclevel[1], ", ");
- p("%u", inp_seclevel[2], ", ");
- p("%u", inp_seclevel[3], "\n ");
+ p("%u", inp_seclevel.sl_auth, ", ");
+ p("%u", inp_seclevel.sl_esp_trans, ", ");
+ p("%u", inp_seclevel.sl_esp_network, ", ");
+ p("%u", inp_seclevel.sl_ipcomp, "\n ");
p("%u", inp_ip_minttl, "\n ");
p("%d", inp_cksum6, "\n ");
pp("%p", inp_icmp6filt, "\n ");
inpcb struct ipsec_level