
From:
Vitaliy Makkoveev <mvs@openbsd.org>
Subject:
Re: inpcb struct ipsec_level
To:
Alexander Bluhm <bluhm@openbsd.org>
Cc:
tech@openbsd.org
Date:
Wed, 17 Apr 2024 18:46:50 +0300


On Wed, Apr 17, 2024 at 03:08:11PM +0200, Alexander Bluhm wrote:
> Hi,
> 
> Instead of passing around u_char[4], introduce struct ipsec_level
> that contains 4 ipsec levels.  This gives better type safety.
> 
> struct inpcb is globally visible for netstat, so put struct ipsec_level
> outside of #ifdef _KERNEL.
> 
> ok?
> 

ok mvs

> bluhm
> 
> Index: sys/netinet/in_pcb.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.c,v
> diff -u -p -r1.300 in_pcb.c
> --- sys/netinet/in_pcb.c	12 Apr 2024 16:07:09 -0000	1.300
> +++ sys/netinet/in_pcb.c	17 Apr 2024 12:58:43 -0000
> @@ -240,10 +240,10 @@ in_pcballoc(struct socket *so, struct in
>  	inp->inp_socket = so;
>  	refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB);
>  	mtx_init(&inp->inp_mtx, IPL_SOFTNET);
> -	inp->inp_seclevel[SL_AUTH] = IPSEC_AUTH_LEVEL_DEFAULT;
> -	inp->inp_seclevel[SL_ESP_TRANS] = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
> -	inp->inp_seclevel[SL_ESP_NETWORK] = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
> -	inp->inp_seclevel[SL_IPCOMP] = IPSEC_IPCOMP_LEVEL_DEFAULT;
> +	inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT;
> +	inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
> +	inp->inp_seclevel.sl_esp_network = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
> +	inp->inp_seclevel.sl_ipcomp = IPSEC_IPCOMP_LEVEL_DEFAULT;
>  	inp->inp_rtableid = curproc->p_p->ps_rtableid;
>  	inp->inp_hops = -1;
>  #ifdef INET6
> Index: sys/netinet/in_pcb.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.h,v
> diff -u -p -r1.155 in_pcb.h
> --- sys/netinet/in_pcb.h	15 Apr 2024 18:31:04 -0000	1.155
> +++ sys/netinet/in_pcb.h	17 Apr 2024 12:58:43 -0000
> @@ -166,11 +166,7 @@ struct inpcb {
>  	} inp_mou;
>  #define inp_moptions inp_mou.mou_mo	/* [N] IPv4 multicast options */
>  #define inp_moptions6 inp_mou.mou_mo6	/* [N] IPv6 multicast options */
> -	u_char	  inp_seclevel[4];	/* [N] IPsec level of socket */
> -#define SL_AUTH           0             /* Authentication level */
> -#define SL_ESP_TRANS      1             /* ESP transport level */
> -#define SL_ESP_NETWORK    2             /* ESP network (encapsulation) level */
> -#define SL_IPCOMP         3             /* Compression level */
> +	struct	ipsec_level   inp_seclevel;	/* [N] IPsec level of socket */
>  	u_char	inp_ip_minttl;		/* minimum TTL or drop */
>  #define inp_ip6_minhlim inp_ip_minttl	/* minimum Hop Limit or drop */
>  #define	inp_flowinfo	inp_hu.hu_ipv6.ip6_flow
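Review bot: `struct ipsec_level` is now embedded in `struct inpcb` by value on the replaced line, so its complete definition from netinet/ip_ipsp.h has to be visible everywhere in_pcb.h is included, in the kernel and in netstat alike; the hunk does not show in_pcb.h including that header, so confirm it already does, because a forward declaration of the kind added to ip_var.h is only enough for a pointer member. Four consecutive u_char fields have the same size and alignment as the u_char[4] they replace, so the offset of the following inp_ip_minttl member should not move, which matters for anything that reads struct inpcb out of a kernel image rather than through a freshly built header. The struct inpcb definition begins and ends outside the hunk.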
> Index: sys/netinet/ip_ipsp.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.h,v
> diff -u -p -r1.244 ip_ipsp.h
> --- sys/netinet/ip_ipsp.h	26 Nov 2023 22:08:10 -0000	1.244
> +++ sys/netinet/ip_ipsp.h	17 Apr 2024 13:00:40 -0000
> @@ -149,6 +149,13 @@ struct ipsecstat {
>  	uint64_t	ipsec_exctdb;		/* TDBs with hardlimit excess */
>  };
>  
> +struct ipsec_level {
> +	u_char	sl_auth;	/* Authentication level */
> +	u_char	sl_esp_trans;	/* ESP transport level */
> +	u_char	sl_esp_network;	/* ESP network (encapsulation) level */
> +	u_char	sl_ipcomp;	/* Compression level */
> +};
> +
>  #ifdef _KERNEL
>  
>  #include <sys/timeout.h>
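Review bot: The new `struct ipsec_level` carries no comment saying what the four levels are, where they live, or why the definition sits above `#ifdef _KERNEL`, and a reader of ip_ipsp.h cannot recover that from the four field comments alone. A short header comment would capture it, e.g. `/* Per-socket IPsec requirement levels (IPSEC_LEVEL_*), embedded in struct inpcb as inp_seclevel and set through the IP_*_LEVEL / IPV6_*_LEVEL socket options. Outside _KERNEL because netstat reads struct inpcb. */`. It may also be worth noting in that comment that the fields keep the u_char type of the array they replace, so the struct occupies the same four bytes in struct inpcb.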
> @@ -671,7 +678,7 @@ int	checkreplaywindow(struct tdb *, u_in
>  int	ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
>  int	ipsp_process_done(struct mbuf *, struct tdb *);
>  int	ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
> -	    const u_char[], struct tdb **, struct ipsec_ids *);
> +	    const struct ipsec_level *, struct tdb **, struct ipsec_ids *);
>  int	ipsp_is_unspecified(union sockaddr_union);
>  int	ipsp_aux_match(struct tdb *, struct ipsec_ids *,
>  	    struct sockaddr_encap *, struct sockaddr_encap *);
> Index: sys/netinet/ip_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
> diff -u -p -r1.397 ip_output.c
> --- sys/netinet/ip_output.c	9 Apr 2024 11:05:05 -0000	1.397
> +++ sys/netinet/ip_output.c	17 Apr 2024 12:58:43 -0000
> @@ -84,8 +84,8 @@ void ip_mloopback(struct ifnet *, struct
>  static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
>  void in_delayed_cksum(struct mbuf *);
>  
> -int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
> -    struct tdb **, int ipsecflowinfo);
> +int ip_output_ipsec_lookup(struct mbuf *m, int hlen,
> +    const struct ipsec_level *seclevel, struct tdb **, int ipsecflowinfo);
>  void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
>      int, int);
>  int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
> @@ -98,7 +98,8 @@ int ip_output_ipsec_send(struct tdb *, s
>   */
>  int
>  ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
> -    struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
> +    struct ip_moptions *imo, const struct ipsec_level *seclevel,
> +    u_int32_t ipsecflowinfo)
>  {
>  	struct ip *ip;
>  	struct ifnet *ifp = NULL;
> @@ -498,8 +499,8 @@ bad:
>  
>  #ifdef IPSEC
>  int
> -ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
> -    struct tdb **tdbout, int ipsecflowinfo)
> +ip_output_ipsec_lookup(struct mbuf *m, int hlen,
> +    const struct ipsec_level *seclevel, struct tdb **tdbout, int ipsecflowinfo)
>  {
>  	struct m_tag *mtag;
>  	struct tdb_ident *tdbi;
> @@ -1019,7 +1020,7 @@ ip_ctloutput(int op, struct socket *so, 
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_AUTH] = optval;
> +				inp->inp_seclevel.sl_auth = optval;
>  				break;
>  
>  			case IP_ESP_TRANS_LEVEL:
> @@ -1028,7 +1029,7 @@ ip_ctloutput(int op, struct socket *so, 
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_ESP_TRANS] = optval;
> +				inp->inp_seclevel.sl_esp_trans = optval;
>  				break;
>  
>  			case IP_ESP_NETWORK_LEVEL:
> @@ -1037,7 +1038,7 @@ ip_ctloutput(int op, struct socket *so, 
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_ESP_NETWORK] = optval;
> +				inp->inp_seclevel.sl_esp_network = optval;
>  				break;
>  			case IP_IPCOMP_LEVEL:
>  				if (optval < IPSEC_IPCOMP_LEVEL_DEFAULT &&
> @@ -1045,7 +1046,7 @@ ip_ctloutput(int op, struct socket *so, 
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_IPCOMP] = optval;
> +				inp->inp_seclevel.sl_ipcomp = optval;
>  				break;
>  			}
>  #endif
> @@ -1189,18 +1190,18 @@ ip_ctloutput(int op, struct socket *so, 
>  			m->m_len = sizeof(int);
>  			switch (optname) {
>  			case IP_AUTH_LEVEL:
> -				optval = inp->inp_seclevel[SL_AUTH];
> +				optval = inp->inp_seclevel.sl_auth;
>  				break;
>  
>  			case IP_ESP_TRANS_LEVEL:
> -				optval = inp->inp_seclevel[SL_ESP_TRANS];
> +				optval = inp->inp_seclevel.sl_esp_trans;
>  				break;
>  
>  			case IP_ESP_NETWORK_LEVEL:
> -				optval = inp->inp_seclevel[SL_ESP_NETWORK];
> +				optval = inp->inp_seclevel.sl_esp_network;
>  				break;
>  			case IP_IPCOMP_LEVEL:
> -				optval = inp->inp_seclevel[SL_IPCOMP];
> +				optval = inp->inp_seclevel.sl_ipcomp;
>  				break;
>  			}
>  			*mtod(m, int *) = optval;
> Index: sys/netinet/ip_spd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_spd.c,v
> diff -u -p -r1.119 ip_spd.c
> --- sys/netinet/ip_spd.c	26 Nov 2023 22:08:10 -0000	1.119
> +++ sys/netinet/ip_spd.c	17 Apr 2024 12:58:43 -0000
> @@ -39,8 +39,8 @@
>  #include <netinet/ip_ipsp.h>
>  #include <net/pfkeyv2.h>
>  
> -int	ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
> -	    struct tdb **);
> +int	ipsp_spd_inp(struct mbuf *, const struct ipsec_level *,
> +	    struct ipsec_policy *, struct tdb **);
>  int	ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
>  	    union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
>  int	ipsp_pending_acquire(struct ipsec_policy *, union sockaddr_union *);
> @@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid,
>   */
>  int
>  ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
> -    struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
> +    struct tdb *tdbin, const struct ipsec_level *seclevel, struct tdb **tdbout,
>      struct ipsec_ids *ipsecflowinfo_ids)
>  {
>  	struct radix_node_head *rnh;
> @@ -178,9 +178,9 @@ ipsp_spd_lookup(struct mbuf *m, int af, 
>  	 * If an input packet is destined to a BYPASS socket, just accept it.
>  	 */
>  	if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
> -	    (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
> -	    (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
> -	    (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
> +	    (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
> +	    (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
> +	    (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
>  		if (tdbout != NULL)
>  			*tdbout = NULL;
>  		return 0;
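Review bot: The three-field BYPASS comparison written at the end of this hunk is repeated verbatim in the next hunk of ipsp_spd_lookup and twice more in ipsp_spd_inp, once against IPSEC_LEVEL_BYPASS and once against IPSEC_LEVEL_AVAIL; now that the levels are a named struct, a small helper beside its definition would state the test once, e.g. `static inline int ipsec_level_all(const struct ipsec_level *sl, u_char lvl) { return sl->sl_esp_trans == lvl && sl->sl_esp_network == lvl && sl->sl_auth == lvl; }`, so this condition becomes `seclevel != NULL && direction == IPSP_DIRECTION_IN && ipsec_level_all(seclevel, IPSEC_LEVEL_BYPASS)`. The helper should keep exactly the existing three-field test: sl_ipcomp is not consulted at any of the four sites, as before, and a helper that silently added it would change which packets are accepted. ipsp_spd_lookup's body starts and ends outside the hunk.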
> @@ -385,9 +385,9 @@ ipsp_spd_lookup(struct mbuf *m, int af, 
>  		 * option set, skip IPsec processing.
>  		 */
>  		if ((seclevel != NULL) &&
> -		    (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
> -		    (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
> -		    (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
> +		    (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
> +		    (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
> +		    (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
>  			/* Direct match. */
>  			if (dignore ||
>  			    !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
> @@ -904,8 +904,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo
>   * Deal with PCB security requirements.
>   */
>  int
> -ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
> -    struct tdb **tdbout)
> +ipsp_spd_inp(struct mbuf *m, const struct ipsec_level *seclevel,
> +    struct ipsec_policy *ipo, struct tdb **tdbout)
>  {
>  	/* Sanity check. */
>  	if (seclevel == NULL)
> @@ -913,14 +913,14 @@ ipsp_spd_inp(struct mbuf *m, const u_cha
>  
>  	/* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
>  
> -	if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
> -	    seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
> -	    seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
> +	if (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS &&
> +	    seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS &&
> +	    seclevel->sl_auth == IPSEC_LEVEL_BYPASS)
>  		goto justreturn;
>  
> -	if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
> -	    seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
> -	    seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
> +	if (seclevel->sl_esp_trans == IPSEC_LEVEL_AVAIL &&
> +	    seclevel->sl_esp_network == IPSEC_LEVEL_AVAIL &&
> +	    seclevel->sl_auth == IPSEC_LEVEL_AVAIL)
>  		goto justreturn;
>  
>  	return -EINVAL;  /* Silently drop packet. */
> Index: sys/netinet/ip_var.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
> diff -u -p -r1.116 ip_var.h
> --- sys/netinet/ip_var.h	16 Apr 2024 12:56:39 -0000	1.116
> +++ sys/netinet/ip_var.h	17 Apr 2024 12:58:43 -0000
> @@ -235,6 +235,7 @@ extern struct pool ipqent_pool;
>  struct rtentry;
>  struct route;
>  struct inpcb;
> +struct ipsec_level;
>  
>  int	 ip_ctloutput(int, struct socket *, int, int, struct mbuf *);
>  int	 ip_fragment(struct mbuf *, struct mbuf_list *, struct ifnet *, u_long);
> @@ -246,7 +247,7 @@ struct mbuf*
>  int	 ip_mforward(struct mbuf *, struct ifnet *);
>  int	 ip_optcopy(struct ip *, struct ip *);
>  int	 ip_output(struct mbuf *, struct mbuf *, struct route *, int,
> -	    struct ip_moptions *, const u_char[], u_int32_t);
> +	    struct ip_moptions *, const struct ipsec_level *, u_int32_t);
>  u_int16_t
>  	 ip_randomid(void);
>  void	 ip_send(struct mbuf *);
> Index: sys/netinet/raw_ip.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v
> diff -u -p -r1.158 raw_ip.c
> --- sys/netinet/raw_ip.c	12 Apr 2024 12:25:58 -0000	1.158
> +++ sys/netinet/raw_ip.c	17 Apr 2024 12:58:43 -0000
> @@ -332,7 +332,7 @@ rip_output(struct mbuf *m, struct socket
>  #endif
>  
>  	error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
> -	    inp->inp_moptions, inp->inp_seclevel, 0);
> +	    inp->inp_moptions, &inp->inp_seclevel, 0);
>  	return (error);
>  }
>  
> Index: sys/netinet/tcp_input.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
> diff -u -p -r1.404 tcp_input.c
> --- sys/netinet/tcp_input.c	13 Apr 2024 23:44:11 -0000	1.404
> +++ sys/netinet/tcp_input.c	17 Apr 2024 12:58:43 -0000
> @@ -590,7 +590,7 @@ findpcb:
>  			    &tdbi->dst, tdbi->proto);
>  		}
>  		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
> -		    tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
> +		    tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
>  		tdb_unref(tdb);
>  		if (error) {
>  			tcpstat_inc(tcps_rcvnosec);
> @@ -3541,8 +3541,7 @@ syn_cache_get(struct sockaddr *src, stru
>  	 * from the old pcb. Ditto for any other
>  	 * IPsec-related information.
>  	 */
> -	memcpy(inp->inp_seclevel, oldinp->inp_seclevel,
> -	    sizeof(oldinp->inp_seclevel));
> +	inp->inp_seclevel = oldinp->inp_seclevel;
>  #endif /* IPSEC */
>  #ifdef INET6
>  	if (ISSET(inp->inp_flags, INP_IPV6)) {
> @@ -4150,7 +4149,7 @@ syn_cache_respond(struct syn_cache *sc, 
>  
>  		error = ip_output(m, sc->sc_ipopts, &sc->sc_route,
>  		    (ip_mtudisc ? IP_MTUDISC : 0),  NULL,
> -		    inp ? inp->inp_seclevel : NULL, 0);
> +		    inp ? &inp->inp_seclevel : NULL, 0);
>  		break;
>  #ifdef INET6
>  	case AF_INET6:
> @@ -4161,7 +4160,7 @@ syn_cache_respond(struct syn_cache *sc, 
>  		/* leave flowlabel = 0, it is legal and require no state mgmt */
>  
>  		error = ip6_output(m, NULL /*XXX*/, &sc->sc_route, 0,
> -		    NULL, inp ? inp->inp_seclevel : NULL);
> +		    NULL, inp ? &inp->inp_seclevel : NULL);
>  		break;
>  #endif
>  	}
> Index: sys/netinet/tcp_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_output.c,v
> diff -u -p -r1.143 tcp_output.c
> --- sys/netinet/tcp_output.c	13 Feb 2024 12:22:09 -0000	1.143
> +++ sys/netinet/tcp_output.c	17 Apr 2024 12:58:43 -0000
> @@ -1090,7 +1090,7 @@ send:
>  		error = ip_output(m, tp->t_inpcb->inp_options,
>  		    &tp->t_inpcb->inp_route,
>  		    (ip_mtudisc ? IP_MTUDISC : 0), NULL,
> -		    tp->t_inpcb->inp_seclevel, 0);
> +		    &tp->t_inpcb->inp_seclevel, 0);
>  		break;
>  #ifdef INET6
>  	case AF_INET6:
> @@ -1110,7 +1110,7 @@ send:
>  		}
>  		error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
>  		    &tp->t_inpcb->inp_route, 0, NULL,
> -		    tp->t_inpcb->inp_seclevel);
> +		    &tp->t_inpcb->inp_seclevel);
>  		break;
>  #endif /* INET6 */
>  	}
> Index: sys/netinet/tcp_subr.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_subr.c,v
> diff -u -p -r1.200 tcp_subr.c
> --- sys/netinet/tcp_subr.c	12 Apr 2024 16:07:09 -0000	1.200
> +++ sys/netinet/tcp_subr.c	17 Apr 2024 12:58:43 -0000
> @@ -406,7 +406,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
>  		ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
>  		    tp ? &tp->t_inpcb->inp_route : NULL,
>  		    0, NULL,
> -		    tp ? tp->t_inpcb->inp_seclevel : NULL);
> +		    tp ? &tp->t_inpcb->inp_seclevel : NULL);
>  		break;
>  #endif /* INET6 */
>  	case AF_INET:
> @@ -416,7 +416,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
>  		ip_output(m, NULL,
>  		    tp ? &tp->t_inpcb->inp_route : NULL,
>  		    ip_mtudisc ? IP_MTUDISC : 0, NULL,
> -		    tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
> +		    tp ? &tp->t_inpcb->inp_seclevel : NULL, 0);
>  		break;
>  	}
>  }
> Index: sys/netinet/udp_usrreq.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v
> diff -u -p -r1.319 udp_usrreq.c
> --- sys/netinet/udp_usrreq.c	12 Apr 2024 16:07:09 -0000	1.319
> +++ sys/netinet/udp_usrreq.c	17 Apr 2024 12:58:43 -0000
> @@ -562,7 +562,7 @@ udp_input(struct mbuf **mp, int *offp, i
>  		} else
>  			tdb = NULL;
>  		error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
> -		    tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
> +		    tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
>  		if (error) {
>  			udpstat_inc(udps_nosec);
>  			tdb_unref(tdb);
> @@ -1084,7 +1084,7 @@ udp_output(struct inpcb *inp, struct mbu
>  
>  	error = ip_output(m, inp->inp_options, &inp->inp_route,
>  	    (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
> -	    inp->inp_seclevel, ipsecflowinfo);
> +	    &inp->inp_seclevel, ipsecflowinfo);
>  
>  bail:
>  	m_freem(control);
> Index: sys/netinet6/ip6_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
> diff -u -p -r1.290 ip6_output.c
> --- sys/netinet6/ip6_output.c	16 Apr 2024 12:56:39 -0000	1.290
> +++ sys/netinet6/ip6_output.c	17 Apr 2024 12:58:43 -0000
> @@ -161,7 +161,7 @@ struct idgen32_ctx ip6_id_ctx;
>   */
>  int
>  ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route *ro,
> -    int flags, struct ip6_moptions *im6o, const u_char seclevel[])
> +    int flags, struct ip6_moptions *im6o, const struct ipsec_level *seclevel)
>  {
>  	struct ip6_hdr *ip6;
>  	struct ifnet *ifp = NULL;
> @@ -1326,7 +1326,7 @@ do { \
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_AUTH] = optval;
> +				inp->inp_seclevel.sl_auth = optval;
>  				break;
>  
>  			case IPV6_ESP_TRANS_LEVEL:
> @@ -1335,7 +1335,7 @@ do { \
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_ESP_TRANS] = optval;
> +				inp->inp_seclevel.sl_esp_trans = optval;
>  				break;
>  
>  			case IPV6_ESP_NETWORK_LEVEL:
> @@ -1344,7 +1344,7 @@ do { \
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_ESP_NETWORK] = optval;
> +				inp->inp_seclevel.sl_esp_network = optval;
>  				break;
>  
>  			case IPV6_IPCOMP_LEVEL:
> @@ -1353,7 +1353,7 @@ do { \
>  					error = EACCES;
>  					break;
>  				}
> -				inp->inp_seclevel[SL_IPCOMP] = optval;
> +				inp->inp_seclevel.sl_ipcomp = optval;
>  				break;
>  			}
>  #endif
> @@ -1548,21 +1548,21 @@ do { \
>  			m->m_len = sizeof(int);
>  			switch (optname) {
>  			case IPV6_AUTH_LEVEL:
> -				optval = inp->inp_seclevel[SL_AUTH];
> +				optval = inp->inp_seclevel.sl_auth;
>  				break;
>  
>  			case IPV6_ESP_TRANS_LEVEL:
>  				optval =
> -				    inp->inp_seclevel[SL_ESP_TRANS];
> +				    inp->inp_seclevel.sl_esp_trans;
>  				break;
>  
>  			case IPV6_ESP_NETWORK_LEVEL:
>  				optval =
> -				    inp->inp_seclevel[SL_ESP_NETWORK];
> +				    inp->inp_seclevel.sl_esp_network;
>  				break;
>  
>  			case IPV6_IPCOMP_LEVEL:
> -				optval = inp->inp_seclevel[SL_IPCOMP];
> +				optval = inp->inp_seclevel.sl_ipcomp;
>  				break;
>  			}
>  			*mtod(m, int *) = optval;
> @@ -2730,7 +2730,7 @@ in6_proto_cksum_out(struct mbuf *m, stru
>  
>  #ifdef IPSEC
>  int
> -ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[],
> +ip6_output_ipsec_lookup(struct mbuf *m, const struct ipsec_level *seclevel,
>      struct tdb **tdbout)
>  {
>  	struct tdb *tdb;
> Index: sys/netinet6/ip6_var.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_var.h,v
> diff -u -p -r1.115 ip6_var.h
> --- sys/netinet6/ip6_var.h	16 Apr 2024 12:56:39 -0000	1.115
> +++ sys/netinet6/ip6_var.h	17 Apr 2024 12:58:43 -0000
> @@ -302,6 +302,7 @@ extern uint8_t	ip6_soiikey[IP6_SOIIKEY_L
>  extern const struct pr_usrreqs rip6_usrreqs;
>  
>  struct inpcb;
> +struct ipsec_level;
>  
>  int	icmp6_ctloutput(int, struct socket *, int, int, struct mbuf *);
>  
> @@ -324,7 +325,7 @@ void	ip6_forward(struct mbuf *, struct r
>  
>  void	ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *);
>  int	ip6_output(struct mbuf *, struct ip6_pktopts *, struct route *, int,
> -	    struct ip6_moptions *, const u_char[]);
> +	    struct ip6_moptions *, const struct ipsec_level *);
>  int	ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long);
>  int	ip6_ctloutput(int, struct socket *, int, int, struct mbuf *);
>  int	ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *);
> @@ -376,7 +377,8 @@ u_int32_t ip6_randomflowlabel(void);
>  
>  #ifdef IPSEC
>  struct tdb;
> -int	ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **);
> +int	ip6_output_ipsec_lookup(struct mbuf *, const struct ipsec_level *,
> +	    struct tdb **);
>  int	ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route *,
>  	    int, int);
>  #endif /* IPSEC */
> Index: sys/netinet6/raw_ip6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v
> diff -u -p -r1.183 raw_ip6.c
> --- sys/netinet6/raw_ip6.c	16 Apr 2024 12:40:40 -0000	1.183
> +++ sys/netinet6/raw_ip6.c	17 Apr 2024 12:58:43 -0000
> @@ -521,7 +521,7 @@ rip6_output(struct mbuf *m, struct socke
>  #endif
>  
>  	error = ip6_output(m, optp, &inp->inp_route, flags,
> -	    inp->inp_moptions6, inp->inp_seclevel);
> +	    inp->inp_moptions6, &inp->inp_seclevel);
>  	if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
>  		icmp6stat_inc(icp6s_outhist + type);
>  	} else
> Index: sys/netinet6/udp6_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/udp6_output.c,v
> diff -u -p -r1.64 udp6_output.c
> --- sys/netinet6/udp6_output.c	13 Feb 2024 12:22:09 -0000	1.64
> +++ sys/netinet6/udp6_output.c	17 Apr 2024 12:58:43 -0000
> @@ -233,7 +233,7 @@ udp6_output(struct inpcb *inp, struct mb
>  #endif
>  
>  	error = ip6_output(m, optp, &inp->inp_route,
> -	    flags, inp->inp_moptions6, inp->inp_seclevel);
> +	    flags, inp->inp_moptions6, &inp->inp_seclevel);
>  	goto releaseopt;
>  
>  release:
> Index: usr.bin/netstat/inet.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.bin/netstat/inet.c,v
> diff -u -p -r1.181 inet.c
> --- usr.bin/netstat/inet.c	13 Feb 2024 12:22:09 -0000	1.181
> +++ usr.bin/netstat/inet.c	16 Apr 2024 19:56:43 -0000
> @@ -1489,10 +1489,10 @@ inpcb_dump(u_long off, short protocol, i
>  	printf("ro_dst %s\n ", raddr);
>  	p("%#.8x", inp_flags, "\n ");
>  	p("%d", inp_hops, "\n ");
> -	p("%u", inp_seclevel[0], ", ");
> -	p("%u", inp_seclevel[1], ", ");
> -	p("%u", inp_seclevel[2], ", ");
> -	p("%u", inp_seclevel[3], "\n ");
> +	p("%u", inp_seclevel.sl_auth, ", ");
> +	p("%u", inp_seclevel.sl_esp_trans, ", ");
> +	p("%u", inp_seclevel.sl_esp_network, ", ");
> +	p("%u", inp_seclevel.sl_ipcomp, "\n ");
>  	p("%u", inp_ip_minttl, "\n ");
>  	p("%d", inp_cksum6, "\n ");
>  	pp("%p", inp_icmp6filt, "\n ");
>