From: Vitaliy Makkoveev Subject: Re: inpcb struct ipsec_level To: Alexander Bluhm Cc: tech@openbsd.org Date: Wed, 17 Apr 2024 18:46:50 +0300 On Wed, Apr 17, 2024 at 03:08:11PM +0200, Alexander Bluhm wrote: > Hi, > > Instead of passing around u_char[4], introduce struct ipsec_level > that contains 4 ipsec levels. This gives better type safety. > > struct inpcb is globally visible for netstat, so put struct ipsec_level > outside of #ifdef _KERNEL. > > ok? > ok mvs > bluhm >
> Index: sys/netinet/in_pcb.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.c,v
> diff -u -p -r1.300 in_pcb.c
> --- sys/netinet/in_pcb.c 12 Apr 2024 16:07:09 -0000 1.300
> +++ sys/netinet/in_pcb.c 17 Apr 2024 12:58:43 -0000
> @@ -240,10 +240,10 @@ in_pcballoc(struct socket *so, struct in
> inp->inp_socket = so;
> refcnt_init_trace(&inp->inp_refcnt, DT_REFCNT_IDX_INPCB);
> mtx_init(&inp->inp_mtx, IPL_SOFTNET);
> - inp->inp_seclevel[SL_AUTH] = IPSEC_AUTH_LEVEL_DEFAULT;
> - inp->inp_seclevel[SL_ESP_TRANS] = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
> - inp->inp_seclevel[SL_ESP_NETWORK] = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
> - inp->inp_seclevel[SL_IPCOMP] = IPSEC_IPCOMP_LEVEL_DEFAULT;
> + inp->inp_seclevel.sl_auth = IPSEC_AUTH_LEVEL_DEFAULT;
> + inp->inp_seclevel.sl_esp_trans = IPSEC_ESP_TRANS_LEVEL_DEFAULT;
> + inp->inp_seclevel.sl_esp_network = IPSEC_ESP_NETWORK_LEVEL_DEFAULT;
> + inp->inp_seclevel.sl_ipcomp = IPSEC_IPCOMP_LEVEL_DEFAULT;
> inp->inp_rtableid = curproc->p_p->ps_rtableid;
> inp->inp_hops = -1;
> #ifdef INET6
> Index: sys/netinet/in_pcb.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/in_pcb.h,v
> diff -u -p -r1.155 in_pcb.h
> --- sys/netinet/in_pcb.h 15 Apr 2024 18:31:04 -0000 1.155
> +++ sys/netinet/in_pcb.h 17 Apr 2024 12:58:43 -0000
> @@ -166,11 +166,7 @@ struct inpcb {
> } inp_mou;
> #define inp_moptions inp_mou.mou_mo /* [N] IPv4 multicast options */
> #define inp_moptions6 inp_mou.mou_mo6 /* [N] IPv6 multicast options */
> - u_char inp_seclevel[4]; /* [N] IPsec level of socket */
> -#define SL_AUTH 0 /* Authentication level */
> -#define SL_ESP_TRANS 1 /* ESP transport level */
> -#define SL_ESP_NETWORK 2 /* ESP network (encapsulation) level */
> -#define SL_IPCOMP 3 /* Compression level */
> + struct ipsec_level inp_seclevel; /* [N] IPsec level of socket */
> u_char inp_ip_minttl; /* minimum TTL or drop */
> #define inp_ip6_minhlim inp_ip_minttl /* minimum Hop Limit or drop */
> #define inp_flowinfo inp_hu.hu_ipv6.ip6_flow
> Index: sys/netinet/ip_ipsp.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_ipsp.h,v
> diff -u -p -r1.244 ip_ipsp.h
> --- sys/netinet/ip_ipsp.h 26 Nov 2023 22:08:10 -0000 1.244
> +++ sys/netinet/ip_ipsp.h 17 Apr 2024 13:00:40 -0000
> @@ -149,6 +149,13 @@ struct ipsecstat {
> uint64_t ipsec_exctdb; /* TDBs with hardlimit excess */
> };
>
> +struct ipsec_level {
> + u_char sl_auth; /* Authentication level */
> + u_char sl_esp_trans; /* ESP transport level */
> + u_char sl_esp_network; /* ESP network (encapsulation) level */
> + u_char sl_ipcomp; /* Compression level */
> +};
> +
> #ifdef _KERNEL
>
> #include
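Review bot: The new `struct ipsec_level` in the ip_ipsp.h hunk carries no comment saying what it represents or why it is defined before `#ifdef _KERNEL`; the mail explains that it is embedded in `struct inpcb`, which netstat reads, but that constraint is not recorded next to the definition where the next person moving it will look. A short header comment would keep it there, e.g. `/* Per-socket IPsec requirement levels (IPSEC_LEVEL_* values). Embedded in struct inpcb, which netstat reads from the kernel, so it must stay visible outside _KERNEL. */`. It is probably also worth a sentence that the four consecutive `u_char` members keep the size and layout of the `u_char[4]` array they replace, so the inpcb layout seen by userland should be unchanged; I am assuming no padding is introduced, which four adjacent one-byte members should not cause, but it is the kind of thing a reviewer would want stated rather than inferred.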
> @@ -671,7 +678,7 @@ int checkreplaywindow(struct tdb *, u_in
> int ipsp_process_packet(struct mbuf *, struct tdb *, int, int);
> int ipsp_process_done(struct mbuf *, struct tdb *);
> int ipsp_spd_lookup(struct mbuf *, int, int, int, struct tdb *,
> - const u_char[], struct tdb **, struct ipsec_ids *);
> + const struct ipsec_level *, struct tdb **, struct ipsec_ids *);
> int ipsp_is_unspecified(union sockaddr_union);
> int ipsp_aux_match(struct tdb *, struct ipsec_ids *,
> struct sockaddr_encap *, struct sockaddr_encap *);
> Index: sys/netinet/ip_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_output.c,v
> diff -u -p -r1.397 ip_output.c
> --- sys/netinet/ip_output.c 9 Apr 2024 11:05:05 -0000 1.397
> +++ sys/netinet/ip_output.c 17 Apr 2024 12:58:43 -0000
> @@ -84,8 +84,8 @@ void ip_mloopback(struct ifnet *, struct
> static u_int16_t in_cksum_phdr(u_int32_t, u_int32_t, u_int32_t);
> void in_delayed_cksum(struct mbuf *);
>
> -int ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
> - struct tdb **, int ipsecflowinfo);
> +int ip_output_ipsec_lookup(struct mbuf *m, int hlen,
> + const struct ipsec_level *seclevel, struct tdb **, int ipsecflowinfo);
> void ip_output_ipsec_pmtu_update(struct tdb *, struct route *, struct in_addr,
> int, int);
> int ip_output_ipsec_send(struct tdb *, struct mbuf *, struct route *, int);
> @@ -98,7 +98,8 @@ int ip_output_ipsec_send(struct tdb *, s
> */
> int
> ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
> - struct ip_moptions *imo, const u_char seclevel[], u_int32_t ipsecflowinfo)
> + struct ip_moptions *imo, const struct ipsec_level *seclevel,
> + u_int32_t ipsecflowinfo)
> {
> struct ip *ip;
> struct ifnet *ifp = NULL;
> @@ -498,8 +499,8 @@ bad:
>
> #ifdef IPSEC
> int
> -ip_output_ipsec_lookup(struct mbuf *m, int hlen, const u_char seclevel[],
> - struct tdb **tdbout, int ipsecflowinfo)
> +ip_output_ipsec_lookup(struct mbuf *m, int hlen,
> + const struct ipsec_level *seclevel, struct tdb **tdbout, int ipsecflowinfo)
> {
> struct m_tag *mtag;
> struct tdb_ident *tdbi;
> @@ -1019,7 +1020,7 @@ ip_ctloutput(int op, struct socket *so,
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_AUTH] = optval;
> + inp->inp_seclevel.sl_auth = optval;
> break;
>
> case IP_ESP_TRANS_LEVEL:
> @@ -1028,7 +1029,7 @@ ip_ctloutput(int op, struct socket *so,
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_ESP_TRANS] = optval;
> + inp->inp_seclevel.sl_esp_trans = optval;
> break;
>
> case IP_ESP_NETWORK_LEVEL:
> @@ -1037,7 +1038,7 @@ ip_ctloutput(int op, struct socket *so,
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_ESP_NETWORK] = optval;
> + inp->inp_seclevel.sl_esp_network = optval;
> break;
> case IP_IPCOMP_LEVEL:
> if (optval < IPSEC_IPCOMP_LEVEL_DEFAULT &&
> @@ -1045,7 +1046,7 @@ ip_ctloutput(int op, struct socket *so,
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_IPCOMP] = optval;
> + inp->inp_seclevel.sl_ipcomp = optval;
> break;
> }
> #endif
> @@ -1189,18 +1190,18 @@ ip_ctloutput(int op, struct socket *so,
> m->m_len = sizeof(int);
> switch (optname) {
> case IP_AUTH_LEVEL:
> - optval = inp->inp_seclevel[SL_AUTH];
> + optval = inp->inp_seclevel.sl_auth;
> break;
>
> case IP_ESP_TRANS_LEVEL:
> - optval = inp->inp_seclevel[SL_ESP_TRANS];
> + optval = inp->inp_seclevel.sl_esp_trans;
> break;
>
> case IP_ESP_NETWORK_LEVEL:
> - optval = inp->inp_seclevel[SL_ESP_NETWORK];
> + optval = inp->inp_seclevel.sl_esp_network;
> break;
> case IP_IPCOMP_LEVEL:
> - optval = inp->inp_seclevel[SL_IPCOMP];
> + optval = inp->inp_seclevel.sl_ipcomp;
> break;
> }
> *mtod(m, int *) = optval;
> Index: sys/netinet/ip_spd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_spd.c,v
> diff -u -p -r1.119 ip_spd.c
> --- sys/netinet/ip_spd.c 26 Nov 2023 22:08:10 -0000 1.119
> +++ sys/netinet/ip_spd.c 17 Apr 2024 12:58:43 -0000
> @@ -39,8 +39,8 @@
> #include
> #include
>
> -int ipsp_spd_inp(struct mbuf *, const u_char *, struct ipsec_policy *,
> - struct tdb **);
> +int ipsp_spd_inp(struct mbuf *, const struct ipsec_level *,
> + struct ipsec_policy *, struct tdb **);
> int ipsp_acquire_sa(struct ipsec_policy *, union sockaddr_union *,
> union sockaddr_union *, struct sockaddr_encap *, struct mbuf *);
> int ipsp_pending_acquire(struct ipsec_policy *, union sockaddr_union *);
> @@ -153,7 +153,7 @@ spd_table_walk(unsigned int rtableid,
> */
> int
> ipsp_spd_lookup(struct mbuf *m, int af, int hlen, int direction,
> - struct tdb *tdbin, const u_char seclevel[], struct tdb **tdbout,
> + struct tdb *tdbin, const struct ipsec_level *seclevel, struct tdb **tdbout,
> struct ipsec_ids *ipsecflowinfo_ids)
> {
> struct radix_node_head *rnh;
> @@ -178,9 +178,9 @@ ipsp_spd_lookup(struct mbuf *m, int af,
> * If an input packet is destined to a BYPASS socket, just accept it.
> */
> if ((seclevel != NULL) && (direction == IPSP_DIRECTION_IN) &&
> - (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
> - (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
> - (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
> + (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
> + (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
> + (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
> if (tdbout != NULL)
> *tdbout = NULL;
> return 0;
> @@ -385,9 +385,9 @@ ipsp_spd_lookup(struct mbuf *m, int af,
> * option set, skip IPsec processing.
> */
> if ((seclevel != NULL) &&
> - (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS) &&
> - (seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS) &&
> - (seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)) {
> + (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS) &&
> + (seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS) &&
> + (seclevel->sl_auth == IPSEC_LEVEL_BYPASS)) {
> /* Direct match. */
> if (dignore ||
> !memcmp(&sdst, &ipo->ipo_dst, sdst.sa.sa_len)) {
> @@ -904,8 +904,8 @@ ipsp_acquire_sa(struct ipsec_policy *ipo
> * Deal with PCB security requirements.
> */
> int
> -ipsp_spd_inp(struct mbuf *m, const u_char seclevel[], struct ipsec_policy *ipo,
> - struct tdb **tdbout)
> +ipsp_spd_inp(struct mbuf *m, const struct ipsec_level *seclevel,
> + struct ipsec_policy *ipo, struct tdb **tdbout)
> {
> /* Sanity check. */
> if (seclevel == NULL)
> @@ -913,14 +913,14 @@ ipsp_spd_inp(struct mbuf *m, const u_cha
>
> /* We only support IPSEC_LEVEL_BYPASS or IPSEC_LEVEL_AVAIL */
>
> - if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_BYPASS &&
> - seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_BYPASS &&
> - seclevel[SL_AUTH] == IPSEC_LEVEL_BYPASS)
> + if (seclevel->sl_esp_trans == IPSEC_LEVEL_BYPASS &&
> + seclevel->sl_esp_network == IPSEC_LEVEL_BYPASS &&
> + seclevel->sl_auth == IPSEC_LEVEL_BYPASS)
> goto justreturn;
>
> - if (seclevel[SL_ESP_TRANS] == IPSEC_LEVEL_AVAIL &&
> - seclevel[SL_ESP_NETWORK] == IPSEC_LEVEL_AVAIL &&
> - seclevel[SL_AUTH] == IPSEC_LEVEL_AVAIL)
> + if (seclevel->sl_esp_trans == IPSEC_LEVEL_AVAIL &&
> + seclevel->sl_esp_network == IPSEC_LEVEL_AVAIL &&
> + seclevel->sl_auth == IPSEC_LEVEL_AVAIL)
> goto justreturn;
>
> return -EINVAL; /* Silently drop packet. */
> Index: sys/netinet/ip_var.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v
> diff -u -p -r1.116 ip_var.h
> --- sys/netinet/ip_var.h 16 Apr 2024 12:56:39 -0000 1.116
> +++ sys/netinet/ip_var.h 17 Apr 2024 12:58:43 -0000
> @@ -235,6 +235,7 @@ extern struct pool ipqent_pool;
> struct rtentry;
> struct route;
> struct inpcb;
> +struct ipsec_level;
>
> int ip_ctloutput(int, struct socket *, int, int, struct mbuf *);
> int ip_fragment(struct mbuf *, struct mbuf_list *, struct ifnet *, u_long);
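Review bot: The two level checks in ipsp_spd_inp compare only `sl_esp_trans`, `sl_esp_network` and `sl_auth`; `sl_ipcomp` is never consulted, and the same three-of-four pattern appears in the ipsp_spd_lookup BYPASS checks in the hunks at -178 and -385. That was already the case with the array indices, but now that the members are named the omission reads as a deliberate policy decision, and nothing in the code says whether it is. A one-line comment above the first check would settle it, e.g. `/* sl_ipcomp is intentionally not part of the BYPASS/AVAIL decision. */`, or, if that was not intended, the author should say how a socket's IPCOMP level is meant to feed into this decision. ipsp_spd_inp's signature is in the previous hunk and its body continues past this one.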
> @@ -246,7 +247,7 @@ struct mbuf*
> int ip_mforward(struct mbuf *, struct ifnet *);
> int ip_optcopy(struct ip *, struct ip *);
> int ip_output(struct mbuf *, struct mbuf *, struct route *, int,
> - struct ip_moptions *, const u_char[], u_int32_t);
> + struct ip_moptions *, const struct ipsec_level *, u_int32_t);
> u_int16_t
> ip_randomid(void);
> void ip_send(struct mbuf *);
> Index: sys/netinet/raw_ip.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/raw_ip.c,v
> diff -u -p -r1.158 raw_ip.c
> --- sys/netinet/raw_ip.c 12 Apr 2024 12:25:58 -0000 1.158
> +++ sys/netinet/raw_ip.c 17 Apr 2024 12:58:43 -0000
> @@ -332,7 +332,7 @@ rip_output(struct mbuf *m, struct socket
> #endif
>
> error = ip_output(m, inp->inp_options, &inp->inp_route, flags,
> - inp->inp_moptions, inp->inp_seclevel, 0);
> + inp->inp_moptions, &inp->inp_seclevel, 0);
> return (error);
> }
>
> Index: sys/netinet/tcp_input.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_input.c,v
> diff -u -p -r1.404 tcp_input.c
> --- sys/netinet/tcp_input.c 13 Apr 2024 23:44:11 -0000 1.404
> +++ sys/netinet/tcp_input.c 17 Apr 2024 12:58:43 -0000
> @@ -590,7 +590,7 @@ findpcb:
> &tdbi->dst, tdbi->proto);
> }
> error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
> - tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
> + tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
> tdb_unref(tdb);
> if (error) {
> tcpstat_inc(tcps_rcvnosec);
> @@ -3541,8 +3541,7 @@ syn_cache_get(struct sockaddr *src, stru
> * from the old pcb. Ditto for any other
> * IPsec-related information.
> */
> - memcpy(inp->inp_seclevel, oldinp->inp_seclevel,
> - sizeof(oldinp->inp_seclevel));
> + inp->inp_seclevel = oldinp->inp_seclevel;
> #endif /* IPSEC */
> #ifdef INET6
> if (ISSET(inp->inp_flags, INP_IPV6)) {
> @@ -4150,7 +4149,7 @@ syn_cache_respond(struct syn_cache *sc,
>
> error = ip_output(m, sc->sc_ipopts, &sc->sc_route,
> (ip_mtudisc ? IP_MTUDISC : 0), NULL,
> - inp ? inp->inp_seclevel : NULL, 0);
> + inp ? &inp->inp_seclevel : NULL, 0);
> break;
> #ifdef INET6
> case AF_INET6:
> @@ -4161,7 +4160,7 @@ syn_cache_respond(struct syn_cache *sc,
> /* leave flowlabel = 0, it is legal and require no state mgmt */
>
> error = ip6_output(m, NULL /*XXX*/, &sc->sc_route, 0,
> - NULL, inp ? inp->inp_seclevel : NULL);
> + NULL, inp ? &inp->inp_seclevel : NULL);
> break;
> #endif
> }
> Index: sys/netinet/tcp_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_output.c,v
> diff -u -p -r1.143 tcp_output.c
> --- sys/netinet/tcp_output.c 13 Feb 2024 12:22:09 -0000 1.143
> +++ sys/netinet/tcp_output.c 17 Apr 2024 12:58:43 -0000
> @@ -1090,7 +1090,7 @@ send:
> error = ip_output(m, tp->t_inpcb->inp_options,
> &tp->t_inpcb->inp_route,
> (ip_mtudisc ? IP_MTUDISC : 0), NULL,
> - tp->t_inpcb->inp_seclevel, 0);
> + &tp->t_inpcb->inp_seclevel, 0);
> break;
> #ifdef INET6
> case AF_INET6:
> @@ -1110,7 +1110,7 @@ send:
> }
> error = ip6_output(m, tp->t_inpcb->inp_outputopts6,
> &tp->t_inpcb->inp_route, 0, NULL,
> - tp->t_inpcb->inp_seclevel);
> + &tp->t_inpcb->inp_seclevel);
> break;
> #endif /* INET6 */
> }
> Index: sys/netinet/tcp_subr.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/tcp_subr.c,v
> diff -u -p -r1.200 tcp_subr.c
> --- sys/netinet/tcp_subr.c 12 Apr 2024 16:07:09 -0000 1.200
> +++ sys/netinet/tcp_subr.c 17 Apr 2024 12:58:43 -0000
> @@ -406,7 +406,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
> ip6_output(m, tp ? tp->t_inpcb->inp_outputopts6 : NULL,
> tp ? &tp->t_inpcb->inp_route : NULL,
> 0, NULL,
> - tp ? tp->t_inpcb->inp_seclevel : NULL);
> + tp ? &tp->t_inpcb->inp_seclevel : NULL);
> break;
> #endif /* INET6 */
> case AF_INET:
> @@ -416,7 +416,7 @@ tcp_respond(struct tcpcb *tp, caddr_t te
> ip_output(m, NULL,
> tp ? &tp->t_inpcb->inp_route : NULL,
> ip_mtudisc ? IP_MTUDISC : 0, NULL,
> - tp ? tp->t_inpcb->inp_seclevel : NULL, 0);
> + tp ? &tp->t_inpcb->inp_seclevel : NULL, 0);
> break;
> }
> }
> Index: sys/netinet/udp_usrreq.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/udp_usrreq.c,v
> diff -u -p -r1.319 udp_usrreq.c
> --- sys/netinet/udp_usrreq.c 12 Apr 2024 16:07:09 -0000 1.319
> +++ sys/netinet/udp_usrreq.c 17 Apr 2024 12:58:43 -0000
> @@ -562,7 +562,7 @@ udp_input(struct mbuf **mp, int *offp, i
> } else
> tdb = NULL;
> error = ipsp_spd_lookup(m, af, iphlen, IPSP_DIRECTION_IN,
> - tdb, inp ? inp->inp_seclevel : NULL, NULL, NULL);
> + tdb, inp ? &inp->inp_seclevel : NULL, NULL, NULL);
> if (error) {
> udpstat_inc(udps_nosec);
> tdb_unref(tdb);
> @@ -1084,7 +1084,7 @@ udp_output(struct inpcb *inp, struct mbu
>
> error = ip_output(m, inp->inp_options, &inp->inp_route,
> (inp->inp_socket->so_options & SO_BROADCAST), inp->inp_moptions,
> - inp->inp_seclevel, ipsecflowinfo);
> + &inp->inp_seclevel, ipsecflowinfo);
>
> bail:
> m_freem(control);
> Index: sys/netinet6/ip6_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_output.c,v
> diff -u -p -r1.290 ip6_output.c
> --- sys/netinet6/ip6_output.c 16 Apr 2024 12:56:39 -0000 1.290
> +++ sys/netinet6/ip6_output.c 17 Apr 2024 12:58:43 -0000
> @@ -161,7 +161,7 @@ struct idgen32_ctx ip6_id_ctx;
> */
> int
> ip6_output(struct mbuf *m, struct ip6_pktopts *opt, struct route *ro,
> - int flags, struct ip6_moptions *im6o, const u_char seclevel[])
> + int flags, struct ip6_moptions *im6o, const struct ipsec_level *seclevel)
> {
> struct ip6_hdr *ip6;
> struct ifnet *ifp = NULL;
> @@ -1326,7 +1326,7 @@ do { \
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_AUTH] = optval;
> + inp->inp_seclevel.sl_auth = optval;
> break;
>
> case IPV6_ESP_TRANS_LEVEL:
> @@ -1335,7 +1335,7 @@ do { \
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_ESP_TRANS] = optval;
> + inp->inp_seclevel.sl_esp_trans = optval;
> break;
>
> case IPV6_ESP_NETWORK_LEVEL:
> @@ -1344,7 +1344,7 @@ do { \
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_ESP_NETWORK] = optval;
> + inp->inp_seclevel.sl_esp_network = optval;
> break;
>
> case IPV6_IPCOMP_LEVEL:
> @@ -1353,7 +1353,7 @@ do { \
> error = EACCES;
> break;
> }
> - inp->inp_seclevel[SL_IPCOMP] = optval;
> + inp->inp_seclevel.sl_ipcomp = optval;
> break;
> }
> #endif
> @@ -1548,21 +1548,21 @@ do { \
> m->m_len = sizeof(int);
> switch (optname) {
> case IPV6_AUTH_LEVEL:
> - optval = inp->inp_seclevel[SL_AUTH];
> + optval = inp->inp_seclevel.sl_auth;
> break;
>
> case IPV6_ESP_TRANS_LEVEL:
> optval =
> - inp->inp_seclevel[SL_ESP_TRANS];
> + inp->inp_seclevel.sl_esp_trans;
> break;
>
> case IPV6_ESP_NETWORK_LEVEL:
> optval =
> - inp->inp_seclevel[SL_ESP_NETWORK];
> + inp->inp_seclevel.sl_esp_network;
> break;
>
> case IPV6_IPCOMP_LEVEL:
> - optval = inp->inp_seclevel[SL_IPCOMP];
> + optval = inp->inp_seclevel.sl_ipcomp;
> break;
> }
> *mtod(m, int *) = optval;
> @@ -2730,7 +2730,7 @@ in6_proto_cksum_out(struct mbuf *m, stru
>
> #ifdef IPSEC
> int
> -ip6_output_ipsec_lookup(struct mbuf *m, const u_char seclevel[],
> +ip6_output_ipsec_lookup(struct mbuf *m, const struct ipsec_level *seclevel,
> struct tdb **tdbout)
> {
> struct tdb *tdb;
> Index: sys/netinet6/ip6_var.h
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_var.h,v
> diff -u -p -r1.115 ip6_var.h
> --- sys/netinet6/ip6_var.h 16 Apr 2024 12:56:39 -0000 1.115
> +++ sys/netinet6/ip6_var.h 17 Apr 2024 12:58:43 -0000
> @@ -302,6 +302,7 @@ extern uint8_t ip6_soiikey[IP6_SOIIKEY_L
> extern const struct pr_usrreqs rip6_usrreqs;
>
> struct inpcb;
> +struct ipsec_level;
>
> int icmp6_ctloutput(int, struct socket *, int, int, struct mbuf *);
>
> @@ -324,7 +325,7 @@ void ip6_forward(struct mbuf *, struct r
>
> void ip6_mloopback(struct ifnet *, struct mbuf *, struct sockaddr_in6 *);
> int ip6_output(struct mbuf *, struct ip6_pktopts *, struct route *, int,
> - struct ip6_moptions *, const u_char[]);
> + struct ip6_moptions *, const struct ipsec_level *);
> int ip6_fragment(struct mbuf *, struct mbuf_list *, int, u_char, u_long);
> int ip6_ctloutput(int, struct socket *, int, int, struct mbuf *);
> int ip6_raw_ctloutput(int, struct socket *, int, int, struct mbuf *);
> @@ -376,7 +377,8 @@ u_int32_t ip6_randomflowlabel(void);
>
> #ifdef IPSEC
> struct tdb;
> -int ip6_output_ipsec_lookup(struct mbuf *, const u_char[], struct tdb **);
> +int ip6_output_ipsec_lookup(struct mbuf *, const struct ipsec_level *,
> + struct tdb **);
> int ip6_output_ipsec_send(struct tdb *, struct mbuf *, struct route *,
> int, int);
> #endif /* IPSEC */
> Index: sys/netinet6/raw_ip6.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/raw_ip6.c,v
> diff -u -p -r1.183 raw_ip6.c
> --- sys/netinet6/raw_ip6.c 16 Apr 2024 12:40:40 -0000 1.183
> +++ sys/netinet6/raw_ip6.c 17 Apr 2024 12:58:43 -0000
> @@ -521,7 +521,7 @@ rip6_output(struct mbuf *m, struct socke
> #endif
>
> error = ip6_output(m, optp, &inp->inp_route, flags,
> - inp->inp_moptions6, inp->inp_seclevel);
> + inp->inp_moptions6, &inp->inp_seclevel);
> if (so->so_proto->pr_protocol == IPPROTO_ICMPV6) {
> icmp6stat_inc(icp6s_outhist + type);
> } else
> Index: sys/netinet6/udp6_output.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/udp6_output.c,v
> diff -u -p -r1.64 udp6_output.c
> --- sys/netinet6/udp6_output.c 13 Feb 2024 12:22:09 -0000 1.64
> +++ sys/netinet6/udp6_output.c 17 Apr 2024 12:58:43 -0000
> @@ -233,7 +233,7 @@ udp6_output(struct inpcb *inp, struct mb
> #endif
>
> error = ip6_output(m, optp, &inp->inp_route,
> - flags, inp->inp_moptions6, inp->inp_seclevel);
> + flags, inp->inp_moptions6, &inp->inp_seclevel);
> goto releaseopt;
>
> release:
> Index: usr.bin/netstat/inet.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.bin/netstat/inet.c,v
> diff -u -p -r1.181 inet.c
> --- usr.bin/netstat/inet.c 13 Feb 2024 12:22:09 -0000 1.181
> +++ usr.bin/netstat/inet.c 16 Apr 2024 19:56:43 -0000
> @@ -1489,10 +1489,10 @@ inpcb_dump(u_long off, short protocol, i
> printf("ro_dst %s\n ", raddr);
> p("%#.8x", inp_flags, "\n ");
> p("%d", inp_hops, "\n ");
> - p("%u", inp_seclevel[0], ", ");
> - p("%u", inp_seclevel[1], ", ");
> - p("%u", inp_seclevel[2], ", ");
> - p("%u", inp_seclevel[3], "\n ");
> + p("%u", inp_seclevel.sl_auth, ", ");
> + p("%u", inp_seclevel.sl_esp_trans, ", ");
> + p("%u", inp_seclevel.sl_esp_network, ", ");
> + p("%u", inp_seclevel.sl_ipcomp, "\n ");
> p("%u", inp_ip_minttl, "\n ");
> p("%d", inp_cksum6, "\n ");
> pp("%p", inp_icmp6filt, "\n ");
>