authorbluhm <bluhm@openbsd.org>2017-05-12 14:04:09 +0000
committerbluhm <bluhm@openbsd.org>2017-05-12 14:04:09 +0000
commita0744d339da2751501853f8e584b59cb4d1c9329 (patch)
treefef35192ad08156611b55395f3b313d553606f12
parentMake a kernel with switch(4) but without INET6 compile again. (diff)
Use the IPsec policy check from ipv4_input() also when forwarding
in ip6_input(). While there avoid an ugly #ifdef in ipv4_input(). OK mikeb@
-rw-r--r--sys/netinet/ip_input.c17
-rw-r--r--sys/netinet/ip_var.h3
-rw-r--r--sys/netinet6/ip6_input.c20
3 files changed, 29 insertions, 11 deletions
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 7cee58e8816..0cb0036968c 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.299 2017/05/11 11:36:20 bluhm Exp $ */
+/* $OpenBSD: ip_input.c,v 1.300 2017/05/12 14:04:09 bluhm Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -130,7 +130,6 @@ void ip_ours(struct mbuf *);
int ip_dooptions(struct mbuf *, struct ifnet *);
int in_ouraddr(struct mbuf *, struct ifnet *, struct rtentry **);
#ifdef IPSEC
-int ip_input_ipsec_fwd_check(struct mbuf *, int);
int ip_input_ipsec_ours_check(struct mbuf *, int);
#endif /* IPSEC */
@@ -241,9 +240,6 @@ ipv4_input(struct mbuf *m)
struct rtentry *rt = NULL;
struct ip *ip;
int hlen, len;
-#if defined(MROUTING) || defined(IPSEC)
- int rv;
-#endif
in_addr_t pfrdr = 0;
ifp = if_get(m->m_pkthdr.ph_ifidx);
@@ -377,6 +373,8 @@ ipv4_input(struct mbuf *m)
#ifdef MROUTING
if (ipmforwarding && ip_mrouter[ifp->if_rdomain]) {
+ int rv;
+
if (m->m_flags & M_EXT) {
if ((m = m_pullup(m, hlen)) == NULL) {
ipstat_inc(ips_toosmall);
@@ -444,8 +442,10 @@ ipv4_input(struct mbuf *m)
}
#ifdef IPSEC
if (ipsec_in_use) {
+ int rv;
+
KERNEL_LOCK();
- rv = ip_input_ipsec_fwd_check(m, hlen);
+ rv = ip_input_ipsec_fwd_check(m, hlen, AF_INET);
KERNEL_UNLOCK();
if (rv != 0) {
ipstat_inc(ips_cantforward);
@@ -675,7 +675,7 @@ in_ouraddr(struct mbuf *m, struct ifnet *ifp, struct rtentry **prt)
#ifdef IPSEC
int
-ip_input_ipsec_fwd_check(struct mbuf *m, int hlen)
+ip_input_ipsec_fwd_check(struct mbuf *m, int hlen, int af)
{
struct tdb *tdb;
struct tdb_ident *tdbi;
@@ -692,8 +692,7 @@ ip_input_ipsec_fwd_check(struct mbuf *m, int hlen)
tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto);
} else
tdb = NULL;
- ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL,
- 0);
+ ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0);
return error;
}
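Review bot: The second parameter of ip_input_ipsec_fwd_check keeps the name `hlen` even though, with the new `af` argument, the value is no longer necessarily an IPv4 header length: the IPv6 caller in ip6_input() passes the next-header offset `off`, and the function forwards it unchanged to ipsp_spd_lookup(). Since the prototype is now exported through ip_var.h, the header comment above the definition (outside this hunk, the function starts at the `int` line before `ip_input_ipsec_fwd_check(struct mbuf *m, int hlen, int af)`) should state the contract for both families, e.g. `/* hlen: offset of the upper-layer header from the start of the packet (IPv4 header length, or IPv6 header plus processed extension headers); af: AF_INET or AF_INET6 */`. Renaming the parameter to `off` in the prototype and definition would make the IPv6 use self-explanatory without changing behaviour.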
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index 9a4232f6157..09a2b0dd042 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_var.h,v 1.71 2017/04/14 20:46:31 bluhm Exp $ */
+/* $OpenBSD: ip_var.h,v 1.72 2017/05/12 14:04:09 bluhm Exp $ */
/* $NetBSD: ip_var.h,v 1.16 1996/02/13 23:43:20 christos Exp $ */
/*
@@ -250,6 +250,7 @@ void ip_savecontrol(struct inpcb *, struct mbuf **, struct ip *,
void ipintr(void);
void ipv4_input(struct mbuf *);
void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int);
+int ip_input_ipsec_fwd_check(struct mbuf *, int, int);
int rip_ctloutput(int, struct socket *, int, int, struct mbuf *);
void rip_init(void);
int rip_input(struct mbuf **, int *, int, int);
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 47f422fa7ec..79371e89813 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip6_input.c,v 1.185 2017/05/11 11:36:20 bluhm Exp $ */
+/* $OpenBSD: ip6_input.c,v 1.186 2017/05/12 14:04:09 bluhm Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -470,6 +470,24 @@ ip6_input(struct mbuf *m)
goto out;
}
+#ifdef IPSEC
+ if (ipsec_in_use) {
+ int rv;
+
+ KERNEL_LOCK();
+ rv = ip_input_ipsec_fwd_check(m, off, AF_INET6);
+ KERNEL_UNLOCK();
+ if (rv != 0) {
+ ipstat_inc(ips_cantforward);
+ goto bad;
+ }
+ /*
+ * Fall through, forward packet. Outbound IPsec policy
+ * checking will occur in ip6_forward().
+ */
+ }
+#endif /* IPSEC */
+
ip6_forward(m, rt, srcrt);
if_put(ifp);
return;
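Review bot: The failure branch of the new IPsec forwarding check in ip6_input() increments `ipstat_inc(ips_cantforward)`, which is the IPv4 statistics counter; the other forwarding-failure paths in this file account to the IPv6 counters, so this should be `ip6stat_inc(ip6s_cantforward);`. As written, IPv6 packets dropped by inbound IPsec policy are counted under IPv4 and are invisible to anyone watching the IPv6 counters when diagnosing a forwarding problem or a policy misconfiguration. The copied comment about outbound policy checking happening in ip6_forward() is useful and should stay; ip6_input() continues beyond the hunk, and the `bad` label it jumps to is not visible here, so its cleanup (mbuf and ifp release) is assumed to match the other `goto bad` sites.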