
[src/netbsd-8]: src Pull up following revision(s) (requested by ozaki-r in ti...



details:   https://anonhg.NetBSD.org/src/rev/eb7d31243222
branches:  netbsd-8
changeset: 434394:eb7d31243222
user:      snj <snj%NetBSD.org@localhost>
date:      Fri Nov 17 20:43:10 2017 +0000

description:
Pull up following revision(s) (requested by ozaki-r in ticket #357):
        distrib/sets/lists/debug/mi: 1.228
        distrib/sets/lists/tests/mi: 1.765-1.766
        etc/mtree/NetBSD.dist.tests: 1.149
        sys/net/npf/npf_ctl.c: 1.49
        tests/net/ipsec/Makefile: 1.10
        tests/net/ipsec/algorithms.sh: 1.6
        tests/net/ipsec/natt_terminator.c: 1.1
        tests/net/ipsec/t_ipsec_natt.sh: 1.1
        tests/net/net_common.sh: 1.23-1.24
        usr.sbin/npf/npfctl/npfctl.c: 1.54
Handle esp-udp for NAT-T
--
Fix npfctl reload on rump kernels
It fails because npfctl cannot get an errno when it calls ioctl to the (rump)
kernel; npfctl (libnpf) expects that an errno is returned via proplib,
however, the rump library of npf doesn't do so. It happens because of mishandling
of the complicated npf kernel build options.
PR kern/52643
--
Fix showing translated port (ntohs-ed twice wrongly)
--
Add test cases of NAT-T (transport mode)
A small C program is added to make a special socket (UDP_ENCAP_ESPINUDP)
and keep it to handle UDP-encapsulated ESP packets.
--
Add net/ipsec debug lib directory
--
Add ./usr/libdata/debug/usr/tests/net/ipsec
--
Stop using bpfjit
Because most architectures don't support it and npf still works without it.

diffstat:

 distrib/sets/lists/debug/mi       |    3 +-
 distrib/sets/lists/tests/mi       |    5 +-
 etc/mtree/NetBSD.dist.tests       |    3 +-
 sys/net/npf/npf_ctl.c             |   34 ++-
 tests/net/ipsec/Makefile          |   10 +-
 tests/net/ipsec/algorithms.sh     |    4 +-
 tests/net/ipsec/natt_terminator.c |  108 ++++++++++
 tests/net/ipsec/t_ipsec_natt.sh   |  376 ++++++++++++++++++++++++++++++++++++++
 tests/net/net_common.sh           |   21 ++-
 usr.sbin/npf/npfctl/npfctl.c      |    6 +-
 10 files changed, 549 insertions(+), 21 deletions(-)

diffs (truncated from 728 to 300 lines):

diff -r ce3981670c79 -r eb7d31243222 distrib/sets/lists/debug/mi
--- a/distrib/sets/lists/debug/mi       Fri Nov 17 20:35:57 2017 +0000
+++ b/distrib/sets/lists/debug/mi       Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.216.2.4 2017/10/02 13:21:41 martin Exp $
+# $NetBSD: mi,v 1.216.2.5 2017/11/17 20:43:10 snj Exp $
 ./etc/mtree/set.debug                           comp-sys-root
 ./usr/lib                                      comp-sys-usr            compatdir
 ./usr/lib/i18n/libBIG5_g.a                     comp-c-debuglib         debuglib,compatfile
@@ -2276,6 +2276,7 @@
 ./usr/libdata/debug/usr/tests/net/if/t_compat.debug            tests-net-debug         debug,atf,rump
 ./usr/libdata/debug/usr/tests/net/if_loop/t_pr.debug           tests-net-debug         debug,atf,rump
 ./usr/libdata/debug/usr/tests/net/in_cksum/in_cksum.debug      tests-net-debug         debug,atf,compattestfile
+./usr/libdata/debug/usr/tests/net/ipsec/natt_terminator.debug  tests-net-debug         debug,atf,rump
 ./usr/libdata/debug/usr/tests/net/mcast/mcast.debug            tests-net-debug         debug,atf,rump
 ./usr/libdata/debug/usr/tests/net/mcast/t_mcast.debug          tests-obsolete          debug,atf,rump,obsolete
 ./usr/libdata/debug/usr/tests/net/net/t_pktinfo.debug          tests-net-debug         debug,atf,compattestfile
diff -r ce3981670c79 -r eb7d31243222 distrib/sets/lists/tests/mi
--- a/distrib/sets/lists/tests/mi       Fri Nov 17 20:35:57 2017 +0000
+++ b/distrib/sets/lists/tests/mi       Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.752.2.5 2017/10/24 08:55:55 snj Exp $
+# $NetBSD: mi,v 1.752.2.6 2017/11/17 20:43:10 snj Exp $
 #
 # Note: don't delete entries from here - mark them as "obsolete" instead.
 #
@@ -162,6 +162,7 @@
 ./usr/libdata/debug/usr/tests/net/if                                   tests-net-debug         compattestfile,atf
 ./usr/libdata/debug/usr/tests/net/if_loop                              tests-net-debug         compattestfile,atf
 ./usr/libdata/debug/usr/tests/net/in_cksum                             tests-net-debug         compattestfile,atf
+./usr/libdata/debug/usr/tests/net/ipsec                                        tests-net-debug         compattestfile,atf
 ./usr/libdata/debug/usr/tests/net/mcast                                        tests-net-debug         compattestfile,atf
 ./usr/libdata/debug/usr/tests/net/net                                  tests-net-debug         compattestfile,atf
 ./usr/libdata/debug/usr/tests/net/sys                                  tests-net-debug         compattestfile,atf
@@ -3316,11 +3317,13 @@
 ./usr/tests/net/ipsec                          tests-net-tests         compattestfile,atf
 ./usr/tests/net/ipsec/Atffile                  tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/Kyuafile                 tests-net-tests         atf,rump,kyua
+./usr/tests/net/ipsec/natt_terminator          tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_ah_keys          tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_esp_keys         tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_gif              tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_l2tp             tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_misc             tests-net-tests         atf,rump
+./usr/tests/net/ipsec/t_ipsec_natt             tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_sockopt          tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_sysctl           tests-net-tests         atf,rump
 ./usr/tests/net/ipsec/t_ipsec_tcp              tests-net-tests         atf,rump
diff -r ce3981670c79 -r eb7d31243222 etc/mtree/NetBSD.dist.tests
--- a/etc/mtree/NetBSD.dist.tests       Fri Nov 17 20:35:57 2017 +0000
+++ b/etc/mtree/NetBSD.dist.tests       Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: NetBSD.dist.tests,v 1.147.2.1 2017/07/05 20:01:01 snj Exp $
+#      $NetBSD: NetBSD.dist.tests,v 1.147.2.2 2017/11/17 20:43:11 snj Exp $
 
 ./usr/libdata/debug/usr/tests
 ./usr/libdata/debug/usr/tests/atf
@@ -142,6 +142,7 @@
 ./usr/libdata/debug/usr/tests/net/if
 ./usr/libdata/debug/usr/tests/net/if_loop
 ./usr/libdata/debug/usr/tests/net/in_cksum
+./usr/libdata/debug/usr/tests/net/ipsec
 ./usr/libdata/debug/usr/tests/net/mcast
 ./usr/libdata/debug/usr/tests/net/net
 ./usr/libdata/debug/usr/tests/net/sys
diff -r ce3981670c79 -r eb7d31243222 sys/net/npf/npf_ctl.c
--- a/sys/net/npf/npf_ctl.c     Fri Nov 17 20:35:57 2017 +0000
+++ b/sys/net/npf/npf_ctl.c     Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: npf_ctl.c,v 1.48 2017/05/17 18:56:12 christos Exp $    */
+/*     $NetBSD: npf_ctl.c,v 1.48.2.1 2017/11/17 20:43:11 snj Exp $     */
 
 /*-
  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
@@ -38,7 +38,7 @@
 
 #ifdef _KERNEL
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.48 2017/05/17 18:56:12 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: npf_ctl.c,v 1.48.2.1 2017/11/17 20:43:11 snj Exp $");
 
 #include <sys/param.h>
 #include <sys/conf.h>
@@ -630,15 +630,31 @@
        if (tblset) {
                npf_tableset_destroy(tblset);
        }
-       prop_object_release(npf_dict);
+#if defined(_NPF_TESTING) || defined(_NPF_STANDALONE)
+       /* Free only if allocated by prop_dictionary_copyin_ioctl_size. */
+       if (!npfctl_testing)
+#endif
+               prop_object_release(npf_dict);
 
-       /* Error report. */
-#if !defined(_NPF_TESTING) && !defined(_NPF_STANDALONE)
-       prop_dictionary_set_int32(errdict, "errno", error);
-       prop_dictionary_copyout_ioctl(pref, cmd, errdict);
+       /*
+        * - _NPF_STANDALONE doesn't require to set prop.
+        * - For _NPF_TESTING, if npfctl_testing, setting prop isn't needed,
+        *   otherwise it's needed.
+        */
+#ifndef _NPF_STANDALONE
+#ifdef _NPF_TESTING
+       if (!npfctl_testing) {
+#endif
+               /* Error report. */
+               prop_dictionary_set_int32(errdict, "errno", error);
+               prop_dictionary_copyout_ioctl(pref, cmd, errdict);
+               error = 0;
+#ifdef _NPF_TESTING
+       }
+#endif
+#endif /* _NPF_STANDALONE */
        prop_object_release(errdict);
-       error = 0;
-#endif
+
        return error;
 }
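Review bot: The return value of `prop_dictionary_copyout_ioctl()` in the new error-report block is discarded and `error` is then forced to 0, so if copying the error dictionary out to userspace fails the ioctl still reports success and npfctl never sees the real errno — the same symptom this pull-up is fixing for rump. If that helper returns an errno like the other proplib ioctl helpers (it appears to; confirm), the two lines can become `error = prop_dictionary_copyout_ioctl(pref, cmd, errdict);`. `prop_object_release(errdict)` now also runs unconditionally, including under `_NPF_STANDALONE`, which is only correct if errdict is created on that path too; its allocation and the rest of this function are outside the hunk, as is the declaration of `npfctl_testing`. The nested `#ifndef _NPF_STANDALONE` / `#ifdef _NPF_TESTING` pair is hard to follow; a single `bool report = true;` cleared under `#ifdef _NPF_TESTING` when `npfctl_testing` is set, then one plain `if (report)`, would express the comment's three cases directly.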
 
diff -r ce3981670c79 -r eb7d31243222 tests/net/ipsec/Makefile
--- a/tests/net/ipsec/Makefile  Fri Nov 17 20:35:57 2017 +0000
+++ b/tests/net/ipsec/Makefile  Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.6.2.1 2017/10/21 19:43:55 snj Exp $
+# $NetBSD: Makefile,v 1.6.2.2 2017/11/17 20:43:11 snj Exp $
 #
 
 .include <bsd.own.mk>
@@ -6,11 +6,15 @@
 TESTSDIR=      ${TESTSBASE}/net/ipsec
 
 .for name in ipsec_ah_keys ipsec_esp_keys ipsec_gif ipsec_l2tp ipsec_misc \
-    ipsec_sockopt ipsec_sysctl ipsec_tcp ipsec_transport ipsec_tunnel \
-    ipsec_tunnel_ipcomp ipsec_tunnel_odd
+    ipsec_natt ipsec_sockopt ipsec_sysctl ipsec_tcp ipsec_transport \
+    ipsec_tunnel ipsec_tunnel_ipcomp ipsec_tunnel_odd
 TESTS_SH+=             t_${name}
 TESTS_SH_SRC_t_${name}=        ../net_common.sh ./common.sh ./algorithms.sh \
     t_${name}.sh
 .endfor
 
+PROGS=                 natt_terminator
+MAN.natt_terminator=   # empty
+BINDIR.natt_terminator=        ${TESTSDIR}
+
 .include <bsd.test.mk>
diff -r ce3981670c79 -r eb7d31243222 tests/net/ipsec/algorithms.sh
--- a/tests/net/ipsec/algorithms.sh     Fri Nov 17 20:35:57 2017 +0000
+++ b/tests/net/ipsec/algorithms.sh     Fri Nov 17 20:43:10 2017 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: algorithms.sh,v 1.4.2.1 2017/10/21 19:43:55 snj Exp $
+#      $NetBSD: algorithms.sh,v 1.4.2.2 2017/11/17 20:43:11 snj Exp $
 #
 # Copyright (c) 2017 Internet Initiative Japan Inc.
 # All rights reserved.
@@ -174,7 +174,7 @@
        local keylen=$(get_one_valid_keylen $algo)
        local key=$(generate_key $keylen)
 
-       if [ $proto = esp ]; then
+       if [ $proto = esp -o $proto = "esp-udp" ]; then
                echo "-E $algo $key"
        elif [ $proto = ah ]; then
                echo "-A $algo $key"
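Review bot: The changed test expression leaves `$proto` unquoted and uses the obsolescent `-o` operator, so an empty or unset `$proto` turns the `[` invocation into a syntax error rather than falling through to the later branches. Prefer `if [ "$proto" = esp ] || [ "$proto" = esp-udp ]; then`, which POSIX test(1) defines unambiguously; the `ah` comparison below has the same quoting gap. The enclosing function both begins and ends outside this hunk.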
diff -r ce3981670c79 -r eb7d31243222 tests/net/ipsec/natt_terminator.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/natt_terminator.c Fri Nov 17 20:43:10 2017 +0000
@@ -0,0 +1,108 @@
+/*     $NetBSD: natt_terminator.c,v 1.1.2.2 2017/11/17 20:43:11 snj Exp $      */
+
+/*-
+ * Copyright (c) 2017 Internet Initiative Japan Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <sys/time.h>
+
+#include <netinet/in.h>
+#include <netinet/udp.h>
+
+#include <stdio.h>
+#include <err.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int
+main(int argc, char **argv)
+{
+       struct addrinfo hints;
+       struct addrinfo *res;
+       int s, e;
+       const char *addr, *port;
+       int option;
+
+       if (argc != 3) {
+               fprintf(stderr, "Usage: %s <addr> <port>\n", argv[0]);
+               return 1;
+       }
+
+       addr = argv[1];
+       port = argv[2];
+
+       memset(&hints, 0, sizeof(hints));
+       hints.ai_family = AF_INET;
+       hints.ai_socktype = SOCK_DGRAM;
+       hints.ai_protocol = IPPROTO_UDP;
+       hints.ai_flags = 0;
+
+       e = getaddrinfo(addr, port, &hints, &res);
+       if (e != 0)
+               errx(EXIT_FAILURE, "getaddrinfo failed: %s", gai_strerror(e));
+
+       s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
+       if (s == -1)
+               err(EXIT_FAILURE, "socket");
+
+       /*
+        * Set the option to tell the kernel that the socket can handle
+        * UDP-encapsulated ESP packets for NAT-T.
+        */
+       option = UDP_ENCAP_ESPINUDP;
+       e = setsockopt(s, IPPROTO_UDP, UDP_ENCAP, &option, sizeof(option));
+       if (e == -1)
+               err(EXIT_FAILURE, "setsockopt(UDP_ENCAP)");
+
+       e = bind(s, res->ai_addr, res->ai_addrlen);
+       if (e == -1)
+               err(EXIT_FAILURE, "bind");
+
+       /* Receiving a packet make the NAPT create a mapping. */
+       {
+               char buf[64];
+               struct sockaddr_storage z;
+               socklen_t len = sizeof(z);
+
+               e = recvfrom(s, buf, 64, MSG_PEEK,
+                   (struct sockaddr *)&z, &len);
+               if (e == -1)
+                       err(EXIT_FAILURE, "recvfrom");
+       }
+
+       /*
+        * Keep the socket in the kernel to handle UDP-encapsulated ESP packets.
+        */
+       pause();
+
+       close(s);
+
+       return 0;
+}
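Review bot: `recvfrom()` is called with a literal `64` while the buffer is declared `char buf[64]`; the two must be kept in sync by hand, so pass `sizeof(buf)` instead. The `res` list from `getaddrinfo()` is never released with `freeaddrinfo(res)` after `bind()`; harmless for a process that then sits in `pause()`, but cheap to do and it keeps leak checkers quiet if the program is reused. With no signal handler installed, `pause()` only returns after a handler runs, so under the default dispositions the trailing `close(s); return 0;` is effectively unreachable — a comment such as `/* The test harness is expected to kill this process; close() is never reached. */` would make that intent explicit. Minor: the usage error path returns `1` while every other failure uses `EXIT_FAILURE`.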
diff -r ce3981670c79 -r eb7d31243222 tests/net/ipsec/t_ipsec_natt.sh
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/tests/net/ipsec/t_ipsec_natt.sh   Fri Nov 17 20:43:10 2017 +0000
@@ -0,0 +1,376 @@
+#      $NetBSD: t_ipsec_natt.sh,v 1.1.2.2 2017/11/17 20:43:11 snj Exp $
+#
+# Copyright (c) 2017 Internet Initiative Japan Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR


