Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/sys Fix ipsecif(4) cannot apply input direction packet filte...
details: https://anonhg.NetBSD.org/src/rev/3f7ca45cd802
branches: trunk
changeset: 996039:3f7ca45cd802
user: knakahara <knakahara%NetBSD.org@localhost>
date: Thu Jan 17 02:47:15 2019 +0000
description:
Fix ipsecif(4) cannot apply input direction packet filter. Reviewed by ozaki-r@n.o and ryo@n.o.
Add ATF later.
diffstat:
sys/kern/uipc_mbuf.c | 5 +++--
sys/netinet/ip_input.c | 6 +++---
sys/netinet6/ip6_input.c | 6 +++---
sys/netipsec/ipsec.h | 18 +++++++++++++++++-
sys/netipsec/ipsec_input.c | 20 ++++++++++++++++++--
sys/sys/mbuf.h | 5 +++--
6 files changed, 47 insertions(+), 13 deletions(-)
diffs (179 lines):
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/kern/uipc_mbuf.c
--- a/sys/kern/uipc_mbuf.c Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/kern/uipc_mbuf.c Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $ */
/*
* Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT
#include "opt_mbuftrace.h"
@@ -567,6 +567,7 @@
m->m_pkthdr.csum_data = 0;
m->m_pkthdr.segsz = 0;
m->m_pkthdr.ether_vtag = 0;
+ m->m_pkthdr.pkthdr_flags = 0;
SLIST_INIT(&m->m_pkthdr.tags);
m->m_pkthdr.pattr_class = NULL;
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netinet/ip_input.c Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $ */
+/* $NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $ */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT
#include "opt_inet.h"
@@ -567,7 +567,7 @@
* IPsec (encapsulated, tunnel mode).
*/
#if defined(IPSEC)
- if (!ipsec_used || !ipsec_indone(m))
+ if (!ipsec_used || !ipsec_skip_pfil(m))
#else
if (1)
#endif
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netinet6/ip6_input.c Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $ */
+/* $NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/*
@@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT
#include "opt_gateway.h"
@@ -342,7 +342,7 @@
* IPsec (encapsulated, tunnel mode).
*/
#if defined(IPSEC)
- if (!ipsec_used || !ipsec_indone(m))
+ if (!ipsec_used || !ipsec_skip_pfil(m))
#else
if (1)
#endif
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netipsec/ipsec.h Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.86 2018/11/22 04:48:34 knakahara Exp $ */
+/* $NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $ */
/* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -250,6 +250,22 @@
#define ipsec_outdone(m) \
(m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
+static __inline bool
+ipsec_skip_pfil(struct mbuf *m)
+{
+ bool rv;
+
+ if (ipsec_indone(m) &&
+ ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
+ m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+ rv = true;
+ } else {
+ rv = false;
+ }
+
+ return rv;
+}
+
void ipsec_pcbconn(struct inpcbpolicy *);
void ipsec_pcbdisconn(struct inpcbpolicy *);
void ipsec_invalpcbcacheall(void);
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netipsec/ipsec_input.c Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $ */
/* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $");
/*
* IPsec input processing.
@@ -386,6 +386,14 @@
error = EINVAL;
goto bad;
}
+
+ /*
+ * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+ * so we cannot write filtering rule to the inner packet.
+ */
+ if (saidx->mode == IPSEC_MODE_TUNNEL)
+ m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
(*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
return 0;
@@ -533,6 +541,14 @@
error = EINVAL;
goto bad;
}
+
+ /*
+ * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+ * so we cannot write filtering rule to the inner packet.
+ */
+ if (saidx->mode == IPSEC_MODE_TUNNEL)
+ m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
}
return 0;
diff -r edbf6f49e1df -r 3f7ca45cd802 sys/sys/mbuf.h
--- a/sys/sys/mbuf.h Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/sys/mbuf.h Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mbuf.h,v 1.218 2018/12/27 14:24:11 maxv Exp $ */
+/* $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $ */
/*
* Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@@ -193,7 +193,8 @@
uint32_t csum_data; /* checksum data */
u_int segsz; /* segment size */
uint16_t ether_vtag; /* ethernet 802.1p+q vlan tag */
- uint16_t pad0; /* padding */
+ uint16_t pkthdr_flags; /* flags for pkthdr, see blow */
+#define PKTHDR_FLAG_IPSEC_SKIP_PFIL 0x0001 /* skip pfil_run_hooks() after ipsec decrypt */
/*
* Following three fields are open-coded struct altq_pktattr
Home |
Main Index |
Thread Index |
Old Index