Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/sys Fix ipsecif(4) IPV6_MINMTU does not work correctly.



details:   https://anonhg.NetBSD.org/src/rev/1642f4429d3a
branches:  trunk
changeset: 1004529:1642f4429d3a
user:      knakahara <knakahara%NetBSD.org@localhost>
date:      Fri Nov 01 04:23:21 2019 +0000

description:
Fix ipsecif(4) IPV6_MINMTU does not work correctly.

diffstat:

 sys/netinet6/ip6_forward.c  |   6 +++---
 sys/netinet6/ip6_output.c   |   6 +++---
 sys/netipsec/ipsec.h        |   4 ++--
 sys/netipsec/ipsec6.h       |   4 ++--
 sys/netipsec/ipsec_output.c |  26 +++++++++++++-------------
 sys/netipsec/xform.h        |   5 +++--
 sys/netipsec/xform_ah.c     |  12 +++++++-----
 sys/netipsec/xform_esp.c    |  12 +++++++-----
 sys/netipsec/xform_ipcomp.c |  14 ++++++++------
 sys/netipsec/xform_ipip.c   |   6 +++---
 sys/netipsec/xform_tcp.c    |   6 +++---
 11 files changed, 54 insertions(+), 47 deletions(-)

diffs (truncated from 471 to 300 lines):

diff -r 5a876247989b -r 1642f4429d3a sys/netinet6/ip6_forward.c
--- a/sys/netinet6/ip6_forward.c        Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netinet6/ip6_forward.c        Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_forward.c,v 1.97 2019/09/19 04:08:29 ozaki-r Exp $ */
+/*     $NetBSD: ip6_forward.c,v 1.98 2019/11/01 04:23:21 knakahara Exp $       */
 /*     $KAME: ip6_forward.c,v 1.109 2002/09/11 08:10:17 sakane Exp $   */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.97 2019/09/19 04:08:29 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_forward.c,v 1.98 2019/11/01 04:23:21 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -261,7 +261,7 @@
         */
        if (needipsec) {
                int s = splsoftnet();
-               error = ipsec6_process_packet(m, sp->req);
+               error = ipsec6_process_packet(m, sp->req, 0);
                splx(s);
                /* m is freed */
                if (mcopy)
diff -r 5a876247989b -r 1642f4429d3a sys/netinet6/ip6_output.c
--- a/sys/netinet6/ip6_output.c Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netinet6/ip6_output.c Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_output.c,v 1.220 2019/05/15 02:59:18 ozaki-r Exp $ */
+/*     $NetBSD: ip6_output.c,v 1.221 2019/11/01 04:23:21 knakahara Exp $       */
 /*     $KAME: ip6_output.c,v 1.172 2001/03/25 09:55:56 itojun Exp $    */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.220 2019/05/15 02:59:18 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_output.c,v 1.221 2019/11/01 04:23:21 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -477,7 +477,7 @@
 #ifdef IPSEC
        if (needipsec) {
                int s = splsoftnet();
-               error = ipsec6_process_packet(m, sp->req);
+               error = ipsec6_process_packet(m, sp->req, flags);
                splx(s);
 
                /*
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/ipsec.h      Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.88 2019/06/12 22:23:50 christos Exp $      */
+/*     $NetBSD: ipsec.h,v 1.89 2019/11/01 04:23:21 knakahara Exp $     */
 /*     $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -318,7 +318,7 @@
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec4_process_packet(struct mbuf *, const struct ipsecrequest *, u_long *);
 int ipsec_process_done(struct mbuf *, const struct ipsecrequest *,
-    struct secasvar *);
+    struct secasvar *, int);
 
 struct mbuf *m_clone(struct mbuf *);
 struct mbuf *m_makespace(struct mbuf *, int, int, int *);
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/ipsec6.h
--- a/sys/netipsec/ipsec6.h     Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/ipsec6.h     Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec6.h,v 1.29 2018/05/14 17:34:26 maxv Exp $ */
+/*     $NetBSD: ipsec6.h,v 1.30 2019/11/01 04:23:21 knakahara Exp $    */
 /*     $FreeBSD: ipsec6.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $      */
 /*     $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $  */
 
@@ -59,7 +59,7 @@
 struct m_tag;
 int ipsec6_common_input(struct mbuf **, int *, int);
 int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
-int ipsec6_process_packet(struct mbuf *, const struct ipsecrequest *);
+int ipsec6_process_packet(struct mbuf *, const struct ipsecrequest *, int);
 #endif /*_KERNEL*/
 
 #endif /* !_NETIPSEC_IPSEC6_H_ */
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c       Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/ipsec_output.c       Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_output.c,v 1.83 2019/09/19 04:08:30 ozaki-r Exp $        */
+/*     $NetBSD: ipsec_output.c,v 1.84 2019/11/01 04:23:21 knakahara Exp $      */
 
 /*
  * Copyright (c) 2002, 2003 Sam Leffler, Errno Consulting
@@ -29,7 +29,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.83 2019/09/19 04:08:30 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_output.c,v 1.84 2019/11/01 04:23:21 knakahara Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -105,7 +105,7 @@
 }
 
 static int
-ipsec_reinject_ipstack(struct mbuf *m, int af)
+ipsec_reinject_ipstack(struct mbuf *m, int af, int flags)
 {
        int rv = -1;
        struct route *ro;
@@ -127,7 +127,7 @@
                 * We don't need massage, IPv6 header fields are always in
                 * net endian.
                 */
-               rv = ip6_output(m, NULL, ro, 0, NULL, NULL, NULL);
+               rv = ip6_output(m, NULL, ro, flags, NULL, NULL, NULL);
                break;
 #endif
        }
@@ -139,7 +139,7 @@
 
 int
 ipsec_process_done(struct mbuf *m, const struct ipsecrequest *isr,
-    struct secasvar *sav)
+    struct secasvar *sav, int flags)
 {
        struct secasindex *saidx;
        int error;
@@ -259,7 +259,7 @@
 #endif
 #ifdef INET6
                case AF_INET6:
-                       return ipsec6_process_packet(m, isr->next);
+                       return ipsec6_process_packet(m, isr->next, flags);
 #endif
                default:
                        IPSECLOG(LOG_DEBUG, "unknown protocol family %u\n",
@@ -278,7 +278,7 @@
        if (ipsec_register_done(m, &error) < 0)
                goto bad;
 
-       return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family);
+       return ipsec_reinject_ipstack(m, saidx->dst.sa.sa_family, flags);
 
 bad:
        m_freem(m);
@@ -507,7 +507,7 @@
                                goto bad;
 
                        splx(s);
-                       return ipsec_reinject_ipstack(m, AF_INET);
+                       return ipsec_reinject_ipstack(m, AF_INET, 0);
                }
        }
        KASSERT(sav != NULL);
@@ -628,9 +628,9 @@
                        i = sizeof(struct ip6_hdr);
                        off = offsetof(struct ip6_hdr, ip6_nxt);
                }
-               error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off);
+               error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off, 0);
        } else {
-               error = ipsec_process_done(m, isr, sav);
+               error = ipsec_process_done(m, isr, sav, 0);
        }
        KEY_SA_UNREF(&sav);
        splx(s);
@@ -734,7 +734,7 @@
 }
 
 int
-ipsec6_process_packet(struct mbuf *m, const struct ipsecrequest *isr)
+ipsec6_process_packet(struct mbuf *m, const struct ipsecrequest *isr, int flags)
 {
        struct secasvar *sav = NULL;
        struct ip6_hdr *ip6;
@@ -757,7 +757,7 @@
                                goto bad;
 
                        splx(s);
-                       return ipsec_reinject_ipstack(m, AF_INET6);
+                       return ipsec_reinject_ipstack(m, AF_INET6, flags);
                }
        }
 
@@ -821,7 +821,7 @@
                if (error)
                        goto unrefsav;
        }
-       error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off);
+       error = (*sav->tdb_xform->xf_output)(m, isr, sav, i, off, flags);
        KEY_SA_UNREF(&sav);
        splx(s);
        return error;
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/xform.h
--- a/sys/netipsec/xform.h      Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/xform.h      Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform.h,v 1.20 2018/05/30 17:17:11 maxv Exp $  */
+/*     $NetBSD: xform.h,v 1.21 2019/11/01 04:23:21 knakahara Exp $     */
 /*     $FreeBSD: xform.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $       */
 /*     $OpenBSD: ip_ipsp.h,v 1.119 2002/03/14 01:27:11 millert Exp $   */
 /*
@@ -58,6 +58,7 @@
        u_int8_t                tc_nxt;         /* next protocol, e.g. IPV4 */
        int                     tc_protoff;     /* current protocol offset */
        int                     tc_skip;        /* data offset */
+       int                     tc_flags;       /* outer protocol flags, e.g. IPV6_MINMTU */
        struct secasvar         *tc_sav;        /* ipsec SA */
 };
 
@@ -79,7 +80,7 @@
        int (*xf_zeroize)(struct secasvar *);
        int (*xf_input)(struct mbuf *, struct secasvar *, int, int);
        int (*xf_output)(struct mbuf *, const struct ipsecrequest *,
-           struct secasvar *, int, int);
+           struct secasvar *, int, int, int);
        struct xformsw *xf_next;        /* list of registered xforms */
 };
 
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/xform_ah.c
--- a/sys/netipsec/xform_ah.c   Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/xform_ah.c   Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_ah.c,v 1.108 2019/06/12 22:23:50 christos Exp $  */
+/*     $NetBSD: xform_ah.c,v 1.109 2019/11/01 04:23:21 knakahara Exp $ */
 /*     $FreeBSD: xform_ah.c,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $    */
 /*     $OpenBSD: ip_ah.c,v 1.63 2001/06/26 06:18:58 angelos Exp $ */
 /*
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.108 2019/06/12 22:23:50 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ah.c,v 1.109 2019/11/01 04:23:21 knakahara Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -891,7 +891,7 @@
  */
 static int
 ah_output(struct mbuf *m, const struct ipsecrequest *isr, struct secasvar *sav,
-    int skip, int protoff)
+    int skip, int protoff, int flags)
 {
        char buf[IPSEC_ADDRSTRLEN];
        const struct auth_hash *ahx;
@@ -1114,6 +1114,7 @@
        tc->tc_proto = sav->sah->saidx.proto;
        tc->tc_skip = skip;
        tc->tc_protoff = protoff;
+       tc->tc_flags = flags;
        tc->tc_sav = sav;
 
        return crypto_dispatch(crp);
@@ -1143,7 +1144,7 @@
        struct secasvar *sav;
        struct mbuf *m;
        void *ptr;
-       int err;
+       int err, flags;
        size_t size;
        bool pool_used;
        IPSEC_DECLARE_LOCK_VARIABLE;
@@ -1185,6 +1186,7 @@
         */
        m_copyback(m, 0, skip, ptr);
 
+       flags = tc->tc_flags;
        /* No longer needed. */
        if (__predict_true(pool_used))
                pool_cache_put(ah_tdb_crypto_pool_cache, tc);
@@ -1207,7 +1209,7 @@
 #endif
 
        /* NB: m is reclaimed by ipsec_process_done. */
-       err = ipsec_process_done(m, isr, sav);
+       err = ipsec_process_done(m, isr, sav, flags);
        KEY_SA_UNREF(&sav);
        KEY_SP_UNREF(&isr->sp);
        IPSEC_RELEASE_GLOBAL_LOCKS();
diff -r 5a876247989b -r 1642f4429d3a sys/netipsec/xform_esp.c
--- a/sys/netipsec/xform_esp.c  Fri Nov 01 02:58:50 2019 +0000
+++ b/sys/netipsec/xform_esp.c  Fri Nov 01 04:23:21 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: xform_esp.c,v 1.98 2019/06/12 22:23:50 christos Exp $  */
+/*     $NetBSD: xform_esp.c,v 1.99 2019/11/01 04:23:21 knakahara Exp $ */
 /*     $FreeBSD: xform_esp.c,v 1.2.2.1 2003/01/24 05:11:36 sam Exp $   */
 /*     $OpenBSD: ip_esp.c,v 1.69 2001/06/26 06:18:59 angelos Exp $ */
 
@@ -39,7 +39,7 @@
  */
 



Home | Main Index | Thread Index | Old Index