On Thu, May 11, 2017 at 13:11 +0200, Alexander Bluhm wrote: > Hi, > > ipv4_input() checks the IPsec policy for forwarding and local > delivery. Such code is missing in IPv6, the behavior is different. > > Start using the forwarding check also in ip6_input(). While there > avoid an ugly #ifdef in ipv4_input(). > > ok? >
Maybe we should move ip_input_ipsec_fwd_check into the ipsec_input.c and give it a better name like ipsec_forward_check? This function doesn't do any IPv4 or IPv6 specific dances anyways. But I agree with you in principle. > bluhm > > Index: netinet/ip_input.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_input.c,v > retrieving revision 1.298 > diff -u -p -r1.298 ip_input.c > --- netinet/ip_input.c 19 Apr 2017 15:21:54 -0000 1.298 > +++ netinet/ip_input.c 10 May 2017 23:55:42 -0000 > @@ -130,7 +130,6 @@ void ip_ours(struct mbuf *); > int ip_dooptions(struct mbuf *, struct ifnet *); > int in_ouraddr(struct mbuf *, struct ifnet *, struct rtentry **); > #ifdef IPSEC > -int ip_input_ipsec_fwd_check(struct mbuf *, int); > int ip_input_ipsec_ours_check(struct mbuf *, int); > #endif /* IPSEC */ > > @@ -241,9 +240,6 @@ ipv4_input(struct mbuf *m) > struct rtentry *rt = NULL; > struct ip *ip; > int hlen, len; > -#if defined(MROUTING) || defined(IPSEC) > - int rv; > -#endif > in_addr_t pfrdr = 0; > > ifp = if_get(m->m_pkthdr.ph_ifidx); > @@ -377,6 +373,8 @@ ipv4_input(struct mbuf *m) > > #ifdef MROUTING > if (ipmforwarding && ip_mrouter[ifp->if_rdomain]) { > + int rv; > + > if (m->m_flags & M_EXT) { > if ((m = m_pullup(m, hlen)) == NULL) { > ipstat_inc(ips_toosmall); > @@ -444,8 +442,10 @@ ipv4_input(struct mbuf *m) > } > #ifdef IPSEC > if (ipsec_in_use) { > + int rv; > + > KERNEL_LOCK(); > - rv = ip_input_ipsec_fwd_check(m, hlen); > + rv = ip_input_ipsec_fwd_check(m, hlen, AF_INET); > KERNEL_UNLOCK(); > if (rv != 0) { > ipstat_inc(ips_cantforward); > @@ -675,7 +675,7 @@ in_ouraddr(struct mbuf *m, struct ifnet > > #ifdef IPSEC > int > -ip_input_ipsec_fwd_check(struct mbuf *m, int hlen) > +ip_input_ipsec_fwd_check(struct mbuf *m, int hlen, int af) > { > struct tdb *tdb; > struct tdb_ident *tdbi; > @@ -692,8 +692,7 @@ ip_input_ipsec_fwd_check(struct mbuf *m, > tdb = gettdb(tdbi->rdomain, tdbi->spi, &tdbi->dst, tdbi->proto); > } else > tdb = NULL; > - ipsp_spd_lookup(m, AF_INET, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, > - 0); > + ipsp_spd_lookup(m, af, hlen, &error, IPSP_DIRECTION_IN, tdb, NULL, 0); > > return error; > } > Index: netinet/ip_var.h > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet/ip_var.h,v > retrieving revision 1.71 > diff -u -p -r1.71 ip_var.h > --- netinet/ip_var.h 14 Apr 2017 20:46:31 -0000 1.71 > +++ netinet/ip_var.h 10 May 2017 23:12:25 -0000 > @@ -250,6 +250,7 @@ void ip_savecontrol(struct inpcb *, str > void ipintr(void); > void ipv4_input(struct mbuf *); > void ip_forward(struct mbuf *, struct ifnet *, struct rtentry *, int); > +int ip_input_ipsec_fwd_check(struct mbuf *, int, int); > int rip_ctloutput(int, struct socket *, int, int, struct mbuf *); > void rip_init(void); > int rip_input(struct mbuf **, int *, int, int); > Index: netinet6/ip6_input.c > =================================================================== > RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/ip6_input.c,v > retrieving revision 1.184 > diff -u -p -r1.184 ip6_input.c > --- netinet6/ip6_input.c 8 May 2017 08:46:39 -0000 1.184 > +++ netinet6/ip6_input.c 10 May 2017 23:21:00 -0000 > @@ -470,6 +470,24 @@ ip6_input(struct mbuf *m) > goto out; > } > > +#ifdef IPSEC > + if (ipsec_in_use) { > + int rv; > + > + KERNEL_LOCK(); > + rv = ip_input_ipsec_fwd_check(m, off, AF_INET6); > + KERNEL_UNLOCK(); > + if (rv != 0) { > + ipstat_inc(ips_cantforward); > + goto bad; > + } > + /* > + * Fall through, forward packet. Outbound IPsec policy > + * checking will occur in ip6_forward(). > + */ > + } > +#endif /* IPSEC */ > + > ip6_forward(m, rt, srcrt); > if_put(ifp); > return; >