Re: Call for testing: IPsec diff (update)

2010-07-09 Thread Reyk Floeter
On Wed, Jul 07, 2010 at 05:26:22PM +, Christian Weisgerber wrote:
 Reyk Floeter r...@openbsd.org wrote:
 
  --- net/if_bridge.c 2 Jul 2010 02:40:16 -   1.181
  +++ net/if_bridge.c 3 Jul 2010 17:22:52 -
  @@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he
   struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
   struct ether_header *, struct mbuf *m);
   #endif
  -intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct 
  mbuf *);
  +intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct 
  mbuf *,
  +struct ether_header *);
 
 (1) I think a number of unrelated changes in if_bridge.c, like the
 one above, snuck in.
 

oh, sorry.  ignore this part.  but i double-checked the diff and the
if_bridge.c part is the only thing that doesn't belong to ipsec rdomains.
 
 (2) Works for me.
 

ok, thanks.

 -- 
 Christian naddy Weisgerber  na...@mips.inka.de



Re: Call for testing: IPsec diff (update)

2010-07-07 Thread Christian Weisgerber
Reyk Floeter r...@openbsd.org wrote:

 --- net/if_bridge.c   2 Jul 2010 02:40:16 -   1.181
 +++ net/if_bridge.c   3 Jul 2010 17:22:52 -
 @@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he
  struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
  struct ether_header *, struct mbuf *m);
  #endif
 -int  bridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *);
 +int  bridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *,
 +struct ether_header *);

(1) I think a number of unrelated changes in if_bridge.c, like the
one above, snuck in.

(2) Works for me.

-- 
Christian naddy Weisgerber  na...@mips.inka.de



Re: Call for testing: IPsec diff (update)

2010-07-03 Thread Reyk Floeter
On Fri, Jul 02, 2010 at 10:49:52PM +0200, Reyk Floeter wrote:
 I need people to test the following IPsec diff on existing setups
 running -current.  This diff will add some cool features for the next
 release but I first need regression testing with plain old setups
 (ipsec.conf with static keying or isakmpd); preferably on IPsec setups that
 are running close to production.  This diff depends on -current and
 my latest changes on enc(4) from earlier this week.
 

here is an updated diff that will apply to -current.

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.181
diff -u -p -r1.181 if_bridge.c
--- net/if_bridge.c 2 Jul 2010 02:40:16 -   1.181
+++ net/if_bridge.c 3 Jul 2010 17:22:52 -
@@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he
 struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *,
 struct ether_header *, struct mbuf *m);
 #endif
-intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *);
+intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *,
+struct ether_header *);
 void   bridge_fragment(struct bridge_softc *, struct ifnet *,
 struct ether_header *, struct mbuf *);
 #ifdef INET
@@ -1143,7 +1144,7 @@ bridge_output(struct ifnet *ifp, struct 
mc = m1;
}
 
-   error = bridge_ifenqueue(sc, dst_if, mc);
+   error = bridge_ifenqueue(sc, dst_if, mc, eh);
if (error)
continue;
}
@@ -1160,7 +1161,7 @@ sendunicast:
splx(s);
return (ENETDOWN);
}
-   bridge_ifenqueue(sc, dst_if, m);
+   bridge_ifenqueue(sc, dst_if, m, eh);
splx(s);
return (0);
 }
@@ -1372,7 +1373,7 @@ bridgeintr_frame(struct bridge_softc *sc
bridge_fragment(sc, dst_if, eh, m);
else {
s = splnet();
-   bridge_ifenqueue(sc, dst_if, m);
+   bridge_ifenqueue(sc, dst_if, m, eh);
splx(s);
}
 }
@@ -1665,7 +1666,7 @@ bridge_broadcast(struct bridge_softc *sc
if ((len - ETHER_HDR_LEN)  dst_if-if_mtu)
bridge_fragment(sc, dst_if, eh, mc);
else {
-   bridge_ifenqueue(sc, dst_if, mc);
+   bridge_ifenqueue(sc, dst_if, mc, eh);
}
}
 
@@ -1757,7 +1758,7 @@ bridge_span(struct bridge_softc *sc, str
continue;
}
 
-   error = bridge_ifenqueue(sc, ifp, mc);
+   error = bridge_ifenqueue(sc, ifp, mc, eh);
if (error)
continue;
}
@@ -2402,7 +2403,7 @@ bridge_ipsec(struct bridge_softc *sc, st
 
s = spltdb();
 
-   tdb = gettdb(spi, dst, proto);
+   tdb = gettdb(ifp-if_rdomain, spi, dst, proto);
if (tdb != NULL  (tdb-tdb_flags  TDBF_INVALID) == 0 
tdb-tdb_xform != NULL) {
if (tdb-tdb_first_use == 0) {
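Review bot: The new first argument on the `tdb = gettdb(ifp->if_rdomain, spi, dst, proto);` line is the check that stops a frame arriving in one routing domain from matching an SA installed in another, yet nothing in bridge_ipsec() says so; a comment such as `/* SAs are scoped per rdomain: only match TDBs of the rdomain the frame was received in */` above the lookup would record the intent (I am assuming ifp is the receiving interface, which the hunk does not show). The two hunks that follow pick the enc(4) interface for pf with `enc_getif(tdb->tdb_rdomain, ...)` rather than `ifp->if_rdomain`; if gettdb() only returns TDBs of the rdomain it was given the two are presumably equal, otherwise the pf ruleset consulted can belong to a different rdomain than the receiving interface, and a short comment stating which is intended would help. bridge_ipsec() starts and ends outside the hunk. The same three hunks appear again in the original posting of this diff further down the page.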
@@ -2457,7 +2458,7 @@ bridge_ipsec(struct bridge_softc *sc, st
switch (af) {
 #ifdef INET
case AF_INET:
-   if ((encif = enc_getif(0,
+   if ((encif = enc_getif(tdb-tdb_rdomain,
tdb-tdb_tap)) == NULL ||
pf_test(dir, encif,
m, NULL) != PF_PASS) {
@@ -2468,7 +2469,7 @@ bridge_ipsec(struct bridge_softc *sc, st
 #endif /* INET */
 #ifdef INET6
case AF_INET6:
-   if ((encif = enc_getif(0,
+   if ((encif = enc_getif(tdb-tdb_rdomain,
tdb-tdb_tap)) == NULL ||
pf_test6(dir, encif,
m, NULL) != PF_PASS) {
@@ -2720,7 +2721,7 @@ bridge_fragment(struct bridge_softc *sc,
if ((ifp-if_capabilities  IFCAP_VLAN_MTU) 
(len - sizeof(struct ether_vlan_header) = ifp-if_mtu)) {
s = splnet();
-   bridge_ifenqueue(sc, ifp, m);
+   bridge_ifenqueue(sc, ifp, m, eh);
splx(s);
return;
}
@@ -2790,7 +2791,7 @@ bridge_fragment(struct bridge_softc *sc,
}
bcopy(eh, mtod(m, caddr_t), sizeof(*eh));
s = splnet();
-   error = bridge_ifenqueue(sc, ifp, m);
+   error = bridge_ifenqueue(sc, ifp, m, eh);
if (error) {
splx(s);
   

Call for testing: IPsec diff

2010-07-02 Thread Reyk Floeter
Hi!

I need people to test the following IPsec diff on existing setups
running -current.  This diff will add some cool features for the next
release but I first need regression testing with plain old setups
(ipsec.conf with static keying or isakmpd); preferably on IPsec setups that
are running close to production.  This diff depends on -current and
my latest changes on enc(4) from earlier this week.

reyk

Index: net/if_bridge.c
===
RCS file: /cvs/src/sys/net/if_bridge.c,v
retrieving revision 1.181
diff -u -p -r1.181 if_bridge.c
--- net/if_bridge.c 2 Jul 2010 02:40:16 -   1.181
+++ net/if_bridge.c 2 Jul 2010 20:22:04 -
@@ -2402,7 +2402,7 @@ bridge_ipsec(struct bridge_softc *sc, st
 
s = spltdb();
 
-   tdb = gettdb(spi, dst, proto);
+   tdb = gettdb(ifp-if_rdomain, spi, dst, proto);
if (tdb != NULL  (tdb-tdb_flags  TDBF_INVALID) == 0 
tdb-tdb_xform != NULL) {
if (tdb-tdb_first_use == 0) {
@@ -2457,7 +2457,7 @@ bridge_ipsec(struct bridge_softc *sc, st
switch (af) {
 #ifdef INET
case AF_INET:
-   if ((encif = enc_getif(0,
+   if ((encif = enc_getif(tdb-tdb_rdomain,
tdb-tdb_tap)) == NULL ||
pf_test(dir, encif,
m, NULL) != PF_PASS) {
@@ -2468,7 +2468,7 @@ bridge_ipsec(struct bridge_softc *sc, st
 #endif /* INET */
 #ifdef INET6
case AF_INET6:
-   if ((encif = enc_getif(0,
+   if ((encif = enc_getif(tdb-tdb_rdomain,
tdb-tdb_tap)) == NULL ||
pf_test6(dir, encif,
m, NULL) != PF_PASS) {
Index: net/if_pfsync.c
===
RCS file: /cvs/src/sys/net/if_pfsync.c,v
retrieving revision 1.147
diff -u -p -r1.147 if_pfsync.c
--- net/if_pfsync.c 24 May 2010 02:11:04 -  1.147
+++ net/if_pfsync.c 2 Jul 2010 20:22:05 -
@@ -1239,7 +1239,7 @@ pfsync_update_net_tdb(struct pfsync_tdb 
goto bad;
 
s = spltdb();
-   tdb = gettdb(pt-spi, pt-dst, pt-sproto);
+   tdb = gettdb(ntohs(pt-rdomain), pt-spi, pt-dst, pt-sproto);
if (tdb) {
pt-rpl = ntohl(pt-rpl);
pt-cur_bytes = betoh64(pt-cur_bytes);
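Review bot: `ntohs(pt->rdomain)` on the new gettdb() line comes straight from a pfsync message received off the network, and this hunk shows no check that the value names an existing routing domain before it is used as a lookup key. Unless gettdb() itself rejects unknown rdomains, a peer sending a bogus value, or an older peer whose two former padding bytes were not zeroed, would at best miss and at worst address a table for an rdomain that was never created; a guard such as `if (!rtable_exists(ntohs(pt->rdomain))) goto bad;` ahead of the lookup, using the `goto bad` path already visible at the top of the hunk, would keep the wire value from reaching the TDB tables unchecked. The validation that precedes this hunk is outside its lines, so it may already cover this; pfsync_update_net_tdb() starts and ends outside the hunk.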
@@ -2162,6 +2162,7 @@ pfsync_out_tdb(struct tdb *t, void *buf)
RPL_INCR : 0));
ut-cur_bytes = htobe64(t-tdb_cur_bytes);
ut-sproto = t-tdb_sproto;
+   ut-rdomain = htons(t-tdb_rdomain);
 }
 
 void
Index: net/if_pfsync.h
===
RCS file: /cvs/src/sys/net/if_pfsync.h,v
retrieving revision 1.42
diff -u -p -r1.42 if_pfsync.h
--- net/if_pfsync.h 12 Jan 2010 23:38:02 -  1.42
+++ net/if_pfsync.h 2 Jul 2010 20:22:05 -
@@ -216,7 +216,7 @@ struct pfsync_tdb {
u_int64_t   cur_bytes;
u_int8_tsproto;
u_int8_tupdates;
-   u_int8_t_pad[2];
+   u_int16_t   rdomain;
 } __packed;
 
 /*
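Review bot: The new `u_int16_t rdomain;` member takes over two bytes of a `__packed` wire structure that were previously padding, and the hunk leaves it undocumented; since the peer fills it with htons() and the receiver reads it with ntohs(), a comment on the field such as `/* routing domain of the SA, network byte order; was _pad[2] */` would pin the encoding down. It would also be worth stating, presumably in the header, that a zero value (what an older peer that zeroed its padding sends) means rdomain 0, and whether the pfsync protocol version should change now that the byte layout carries meaning; neither is visible in this hunk.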
Index: net/pfkeyv2.c
===
RCS file: /cvs/src/sys/net/pfkeyv2.c,v
retrieving revision 1.120
diff -u -p -r1.120 pfkeyv2.c
--- net/pfkeyv2.c   1 Jul 2010 02:09:45 -   1.120
+++ net/pfkeyv2.c   2 Jul 2010 20:22:05 -
@@ -159,6 +159,12 @@ pfkeyv2_create(struct socket *socket)
pfkeyv2_socket-socket = socket;
pfkeyv2_socket-pid = curproc-p_pid;
 
+   /*
+* XXX we should get this from the socket instead but
+* XXX rawcb doesn't store the rdomain like inpcb does.
+*/
+   pfkeyv2_socket-rdomain = rtable_l2(curproc-p_p-ps_rdomain);
+
pfkeyv2_sockets = pfkeyv2_socket;
 
return (0);
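Review bot: The rdomain stored on the new `pfkeyv2_socket->rdomain = rtable_l2(curproc->p_p->ps_rdomain);` line is captured once, from the process calling pfkeyv2_create(), and nothing in the hunk updates it later; the XXX comment explains where the value comes from but not that it is fixed for the socket's lifetime. Since the promiscuous-delivery filter added later in this diff compares against this field, the comment could add a line like `* The rdomain is fixed at socket creation and does not follow later changes of the owning process.` so the consequence for descriptors that outlive that state is explicit; whether that is the intended behaviour I cannot tell from here. pfkeyv2_create() starts outside the hunk.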
@@ -201,7 +207,7 @@ pfkeyv2_release(struct socket *socket)
  */
 int
 pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket,
-u_int8_t satype, int count)
+u_int8_t satype, int count, u_int rdomain)
 {
int i, j, rval;
void *p, *buffer = NULL;
@@ -272,7 +278,8 @@ pfkeyv2_sendmessage(void **headers, int 
 */
for (s = pfkeyv2_sockets; s; s = s-next)
if ((s-flags  PFKEYV2_SOCKETFLAGS_PROMISC) 
-   (s-socket != socket))
+   (s-socket != socket) 
+   (s-rdomain == rdomain))
pfkey_sendup(s-socket, packet, 1);
 
/* Done, let's be a bit paranoid */
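Review bot: The added `(s->rdomain == rdomain)` condition is what keeps a promiscuous PF_KEY socket in one routing domain from receiving SA messages, and the keying material they carry, for another routing domain, but nothing in the hunk records that intent; the comment whose closing `*/` opens the hunk presumably describes the promiscuous copy, so extending it with a sentence like `Only sockets in the same rdomain as the SA may observe it.` would document the security property next to the check. The other delivery paths in this function should apply the same filter; the next hunk, whose `@@ -286,7 +293,8 @@` header is the last line shown, is cut off, so I cannot tell whether it does. pfkeyv2_sendmessage() starts and ends outside the hunk.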
@@ -286,7 +293,8 @@ pfkeyv2_sendmessage(void **headers, 

Re: Call for testing: IPsec diff

2010-07-02 Thread Reyk Floeter
Hi,

updating one side should be enough.

reyk

On Sat, Jul 03, 2010 at 01:15:50AM +0400, Vadim Zhukov wrote:
 2010/7/3 Reyk Floeter r...@openbsd.org:
  Hi!
 
  I need people to test the following IPsec diff on existing setups
  running -current.  This diff will add some cool features for the next
  release but I first need regression testing with plain old setups
  (ipsec.conf with static keying or isakmpd); preferably on IPsec setups that
  are running close to production.  This diff depends on -current and
  my latest changes on enc(4) from earlier this week.
 
 Hi. Possibly stupid question: does this change require updating both
 sides? I assume no but want to be on the safe side. I have a few IPSec
 tunnels set up that are not used that much now, so I can experiment
 freely, but only on my own side.
 
 --
   WBR,
   Vadim Zhukov