Re: Call for testing: IPsec diff (update)
On Wed, Jul 07, 2010 at 05:26:22PM +, Christian Weisgerber wrote: Reyk Floeter r...@openbsd.org wrote: --- net/if_bridge.c 2 Jul 2010 02:40:16 - 1.181 +++ net/if_bridge.c 3 Jul 2010 17:22:52 - @@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, struct ether_header *, struct mbuf *m); #endif -intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *); +intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *, +struct ether_header *); (1) I think a number of unrelated changes in if_bridge.c, like the one above, snuck in. oh, sorry. ignore this part. but i double-checked the diff and the if_bridge.c part is the only thing that doesn't belong to ipsec rdomains. (2) Works for me. ok, thanks. -- Christian naddy Weisgerber na...@mips.inka.de
Re: Call for testing: IPsec diff (update)
Reyk Floeter r...@openbsd.org wrote: --- net/if_bridge.c 2 Jul 2010 02:40:16 - 1.181 +++ net/if_bridge.c 3 Jul 2010 17:22:52 - @@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, struct ether_header *, struct mbuf *m); #endif -int bridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *); +int bridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *, +struct ether_header *); (1) I think a number of unrelated changes in if_bridge.c, like the one above, snuck in. (2) Works for me. -- Christian naddy Weisgerber na...@mips.inka.de
Re: Call for testing: IPsec diff (update)
On Fri, Jul 02, 2010 at 10:49:52PM +0200, Reyk Floeter wrote: I need people to test the following IPsec diff on existing setups running -current. This diff will add some cool features for the next release but I first need regression testing with plain old setups (ipsec.conf with static keying or isakmpd); preferrably on IPsecs that are running closely to production. This diff depends on -current and my latest changes on enc(4) from earlier this week. here is an updated diff that will apply to -current. Index: net/if_bridge.c === RCS file: /cvs/src/sys/net/if_bridge.c,v retrieving revision 1.181 diff -u -p -r1.181 if_bridge.c --- net/if_bridge.c 2 Jul 2010 02:40:16 - 1.181 +++ net/if_bridge.c 3 Jul 2010 17:22:52 - @@ -152,7 +152,8 @@ u_int8_t bridge_filterrule(struct brl_he struct mbuf *bridge_filter(struct bridge_softc *, int, struct ifnet *, struct ether_header *, struct mbuf *m); #endif -intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *); +intbridge_ifenqueue(struct bridge_softc *, struct ifnet *, struct mbuf *, +struct ether_header *); void bridge_fragment(struct bridge_softc *, struct ifnet *, struct ether_header *, struct mbuf *); #ifdef INET @@ -1143,7 +1144,7 @@ bridge_output(struct ifnet *ifp, struct mc = m1; } - error = bridge_ifenqueue(sc, dst_if, mc); + error = bridge_ifenqueue(sc, dst_if, mc, eh); if (error) continue; } @@ -1160,7 +1161,7 @@ sendunicast: splx(s); return (ENETDOWN); } - bridge_ifenqueue(sc, dst_if, m); + bridge_ifenqueue(sc, dst_if, m, eh); splx(s); return (0); } @@ -1372,7 +1373,7 @@ bridgeintr_frame(struct bridge_softc *sc bridge_fragment(sc, dst_if, eh, m); else { s = splnet(); - bridge_ifenqueue(sc, dst_if, m); + bridge_ifenqueue(sc, dst_if, m, eh); splx(s); } } @@ -1665,7 +1666,7 @@ bridge_broadcast(struct bridge_softc *sc if ((len - ETHER_HDR_LEN) dst_if-if_mtu) bridge_fragment(sc, dst_if, eh, mc); else { - bridge_ifenqueue(sc, dst_if, mc); + bridge_ifenqueue(sc, dst_if, mc, eh); } } 
@@ -1757,7 +1758,7 @@ bridge_span(struct bridge_softc *sc, str continue; } - error = bridge_ifenqueue(sc, ifp, mc); + error = bridge_ifenqueue(sc, ifp, mc, eh); if (error) continue; } @@ -2402,7 +2403,7 @@ bridge_ipsec(struct bridge_softc *sc, st s = spltdb(); - tdb = gettdb(spi, dst, proto); + tdb = gettdb(ifp-if_rdomain, spi, dst, proto); if (tdb != NULL (tdb-tdb_flags TDBF_INVALID) == 0 tdb-tdb_xform != NULL) { if (tdb-tdb_first_use == 0) { @@ -2457,7 +2458,7 @@ bridge_ipsec(struct bridge_softc *sc, st switch (af) { #ifdef INET case AF_INET: - if ((encif = enc_getif(0, + if ((encif = enc_getif(tdb-tdb_rdomain, tdb-tdb_tap)) == NULL || pf_test(dir, encif, m, NULL) != PF_PASS) { @@ -2468,7 +2469,7 @@ bridge_ipsec(struct bridge_softc *sc, st #endif /* INET */ #ifdef INET6 case AF_INET6: - if ((encif = enc_getif(0, + if ((encif = enc_getif(tdb-tdb_rdomain, tdb-tdb_tap)) == NULL || pf_test6(dir, encif, m, NULL) != PF_PASS) { @@ -2720,7 +2721,7 @@ bridge_fragment(struct bridge_softc *sc, if ((ifp-if_capabilities IFCAP_VLAN_MTU) (len - sizeof(struct ether_vlan_header) = ifp-if_mtu)) { s = splnet(); - bridge_ifenqueue(sc, ifp, m); + bridge_ifenqueue(sc, ifp, m, eh); splx(s); return; } @@ -2790,7 +2791,7 @@ bridge_fragment(struct bridge_softc *sc, } bcopy(eh, mtod(m, caddr_t), sizeof(*eh)); s = splnet(); - error = bridge_ifenqueue(sc, ifp, m); + error = bridge_ifenqueue(sc, ifp, m, eh); if (error) { splx(s);
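Review bot: In the bridge_ipsec() hunk at @@ -2402 the SA is looked up with the receiving member interface's `ifp->if_rdomain`, while the two enc_getif() hunks that follow pick the enc(4) interface handed to pf with `tdb->tdb_rdomain`. Those two keys agree only if gettdb() never returns a TDB outside the routing domain it was asked for, and nothing in these hunks states that; a one-line comment at the lookup, e.g. `/* SA lookup is scoped to the receiving member's rdomain */`, would make the expectation explicit. bridge_ipsec() begins and ends outside these hunks, so what the function does when the rdomain-scoped lookup misses cannot be seen here. The same three hunks appear again in the original posting of this diff further down the page.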
Call for testing: IPsec diff
Hi! I need people to test the following IPsec diff on existing setups running -current. This diff will add some cool features for the next release but I first need regression testing with plain old setups (ipsec.conf with static keying or isakmpd); preferrably on IPsecs that are running closely to production. This diff depends on -current and my latest changes on enc(4) from earlier this week. reyk Index: net/if_bridge.c === RCS file: /cvs/src/sys/net/if_bridge.c,v retrieving revision 1.181 diff -u -p -r1.181 if_bridge.c --- net/if_bridge.c 2 Jul 2010 02:40:16 - 1.181 +++ net/if_bridge.c 2 Jul 2010 20:22:04 - @@ -2402,7 +2402,7 @@ bridge_ipsec(struct bridge_softc *sc, st s = spltdb(); - tdb = gettdb(spi, dst, proto); + tdb = gettdb(ifp-if_rdomain, spi, dst, proto); if (tdb != NULL (tdb-tdb_flags TDBF_INVALID) == 0 tdb-tdb_xform != NULL) { if (tdb-tdb_first_use == 0) { @@ -2457,7 +2457,7 @@ bridge_ipsec(struct bridge_softc *sc, st switch (af) { #ifdef INET case AF_INET: - if ((encif = enc_getif(0, + if ((encif = enc_getif(tdb-tdb_rdomain, tdb-tdb_tap)) == NULL || pf_test(dir, encif, m, NULL) != PF_PASS) { @@ -2468,7 +2468,7 @@ bridge_ipsec(struct bridge_softc *sc, st #endif /* INET */ #ifdef INET6 case AF_INET6: - if ((encif = enc_getif(0, + if ((encif = enc_getif(tdb-tdb_rdomain, tdb-tdb_tap)) == NULL || pf_test6(dir, encif, m, NULL) != PF_PASS) { Index: net/if_pfsync.c === RCS file: /cvs/src/sys/net/if_pfsync.c,v retrieving revision 1.147 diff -u -p -r1.147 if_pfsync.c --- net/if_pfsync.c 24 May 2010 02:11:04 - 1.147 +++ net/if_pfsync.c 2 Jul 2010 20:22:05 - @@ -1239,7 +1239,7 @@ pfsync_update_net_tdb(struct pfsync_tdb goto bad; s = spltdb(); - tdb = gettdb(pt-spi, pt-dst, pt-sproto); + tdb = gettdb(ntohs(pt-rdomain), pt-spi, pt-dst, pt-sproto); if (tdb) { pt-rpl = ntohl(pt-rpl); pt-cur_bytes = betoh64(pt-cur_bytes); 
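Review bot: In the if_pfsync.c hunk at @@ -1239 the rdomain passed to gettdb() is taken straight from the received pfsync record (`ntohs(pt->rdomain)`), a field this diff introduces in struct pfsync_tdb in place of the former `_pad[2]`. Nothing in the hunk bounds that value, so the lookup trusts the pfsync peer to name a routing domain that exists on this host; if gettdb() does more with the rdomain than hash on it, a range check before the lookup would be prudent, and if it only hashes, a short comment saying the peer-supplied value is unchecked because a miss is harmless would spare the next reader the question. A peer still running the previous struct layout sends zeroed padding here, which this code reads as rdomain 0 — presumably the intended default, but worth stating in a comment. pfsync_update_net_tdb() starts before the hunk.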
@@ -2162,6 +2162,7 @@ pfsync_out_tdb(struct tdb *t, void *buf) RPL_INCR : 0)); ut-cur_bytes = htobe64(t-tdb_cur_bytes); ut-sproto = t-tdb_sproto; + ut-rdomain = htons(t-tdb_rdomain); } void Index: net/if_pfsync.h === RCS file: /cvs/src/sys/net/if_pfsync.h,v retrieving revision 1.42 diff -u -p -r1.42 if_pfsync.h --- net/if_pfsync.h 12 Jan 2010 23:38:02 - 1.42 +++ net/if_pfsync.h 2 Jul 2010 20:22:05 - @@ -216,7 +216,7 @@ struct pfsync_tdb { u_int64_t cur_bytes; u_int8_tsproto; u_int8_tupdates; - u_int8_t_pad[2]; + u_int16_t rdomain; } __packed; /* Index: net/pfkeyv2.c === RCS file: /cvs/src/sys/net/pfkeyv2.c,v retrieving revision 1.120 diff -u -p -r1.120 pfkeyv2.c --- net/pfkeyv2.c 1 Jul 2010 02:09:45 - 1.120 +++ net/pfkeyv2.c 2 Jul 2010 20:22:05 - @@ -159,6 +159,12 @@ pfkeyv2_create(struct socket *socket) pfkeyv2_socket-socket = socket; pfkeyv2_socket-pid = curproc-p_pid; + /* +* XXX we should get this from the socket instead but +* XXX rawcb doesn't store the rdomain like inpcb does. +*/ + pfkeyv2_socket-rdomain = rtable_l2(curproc-p_p-ps_rdomain); + pfkeyv2_sockets = pfkeyv2_socket; return (0); @@ -201,7 +207,7 @@ pfkeyv2_release(struct socket *socket) */ int pfkeyv2_sendmessage(void **headers, int mode, struct socket *socket, -u_int8_t satype, int count) +u_int8_t satype, int count, u_int rdomain) { int i, j, rval; void *p, *buffer = NULL; @@ -272,7 +278,8 @@ pfkeyv2_sendmessage(void **headers, int */ for (s = pfkeyv2_sockets; s; s = s-next) if ((s-flags PFKEYV2_SOCKETFLAGS_PROMISC) - (s-socket != socket)) + (s-socket != socket) + (s-rdomain == rdomain)) pfkey_sendup(s-socket, packet, 1); /* Done, let's be a bit paranoid */ @@ -286,7 +293,8 @@ pfkeyv2_sendmessage(void **headers,
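Review bot: The new `(s->rdomain == rdomain)` test in the PROMISC loop of pfkeyv2_sendmessage() (hunk @@ -272) changes what promiscuous PF_KEY listeners observe: they now receive SA messages only for their own routing domain, which is an isolation property worth stating in the code rather than leaving implicit. Suggest a comment above the loop, `/* Promiscuous listeners only see messages for their own rdomain. */`. As far as this diff shows, a socket's rdomain is assigned once in pfkeyv2_create() from the creating process (hunk @@ -159, whose XXX note already records why), so a descriptor later used from another rdomain keeps the creation-time value; that is fine if intended, but it belongs in the same comment. The hunk at @@ -286 is cut off at the end of the message, so the remaining send paths that take the new `rdomain` parameter could not be reviewed.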
Re: Call for testing: IPsec diff
Hi, updating one side should be enough. reyk On Sat, Jul 03, 2010 at 01:15:50AM +0400, Vadim Zhukov wrote: 2010/7/3 Reyk Floeter r...@openbsd.org: Hi! I need people to test the following IPsec diff on existing setups running -current. This diff will add some cool features for the next release but I first need regression testing with plain old setups (ipsec.conf with static keying or isakmpd); preferably on IPsec setups that are running close to production. This diff depends on -current and my latest changes on enc(4) from earlier this week. Hi. Possibly stupid question: does this change require updating both sides? I assume not, but I want to be on the safe side. I have a few IPsec tunnels set up that are not used that much now, so I can experiment freely, but only on my own side. -- WBR, Vadim Zhukov