Module Name:    src
Committed By:   knakahara
Date:           Thu Jan 17 02:47:15 UTC 2019

Modified Files:
        src/sys/kern: uipc_mbuf.c
        src/sys/netinet: ip_input.c
        src/sys/netinet6: ip6_input.c
        src/sys/netipsec: ipsec.h ipsec_input.c
        src/sys/sys: mbuf.h

Log Message:
Fix ipsecif(4) being unable to apply the input-direction packet filter. Reviewed by
ozaki-r@n.o and ryo@n.o.

Add ATF later.


To generate a diff of this commit:
cvs rdiff -u -r1.231 -r1.232 src/sys/kern/uipc_mbuf.c
cvs rdiff -u -r1.387 -r1.388 src/sys/netinet/ip_input.c
cvs rdiff -u -r1.206 -r1.207 src/sys/netinet6/ip6_input.c
cvs rdiff -u -r1.86 -r1.87 src/sys/netipsec/ipsec.h
cvs rdiff -u -r1.73 -r1.74 src/sys/netipsec/ipsec_input.c
cvs rdiff -u -r1.218 -r1.219 src/sys/sys/mbuf.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.231 src/sys/kern/uipc_mbuf.c:1.232
--- src/sys/kern/uipc_mbuf.c:1.231	Wed Jan 16 01:50:25 2019
+++ src/sys/kern/uipc_mbuf.c	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $	*/
 
 /*
  * Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -567,6 +567,7 @@ m_gethdr(int how, int type)
 	m->m_pkthdr.csum_data = 0;
 	m->m_pkthdr.segsz = 0;
 	m->m_pkthdr.ether_vtag = 0;
+	m->m_pkthdr.pkthdr_flags = 0;
 	SLIST_INIT(&m->m_pkthdr.tags);
 
 	m->m_pkthdr.pattr_class = NULL;
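Review bot: Zeroing `pkthdr_flags` in m_gethdr() only covers freshly allocated headers, while PKTHDR_FLAG_IPSEC_SKIP_PFIL is a transient per-packet marker; if the pkthdr copy/move helpers elsewhere in this file copy `struct pkthdr` wholesale (not visible in this hunk), the marker travels with every copied or duplicated header. Whether a copy of a marked inner packet should also bypass pfil is not stated anywhere in this commit, and I cannot confirm the copy behaviour from here. I would add a one-line comment on the new initializer, e.g. `/* transient IPsec marker; cleared by ipsec_skip_pfil() */`, and state the copy policy at the flag's definition. m_gethdr() starts and ends outside the hunk.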

Index: src/sys/netinet/ip_input.c
diff -u src/sys/netinet/ip_input.c:1.387 src/sys/netinet/ip_input.c:1.388
--- src/sys/netinet/ip_input.c:1.387	Thu Nov 15 10:23:56 2018
+++ src/sys/netinet/ip_input.c	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $	*/
+/*	$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $	*/
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -567,7 +567,7 @@ ip_input(struct mbuf *m)
 	 * IPsec (encapsulated, tunnel mode).
 	 */
 #if defined(IPSEC)
-	if (!ipsec_used || !ipsec_indone(m))
+	if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
 	if (1)
 #endif
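Review bot: The new condition hides a write inside a predicate: `ipsec_skip_pfil()` clears PKTHDR_FLAG_IPSEC_SKIP_PFIL as a side effect, so this `if` must be evaluated exactly once per packet, and the comment above it (only its tail "IPsec (encapsulated, tunnel mode)" is visible here) still describes the old ipsec_indone() rationale. I would extend that comment with `/* ipsec_skip_pfil() consumes the per-packet marker set by the IPsec input path; only the inner packet of a tunnel-mode SA skips pfil_run_hooks() here. */`. Note that the `#else` branch keeps `if (1)`, so the consume-once behaviour exists only under IPSEC, which is fine but worth a word in the same comment. The identical hunk in src/sys/netinet6/ip6_input.c needs the same treatment. ip_input() starts and ends outside the hunk.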

Index: src/sys/netinet6/ip6_input.c
diff -u src/sys/netinet6/ip6_input.c:1.206 src/sys/netinet6/ip6_input.c:1.207
--- src/sys/netinet6/ip6_input.c:1.206	Mon Jan 14 18:51:15 2019
+++ src/sys/netinet6/ip6_input.c	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $	*/
+/*	$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $	*/
 /*	$KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $	*/
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -342,7 +342,7 @@ ip6_input(struct mbuf *m, struct ifnet *
 	 * IPsec (encapsulated, tunnel mode).
 	 */
 #if defined(IPSEC)
-	if (!ipsec_used || !ipsec_indone(m))
+	if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
 	if (1)
 #endif

Index: src/sys/netipsec/ipsec.h
diff -u src/sys/netipsec/ipsec.h:1.86 src/sys/netipsec/ipsec.h:1.87
--- src/sys/netipsec/ipsec.h:1.86	Thu Nov 22 04:48:34 2018
+++ src/sys/netipsec/ipsec.h	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec.h,v 1.86 2018/11/22 04:48:34 knakahara Exp $	*/
+/*	$NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $	*/
 /*	$FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $	*/
 /*	$KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $	*/
 
@@ -250,6 +250,22 @@ extern int crypto_support;
 #define ipsec_outdone(m) \
 	(m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
 
+static __inline bool
+ipsec_skip_pfil(struct mbuf *m)
+{
+	bool rv;
+
+	if (ipsec_indone(m) &&
+	    ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
+		m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+		rv = true;
+	} else {
+		rv = false;
+	}
+
+	return rv;
+}
+
 void ipsec_pcbconn(struct inpcbpolicy *);
 void ipsec_pcbdisconn(struct inpcbpolicy *);
 void ipsec_invalpcbcacheall(void);
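Review bot: `ipsec_skip_pfil()` reads like a pure query but mutates the mbuf (it clears the flag) and carries no comment saying so, so a caller that evaluates it twice, e.g. to log the decision, gets `false` the second time. I would document that it returns true at most once per packet, for a tunnel-mode inner packet marked by the IPsec input path, and clears the marker, and drop the `rv` temporary in favour of a guard clause. The function also requires `ipsec_indone(m)` in addition to the flag; if the flag can only be set after the IPSEC_IN_DONE tag is attached (not visible here) the tag check is redundant, otherwise a packet carrying the flag but no tag is never cleared, which is worth a comment either way.
```c
/*
 * Consume the skip-pfil marker that the IPsec input path sets on the
 * inner packet of a tunnel-mode SA.  Returns true, and clears the
 * marker, at most once per packet.
 */
static __inline bool
ipsec_skip_pfil(struct mbuf *m)
{
	if (!ipsec_indone(m) ||
	    (m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) == 0)
		return false;

	m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
	return true;
}
```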

Index: src/sys/netipsec/ipsec_input.c
diff -u src/sys/netipsec/ipsec_input.c:1.73 src/sys/netipsec/ipsec_input.c:1.74
--- src/sys/netipsec/ipsec_input.c:1.73	Thu Nov 15 10:23:56 2018
+++ src/sys/netipsec/ipsec_input.c	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $	*/
+/*	$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $	*/
 /*	$FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $	*/
 /*	$OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $	*/
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $");
 
 /*
  * IPsec input processing.
@@ -386,6 +386,14 @@ cantpull:
 		error = EINVAL;
 		goto bad;
 	}
+
+	/*
+	 * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+	 * so we cannot write filtering rule to the inner packet.
+	 */
+	if (saidx->mode == IPSEC_MODE_TUNNEL)
+		m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
 	(*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
 	return 0;
 
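Review bot: The added comment misspells `connecttion` and its second clause is awkward, and the same block is pasted verbatim into ipsec6_common_input_cb() in the next hunk, so both copies need the fix. I would write `/* Tunnel-mode inner packets have no struct ifnet, so no pfil rule can match them; mark the packet so ip_input()/ip6_input() skip pfil_run_hooks() for it. */`, which spells out the consequence a reader needs: the decapsulated inner packet is not filtered at all, only the outer AH/ESP packet was. The marker dereferences `saidx` without a check in this hunk; presumably the caller guarantees it is valid, but that is not visible here. The enclosing function starts and ends outside the hunk.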
@@ -533,6 +541,14 @@ ipsec6_common_input_cb(struct mbuf *m, s
 			error = EINVAL;
 			goto bad;
 		}
+
+		/*
+		 * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+		 * so we cannot write filtering rule to the inner packet.
+		 */
+		if (saidx->mode == IPSEC_MODE_TUNNEL)
+			m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
 		nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
 	}
 	return 0;

Index: src/sys/sys/mbuf.h
diff -u src/sys/sys/mbuf.h:1.218 src/sys/sys/mbuf.h:1.219
--- src/sys/sys/mbuf.h:1.218	Thu Dec 27 14:24:11 2018
+++ src/sys/sys/mbuf.h	Thu Jan 17 02:47:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: mbuf.h,v 1.218 2018/12/27 14:24:11 maxv Exp $	*/
+/*	$NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $	*/
 
 /*
  * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@@ -193,7 +193,8 @@ struct pkthdr {
 	uint32_t	csum_data;		/* checksum data */
 	u_int		segsz;			/* segment size */
 	uint16_t	ether_vtag;		/* ethernet 802.1p+q vlan tag */
-	uint16_t	pad0;			/* padding */
+	uint16_t	pkthdr_flags;		/* flags for pkthdr, see blow */
+#define PKTHDR_FLAG_IPSEC_SKIP_PFIL	0x0001	/* skip pfil_run_hooks() after ipsec decrypt */
 
 	/*
 	 * Following three fields are open-coded struct altq_pktattr
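Review bot: The comment on the new field reads `see blow`; it should be `/* flags for pkthdr, see below */`. Since the field replaces padding and is otherwise undocumented, the flag definition should also name its lifecycle, e.g. `/* set by the IPsec input callbacks on the inner packet of a tunnel-mode SA; consumed (cleared) by ipsec_skip_pfil() in ip_input()/ip6_input() */`, so a reader knows the bit is transient and must not be tested twice. struct pkthdr starts and ends outside the hunk.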
