On Mon, Nov 13, 2017 at 01:30:43PM +0100, Martin Pieuchot wrote: > This moves all IPsec tunables to netinet/ipsec_input.c without breaking > the "net.inet.ip" sysctl(3) namespace. > > The reason for this move is to properly separate IPsec and IP globals > in order to ease the removal of the NET_LOCK() in these layers. > > ok?
OK bluhm@
> Index: netinet/in.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/in.h,v
> retrieving revision 1.125
> diff -u -p -r1.125 in.h
> --- netinet/in.h 6 Oct 2017 21:14:55 -0000 1.125
> +++ netinet/in.h 13 Nov 2017 12:11:16 -0000
> @@ -745,19 +745,19 @@ struct ip_mreq {
> &ipport_hifirstauto, \
> &ipport_hilastauto, \
> &ip_maxqueue, \
> - &encdebug, \
> + NULL /* encdebug */, \
> NULL, \
> - &ipsec_expire_acquire, \
> - &ipsec_keep_invalid, \
> - &ipsec_require_pfs, \
> - &ipsec_soft_allocations, \
> - &ipsec_exp_allocations, \
> - &ipsec_soft_bytes, \
> - &ipsec_exp_bytes, \
> - &ipsec_exp_timeout, \
> - &ipsec_soft_timeout, \
> - &ipsec_soft_first_use, \
> - &ipsec_exp_first_use, \
> + NULL /* ipsec_expire_acquire */, \
> + NULL /* ipsec_keep_invalid */, \
> + NULL /* ipsec_require_pfs */, \
> + NULL /* ipsec_soft_allocations */, \
> + NULL /* ipsec_exp_allocations */, \
> + NULL /* ipsec_soft_bytes */, \
> + NULL /* ipsec_exp_bytes */, \
> + NULL /* ipsec_exp_timeout */, \
> + NULL /* ipsec_soft_timeout */, \
> + NULL /* ipsec_soft_first_use */, \
> + NULL /* ipsec_exp_first_use */, \
> NULL, \
> NULL, \
> NULL, \
> Index: netinet/ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.331
> diff -u -p -r1.331 ip_input.c
> --- netinet/ip_input.c 10 Nov 2017 08:55:49 -0000 1.331
> +++ netinet/ip_input.c 13 Nov 2017 08:51:37 -0000
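Review bot: The NULL placeholders for slots 12 through 24 of IPCTL_VARS still name live sysctl MIBs, now answered by ipsec_sysctl() when the kernel has option IPSEC, but a reader of in.h alone will take them for retired numbers that are free for reuse; I would put one comment above the first of them, `/* 12-24: IPsec tunables, dispatched to ipsec_sysctl() by ip_sysctl() */`, rather than rely on the per-entry comments. The unchanged NULL between encdebug and ipsec_expire_acquire is what keeps this table index-aligned with the new IPSECCTL_VARS in ip_ipsp.h, so both tables must now be edited together; that is worth saying next to the slots. The enclosing IPCTL_VARS macro starts before this hunk.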
> @@ -84,22 +84,6 @@
> #include <netinet/ip_carp.h>
> #endif
>
> -int encdebug = 0;
> -int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> -int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> -int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> -int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> -int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> -int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> -int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> -int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> -int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> -int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> -int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> -char ipsec_def_enc[20];
> -char ipsec_def_auth[20];
> -char ipsec_def_comp[20];
> -
> /* values controllable via sysctl */
> int ipforwarding = 0;
> int ipmforwarding = 0;
> @@ -211,10 +195,6 @@ ip_init(void)
> for (i = 0; defrootonlyports_udp[i] != 0; i++)
> DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
>
> - strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> - strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> - strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> -
> mq_init(&ipsend_mq, 64, IPL_SOFTNET);
>
> #ifdef IPSEC
> @@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
> ip_mtudisc_timeout);
> NET_UNLOCK();
> return (error);
> +#ifdef IPSEC
> + case IPCTL_ENCDEBUG:
> + case IPCTL_IPSEC_EXPIRE_ACQUIRE:
> + case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
> + case IPCTL_IPSEC_REQUIRE_PFS:
> + case IPCTL_IPSEC_SOFT_ALLOCATIONS:
> + case IPCTL_IPSEC_ALLOCATIONS:
> + case IPCTL_IPSEC_SOFT_BYTES:
> + case IPCTL_IPSEC_BYTES:
> + case IPCTL_IPSEC_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_FIRSTUSE:
> + case IPCTL_IPSEC_FIRSTUSE:
> case IPCTL_IPSEC_ENC_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> - ipsec_def_enc, sizeof(ipsec_def_enc));
> - NET_UNLOCK();
> - return (error);
> case IPCTL_IPSEC_AUTH_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> - ipsec_def_auth,
> - sizeof(ipsec_def_auth));
> - NET_UNLOCK();
> - return (error);
> case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> - ipsec_def_comp, sizeof(ipsec_def_comp));
> - NET_UNLOCK();
> - return (error);
> + return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
> + newlen));
> +#endif
> case IPCTL_IFQUEUE:
> return (sysctl_niq(name + 1, namelen - 1,
> oldp, oldlenp, newp, newlen, &ipintrq));
> Index: netinet/ip_ipsp.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
> retrieving revision 1.186
> diff -u -p -r1.186 ip_ipsp.h
> --- netinet/ip_ipsp.h 8 Nov 2017 16:29:20 -0000 1.186
> +++ netinet/ip_ipsp.h 13 Nov 2017 08:52:18 -0000
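Review bot: Putting the whole case list under `#ifdef IPSEC` changes what a kernel built without IPSEC answers for these names: before this diff the integer tunables were defined unconditionally in ip_input.c and could be read and set, whereas now they fall through to ip_sysctl()'s default path, which (going by the in.h hunk, the default branch itself is outside this hunk) finds a NULL slot and presumably returns EOPNOTSUPP. That is most likely the intended result, but it is user-visible, so it deserves a sentence in the commit message and a comment on the conditional, e.g. `/* IPsec tunables exist only with option IPSEC */`. The case list also has to be kept in sync by hand with IPSECCTL_VARS in ip_ipsp.h: a name added to one but not the other fails silently with EOPNOTSUPP instead of failing to build. ip_sysctl() begins and ends outside this hunk, so I cannot see where namelen is checked before the switch.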
> @@ -424,6 +424,51 @@ extern int ipsec_exp_timeout; /* second
> extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */
> extern int ipsec_exp_first_use; /* seconds between 1st asso & > expire */
>
> +/*
> + * Names for IPsec sysctl objects
> + */
> +#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG > /* 12 */
> +#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */
> +#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
> +#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */
> +#define IPSEC_SOFT_ALLOCATIONS IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */
> +#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */
> +#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */
> +#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */
> +#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT > /* 21 */
> +#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */
> +#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */
> +#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE > /* 24 */
> +#define IPSEC_MAXID 25
> +
> +#define IPSECCTL_VARS { \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + &encdebug, \
> + NULL, \
> + &ipsec_expire_acquire, \
> + &ipsec_keep_invalid, \
> + &ipsec_require_pfs, \
> + &ipsec_soft_allocations, \
> + &ipsec_exp_allocations, \
> + &ipsec_soft_bytes, \
> + &ipsec_exp_bytes, \
> + &ipsec_exp_timeout, \
> + &ipsec_soft_timeout, \
> + &ipsec_soft_first_use, \
> + &ipsec_exp_first_use, \
> +}
> +
> extern char ipsec_def_enc[];
> extern char ipsec_def_auth[];
> extern char ipsec_def_comp[];
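Review bot: The new IPSEC_* aliases (IPSEC_ENCDEBUG through IPSEC_FIRSTUSE) are defined here but nothing in the diff uses them; both ip_sysctl() and ipsec_sysctl() switch on the IPCTL_* names directly, so they are either dead on arrival or reserved for a later step, and the comment should say which, or they should go. IPSECCTL_VARS is indexed by the raw IPCTL_* value, which is why it opens with twelve NULL slots and leaves slot 13 empty; that invariant can only be recovered by counting entries, so I would state it in the comment above the macro: `/* indexed by IPCTL_* value; slots 0-11 and 13 are not IPsec tunables */`. IPSEC_MAXID is 25, one past IPCTL_IPSEC_FIRSTUSE (24) per the trailing comments, which agrees with the 25 entries in the table, but any future addition has to bump all three of the #define, the table and the ip_sysctl() case list together.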
> @@ -549,6 +594,7 @@ struct ipsec_ids *ipsp_ids_lookup(u_int3
> void ipsp_ids_free(struct ipsec_ids *);
>
> void ipsec_init(void);
> +int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
> int ipsec_common_input(struct mbuf *, int, int, int, int, int);
> void ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
> int ipsec_delete_policy(struct ipsec_policy *);
> Index: netinet/ipsec_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
> retrieving revision 1.159
> diff -u -p -r1.159 ipsec_input.c
> --- netinet/ipsec_input.c 8 Nov 2017 16:29:20 -0000 1.159
> +++ netinet/ipsec_input.c 13 Nov 2017 08:51:45 -0000
> @@ -88,6 +88,19 @@ void ipsec_common_ctlinput(u_int, int, s
> #endif
>
> /* sysctl variables */
> +int encdebug = 0;
> +int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> +int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> +int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> +int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> +int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> +int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> +int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> +int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> +int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> +int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> +int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> +
> int esp_enable = 1;
> int ah_enable = 1;
> int ipcomp_enable = 0;
> @@ -100,6 +113,12 @@ struct cpumem *espcounters;
> struct cpumem *ahcounters;
> struct cpumem *ipcompcounters;
>
> +char ipsec_def_enc[20];
> +char ipsec_def_auth[20];
> +char ipsec_def_comp[20];
> +
> +int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;
> +
> int esp_sysctl_espstat(void *, size_t *, void *);
> int ah_sysctl_ahstat(void *, size_t *, void *);
> int ipcomp_sysctl_ipcompstat(void *, size_t *, void *);
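Review bot: `ipsecctl_vars` is given external linkage in the second ipsec_input.c hunk, yet the only consumer visible in this diff is ipsec_sysctl() in the same file, so `static int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;` would keep the table out of the kernel-wide namespace; keep it extern only if another file (IPv6, say) is meant to index it, which nothing here shows. The initializer has no compile-time guard that IPSECCTL_VARS supplies exactly IPSEC_MAXID entries: a shorter list would be silently NULL-padded, and only a longer one fails the build. The three 20-byte ipsec_def_* buffers defined beside it are declared as unsized `char []` in ip_ipsp.h, so the bound is known in this file alone; a short comment, `/* bounded by sizeof() in ipsec_sysctl(); other files see only extern char[] */`, would tell readers where the limit is enforced.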
> @@ -110,6 +129,11 @@ ipsec_init(void)
> espcounters = counters_alloc(esps_ncounters);
> ahcounters = counters_alloc(ahs_ncounters);
> ipcompcounters = counters_alloc(ipcomps_ncounters);
> +
> + strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> + strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> + strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> +
> }
>
> /*
> @@ -609,6 +633,43 @@ ipsec_common_input_cb(struct mbuf *m, st
> /* Call the appropriate IPsec transform callback. */
> ip_deliver(&m, &skip, prot, af);
> #undef IPSEC_ISTAT
> +}
> +
> +int
> +ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void > *newp,
> + size_t newlen)
> +{
> + int error;
> +
> + switch (name[0]) {
> + case IPCTL_IPSEC_ENC_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> + ipsec_def_enc, sizeof(ipsec_def_enc));
> + NET_UNLOCK();
> + return (error);
> + case IPCTL_IPSEC_AUTH_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> + ipsec_def_auth, sizeof(ipsec_def_auth));
> + NET_UNLOCK();
> + return (error);
> + case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> + ipsec_def_comp, sizeof(ipsec_def_comp));
> + NET_UNLOCK();
> + return (error);
> + default:
> + if (name[0] < IPSEC_MAXID) {
> + NET_LOCK();
> + error = sysctl_int_arr(ipsecctl_vars, name, namelen,
> + oldp, oldlenp, newp, newlen);
> + NET_UNLOCK();
> + return (error);
> + }
> + return (EOPNOTSUPP);
> + }
> }
>
> int
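Review bot: The ipsec_init() hunk leaves an empty `+` line between the last strlcpy() and the closing brace, which KNF does not want; drop that blank line so the function ends directly after `strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));`. The move itself keeps the defaults in place only if ipsec_init() still runs before the first sysctl(3) can reach ipsec_sysctl(); the `#ifdef IPSEC` context at the end of the ip_init() hunk suggests it is called from there, but the call is not visible in the diff.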
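Review bot: The default branch of ipsec_sysctl() bounds name[0] only from above (`if (name[0] < IPSEC_MAXID)`), so a negative index would be handed to sysctl_int_arr() and ipsecctl_vars[] unless sysctl_int_arr() rejects it itself, which I cannot see from here. Today the only caller is the ip_sysctl() switch in this diff, which forwards exactly the IPCTL_* values present in the table, so nothing is reachable with a bad index, but the function is now exported through ip_ipsp.h and that precondition is written down nowhere. I would make the guard self-sufficient, `if (name[0] >= 0 && name[0] < IPSEC_MAXID) {`, or at least put a comment above the switch: `/* Reached only from ip_sysctl() with an IPCTL_IPSEC_* name; namelen is presumably checked there. */`. The three sysctl_tstring() cases likewise never look at namelen, so they inherit that check from the caller too.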