diff --git a/sys/kern/uipc_mbuf.c b/sys/kern/uipc_mbuf.c
index 6e0bc7409602..547970ce9721 100644
--- a/sys/kern/uipc_mbuf.c
+++ b/sys/kern/uipc_mbuf.c
@@ -1,4 +1,4 @@
-/* $NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $ */
+/* $NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $ */
 /*
 * Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -567,6 +567,7 @@ m_gethdr(int how, int type)
 m->m_pkthdr.csum_data = 0;
 m->m_pkthdr.segsz = 0;
 m->m_pkthdr.ether_vtag = 0;
+ m->m_pkthdr.pkthdr_flags = 0;
 SLIST_INIT(&m->m_pkthdr.tags);
 m->m_pkthdr.pattr_class = NULL;
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 6873b49b396c..afdba230836f 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $ */
+/* $NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $ */
 /*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -567,7 +567,7 @@ ip_input(struct mbuf *m)
 * IPsec (encapsulated, tunnel mode).
 */
 #if defined(IPSEC)
- if (!ipsec_used || !ipsec_indone(m))
+ if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
 if (1)
 #endif
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index 91ff415eeebf..8d0fb64af906 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
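Review bot: The new condition in ip_input hides a write to the mbuf inside a predicate: `ipsec_skip_pfil()` clears `PKTHDR_FLAG_IPSEC_SKIP_PFIL` as a side effect, so this `if` both tests and consumes the flag. A short comment at the call site would keep the next reader from treating the call as pure, e.g. `/* ipsec_skip_pfil() consumes PKTHDR_FLAG_IPSEC_SKIP_PFIL; only tunnel-mode inner packets bypass pfil now. */`. The block comment above (only its tail `IPsec (encapsulated, tunnel mode).` is visible) was written for the old `ipsec_indone()` test, under which every IPsec-processed packet bypassed pfil; with the new test transport-mode packets are filtered, so that comment likely needs updating too. The same applies to the identical hunk in sys/netinet6/ip6_input.c. ip_input's body starts and continues outside the hunk.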
@@ -1,4 +1,4 @@
-/* $NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $ */
+/* $NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $ */
 /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
 /*
@@ -62,7 +62,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -342,7 +342,7 @@ ip6_input(struct mbuf *m, struct ifnet *rcvif)
 * IPsec (encapsulated, tunnel mode).
 */
 #if defined(IPSEC)
- if (!ipsec_used || !ipsec_indone(m))
+ if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
 if (1)
 #endif
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index e46e728a8d56..3ea784be3d39 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec.h,v 1.86 2018/11/22 04:48:34 knakahara Exp $ */
+/* $NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $ */
 /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
 /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@@ -250,6 +250,22 @@ extern int crypto_support;
 #define ipsec_outdone(m) \
 (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
+static __inline bool
+ipsec_skip_pfil(struct mbuf *m)
+{
+ bool rv;
+
+ if (ipsec_indone(m) &&
+ ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
+ m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+ rv = true;
+ } else {
+ rv = false;
+ }
+
+ return rv;
+}
+
 void ipsec_pcbconn(struct inpcbpolicy *);
 void ipsec_pcbdisconn(struct inpcbpolicy *);
 void ipsec_invalpcbcacheall(void);
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index e98173b4b483..b8ffdc3921ce 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
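Review bot: `ipsec_skip_pfil()` in ipsec.h evaluates `ipsec_indone(m)` before the flag, so with IPsec enabled every packet that reaches the pfil check pays for what is presumably an `m_tag_find()` walk of the tag chain (the sibling `ipsec_outdone` macro visible above is one) even when `PKTHDR_FLAG_IPSEC_SKIP_PFIL` is clear, which is the common case; swapping the operands keeps the result and short-circuits on the cheap bit test: `if ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0 && ipsec_indone(m)) {`. The function also clears the flag, so it reads like a predicate but consumes state and a second call on the same mbuf returns false; a header comment such as `/* One-shot: true (and flag cleared) iff a tunnel-mode inner packet should bypass pfil_run_hooks(). */` would make that contract explicit for callers. The `rv` temporary and the else branch could be replaced by direct `return true;`/`return false;`, which is purely a matter of style. The inline now dereferences `struct mbuf` fields and uses `PKTHDR_FLAG_IPSEC_SKIP_PFIL`, so it relies on sys/mbuf.h being visible before this point in every includer of ipsec.h; worth confirming.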
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $ */
+/* $NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $ */
 /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@@ -39,7 +39,7 @@
 */
 #include
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $");
 /*
 * IPsec input processing.
@@ -386,6 +386,14 @@ cantpull:
 error = EINVAL;
 goto bad;
 }
+
+ /*
+ * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+ * so we cannot write filtering rule to the inner packet.
+ */
+ if (saidx->mode == IPSEC_MODE_TUNNEL)
+ m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
 (*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
 return 0;
@@ -533,6 +541,14 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
 error = EINVAL;
 goto bad;
 }
+
+ /*
+ * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+ * so we cannot write filtering rule to the inner packet.
+ */
+ if (saidx->mode == IPSEC_MODE_TUNNEL)
+ m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
 nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
 }
 return 0;
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index c8f59f8d5903..53eade314ca7 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $NetBSD: mbuf.h,v 1.218 2018/12/27 14:24:11 maxv Exp $ */
+/* $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $ */
 /*
 * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
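Review bot: The block added before the `pr_input` dispatch in ipsec4_common_input_cb is duplicated verbatim in ipsec6_common_input_cb in the next hunk, comment typo included (`connecttion` should be `connection`); a small static helper taking the mbuf and `saidx` and doing the mode test would keep the two copies in step. The comment explains why a rule cannot be written but not the consequence, which matters to anyone reasoning about the filter boundary: after this change the decapsulated inner packet of a tunnel-mode SA is never seen by pfil, so a line like `* As a result the inner packet bypasses pfil_run_hooks(); filtering must be applied to the outer packet.` would help. Both functions start and end outside their hunks, and `saidx` is declared earlier in each, outside the visible lines.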
@@ -193,7 +193,8 @@ struct pkthdr {
 uint32_t csum_data; /* checksum data */
 u_int segsz; /* segment size */
 uint16_t ether_vtag; /* ethernet 802.1p+q vlan tag */
- uint16_t pad0; /* padding */
+ uint16_t pkthdr_flags; /* flags for pkthdr, see blow */
+#define PKTHDR_FLAG_IPSEC_SKIP_PFIL 0x0001 /* skip pfil_run_hooks() after ipsec decrypt */
 /*
 * Following three fields are open-coded struct altq_pktattr