Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix ipsecif(4) cannot apply input direction packet filter. Reviewed by ozaki-r@n.o and ryo@n.o. 

Add ATF later.
This commit is contained in:
knakahara 2019-01-17 02:47:15 +00:00
parent 4bfe81d9d9
commit e2f99c2d1d
6 changed files with 47 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/kern/uipc_mbuf.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $ */ /* $NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $ */
/* /*
* Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc. * Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@ -62,7 +62,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $"); __KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT #ifdef _KERNEL_OPT
#include "opt_mbuftrace.h" #include "opt_mbuftrace.h"
@ -567,6 +567,7 @@ m_gethdr(int how, int type)
m->m_pkthdr.csum_data = 0; m->m_pkthdr.csum_data = 0;
m->m_pkthdr.segsz = 0; m->m_pkthdr.segsz = 0;
m->m_pkthdr.ether_vtag = 0; m->m_pkthdr.ether_vtag = 0;
m->m_pkthdr.pkthdr_flags = 0;
SLIST_INIT(&m->m_pkthdr.tags); SLIST_INIT(&m->m_pkthdr.tags);
m->m_pkthdr.pattr_class = NULL; m->m_pkthdr.pattr_class = NULL;

6
sys/netinet/ip_input.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $ */ /* $NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $ */
/* /*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@ -91,7 +91,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT #ifdef _KERNEL_OPT
#include "opt_inet.h" #include "opt_inet.h"
@ -567,7 +567,7 @@ ip_input(struct mbuf *m)
* IPsec (encapsulated, tunnel mode). * IPsec (encapsulated, tunnel mode).
*/ */
#if defined(IPSEC) #if defined(IPSEC)
if (!ipsec_used || !ipsec_indone(m)) if (!ipsec_used || !ipsec_skip_pfil(m))
#else #else
if (1) if (1)
#endif #endif

6
sys/netinet6/ip6_input.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $ */ /* $NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $ */
/* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */
/* /*
@ -62,7 +62,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $"); __KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $");
#ifdef _KERNEL_OPT #ifdef _KERNEL_OPT
#include "opt_gateway.h" #include "opt_gateway.h"
@ -342,7 +342,7 @@ ip6_input(struct mbuf *m, struct ifnet *rcvif)
* IPsec (encapsulated, tunnel mode). * IPsec (encapsulated, tunnel mode).
*/ */
#if defined(IPSEC) #if defined(IPSEC)
if (!ipsec_used || !ipsec_indone(m)) if (!ipsec_used || !ipsec_skip_pfil(m))
#else #else
if (1) if (1)
#endif #endif

18
sys/netipsec/ipsec.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec.h,v 1.86 2018/11/22 04:48:34 knakahara Exp $ */ /* $NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $ */
/* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /* $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
@ -250,6 +250,22 @@ extern int crypto_support;
#define ipsec_outdone(m) \ #define ipsec_outdone(m) \
(m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL) (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
static __inline bool
ipsec_skip_pfil(struct mbuf *m)
{
bool rv;
if (ipsec_indone(m) &&
((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
rv = true;
} else {
rv = false;
}
return rv;
}
void ipsec_pcbconn(struct inpcbpolicy *); void ipsec_pcbconn(struct inpcbpolicy *);
void ipsec_pcbdisconn(struct inpcbpolicy *); void ipsec_pcbdisconn(struct inpcbpolicy *);
void ipsec_invalpcbcacheall(void); void ipsec_invalpcbcacheall(void);

20
sys/netipsec/ipsec_input.c
View File

@ -1,4 +1,4 @@
/* $NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $ */ /* $NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $ */
/* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */ /* $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
/* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */ /* $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $ */
@ -39,7 +39,7 @@
*/ */
#include <sys/cdefs.h> #include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $"); __KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $");
/* /*
* IPsec input processing. * IPsec input processing.
@ -386,6 +386,14 @@ cantpull:
error = EINVAL; error = EINVAL;
goto bad; goto bad;
} }
/*
* There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
* so we cannot write filtering rule to the inner packet.
*/
if (saidx->mode == IPSEC_MODE_TUNNEL)
m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
(*inetsw[ip_protox[prot]].pr_input)(m, skip, prot); (*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
return 0; return 0;
@ -533,6 +541,14 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip,
error = EINVAL; error = EINVAL;
goto bad; goto bad;
} }
/*
* There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
* so we cannot write filtering rule to the inner packet.
*/
if (saidx->mode == IPSEC_MODE_TUNNEL)
m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt); nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
} }
return 0; return 0;

5
sys/sys/mbuf.h
View File

@ -1,4 +1,4 @@
/* $NetBSD: mbuf.h,v 1.218 2018/12/27 14:24:11 maxv Exp $ */ /* $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $ */
/* /*
* Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc. * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@ -193,7 +193,8 @@ struct pkthdr {
uint32_t csum_data; /* checksum data */ uint32_t csum_data; /* checksum data */
u_int segsz; /* segment size */ u_int segsz; /* segment size */
uint16_t ether_vtag; /* ethernet 802.1p+q vlan tag */ uint16_t ether_vtag; /* ethernet 802.1p+q vlan tag */
uint16_t pad0; /* padding */ uint16_t pkthdr_flags; /* flags for pkthdr, see blow */
#define PKTHDR_FLAG_IPSEC_SKIP_PFIL 0x0001 /* skip pfil_run_hooks() after ipsec decrypt */
/* /*
* Following three fields are open-coded struct altq_pktattr * Following three fields are open-coded struct altq_pktattr