From owner-svn-src-head@FreeBSD.ORG  Sat Apr 18 16:51:25 2015
Return-Path: <owner-svn-src-head@FreeBSD.ORG>
Delivered-To: svn-src-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 695134CA;
 Sat, 18 Apr 2015 16:51:25 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 3DC34604;
 Sat, 18 Apr 2015 16:51:25 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.9/8.14.9) with ESMTP id t3IGpPJK049825;
 Sat, 18 Apr 2015 16:51:25 GMT (envelope-from ae@FreeBSD.org)
Received: (from ae@localhost)
 by svn.freebsd.org (8.14.9/8.14.9/Submit) id t3IGpP0K049823;
 Sat, 18 Apr 2015 16:51:25 GMT (envelope-from ae@FreeBSD.org)
Message-Id: <201504181651.t3IGpP0K049823@svn.freebsd.org>
X-Authentication-Warning: svn.freebsd.org: ae set sender to ae@FreeBSD.org
 using -f
From: "Andrey V. Elsukov" <ae@FreeBSD.org>
Date: Sat, 18 Apr 2015 16:51:25 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
 svn-src-head@freebsd.org
Subject: svn commit: r281694 - head/sys/netipsec
X-SVN-Group: head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-head@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: SVN commit messages for the src tree for head/-current
 <svn-src-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-head/>
List-Post: <mailto:svn-src-head@freebsd.org>
List-Help: <mailto:svn-src-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-head>,
 <mailto:svn-src-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Apr 2015 16:51:25 -0000

Author: ae
Date: Sat Apr 18 16:51:24 2015
New Revision: 281694
URL: https://svnweb.freebsd.org/changeset/base/281694

Log:
  Requeue mbuf via netisr when we use IPSec tunnel mode and IPv6.
  
  ipsec6_common_input_cb() uses partial copy of ip6_input() to parse
  headers. But this isn't correct, when we use tunnel mode IPSec.
  
  When we stripped outer IPv6 header from the decrypted packet, it
  can become IPv4 packet and should be handled by ip_input. Also when
  we use tunnel mode IPSec with IPv6 traffic, we should pass decrypted
  packet with inner IPv6 header to ip6_input, it will correctly handle
  it and also can decide to forward it.
  
  The "skip" variable points to offset where payload starts. In tunnel
  mode we reset it to zero after stripping the outer header. So, when
  it is zero, we should requeue mbuf via netisr.
  
  Differential Revision:	https://reviews.freebsd.org/D2306
  Reviewed by:	adrian, gnn
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netipsec/ipsec_input.c

Modified: head/sys/netipsec/ipsec_input.c
==============================================================================
--- head/sys/netipsec/ipsec_input.c	Sat Apr 18 16:46:31 2015	(r281693)
+++ head/sys/netipsec/ipsec_input.c	Sat Apr 18 16:51:24 2015	(r281694)
@@ -627,7 +627,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secasindex *saidx;
-	int nxt;
+	int nxt, isr_prot;
 	u_int8_t nxt8;
 	int error, nest;
 #ifdef notyet
@@ -803,6 +803,35 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
 		return (error);
 #endif /* DEV_ENC */
+	if (skip == 0) {
+		/*
+		 * We stripped outer IPv6 header.
+		 * Now we should requeue decrypted packet via netisr.
+		 */
+		switch (prot) {
+#ifdef INET
+		case IPPROTO_IPIP:
+			isr_prot = NETISR_IP;
+			break;
+#endif
+		case IPPROTO_IPV6:
+			isr_prot = NETISR_IPV6;
+			break;
+		default:
+			DPRINTF(("%s: cannot handle inner ip proto %d\n",
+			    __func__, prot));
+			IPSEC_ISTAT(sproto, nopf);
+			error = EPFNOSUPPORT;
+			goto bad;
+		}
+		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
+		if (error) {
+			IPSEC_ISTAT(sproto, qfull);
+			DPRINTF(("%s: queue full; proto %u packet dropped\n",
+			    __func__, sproto));
+		}
+		return (error);
+	}
 	/*
 	 * See the end of ip6_input for this logic.
 	 * IPPROTO_IPV[46] case will be processed just like other ones