Date:      Mon, 3 Apr 2017 17:39:52 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        "Andrey V. Elsukov" <ae@FreeBSD.org>, FreeBSD-STABLE Mailing List <freebsd-stable@freebsd.org>, svn-src-stable-11@freebsd.org
Subject:   Re: svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Message-ID:  <7738349f-e89a-d37d-e36f-0a5e18dc4249@sentex.net>
In-Reply-To: <201703182204.v2IM4Kfj060263@repo.freebsd.org>
References:  <201703182204.v2IM4Kfj060263@repo.freebsd.org>

Hi,
	I ran into a strange problem when migrating a box that makes use of TCP
MD5 signatures. These two policies, whose IPs happen to be 128 octets
apart, get rejected:


add 10.50.34.158 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;

Similarly, if I have the entries

add 10.50.34.159 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;

it errors out as well
# setkey -F ; setkey -FP ; setkey -F ; setkey -f test.ipsec.2
The result of line 2: File exists.
The result of line 4: File exists.

# cat test.ipsec.2
add 10.50.34.158 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
add 10.50.34.159 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;

But if the IPs are not 128 apart, it's fine:

# cat test.ipsec.3
add 10.50.34.157 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
add 10.50.34.160 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;

# setkey -F ; setkey -FP ; setkey -F ; setkey -f test.ipsec.3
#



On 3/18/2017 6:04 PM, Andrey V. Elsukov wrote:
> Author: ae
> Date: Sat Mar 18 22:04:20 2017
> New Revision: 315514
> URL: https://svnweb.freebsd.org/changeset/base/315514
> 
> Log:
>   MFC r304572 (by bz):
>     Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated
>     more than 7 years ago in favour of a sysctl in r192648.
>   
>   MFC r305122:
>     Remove redundant sanity checks from ipsec[46]_common_input_cb().
>   
>     This check already has been done in the each protocol callback.
>   
>   MFC r309144,309174,309201 (by fabient):
>     IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.
>   
>     Since the previous algorithm, based on bit shifting, does not scale
>     with large replay windows, the algorithm used here is based on
>     RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting.
>     The replay window will be fast to be updated, but will cost as many bits
>     in RAM as its size.
>   
>     The previous implementation did not provide a lock on the replay window,
>     which may lead to replay issues.
>   
>     Obtained from:	emeric.poupon@stormshield.eu
>     Sponsored by:	Stormshield
>     Differential Revision:	https://reviews.freebsd.org/D8468
>   
>   MFC r309143,309146 (by fabient):
>     In a dual processor system (2*6 cores) during IPSec throughput tests,
>     we see a lot of contention on the arc4 lock, used to generate the IV
>     of the ESP output packets.
>   
>     The idea of this patch is to split this mutex in order to reduce the
>     contention on this lock.
>   
>     Update r309143 to prevent false sharing.
>   
>     Reviewed by:	delphij, markm, ache
>     Approved by:	so
>     Obtained from: emeric.poupon@stormshield.eu
>     Sponsored by:	Stormshield
>     Differential Revision:	https://reviews.freebsd.org/D8130
>   
>   MFC r313330:
>     Merge projects/ipsec into head/.
>   
>      Small summary
>      -------------
>   
>     o Almost all IPsec related code was moved into sys/netipsec.
>     o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
>       option IPSEC_SUPPORT added. It enables support for loading
>       and unloading of ipsec.ko and tcpmd5.ko kernel modules.
>     o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
>       default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
>       support was removed. Added TCP/UDP checksum handling for
>       inbound packets that were decapsulated by transport mode SAs.
>       setkey(8) modified to show run-time NAT-T configuration of SA.
>     o New network pseudo interface if_ipsec(4) added. For now it is
>       build as part of ipsec.ko module (or with IPSEC kernel).
>       It implements IPsec virtual tunnels to create route-based VPNs.
>     o The network stack now invokes IPsec functions using special
>       methods. The only one header file <netipsec/ipsec_support.h>
>       should be included to declare all the needed things to work
>       with IPsec.
>     o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
>       Now these protocols are handled directly via IPsec methods.
>     o TCP_SIGNATURE support was reworked to be more close to RFC.
>     o PF_KEY SADB was reworked:
>       - now all security associations are stored in a single SPI namespace,
>         and all SAs MUST have unique SPI.
>       - several hash tables added to speed up lookups in SADB.
>       - SADB now uses rmlock to protect access, and concurrent threads
>         can do SA lookups at the same time.
>       - many PF_KEY message handlers were reworked to reflect changes
>         in SADB.
>       - SADB_UPDATE message was extended to support new PF_KEY headers:
>         SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
>         can be used by IKE daemon to change SA addresses.
>     o ipsecrequest and secpolicy structures were cardinally changed to
>       avoid locking protection for ipsecrequest. Now we support
>       only limited number (4) of bundled SAs, but they are supported
>       for both INET and INET6.
>     o INPCB security policy cache was introduced. Each PCB now caches
>       used security policies to avoid SP lookup for each packet.
>     o For inbound security policies added the mode, when the kernel does
>       check for full history of applied IPsec transforms.
>     o References counting rules for security policies and security
>       associations were changed. The proper SA locking added into xform
>       code.
>     o xform code was also changed. Now it is possible to unregister xforms.
>       tdb_xxx structures were changed and renamed to reflect changes in
>       SADB/SPDB, and changed rules for locking and refcounting.
>   
>     Obtained from:	Yandex LLC
>     Relnotes:	yes
>     Sponsored by:	Yandex LLC
>     Differential Revision:	https://reviews.freebsd.org/D9352
>   
>   MFC r313331:
>     Add removed headers into the ObsoleteFiles.inc.
>   
>   MFC r313561 (by glebius):
>     Move tcp_fields_to_net() static inline into tcp_var.h, just below its
>     friend tcp_fields_to_host(). There is third party code that also uses
>     this inline.
>   
>   MFC r313697:
>     Remove IPsec related PCB code from SCTP.
>   
>     The inpcb structure has inp_sp pointer that is initialized by
>     ipsec_init_pcbpolicy() function. This pointer keeps storage for IPsec
>     security policies associated with a specific socket.
>     An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket
>     options to configure these security policies. Then ip[6]_output()
>     uses inpcb pointer to specify that an outgoing packet is associated
>     with some socket. And IPSEC_OUTPUT() method can use a security policy
>     stored in the inp_sp. For inbound packet the protocol-specific input
>     routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms
>     to inbound security policy configured in the inpcb.
>   
>     SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends
>     packets. Thus IPSEC_OUTPUT() method does not consider such packets as
>     associated with some socket and can not apply security policies
>     from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY()
>     method is called from protocol-specific input routine, it can specify
>     inpcb pointer and the inbound policy associated with the socket will be
>     checked. But there are two problems:
>     1. Such a check is asymmetric, because we can not apply security policy
>     from inpcb for outgoing packet.
>     2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and
>     access to inp_sp is protected. But for SCTP this is not correct,
>     because SCTP uses its own locks to protect inpcb.
>   
>     To fix these problems remove IPsec related PCB code from SCTP.
>     This implies that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options
>     will not be applicable to SCTP sockets. To be able to correctly check
>     inbound security policies for SCTP, mark its protocol header with
>     the PR_LASTHDR flag.
>   
>     Differential Revision:	https://reviews.freebsd.org/D9538
>   
>   MFC r313746:
>     Add missing check to fix the build with IPSEC_SUPPORT and without MAC.
>   
>   MFC r313805:
>     Fix LINT build for powerpc.
>   
>     Build kernel modules support only when both IPSEC and TCP_SIGNATURE
>     are not defined.
>   
>   MFC r313922:
>     For translated packets do not adjust UDP checksum if it is zero.
>   
>     In case when decrypted and decapsulated packet is an UDP datagram,
>     check that its checksum is not zero before doing incremental checksum
>     adjustment.
>   
>   MFC r314339:
>     Document that the size of AH ICV for HMAC-SHA2-NNN should be half of
>     NNN bits as described in RFC4868.
>   
>     PR:		215978
>   
>   MFC r314812:
>     Introduce the concept of IPsec security policies scope.
>   
>     Currently three scopes are defined: global, ifnet, and pcb.
>     Generic security policies that IKE daemon can add via PF_KEY interface
>     or an administrator creates with setkey(8) utility have GLOBAL scope.
>     Such policies can be applied by the kernel to outgoing packets and checked
>     against inbound packets after IPsec processing.
>     Security policies created by if_ipsec(4) interfaces have IFNET scope.
>     Such policies are applied to packets that are passed through if_ipsec(4)
>     interface.
>     And security policies created by application using setsockopt()
>     IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
>     packets related to specific socket. Currently there is no way to list
>     PCB policies via setkey(8) utility.
>   
>     Modify setkey(8) and libipsec(3) to be able to distinguish the scope of
>     security policies in the `setkey -DP` listing. Add two optional flags:
>     '-t' to list only policies related to virtual *tunneling* interfaces,
>     i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
>     scope. By default policies from all scopes are listed.
>   
>     To implement this PF_KEY's sadb_x_policy structure was modified.
>     sadb_x_policy_reserved field is used to pass the policy scope from the
>     kernel to userland. SADB_SPDDUMP message extended to support filtering
>     by scope: sadb_msg_satype field is used to specify bit mask of requested
>     scopes.
>   
>     For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
>     is used to pass if_ipsec's interface if_index to the userland. For GLOBAL
>     policies sadb_x_policy_priority is used only to manage order of security
>     policies in the SPDB. For IFNET policies it is not used, so it can be used
>     to keep if_index.
>   
>     After this change the output of `setkey -DP` now looks like:
>     # setkey -DPt
>     0.0.0.0/0[any] 0.0.0.0/0[any] any
>     	in ipsec
>     	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
>     	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
>     	refcnt=1
>     # setkey -DPg
>     ::/0 ::/0 icmp6 135,0
>     	out none
>     	spid=5 seq=1 pid=872 scope=global
>     	refcnt=1
>   
>     Obtained from:	Yandex LLC
>     Sponsored by:	Yandex LLC
>     Differential Revision:	https://reviews.freebsd.org/D9805
>   
>   PR:		212018
>   Relnotes:	yes
>   Sponsored by:	Yandex LLC
> 
> Added:
>   stable/11/sbin/ifconfig/ifipsec.c
>      - copied unchanged from r313330, head/sbin/ifconfig/ifipsec.c
>   stable/11/share/man/man4/if_ipsec.4
>      - copied unchanged from r313330, head/share/man/man4/if_ipsec.4
>   stable/11/sys/modules/ipsec/
>      - copied from r313330, head/sys/modules/ipsec/
>   stable/11/sys/modules/tcp/tcpmd5/
>      - copied from r313330, head/sys/modules/tcp/tcpmd5/
>   stable/11/sys/net/if_ipsec.c
>      - copied, changed from r313330, head/sys/net/if_ipsec.c
>   stable/11/sys/net/if_ipsec.h
>      - copied unchanged from r313330, head/sys/net/if_ipsec.h
>   stable/11/sys/netipsec/ipsec_mod.c
>      - copied unchanged from r313330, head/sys/netipsec/ipsec_mod.c
>   stable/11/sys/netipsec/ipsec_pcb.c
>      - copied unchanged from r313330, head/sys/netipsec/ipsec_pcb.c
>   stable/11/sys/netipsec/ipsec_support.h
>      - copied unchanged from r313330, head/sys/netipsec/ipsec_support.h
>   stable/11/sys/netipsec/subr_ipsec.c
>      - copied, changed from r313330, head/sys/netipsec/subr_ipsec.c
>   stable/11/sys/netipsec/udpencap.c
>      - copied, changed from r313330, head/sys/netipsec/udpencap.c
> Deleted:
>   stable/11/sys/netinet/ip_ipsec.c
>   stable/11/sys/netinet/ip_ipsec.h
>   stable/11/sys/netinet6/ip6_ipsec.c
>   stable/11/sys/netinet6/ip6_ipsec.h
> Modified:
>   stable/11/ObsoleteFiles.inc
>   stable/11/contrib/netcat/netcat.c
>   stable/11/lib/libipsec/pfkey.c
>   stable/11/lib/libipsec/pfkey_dump.c
>   stable/11/sbin/ifconfig/Makefile
>   stable/11/sbin/ipfw/ipfw.8
>   stable/11/sbin/setkey/setkey.8
>   stable/11/sbin/setkey/setkey.c
>   stable/11/share/man/man4/Makefile
>   stable/11/share/man/man4/ipsec.4
>   stable/11/share/man/man4/tcp.4
>   stable/11/share/man/man4/udp.4
>   stable/11/sys/conf/NOTES
>   stable/11/sys/conf/files
>   stable/11/sys/conf/files.amd64
>   stable/11/sys/conf/files.arm
>   stable/11/sys/conf/files.arm64
>   stable/11/sys/conf/files.i386
>   stable/11/sys/conf/files.mips
>   stable/11/sys/conf/files.pc98
>   stable/11/sys/conf/files.powerpc
>   stable/11/sys/conf/files.riscv
>   stable/11/sys/conf/files.sparc64
>   stable/11/sys/conf/kern.opts.mk
>   stable/11/sys/conf/options
>   stable/11/sys/libkern/arc4random.c
>   stable/11/sys/modules/Makefile
>   stable/11/sys/net/pfkeyv2.h
>   stable/11/sys/netinet/in_pcb.c
>   stable/11/sys/netinet/in_proto.c
>   stable/11/sys/netinet/ip_input.c
>   stable/11/sys/netinet/ip_output.c
>   stable/11/sys/netinet/raw_ip.c
>   stable/11/sys/netinet/sctp_input.c
>   stable/11/sys/netinet/sctp_os_bsd.h
>   stable/11/sys/netinet/sctp_pcb.c
>   stable/11/sys/netinet/tcp_input.c
>   stable/11/sys/netinet/tcp_output.c
>   stable/11/sys/netinet/tcp_stacks/fastpath.c
>   stable/11/sys/netinet/tcp_subr.c
>   stable/11/sys/netinet/tcp_syncache.c
>   stable/11/sys/netinet/tcp_usrreq.c
>   stable/11/sys/netinet/tcp_var.h
>   stable/11/sys/netinet/udp.h
>   stable/11/sys/netinet/udp_usrreq.c
>   stable/11/sys/netinet6/in6.h
>   stable/11/sys/netinet6/in6_proto.c
>   stable/11/sys/netinet6/ip6_forward.c
>   stable/11/sys/netinet6/ip6_input.c
>   stable/11/sys/netinet6/ip6_output.c
>   stable/11/sys/netinet6/raw_ip6.c
>   stable/11/sys/netinet6/sctp6_usrreq.c
>   stable/11/sys/netinet6/udp6_usrreq.c
>   stable/11/sys/netipsec/ipsec.c
>   stable/11/sys/netipsec/ipsec.h
>   stable/11/sys/netipsec/ipsec6.h
>   stable/11/sys/netipsec/ipsec_input.c
>   stable/11/sys/netipsec/ipsec_mbuf.c
>   stable/11/sys/netipsec/ipsec_output.c
>   stable/11/sys/netipsec/key.c
>   stable/11/sys/netipsec/key.h
>   stable/11/sys/netipsec/key_debug.c
>   stable/11/sys/netipsec/key_debug.h
>   stable/11/sys/netipsec/keydb.h
>   stable/11/sys/netipsec/keysock.c
>   stable/11/sys/netipsec/xform.h
>   stable/11/sys/netipsec/xform_ah.c
>   stable/11/sys/netipsec/xform_esp.c
>   stable/11/sys/netipsec/xform_ipcomp.c
>   stable/11/sys/netipsec/xform_tcp.c
>   stable/11/usr.bin/netstat/inet.c
> Directory Properties:
>   stable/11/   (props changed)
> 
> Modified: stable/11/ObsoleteFiles.inc
> ==============================================================================
> --- stable/11/ObsoleteFiles.inc	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/ObsoleteFiles.inc	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -45,6 +45,9 @@ OLD_FILES+=usr/tests/sys/geom/class/gate
>  OLD_FILES+=usr/tests/sys/geom/class/gate/conf.sh
>  # 20170211: libarchive ACL pax test renamed to test_acl_pax_posix1e.tar.uu
>  OLD_FILES+=usr/tests/lib/libarchive/test_acl_pax.tar.uu
> +# 20170206: merged projects/ipsec
> +OLD_FILES+=usr/include/netinet/ip_ipsec.h
> +OLD_FILES+=usr/include/netinet6/ip6_ipsec.h
>  # 20170103: libbsnmptools.so made into an INTERNALLIB
>  OLD_FILES+=usr/lib/libbsnmptools.a
>  OLD_FILES+=usr/lib/libbsnmptools_p.a
> 
> Modified: stable/11/contrib/netcat/netcat.c
> ==============================================================================
> --- stable/11/contrib/netcat/netcat.c	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/contrib/netcat/netcat.c	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -131,7 +131,7 @@ ssize_t drainbuf(int, unsigned char *, s
>  ssize_t fillbuf(int, unsigned char *, size_t *);
>  
>  #ifdef IPSEC
> -void	add_ipsec_policy(int, char *);
> +void	add_ipsec_policy(int, int, char *);
>  
>  char	*ipsec_policy[2];
>  #endif
> @@ -642,12 +642,6 @@ remote_connect(const char *host, const c
>  		if ((s = socket(res0->ai_family, res0->ai_socktype,
>  		    res0->ai_protocol)) < 0)
>  			continue;
> -#ifdef IPSEC
> -		if (ipsec_policy[0] != NULL)
> -			add_ipsec_policy(s, ipsec_policy[0]);
> -		if (ipsec_policy[1] != NULL)
> -			add_ipsec_policy(s, ipsec_policy[1]);
> -#endif
>  
>  		if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_SETFIB,
>  		    &rtableid, sizeof(rtableid)) == -1))
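Review bot: dropping the add_ipsec_policy() calls from remote_connect() is only correct if set_common_sockopts(s, af) is invoked on this socket before connect(); the hunk does not show that call site, so please confirm the ordering. A policy attached after connect() would leave the handshake outside the per-socket policy, which is the opposite of what the -e option promises.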
> @@ -765,12 +759,7 @@ local_listen(char *host, char *port, str
>  		ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
>  		if (ret == -1)
>  			err(1, NULL);
> -#ifdef IPSEC
> -		if (ipsec_policy[0] != NULL)
> -			add_ipsec_policy(s, ipsec_policy[0]);
> -		if (ipsec_policy[1] != NULL)
> -			add_ipsec_policy(s, ipsec_policy[1]);
> -#endif
> +
>  		if (FreeBSD_Oflag) {
>  			if (setsockopt(s, IPPROTO_TCP, TCP_NOOPT,
>  			    &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
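Review bot: the replacement `+` line at the end of the removed block leaves an extra blank line between `err(1, NULL);` and the `if (FreeBSD_Oflag)` block; drop it so the function body keeps its single-blank-line spacing. The same ordering question as in remote_connect() applies here: set_common_sockopts() must run before bind()/listen() for the policy to cover the listening socket, and the call is not visible in this hunk.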
> @@ -1235,6 +1224,12 @@ set_common_sockopts(int s, int af)
>  		    &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
>  			err(1, "disable TCP options");
>  	}
> +#ifdef IPSEC
> +	if (ipsec_policy[0] != NULL)
> +		add_ipsec_policy(s, af, ipsec_policy[0]);
> +	if (ipsec_policy[1] != NULL)
> +		add_ipsec_policy(s, af, ipsec_policy[1]);
> +#endif
>  }
>  
>  int
> @@ -1360,7 +1355,7 @@ help(void)
>  
>  #ifdef IPSEC
>  void
> -add_ipsec_policy(int s, char *policy)
> +add_ipsec_policy(int s, int af, char *policy)
>  {
>  	char *raw;
>  	int e;
> @@ -1369,8 +1364,12 @@ add_ipsec_policy(int s, char *policy)
>  	if (raw == NULL)
>  		errx(1, "ipsec_set_policy `%s': %s", policy,
>  		     ipsec_strerror());
> -	e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
> -			ipsec_get_policylen(raw));
> +	if (af == AF_INET)
> +		e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
> +		    ipsec_get_policylen(raw));
> +	if (af == AF_INET6)
> +		e = setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, raw,
> +		    ipsec_get_policylen(raw));
>  	if (e < 0)
>  		err(1, "ipsec policy cannot be configured");
>  	free(raw);
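Review bot: `e` is left uninitialized when `af` is neither AF_INET nor AF_INET6, so the following `if (e < 0)` reads an indeterminate value and the policy may be silently skipped. Make the second test `else if (af == AF_INET6)` and add a final `else errx(1, "unsupported address family %d", af);` so an unexpected family fails loudly. Note also that `raw` leaks on the error path, though err() exits so that is cosmetic.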
> 
> Modified: stable/11/lib/libipsec/pfkey.c
> ==============================================================================
> --- stable/11/lib/libipsec/pfkey.c	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/lib/libipsec/pfkey.c	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -1776,20 +1776,17 @@ pfkey_align(msg, mhp)
>  		case SADB_EXT_SPIRANGE:
>  		case SADB_X_EXT_POLICY:
>  		case SADB_X_EXT_SA2:
> -			mhp[ext->sadb_ext_type] = (caddr_t)ext;
> -			break;
>  		case SADB_X_EXT_NAT_T_TYPE:
>  		case SADB_X_EXT_NAT_T_SPORT:
>  		case SADB_X_EXT_NAT_T_DPORT:
> -		/* case SADB_X_EXT_NAT_T_OA: is OAI */
>  		case SADB_X_EXT_NAT_T_OAI:
>  		case SADB_X_EXT_NAT_T_OAR:
>  		case SADB_X_EXT_NAT_T_FRAG:
> -			if (feature_present("ipsec_natt")) {
> -				mhp[ext->sadb_ext_type] = (caddr_t)ext;
> -				break;
> -			}
> -			/* FALLTHROUGH */
> +		case SADB_X_EXT_SA_REPLAY:
> +		case SADB_X_EXT_NEW_ADDRESS_SRC:
> +		case SADB_X_EXT_NEW_ADDRESS_DST:
> +			mhp[ext->sadb_ext_type] = (caddr_t)ext;
> +			break;
>  		default:
>  			__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
>  			return -1;
> 
> Modified: stable/11/lib/libipsec/pfkey_dump.c
> ==============================================================================
> --- stable/11/lib/libipsec/pfkey_dump.c	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/lib/libipsec/pfkey_dump.c	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -35,8 +35,9 @@ __FBSDID("$FreeBSD$");
>  #include <sys/types.h>
>  #include <sys/param.h>
>  #include <sys/socket.h>
> -#include <netipsec/ipsec.h>
> +#include <net/if.h>
>  #include <net/pfkeyv2.h>
> +#include <netipsec/ipsec.h>
>  #include <netipsec/key_var.h>
>  #include <netipsec/key_debug.h>
>  
> @@ -204,6 +205,13 @@ static struct val2str str_alg_comp[] = {
>  	{ -1, NULL, },
>  };
>  
> +static struct val2str str_sp_scope[] = {
> +	{ IPSEC_POLICYSCOPE_GLOBAL, "global" },
> +	{ IPSEC_POLICYSCOPE_IFNET, "ifnet" },
> +	{ IPSEC_POLICYSCOPE_PCB, "pcb"},
> +	{ -1, NULL },
> +};
> +
>  /*
>   * dump SADB_MSG formated.  For debugging, you should use kdebug_sadb().
>   */
> @@ -219,6 +227,10 @@ pfkey_sadump(m)
>  	struct sadb_key *m_auth, *m_enc;
>  	struct sadb_ident *m_sid, *m_did;
>  	struct sadb_sens *m_sens;
> +	struct sadb_x_sa_replay *m_sa_replay;
> +	struct sadb_x_nat_t_type *natt_type;
> +	struct sadb_x_nat_t_port *natt_sport, *natt_dport;
> +	struct sadb_address *natt_oai, *natt_oar;
>  
>  	/* check pfkey message. */
>  	if (pfkey_align(m, mhp)) {
> @@ -243,33 +255,47 @@ pfkey_sadump(m)
>  	m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
>  	m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
>  	m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
> +	m_sa_replay = (struct sadb_x_sa_replay *)mhp[SADB_X_EXT_SA_REPLAY];
> +	natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
> +	natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
> +	natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
> +	natt_oai = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAI];
> +	natt_oar = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAR];
> +
>  
>  	/* source address */
>  	if (m_saddr == NULL) {
>  		printf("no ADDRESS_SRC extension.\n");
>  		return;
>  	}
> -	printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
> +	printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
> +	if (natt_type != NULL && natt_sport != NULL)
> +		printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
>  
>  	/* destination address */
>  	if (m_daddr == NULL) {
> -		printf("no ADDRESS_DST extension.\n");
> +		printf("\nno ADDRESS_DST extension.\n");
>  		return;
>  	}
> -	printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
> +	printf(" %s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
> +	if (natt_type != NULL && natt_dport != NULL)
> +		printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
>  
>  	/* SA type */
>  	if (m_sa == NULL) {
> -		printf("no SA extension.\n");
> +		printf("\nno SA extension.\n");
>  		return;
>  	}
>  	if (m_sa2 == NULL) {
> -		printf("no SA2 extension.\n");
> +		printf("\nno SA2 extension.\n");
>  		return;
>  	}
>  	printf("\n\t");
>  
> -	GETMSGSTR(str_satype, m->sadb_msg_satype);
> +	if (m->sadb_msg_satype == SADB_SATYPE_ESP && natt_type != NULL)
> +		printf("esp-udp ");
> +	else
> +		GETMSGSTR(str_satype, m->sadb_msg_satype);
>  
>  	printf("mode=");
>  	GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
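Review bot: the new NAT-T assignments end with an added `+` blank line directly before the existing blank line, leaving two consecutive empty lines before `/* source address */`; drop one. Separately, the source and destination ports are printed only when both natt_type and the corresponding port extension are present, but the `esp-udp` label is chosen on natt_type alone, so an entry carrying SADB_X_EXT_NAT_T_TYPE without the port extensions would be labelled esp-udp with no ports shown; either require the port extensions there too or accept the asymmetry with a comment.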
> @@ -280,6 +306,18 @@ pfkey_sadump(m)
>  		(u_int32_t)m_sa2->sadb_x_sa2_reqid,
>  		(u_int32_t)m_sa2->sadb_x_sa2_reqid);
>  
> +	/* other NAT-T information */
> +	if (natt_type != NULL && (natt_oai != NULL || natt_oar != NULL)) {
> +		printf("\tNAT:");
> +		if (natt_oai != NULL)
> +			printf(" OAI=%s",
> +			    str_ipaddr((struct sockaddr *)(natt_oai + 1)));
> +		if (natt_oar != NULL)
> +			printf(" OAR=%s",
> +			    str_ipaddr((struct sockaddr *)(natt_oar + 1)));
> +		printf("\n");
> +	}
> +
>  	/* encryption key */
>  	if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
>  		printf("\tC: ");
> @@ -306,7 +344,8 @@ pfkey_sadump(m)
>  	/* replay windoe size & flags */
>  	printf("\tseq=0x%08x replay=%u flags=0x%08x ",
>  		m_sa2->sadb_x_sa2_sequence,
> -		m_sa->sadb_sa_replay,
> +		m_sa_replay ? (m_sa_replay->sadb_x_sa_replay_replay >> 3) :
> +			m_sa->sadb_sa_replay,
>  		m_sa->sadb_sa_flags);
>  
>  	/* state */
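Review bot: the `>> 3` appears to convert the new sadb_x_sa_replay_replay value (presumably a window in bits) to the unit of the legacy sadb_sa_replay field, but nothing here says so, and a window that is not a multiple of 8 is silently rounded down in the output. Add a comment naming the units of both fields, and consider printing the extension's value unshifted (or in both units) when it is present, since the RFC 6479 windows this merge introduces are exactly the large values where the legacy unit loses information. The context comment `replay windoe size` also has a typo worth fixing while you are here.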
> @@ -367,8 +406,7 @@ pfkey_sadump(m)
>  }
>  
>  void
> -pfkey_spdump(m)
> -	struct sadb_msg *m;
> +pfkey_spdump(struct sadb_msg *m)
>  {
>  	char pbuf[NI_MAXSERV];
>  	caddr_t mhp[SADB_EXT_MAX + 1];
> @@ -476,10 +514,15 @@ pfkey_spdump(m)
>  	}
>  
>  
> -	printf("\tspid=%ld seq=%ld pid=%ld\n",
> +	printf("\tspid=%ld seq=%ld pid=%ld scope=",
>  		(u_long)m_xpl->sadb_x_policy_id,
>  		(u_long)m->sadb_msg_seq,
>  		(u_long)m->sadb_msg_pid);
> +	GETMSGV2S(str_sp_scope, m_xpl->sadb_x_policy_scope);
> +	if (m_xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET &&
> +	    if_indextoname(m_xpl->sadb_x_policy_ifindex, pbuf) != NULL)
> +		printf("ifname=%s", pbuf);
> +	printf("\n");
>  
>  	/* XXX TEST */
>  	printf("\trefcnt=%u\n", m->sadb_msg_reserved);
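Review bot: if_indextoname() is handed `pbuf`, which is declared as `char pbuf[NI_MAXSERV]` for service names. NI_MAXSERV (32) is larger than IFNAMSIZ (16) so it does not overflow, but reusing a service-name buffer for an interface name is fragile; use a dedicated `char ifname[IFNAMSIZ]`. Also, when the index cannot be resolved (interface already destroyed) the line ends at `scope=ifnet` with no name at all; printing `ifindex=%u` as a fallback would keep the listing unambiguous.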
> 
> Modified: stable/11/sbin/ifconfig/Makefile
> ==============================================================================
> --- stable/11/sbin/ifconfig/Makefile	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sbin/ifconfig/Makefile	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -34,6 +34,7 @@ SRCS+=	ifvlan.c		# SIOC[GS]ETVLAN suppor
>  SRCS+=	ifvxlan.c		# VXLAN support
>  SRCS+=	ifgre.c			# GRE keys etc
>  SRCS+=	ifgif.c			# GIF reversed header workaround
> +SRCS+=	ifipsec.c		# IPsec VTI
>  
>  SRCS+=	sfp.c			# SFP/SFP+ information
>  LIBADD+=	m
> 
> Copied: stable/11/sbin/ifconfig/ifipsec.c (from r313330, head/sbin/ifconfig/ifipsec.c)
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ stable/11/sbin/ifconfig/ifipsec.c	Sat Mar 18 22:04:20 2017	(r315514, copy of r313330, head/sbin/ifconfig/ifipsec.c)
> @@ -0,0 +1,101 @@
> +/*-
> + * Copyright (c) 2016 Yandex LLC
> + * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
> + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <sys/cdefs.h>
> +__FBSDID("$FreeBSD$");
> +
> +#include <sys/param.h>
> +#include <sys/ioctl.h>
> +#include <sys/socket.h>
> +#include <sys/sockio.h>
> +#include <sys/stdint.h>
> +
> +#include <stdlib.h>
> +#include <unistd.h>
> +
> +#include <net/ethernet.h>
> +#include <net/if.h>
> +#include <net/if_ipsec.h>
> +#include <net/route.h>
> +
> +#include <ctype.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <err.h>
> +#include <errno.h>
> +
> +#include "ifconfig.h"
> +
> +static void
> +ipsec_status(int s)
> +{
> +	uint32_t reqid;
> +
> +	ifr.ifr_data = (caddr_t)&reqid;
> +	if (ioctl(s, IPSECGREQID, &ifr) == -1)
> +		return;
> +	printf("\treqid: %u\n", reqid);
> +}
> +
> +static
> +DECL_CMD_FUNC(setreqid, val, arg)
> +{
> +	char *ep;
> +	uint32_t v;
> +
> +	v = strtoul(val, &ep, 0);
> +	if (*ep != '\0') {
> +		warn("Invalid reqid value %s", val);
> +		return;
> +	}
> +	ifr.ifr_data = (char *)&v;
> +	if (ioctl(s, IPSECSREQID, &ifr) == -1) {
> +		warn("ioctl(IPSECSREQID)");
> +		return;
> +	}
> +}
> +
> +static struct cmd ipsec_cmds[] = {
> +	DEF_CMD_ARG("reqid",		setreqid),
> +};
> +
> +static struct afswtch af_ipsec = {
> +	.af_name	= "af_ipsec",
> +	.af_af		= AF_UNSPEC,
> +	.af_other_status = ipsec_status,
> +};
> +
> +static __constructor void
> +ipsec_ctor(void)
> +{
> +	size_t i;
> +
> +	for (i = 0; i < nitems(ipsec_cmds); i++)
> +		cmd_register(&ipsec_cmds[i]);
> +	af_register(&af_ipsec);
> +#undef N
> +}
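Review bot: in setreqid(), `warn("Invalid reqid value %s", val)` appends strerror(errno) to a parse error that set no errno; use warnx(). The `*ep != '\0'` test also accepts an empty string and does not catch overflow: check `ep == val`, and since strtoul() returns an unsigned long, reject values above UINT32_MAX (errno == ERANGE, or compare before the narrowing assignment to `uint32_t v`). The trailing `#undef N` in ipsec_ctor() undefines a macro this file never defines and can go, and <net/ethernet.h> and <ctype.h> appear unused.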
> 
> Modified: stable/11/sbin/ipfw/ipfw.8
> ==============================================================================
> --- stable/11/sbin/ipfw/ipfw.8	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sbin/ipfw/ipfw.8	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -1518,8 +1518,7 @@ Matches IPv4 packets whose precedence fi
>  .It Cm ipsec
>  Matches packets that have IPSEC history associated with them
>  (i.e., the packet comes encapsulated in IPSEC, the kernel
> -has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
> -decapsulate it).
> +has IPSEC support, and can correctly decapsulate it).
>  .Pp
>  Note that specifying
>  .Cm ipsec
> 
> Modified: stable/11/sbin/setkey/setkey.8
> ==============================================================================
> --- stable/11/sbin/setkey/setkey.8	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sbin/setkey/setkey.8	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -29,7 +29,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd October 3, 2016
> +.Dd March 7, 2017
>  .Dt SETKEY 8
>  .Os
>  .\"
> @@ -45,7 +45,7 @@
>  .Op Fl v
>  .Fl f Ar filename
>  .Nm
> -.Op Fl aPlv
> +.Op Fl Pgltv
>  .Fl D
>  .Nm
>  .Op Fl Pv
> @@ -81,18 +81,21 @@ Flush the SAD entries.
>  If with
>  .Fl P ,
>  the SPD entries are flushed.
> -.It Fl a
> -The
> -.Nm
> -utility
> -usually does not display dead SAD entries with
> -.Fl D .
> -If with
> -.Fl a ,
> -the dead SAD entries will be displayed as well.
> -A dead SAD entry means that
> -it has been expired but remains in the system
> -because it is referenced by some SPD entries.
> +.It Fl g
> +Only SPD entries with global scope are dumped with
> +.Fl D
> +and
> +.Fl P
> +flags.
> +.It Fl t
> +Only SPD entries with ifnet scope are dumped with
> +.Fl D
> +and
> +.Fl P
> +flags.
> +Such SPD entries are linked to the corresponding
> +.Xr if_ipsec 4
> +virtual tunneling interface.
>  .It Fl h
>  Add hexadecimal dump on
>  .Fl x
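Review bot: the `-a` description is removed here and from the synopsis above, but setkey.c in this same commit still prints `-Pagltv` in usage() and keeps `a` in its getopt string, so the man page and the tool now disagree. If dead SAD entries are no longer kept after the SADB rework, drop `a` from setkey.c as well; if `-a` still does something, keep it documented.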
> @@ -270,8 +273,6 @@ must be a decimal number, or a hexadecim
>  prefix.
>  SPI values between 0 and 255 are reserved for future use by IANA
>  and they cannot be used.
> -TCP-MD5 associations must use 0x1000 and therefore only have per-host
> -granularity at this time.
>  .\"
>  .Pp
>  .It Ar extensions
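Review bot: deleting the sentence about TCP-MD5 associations removes the only statement of which SPI a TCP-MD5 SA must carry without replacing it. Now that SAs live in a single SPI namespace and must have unique SPIs, the page should state the new rule and what the kernel uses to select a TCP-MD5 SA for a connection (address pair, SPI, or both); the report at the top of this thread, where policies with SPIs 0x101c and 0x1002 for different peers fail with `File exists`, shows users are already trying per-peer SPIs. The example later in this page still uses `0x1000` and should be updated to match whatever the rule is.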
> @@ -595,12 +596,11 @@ keyed-md5	128		ah: 96bit ICV (no documen
>  keyed-sha1	160		ah: 96bit ICV (no document)
>  		160		ah-old: 128bit ICV (no document)
>  null		0 to 2048	for debugging
> -hmac-sha2-256	256		ah: 96bit ICV
> -				(draft-ietf-ipsec-ciph-sha-256-00)
> +hmac-sha2-256	256		ah: 128bit ICV (RFC4868)
>  		256		ah-old: 128bit ICV (no document)
> -hmac-sha2-384	384		ah: 96bit ICV (no document)
> +hmac-sha2-384	384		ah: 192bit ICV (RFC4868)
>  		384		ah-old: 128bit ICV (no document)
> -hmac-sha2-512	512		ah: 96bit ICV (no document)
> +hmac-sha2-512	512		ah: 256bit ICV (RFC4868)
>  		512		ah-old: 128bit ICV (no document)
>  hmac-ripemd160	160		ah: 96bit ICV (RFC2857)
>  				ah-old: 128bit ICV (no document)
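Review bot: changing hmac-sha2-256/384/512 from a 96-bit to the RFC 4868 128/192/256-bit ICV is a wire-format change, not only a documentation fix; an SA using these algorithms against a peer that still truncates to 96 bits will fail integrity checks after the upgrade. This deserves an UPDATING and release-notes entry, and the table could keep a line saying that the pre-RFC 4868 96-bit truncation is no longer what this implementation produces.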
> @@ -700,6 +700,7 @@ add 10.1.10.34 10.1.10.36 tcp 0x1000 -A 
>  .\"
>  .Sh SEE ALSO
>  .Xr ipsec_set_policy 3 ,
> +.Xr if_ipsec 4 ,
>  .Xr racoon 8 ,
>  .Xr sysctl 8
>  .Rs
> 
> Modified: stable/11/sbin/setkey/setkey.c
> ==============================================================================
> --- stable/11/sbin/setkey/setkey.c	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sbin/setkey/setkey.c	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -56,7 +56,7 @@
>  void usage(void);
>  int main(int, char **);
>  int get_supported(void);
> -void sendkeyshort(u_int);
> +void sendkeyshort(u_int, uint8_t);
>  void promisc(void);
>  int sendkeymsg(char *, size_t);
>  int postproc(struct sadb_msg *, int);
> @@ -81,6 +81,7 @@ int f_cmddump = 0;
>  int f_policy = 0;
>  int f_hexdump = 0;
>  int f_tflag = 0;
> +int f_scope = 0;
>  static time_t thiszone;
>  
>  extern int lineno;
> @@ -93,7 +94,7 @@ usage()
>  
>  	printf("usage: setkey [-v] -c\n");
>  	printf("       setkey [-v] -f filename\n");
> -	printf("       setkey [-Palv] -D\n");
> +	printf("       setkey [-Pagltv] -D\n");
>  	printf("       setkey [-Pv] -F\n");
>  	printf("       setkey [-h] -x\n");
>  	exit(1);
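Review bot: the usage string still advertises -a (`setkey [-Pagltv] -D`) and the getopt string in the next hunk still contains 'a', while the setkey.8 synopsis in this commit changes to `.Op Fl Pgltv` and the whole -a description is deleted. Either drop 'a' from usage() and getopt() or restore the man page text; as committed, -a is accepted but undocumented.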
> @@ -114,7 +115,7 @@ main(ac, av)
>  
>  	thiszone = gmt2local(0);
>  
> -	while ((c = getopt(ac, av, "acdf:hlvxDFP")) != -1) {
> +	while ((c = getopt(ac, av, "acdf:ghltvxDFP")) != -1) {
>  		switch (c) {
>  		case 'c':
>  			f_mode = MODE_SCRIPT;
> @@ -149,6 +150,12 @@ main(ac, av)
>  		case 'P':
>  			f_policy = 1;
>  			break;
> +		case 'g': /* global */
> +			f_scope |= IPSEC_POLICYSCOPE_GLOBAL;
> +			break;
> +		case 't': /* tunnel */
> +			f_scope |= IPSEC_POLICYSCOPE_IFNET;
> +			break;
>  		case 'v':
>  			f_verbose = 1;
>  			break;
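Review bot: the new 't' case records the flag in f_scope, while the pre-existing f_tflag (declared in the context of the f_scope hunk above) is not touched. If f_tflag is still used elsewhere in this file, the name now clashes with a -t flag that does something different; if it is not, it is dead and should go. Either way, one variable per flag makes the code easier to follow.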
> @@ -166,10 +173,12 @@ main(ac, av)
>  
>  	switch (f_mode) {
>  	case MODE_CMDDUMP:
> -		sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
> +		sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP,
> +		    f_policy ? f_scope: SADB_SATYPE_UNSPEC);
>  		break;
>  	case MODE_CMDFLUSH:
> -		sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
> +		sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH,
> +		    SADB_SATYPE_UNSPEC);
>  		break;
>  	case MODE_SCRIPT:
>  		if (get_supported() < 0) {
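Review bot: in the MODE_CMDDUMP branch the scope is only passed when f_policy is set, so `setkey -g -D` or `setkey -t -D` without -P silently dumps the SAD as before; a usage() error, or at least a warning, would be better than ignoring the flag. Also, f_scope is an int built from IPSEC_POLICYSCOPE_* bits and is narrowed to uint8_t here because it travels in sadb_msg_satype; a comment stating that the SPD dump reuses the satype byte as a scope mask would help the next reader, and the kernel side should reject bits it does not know.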
> @@ -204,15 +213,14 @@ get_supported()
>  }
>  
>  void
> -sendkeyshort(type)
> -        u_int type;
> +sendkeyshort(u_int type, uint8_t satype)
>  {
>  	struct sadb_msg msg;
>  
>  	msg.sadb_msg_version = PF_KEY_V2;
>  	msg.sadb_msg_type = type;
>  	msg.sadb_msg_errno = 0;
> -	msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
> +	msg.sadb_msg_satype = satype;
>  	msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
>  	msg.sadb_msg_reserved = 0;
>  	msg.sadb_msg_seq = 0;
> 
> Modified: stable/11/share/man/man4/Makefile
> ==============================================================================
> --- stable/11/share/man/man4/Makefile	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/share/man/man4/Makefile	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -202,6 +202,7 @@ MAN=	aac.4 \
>  	icmp.4 \
>  	icmp6.4 \
>  	ida.4 \
> +	if_ipsec.4 \
>  	ifmib.4 \
>  	ig4.4 \
>  	igb.4 \
> 
> Copied: stable/11/share/man/man4/if_ipsec.4 (from r313330, head/share/man/man4/if_ipsec.4)
> ==============================================================================
> --- /dev/null	00:00:00 1970	(empty, because file is newly added)
> +++ stable/11/share/man/man4/if_ipsec.4	Sat Mar 18 22:04:20 2017	(r315514, copy of r313330, head/share/man/man4/if_ipsec.4)
> @@ -0,0 +1,141 @@
> +.\" Copyright (c) 2017 Andrey V. Elsukov <ae@FreeBSD.org>
> +.\" All rights reserved.
> +.\"
> +.\" Redistribution and use in source and binary forms, with or without
> +.\" modification, are permitted provided that the following conditions
> +.\" are met:
> +.\" 1. Redistributions of source code must retain the above copyright
> +.\"    notice, this list of conditions and the following disclaimer.
> +.\" 2. Redistributions in binary form must reproduce the above copyright
> +.\"    notice, this list of conditions and the following disclaimer in the
> +.\"    documentation and/or other materials provided with the distribution.
> +.\"
> +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
> +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> +.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
> +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> +.\" SUCH DAMAGE.
> +.\"
> +.\" $FreeBSD$
> +.\"
> +.Dd February 6, 2017
> +.Dt if_ipsec 4
> +.Os
> +.Sh NAME
> +.Nm if_ipsec
> +.Nd IPsec virtual tunneling interface
> +.Sh SYNOPSIS
> +The
> +.Cm if_ipsec
> +network interface is a part of the
> +.Fx
> +IPsec implementation.
> +To compile it into the kernel, place this line in the kernel
> +configuration file:
> +.Bd -ragged -offset indent
> +.Cd "options IPSEC"
> +.Ed
> +.Pp
> +It can also be loaded as part of the
> +.Cm ipsec
> +kernel module if the kernel was compiled with
> +.Bd -ragged -offset indent
> +.Cd "options IPSEC_SUPPORT"
> +.Ed
> +.Sh DESCRIPTION
> +The
> +.Nm
> +network interface is targeted for creating route-based VPNs.
> +It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure
> +it with ESP.
> +.Pp
> +.Nm
> +interfaces are dynamically created and destroyed with the
> +.Xr ifconfig 8
> +.Cm create
> +and
> +.Cm destroy
> +subcommands.
> +The administrator must configure IPsec
> +.Cm tunnel
> +endpoint addresses.
> +These addresses will be used for the outer IP header of ESP packets.
> +The administrator can also configure the protocol and addresses for the inner
> +IP header with
> +.Xr ifconfig 8 ,
> +and modify the routing table to route the packets through the
> +.Nm
> +interface.
> +.Pp
> +When the
> +.Nm
> +interface is configured, it automatically creates special security policies.
> +These policies can be used to acquire security associations from the IKE daemon,
> +which are needed for establishing an IPsec tunnel.
> +It is also possible to create needed security associations manually with the
> +.Xr setkey 8
> +utility.
> +.Pp
> +Each
> +.Nm
> +interface has an additional numeric configuration option
> +.Cm reqid Ar id .
> +This
> +.Ar id
> +is used to distinguish traffic and security policies between several
> +.Nm
> +interfaces.
> +The
> +.Cm reqid
> +can be specified on interface creation and changed later.
> +If not specified, it is automatically assigned.
> +Note that changing
> +.Cm reqid
> +will lead to generation of new security policies, and this
> +may require creating new security associations.
> +.Sh EXAMPLES
> +The example below shows manual configuration of an IPsec tunnel
> +between two FreeBSD hosts.
> +Host A has the IP address 192.168.0.3, and host B has the IP address
> +192.168.0.5.
> +.Pp
> +On host A:
> +.Bd -literal -offset indent
> +ifconfig ipsec0 create reqid 100
> +ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
> +ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
> +setkey -c
> +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
> +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
> +^D
> +.Ed
> +.Pp
> +On host B:
> +.Bd -literal -offset indent
> +ifconfig ipsec0 create reqid 200
> +ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
> +ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
> +setkey -c
> +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
> +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
> +^D
> +.Ed
> +.Pp
> +Note the value 100 on host A and value 200 on host B are used as reqid.
> +The same value must be used as identifier of the policy entry in the
> +.Xr setkey 8
> +command.
> +.Sh SEE ALSO
> +.Xr gif 4 ,
> +.Xr gre 4 ,
> +.Xr ipsec 4 ,
> +.Xr ifconfig 8 ,
> +.Xr setkey 8
> +.Sh AUTHORS
> +.An Andrey V. Elsukov Aq Mt ae@FreeBSD.org
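Review bot: the EXAMPLES section configures ESP with `-E rijndael-cbc` and no `-A` authentication algorithm, i.e. encryption without integrity protection, which is exactly the configuration administrators should not copy from a man page; add an `-A hmac-sha2-256 "..."` entry to all four add lines and use an obviously placeholder key rather than a short ASCII string, since readers tend to paste examples verbatim. The DESCRIPTION could also say in one sentence that the reqid given to ifconfig(8) must match the `-u` value in the setkey(8) entries, which is currently stated only after the example.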
> 
> Modified: stable/11/share/man/man4/ipsec.4
> ==============================================================================
> --- stable/11/share/man/man4/ipsec.4	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/share/man/man4/ipsec.4	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -29,7 +29,7 @@
>  .\"
>  .\" $FreeBSD$
>  .\"
> -.Dd November 29, 2009
> +.Dd February 6, 2017
>  .Dt IPSEC 4
>  .Os
>  .Sh NAME
> @@ -37,6 +37,7 @@
>  .Nd Internet Protocol Security protocol
>  .Sh SYNOPSIS
>  .Cd "options IPSEC"
> +.Cd "options IPSEC_SUPPORT"
>  .Cd "device crypto"
>  .Pp
>  .In sys/types.h
> @@ -151,6 +152,16 @@ Refer to
>  .Xr setkey 8
>  on how to use it.
>  .Pp
> +Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
> +transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
> +may be used to configure per-socket security policies.
> +A properly-formed IPsec policy specification structure can be
> +created using
> +.Xr ipsec_set_policy 3
> +function and used as socket option value for the
> +.Xr setsockopt 2
> +call.
> +.Pp
>  When setting policies using the
>  .Xr setkey 8
>  command, the
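Review bot: style in the new per-socket policy paragraph: "IPPROTO_IP or IPPROTO_IPV6 transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options may be used" is missing its articles, and "created using .Xr ipsec_set_policy 3 function" should read "created using the ... function". The constant names would conventionally be marked with `.Dv` rather than left as plain text.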
> @@ -228,6 +239,8 @@ for tweaking the kernel's IPsec behavior
>  .It "net.inet.ipsec.dfbit	integer	yes"
>  .It "net.inet.ipsec.ecn	integer	yes"
>  .It "net.inet.ipsec.debug	integer	yes"
> +.It "net.inet.ipsec.natt_cksum_policy	integer	yes"
> +.It "net.inet.ipsec.check_policy_history	integer	yes"
>  .It "net.inet6.ipsec6.ecn	integer	yes"
>  .It "net.inet6.ipsec6.debug	integer	yes"
>  .El
> @@ -270,6 +283,23 @@ talks more about the behavior.
>  .It Li ipsec.debug
>  If set to non-zero, debug messages will be generated via
>  .Xr syslog 3 .
> +.It Li ipsec.natt_cksum_policy
> +Controls how the kernel handles TCP and UDP checksums when ESP in UDP
> +encapsulation is used for IPsec transport mode.
> +If set to a non-zero value, the kernel fully recomputes checksums for
> +inbound TCP segments and UDP datagrams after they are decapsulated and
> +decrypted.
> +If set to 0 and original addresses were configured for corresponding SA
> +by the IKE daemon, the kernel incrementally recomputes checksums for
> +inbound TCP segments and UDP datagrams.
> +If addresses were not configured, the checksums are ignored.
> +.It Li ipsec.check_policy_history
> +Enables strict policy checking for inbound packets.
> +By default, inbound security policies check that packets handled by IPsec
> +have been decrypted and authenticated.
> +If this variable is set to a non-zero value, each packet handled by IPsec
> +is checked against the history of IPsec security associations.
> +The IPsec security protocol, mode, and SA addresses must match.
>  .El
>  .Pp
>  Variables under the
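Review bot: neither new sysctl description states its default value. For check_policy_history this matters: with strict checking off, the text says an inbound packet satisfies the policy as long as it was decrypted and authenticated, not necessarily by the SA (protocol, mode, addresses) the policy intends, so an administrator needs the default and that consequence spelled out to decide whether to turn it on. For natt_cksum_policy, "the checksums are ignored" should say whether that means the checksum is accepted without verification or recomputed by the stack.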
> @@ -305,6 +335,7 @@ routines from looking into the IP payloa
>  .Xr ipsec_set_policy 3 ,
>  .Xr crypto 4 ,
>  .Xr enc 4 ,
> +.Xr if_ipsec 4 ,
>  .Xr icmp6 4 ,
>  .Xr intro 4 ,
>  .Xr ip6 4 ,
> 
> Modified: stable/11/share/man/man4/tcp.4
> ==============================================================================
> --- stable/11/share/man/man4/tcp.4	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/share/man/man4/tcp.4	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -34,7 +34,7 @@
>  .\"     From: @(#)tcp.4	8.1 (Berkeley) 6/5/93
>  .\" $FreeBSD$
>  .\"
> -.Dd October 21, 2016
> +.Dd February 6, 2017
>  .Dt TCP 4
>  .Os
>  .Sh NAME
> @@ -272,33 +272,27 @@ or the internal send buffer is filled.
>  This option enables the use of MD5 digests (also known as TCP-MD5)
>  on writes to the specified socket.
>  Outgoing traffic is digested;
> -digests on incoming traffic are verified if the
> -.Va net.inet.tcp.signature_verify_input
> -sysctl is nonzero.
> -The current default behavior for the system is to respond to a system
> -advertising this option with TCP-MD5; this may change.
> +digests on incoming traffic are verified.
> +When this option is enabled on a socket, all inbound and outgoing
> +TCP segments must be signed with MD5 digests.
>  .Pp
>  One common use for this in a
>  .Fx
>  router deployment is to enable
>  based routers to interwork with Cisco equipment at peering points.
>  Support for this feature conforms to RFC 2385.
> -Only IPv4
> -.Pq Dv AF_INET
> -sessions are supported.
>  .Pp
>  In order for this option to function correctly, it is necessary for the
>  administrator to add a tcp-md5 key entry to the system's security
>  associations database (SADB) using the
>  .Xr setkey 8
>  utility.
> -This entry must have an SPI of 0x1000 and can therefore only be specified
> -on a per-host basis at this time.
> +This entry can only be specified on a per-host basis at this time.
>  .Pp
> -If an SADB entry cannot be found for the destination, the outgoing traffic
> -will have an invalid digest option prepended, and the following error message
> -will be visible on the system console:
> -.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
> +If an SADB entry cannot be found for the destination,
> +the system does not send any outgoing segments and drops any inbound segments.
> +.Pp
> +Each dropped segment is taken into account in the TCP protocol statistics.
>  .El
>  .Pp
>  The option level for the
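Review bot: removing the net.inet.tcp.signature_verify_input paragraph changes documented behaviour: inbound digests were previously verified only when that sysctl was nonzero, and the new text says they are always verified and segments without a matching SADB entry are dropped, so hosts that had the sysctl at 0 to tolerate unsigned peers will lose sessions after upgrade; that deserves an UPDATING entry. Two wording points: "all inbound and outgoing TCP segments" should be "inbound and outbound", and "taken into account in the TCP protocol statistics" should name the counter an operator would look for in netstat -s output.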
> 
> Modified: stable/11/share/man/man4/udp.4
> ==============================================================================
> --- stable/11/share/man/man4/udp.4	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/share/man/man4/udp.4	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -28,7 +28,7 @@
>  .\"     @(#)udp.4	8.1 (Berkeley) 6/5/93
>  .\" $FreeBSD$
>  .\"
> -.Dd June 5, 1993
> +.Dd February 6, 2017
>  .Dt UDP 4
>  .Os
>  .Sh NAME
> @@ -99,6 +99,17 @@ transport level may be used with
>  .Tn UDP ;
>  see
>  .Xr ip 4 .
> +.Tn UDP_ENCAP
> +socket option may be used at the
> +.Tn IPPROTO_UDP
> +level to encapsulate
> +.Tn ESP
> +packets in
> +.Tn UDP .
> +Only one value is supported for this option:
> +.Tn UDP_ENCAP_ESPINUDP
> +from RFC 3948, defined in
> +.In netinet/udp.h .
>  .Sh MIB VARIABLES
>  The
>  .Nm
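Review bot: the new UDP_ENCAP paragraph starts "UDP_ENCAP socket option may be used" without an article, and the option names UDP_ENCAP and UDP_ENCAP_ESPINUDP are marked with `.Tn` like the protocol names around them, where `.Dv` is the conventional macro for defined constants. It would also help to say whether the option can be cleared again once set, since "only one value is supported" leaves that open.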
> @@ -158,7 +169,8 @@ exists.
>  .Xr blackhole 4 ,
>  .Xr inet 4 ,
>  .Xr intro 4 ,
> -.Xr ip 4
> +.Xr ip 4 ,
> +.Xr udplite 4
>  .Sh HISTORY
>  The
>  .Nm
> 
> Modified: stable/11/sys/conf/NOTES
> ==============================================================================
> --- stable/11/sys/conf/NOTES	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sys/conf/NOTES	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -613,23 +613,12 @@ options 	TCP_OFFLOAD		# TCP offload supp
>  # In order to enable IPSEC you MUST also add device crypto to 
>  # your kernel configuration
>  options 	IPSEC			#IP security (requires device crypto)
> +
> +# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to 
> +# load it as a kernel module. You still MUST add device crypto to your kernel
> +# configuration.
> +options		IPSEC_SUPPORT
>  #options 	IPSEC_DEBUG		#debug for IP security
> -#
> -# #DEPRECATED#
> -# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
> -# coming through a tunnel to be processed by any configured packet filtering
> -# twice. The default is that packets coming out of a tunnel are _not_ processed;
> -# they are assumed trusted.
> -#
> -# IPSEC history is preserved for such packets, and can be filtered
> -# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
> -#
> -#options 	IPSEC_FILTERTUNNEL	#filter ipsec packets from a tunnel
> -#
> -# Set IPSEC_NAT_T to enable NAT-Traversal support.  This enables
> -# optional UDP encapsulation of ESP packets.
> -#
> -options		IPSEC_NAT_T		#NAT-T support, UDP encap of ESP
>  
>  #
>  # SMB/CIFS requester
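Review bot: this hunk deletes `options IPSEC_NAT_T` without any replacement comment, so kernel configuration files that still carry the option will need editing after this change lands; that needs an UPDATING entry, and the IPSEC comment block should state that UDP encapsulation of ESP (NAT-T) is now always built with IPSEC. Nits: the added comment line "makes it possible to " ends in trailing whitespace, and `options		IPSEC_SUPPORT` uses two tabs where the surrounding entries use `options 	` (space, tab).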
> @@ -1015,7 +1004,8 @@ options 	ACCEPT_FILTER_HTTP
>  # carried in TCP option 19. This option is commonly used to protect
>  # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
>  # This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
> -# This requires the use of 'device crypto' and 'options IPSEC'.
> +# This requires the use of 'device crypto' and either 'options IPSEC' or
> +# 'options IPSEC_SUPPORT'.
>  options 	TCP_SIGNATURE		#include support for RFC 2385
>  
>  # DUMMYNET enables the "dummynet" bandwidth limiter.  You need IPFIREWALL
> 
> Modified: stable/11/sys/conf/files
> ==============================================================================
> --- stable/11/sys/conf/files	Sat Mar 18 21:44:42 2017	(r315513)
> +++ stable/11/sys/conf/files	Sat Mar 18 22:04:20 2017	(r315514)
> @@ -574,22 +574,24 @@ contrib/ngatm/netnatm/sig/sig_unimsgcpy.
>  	compile-with "${NORMAL_C} -I$S/contrib/ngatm"
>  contrib/ngatm/netnatm/sig/sig_verify.c optional ngatm_uni \
>  	compile-with "${NORMAL_C} -I$S/contrib/ngatm"
> -crypto/blowfish/bf_ecb.c	optional ipsec
> -crypto/blowfish/bf_skey.c	optional crypto | ipsec
> -crypto/camellia/camellia.c	optional crypto | ipsec
> -crypto/camellia/camellia-api.c	optional crypto | ipsec
> -crypto/des/des_ecb.c		optional crypto | ipsec | netsmb
> -crypto/des/des_setkey.c		optional crypto | ipsec | netsmb
> +crypto/blowfish/bf_ecb.c	optional ipsec | ipsec_support
> +crypto/blowfish/bf_skey.c	optional crypto | ipsec | ipsec_support
> +crypto/camellia/camellia.c	optional crypto | ipsec | ipsec_support
> +crypto/camellia/camellia-api.c	optional crypto | ipsec | ipsec_support
> +crypto/des/des_ecb.c		optional crypto | ipsec | ipsec_support | netsmb
> +crypto/des/des_setkey.c		optional crypto | ipsec | ipsec_support | netsmb
>  crypto/rc4/rc4.c		optional netgraph_mppc_encryption | kgssapi
>  crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
> -					 ipsec | random !random_loadable | wlan_ccmp
> +	ipsec | ipsec_support | random !random_loadable | wlan_ccmp
>  crypto/rijndael/rijndael-api-fst.c optional geom_bde | random !random_loadable
> -crypto/rijndael/rijndael-api.c	optional crypto | ipsec | wlan_ccmp
> +crypto/rijndael/rijndael-api.c	optional crypto | ipsec | ipsec_support | \
> +	wlan_ccmp
>  crypto/sha1.c			optional carp | crypto | ipsec | \
> -					 netgraph_mppc_encryption | sctp
> -crypto/sha2/sha256c.c		optional crypto | geom_bde | ipsec | random !random_loadable | \
> -					 sctp | zfs
> -crypto/sha2/sha512c.c		optional crypto | geom_bde | ipsec | zfs
> +	ipsec_support | netgraph_mppc_encryption | sctp 
> +crypto/sha2/sha256c.c		optional crypto | geom_bde | ipsec | \
> +	ipsec_support | random !random_loadable | sctp | zfs
> +crypto/sha2/sha512c.c		optional crypto | geom_bde | ipsec | \
> +	ipsec_support | zfs
>  crypto/skein/skein.c		optional crypto | zfs
>  crypto/skein/skein_block.c	optional crypto | zfs
>  crypto/siphash/siphash.c	optional inet | inet6
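Review bot: nit in the crypto/sha1.c entry: the continuation line `ipsec_support | netgraph_mppc_encryption | sctp ` has trailing whitespace. Beyond that, every cipher and hash source here is now built for `ipsec_support` as well as `ipsec`, so a kernel with only IPSEC_SUPPORT carries the crypto code statically while the rest of IPsec lives in the module; a sentence in NOTES about that footprint would avoid surprise.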
> @@ -3592,8 +3594,7 @@ libkern/strtouq.c		standard
>  libkern/strvalid.c		standard
>  libkern/timingsafe_bcmp.c	standard
>  libkern/zlib.c			optional crypto | geom_uzip | ipsec | \
> -					 mxge | netgraph_deflate | \
> -					 ddb_ctf | gzio
> +	ipsec_support | mxge | netgraph_deflate | ddb_ctf | gzio
>  net/altq/altq_cbq.c		optional altq
>  net/altq/altq_cdnr.c		optional altq
>  net/altq/altq_codel.c		optional altq
> @@ -3629,6 +3630,7 @@ net/if_fwsubr.c			optional fwip
>  net/if_gif.c			optional gif inet | gif inet6 | \
>  					 netgraph_gif inet | netgraph_gif inet6
>  net/if_gre.c			optional gre inet | gre inet6
> +net/if_ipsec.c			optional inet ipsec | inet6 ipsec
>  net/if_iso88025subr.c		optional token
>  net/if_lagg.c			optional lagg
>  net/if_loop.c			optional loop
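Review bot: `net/if_ipsec.c optional inet ipsec | inet6 ipsec` builds the interface only into a kernel with `options IPSEC`, yet the new if_ipsec(4) page says the interface "can also be loaded as part of the ipsec kernel module" under IPSEC_SUPPORT. The module Makefile is not in the quoted part of the diff, so confirm that sys/modules/ipsec includes if_ipsec.c; otherwise the man page overstates what the module provides.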
> @@ -3814,7 +3816,6 @@ netinet/ip_encap.c		optional inet | inet
>  netinet/ip_fastfwd.c		optional inet
>  netinet/ip_icmp.c		optional inet | inet6
>  netinet/ip_input.c		optional inet
> -netinet/ip_ipsec.c		optional inet ipsec
>  netinet/ip_mroute.c		optional mrouting inet
>  netinet/ip_options.c		optional inet
>  netinet/ip_output.c		optional inet
> @@ -3883,7 +3884,6 @@ netinet6/ip6_id.c		optional inet6
>  netinet6/ip6_input.c		optional inet6
>  netinet6/ip6_mroute.c		optional mrouting inet6
>  netinet6/ip6_output.c		optional inet6
> -netinet6/ip6_ipsec.c		optional inet6 ipsec
>  netinet6/mld6.c			optional inet6
>  netinet6/nd6.c			optional inet6
>  netinet6/nd6_nbr.c		optional inet6
> @@ -3896,15 +3896,25 @@ netinet6/udp6_usrreq.c		optional inet6
>  netipsec/ipsec.c		optional ipsec inet | ipsec inet6
>  netipsec/ipsec_input.c		optional ipsec inet | ipsec inet6
>  netipsec/ipsec_mbuf.c		optional ipsec inet | ipsec inet6
> 
> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
> 
> 


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


