From owner-svn-src-stable-11@freebsd.org Wed Aug 23 08:56:20 2017 Return-Path: Delivered-To: svn-src-stable-11@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 41340DE1BB6; Wed, 23 Aug 2017 08:56:20 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 1CE63679FE; Wed, 23 Aug 2017 08:56:20 +0000 (UTC) (envelope-from ae@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id v7N8uJAM091886; Wed, 23 Aug 2017 08:56:19 GMT (envelope-from ae@FreeBSD.org) Received: (from ae@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id v7N8uJg1091884; Wed, 23 Aug 2017 08:56:19 GMT (envelope-from ae@FreeBSD.org) Message-Id: <201708230856.v7N8uJg1091884@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: ae set sender to ae@FreeBSD.org using -f From: "Andrey V. Elsukov" Date: Wed, 23 Aug 2017 08:56:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r322808 - in stable/11: share/man/man4 sys/net X-SVN-Group: stable-11 X-SVN-Commit-Author: ae X-SVN-Commit-Paths: in stable/11: share/man/man4 sys/net X-SVN-Commit-Revision: 322808 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Aug 2017 08:56:20 -0000 Author: ae Date: Wed Aug 23 08:56:18 2017 New Revision: 322808 URL: https://svnweb.freebsd.org/changeset/base/322808 Log: MFC r322310: Add to if_enc(4) ability to capture packets via BPF after pfil processing. New flag 0x4 can be configured in net.enc.[in|out].ipsec_bpf_mask. When it is set, if_enc(4) additionally captures a packet via BPF after invoking pfil hook. This may be useful for debugging. Sponsored by: Yandex LLC Modified: stable/11/share/man/man4/enc.4 stable/11/sys/net/if_enc.c Directory Properties: stable/11/ (props changed) Modified: stable/11/share/man/man4/enc.4 ============================================================================== --- stable/11/share/man/man4/enc.4 Wed Aug 23 04:43:50 2017 (r322807) +++ stable/11/share/man/man4/enc.4 Wed Aug 23 08:56:18 2017 (r322808) @@ -31,7 +31,7 @@ .\" .\" $FreeBSD$ .\" -.Dd November 28, 2007 +.Dd August 9, 2017 .Dt ENC 4 .Os .Sh NAME @@ -44,6 +44,13 @@ kernel configuration file: .Bd -ragged -offset indent .Cd "device enc" .Ed +.Pp +Alternatively, to load the driver as a +module at boot time, place the following line in +.Xr loader.conf 5 : +.Bd -literal -offset indent +if_enc_load="YES" +.Ed .Sh DESCRIPTION The .Nm @@ -115,6 +122,11 @@ outgoing path Most people will want to run with the suggested defaults for .Cm ipsec_filter_mask and rely on the security policy database for the outer headers. +.Pp +Note that packets are captured by BPF before firewall processing. +The special value 0x4 can be configured in the +.Ar ipsec_bpf_mask +and packets will be also captured after firewall processing. .Sh EXAMPLES To see the packets the processed via .Xr ipsec 4 , Modified: stable/11/sys/net/if_enc.c ============================================================================== --- stable/11/sys/net/if_enc.c Wed Aug 23 04:43:50 2017 (r322807) +++ stable/11/sys/net/if_enc.c Wed Aug 23 08:56:18 2017 (r322808) @@ -99,9 +99,15 @@ static void enc_remove_hhooks(struct enc_softc *); static const char encname[] = "enc"; +#define IPSEC_ENC_AFTER_PFIL 0x04 /* * Before and after are relative to when we are stripping the * outer IP header. + * + * AFTER_PFIL flag used only for bpf_mask_*. It enables BPF capturing + * after PFIL hook execution. It might be useful when PFIL hook does + * some changes to the packet, e.g. address translation. If PFIL hook + * consumes mbuf, nothing will be captured. */ static VNET_DEFINE(int, filter_mask_in) = IPSEC_ENC_BEFORE; static VNET_DEFINE(int, bpf_mask_in) = IPSEC_ENC_BEFORE; @@ -194,6 +200,30 @@ enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) return (0); } +static void +enc_bpftap(struct ifnet *ifp, struct mbuf *m, const struct secasvar *sav, + int32_t hhook_type, uint8_t enc, uint8_t af) +{ + struct enchdr hdr; + + if (hhook_type == HHOOK_TYPE_IPSEC_IN && + (enc & V_bpf_mask_in) == 0) + return; + else if (hhook_type == HHOOK_TYPE_IPSEC_OUT && + (enc & V_bpf_mask_out) == 0) + return; + if (bpf_peers_present(ifp->if_bpf) == 0) + return; + hdr.af = af; + hdr.spi = sav->spi; + hdr.flags = 0; + if (sav->alg_enc != SADB_EALG_NONE) + hdr.flags |= M_CONF; + if (sav->alg_auth != SADB_AALG_NONE) + hdr.flags |= M_AUTH; + bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), m); +} + /* * One helper hook function is used by any hook points. * + from hhook_type we can determine the packet direction: @@ -206,7 +236,6 @@ static int enc_hhook(int32_t hhook_type, int32_t hhook_id, void *udata, void *ctx_data, void *hdata, struct osd *hosd) { - struct enchdr hdr; struct ipsec_ctx_data *ctx; struct enc_softc *sc; struct ifnet *ifp, *rcvif; @@ -223,21 +252,7 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, void * if (ctx->af != hhook_id) return (EPFNOSUPPORT); - if (((hhook_type == HHOOK_TYPE_IPSEC_IN && - (ctx->enc & V_bpf_mask_in) != 0) || - (hhook_type == HHOOK_TYPE_IPSEC_OUT && - (ctx->enc & V_bpf_mask_out) != 0)) && - bpf_peers_present(ifp->if_bpf) != 0) { - hdr.af = ctx->af; - hdr.spi = ctx->sav->spi; - hdr.flags = 0; - if (ctx->sav->alg_enc != SADB_EALG_NONE) - hdr.flags |= M_CONF; - if (ctx->sav->alg_auth != SADB_AALG_NONE) - hdr.flags |= M_AUTH; - bpf_mtap2(ifp->if_bpf, &hdr, sizeof(hdr), *ctx->mp); - } - + enc_bpftap(ifp, *ctx->mp, ctx->sav, hhook_type, ctx->enc, ctx->af); switch (hhook_type) { case HHOOK_TYPE_IPSEC_IN: if (ctx->enc == IPSEC_ENC_BEFORE) { @@ -290,6 +305,8 @@ enc_hhook(int32_t hhook_type, int32_t hhook_id, void * return (EACCES); } (*ctx->mp)->m_pkthdr.rcvif = rcvif; + enc_bpftap(ifp, *ctx->mp, ctx->sav, hhook_type, + IPSEC_ENC_AFTER_PFIL, ctx->af); return (0); }