From owner-svn-src-head@FreeBSD.ORG Sat May 23 16:42:39 2009 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 62678106566B; Sat, 23 May 2009 16:42:39 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 4E74F8FC0C; Sat, 23 May 2009 16:42:39 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n4NGgd2Q060969; Sat, 23 May 2009 16:42:39 GMT (envelope-from bz@svn.freebsd.org) Received: (from bz@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id n4NGgcbJ060961; Sat, 23 May 2009 16:42:38 GMT (envelope-from bz@svn.freebsd.org) Message-Id: <200905231642.n4NGgcbJ060961@svn.freebsd.org> 
From: "Bjoern A. Zeeb" Date: Sat, 23 May 2009 16:42:38 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r192648 - in head: share/man/man4 sys/conf sys/netinet sys/netinet6 sys/netipsec X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 May 2009 16:42:39 -0000 Author: bz Date: Sat May 23 16:42:38 2009 New Revision: 192648 URL: http://svn.freebsd.org/changeset/base/192648 Log: Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL kernel option. This also permits tuning of the option per virtual network stack, as well as separately per inet, inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks Modified: head/share/man/man4/ipsec.4 head/sys/conf/NOTES head/sys/netinet/ip_ipsec.c head/sys/netinet6/ip6_ipsec.c head/sys/netipsec/ipsec.c head/sys/netipsec/ipsec.h head/sys/netipsec/ipsec6.h head/sys/netipsec/vipsec.h Modified: head/share/man/man4/ipsec.4 ============================================================================== --- head/share/man/man4/ipsec.4 Sat May 23 16:39:49 2009 (r192647) +++ head/share/man/man4/ipsec.4 Sat May 23 16:42:38 2009 (r192648) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd August 5, 2007 +.Dd May 23, 2009 .Dt IPSEC 4 .Os .Sh NAME @@ -37,7 +37,6 @@ .Nd Internet Protocol Security protocol .Sh SYNOPSIS .Cd "options IPSEC" -.Cd "options IPSEC_FILTERTUNNEL" .Cd "device crypto" .Pp .In sys/types.h 
@@ -88,9 +87,12 @@ inbound. .Pp To properly filter on the inner packets of an .Nm -tunnel with firewalls, add -.Cd "options IPSEC_FILTERTUNNEL" -to the kernel configuration file. +tunnel with firewalls, you can change the values of the following sysctls +.Bl -column net.inet6.ipsec6.filtertunnel default enable +.It Sy "Name Default Enable" +.It net.inet.ipsec.filtertunnel 0 1 +.It net.inet6.ipsec6.filtertunnel 0 1 +.El .\" .Ss Kernel interface .Nm Modified: head/sys/conf/NOTES ============================================================================== --- head/sys/conf/NOTES Sat May 23 16:39:49 2009 (r192647) +++ head/sys/conf/NOTES Sat May 23 16:42:38 2009 (r192648) @@ -524,9 +524,10 @@ options ROUTETABLES=2 # max 16. 1 is b options IPSEC #IP security (requires device crypto) #options IPSEC_DEBUG #debug for IP security # -# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel -# to be processed by any configured packet filtering twice. -# The default is that packets coming out of a tunnel are _not_ processed; +# #DEPRECATED# +# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets +# coming through a tunnel to be processed by any configured packet filtering +# twice. The default is that packets coming out of a tunnel are _not_ processed; # they are assumed trusted. # # IPSEC history is preserved for such packets, and can be filtered Modified: head/sys/netinet/ip_ipsec.c ============================================================================== --- head/sys/netinet/ip_ipsec.c Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netinet/ip_ipsec.c Sat May 23 16:42:38 2009 (r192648) @@ -71,6 +71,10 @@ __FBSDID("$FreeBSD$"); extern struct protosw inetsw[]; +#ifdef VIMAGE_GLOBALS +int ip4_ipsec_filtertunnel; +#endif + /* * Check if we have to jump over firewall processing for this packet. * Called from ip_input(). 
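Review bot: The new `int ip4_ipsec_filtertunnel;` definition under `#ifdef VIMAGE_GLOBALS` in ip_ipsec.c carries no comment, while its extern (netipsec/ipsec.h), sysctl node and default (netipsec/ipsec.c) all live in another directory, so a reader of this file sees only an unexplained global. I would put above it `/* Nonzero: run packets decapsulated from an IPsec tunnel through the packet filter; net.inet.ipsec.filtertunnel, default 0 (bypass). */`. Whether the definition belongs here or beside the other ip4_* globals depends on where those are defined, which this diff does not show.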
@@ -79,11 +83,14 @@ extern struct protosw inetsw[]; int ip_ipsec_filtertunnel(struct mbuf *m) { -#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL) +#if defined(IPSEC) + INIT_VNET_IPSEC(curvnet); + /* * Bypass packet filtering for packets from a tunnel. */ - if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + if (!V_ip4_ipsec_filtertunnel && + m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) return 1; #endif return 0; Modified: head/sys/netinet6/ip6_ipsec.c ============================================================================== --- head/sys/netinet6/ip6_ipsec.c Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netinet6/ip6_ipsec.c Sat May 23 16:42:38 2009 (r192648) @@ -76,6 +76,10 @@ __FBSDID("$FreeBSD$"); extern struct protosw inet6sw[]; +#ifdef VIMAGE_GLOBALS +int ip6_ipsec6_filtertunnel; +#endif + /* * Check if we have to jump over firewall processing for this packet. * Called from ip_input(). @@ -84,11 +88,14 @@ extern struct protosw inet6sw[]; int ip6_ipsec_filtertunnel(struct mbuf *m) { -#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL) +#if defined(IPSEC) + INIT_VNET_IPSEC(curvnet); + /* * Bypass packet filtering for packets from a tunnel. */ - if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + if (!V_ip6_ipsec6_filtertunnel && + m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) return 1; #endif return 0; Modified: head/sys/netipsec/ipsec.c ============================================================================== --- head/sys/netipsec/ipsec.c Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netipsec/ipsec.c Sat May 23 16:42:38 2009 (r192648) 
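Review bot: The comment `Bypass packet filtering for packets from a tunnel.` is now only half true, because the early `return 1` is conditional on `!V_ip4_ipsec_filtertunnel`; I would change it to `Bypass packet filtering for packets from a tunnel unless net.inet.ipsec.filtertunnel is set.` It is also worth stating in that comment that the default (0, set in ipsec_init) keeps the historical fail-open behaviour: decapsulated inner packets skip the packet filter entirely, so an administrator who relies on pf/ipfw for inner traffic has to set the sysctl. The flag is read per packet without a lock, which is fine for a plain int toggle; a change takes effect for the next packet, presumably acceptable. ip_ipsec_filtertunnel is complete within this hunk.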
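Review bot: Same stale comment as in the IPv4 counterpart: `Bypass packet filtering for packets from a tunnel.` no longer describes a conditional bypass; suggest `Bypass packet filtering for packets from a tunnel unless net.inet6.ipsec6.filtertunnel is set.` The context comment `Called from ip_input().` above this function is pre-existing, but it looks copied from the IPv4 file (ip6_input() would be expected here); not introduced by this commit, noted only because the function is being touched.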
@@ -167,6 +167,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_ine SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, "IPsec IPv4 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, + filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0, + "If set filter packets from an IPsec tunnel."); #ifdef REGRESSION #ifdef VIMAGE_GLOBALS @@ -228,6 +231,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_ine SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, "IPsec IPv6 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO, + filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0, + "If set filter packets from an IPsec tunnel."); #endif /* INET6 */ static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *)); @@ -273,6 +279,11 @@ ipsec_init(void) V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ V_ip4_esp_randpad = -1; +#ifdef IPSEC_FILTERTUNNEL + V_ip4_ipsec_filtertunnel = 1; +#else + V_ip4_ipsec_filtertunnel = 0; +#endif V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; @@ -287,6 +298,11 @@ ipsec_init(void) V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ +#ifdef IPSEC_FILTERTUNNEL + V_ip6_ipsec6_filtertunnel = 1; +#else + V_ip6_ipsec6_filtertunnel = 0; +#endif #endif } Modified: head/sys/netipsec/ipsec.h ============================================================================== --- head/sys/netipsec/ipsec.h Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netipsec/ipsec.h Sat May 23 16:42:38 2009 (r192648) 
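Review bot: The sysctl description `If set filter packets from an IPsec tunnel.` does not tell the operator what the unset, default state means, which is the security-relevant half: inner packets of a tunnel bypass the packet filter. I would make it `Run packets decapsulated from an IPsec tunnel through the packet filter (default 0: bypass filtering).` The node is per-vnet and CTLFLAG_RW; whether a jailed root inside a vnet can write it depends on prison-flag handling not shown in this diff, worth confirming since setting it to 0 silently removes filtering for that stack. The inet6 node in the next hunk has the same description and the same question.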
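Review bot: The five-line `#ifdef IPSEC_FILTERTUNNEL` default selection is repeated verbatim for V_ip4_ipsec_filtertunnel here and for V_ip6_ipsec6_filtertunnel in the next hunk; a single compiled-in default keeps the two from drifting when the option is removed. Since NOTES now marks the option deprecated, this is also the place to make kernels that still set it say so at build time with a `#warning`, so the transition period does not pass unnoticed. The fence below sketches both; ipsec_init begins and ends outside this hunk.
```c
/* Compiled-in default for the filtertunnel sysctls; the kernel option is deprecated. */
#ifdef IPSEC_FILTERTUNNEL
#warning "IPSEC_FILTERTUNNEL is deprecated; use the net.inet.ipsec.filtertunnel / net.inet6.ipsec6.filtertunnel sysctls"
#define	IPSEC_FILTERTUNNEL_DEFAULT	1
#else
#define	IPSEC_FILTERTUNNEL_DEFAULT	0
#endif

/* … unchanged: ipsec_init up to V_ip4_esp_randpad … */
	V_ip4_ipsec_filtertunnel = IPSEC_FILTERTUNNEL_DEFAULT;
/* … unchanged: INET6 defaults up to V_ip6_ipsec_ecn … */
	V_ip6_ipsec6_filtertunnel = IPSEC_FILTERTUNNEL_DEFAULT;
```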
@@ -348,6 +348,7 @@ extern int ip4_ah_cleartos; extern int ip4_ah_offsetmask; extern int ip4_ipsec_dfbit; extern int ip4_ipsec_ecn; +extern int ip4_ipsec_filtertunnel; extern int ip4_esp_randpad; extern int crypto_support; Modified: head/sys/netipsec/ipsec6.h ============================================================================== --- head/sys/netipsec/ipsec6.h Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netipsec/ipsec6.h Sat May 23 16:42:38 2009 (r192648) @@ -47,6 +47,7 @@ extern int ip6_esp_net_deflev; extern int ip6_ah_trans_deflev; extern int ip6_ah_net_deflev; extern int ip6_ipsec_ecn; +extern int ip6_ipsec6_filtertunnel; struct inpcb; Modified: head/sys/netipsec/vipsec.h ============================================================================== --- head/sys/netipsec/vipsec.h Sat May 23 16:39:49 2009 (r192647) +++ head/sys/netipsec/vipsec.h Sat May 23 16:42:38 2009 (r192648) @@ -57,6 +57,7 @@ struct vnet_ipsec { int _ip4_ah_offsetmask; int _ip4_ipsec_dfbit; int _ip4_ipsec_ecn; + int _ip4_ipsec_filtertunnel; int _ip4_esp_randpad; int _ipsec_replay; @@ -90,6 +91,7 @@ struct vnet_ipsec { int _ip6_ah_trans_deflev; int _ip6_ah_net_deflev; int _ip6_ipsec_ecn; + int _ip6_ipsec6_filtertunnel; int _ah_enable; int _ah_cleartos; 
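Review bot: `ip6_ipsec6_filtertunnel` breaks the naming pattern of its neighbours in ipsec6.h (`ip6_ipsec_ecn`, `ip6_ah_net_deflev`) and of its IPv4 twin `ip4_ipsec_filtertunnel`; `ip6_ipsec_filtertunnel` would be the consistent choice. The extra `6` presumably mirrors the `net.inet6.ipsec6` sysctl node, but the existing ecn variable is registered under a node of that family without it, so the precedent points the other way. If renamed, the vnet_ipsec field, the V_ macro and the ipsec.c uses added by this commit would change with it.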
@@ -142,12 +144,14 @@ extern struct vnet_ipsec vnet_ipsec_0; #define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev) #define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn) +#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel) #define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) #define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) #define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) #define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) #define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) #define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) +#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel) #define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) #define V_ipcompstat VNET_IPSEC(ipcompstat) #define V_ipip_allow VNET_IPSEC(ipip_allow)