tech-net archive


getsockopt(IP[V6]_IPSEC_POLICY) does not work

   While converting protocol code to sockopt(9) API, one of the remaining
issues is that the socket options IP_IPSEC_POLICY and IPV6_IPSEC_POLICY
can be set but not got, though there is half-hearted code to attempt it.

  The reason is that the getopt code in netipsec/ipsec.c (duplicated in
netinet6?) expects a "struct sadb_x_policy" to be passed in from userland,
so that it can extract a further argument (direction INWARD or OUTWARD)
but getsockopt() does not provide that and never has; the memory access is
kernel->userland only for getsockopt().

  On FreeBSD, the sockopt API can be convinced to read both ways (because
they store the userspace pointer into the sockopt structure**) though they
only have correct code in the IP6 version. Linux has no such option
available in the getopt path.

  If I understand correctly, the ipsec code is of external origin to
NetBSD, but it seems that this part of the API needs to be rethought in
general. There are some ways I can think of to move on with this:

- remove that code from the get path entirely
- #if 0 that code in the get path and let it rot
- create extra option names _INWARD and _OUTWARD
- version the _IPSEC_POLICY names and sadb_x_policy structure so
   that it contains inward AND outward policy.
- make getsockopt copy in the buffer

Frankly I don't know what is best, none of the options seem very palatable
and I guess this has never come up but I favour pruning.

Any thoughts?


** Elad objected to this as being open to 'Time Of Check, Time Of Use' abuse
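As an added illustration, not code from this mail or from NetBSD, here is a constructed model of the sockopt(9) get path: the existing handler shape, which can only see a zeroed buffer because getsockopt() never copies the caller's bytes in, next to the per-direction option names proposed above. All option values, struct layouts and function names are simplified assumptions, not the real headers.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the sockopt(9) "get" path discussed in the mail. */
enum { DIR_INBOUND = 1, DIR_OUTBOUND = 2 };

/* Hypothetical option names: the plain one (current behaviour) and the
 * _INWARD/_OUTWARD pair the mail proposes. Values are made up for the model. */
enum { OPT_IPSEC_POLICY = 1, OPT_IPSEC_POLICY_INWARD = 2, OPT_IPSEC_POLICY_OUTWARD = 3 };

struct policy { int dir; int level; };     /* stand-in for struct sadb_x_policy */
struct pcb    { struct policy in, out; };  /* per-socket inbound/outbound policy */

/* Kernel-side request. For getsockopt() the data buffer starts out zero-filled:
 * the kernel writes it back to userland but never reads userland's copy. */
struct sockopt { int name; struct policy data; };

/* Existing shape: the handler expects the direction to have arrived in
 * sopt->data. On the get path it never does, so dir is 0 and every lookup
 * fails, which is the "set but not got" symptom. */
int ipsec_getpolicy_old(const struct pcb *pcb, struct sockopt *sopt)
{
    const struct policy *src;
    switch (sopt->data.dir) {
    case DIR_INBOUND:  src = &pcb->in;  break;
    case DIR_OUTBOUND: src = &pcb->out; break;
    default:           return EINVAL;   /* direction never reached the kernel */
    }
    sopt->data = *src;
    return 0;
}

/* Proposed shape: the direction is encoded in the option name, so nothing
 * has to be read out of the caller's buffer (and no copy-in is needed). */
int ipsec_getpolicy_dirname(const struct pcb *pcb, struct sockopt *sopt)
{
    const struct policy *src;
    switch (sopt->name) {
    case OPT_IPSEC_POLICY_INWARD:  src = &pcb->in;  break;
    case OPT_IPSEC_POLICY_OUTWARD: src = &pcb->out; break;
    default:                       return ENOPROTOOPT;
    }
    sopt->data = *src;
    return 0;
}

/* Simulated getsockopt(): the handler sees a zeroed buffer whatever the
 * caller wrote. Returns the handler's errno; on success copies the result out. */
int sim_getsockopt(const struct pcb *pcb, int name, struct policy *out,
                   int (*handler)(const struct pcb *, struct sockopt *))
{
    struct sockopt sopt;
    memset(&sopt, 0, sizeof sopt);
    sopt.name = name;
    int err = handler(pcb, &sopt);
    if (err == 0) *out = sopt.data;
    return err;
}
```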
