NetBSD-Bugs archive
kern/39919: no access to ipip_allow kernel variable via sysctl
>Number: 39919
>Category: kern
>Synopsis: no access to ipip_allow kernel variable via sysctl
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Fri Nov 14 13:30:01 +0000 2008
>Originator: Wolfgang Stukenbrock
>Release: NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH
>Environment:
System: NetBSD s040 4.0 NetBSD 4.0 (NSW-S040) #15: Fri Sep 26 14:12:09 CEST 2008 wgstuken@s012:/export/NetBSD-4.0/N+C-build/.OBJDIR_amd64/export/NetBSD-4.0/src/sys/arch/amd64/compile/NSW-S040 amd64
Architecture: x86_64
Machine: amd64
>Description:
The kernel variable ipip_allow in netipsec/xform_ipip.c controls the behaviour of ipip packets with possibly spoofed addresses in the FAST_IPSEC implementation. The variable is initialized to 0 - drop all spoofed attempts. The value 2 will allow processing of such packets, but there is no way to access it via the sysctl interface.
There is some code to add it for FreeBSD, but in ipsec_netbsd.c the variable is missing.
The following fix will add this variable to the sysctl interface and allow access to it.
Perhaps some documentation should be updated too, but this variable is only present if the kernel is compiled with FAST_IPSEC, so I'm not sure where to add it in the documentation.
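The description above says what ipip_allow does (0 drops spoofed ipip packets, 2 lets them through) but not what "spoofed" means. The following is an added userland model written for this page, not NetBSD kernel code: it treats an IP-in-IP packet as spoofed when the inner IP header's source address is one of the host's own addresses, which is the editor's reading of the check in xform_ipip.c, and applies the ipip_allow policy from the PR text (only the value 2 bypasses the check; what 1 does is not stated on the page and is modelled as "check", an assumption). The host addresses and packet sources are constructed sample data.

```c
/* Added example (editor's model, not NetBSD code): the FAST_IPSEC ipip
 * local-address spoof check that the ipip_allow tunable controls.
 * Assumptions: "spoofed" = inner IP source equals a local address;
 * any ipip_allow value other than 2 keeps the check active. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum verdict { IPIP_ACCEPT = 0, IPIP_DROP_SPOOF = 1 };

/* Decide what the input path does with an ipip packet whose inner header
 * carries source address inner_src, given the host's own IPv4 addresses
 * (network byte order) and the current ipip_allow setting. */
static enum verdict
ipip_spoof_verdict(in_addr_t inner_src, const in_addr_t *local, size_t nlocal,
    int ipip_allow)
{
	size_t i;

	/* ipip_allow == 2 disables the check entirely (the PR's "allow"). */
	if (ipip_allow == 2)
		return IPIP_ACCEPT;
	for (i = 0; i < nlocal; i++)
		if (local[i] == inner_src)
			return IPIP_DROP_SPOOF; /* kernel counts this as ipips_spoof */
	return IPIP_ACCEPT;
}

/* Convenience wrapper on dotted-quad strings; returns -1 on bad input,
 * otherwise the verdict as an int (0 accept, 1 drop). */
static int
ipip_check_str(const char *inner_src, const char *const *local, size_t nlocal,
    int ipip_allow)
{
	in_addr_t src, addrs[16];
	size_t i;

	if (nlocal > 16 || inet_pton(AF_INET, inner_src, &src) != 1)
		return -1;
	for (i = 0; i < nlocal; i++)
		if (inet_pton(AF_INET, local[i], &addrs[i]) != 1)
			return -1;
	return (int)ipip_spoof_verdict(src, addrs, nlocal, ipip_allow);
}

int
main(void)
{
	/* Constructed sample: this host owns 192.0.2.1 and 10.0.0.1. */
	static const char *const local[] = { "192.0.2.1", "10.0.0.1" };
	int allow;

	for (allow = 0; allow <= 2; allow++)
		printf("ipip_allow=%d inner src 192.0.2.1 -> %s\n", allow,
		    ipip_check_str("192.0.2.1", local, 2, allow) ==
		    IPIP_DROP_SPOOF ? "drop (spoof)" : "accept");
	printf("ipip_allow=0 inner src 198.51.100.7 -> %s\n",
	    ipip_check_str("198.51.100.7", local, 2, 0) ==
	    IPIP_DROP_SPOOF ? "drop (spoof)" : "accept");
	return 0;
}
```

The model makes the security point of the tunable visible: a remote peer that tunnels a packet whose inner source claims a local address is dropped at 0, and setting the sysctl to 2 removes that protection for every ipip packet, not just for a trusted tunnel.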
>How-To-Repeat:
Set up a kernel with FAST_IPSEC and try to change ipip_allow via sysctl.
You will fail, because it is not available there.
>Fix:
Here is the output of "rcsdiff -u" that adds the missing definition to /sys/netipsec/ipsec_netbsd.c.
remarks:
I've used the name "allow" for the variable, as mentioned in a comment in sys/netipsec/xform_ipip.c.
I've used IPSECCTL_DFBIT in the new entry because I have no better idea. IPSECCTL_DFBIT seems to be a definition that stands for itself only, so there should be no side effects. There is no other reference to this name in the whole source other than the sysctl definitions. In the final fix, perhaps another value will be the better choice ...
RCS file: RCS/ipsec_netbsd.c,v
retrieving revision 1.1
diff -u -r1.1 ipsec_netbsd.c
--- ipsec_netbsd.c 2008/11/14 12:58:25 1.1
+++ ipsec_netbsd.c 2008/11/14 13:13:38
@@ -516,6 +516,12 @@
NULL, 0, NULL, 0,
CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "allow", NULL,
+ NULL, 0, &ipip_allow, 0,
+ CTL_NET, PF_INET, IPPROTO_IPIP,
+ IPSECCTL_DFBIT, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
CTLTYPE_STRUCT, "ipip_stats", NULL,
NULL, 0, &ipipstat, sizeof(ipipstat),
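Review bot: the new entry passes &ipip_allow, but the hunk adds no declaration for it, and the PR says the variable lives in netipsec/xform_ipip.c; unless ipsec_netbsd.c already sees an `extern int ipip_allow;`, this will not compile, so add that declaration alongside the sysctl setup. On the node number, IPSECCTL_DFBIT is the identifier of the dfbit entry in the neighbouring net.inet.ipsec subtree (the other sysctl definitions the remarks refer to); node numbers only need to be unique under one parent, so it does not collide under IPPROTO_IPIP, but reusing it makes the meaning of the constant misleading. A dedicated constant for the ipip subtree (e.g. an IPIPCTL_ALLOW-style name, which is a suggestion, not an existing identifier) or CTL_CREATE for a dynamically assigned number would be cleaner. Finally, since any value other than the default switches off the spoof check and the CTLTYPE_INT node imposes no range check (the description documents only 0 and 2), the new node should be documented in sysctl(7) together with that consequence.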
>Unformatted: