NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/39919: no access to ipip_allow kernel variable via sysctl

>Number:         39919
>Category:       kern
>Synopsis:       no access to ipip_allow kernel variable via sysctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 14 13:30:01 +0000 2008
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 4.0
Dr. Nagler & Company GmbH
System: NetBSD s040 4.0 NetBSD 4.0 (NSW-S040) #15: Fri Sep 26 14:12:09 CEST 
Architecture: x86_64
Machine: amd64
        The kernel variable ipip_allow in netipsec/xform_ipip.c controls the 
behaviour of ipip-packets
        with possible spoofed addresses in the FAST_IPSEC implementation.
        The variable gets initialized to 0 - drop all spoofed attemmpts.
        The value 2 will allow processing of such packets, but there is no way 
to access it via sysctl interface.
        There is some code to add it for FreeBSD, but in ipsec_netbsd.c the 
variable is missing.

        The following fix will add this variable to the sysctl interface and 
allow access to it.
        Perhaps some documentation should be updated too, but this variable is 
only present if
        the kernel is compiled with FAST_IPSEC, so I'm not shure where to add 
it in the documentation.
        Setup a kernel with FAST_IPSEC and try to change ipip_allow via sysctl. 
You will fail, because it is no available there.
        Here the output of "rcsdiff -u" that will add the missing definition to 
          I've used the name "allow" for the variable mentioned in a comment in 
          I've used IPSECCTL_DFBIT in the new entry, because I've no better 
idea. IPSECCTL_DFBIT seems to be
          a definitions that stands for itself only, so there should be no side 
effects. There is no other reference to
          this name in the whole source other than  the sysctl definitions. In 
the final fix, perhaps an other value will
          be the better choice ...

CS file: RCS/ipsec_netbsd.c,v
retrieving revision 1.1
diff -u -r1.1 ipsec_netbsd.c
--- ipsec_netbsd.c      2008/11/14 12:58:25     1.1
+++ ipsec_netbsd.c      2008/11/14 13:13:38
@@ -516,6 +516,12 @@
                       NULL, 0, NULL, 0,
                       CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
        sysctl_createv(clog, 0, NULL, NULL,
+                      CTLTYPE_INT, "allow", NULL,
+                      NULL, 0, &ipip_allow, 0,
+                      CTL_NET, PF_INET, IPPROTO_IPIP,
+                      IPSECCTL_DFBIT, CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
                       CTLTYPE_STRUCT, "ipip_stats", NULL,
                       NULL, 0, &ipipstat, sizeof(ipipstat),


Home | Main Index | Thread Index | Old Index