

[src/trunk]: src/sys Fix ipsecif(4) cannot apply input direction packet filte...



details:   https://anonhg.NetBSD.org/src/rev/28fb8a9da9a9
branches:  trunk
changeset: 447570:28fb8a9da9a9
user:      knakahara <knakahara%NetBSD.org@localhost>
date:      Thu Jan 17 02:47:15 2019 +0000

description:
Fix ipsecif(4) being unable to apply the input-direction packet filter. Reviewed by ozaki-r@n.o and ryo@n.o.

Add ATF later.

diffstat:

 sys/kern/uipc_mbuf.c       |   5 +++--
 sys/netinet/ip_input.c     |   6 +++---
 sys/netinet6/ip6_input.c   |   6 +++---
 sys/netipsec/ipsec.h       |  18 +++++++++++++++++-
 sys/netipsec/ipsec_input.c |  20 ++++++++++++++++++--
 sys/sys/mbuf.h             |   5 +++--
 6 files changed, 47 insertions(+), 13 deletions(-)

diffs (179 lines):

diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/kern/uipc_mbuf.c
--- a/sys/kern/uipc_mbuf.c      Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/kern/uipc_mbuf.c      Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $        */
+/*     $NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $        */
 
 /*
  * Copyright (c) 1999, 2001, 2018 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.231 2019/01/16 01:50:25 knakahara Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.232 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_mbuftrace.h"
@@ -567,6 +567,7 @@
        m->m_pkthdr.csum_data = 0;
        m->m_pkthdr.segsz = 0;
        m->m_pkthdr.ether_vtag = 0;
+       m->m_pkthdr.pkthdr_flags = 0;
        SLIST_INIT(&m->m_pkthdr.tags);
 
        m->m_pkthdr.pattr_class = NULL;
diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c    Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netinet/ip_input.c    Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $      */
+/*     $NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -91,7 +91,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.387 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip_input.c,v 1.388 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_inet.h"
@@ -567,7 +567,7 @@
         * IPsec (encapsulated, tunnel mode).
         */
 #if defined(IPSEC)
-       if (!ipsec_used || !ipsec_indone(m))
+       if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
        if (1)
 #endif
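Review bot: The comment just above the changed line (it begins outside the hunk and ends with `IPsec (encapsulated, tunnel mode).`) still describes the old `ipsec_indone()` test, while the new condition only skips pfil for packets carrying the one-shot `PKTHDR_FLAG_IPSEC_SKIP_PFIL` that ipsec_input.c sets for tunnel-mode SAs, and `ipsec_skip_pfil()` clears that flag as a side effect of being evaluated here. One added comment line stops a reader from taking it for a read-only predicate like the one it replaces: `/* ipsec_skip_pfil() consumes the one-shot skip flag set at tunnel-mode decapsulation. */`. The identical hunk in sys/netinet6/ip6_input.c needs the same line. The enclosing function continues outside the hunk in both files.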
diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netinet6/ip6_input.c  Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $     */
+/*     $NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $        */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.206 2019/01/14 18:51:15 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.207 2019/01/17 02:47:15 knakahara Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_gateway.h"
@@ -342,7 +342,7 @@
         * IPsec (encapsulated, tunnel mode).
         */
 #if defined(IPSEC)
-       if (!ipsec_used || !ipsec_indone(m))
+       if (!ipsec_used || !ipsec_skip_pfil(m))
 #else
        if (1)
 #endif
diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h      Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netipsec/ipsec.h      Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec.h,v 1.86 2018/11/22 04:48:34 knakahara Exp $     */
+/*     $NetBSD: ipsec.h,v 1.87 2019/01/17 02:47:15 knakahara Exp $     */
 /*     $FreeBSD: ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $       */
 /*     $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $  */
 
@@ -250,6 +250,22 @@
 #define ipsec_outdone(m) \
        (m_tag_find((m), PACKET_TAG_IPSEC_OUT_DONE) != NULL)
 
+static __inline bool
+ipsec_skip_pfil(struct mbuf *m)
+{
+       bool rv;
+
+       if (ipsec_indone(m) &&
+           ((m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) != 0)) {
+               m->m_pkthdr.pkthdr_flags &= ~PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+               rv = true;
+       } else {
+               rv = false;
+       }
+
+       return rv;
+}
+
 void ipsec_pcbconn(struct inpcbpolicy *);
 void ipsec_pcbdisconn(struct inpcbpolicy *);
 void ipsec_invalpcbcacheall(void);
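Review bot: `ipsec_skip_pfil()` is not a pure predicate like the `ipsec_indone`/`ipsec_outdone` macros it is placed next to — it clears `PKTHDR_FLAG_IPSEC_SKIP_PFIL` on the mbuf whenever it returns true — yet nothing in the hunk says so, and its callers use it inside an `if` condition where that side effect is easy to miss. A header comment should state the contract: `/* Return true exactly once for a packet whose tunnel-mode decapsulation set PKTHDR_FLAG_IPSEC_SKIP_PFIL; the flag is cleared so that a later re-entry into ip_input()/ip6_input() is presumably filtered again. */`. Stylistically the `rv` temporary and `else` branch collapse into a guard, `if (!ipsec_indone(m) || (m->m_pkthdr.pkthdr_flags & PKTHDR_FLAG_IPSEC_SKIP_PFIL) == 0) return false;` followed by the clear and `return true;`, which reads closer to the surrounding one-liners.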
diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/netipsec/ipsec_input.c
--- a/sys/netipsec/ipsec_input.c        Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/netipsec/ipsec_input.c        Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $    */
+/*     $NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $       */
 /*     $FreeBSD: ipsec_input.c,v 1.2.4.2 2003/03/28 20:32:53 sam Exp $ */
 /*     $OpenBSD: ipsec_input.c,v 1.63 2003/02/20 18:35:43 deraadt Exp $        */
 
@@ -39,7 +39,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.73 2018/11/15 10:23:56 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_input.c,v 1.74 2019/01/17 02:47:15 knakahara Exp $");
 
 /*
  * IPsec input processing.
@@ -386,6 +386,14 @@
                error = EINVAL;
                goto bad;
        }
+
+       /*
+        * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+        * so we cannot write filtering rule to the inner packet.
+        */
+       if (saidx->mode == IPSEC_MODE_TUNNEL)
+               m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
        (*inetsw[ip_protox[prot]].pr_input)(m, skip, prot);
        return 0;
 
@@ -533,6 +541,14 @@
                        error = EINVAL;
                        goto bad;
                }
+
+               /*
+                * There is no struct ifnet for tunnel mode IP-IP tunnel connecttion,
+                * so we cannot write filtering rule to the inner packet.
+                */
+               if (saidx->mode == IPSEC_MODE_TUNNEL)
+                       m->m_pkthdr.pkthdr_flags |= PKTHDR_FLAG_IPSEC_SKIP_PFIL;
+
                nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &skip, nxt);
        }
        return 0;
diff -r d40d066b93c1 -r 28fb8a9da9a9 sys/sys/mbuf.h
--- a/sys/sys/mbuf.h    Wed Jan 16 13:54:17 2019 +0000
+++ b/sys/sys/mbuf.h    Thu Jan 17 02:47:15 2019 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: mbuf.h,v 1.218 2018/12/27 14:24:11 maxv Exp $  */
+/*     $NetBSD: mbuf.h,v 1.219 2019/01/17 02:47:15 knakahara Exp $     */
 
 /*
  * Copyright (c) 1996, 1997, 1999, 2001, 2007 The NetBSD Foundation, Inc.
@@ -193,7 +193,8 @@
        uint32_t        csum_data;              /* checksum data */
        u_int           segsz;                  /* segment size */
        uint16_t        ether_vtag;             /* ethernet 802.1p+q vlan tag */
-       uint16_t        pad0;                   /* padding */
+       uint16_t        pkthdr_flags;           /* flags for pkthdr, see blow */
+#define PKTHDR_FLAG_IPSEC_SKIP_PFIL    0x0001  /* skip pfil_run_hooks() after ipsec decrypt */
 
        /*
         * Following three fields are open-coded struct altq_pktattr
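Review bot: The field comment says `see blow` (typo for `below`), and the flag comment understates the contract: the bit is set once at decapsulation and cleared by `ipsec_skip_pfil()` when consumed, which matters to anyone adding a second bit or copying packet headers. Suggest `uint16_t pkthdr_flags; /* flags for pkthdr, see below */` and `#define PKTHDR_FLAG_IPSEC_SKIP_PFIL 0x0001 /* skip pfil_run_hooks() once after ipsec decapsulation; cleared by ipsec_skip_pfil() */`. The field takes the place of `pad0`, so the struct layout is unchanged, but the only place this change zeroes it is the pkthdr initializer in sys/kern/uipc_mbuf.c; any other path that builds a pkthdr from scratch rather than copying one would need the same assignment, and I cannot tell from here whether such a path exists.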


