

[src/trunk]: src/sys make sure to enforce inbound ipsec policy checking, for ...



details:   https://anonhg.NetBSD.org/src/rev/e34635c225bd
branches:  trunk
changeset: 504399:e34635c225bd
user:      itojun <itojun%NetBSD.org@localhost>
date:      Thu Mar 01 16:31:37 2001 +0000

description:
make sure to enforce inbound ipsec policy checking for all protocols on top
of ip (check it when the final header is visited).  sync with kame.
XXX kame team will need to re-check policy engine code

diffstat:

 sys/netinet/in_proto.c      |  22 +++++++++++-----------
 sys/netinet/ip_icmp.c       |   9 +--------
 sys/netinet/ip_input.c      |  15 ++++++++++++++-
 sys/netinet6/ah_input.c     |  13 +++++++++----
 sys/netinet6/esp_input.c    |  13 +++++++++----
 sys/netinet6/icmp6.c        |  12 ++----------
 sys/netinet6/in6_proto.c    |  18 +++++++++---------
 sys/netinet6/ip6_input.c    |  21 +++++++++++++++++++--
 sys/netinet6/ipcomp_input.c |  13 +++++++++----
 sys/sys/protosw.h           |   3 ++-
 10 files changed, 85 insertions(+), 54 deletions(-)

diffs (truncated from 380 to 300 lines):

diff -r b86541f03fd0 -r e34635c225bd sys/netinet/in_proto.c
--- a/sys/netinet/in_proto.c    Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet/in_proto.c    Thu Mar 01 16:31:37 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in_proto.c,v 1.46 2001/02/21 00:11:53 itojun Exp $     */
+/*     $NetBSD: in_proto.c,v 1.47 2001/03/01 16:31:38 itojun Exp $     */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -175,7 +175,7 @@
   rip_usrreq,
   0,           0,              0,              0,
 },
-{ SOCK_RAW,    &inetdomain,    IPPROTO_ICMP,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_ICMP,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   icmp_input,  rip_output,     0,              rip_ctloutput,
   rip_usrreq,
   0,           0,              0,              0,              icmp_sysctl
@@ -199,37 +199,37 @@
   0,           0,              0,              0,              ipsec_sysctl
 },
 #endif /* IPSEC */
-{ SOCK_RAW,    &inetdomain,    IPPROTO_IPV4,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_IPV4,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap4_input,        rip_output,     0,              rip_ctloutput,
   rip_usrreq,  /*XXX*/
   encap_init,  0,              0,              0,
 },
 #ifdef INET6
-{ SOCK_RAW,    &inetdomain,    IPPROTO_IPV6,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_IPV6,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap4_input,        rip_output,     0,              rip_ctloutput,
   rip_usrreq,  /*XXX*/
   0,           0,              0,              0,
 },
 #endif /* INET6 */
 #if NGRE > 0
-{ SOCK_RAW,    &inetdomain,    IPPROTO_GRE,    PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_GRE,    PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   gre_input,   rip_output,     0,              rip_ctloutput,
   rip_usrreq,
   0,           0,              0,              0,
 },
-{ SOCK_RAW,    &inetdomain,    IPPROTO_MOBILE, PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_MOBILE, PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   gre_mobile_input,    rip_output,     0,              rip_ctloutput,
   rip_usrreq,
   0,           0,              0,              0,
 },
 #endif /* NGRE > 0 */
-{ SOCK_RAW,    &inetdomain,    IPPROTO_IGMP,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_IGMP,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   igmp_input,  rip_output,     0,              rip_ctloutput,
   rip_usrreq,
   igmp_init,   igmp_fasttimo,  igmp_slowtimo,  0,
 },
 #ifdef TPIP
-{ SOCK_SEQPACKET,&inetdomain,  IPPROTO_TP,     PR_CONNREQUIRED|PR_WANTRCVD|PR_LISTEN,
+{ SOCK_SEQPACKET,&inetdomain,  IPPROTO_TP,     PR_CONNREQUIRED|PR_WANTRCVD|PR_LISTEN|PR_LASTHDR,
   tpip_input,  0,              tpip_ctlinput,  tp_ctloutput,
   tp_usrreq,
   tp_init,     0,              tp_slowtimo,    tp_drain,
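Review bot: PR_LASTHDR is added to ten inetsw entries in this file without saying what qualifies an entry for it, and protosw.h, where the flag is introduced per the diffstat, is cut from this listing; a one-line comment at the first use (the ICMP entry in the previous hunk), `/* PR_LASTHDR: pr_input does no pcb-level IPsec check; ip_input enforces inbound policy before dispatch */`, would keep later additions to the table consistent. The IPPROTO_TP entry is the one to double-check: it is SOCK_SEQPACKET with a tp_usrreq layer, which looks like the "pcb layer code" the new ip_input.c comment says is exempt, so confirm tpip_input has no policy check of its own — if it does, the flag is redundant but harmless; if it does not, the flag is what closes the gap. The remaining hunks of this file and the in6_proto.c section apply the same flag and the same comment would serve there.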
@@ -238,13 +238,13 @@
 #ifdef ISO
 /* EON (ISO CLNL over IP) */
 #ifdef EON
-{ SOCK_RAW,    &inetdomain,    IPPROTO_EON,    0,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_EON,    PR_LASTHDR,
   eoninput,    0,              eonctlinput,    0,
   0,
   eonprotoinit,        0,              0,              0,
 },
 #else
-{ SOCK_RAW,    &inetdomain,    IPPROTO_EON,    PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_EON,    PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap4_input,        rip_output,     0,              rip_ctloutput,
   rip_usrreq,  /*XXX*/
   0,           0,              0,              0,
@@ -252,7 +252,7 @@
 #endif /* EON */
 #endif /* ISO */
 #ifdef NSIP
-{ SOCK_RAW,    &inetdomain,    IPPROTO_IDP,    PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inetdomain,    IPPROTO_IDP,    PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   idpip_input, NULL,           nsip_ctlinput,  0,
   rip_usrreq,
   0,           0,              0,              0,
diff -r b86541f03fd0 -r e34635c225bd sys/netinet/ip_icmp.c
--- a/sys/netinet/ip_icmp.c     Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet/ip_icmp.c     Thu Mar 01 16:31:37 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_icmp.c,v 1.58 2001/01/24 09:04:15 itojun Exp $      */
+/*     $NetBSD: ip_icmp.c,v 1.59 2001/03/01 16:31:38 itojun Exp $      */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -415,13 +415,6 @@
                printf("icmp_input, type %d code %d\n", icp->icmp_type,
                    icp->icmp_code);
 #endif
-#ifdef IPSEC
-       /* drop it if it does not match the policy */
-       if (ipsec4_in_reject(m, NULL)) {
-               ipsecstat.in_polvio++;
-               goto freeit;
-       }
-#endif
        if (icp->icmp_type > ICMP_MAXTYPE)
                goto raw;
        icmpstat.icps_inhist[icp->icmp_type]++;
diff -r b86541f03fd0 -r e34635c225bd sys/netinet/ip_input.c
--- a/sys/netinet/ip_input.c    Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet/ip_input.c    Thu Mar 01 16:31:37 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip_input.c,v 1.127 2001/01/24 09:04:15 itojun Exp $    */
+/*     $NetBSD: ip_input.c,v 1.128 2001/03/01 16:31:39 itojun Exp $    */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -710,6 +710,19 @@
                IPQ_UNLOCK();
        }
 
+#ifdef IPSEC
+       /*
+        * enforce IPsec policy checking if we are seeing last header.
+        * note that we do not visit this with protocols with pcb layer
+        * code - like udp/tcp/raw ip.
+        */
+       if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0 &&
+           ipsec4_in_reject(m, NULL)) {
+               ipsecstat.in_polvio++;
+               goto bad;
+       }
+#endif
+
        /*
         * Switch out to protocol's input routine.
         */
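Review bot: The check indexes inetsw by `ip->ip_p` directly after the reassembly block, so it is only right if `ip` was re-derived from the reassembled mbuf above the hunk (ip_input starts and ends outside it); worth confirming, since a stale `ip` would select the wrong protosw entry and the policy check could be skipped. This block is now the only inbound policy enforcement for ICMP, because ip_icmp.c drops icmp_input's own ipsec4_in_reject() in this commit; any path that reaches icmp_input without passing here or the AH/ESP dispatch (ipcomp_input.c is in the diffstat but truncated from this listing) is unchecked, so that should be confirmed before merge. The comment should say that per-protocol checks were removed in favour of this one, e.g. append ` * protocols flagged PR_LASTHDR no longer check in their own pr_input (icmp_input relies on this).`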
diff -r b86541f03fd0 -r e34635c225bd sys/netinet6/ah_input.c
--- a/sys/netinet6/ah_input.c   Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet6/ah_input.c   Thu Mar 01 16:31:37 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: ah_input.c,v 1.25 2001/02/11 06:49:51 itojun Exp $     */
-/*     $KAME: ah_input.c,v 1.51 2001/02/08 14:24:05 itojun Exp $       */
+/*     $NetBSD: ah_input.c,v 1.26 2001/03/01 16:31:40 itojun Exp $     */
+/*     $KAME: ah_input.c,v 1.53 2001/03/01 09:12:08 itojun Exp $       */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -548,9 +548,14 @@
                        goto fail;
                }
 
-               if (nxt != IPPROTO_DONE)
+               if (nxt != IPPROTO_DONE) {
+                       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+                           ipsec4_in_reject(m, NULL)) {
+                               ipsecstat.in_polvio++;
+                               goto fail;
+                       }
                        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
-               else
+               } else
                        m_freem(m);
                m = NULL;
        }
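Review bot: The four-line PR_LASTHDR policy check inserted before the pr_input dispatch is duplicated verbatim in esp_input.c and, per the diffstat, presumably in ipcomp_input.c (truncated here); a single static helper in the IPsec input code taking `m` and `nxt` would keep the copies from drifting, in particular the ipsecstat.in_polvio accounting and the ip_protox[nxt] lookup. The new braces leave the arms asymmetric — `} else` followed by an unbraced `m_freem(m);` — so brace the else arm as well: `} else {` / `m_freem(m);` / `}`. The enclosing function starts and ends outside the hunk; the `fail` label is not visible, but the `m = NULL` after the dispatch suggests it frees `m`, which the new `goto fail` relies on.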
diff -r b86541f03fd0 -r e34635c225bd sys/netinet6/esp_input.c
--- a/sys/netinet6/esp_input.c  Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet6/esp_input.c  Thu Mar 01 16:31:37 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: esp_input.c,v 1.15 2001/02/11 06:49:51 itojun Exp $    */
-/*     $KAME: esp_input.c,v 1.52 2001/02/07 04:58:47 itojun Exp $      */
+/*     $NetBSD: esp_input.c,v 1.16 2001/03/01 16:31:40 itojun Exp $    */
+/*     $KAME: esp_input.c,v 1.54 2001/03/01 09:12:08 itojun Exp $      */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -429,9 +429,14 @@
                        goto bad;
                }
 
-               if (nxt != IPPROTO_DONE)
+               if (nxt != IPPROTO_DONE) {
+                       if ((inetsw[ip_protox[nxt]].pr_flags & PR_LASTHDR) != 0 &&
+                           ipsec4_in_reject(m, NULL)) {
+                               ipsecstat.in_polvio++;
+                               goto bad;
+                       }
                        (*inetsw[ip_protox[nxt]].pr_input)(m, off, nxt);
-               else
+               } else
                        m_freem(m);
                m = NULL;
        }
diff -r b86541f03fd0 -r e34635c225bd sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet6/icmp6.c      Thu Mar 01 16:31:37 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: icmp6.c,v 1.58 2001/02/11 06:49:51 itojun Exp $        */
-/*     $KAME: icmp6.c,v 1.198 2001/02/11 04:51:12 itojun Exp $ */
+/*     $NetBSD: icmp6.c,v 1.59 2001/03/01 16:31:40 itojun Exp $        */
+/*     $KAME: icmp6.c,v 1.202 2001/03/01 16:15:52 itojun Exp $ */
 
 /*
  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -462,14 +462,6 @@
        }
 #endif
 
-#ifdef IPSEC
-       /* drop it if it does not match the default policy */
-       if (ipsec6_in_reject(m, NULL)) {
-               ipsec6stat.in_polvio++;
-               goto freeit;
-       }
-#endif
-
        icmp6stat.icp6s_inhist[icmp6->icmp6_type]++;
        icmp6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_msg);
        if (icmp6->icmp6_type < ICMP6_INFOMSG_MASK)
diff -r b86541f03fd0 -r e34635c225bd sys/netinet6/in6_proto.c
--- a/sys/netinet6/in6_proto.c  Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet6/in6_proto.c  Thu Mar 01 16:31:37 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6_proto.c,v 1.27 2001/02/21 00:11:53 itojun Exp $    */
+/*     $NetBSD: in6_proto.c,v 1.28 2001/03/01 16:31:41 itojun Exp $    */
 /*     $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $      */
 
 /*
@@ -141,7 +141,7 @@
   ip6_init,    0,              frag6_slowtimo, frag6_drain,
   ip6_sysctl,
 },
-{ SOCK_DGRAM,  &inet6domain,   IPPROTO_UDP,    PR_ATOMIC | PR_ADDR,
+{ SOCK_DGRAM,  &inet6domain,   IPPROTO_UDP,    PR_ATOMIC|PR_ADDR,
   udp6_input,  0,              udp6_ctlinput,  ip6_ctloutput,
   udp6_usrreq, udp6_init,
   0,           0,              0,
@@ -157,12 +157,12 @@
 #endif
   tcp_sysctl,
 },
-{ SOCK_RAW,    &inet6domain,   IPPROTO_RAW,    PR_ATOMIC | PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   IPPROTO_RAW,    PR_ATOMIC|PR_ADDR,
   rip6_input,  rip6_output,    rip6_ctlinput,  rip6_ctloutput,
   rip6_usrreq,
   0,           0,              0,              0,
 },
-{ SOCK_RAW,    &inet6domain,   IPPROTO_ICMPV6, PR_ATOMIC | PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   IPPROTO_ICMPV6, PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   icmp6_input, rip6_output,    rip6_ctlinput,  rip6_ctloutput,
   rip6_usrreq,
   icmp6_init,  icmp6_fasttimo, 0,              0,
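Review bot: PR_LASTHDR is set on the ICMPv6 entry here while icmp6.c removes icmp6_input's own ipsec6_in_reject() in the same commit, so inbound policy for ICMPv6 now depends entirely on ip6_input.c honouring the flag — and that file's change is cut off in this listing (only its RCS header survives the truncation). Until the ip6_input.c hunk is reviewed, the ICMPv6, encap, EON and PIM entries in this file should be treated as having no inbound policy check; ip6_input.c is the one to confirm before this goes in. IPPROTO_RAW and the raw wildcard entry keep PR_ATOMIC|PR_ADDR without PR_LASTHDR, which is consistent with rip6_input doing its own pcb-level check, assuming it does; the same dependency applies to the following hunks of this file.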
@@ -206,13 +206,13 @@
 },
 #endif /* IPSEC */
 #ifdef INET
-{ SOCK_RAW,    &inet6domain,   IPPROTO_IPV4,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   IPPROTO_IPV4,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap6_input,        rip6_output,    0,              rip6_ctloutput,
   rip6_usrreq,
   0,           0,              0,              0,
 },
 #endif
-{ SOCK_RAW,    &inet6domain,   IPPROTO_IPV6,   PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   IPPROTO_IPV6,   PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap6_input, rip6_output,    0,             rip6_ctloutput,
   rip6_usrreq,
 #ifndef INET6
@@ -222,19 +222,19 @@
 #endif
 },
 #ifdef ISO
-{ SOCK_RAW,    &inet6domain,   IPPROTO_EON,    PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   IPPROTO_EON,    PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   encap6_input,        rip6_output,    0,              rip6_ctloutput,
   rip6_usrreq, /*XXX*/
   0,           0,              0,              0,
 },
 #endif
-{ SOCK_RAW,     &inet6domain,  IPPROTO_PIM,    PR_ATOMIC|PR_ADDR,
+{ SOCK_RAW,     &inet6domain,  IPPROTO_PIM,    PR_ATOMIC|PR_ADDR|PR_LASTHDR,
   pim6_input,    rip6_output,  0,              rip6_ctloutput, 
   rip6_usrreq,
   0,            0,              0,              0,
 },
 /* raw wildcard */
-{ SOCK_RAW,    &inet6domain,   0,              PR_ATOMIC | PR_ADDR,
+{ SOCK_RAW,    &inet6domain,   0,              PR_ATOMIC|PR_ADDR,
   rip6_input,  rip6_output,    0,              rip6_ctloutput,
   rip6_usrreq,
   rip6_init,   0,              0,              0,
diff -r b86541f03fd0 -r e34635c225bd sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Thu Mar 01 16:14:25 2001 +0000
+++ b/sys/netinet6/ip6_input.c  Thu Mar 01 16:31:37 2001 +0000
@@ -1,5 +1,5 @@
-/*     $NetBSD: ip6_input.c,v 1.36 2001/02/24 00:02:16 cgd Exp $       */
-/*     $KAME: ip6_input.c,v 1.174 2001/02/09 06:17:41 jinmei Exp $     */
+/*     $NetBSD: ip6_input.c,v 1.37 2001/03/01 16:31:41 itojun Exp $    */


