Source-Changes-HG archive


[src/trunk]: src PR/46602: Move the rfc6056 port randomization to the IP layer.



details:   https://anonhg.NetBSD.org/src/rev/0039eec17d63
branches:  trunk
changeset: 779841:0039eec17d63
user:      christos <christos%NetBSD.org@localhost>
date:      Fri Jun 22 14:54:34 2012 +0000

description:
PR/46602: Move the rfc6056 port randomization to the IP layer.

diffstat:

 share/man/man4/ip.4        |  26 ++++++++++++++++++++-
 share/man/man4/ip6.4       |  27 +++++++++++++++++++++-
 share/man/man4/udp.4       |  29 +-----------------------
 share/man/man7/rfc6056.7   |  24 +++++++++++--------
 share/man/man7/sysctl.7    |  28 +++++++++++-----------
 sys/netinet/in.h           |   3 +-
 sys/netinet/ip_input.c     |  26 ++++++++++++++++++++-
 sys/netinet/ip_output.c    |  21 ++++++++++++++---
 sys/netinet/rfc6056.h      |   3 +-
 sys/netinet/tcp_input.c    |   9 +++++-
 sys/netinet/udp.h          |   3 +-
 sys/netinet/udp_usrreq.c   |  35 +----------------------------
 sys/netinet/udp_var.h      |   4 +--
 sys/netinet6/in6.h         |   3 +-
 sys/netinet6/ip6_input.c   |  25 +++++++++++++++++++-
 sys/netinet6/ip6_output.c  |  18 +++++++++++++-
 sys/netinet6/udp6_usrreq.c |  54 ++-------------------------------------------
 sys/netinet6/udp6_var.h    |   5 +--
 tests/net/sys/t_rfc6056.c  |  23 +++++++++++++++----
 19 files changed, 199 insertions(+), 167 deletions(-)

diffs (truncated from 893 to 300 lines):

diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/ip.4
--- a/share/man/man4/ip.4       Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/ip.4       Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: ip.4,v 1.31 2011/05/19 21:16:45 riastradh Exp $
+.\"    $NetBSD: ip.4,v 1.32 2012/06/22 14:54:34 christos Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)ip.4       8.2 (Berkeley) 11/30/93
 .\"
-.Dd May 19, 2011
+.Dd June 20, 2012
 .Dt IP 4
 .Os
 .Sh NAME
@@ -110,6 +110,28 @@
 setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
 .Ed
 .Pp
+The
+.Dv IP_PORTALGO
+can be used to randomize the port selection.
+Valid algorithms are described in
+.Xr rfc6056 7
+and their respective constants are in
+.In netinet/rfc6056.h .
+For example,
+.Bd -literal
+int algo = RFC6056_ALGO_RANDOM_PICK;       /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
+setsockopt(s, IPPROTO_IP, IP_PORTALGO, \*[Am]algo, sizeof(algo));
+.Ed
+.Pp
+The port selection can be also viewed and controlled at a global level for all
+.Tn IP
+sockets using the following
+.Xr sysctl 7
+variables:
+.Dv net.inet.ip.anonportalgo.available
+and
+.Dv net.inet.ip.anonportalgo.selected .
+.Pp
 .Dv IP_PORTRANGE
 controls how ephemeral ports are allocated for
 .Dv SOCK_STREAM
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/ip6.4
--- a/share/man/man4/ip6.4      Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/ip6.4      Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: ip6.4,v 1.28 2011/05/19 21:16:45 riastradh Exp $
+.\"    $NetBSD: ip6.4,v 1.29 2012/06/22 14:54:34 christos Exp $
 .\"    $KAME: ip6.4,v 1.23 2005/01/11 05:56:25 itojun Exp $
 .\"    $OpenBSD: ip6.4,v 1.21 2005/01/06 03:50:46 itojun Exp $
 .\"
@@ -28,7 +28,7 @@
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
-.Dd May 19, 2011
+.Dd June 20, 2012
 .Dt IP6 4
 .Os
 .Sh NAME
@@ -231,6 +231,29 @@
 char *buf = ipsec_set_policy(policy, strlen(policy));
 setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
 .Ed
+.It Dv IPV6_PORTALGO Fa "int *"
+The
+.Dv IP_PORTALGO
+can be used to randomize the port selection.
+Valid algorithms are described in
+.Xr rfc6056 7
+and their respective constants are in
+.In netinet/rfc6056.h .
+For example,
+.Bd -literal
+int algo = RFC6056_ALGO_RANDOM_PICK;       /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
+setsockopt(s, IPPROTO_IPV6, IPV6_PORTALGO, \*[Am]algo, sizeof(algo));
+.Ed
+.Pp
+The port selection can be also viewed and controlled at a global level for all
+.Tn IPV6
+sockets using the following
+.Xr sysctl 7
+variables:
+.Dv net.inet.ip6.anonportalgo.available
+and
+.Dv net.inet.ip6.anonportalgo.selected .
+.Pp
 .It Dv IPV6_PORTRANGE Fa "int *"
 Get or set the allocation policy of ephemeral ports for when the kernel
 automatically binds a local address to this socket.
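Review bot: copy-paste error in the new entry: the list item is headed ".It Dv IPV6_PORTALGO Fa "int *"" but its body says "The .Dv IP_PORTALGO can be used ...", naming the IPv4 option; it should read ".Dv IPV6_PORTALGO socket option can be used ...". The same grammar fix as in ip.4 applies ("can also be viewed"). Also, the added ".Pp" immediately before ".It Dv IPV6_PORTRANGE" sits between two list items of the enclosing .Bl and should be dropped; a paragraph macro directly before .It is something mandoc warns about and it renders as a stray blank line.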
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/udp.4
--- a/share/man/man4/udp.4      Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/udp.4      Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: udp.4,v 1.12 2011/09/24 18:49:13 christos Exp $
+.\"    $NetBSD: udp.4,v 1.13 2012/06/22 14:54:34 christos Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"     @(#)udp.4      8.1 (Berkeley) 6/5/93
 .\"
-.Dd September 24, 2011
+.Dd June 20, 2012
 .Dt UDP 4
 .Os
 .Sh NAME
@@ -119,31 +119,6 @@
 defined in
 .In netinet/udp.h .
 .Pp
-The
-.Dv UDP_RFC6056ALGO
-can be used to randomize the port selection.
-Valid algorithms are described in
-.Xr rfc6056 7
-and their respective constants are in
-.In netinet/rfc6056.h .
-For example,
-.Bd -literal
-int algo = RFC6056_ALGO_RANDOM_PICK;       /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
-setsockopt(s, IPPROTO_UDP, UDP_RFC6056ALGO, \*[Am]algo, sizeof(algo));
-.Ed
-.Pp
-The port selection can be also controlled at a global level for all
-.Tn UDP
-or
-.Tn UDP6
-sockets using the following
-.Xr sysctl 7
-variables:
-.Dv net.inet.udp.rfc6056.selected
-and
-.Dv net.inet6.udp6.rfc6056.selected
-respectively.
-.Pp
 Options at the
 .Tn IP
 transport level may be used with
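Review bot: this hunk deletes the UDP_RFC6056ALGO paragraph without leaving a pointer to its replacement, so a reader of udp(4) can no longer discover that per-socket port randomization still exists. Suggest a one-line cross-reference in its place, e.g. "Port selection for the socket is controlled with IP_PORTALGO, see ip(4), or IPV6_PORTALGO, see ip6(4); the available algorithms are described in rfc6056(7)." The retained "Options at the IP transport level may be used with" sentence does not mention port selection specifically.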
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man7/rfc6056.7
--- a/share/man/man7/rfc6056.7  Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man7/rfc6056.7  Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\"     $NetBSD: rfc6056.7,v 1.2 2011/09/24 18:47:59 wiz Exp $
+.\"     $NetBSD: rfc6056.7,v 1.3 2012/06/22 14:54:34 christos Exp $
 .\"
 .\" Copyright (c) 2011
 .\"     The NetBSD Foundation.  All rights reserved.
@@ -91,18 +91,22 @@
 .Sh SYSCTL CONTROLS
 The following sysctl controls are available for selecting the default
 port randomization algorithm:
-.Bl -column "net.inet6.udp6.rfc6056.available" "string" "Changeable"
+.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
 .It Sy sysctl name                   Ta Sy Type Ta Sy Changeable
-.It net.inet.udp.rfc6056.available   Ta string  Ta no
-.It net.inet.udp.rfc6056.selected    Ta string  Ta yes
-.It net.inet6.udp6.rfc6056.available Ta string  Ta no
-.It net.inet6.udp6.rfc6056.selected  Ta string  Ta yes
+.It net.inet.ip.anonportalgo.available   Ta string  Ta no
+.It net.inet.ip.anonportalgo.selected    Ta string  Ta yes
+.It net.inet6.ip6.anonportalgo.available Ta string  Ta no
+.It net.inet6.ip6.anonportalgo.selected  Ta string  Ta yes
 .El
 .Sh SOCKET OPTIONS
-The socket option
-.Dv UDP_RFC6056ALGO
-at the
-.Dv IPPROTO_UDP
+The
+.Dv IP_PORTSEL
+socket option at the
+.Dv IPPROTO_IP
+level and the
+.Dv IPV6_PORTSEL
+socket option at the
+.Dv IPPROTO_IPV6
 level can be used with a string argument specifying the algorithm's
 name in order to select the port randomization algorithm
 for a specific socket.
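Review bot: the socket option names in the SOCKET OPTIONS hunk do not match the rest of the change: this hunk says IP_PORTSEL and IPV6_PORTSEL, while in.h defines IP_PORTALGO and ip.4/ip6.4 document IP_PORTALGO and IPV6_PORTALGO. The retained sentence "can be used with a string argument specifying the algorithm's name" also conflicts with in.h's comment "int; port selection algo (rfc6056)" and with the ip.4 example that passes an int (RFC6056_ALGO_RANDOM_PICK); one of the two descriptions is wrong, and since this is the page an administrator reads to confirm which randomization algorithm protects a socket, it should agree with the header. Minor: the .Bl -column width string still names net.inet6.udp6.anonportalgo.available although the rows now use net.inet6.ip6.anonportalgo.available.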
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7   Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man7/sysctl.7   Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: sysctl.7,v 1.71 2012/06/09 08:22:14 wiz Exp $
+.\"    $NetBSD: sysctl.7,v 1.72 2012/06/22 14:54:35 christos Exp $
 .\"
 .\" Copyright (c) 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"    @(#)sysctl.3    8.4 (Berkeley) 5/9/95
 .\"
-.Dd June 8, 2012
+.Dd June 20, 2012
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -1223,6 +1223,8 @@
 .It icmp       redirtimeout    integer yes
 .It icmp       bmcastecho      integer yes
 .It ip allowsrcrt      integer yes
+.It ip         anonportalgo.selected   string  yes
+.It ip         anonportalgo.available  string  yes
 .It ip anonportmax     integer yes
 .It ip anonportmin     integer yes
 .It ip checkinterface  integer yes
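Review bot: the new row ".It ip anonportalgo.available string yes" marks the list of available algorithms as changeable, but the rfc6056.7 table in this same change lists net.inet.ip.anonportalgo.available as Changeable "no"; the variable enumerates what the kernel supports and only anonportalgo.selected is meant to be written. Suggest "no" here. The udp rows being removed further down carried the same "yes", so this carries over an existing inconsistency rather than introducing one, but this is the moment to fix it.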
@@ -1282,8 +1284,6 @@
 .It udp        checksum        integer yes
 .It udp        do_loopback_cksum       integer yes
 .It udp        recvspace       integer yes
-.It udp        rfc6056.selected        string  yes
-.It udp        rfc6056.available       string  yes
 .It udp        sendspace       integer yes
 .El
 .Pp
@@ -1327,6 +1327,10 @@
 Disabled by default.
 .It Li ip.allowsrcrt
 If set to 1, the host accepts source routed packets.
+.It Li ip.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm.
 .It Li ip.anonportmax
 The highest port number to use for TCP and UDP ephemeral port allocation.
 This cannot be set to less than 1024 or greater than 65535, and must
@@ -1565,10 +1569,6 @@
 Disabling UDP checksums is strongly discouraged.
 .It Li udp.recvspace
 The default UDP receive buffer size.
-.It Li udp.rfc6056.available
-The available RFC 6056 port randomization algorithms.
-.It Li udp.rfc6056.selected
-The currently selected RFC 6056 port randomization algorithm.
 .It Li udp.sendspace
 The default UDP send buffer size.
 .El
@@ -1597,6 +1597,8 @@
 .It icmp6      rediraccept     integer yes
 .It icmp6      redirtimeout    integer yes
 .It ip6        accept_rtadv    integer yes
+.It ip6        anonportalgo.selected   string  yes
+.It ip6        anonportalgo.available  string  yes
 .It ip6        anonportmax     integer yes
 .It ip6        anonportmin     integer yes
 .It ip6        auto_flowlabel  integer yes
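Review bot: ".It ip6 anonportalgo.available string yes" disagrees with the rfc6056.7 table in this change, which lists net.inet6.ip6.anonportalgo.available as Changeable "no". Suggest "no" here too, since only the .selected knob is meant to be set; the two entries should also keep the same relative order as the rfc6056.7 table (available before selected) for easier cross-checking.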
@@ -1621,8 +1623,6 @@
 .It ip6        v6only  integer yes
 .It udp6       do_loopback_cksum       integer yes
 .It udp6       recvspace       integer yes
-.It udp6       rfc6056.selected        string  yes
-.It udp6       rfc6056.available       string  yes
 .It udp6       sendspace       integer yes
 .El
 .Pp
@@ -1634,6 +1634,10 @@
 The node must be a host
 .Pq not a router
 for the option to be meaningful.
+.It Li ip6.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip6.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm.
 .It Li ip6.anonportmax
 The highest port number to use for TCP and UDP ephemeral port allocation.
 This cannot be set to less than 1024 or greater than 65535, and must
@@ -1830,10 +1834,6 @@
 Perform UDP checksum on loopback.
 .It Li udp6.recvspace
 Default UDP receive buffer size.
-.It Li udp6.rfc6056.available
-The available RFC 6056 port randomization algorithms for IPv6.
-.It Li udp6.rfc6056.selected
-The currently selected RFC 6056 port randomization algorithm for IPv6.
 .It Li udp6.sendspace
 Default UDP send buffer size.
 .El
diff -r 9c40bfcc65dc -r 0039eec17d63 sys/netinet/in.h
--- a/sys/netinet/in.h  Fri Jun 22 13:43:17 2012 +0000
+++ b/sys/netinet/in.h  Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in.h,v 1.86 2009/09/14 10:36:50 degroote Exp $ */
+/*     $NetBSD: in.h,v 1.87 2012/06/22 14:54:35 christos Exp $ */
 
 /*
  * Copyright (c) 1982, 1986, 1990, 1993
@@ -277,6 +277,7 @@
 #define        IP_MULTICAST_LOOP       11   /* u_char; set/get IP multicast loopback */
 #define        IP_ADD_MEMBERSHIP       12   /* ip_mreq; add an IP group membership */
 #define        IP_DROP_MEMBERSHIP      13   /* ip_mreq; drop an IP group membership */
+#define        IP_PORTALGO             18   /* int; port selection algo (rfc6056) */
 #define        IP_PORTRANGE            19   /* int; range to use for ephemeral port */
 #define        IP_RECVIF               20   /* bool; receive reception if w/dgram */
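Review bot: the new IP_PORTALGO value 18 fills a gap between IP_DROP_MEMBERSHIP 13 and IP_PORTRANGE 19 that this hunk does not show to be free; please confirm that 14 through 18 are not assigned elsewhere in the header (or reserved by a compatibility header), because a colliding option number would silently route setsockopt calls to the wrong handler. The comment "int; port selection algo (rfc6056)" fixes the argument type as int, which matches the ip.4 example but not the "string argument" wording rfc6056.7 keeps in the same change; the two should be reconciled before commit.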


