Source-Changes-HG archive
[src/trunk]: src PR/46602: Move the rfc6056 port randomization to the IP layer.
details: https://anonhg.NetBSD.org/src/rev/0039eec17d63
branches: trunk
changeset: 779841:0039eec17d63
user: christos <christos%NetBSD.org@localhost>
date: Fri Jun 22 14:54:34 2012 +0000
description:
PR/46602: Move the rfc6056 port randomization to the IP layer.
diffstat:
share/man/man4/ip.4 | 26 ++++++++++++++++++++-
share/man/man4/ip6.4 | 27 +++++++++++++++++++++-
share/man/man4/udp.4 | 29 +-----------------------
share/man/man7/rfc6056.7 | 24 +++++++++++--------
share/man/man7/sysctl.7 | 28 +++++++++++-----------
sys/netinet/in.h | 3 +-
sys/netinet/ip_input.c | 26 ++++++++++++++++++++-
sys/netinet/ip_output.c | 21 ++++++++++++++---
sys/netinet/rfc6056.h | 3 +-
sys/netinet/tcp_input.c | 9 +++++-
sys/netinet/udp.h | 3 +-
sys/netinet/udp_usrreq.c | 35 +----------------------------
sys/netinet/udp_var.h | 4 +--
sys/netinet6/in6.h | 3 +-
sys/netinet6/ip6_input.c | 25 +++++++++++++++++++-
sys/netinet6/ip6_output.c | 18 +++++++++++++-
sys/netinet6/udp6_usrreq.c | 54 ++-------------------------------------------
sys/netinet6/udp6_var.h | 5 +--
tests/net/sys/t_rfc6056.c | 23 +++++++++++++++----
19 files changed, 199 insertions(+), 167 deletions(-)
diffs (truncated from 893 to 300 lines):
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/ip.4
--- a/share/man/man4/ip.4 Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/ip.4 Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ip.4,v 1.31 2011/05/19 21:16:45 riastradh Exp $
+.\" $NetBSD: ip.4,v 1.32 2012/06/22 14:54:34 christos Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)ip.4 8.2 (Berkeley) 11/30/93
.\"
-.Dd May 19, 2011
+.Dd June 20, 2012
.Dt IP 4
.Os
.Sh NAME
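Review bot: the new .Dd reads June 20, 2012 while the commit itself is dated June 22, 2012; .Dd is meant to track the date of the last change to the page, so set it to June 22 (the same June 20 date is used in ip6.4, udp.4 and sysctl.7 in this changeset).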
@@ -110,6 +110,28 @@
setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
.Ed
.Pp
+The
+.Dv IP_PORTALGO
+can be used to randomize the port selection.
+Valid algorithms are described in
+.Xr rfc6056 7
+and their respective constants are in
+.In netinet/rfc6056.h .
+For example,
+.Bd -literal
+int algo = RFC6056_ALGO_RANDOM_PICK; /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
+setsockopt(s, IPPROTO_IP, IP_PORTALGO, \*[Am]algo, sizeof(algo));
+.Ed
+.Pp
+The port selection can be also viewed and controlled at a global level for all
+.Tn IP
+sockets using the following
+.Xr sysctl 7
+variables:
+.Dv net.inet.ip.anonportalgo.available
+and
+.Dv net.inet.ip.anonportalgo.selected .
+.Pp
.Dv IP_PORTRANGE
controls how ephemeral ports are allocated for
.Dv SOCK_STREAM
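Review bot: the added sentence "The .Dv IP_PORTALGO can be used to randomize the port selection." is missing its noun; write "The .Dv IP_PORTALGO socket option can be used ..." (the udp.4 text this was copied from had the same omission). The example sets an int, matching the "int; port selection algo" definition added to sys/netinet/in.h in this changeset, but share/man/man7/rfc6056.7 in the same changeset documents the option as IP_PORTSEL taking a string; the pages should agree on the option name and argument type before this goes in.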
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/ip6.4
--- a/share/man/man4/ip6.4 Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/ip6.4 Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ip6.4,v 1.28 2011/05/19 21:16:45 riastradh Exp $
+.\" $NetBSD: ip6.4,v 1.29 2012/06/22 14:54:34 christos Exp $
.\" $KAME: ip6.4,v 1.23 2005/01/11 05:56:25 itojun Exp $
.\" $OpenBSD: ip6.4,v 1.21 2005/01/06 03:50:46 itojun Exp $
.\"
@@ -28,7 +28,7 @@
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
-.Dd May 19, 2011
+.Dd June 20, 2012
.Dt IP6 4
.Os
.Sh NAME
@@ -231,6 +231,29 @@
char *buf = ipsec_set_policy(policy, strlen(policy));
setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
.Ed
+.It Dv IPV6_PORTALGO Fa "int *"
+The
+.Dv IP_PORTALGO
+can be used to randomize the port selection.
+Valid algorithms are described in
+.Xr rfc6056 7
+and their respective constants are in
+.In netinet/rfc6056.h .
+For example,
+.Bd -literal
+int algo = RFC6056_ALGO_RANDOM_PICK; /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
+setsockopt(s, IPPROTO_IPV6, IPV6_PORTALGO, \*[Am]algo, sizeof(algo));
+.Ed
+.Pp
+The port selection can be also viewed and controlled at a global level for all
+.Tn IPV6
+sockets using the following
+.Xr sysctl 7
+variables:
+.Dv net.inet.ip6.anonportalgo.available
+and
+.Dv net.inet.ip6.anonportalgo.selected .
+.Pp
.It Dv IPV6_PORTRANGE Fa "int *"
Get or set the allocation policy of ephemeral ports for when the kernel
automatically binds a local address to this socket.
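Review bot: the item is headed ".It Dv IPV6_PORTALGO Fa "int *"" but the body says "The .Dv IP_PORTALGO can be used ..."; the body should name IPV6_PORTALGO and, as in ip.4, say "socket option" after the macro. ".Tn IPV6" should be the conventional spelling IPv6. The trailing "+.Pp" before ".It Dv IPV6_PORTRANGE" inserts an empty paragraph inside the .Bl list and can be dropped.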
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man4/udp.4
--- a/share/man/man4/udp.4 Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man4/udp.4 Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: udp.4,v 1.12 2011/09/24 18:49:13 christos Exp $
+.\" $NetBSD: udp.4,v 1.13 2012/06/22 14:54:34 christos Exp $
.\"
.\" Copyright (c) 1983, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
.\"
-.Dd September 24, 2011
+.Dd June 20, 2012
.Dt UDP 4
.Os
.Sh NAME
@@ -119,31 +119,6 @@
defined in
.In netinet/udp.h .
.Pp
-The
-.Dv UDP_RFC6056ALGO
-can be used to randomize the port selection.
-Valid algorithms are described in
-.Xr rfc6056 7
-and their respective constants are in
-.In netinet/rfc6056.h .
-For example,
-.Bd -literal
-int algo = RFC6056_ALGO_RANDOM_PICK; /* see \*[Lt]netinet/rfc6056.h\*[Gt] */
-setsockopt(s, IPPROTO_UDP, UDP_RFC6056ALGO, \*[Am]algo, sizeof(algo));
-.Ed
-.Pp
-The port selection can be also controlled at a global level for all
-.Tn UDP
-or
-.Tn UDP6
-sockets using the following
-.Xr sysctl 7
-variables:
-.Dv net.inet.udp.rfc6056.selected
-and
-.Dv net.inet6.udp6.rfc6056.selected
-respectively.
-.Pp
Options at the
.Tn IP
transport level may be used with
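Review bot: this hunk deletes the documentation of UDP_RFC6056ALGO and the net.inet.udp.rfc6056.* / net.inet6.udp6.rfc6056.* sysctls without leaving a pointer to where the feature went; a one-line cross-reference to IP_PORTALGO in ip(4) and IPV6_PORTALGO in ip6(4) where the paragraph stood would save readers of udp(4) a search. If UDP_RFC6056ALGO is removed from udp.h rather than kept as a compatibility alias, programs built against the previous header stop compiling; say so in the commit message or keep the alias.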
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man7/rfc6056.7
--- a/share/man/man7/rfc6056.7 Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man7/rfc6056.7 Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: rfc6056.7,v 1.2 2011/09/24 18:47:59 wiz Exp $
+.\" $NetBSD: rfc6056.7,v 1.3 2012/06/22 14:54:34 christos Exp $
.\"
.\" Copyright (c) 2011
.\" The NetBSD Foundation. All rights reserved.
@@ -91,18 +91,22 @@
.Sh SYSCTL CONTROLS
The following sysctl controls are available for selecting the default
port randomization algorithm:
-.Bl -column "net.inet6.udp6.rfc6056.available" "string" "Changeable"
+.Bl -column "net.inet6.udp6.anonportalgo.available" "string" "Changeable"
.It Sy sysctl name Ta Sy Type Ta Sy Changeable
-.It net.inet.udp.rfc6056.available Ta string Ta no
-.It net.inet.udp.rfc6056.selected Ta string Ta yes
-.It net.inet6.udp6.rfc6056.available Ta string Ta no
-.It net.inet6.udp6.rfc6056.selected Ta string Ta yes
+.It net.inet.ip.anonportalgo.available Ta string Ta no
+.It net.inet.ip.anonportalgo.selected Ta string Ta yes
+.It net.inet6.ip6.anonportalgo.available Ta string Ta no
+.It net.inet6.ip6.anonportalgo.selected Ta string Ta yes
.El
.Sh SOCKET OPTIONS
-The socket option
-.Dv UDP_RFC6056ALGO
-at the
-.Dv IPPROTO_UDP
+The
+.Dv IP_PORTSEL
+socket option at the
+.Dv IPPROTO_IP
+level and the
+.Dv IPV6_PORTSEL
+socket option at the
+.Dv IPPROTO_IPV6
level can be used with a string argument specifying the algorithm's
name in order to select the port randomization algorithm
for a specific socket.
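Review bot: the SOCKET OPTIONS text names IP_PORTSEL and IPV6_PORTSEL and says they take a string argument, but sys/netinet/in.h in this changeset adds IP_PORTALGO as an int and ip.4/ip6.4 document IP_PORTALGO/IPV6_PORTALGO being set with an int constant from netinet/rfc6056.h; use the real option names here and state the argument type that the kernel actually accepts (the sysctl variables are strings, the socket option per in.h is not). The .Bl -column width string was updated to "net.inet6.udp6.anonportalgo.available", a sysctl that no longer exists; use "net.inet6.ip6.anonportalgo.available", the longest entry actually in the table.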
diff -r 9c40bfcc65dc -r 0039eec17d63 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7 Fri Jun 22 13:43:17 2012 +0000
+++ b/share/man/man7/sysctl.7 Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.71 2012/06/09 08:22:14 wiz Exp $
+.\" $NetBSD: sysctl.7,v 1.72 2012/06/22 14:54:35 christos Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd June 8, 2012
+.Dd June 20, 2012
.Dt SYSCTL 7
.Os
.Sh NAME
@@ -1223,6 +1223,8 @@
.It icmp redirtimeout integer yes
.It icmp bmcastecho integer yes
.It ip allowsrcrt integer yes
+.It ip anonportalgo.selected string yes
+.It ip anonportalgo.available string yes
.It ip anonportmax integer yes
.It ip anonportmin integer yes
.It ip checkinterface integer yes
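Review bot: the table is alphabetical and the descriptive list added later in this file lists ip.anonportalgo.available before ip.anonportalgo.selected, so the two new rows here should be in the same order ("available" before "selected").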
@@ -1282,8 +1284,6 @@
.It udp checksum integer yes
.It udp do_loopback_cksum integer yes
.It udp recvspace integer yes
-.It udp rfc6056.selected string yes
-.It udp rfc6056.available string yes
.It udp sendspace integer yes
.El
.Pp
@@ -1327,6 +1327,10 @@
Disabled by default.
.It Li ip.allowsrcrt
If set to 1, the host accepts source routed packets.
+.It Li ip.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm.
.It Li ip.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
@@ -1565,10 +1569,6 @@
Disabling UDP checksums is strongly discouraged.
.It Li udp.recvspace
The default UDP receive buffer size.
-.It Li udp.rfc6056.available
-The available RFC 6056 port randomization algorithms.
-.It Li udp.rfc6056.selected
-The currently selected RFC 6056 port randomization algorithm.
.It Li udp.sendspace
The default UDP send buffer size.
.El
@@ -1597,6 +1597,8 @@
.It icmp6 rediraccept integer yes
.It icmp6 redirtimeout integer yes
.It ip6 accept_rtadv integer yes
+.It ip6 anonportalgo.selected string yes
+.It ip6 anonportalgo.available string yes
.It ip6 anonportmax integer yes
.It ip6 anonportmin integer yes
.It ip6 auto_flowlabel integer yes
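Review bot: same ordering point as the ip rows: put "ip6 anonportalgo.available" before "ip6 anonportalgo.selected" to keep the table alphabetical and consistent with the description list below.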
@@ -1621,8 +1623,6 @@
.It ip6 v6only integer yes
.It udp6 do_loopback_cksum integer yes
.It udp6 recvspace integer yes
-.It udp6 rfc6056.selected string yes
-.It udp6 rfc6056.available string yes
.It udp6 sendspace integer yes
.El
.Pp
@@ -1634,6 +1634,10 @@
The node must be a host
.Pq not a router
for the option to be meaningful.
+.It Li ip6.anonportalgo.available
+The available RFC 6056 port randomization algorithms.
+.It Li ip6.anonportalgo.selected
+The currently selected RFC 6056 port randomization algorithm.
.It Li ip6.anonportmax
The highest port number to use for TCP and UDP ephemeral port allocation.
This cannot be set to less than 1024 or greater than 65535, and must
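Review bot: the two added descriptions are word-for-word the ip.anonportalgo ones, whereas the udp6.rfc6056.* descriptions they replace ended with "for IPv6"; keep that qualifier so the ip and ip6 entries remain distinguishable when the page is searched.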
@@ -1830,10 +1834,6 @@
Perform UDP checksum on loopback.
.It Li udp6.recvspace
Default UDP receive buffer size.
-.It Li udp6.rfc6056.available
-The available RFC 6056 port randomization algorithms for IPv6.
-.It Li udp6.rfc6056.selected
-The currently selected RFC 6056 port randomization algorithm for IPv6.
.It Li udp6.sendspace
Default UDP send buffer size.
.El
diff -r 9c40bfcc65dc -r 0039eec17d63 sys/netinet/in.h
--- a/sys/netinet/in.h Fri Jun 22 13:43:17 2012 +0000
+++ b/sys/netinet/in.h Fri Jun 22 14:54:34 2012 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: in.h,v 1.86 2009/09/14 10:36:50 degroote Exp $ */
+/* $NetBSD: in.h,v 1.87 2012/06/22 14:54:35 christos Exp $ */
/*
* Copyright (c) 1982, 1986, 1990, 1993
@@ -277,6 +277,7 @@
#define IP_MULTICAST_LOOP 11 /* u_char; set/get IP multicast loopback */
#define IP_ADD_MEMBERSHIP 12 /* ip_mreq; add an IP group membership */
#define IP_DROP_MEMBERSHIP 13 /* ip_mreq; drop an IP group membership */
+#define IP_PORTALGO 18 /* int; port selection algo (rfc6056) */
#define IP_PORTRANGE 19 /* int; range to use for ephemeral port */
#define IP_RECVIF 20 /* bool; receive reception if w/dgram */
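Review bot: IP_PORTALGO is given the value 18, sitting in the gap between IP_DROP_MEMBERSHIP (13) and IP_PORTRANGE (19); the hunk does not show what, if anything, occupies 14 through 17, so confirm 18 is not reserved or defined elsewhere in this header (under a different ifdef, for instance) before claiming it. The value chosen for IPV6_PORTALGO in sys/netinet6/in6.h is not visible in the truncated diff; it should be checked for the same kind of collision.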