[src/trunk]: src/sys/netipsec Add sysctl entry to improve interconnectivity t...
details: https://anonhg.NetBSD.org/src/rev/1f44fcd0f383
branches: trunk
changeset: 368868:1f44fcd0f383
user: knakahara <knakahara%NetBSD.org@localhost>
date: Tue Aug 09 08:03:22 2022 +0000
description:
Add sysctl entry to improve interconnectivity to some VPN appliances, pointed out by seil-team@IIJ.
To allow different identifier types on IDii and IDir, set
net.key.allow_different_idtype=1. The default (0) preserves the previous behavior.
diffstat:
share/man/man7/sysctl.7 | 9 +++++++--
sys/netipsec/key.c | 19 ++++++++++++++++---
sys/netipsec/key_var.h | 5 +++--
3 files changed, 26 insertions(+), 7 deletions(-)
diffs (110 lines):
diff -r a0079aa0da6d -r 1f44fcd0f383 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7 Tue Aug 09 07:56:19 2022 +0000
+++ b/share/man/man7/sysctl.7 Tue Aug 09 08:03:22 2022 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: sysctl.7,v 1.157 2022/07/25 14:46:53 pgoyette Exp $
+.\" $NetBSD: sysctl.7,v 1.158 2022/08/09 08:03:22 knakahara Exp $
.\"
.\" Copyright (c) 1993
.\" The Regents of the University of California. All rights reserved.
@@ -29,7 +29,7 @@
.\"
.\" @(#)sysctl.3 8.4 (Berkeley) 5/9/95
.\"
-.Dd July 25, 2022
+.Dd August 9, 2022
.Dt SYSCTL 7
.Os
.Sh NAME
@@ -2143,6 +2143,7 @@
.It esp_keymin integer yes
.It esp_auth integer yes
.It ah_keymin integer yes
+.It allow_different_idtype boolean yes
.El
The variables are as follows:
.Bl -tag -width "123456"
@@ -2192,6 +2193,10 @@
Minimum AH key length, in bits,
The value is used when the kernel creates proposal payload
on ACQUIRE PF_KEY message.
+.It Li allow_different_idtype
+A boolean that allow or disallow different identifier types
+on IDii and IDir.
+Allowing that can improve interconnectivity to some VPN appliances.
.El
.It Li net.local ( Dv PF_LOCAL )
Get or set various global information about
diff -r a0079aa0da6d -r 1f44fcd0f383 sys/netipsec/key.c
--- a/sys/netipsec/key.c Tue Aug 09 07:56:19 2022 +0000
+++ b/sys/netipsec/key.c Tue Aug 09 08:03:22 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $ */
+/* $NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $ */
/* $FreeBSD: key.c,v 1.3.2.3 2004/02/14 22:23:23 bms Exp $ */
/* $KAME: key.c,v 1.191 2001/06/27 10:46:49 sakane Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.275 2022/05/24 20:50:20 andvar Exp $");
+__KERNEL_RCSID(0, "$NetBSD: key.c,v 1.276 2022/08/09 08:03:22 knakahara Exp $");
/*
* This code is referred to RFC 2367
@@ -534,6 +534,7 @@
static int ipsec_esp_keymin = 256;
static int ipsec_esp_auth = 0;
static int ipsec_ah_keymin = 128;
+static bool ipsec_allow_different_idtype = false;
#ifdef SYSCTL_DECL
SYSCTL_DECL(_net_key);
@@ -6171,7 +6172,14 @@
if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
IPSECLOG(LOG_DEBUG, "ident type mismatched src %u, dst %u.\n",
idsrc->sadb_ident_type, iddst->sadb_ident_type);
- return EINVAL;
+ /*
+ * Some VPN appliances(e.g. NetScreen) can send different
+ * identifier types on IDii and IDir, so be able to allow
+ * such message.
+ */
+ if (!ipsec_allow_different_idtype) {
+ return EINVAL;
+ }
}
switch (idsrc->sadb_ident_type) {
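Review bot: Once net.key.allow_different_idtype is set, a mismatched pair falls through to `switch (idsrc->sadb_ident_type)` at the end of the hunk, which keys only on the source type; if any per-type handling in that switch body (outside the hunk) is meant to cover both identities, the destination is now processed under the source's type rather than its own, so that body is worth re-checking since the commit does not touch it. The LOG_DEBUG line at the top of the block also still reads as a rejection when the mismatch is in fact tolerated, so an operator who enables the knob sees the same "mismatched" message as before with no hint it was accepted; restructuring as below makes the log reflect the outcome. Note too that this knob relaxes a validity check on PF_KEY input, which the one-line comment could say explicitly. The enclosing function begins before and continues after this hunk.
```c
	if (idsrc->sadb_ident_type != iddst->sadb_ident_type) {
		/*
		 * Some VPN appliances (e.g. NetScreen) send different
		 * identifier types on IDii and IDir.  Tolerate that only
		 * when net.key.allow_different_idtype is set; this relaxes
		 * the validity check on the PF_KEY identity extensions.
		 */
		if (!ipsec_allow_different_idtype) {
			IPSECLOG(LOG_DEBUG,
			    "ident type mismatched src %u, dst %u.\n",
			    idsrc->sadb_ident_type, iddst->sadb_ident_type);
			return EINVAL;
		}
		IPSECLOG(LOG_DEBUG,
		    "ident type mismatch src %u, dst %u allowed by sysctl.\n",
		    idsrc->sadb_ident_type, iddst->sadb_ident_type);
	}
	/* … unchanged: switch on idsrc->sadb_ident_type … */
```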
@@ -9034,6 +9042,11 @@
SYSCTL_DESCR("PF_KEY statistics"),
sysctl_net_key_stats, 0, NULL, 0,
CTL_NET, IPSEC_PFKEY, CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_BOOL, "allow_different_idtype", NULL,
+ NULL, 0, &ipsec_allow_different_idtype, 0,
+ CTL_NET, IPSEC_PFKEY, KEYCTL_ALLOW_DIFFERENT_IDTYPE, CTL_EOL);
}
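Review bot: The new `sysctl_createv` call passes `NULL` where the sibling call directly above supplies `SYSCTL_DESCR("PF_KEY statistics")`, so `sysctl -d net.key.allow_different_idtype` will print no help text for a knob that loosens an input check; give it a description such as `SYSCTL_DESCR("Allow different identifier types on IDii and IDir")`. Since the node is CTLFLAG_READWRITE, the description is the only in-kernel place an administrator sees what flipping it means. The enclosing setup function starts before this hunk.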
/*
diff -r a0079aa0da6d -r 1f44fcd0f383 sys/netipsec/key_var.h
--- a/sys/netipsec/key_var.h Tue Aug 09 07:56:19 2022 +0000
+++ b/sys/netipsec/key_var.h Tue Aug 09 08:03:22 2022 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: key_var.h,v 1.5 2018/04/28 13:23:17 maxv Exp $ */
+/* $NetBSD: key_var.h,v 1.6 2022/08/09 08:03:22 knakahara Exp $ */
/* $FreeBSD: key_var.h,v 1.1.4.1 2003/01/24 05:11:36 sam Exp $ */
/* $KAME: key_var.h,v 1.11 2001/09/12 23:05:07 sakane Exp $ */
@@ -49,7 +49,8 @@
#define KEYCTL_PREFERED_OLDSA 12
#define KEYCTL_DUMPSA 13
#define KEYCTL_DUMPSP 14
-#define KEYCTL_MAXID 15
+#define KEYCTL_ALLOW_DIFFERENT_IDTYPE 15
+#define KEYCTL_MAXID 16
#ifdef _KERNEL
#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))