From nobody Wed Aug 17 15:24:54 2022
Date: Wed, 17 Aug 2022 15:24:54 GMT
Message-Id: <202208171524.27HFOsnJ010332@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Gleb Smirnoff
Subject: git: 489482e276cf - main - ipsec: isolate knowledge about protocols that are last header
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: glebius
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 489482e276cf301ba3c47e022a50b0f4f6d2b6f2
Auto-Submitted: auto-generated

The branch main has been updated by glebius:

URL:
https://cgit.FreeBSD.org/src/commit/?id=489482e276cf301ba3c47e022a50b0f4f6d2b6f2 commit 489482e276cf301ba3c47e022a50b0f4f6d2b6f2 Author: Gleb Smirnoff AuthorDate: 2022-08-17 15:24:11 +0000 Commit: Gleb Smirnoff CommitDate: 2022-08-17 15:24:28 +0000 ipsec: isolate knowledge about protocols that are last header Retire PR_LASTHDR protosw flag. Reviewed by: ae Differential revision: https://reviews.freebsd.org/D36155 --- sys/kern/uipc_debug.c | 4 ---- sys/netinet/in_proto.c | 22 +++++++++++----------- sys/netinet/sctp_module.c | 8 ++++---- sys/netinet6/in6_proto.c | 16 ++++++++-------- sys/netipsec/ipsec_input.c | 41 ++++++++++++++++++++++++++++++++++------- sys/sys/protosw.h | 2 +- 6 files changed, 58 insertions(+), 35 deletions(-) diff --git a/sys/kern/uipc_debug.c b/sys/kern/uipc_debug.c index ead7d0e506c0..c553ee1047b6 100644 --- a/sys/kern/uipc_debug.c +++ b/sys/kern/uipc_debug.c @@ -288,10 +288,6 @@ db_print_prflags(short pr_flags) db_printf("%sPR_IMPLOPCL", comma ? ", " : ""); comma = 1; } - if (pr_flags & PR_LASTHDR) { - db_printf("%sPR_LASTHDR", comma ? ", " : ""); - comma = 1; - } } static void diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index b9f506518cce..81c078e2f306 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -145,7 +145,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_SEQPACKET, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_WANTRCVD, .pr_input = sctp_input, .pr_ctlinput = sctp_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -156,7 +156,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_STREAM, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD, .pr_input = sctp_input, .pr_ctlinput = sctp_ctlinput, .pr_ctloutput = sctp_ctloutput, 
@@ -188,7 +188,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ICMP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = icmp_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -197,7 +197,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IGMP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = igmp_input, .pr_ctloutput = rip_ctloutput, .pr_fasttimo = igmp_fasttimo, @@ -208,7 +208,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_RSVP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = rsvp_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -217,7 +217,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -226,7 +226,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_MOBILE, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -235,7 +235,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_ETHERIP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -244,7 +244,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_GRE, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs 
@@ -254,7 +254,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPV6, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs @@ -264,7 +264,7 @@ struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_PIM, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap4_input, .pr_ctloutput = rip_ctloutput, .pr_usrreqs = &rip_usrreqs diff --git a/sys/netinet/sctp_module.c b/sys/netinet/sctp_module.c index 70a9daeffc2a..faa7fca49d28 100644 --- a/sys/netinet/sctp_module.c +++ b/sys/netinet/sctp_module.c @@ -59,7 +59,7 @@ struct protosw sctp_stream_protosw = { .pr_type = SOCK_STREAM, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD, .pr_input = sctp_input, .pr_ctlinput = sctp_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -71,7 +71,7 @@ struct protosw sctp_seqpacket_protosw = { .pr_type = SOCK_SEQPACKET, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_WANTRCVD, .pr_input = sctp_input, .pr_ctlinput = sctp_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -87,7 +87,7 @@ struct protosw sctp6_stream_protosw = { .pr_type = SOCK_STREAM, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD, .pr_input = sctp6_input, .pr_ctlinput = sctp6_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -99,7 +99,7 @@ struct protosw sctp6_seqpacket_protosw = { .pr_type = SOCK_SEQPACKET, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_WANTRCVD, .pr_input = sctp6_input, .pr_ctlinput = sctp6_ctlinput, .pr_ctloutput = sctp_ctloutput, 
diff --git a/sys/netinet6/in6_proto.c b/sys/netinet6/in6_proto.c index b47b726a9a71..a34b7aa9cc7f 100644 --- a/sys/netinet6/in6_proto.c +++ b/sys/netinet6/in6_proto.c @@ -180,7 +180,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_SEQPACKET, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_WANTRCVD, .pr_input = sctp6_input, .pr_ctlinput = sctp6_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -193,7 +193,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_STREAM, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_SCTP, - .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD|PR_LASTHDR, + .pr_flags = PR_CONNREQUIRED|PR_WANTRCVD, .pr_input = sctp6_input, .pr_ctlinput = sctp6_ctlinput, .pr_ctloutput = sctp_ctloutput, @@ -225,7 +225,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_ICMPV6, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = icmp6_input, .pr_ctlinput = rip6_ctlinput, .pr_ctloutput = rip6_ctloutput, @@ -262,7 +262,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs @@ -272,7 +272,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_IPV6, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs @@ -281,7 +281,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_ETHERIP, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs 
@@ -290,7 +290,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_GRE, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs @@ -299,7 +299,7 @@ struct protosw inet6sw[] = { .pr_type = SOCK_RAW, .pr_domain = &inet6domain, .pr_protocol = IPPROTO_PIM, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR, + .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = encap6_input, .pr_ctloutput = rip6_ctloutput, .pr_usrreqs = &rip6_usrreqs diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 268d8a797c35..1548a87c844d 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -228,8 +228,6 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) } #ifdef INET -extern struct protosw inetsw[]; - /* * IPSEC_INPUT() method implementation for IPv4. * 0 - Permitted by inbound security policy for further processing. @@ -253,9 +251,21 @@ ipsec4_input(struct mbuf *m, int offset, int proto) * Protocols with further headers get their IPsec treatment * within the protocol specific processing. */ - if ((inetsw[ip_protox[proto]].pr_flags & PR_LASTHDR) == 0) + switch (proto) { + case IPPROTO_ICMP: + case IPPROTO_IGMP: + case IPPROTO_IPV4: + case IPPROTO_IPV6: + case IPPROTO_RSVP: + case IPPROTO_GRE: + case IPPROTO_MOBILE: + case IPPROTO_ETHERIP: + case IPPROTO_PIM: + case IPPROTO_SCTP: + break; + default: return (0); - /* FALLTHROUGH */ + } }; /* * Enforce IPsec policy checking if we are seeing last header. 
@@ -501,6 +511,24 @@ bad_noepoch: #endif /* INET */ #ifdef INET6 +static bool +ipsec6_lasthdr(int proto) +{ + + switch (proto) { + case IPPROTO_IPV4: + case IPPROTO_IPV6: + case IPPROTO_GRE: + case IPPROTO_ICMPV6: + case IPPROTO_ETHERIP: + case IPPROTO_PIM: + case IPPROTO_SCTP: + return (true); + default: + return (false); + }; +} + /* * IPSEC_INPUT() method implementation for IPv6. * 0 - Permitted by inbound security policy for further processing. @@ -524,7 +552,7 @@ ipsec6_input(struct mbuf *m, int offset, int proto) * Protocols with further headers get their IPsec treatment * within the protocol specific processing. */ - if ((inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR) == 0) + if (!ipsec6_lasthdr(proto)) return (0); /* FALLTHROUGH */ }; @@ -728,8 +756,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, * note that we do not visit this with protocols with pcb layer * code - like udp/tcp/raw ip. */ - if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && - ipsec6_in_reject(m, NULL)) { + if (ipsec6_lasthdr(nxt) && ipsec6_in_reject(m, NULL)) { error = EINVAL; goto bad; } diff --git a/sys/sys/protosw.h b/sys/sys/protosw.h index 1f48ef9ef55f..d08b20f24604 100644 --- a/sys/sys/protosw.h +++ b/sys/sys/protosw.h @@ -161,7 +161,7 @@ struct protosw { #define PR_WANTRCVD 0x08 /* want PRU_RCVD calls */ #define PR_RIGHTS 0x10 /* passes capabilities */ #define PR_IMPLOPCL 0x20 /* implied open/close */ -#define PR_LASTHDR 0x40 /* enforce ipsec policy; last header */ +/* was PR_LASTHDR 0x40 enforce ipsec policy; last header */ #define PR_CAPATTACH 0x80 /* socket can attach in cap mode */ #define PR_SOCKBUF 0x100 /* private implementation of buffers */
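Review bot: in the ipsec4_input() hunk of sys/netipsec/ipsec_input.c the last-header decision is open-coded as a ten-case `switch (proto)` inline, while the IPv6 half of the same file factors the identical decision into ipsec6_lasthdr(); a matching `static bool ipsec4_lasthdr(int proto)` would keep the two halves symmetric, let the ten IPv4 cases be compared side by side with the seven IPv6 ones, and reduce the call site to the same one-liner ipsec6_input() now has: `if (!ipsec4_lasthdr(proto)) return (0);`. The cases themselves check out against the rest of the diff: the eleven inetsw entries that lose PR_LASTHDR in in_proto.c (SCTP twice) are exactly the ten protocols listed. One inconsistency remains in this hunk: it drops the `/* FALLTHROUGH */` comment after `return (0);`, whereas the ipsec6_input() hunk keeps its copy; remove both or keep both.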
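Review bot: the new ipsec6_lasthdr() closes its switch with `};`, which is a stray empty statement; the older code around it carries the same `};` only as a legacy habit, so new code should end with `}` alone. A short comment above the function saying that this is the set of protocols that formerly carried PR_LASTHDR in in6_proto.c and sctp_module.c would also help, because anyone adding a raw-socket protosw entry to inet6sw[] now has to remember to extend this list by hand, and nothing in in6_proto.c points them here.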
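Review bot: the replaced condition in the ipsec6_input() hunk (and its IPv4 twin) consulted whatever protosw is registered for the protocol at run time, `inet6sw[ip6_protox[proto]].pr_flags & PR_LASTHDR`, whereas `ipsec6_lasthdr(proto)` is a fixed list. sctp_module.c in this same diff shows that SCTP's protosw can arrive as a loadable module, so on a kernel where it is not present IPPROTO_SCTP now takes the last-header path in ipsec6_input() and ipsec6_common_input_cb() regardless of which protosw actually ends up handling the packet. That may well be the desired behaviour (policy is enforced earlier rather than later), but the commit message describes the change as isolating knowledge, i.e. a refactor; please state explicitly whether this run-time versus compile-time difference is intended.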
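Review bot: in the sys/sys/protosw.h hunk, the replacement comment `/* was PR_LASTHDR 0x40 enforce ipsec policy; last header */` usefully reserves the bit value so it is not reused by accident, but it does not say where the information moved; suggest something like `/* 0x40 was PR_LASTHDR; last-header protocols are now listed in netipsec/ipsec_input.c */` so that the next person who needs last-header treatment for a protocol finds the switch in ipsec4_input() and ipsec6_lasthdr() instead of reintroducing a protosw flag.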