svn commit: r315514 - in stable/11: . contrib/netcat lib/libipsec sbin/ifconfig sbin/ipfw sbin/setkey share/man/man4 sys/conf sys/libkern sys/modules sys/modules/ipsec sys/modules/tcp/tcpmd5 sys/ne...
Mike Tancsa
mike at sentex.net
Mon Apr 3 22:08:43 UTC 2017
Hi,
I ran into a strange problem when migrating a box that makes use of tcp
md5 signatures. These two policies, which have IPs that happen to
be 128 octets apart, get rejected:
add 10.50.34.158 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
Similarly, if I have the entries
add 10.50.34.159 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
it errors out as well
# setkey -F ; setkey -FP ; setkey -F ; setkey -f test.ipsec.2
The result of line 2: File exists.
The result of line 4: File exists.
# cat test.ipsec.2
add 10.50.34.158 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
add 10.50.34.159 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
But if the IPs are not 128 apart, it's fine
# cat test.ipsec.3
add 10.50.34.157 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.30 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
add 10.50.34.160 10.50.34.18 tcp 0x101c -A tcp-md5 "test14" ;
add 10.50.34.31 10.50.34.18 tcp 0x1002 -A tcp-md5 "test1" ;
# setkey -F ; setkey -FP ; setkey -F ; setkey -f test.ipsec.3
#
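Editor's added example, not part of this thread and not FreeBSD's code: the policies above hand the kernel a per-peer key for RFC 2385 TCP MD5 signatures. The Python below signs and verifies such a segment end to end, using the first policy's addresses and key string and a constructed BGP-like payload. Assumptions that are this example's own: the option layout NOP NOP kind=19 len=18 digest (20 bytes), a TCP checksum of zero in the built header, and no IP-layer handling.

```python
"""RFC 2385 TCP MD5 signature option: sign a segment and verify one."""
import hashlib
import hmac
import socket
import struct

IPPROTO_TCP = 6
TCPOPT_NOP = 1
TCPOPT_SIGNATURE = 19       # option kind assigned by RFC 2385
TCPOLEN_SIGNATURE = 18      # kind, length, 16-byte MD5 digest
SIG_OPTIONS_LEN = 20        # NOP NOP + 18-byte option, padded to a 4-byte boundary (assumed layout)


def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over the RFC 2385 input, in this order: the pseudo-header
    (addresses, zero, protocol, total segment length including options),
    the fixed 20-byte TCP header with its checksum field zeroed, the
    segment data, and finally the shared key.  Options themselves are
    not hashed, only accounted for in the pseudo-header length."""
    data_offset = (segment[12] >> 4) * 4
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment)))
    h = hashlib.md5()
    for part in (pseudo, bytes(fixed), segment[data_offset:], key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload, key):
    """Build header || options || payload carrying a valid signature option."""
    data_offset = (20 + SIG_OPTIONS_LEN) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)  # checksum left 0 here
    # The digest bytes are not part of the hashed input, so a zero placeholder
    # of the right length is enough to get the pseudo-header length right.
    placeholder = bytes([TCPOPT_NOP, TCPOPT_NOP, TCPOPT_SIGNATURE, TCPOLEN_SIGNATURE]) + bytes(16)
    digest = tcp_md5_digest(src_ip, dst_ip, header + placeholder + payload, key)
    return header + placeholder[:4] + digest + payload


def find_signature(segment):
    """Walk the option list and return the 16-byte digest, or None."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return None                     # malformed option list
        if kind == TCPOPT_SIGNATURE and opts[i + 1] == TCPOLEN_SIGNATURE:
            return bytes(opts[i + 2:i + TCPOLEN_SIGNATURE])
        i += opts[i + 1]
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """True only if the segment carries a signature option that matches.
    A segment without the option is rejected, as RFC 2385 requires on a
    connection configured for signatures."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        return False
    got = find_signature(segment)
    if got is None:
        return False
    return hmac.compare_digest(got, tcp_md5_digest(src_ip, dst_ip, segment, key))


if __name__ == "__main__":
    # Constructed BGP-like segment between the peers of the first policy above.
    src, dst, key = "10.50.34.158", "10.50.34.18", b"test14"
    seg = sign_segment(src, dst, 179, 179, 1000, 2000, 0x18, 65535,
                       b"\xff" * 16 + b"\x00\x13\x04", key)
    print("checked with test14:", verify_segment(src, dst, seg, key))
    print("checked with test1 :", verify_segment(src, dst, seg, b"test1"))
```

Run it as a script to see one good and one bad verification. The pseudo-header is part of the hashed input, so the same segment and key checked against a different source address fail verification as well.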
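Editor's added example, not part of this thread and not FreeBSD's code: the quoted commit message below merges an anti-replay window based on RFC 6479, which replaces a bit-shifted window with a bitmap that is only ever cleared a block at a time as the highest sequence number advances. The Python below implements that algorithm over 32-bit blocks. Its own assumptions: the bitmap gets one block more than the nominal window so that every sequence number inside the window has a bit of its own, and the "too old" cut-off is exactly the window size.

```python
"""RFC 6479 style anti-replay window: a bitmap indexed by sequence number
that is cleared block by block instead of being shifted bit by bit."""

BLOCK_BITS = 32                              # RFC 6479 uses machine integers as blocks
BLOCK_SHIFT = BLOCK_BITS.bit_length() - 1    # 5: seq >> 5 selects a block
BLOCK_MASK = BLOCK_BITS - 1                  # seq & 31 selects a bit inside a block


class ReplayWindow:
    """Tracks received 32-bit sequence numbers of one SA.

    Assumption made in this example: the bitmap holds one block more than
    the nominal window, so every sequence number in (last - wsize, last]
    has its own bit and the "too old" test below is exact."""

    def __init__(self, wsize):
        if wsize <= 0 or wsize % BLOCK_BITS:
            raise ValueError("window size must be a positive multiple of 32")
        self.wsize = wsize
        self.nblocks = wsize // BLOCK_BITS + 1
        self.bitmap = [0] * self.nblocks
        self.last = 0                        # highest sequence number accepted so far

    def _index(self, seq):
        return (seq >> BLOCK_SHIFT) % self.nblocks, 1 << (seq & BLOCK_MASK)

    def check_and_update(self, seq):
        """Return True and record seq if it is fresh; False for seq 0,
        replays, and sequence numbers older than the window.

        In a real stack the update step runs only after the packet's ICV
        has verified, so a forged packet cannot advance the window."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False                     # RFC 4303: the first valid sequence number is 1
        if seq > self.last:
            if seq - self.last < self.wsize:
                # Window slides forward: clear only the blocks it now covers for the first time.
                cur = self.last >> BLOCK_SHIFT
                to = seq >> BLOCK_SHIFT
                while cur != to:
                    cur += 1
                    self.bitmap[cur % self.nblocks] = 0
            else:
                # Jumped past the whole window: nothing in the bitmap is still in range.
                self.bitmap = [0] * self.nblocks
            self.last = seq
            idx, bit = self._index(seq)
            self.bitmap[idx] |= bit
            return True
        if self.last - seq >= self.wsize:
            return False                     # too old to be tracked: reject
        idx, bit = self._index(seq)
        if self.bitmap[idx] & bit:
            return False                     # already seen: replay
        self.bitmap[idx] |= bit
        return True


def run_trace(wsize, seqs):
    """Feed a constructed sequence-number trace through a fresh window and
    return the accept/reject decision for each entry."""
    w = ReplayWindow(wsize)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in order, a replay, a large jump, one packet just
    # outside the 64-packet window, one just inside, a replay of it, seq 0.
    trace = [1, 2, 1, 100, 36, 37, 37, 99, 0]
    for s, ok in zip(trace, run_trace(64, trace)):
        print(f"seq={s:<4d} {'accept' if ok else 'REJECT'}")
```

The only per-packet work that is not constant is clearing blocks on a forward jump, and that is bounded by the number of blocks; that is what lets the window grow to the sizes the commit message mentions without paying for a bit shift on every packet.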
On 3/18/2017 6:04 PM, Andrey V. Elsukov wrote:
> Author: ae
> Date: Sat Mar 18 22:04:20 2017
> New Revision: 315514
> URL: https://svnweb.freebsd.org/changeset/base/315514
>
> Log:
> MFC r304572 (by bz):
> Remove the kernel option for IPSEC_FILTERTUNNEL, which was deprecated
> more than 7 years ago in favour of a sysctl in r192648.
>
> MFC r305122:
> Remove redundant sanity checks from ipsec[46]_common_input_cb().
>
> This check already has been done in the each protocol callback.
>
> MFC r309144,309174,309201 (by fabient):
> IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets.
>
> Since the previous algorithm, based on bit shifting, does not scale
> with large replay windows, the algorithm used here is based on
> RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting.
> The replay window will be fast to update, but will cost as many bits
> in RAM as its size.
>
> The previous implementation did not provide a lock on the replay window,
> which may lead to replay issues.
>
> Obtained from: emeric.poupon at stormshield.eu
> Sponsored by: Stormshield
> Differential Revision: https://reviews.freebsd.org/D8468
>
> MFC r309143,309146 (by fabient):
> In a dual processor system (2*6 cores) during IPSec throughput tests,
> we see a lot of contention on the arc4 lock, used to generate the IV
> of the ESP output packets.
>
> The idea of this patch is to split this mutex in order to reduce the
> contention on this lock.
>
> Update r309143 to prevent false sharing.
>
> Reviewed by: delphij, markm, ache
> Approved by: so
> Obtained from: emeric.poupon at stormshield.eu
> Sponsored by: Stormshield
> Differential Revision: https://reviews.freebsd.org/D8130
>
> MFC r313330:
> Merge projects/ipsec into head/.
>
> Small summary
> -------------
>
> o Almost all IPsec related code was moved into sys/netipsec.
> o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel
> option IPSEC_SUPPORT added. It enables support for loading
> and unloading of ipsec.ko and tcpmd5.ko kernel modules.
> o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by
> default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type
> support was removed. Added TCP/UDP checksum handling for
> inbound packets that were decapsulated by transport mode SAs.
> setkey(8) modified to show run-time NAT-T configuration of SA.
> o New network pseudo interface if_ipsec(4) added. For now it is
> built as part of ipsec.ko module (or with IPSEC kernel).
> It implements IPsec virtual tunnels to create route-based VPNs.
> o The network stack now invokes IPsec functions using special
> methods. Only one header file, <netipsec/ipsec_support.h>,
> should be included to declare all the things needed to work
> with IPsec.
> o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed.
> Now these protocols are handled directly via IPsec methods.
> o TCP_SIGNATURE support was reworked to be closer to the RFC.
> o PF_KEY SADB was reworked:
> - now all security associations are stored in a single SPI namespace,
> and all SAs MUST have unique SPIs.
> - several hash tables added to speed up lookups in SADB.
> - SADB now uses rmlock to protect access, and concurrent threads
> can do SA lookups at the same time.
> - many PF_KEY message handlers were reworked to reflect changes
> in SADB.
> - SADB_UPDATE message was extended to support new PF_KEY headers:
> SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They
> can be used by IKE daemon to change SA addresses.
> o ipsecrequest and secpolicy structures were fundamentally changed to
> avoid locking protection for ipsecrequest. Now we support
> only limited number (4) of bundled SAs, but they are supported
> for both INET and INET6.
> o INPCB security policy cache was introduced. Each PCB now caches
> used security policies to avoid SP lookup for each packet.
> o For inbound security policies a mode was added in which the kernel
> checks the full history of applied IPsec transforms.
> o Reference counting rules for security policies and security
> associations were changed. The proper SA locking added into xform
> code.
> o xform code was also changed. Now it is possible to unregister xforms.
> tdb_xxx structures were changed and renamed to reflect changes in
> SADB/SPDB, and changed rules for locking and refcounting.
>
> Obtained from: Yandex LLC
> Relnotes: yes
> Sponsored by: Yandex LLC
> Differential Revision: https://reviews.freebsd.org/D9352
>
> MFC r313331:
> Add removed headers into the ObsoleteFiles.inc.
>
> MFC r313561 (by glebius):
> Move tcp_fields_to_net() static inline into tcp_var.h, just below its
> friend tcp_fields_to_host(). There is third party code that also uses
> this inline.
>
> MFC r313697:
> Remove IPsec related PCB code from SCTP.
>
> The inpcb structure has inp_sp pointer that is initialized by
> ipsec_init_pcbpolicy() function. This pointer keeps storage for IPsec
> security policies associated with a specific socket.
> An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket
> options to configure these security policies. Then ip[6]_output()
> uses inpcb pointer to specify that an outgoing packet is associated
> with some socket. And IPSEC_OUTPUT() method can use a security policy
> stored in the inp_sp. For inbound packet the protocol-specific input
> routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms
> to inbound security policy configured in the inpcb.
>
> SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends
> packets. Thus IPSEC_OUTPUT() method does not consider such packets as
> associated with some socket and can not apply security policies
> from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY()
> method is called from protocol-specific input routine, it can specify
> inpcb pointer and associated with socket inbound policy will be
> checked. But there are two problems:
> 1. Such a check is asymmetric, because we can not apply security policy
> from inpcb for outgoing packet.
> 2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and
> access to inp_sp is protected. But for SCTP this is not correct,
> because SCTP uses its own locks to protect inpcb.
>
> To fix these problems remove IPsec related PCB code from SCTP.
> This implies that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options
> will not be applicable to SCTP sockets. To be able to correctly check
> inbound security policies for SCTP, mark its protocol header with
> the PR_LASTHDR flag.
>
> Differential Revision: https://reviews.freebsd.org/D9538
>
> MFC r313746:
> Add missing check to fix the build with IPSEC_SUPPORT and without MAC.
>
> MFC r313805:
> Fix LINT build for powerpc.
>
> Build kernel modules support only when neither IPSEC nor TCP_SIGNATURE
> is defined.
>
> MFC r313922:
> For translated packets do not adjust UDP checksum if it is zero.
>
> In the case when the decrypted and decapsulated packet is a UDP datagram,
> check that its checksum is not zero before doing incremental checksum
> adjustment.
>
> MFC r314339:
> Document that the size of AH ICV for HMAC-SHA2-NNN should be half of
> NNN bits as described in RFC4868.
>
> PR: 215978
>
> MFC r314812:
> Introduce the concept of IPsec security policies scope.
>
> Currently three scopes are defined: global, ifnet, and pcb.
> Generic security policies that an IKE daemon can add via the PF_KEY interface
> or an administrator creates with the setkey(8) utility have GLOBAL scope.
> Such policies can be applied by the kernel to outgoing packets and checked
> against inbound packets after IPsec processing.
> Security policies created by if_ipsec(4) interfaces have IFNET scope.
> Such policies are applied to packets that are passed through if_ipsec(4)
> interface.
> And security policies created by an application using the setsockopt()
> IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
> packets related to a specific socket. Currently there is no way to list
> PCB policies via the setkey(8) utility.
>
> Modify setkey(8) and libipsec(3) to be able to distinguish the scope of
> security policies in the `setkey -DP` listing. Add two optional flags:
> '-t' to list only policies related to virtual *tunneling* interfaces,
> i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
> scope. By default policies from all scopes are listed.
>
> To implement this, PF_KEY's sadb_x_policy structure was modified.
> sadb_x_policy_reserved field is used to pass the policy scope from the
> kernel to userland. SADB_SPDDUMP message extended to support filtering
> by scope: sadb_msg_satype field is used to specify bit mask of requested
> scopes.
>
> For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
> is used to pass if_ipsec's interface if_index to the userland. For GLOBAL
> policies sadb_x_policy_priority is used only to manage order of security
> policies in the SPDB. For IFNET policies it is not used, so it can be used
> to keep if_index.
>
> After this change the output of `setkey -DP` now looks like:
> # setkey -DPt
> 0.0.0.0/0[any] 0.0.0.0/0[any] any
> in ipsec
> esp/tunnel/87.250.242.144-87.250.242.145/unique:145
> spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
> refcnt=1
> # setkey -DPg
> ::/0 ::/0 icmp6 135,0
> out none
> spid=5 seq=1 pid=872 scope=global
> refcnt=1
>
> Obtained from: Yandex LLC
> Sponsored by: Yandex LLC
> Differential Revision: https://reviews.freebsd.org/D9805
>
> PR: 212018
> Relnotes: yes
> Sponsored by: Yandex LLC
>
> Added:
> stable/11/sbin/ifconfig/ifipsec.c
> - copied unchanged from r313330, head/sbin/ifconfig/ifipsec.c
> stable/11/share/man/man4/if_ipsec.4
> - copied unchanged from r313330, head/share/man/man4/if_ipsec.4
> stable/11/sys/modules/ipsec/
> - copied from r313330, head/sys/modules/ipsec/
> stable/11/sys/modules/tcp/tcpmd5/
> - copied from r313330, head/sys/modules/tcp/tcpmd5/
> stable/11/sys/net/if_ipsec.c
> - copied, changed from r313330, head/sys/net/if_ipsec.c
> stable/11/sys/net/if_ipsec.h
> - copied unchanged from r313330, head/sys/net/if_ipsec.h
> stable/11/sys/netipsec/ipsec_mod.c
> - copied unchanged from r313330, head/sys/netipsec/ipsec_mod.c
> stable/11/sys/netipsec/ipsec_pcb.c
> - copied unchanged from r313330, head/sys/netipsec/ipsec_pcb.c
> stable/11/sys/netipsec/ipsec_support.h
> - copied unchanged from r313330, head/sys/netipsec/ipsec_support.h
> stable/11/sys/netipsec/subr_ipsec.c
> - copied, changed from r313330, head/sys/netipsec/subr_ipsec.c
> stable/11/sys/netipsec/udpencap.c
> - copied, changed from r313330, head/sys/netipsec/udpencap.c
> Deleted:
> stable/11/sys/netinet/ip_ipsec.c
> stable/11/sys/netinet/ip_ipsec.h
> stable/11/sys/netinet6/ip6_ipsec.c
> stable/11/sys/netinet6/ip6_ipsec.h
> Modified:
> stable/11/ObsoleteFiles.inc
> stable/11/contrib/netcat/netcat.c
> stable/11/lib/libipsec/pfkey.c
> stable/11/lib/libipsec/pfkey_dump.c
> stable/11/sbin/ifconfig/Makefile
> stable/11/sbin/ipfw/ipfw.8
> stable/11/sbin/setkey/setkey.8
> stable/11/sbin/setkey/setkey.c
> stable/11/share/man/man4/Makefile
> stable/11/share/man/man4/ipsec.4
> stable/11/share/man/man4/tcp.4
> stable/11/share/man/man4/udp.4
> stable/11/sys/conf/NOTES
> stable/11/sys/conf/files
> stable/11/sys/conf/files.amd64
> stable/11/sys/conf/files.arm
> stable/11/sys/conf/files.arm64
> stable/11/sys/conf/files.i386
> stable/11/sys/conf/files.mips
> stable/11/sys/conf/files.pc98
> stable/11/sys/conf/files.powerpc
> stable/11/sys/conf/files.riscv
> stable/11/sys/conf/files.sparc64
> stable/11/sys/conf/kern.opts.mk
> stable/11/sys/conf/options
> stable/11/sys/libkern/arc4random.c
> stable/11/sys/modules/Makefile
> stable/11/sys/net/pfkeyv2.h
> stable/11/sys/netinet/in_pcb.c
> stable/11/sys/netinet/in_proto.c
> stable/11/sys/netinet/ip_input.c
> stable/11/sys/netinet/ip_output.c
> stable/11/sys/netinet/raw_ip.c
> stable/11/sys/netinet/sctp_input.c
> stable/11/sys/netinet/sctp_os_bsd.h
> stable/11/sys/netinet/sctp_pcb.c
> stable/11/sys/netinet/tcp_input.c
> stable/11/sys/netinet/tcp_output.c
> stable/11/sys/netinet/tcp_stacks/fastpath.c
> stable/11/sys/netinet/tcp_subr.c
> stable/11/sys/netinet/tcp_syncache.c
> stable/11/sys/netinet/tcp_usrreq.c
> stable/11/sys/netinet/tcp_var.h
> stable/11/sys/netinet/udp.h
> stable/11/sys/netinet/udp_usrreq.c
> stable/11/sys/netinet6/in6.h
> stable/11/sys/netinet6/in6_proto.c
> stable/11/sys/netinet6/ip6_forward.c
> stable/11/sys/netinet6/ip6_input.c
> stable/11/sys/netinet6/ip6_output.c
> stable/11/sys/netinet6/raw_ip6.c
> stable/11/sys/netinet6/sctp6_usrreq.c
> stable/11/sys/netinet6/udp6_usrreq.c
> stable/11/sys/netipsec/ipsec.c
> stable/11/sys/netipsec/ipsec.h
> stable/11/sys/netipsec/ipsec6.h
> stable/11/sys/netipsec/ipsec_input.c
> stable/11/sys/netipsec/ipsec_mbuf.c
> stable/11/sys/netipsec/ipsec_output.c
> stable/11/sys/netipsec/key.c
> stable/11/sys/netipsec/key.h
> stable/11/sys/netipsec/key_debug.c
> stable/11/sys/netipsec/key_debug.h
> stable/11/sys/netipsec/keydb.h
> stable/11/sys/netipsec/keysock.c
> stable/11/sys/netipsec/xform.h
> stable/11/sys/netipsec/xform_ah.c
> stable/11/sys/netipsec/xform_esp.c
> stable/11/sys/netipsec/xform_ipcomp.c
> stable/11/sys/netipsec/xform_tcp.c
> stable/11/usr.bin/netstat/inet.c
> Directory Properties:
> stable/11/ (props changed)
>
> Modified: stable/11/ObsoleteFiles.inc
> ==============================================================================
> --- stable/11/ObsoleteFiles.inc Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/ObsoleteFiles.inc Sat Mar 18 22:04:20 2017 (r315514)
> @@ -45,6 +45,9 @@ OLD_FILES+=usr/tests/sys/geom/class/gate
> OLD_FILES+=usr/tests/sys/geom/class/gate/conf.sh
> # 20170211: libarchive ACL pax test renamed to test_acl_pax_posix1e.tar.uu
> OLD_FILES+=usr/tests/lib/libarchive/test_acl_pax.tar.uu
> +# 20170206: merged projects/ipsec
> +OLD_FILES+=usr/include/netinet/ip_ipsec.h
> +OLD_FILES+=usr/include/netinet6/ip6_ipsec.h
> # 20170103: libbsnmptools.so made into an INTERNALLIB
> OLD_FILES+=usr/lib/libbsnmptools.a
> OLD_FILES+=usr/lib/libbsnmptools_p.a
>
> Modified: stable/11/contrib/netcat/netcat.c
> ==============================================================================
> --- stable/11/contrib/netcat/netcat.c Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/contrib/netcat/netcat.c Sat Mar 18 22:04:20 2017 (r315514)
> @@ -131,7 +131,7 @@ ssize_t drainbuf(int, unsigned char *, s
> ssize_t fillbuf(int, unsigned char *, size_t *);
>
> #ifdef IPSEC
> -void add_ipsec_policy(int, char *);
> +void add_ipsec_policy(int, int, char *);
>
> char *ipsec_policy[2];
> #endif
> @@ -642,12 +642,6 @@ remote_connect(const char *host, const c
> if ((s = socket(res0->ai_family, res0->ai_socktype,
> res0->ai_protocol)) < 0)
> continue;
> -#ifdef IPSEC
> - if (ipsec_policy[0] != NULL)
> - add_ipsec_policy(s, ipsec_policy[0]);
> - if (ipsec_policy[1] != NULL)
> - add_ipsec_policy(s, ipsec_policy[1]);
> -#endif
>
> if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_SETFIB,
> &rtableid, sizeof(rtableid)) == -1))
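Review bot: removing the add_ipsec_policy() calls from remote_connect() means the per-socket policy is now applied only if set_common_sockopts() runs on this socket before connect(); that call is not in the visible lines, so please confirm every path in remote_connect() that reaches connect() also reaches set_common_sockopts(), otherwise a configured policy would silently stop applying to outbound connections.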
> @@ -765,12 +759,7 @@ local_listen(char *host, char *port, str
> ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
> if (ret == -1)
> err(1, NULL);
> -#ifdef IPSEC
> - if (ipsec_policy[0] != NULL)
> - add_ipsec_policy(s, ipsec_policy[0]);
> - if (ipsec_policy[1] != NULL)
> - add_ipsec_policy(s, ipsec_policy[1]);
> -#endif
> +
> if (FreeBSD_Oflag) {
> if (setsockopt(s, IPPROTO_TCP, TCP_NOOPT,
> &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
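Review bot: the bare `+` line that replaces the removed #ifdef block in local_listen() leaves a stray blank line between the `err(1, NULL);` check and `if (FreeBSD_Oflag) {`; drop it so the block reads as it did before.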
> @@ -1235,6 +1224,12 @@ set_common_sockopts(int s, int af)
> &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
> err(1, "disable TCP options");
> }
> +#ifdef IPSEC
> + if (ipsec_policy[0] != NULL)
> + add_ipsec_policy(s, af, ipsec_policy[0]);
> + if (ipsec_policy[1] != NULL)
> + add_ipsec_policy(s, af, ipsec_policy[1]);
> +#endif
> }
>
> int
> @@ -1360,7 +1355,7 @@ help(void)
>
> #ifdef IPSEC
> void
> -add_ipsec_policy(int s, char *policy)
> +add_ipsec_policy(int s, int af, char *policy)
> {
> char *raw;
> int e;
> @@ -1369,8 +1364,12 @@ add_ipsec_policy(int s, char *policy)
> if (raw == NULL)
> errx(1, "ipsec_set_policy `%s': %s", policy,
> ipsec_strerror());
> - e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
> - ipsec_get_policylen(raw));
> + if (af == AF_INET)
> + e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
> + ipsec_get_policylen(raw));
> + if (af == AF_INET6)
> + e = setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, raw,
> + ipsec_get_policylen(raw));
> if (e < 0)
> err(1, "ipsec policy cannot be configured");
> free(raw);
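Review bot: `e` is left uninitialized when `af` is neither AF_INET nor AF_INET6, so `if (e < 0)` then tests garbage and the policy may be silently skipped. Make the second check an `else if` and add an `else` that fails explicitly, for example `errx(1, "ipsec policy: unsupported address family %d", af);`, or initialise `e = -1` with errno set to EAFNOSUPPORT before the checks.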
>
> Modified: stable/11/lib/libipsec/pfkey.c
> ==============================================================================
> --- stable/11/lib/libipsec/pfkey.c Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/lib/libipsec/pfkey.c Sat Mar 18 22:04:20 2017 (r315514)
> @@ -1776,20 +1776,17 @@ pfkey_align(msg, mhp)
> case SADB_EXT_SPIRANGE:
> case SADB_X_EXT_POLICY:
> case SADB_X_EXT_SA2:
> - mhp[ext->sadb_ext_type] = (caddr_t)ext;
> - break;
> case SADB_X_EXT_NAT_T_TYPE:
> case SADB_X_EXT_NAT_T_SPORT:
> case SADB_X_EXT_NAT_T_DPORT:
> - /* case SADB_X_EXT_NAT_T_OA: is OAI */
> case SADB_X_EXT_NAT_T_OAI:
> case SADB_X_EXT_NAT_T_OAR:
> case SADB_X_EXT_NAT_T_FRAG:
> - if (feature_present("ipsec_natt")) {
> - mhp[ext->sadb_ext_type] = (caddr_t)ext;
> - break;
> - }
> - /* FALLTHROUGH */
> + case SADB_X_EXT_SA_REPLAY:
> + case SADB_X_EXT_NEW_ADDRESS_SRC:
> + case SADB_X_EXT_NEW_ADDRESS_DST:
> + mhp[ext->sadb_ext_type] = (caddr_t)ext;
> + break;
> default:
> __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
> return -1;
>
> Modified: stable/11/lib/libipsec/pfkey_dump.c
> ==============================================================================
> --- stable/11/lib/libipsec/pfkey_dump.c Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/lib/libipsec/pfkey_dump.c Sat Mar 18 22:04:20 2017 (r315514)
> @@ -35,8 +35,9 @@ __FBSDID("$FreeBSD$");
> #include <sys/types.h>
> #include <sys/param.h>
> #include <sys/socket.h>
> -#include <netipsec/ipsec.h>
> +#include <net/if.h>
> #include <net/pfkeyv2.h>
> +#include <netipsec/ipsec.h>
> #include <netipsec/key_var.h>
> #include <netipsec/key_debug.h>
>
> @@ -204,6 +205,13 @@ static struct val2str str_alg_comp[] = {
> { -1, NULL, },
> };
>
> +static struct val2str str_sp_scope[] = {
> + { IPSEC_POLICYSCOPE_GLOBAL, "global" },
> + { IPSEC_POLICYSCOPE_IFNET, "ifnet" },
> + { IPSEC_POLICYSCOPE_PCB, "pcb"},
> + { -1, NULL },
> +};
> +
> /*
> * dump SADB_MSG formated. For debugging, you should use kdebug_sadb().
> */
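Review bot: `{ IPSEC_POLICYSCOPE_PCB, "pcb"},` is missing the space before `}` that the other two entries of str_sp_scope[] have; make the three lines uniform.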
> @@ -219,6 +227,10 @@ pfkey_sadump(m)
> struct sadb_key *m_auth, *m_enc;
> struct sadb_ident *m_sid, *m_did;
> struct sadb_sens *m_sens;
> + struct sadb_x_sa_replay *m_sa_replay;
> + struct sadb_x_nat_t_type *natt_type;
> + struct sadb_x_nat_t_port *natt_sport, *natt_dport;
> + struct sadb_address *natt_oai, *natt_oar;
>
> /* check pfkey message. */
> if (pfkey_align(m, mhp)) {
> @@ -243,33 +255,47 @@ pfkey_sadump(m)
> m_sid = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_SRC];
> m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
> m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
> + m_sa_replay = (struct sadb_x_sa_replay *)mhp[SADB_X_EXT_SA_REPLAY];
> + natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
> + natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
> + natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
> + natt_oai = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAI];
> + natt_oar = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAR];
> +
>
> /* source address */
> if (m_saddr == NULL) {
> printf("no ADDRESS_SRC extension.\n");
> return;
> }
> - printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
> + printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
> + if (natt_type != NULL && natt_sport != NULL)
> + printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
>
> /* destination address */
> if (m_daddr == NULL) {
> - printf("no ADDRESS_DST extension.\n");
> + printf("\nno ADDRESS_DST extension.\n");
> return;
> }
> - printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
> + printf(" %s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
> + if (natt_type != NULL && natt_dport != NULL)
> + printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
>
> /* SA type */
> if (m_sa == NULL) {
> - printf("no SA extension.\n");
> + printf("\nno SA extension.\n");
> return;
> }
> if (m_sa2 == NULL) {
> - printf("no SA2 extension.\n");
> + printf("\nno SA2 extension.\n");
> return;
> }
> printf("\n\t");
>
> - GETMSGSTR(str_satype, m->sadb_msg_satype);
> + if (m->sadb_msg_satype == SADB_SATYPE_ESP && natt_type != NULL)
> + printf("esp-udp ");
> + else
> + GETMSGSTR(str_satype, m->sadb_msg_satype);
>
> printf("mode=");
> GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
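Review bot: the added empty `+` line after the natt_oar assignment sits in front of an existing blank line, leaving two blank lines before the `/* source address */` comment; drop one. Also, the `[port]` suffix is printed only when both natt_type and the port extension are present, while the `esp-udp` label keys off natt_type alone, so an SA carrying a type but no ports would print `esp-udp` with bare addresses; testing the ports together with the type would keep the two consistent.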
> @@ -280,6 +306,18 @@ pfkey_sadump(m)
> (u_int32_t)m_sa2->sadb_x_sa2_reqid,
> (u_int32_t)m_sa2->sadb_x_sa2_reqid);
>
> + /* other NAT-T information */
> + if (natt_type != NULL && (natt_oai != NULL || natt_oar != NULL)) {
> + printf("\tNAT:");
> + if (natt_oai != NULL)
> + printf(" OAI=%s",
> + str_ipaddr((struct sockaddr *)(natt_oai + 1)));
> + if (natt_oar != NULL)
> + printf(" OAR=%s",
> + str_ipaddr((struct sockaddr *)(natt_oar + 1)));
> + printf("\n");
> + }
> +
> /* encryption key */
> if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
> printf("\tC: ");
> @@ -306,7 +344,8 @@ pfkey_sadump(m)
> /* replay windoe size & flags */
> printf("\tseq=0x%08x replay=%u flags=0x%08x ",
> m_sa2->sadb_x_sa2_sequence,
> - m_sa->sadb_sa_replay,
> + m_sa_replay ? (m_sa_replay->sadb_x_sa_replay_replay >> 3) :
> + m_sa->sadb_sa_replay,
> m_sa->sadb_sa_flags);
>
> /* state */
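Review bot: `m_sa_replay->sadb_x_sa_replay_replay >> 3` silently changes units: the new extension carries the window in bits while the legacy one-byte `sadb_sa_replay` field is a size in bytes, and the shift keeps the printed `replay=` value in bytes for both. Add a one-line comment saying so, or the next reader will "fix" it; and while here, the context comment `replay windoe size` has a typo.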
> @@ -367,8 +406,7 @@ pfkey_sadump(m)
> }
>
> void
> -pfkey_spdump(m)
> - struct sadb_msg *m;
> +pfkey_spdump(struct sadb_msg *m)
> {
> char pbuf[NI_MAXSERV];
> caddr_t mhp[SADB_EXT_MAX + 1];
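Review bot: only pfkey_spdump() is converted from a K&R definition to a prototype; pfkey_sadump(m) a few hunks above stays K&R. Either convert both or keep this unrelated cleanup out of the MFC so the file is consistent.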
> @@ -476,10 +514,15 @@ pfkey_spdump(m)
> }
>
>
> - printf("\tspid=%ld seq=%ld pid=%ld\n",
> + printf("\tspid=%ld seq=%ld pid=%ld scope=",
> (u_long)m_xpl->sadb_x_policy_id,
> (u_long)m->sadb_msg_seq,
> (u_long)m->sadb_msg_pid);
> + GETMSGV2S(str_sp_scope, m_xpl->sadb_x_policy_scope);
> + if (m_xpl->sadb_x_policy_scope == IPSEC_POLICYSCOPE_IFNET &&
> + if_indextoname(m_xpl->sadb_x_policy_ifindex, pbuf) != NULL)
> + printf("ifname=%s", pbuf);
> + printf("\n");
>
> /* XXX TEST */
> printf("\trefcnt=%u\n", m->sadb_msg_reserved);
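Review bot: `pbuf` is declared `char pbuf[NI_MAXSERV]` for service names and is reused here as the if_indextoname() buffer; that only works because NI_MAXSERV happens to be at least IFNAMSIZ. Use a dedicated `char ifname[IFNAMSIZ];`. Also, when if_indextoname() fails (interface already destroyed) nothing follows `scope=ifnet`; printing `ifindex=%u` as a fallback keeps the listing unambiguous.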
>
> Modified: stable/11/sbin/ifconfig/Makefile
> ==============================================================================
> --- stable/11/sbin/ifconfig/Makefile Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sbin/ifconfig/Makefile Sat Mar 18 22:04:20 2017 (r315514)
> @@ -34,6 +34,7 @@ SRCS+= ifvlan.c # SIOC[GS]ETVLAN suppor
> SRCS+= ifvxlan.c # VXLAN support
> SRCS+= ifgre.c # GRE keys etc
> SRCS+= ifgif.c # GIF reversed header workaround
> +SRCS+= ifipsec.c # IPsec VTI
>
> SRCS+= sfp.c # SFP/SFP+ information
> LIBADD+= m
>
> Copied: stable/11/sbin/ifconfig/ifipsec.c (from r313330, head/sbin/ifconfig/ifipsec.c)
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ stable/11/sbin/ifconfig/ifipsec.c Sat Mar 18 22:04:20 2017 (r315514, copy of r313330, head/sbin/ifconfig/ifipsec.c)
> @@ -0,0 +1,101 @@
> +/*-
> + * Copyright (c) 2016 Yandex LLC
> + * Copyright (c) 2016 Andrey V. Elsukov <ae at FreeBSD.org>
> + * All rights reserved.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + *
> + * 1. Redistributions of source code must retain the above copyright
> + * notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + * notice, this list of conditions and the following disclaimer in the
> + * documentation and/or other materials provided with the distribution.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
> + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
> + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
> + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
> + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
> + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
> + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
> + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
> + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
> + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> + */
> +
> +#include <sys/cdefs.h>
> +__FBSDID("$FreeBSD$");
> +
> +#include <sys/param.h>
> +#include <sys/ioctl.h>
> +#include <sys/socket.h>
> +#include <sys/sockio.h>
> +#include <sys/stdint.h>
> +
> +#include <stdlib.h>
> +#include <unistd.h>
> +
> +#include <net/ethernet.h>
> +#include <net/if.h>
> +#include <net/if_ipsec.h>
> +#include <net/route.h>
> +
> +#include <ctype.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <err.h>
> +#include <errno.h>
> +
> +#include "ifconfig.h"
> +
> +static void
> +ipsec_status(int s)
> +{
> + uint32_t reqid;
> +
> + ifr.ifr_data = (caddr_t)&reqid;
> + if (ioctl(s, IPSECGREQID, &ifr) == -1)
> + return;
> + printf("\treqid: %u\n", reqid);
> +}
> +
> +static
> +DECL_CMD_FUNC(setreqid, val, arg)
> +{
> + char *ep;
> + uint32_t v;
> +
> + v = strtoul(val, &ep, 0);
> + if (*ep != '\0') {
> + warn("Invalid reqid value %s", val);
> + return;
> + }
> + ifr.ifr_data = (char *)&v;
> + if (ioctl(s, IPSECSREQID, &ifr) == -1) {
> + warn("ioctl(IPSECSREQID)");
> + return;
> + }
> +}
> +
> +static struct cmd ipsec_cmds[] = {
> + DEF_CMD_ARG("reqid", setreqid),
> +};
> +
> +static struct afswtch af_ipsec = {
> + .af_name = "af_ipsec",
> + .af_af = AF_UNSPEC,
> + .af_other_status = ipsec_status,
> +};
> +
> +static __constructor void
> +ipsec_ctor(void)
> +{
> + size_t i;
> +
> + for (i = 0; i < nitems(ipsec_cmds); i++)
> + cmd_register(&ipsec_cmds[i]);
> + af_register(&af_ipsec);
> +#undef N
> +}
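Review bot: in setreqid(), `warn("Invalid reqid value %s", val)` appends strerror(errno), but strtoul() need not set errno on a trailing-garbage failure, so the message ends in an unrelated error string; use warnx(). The parse also accepts an empty string (ep == val, `*ep == '\0'`) as reqid 0 and, since unsigned long is 64 bits on LP64, silently truncates values above UINT32_MAX when stored in `v`; strtonum(val, 0, UINT32_MAX, &errstr) handles all three. The `#undef N` at the end of ipsec_ctor() has no matching #define and should go.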
>
> Modified: stable/11/sbin/ipfw/ipfw.8
> ==============================================================================
> --- stable/11/sbin/ipfw/ipfw.8 Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sbin/ipfw/ipfw.8 Sat Mar 18 22:04:20 2017 (r315514)
> @@ -1518,8 +1518,7 @@ Matches IPv4 packets whose precedence fi
> .It Cm ipsec
> Matches packets that have IPSEC history associated with them
> (i.e., the packet comes encapsulated in IPSEC, the kernel
> -has IPSEC support and IPSEC_FILTERTUNNEL option, and can correctly
> -decapsulate it).
> +has IPSEC support, and can correctly decapsulate it).
> .Pp
> Note that specifying
> .Cm ipsec
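Review bot: with the IPSEC_FILTERTUNNEL mention gone, this paragraph no longer says how filtering of decapsulated packets is enabled; the r304572 summary above says the option was replaced by a sysctl, so name that sysctl here instead of leaving the reader to guess.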
>
> Modified: stable/11/sbin/setkey/setkey.8
> ==============================================================================
> --- stable/11/sbin/setkey/setkey.8 Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sbin/setkey/setkey.8 Sat Mar 18 22:04:20 2017 (r315514)
> @@ -29,7 +29,7 @@
> .\"
> .\" $FreeBSD$
> .\"
> -.Dd October 3, 2016
> +.Dd March 7, 2017
> .Dt SETKEY 8
> .Os
> .\"
> @@ -45,7 +45,7 @@
> .Op Fl v
> .Fl f Ar filename
> .Nm
> -.Op Fl aPlv
> +.Op Fl Pgltv
> .Fl D
> .Nm
> .Op Fl Pv
> @@ -81,18 +81,21 @@ Flush the SAD entries.
> If with
> .Fl P ,
> the SPD entries are flushed.
> -.It Fl a
> -The
> -.Nm
> -utility
> -usually does not display dead SAD entries with
> -.Fl D .
> -If with
> -.Fl a ,
> -the dead SAD entries will be displayed as well.
> -A dead SAD entry means that
> -it has been expired but remains in the system
> -because it is referenced by some SPD entries.
> +.It Fl g
> +Only SPD entries with global scope are dumped with
> +.Fl D
> +and
> +.Fl P
> +flags.
> +.It Fl t
> +Only SPD entries with ifnet scope are dumped with
> +.Fl D
> +and
> +.Fl P
> +flags.
> +Such SPD entries are linked to the corresponding
> +.Xr if_ipsec 4
> +virtual tunneling interface.
> .It Fl h
> Add hexadecimal dump on
> .Fl x
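Review bot: `-g` and `-t` are OR-ed into one bitmask in setkey.c and can be given together, and with neither flag all scopes are dumped; say both things here, since the two entries as written read as mutually exclusive and do not state the default.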
> @@ -270,8 +273,6 @@ must be a decimal number, or a hexadecim
> prefix.
> SPI values between 0 and 255 are reserved for future use by IANA
> and they cannot be used.
> -TCP-MD5 associations must use 0x1000 and therefore only have per-host
> -granularity at this time.
> .\"
> .Pp
> .It Ar extensions
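Review bot: the sentence removed here was the only documentation of how TCP-MD5 SAs are keyed; the summary above says all SAs now share one SPI namespace and MUST have unique SPIs, which is a new user-visible constraint (the `add ... tcp 0x1000 -A tcp-md5` example further down this page still shows the old fixed value) and should replace the removed text rather than leave a gap.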
> @@ -595,12 +596,11 @@ keyed-md5 128 ah: 96bit ICV (no documen
> keyed-sha1 160 ah: 96bit ICV (no document)
> 160 ah-old: 128bit ICV (no document)
> null 0 to 2048 for debugging
> -hmac-sha2-256 256 ah: 96bit ICV
> - (draft-ietf-ipsec-ciph-sha-256-00)
> +hmac-sha2-256 256 ah: 128bit ICV (RFC4868)
> 256 ah-old: 128bit ICV (no document)
> -hmac-sha2-384 384 ah: 96bit ICV (no document)
> +hmac-sha2-384 384 ah: 192bit ICV (RFC4868)
> 384 ah-old: 128bit ICV (no document)
> -hmac-sha2-512 512 ah: 96bit ICV (no document)
> +hmac-sha2-512 512 ah: 256bit ICV (RFC4868)
> 512 ah-old: 128bit ICV (no document)
> hmac-ripemd160 160 ah: 96bit ICV (RFC2857)
> ah-old: 128bit ICV (no document)
> @@ -700,6 +700,7 @@ add 10.1.10.34 10.1.10.36 tcp 0x1000 -A
> .\"
> .Sh SEE ALSO
> .Xr ipsec_set_policy 3 ,
> +.Xr if_ipsec 4 ,
> .Xr racoon 8 ,
> .Xr sysctl 8
> .Rs
>
> Modified: stable/11/sbin/setkey/setkey.c
> ==============================================================================
> --- stable/11/sbin/setkey/setkey.c Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sbin/setkey/setkey.c Sat Mar 18 22:04:20 2017 (r315514)
> @@ -56,7 +56,7 @@
> void usage(void);
> int main(int, char **);
> int get_supported(void);
> -void sendkeyshort(u_int);
> +void sendkeyshort(u_int, uint8_t);
> void promisc(void);
> int sendkeymsg(char *, size_t);
> int postproc(struct sadb_msg *, int);
> @@ -81,6 +81,7 @@ int f_cmddump = 0;
> int f_policy = 0;
> int f_hexdump = 0;
> int f_tflag = 0;
> +int f_scope = 0;
> static time_t thiszone;
>
> extern int lineno;
> @@ -93,7 +94,7 @@ usage()
>
> printf("usage: setkey [-v] -c\n");
> printf(" setkey [-v] -f filename\n");
> - printf(" setkey [-Palv] -D\n");
> + printf(" setkey [-Pagltv] -D\n");
> printf(" setkey [-Pv] -F\n");
> printf(" setkey [-h] -x\n");
> exit(1);
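Review bot: the usage string still advertises `-a` (`setkey [-Pagltv] -D`) and the getopt string keeps `a`, while the setkey.8 hunk in this same commit deletes the `-a` flag and its description; either drop `a` from both strings or keep the manual text so the program and its page agree.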
> @@ -114,7 +115,7 @@ main(ac, av)
>
> thiszone = gmt2local(0);
>
> - while ((c = getopt(ac, av, "acdf:hlvxDFP")) != -1) {
> + while ((c = getopt(ac, av, "acdf:ghltvxDFP")) != -1) {
> switch (c) {
> case 'c':
> f_mode = MODE_SCRIPT;
> @@ -149,6 +150,12 @@ main(ac, av)
> case 'P':
> f_policy = 1;
> break;
> + case 'g': /* global */
> + f_scope |= IPSEC_POLICYSCOPE_GLOBAL;
> + break;
> + case 't': /* tunnel */
> + f_scope |= IPSEC_POLICYSCOPE_IFNET;
> + break;
> case 'v':
> f_verbose = 1;
> break;
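Review bot: the new -g and -t cases accept the flags in every mode, but f_scope is only consumed on the -P dump path, so "-g" or "-t" given without -P (or together with -F) are silently ignored; call usage() in that case or state in the usage string that they are dump-only. A comment on f_scope would also help: the IPSEC_POLICYSCOPE_GLOBAL/IPSEC_POLICYSCOPE_IFNET bits are later sent in sadb_msg_satype, a uint8_t that normally carries an SADB_SATYPE_* value, and that overloading is not obvious from the case labels "/* global */" and "/* tunnel */".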
> @@ -166,10 +173,12 @@ main(ac, av)
>
> switch (f_mode) {
> case MODE_CMDDUMP:
> - sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP);
> + sendkeyshort(f_policy ? SADB_X_SPDDUMP: SADB_DUMP,
> + f_policy ? f_scope: SADB_SATYPE_UNSPEC);
> break;
> case MODE_CMDFLUSH:
> - sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH);
> + sendkeyshort(f_policy ? SADB_X_SPDFLUSH: SADB_FLUSH,
> + SADB_SATYPE_UNSPEC);
> break;
> case MODE_SCRIPT:
> if (get_supported() < 0) {
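Review bot: the MODE_CMDFLUSH branch passes SADB_SATYPE_UNSPEC unconditionally, so "setkey -Pt -F" flushes every policy rather than only the interface-scoped ones the user asked for; either honour f_scope here too or reject -g/-t with -F. In the MODE_CMDDUMP branch, a plain "setkey -DP" now sends f_scope == 0, which is the same SADB_SATYPE_UNSPEC value as before; say in the man page whether that means "all scopes", since an operator auditing the SPD must know whether the default listing is complete.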
> @@ -204,15 +213,14 @@ get_supported()
> }
>
> void
> -sendkeyshort(type)
> - u_int type;
> +sendkeyshort(u_int type, uint8_t satype)
> {
> struct sadb_msg msg;
>
> msg.sadb_msg_version = PF_KEY_V2;
> msg.sadb_msg_type = type;
> msg.sadb_msg_errno = 0;
> - msg.sadb_msg_satype = SADB_SATYPE_UNSPEC;
> + msg.sadb_msg_satype = satype;
> msg.sadb_msg_len = PFKEY_UNIT64(sizeof(msg));
> msg.sadb_msg_reserved = 0;
> msg.sadb_msg_seq = 0;
>
> Modified: stable/11/share/man/man4/Makefile
> ==============================================================================
> --- stable/11/share/man/man4/Makefile Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/share/man/man4/Makefile Sat Mar 18 22:04:20 2017 (r315514)
> @@ -202,6 +202,7 @@ MAN= aac.4 \
> icmp.4 \
> icmp6.4 \
> ida.4 \
> + if_ipsec.4 \
> ifmib.4 \
> ig4.4 \
> igb.4 \
>
> Copied: stable/11/share/man/man4/if_ipsec.4 (from r313330, head/share/man/man4/if_ipsec.4)
> ==============================================================================
> --- /dev/null 00:00:00 1970 (empty, because file is newly added)
> +++ stable/11/share/man/man4/if_ipsec.4 Sat Mar 18 22:04:20 2017 (r315514, copy of r313330, head/share/man/man4/if_ipsec.4)
> @@ -0,0 +1,141 @@
> +.\" Copyright (c) 2017 Andrey V. Elsukov <ae at FreeBSD.org>
> +.\" All rights reserved.
> +.\"
> +.\" Redistribution and use in source and binary forms, with or without
> +.\" modification, are permitted provided that the following conditions
> +.\" are met:
> +.\" 1. Redistributions of source code must retain the above copyright
> +.\" notice, this list of conditions and the following disclaimer.
> +.\" 2. Redistributions in binary form must reproduce the above copyright
> +.\" notice, this list of conditions and the following disclaimer in the
> +.\" documentation and/or other materials provided with the distribution.
> +.\"
> +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
> +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
> +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> +.\" SUCH DAMAGE.
> +.\"
> +.\" $FreeBSD$
> +.\"
> +.Dd February 6, 2017
> +.Dt if_ipsec 4
> +.Os
> +.Sh NAME
> +.Nm if_ipsec
> +.Nd IPsec virtual tunneling interface
> +.Sh SYNOPSIS
> +The
> +.Cm if_ipsec
> +network interface is a part of the
> +.Fx
> +IPsec implementation.
> +To compile it into the kernel, place this line in the kernel
> +configuration file:
> +.Bd -ragged -offset indent
> +.Cd "options IPSEC"
> +.Ed
> +.Pp
> +It can also be loaded as part of the
> +.Cm ipsec
> +kernel module if the kernel was compiled with
> +.Bd -ragged -offset indent
> +.Cd "options IPSEC_SUPPORT"
> +.Ed
> +.Sh DESCRIPTION
> +The
> +.Nm
> +network interface is targeted for creating route-based VPNs.
> +It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure
> +it with ESP.
> +.Pp
> +.Nm
> +interfaces are dynamically created and destroyed with the
> +.Xr ifconfig 8
> +.Cm create
> +and
> +.Cm destroy
> +subcommands.
> +The administrator must configure IPsec
> +.Cm tunnel
> +endpoint addresses.
> +These addresses will be used for the outer IP header of ESP packets.
> +The administrator can also configure the protocol and addresses for the inner
> +IP header with
> +.Xr ifconfig 8 ,
> +and modify the routing table to route the packets through the
> +.Nm
> +interface.
> +.Pp
> +When the
> +.Nm
> +interface is configured, it automatically creates special security policies.
> +These policies can be used to acquire security associations from the IKE daemon,
> +which are needed for establishing an IPsec tunnel.
> +It is also possible to create needed security associations manually with the
> +.Xr setkey 8
> +utility.
> +.Pp
> +Each
> +.Nm
> +interface has an additional numeric configuration option
> +.Cm reqid Ar id .
> +This
> +.Ar id
> +is used to distinguish traffic and security policies between several
> +.Nm
> +interfaces.
> +The
> +.Cm reqid
> +can be specified on interface creation and changed later.
> +If not specified, it is automatically assigned.
> +Note that changing
> +.Cm reqid
> +will lead to generation of new security policies, and this
> +may require creating new security associations.
> +.Sh EXAMPLES
> +The example below shows manual configuration of an IPsec tunnel
> +between two FreeBSD hosts.
> +Host A has the IP address 192.168.0.3, and host B has the IP address
> +192.168.0.5.
> +.Pp
> +On host A:
> +.Bd -literal -offset indent
> +ifconfig ipsec0 create reqid 100
> +ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
> +ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
> +setkey -c
> +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
> +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
> +^D
> +.Ed
> +.Pp
> +On host B:
> +.Bd -literal -offset indent
> +ifconfig ipsec0 create reqid 200
> +ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
> +ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
> +setkey -c
> +add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
> +add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
> +^D
> +.Ed
> +.Pp
> +Note the value 100 on host A and value 200 on host B are used as reqid.
> +The same value must be used as identifier of the policy entry in the
> +.Xr setkey 8
> +command.
> +.Sh SEE ALSO
> +.Xr gif 4 ,
> +.Xr gre 4 ,
> +.Xr ipsec 4 ,
> +.Xr ifconfig 8 ,
> +.Xr setkey 8
> +.Sh AUTHORS
> +.An Andrey V. Elsukov Aq Mt ae at FreeBSD.org
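Review bot: the EXAMPLES section creates manual ESP SAs with "-E rijndael-cbc" and no "-A" authentication algorithm, so the tunnel it shows has confidentiality but no integrity protection; man page examples get copied verbatim, so add an -A option (hmac-sha2-256 is documented in the setkey.8 change of this same commit) to all four "add" lines and say that the quoted "VerySecureKey!!1" strings are placeholders to be replaced with random key material of the length the algorithm needs. The DESCRIPTION also says the interface "automatically creates special security policies" without saying how to see them; a pointer to "setkey -DP" with the new -t (tunnel scope) flag added in setkey.c by this commit would close that gap, and a sentence on what changing reqid does to existing SAs in the SADB would round off the reqid paragraph.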
>
> Modified: stable/11/share/man/man4/ipsec.4
> ==============================================================================
> --- stable/11/share/man/man4/ipsec.4 Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/share/man/man4/ipsec.4 Sat Mar 18 22:04:20 2017 (r315514)
> @@ -29,7 +29,7 @@
> .\"
> .\" $FreeBSD$
> .\"
> -.Dd November 29, 2009
> +.Dd February 6, 2017
> .Dt IPSEC 4
> .Os
> .Sh NAME
> @@ -37,6 +37,7 @@
> .Nd Internet Protocol Security protocol
> .Sh SYNOPSIS
> .Cd "options IPSEC"
> +.Cd "options IPSEC_SUPPORT"
> .Cd "device crypto"
> .Pp
> .In sys/types.h
> @@ -151,6 +152,16 @@ Refer to
> .Xr setkey 8
> on how to use it.
> .Pp
> +Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
> +transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
> +may be used to configure per-socket security policies.
> +A properly-formed IPsec policy specification structure can be
> +created using
> +.Xr ipsec_set_policy 3
> +function and used as socket option value for the
> +.Xr setsockopt 2
> +call.
> +.Pp
> When setting policies using the
> .Xr setkey 8
> command, the
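Review bot: "created using .Xr ipsec_set_policy 3 function" is missing "the", and IPPROTO_IP, IPPROTO_IPV6, IP_IPSEC_POLICY and IPV6_IPSEC_POLICY should carry .Dv markup like the other constants on this page. The paragraph should also state whether setting a per-socket policy requires privilege and how it interacts with policies installed through setkey(8), since a reader securing a daemon needs to know which one wins for that socket's traffic.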
> @@ -228,6 +239,8 @@ for tweaking the kernel's IPsec behavior
> .It "net.inet.ipsec.dfbit integer yes"
> .It "net.inet.ipsec.ecn integer yes"
> .It "net.inet.ipsec.debug integer yes"
> +.It "net.inet.ipsec.natt_cksum_policy integer yes"
> +.It "net.inet.ipsec.check_policy_history integer yes"
> .It "net.inet6.ipsec6.ecn integer yes"
> .It "net.inet6.ipsec6.debug integer yes"
> .El
> @@ -270,6 +283,23 @@ talks more about the behavior.
> .It Li ipsec.debug
> If set to non-zero, debug messages will be generated via
> .Xr syslog 3 .
> +.It Li ipsec.natt_cksum_policy
> +Controls how the kernel handles TCP and UDP checksums when ESP in UDP
> +encapsulation is used for IPsec transport mode.
> +If set to a non-zero value, the kernel fully recomputes checksums for
> +inbound TCP segments and UDP datagrams after they are decapsulated and
> +decrypted.
> +If set to 0 and original addresses were configured for corresponding SA
> +by the IKE daemon, the kernel incrementally recomputes checksums for
> +inbound TCP segments and UDP datagrams.
> +If addresses were not configured, the checksums are ignored.
> +.It Li ipsec.check_policy_history
> +Enables strict policy checking for inbound packets.
> +By default, inbound security policies check that packets handled by IPsec
> +have been decrypted and authenticated.
> +If this variable is set to a non-zero value, each packet handled by IPsec
> +is checked against the history of IPsec security associations.
> +The IPsec security protocol, mode, and SA addresses must match.
> .El
> .Pp
> Variables under the
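Review bot: neither new sysctl description gives its default value, and both affect security posture. For ipsec.natt_cksum_policy the text says that at 0, with no original addresses configured for the SA, inbound TCP/UDP checksums "are ignored"; say what the default is and that "original addresses" means the pre-NAT addresses the IKE daemon learns during RFC 3948 NAT traversal (without them an incremental fixup is impossible). For ipsec.check_policy_history the wording "if this variable is set to a non-zero value" implies the strict check is off by default; state that explicitly so an administrator can decide whether to enable it.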
> @@ -305,6 +335,7 @@ routines from looking into the IP payloa
> .Xr ipsec_set_policy 3 ,
> .Xr crypto 4 ,
> .Xr enc 4 ,
> +.Xr if_ipsec 4 ,
> .Xr icmp6 4 ,
> .Xr intro 4 ,
> .Xr ip6 4 ,
>
> Modified: stable/11/share/man/man4/tcp.4
> ==============================================================================
> --- stable/11/share/man/man4/tcp.4 Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/share/man/man4/tcp.4 Sat Mar 18 22:04:20 2017 (r315514)
> @@ -34,7 +34,7 @@
> .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
> .\" $FreeBSD$
> .\"
> -.Dd October 21, 2016
> +.Dd February 6, 2017
> .Dt TCP 4
> .Os
> .Sh NAME
> @@ -272,33 +272,27 @@ or the internal send buffer is filled.
> This option enables the use of MD5 digests (also known as TCP-MD5)
> on writes to the specified socket.
> Outgoing traffic is digested;
> -digests on incoming traffic are verified if the
> -.Va net.inet.tcp.signature_verify_input
> -sysctl is nonzero.
> -The current default behavior for the system is to respond to a system
> -advertising this option with TCP-MD5; this may change.
> +digests on incoming traffic are verified.
> +When this option is enabled on a socket, all inbound and outgoing
> +TCP segments must be signed with MD5 digests.
> .Pp
> One common use for this in a
> .Fx
> router deployment is to enable
> based routers to interwork with Cisco equipment at peering points.
> Support for this feature conforms to RFC 2385.
> -Only IPv4
> -.Pq Dv AF_INET
> -sessions are supported.
> .Pp
> In order for this option to function correctly, it is necessary for the
> administrator to add a tcp-md5 key entry to the system's security
> associations database (SADB) using the
> .Xr setkey 8
> utility.
> -This entry must have an SPI of 0x1000 and can therefore only be specified
> -on a per-host basis at this time.
> +This entry can only be specified on a per-host basis at this time.
> .Pp
> -If an SADB entry cannot be found for the destination, the outgoing traffic
> -will have an invalid digest option prepended, and the following error message
> -will be visible on the system console:
> -.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
> +If an SADB entry cannot be found for the destination,
> +the system does not send any outgoing segments and drops any inbound segments.
> +.Pp
> +Each dropped segment is taken into account in the TCP protocol statistics.
> .El
> .Pp
> The option level for the
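Review bot: two removals leave the reader guessing. Dropping "Only IPv4 .Pq Dv AF_INET sessions are supported" should become a positive statement that AF_INET6 sessions are supported, and dropping "must have an SPI of 0x1000" should be replaced by what SPI a tcp-md5 entry is now expected to carry (the setkey.8 hunk header in this commit still shows "add 10.1.10.34 10.1.10.36 tcp 0x1000", so either keep recommending 0x1000 or say any SPI works). The removed net.inet.tcp.signature_verify_input sysctl deserves a sentence saying verification is now unconditional, so stale sysctl.conf entries are understood as no-ops, and "taken into account in the TCP protocol statistics" should name the counter an operator would watch, since a peer whose SADB entry is missing now shows up only as silently dropped segments.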
>
> Modified: stable/11/share/man/man4/udp.4
> ==============================================================================
> --- stable/11/share/man/man4/udp.4 Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/share/man/man4/udp.4 Sat Mar 18 22:04:20 2017 (r315514)
> @@ -28,7 +28,7 @@
> .\" @(#)udp.4 8.1 (Berkeley) 6/5/93
> .\" $FreeBSD$
> .\"
> -.Dd June 5, 1993
> +.Dd February 6, 2017
> .Dt UDP 4
> .Os
> .Sh NAME
> @@ -99,6 +99,17 @@ transport level may be used with
> .Tn UDP ;
> see
> .Xr ip 4 .
> +.Tn UDP_ENCAP
> +socket option may be used at the
> +.Tn IPPROTO_UDP
> +level to encapsulate
> +.Tn ESP
> +packets in
> +.Tn UDP .
> +Only one value is supported for this option:
> +.Tn UDP_ENCAP_ESPINUDP
> +from RFC 3948, defined in
> +.In netinet/udp.h .
> .Sh MIB VARIABLES
> The
> .Nm
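Review bot: ".Tn UDP_ENCAP socket option may be used" needs a leading "The", and UDP_ENCAP and UDP_ENCAP_ESPINUDP are better marked .Dv than .Tn. More importantly the paragraph does not say who is expected to set the option (the IKE daemon on its RFC 3948 NAT-T listening socket) or that checksum handling of the decapsulated packets is governed by net.inet.ipsec.natt_cksum_policy, which this same commit documents in ipsec(4); an .Xr to ipsec(4) here would connect the two.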
> @@ -158,7 +169,8 @@ exists.
> .Xr blackhole 4 ,
> .Xr inet 4 ,
> .Xr intro 4 ,
> -.Xr ip 4
> +.Xr ip 4 ,
> +.Xr udplite 4
> .Sh HISTORY
> The
> .Nm
>
> Modified: stable/11/sys/conf/NOTES
> ==============================================================================
> --- stable/11/sys/conf/NOTES Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sys/conf/NOTES Sat Mar 18 22:04:20 2017 (r315514)
> @@ -613,23 +613,12 @@ options TCP_OFFLOAD # TCP offload supp
> # In order to enable IPSEC you MUST also add device crypto to
> # your kernel configuration
> options IPSEC #IP security (requires device crypto)
> +
> +# Option IPSEC_SUPPORT does not enable IPsec, but makes it possible to
> +# load it as a kernel module. You still MUST add device crypto to your kernel
> +# configuration.
> +options IPSEC_SUPPORT
> #options IPSEC_DEBUG #debug for IP security
> -#
> -# #DEPRECATED#
> -# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
> -# coming through a tunnel to be processed by any configured packet filtering
> -# twice. The default is that packets coming out of a tunnel are _not_ processed;
> -# they are assumed trusted.
> -#
> -# IPSEC history is preserved for such packets, and can be filtered
> -# using ipfw(8)'s 'ipsec' keyword, when this option is enabled.
> -#
> -#options IPSEC_FILTERTUNNEL #filter ipsec packets from a tunnel
> -#
> -# Set IPSEC_NAT_T to enable NAT-Traversal support. This enables
> -# optional UDP encapsulation of ESP packets.
> -#
> -options IPSEC_NAT_T #NAT-T support, UDP encap of ESP
>
> #
> # SMB/CIFS requester
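Review bot: "options IPSEC_NAT_T" is deleted outright with no replacement comment saying whether UDP encapsulation of ESP is now always part of IPSEC; the udp.4 change in this commit documenting UDP_ENCAP_ESPINUDP suggests it is, but NOTES is where people writing kernel configs look, so add one line to that effect. Existing configs still carrying IPSEC_NAT_T or IPSEC_FILTERTUNNEL will now reference unknown options, which belongs in UPDATING. The new IPSEC_SUPPORT comment should also say whether it may be combined with "options IPSEC" or which one wins when both are present.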
> @@ -1015,7 +1004,8 @@ options ACCEPT_FILTER_HTTP
> # carried in TCP option 19. This option is commonly used to protect
> # TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
> # This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
> -# This requires the use of 'device crypto' and 'options IPSEC'.
> +# This requires the use of 'device crypto' and either 'options IPSEC' or
> +# 'options IPSEC_SUPPORT'.
> options TCP_SIGNATURE #include support for RFC 2385
>
> # DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
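Review bot: the comment now allows TCP_SIGNATURE with only "options IPSEC_SUPPORT", but with that option alone the signing code is not present until the corresponding module is loaded; say what a TCP_MD5SIG socket sees before then (the tcp.4 text in this commit says segments without a usable SADB entry are dropped), and that the module must be listed in loader.conf on a BGP router, otherwise the box comes up with its signed sessions refused and nothing in the config explains why.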
>
> Modified: stable/11/sys/conf/files
> ==============================================================================
> --- stable/11/sys/conf/files Sat Mar 18 21:44:42 2017 (r315513)
> +++ stable/11/sys/conf/files Sat Mar 18 22:04:20 2017 (r315514)
> @@ -574,22 +574,24 @@ contrib/ngatm/netnatm/sig/sig_unimsgcpy.
> compile-with "${NORMAL_C} -I$S/contrib/ngatm"
> contrib/ngatm/netnatm/sig/sig_verify.c optional ngatm_uni \
> compile-with "${NORMAL_C} -I$S/contrib/ngatm"
> -crypto/blowfish/bf_ecb.c optional ipsec
> -crypto/blowfish/bf_skey.c optional crypto | ipsec
> -crypto/camellia/camellia.c optional crypto | ipsec
> -crypto/camellia/camellia-api.c optional crypto | ipsec
> -crypto/des/des_ecb.c optional crypto | ipsec | netsmb
> -crypto/des/des_setkey.c optional crypto | ipsec | netsmb
> +crypto/blowfish/bf_ecb.c optional ipsec | ipsec_support
> +crypto/blowfish/bf_skey.c optional crypto | ipsec | ipsec_support
> +crypto/camellia/camellia.c optional crypto | ipsec | ipsec_support
> +crypto/camellia/camellia-api.c optional crypto | ipsec | ipsec_support
> +crypto/des/des_ecb.c optional crypto | ipsec | ipsec_support | netsmb
> +crypto/des/des_setkey.c optional crypto | ipsec | ipsec_support | netsmb
> crypto/rc4/rc4.c optional netgraph_mppc_encryption | kgssapi
> crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
> - ipsec | random !random_loadable | wlan_ccmp
> + ipsec | ipsec_support | random !random_loadable | wlan_ccmp
> crypto/rijndael/rijndael-api-fst.c optional geom_bde | random !random_loadable
> -crypto/rijndael/rijndael-api.c optional crypto | ipsec | wlan_ccmp
> +crypto/rijndael/rijndael-api.c optional crypto | ipsec | ipsec_support | \
> + wlan_ccmp
> crypto/sha1.c optional carp | crypto | ipsec | \
> - netgraph_mppc_encryption | sctp
> -crypto/sha2/sha256c.c optional crypto | geom_bde | ipsec | random !random_loadable | \
> - sctp | zfs
> -crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | zfs
> + ipsec_support | netgraph_mppc_encryption | sctp
> +crypto/sha2/sha256c.c optional crypto | geom_bde | ipsec | \
> + ipsec_support | random !random_loadable | sctp | zfs
> +crypto/sha2/sha512c.c optional crypto | geom_bde | ipsec | \
> + ipsec_support | zfs
> crypto/skein/skein.c optional crypto | zfs
> crypto/skein/skein_block.c optional crypto | zfs
> crypto/siphash/siphash.c optional inet | inet6
> @@ -3592,8 +3594,7 @@ libkern/strtouq.c standard
> libkern/strvalid.c standard
> libkern/timingsafe_bcmp.c standard
> libkern/zlib.c optional crypto | geom_uzip | ipsec | \
> - mxge | netgraph_deflate | \
> - ddb_ctf | gzio
> + ipsec_support | mxge | netgraph_deflate | ddb_ctf | gzio
> net/altq/altq_cbq.c optional altq
> net/altq/altq_cdnr.c optional altq
> net/altq/altq_codel.c optional altq
> @@ -3629,6 +3630,7 @@ net/if_fwsubr.c optional fwip
> net/if_gif.c optional gif inet | gif inet6 | \
> netgraph_gif inet | netgraph_gif inet6
> net/if_gre.c optional gre inet | gre inet6
> +net/if_ipsec.c optional inet ipsec | inet6 ipsec
> net/if_iso88025subr.c optional token
> net/if_lagg.c optional lagg
> net/if_loop.c optional loop
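Review bot: "net/if_ipsec.c optional inet ipsec | inet6 ipsec" builds the interface only when IPSEC is compiled into the kernel, while the new if_ipsec.4 in this commit states that it "can also be loaded as part of the ipsec kernel module if the kernel was compiled with options IPSEC_SUPPORT". Either the module build pulls this file in on its own (then a comment here saying so would stop the next reader from "fixing" it) or the entry should also list ipsec_support, as the crypto/ entries above in this same change do, so the man page and the build stay consistent.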
> @@ -3814,7 +3816,6 @@ netinet/ip_encap.c optional inet | inet
> netinet/ip_fastfwd.c optional inet
> netinet/ip_icmp.c optional inet | inet6
> netinet/ip_input.c optional inet
> -netinet/ip_ipsec.c optional inet ipsec
> netinet/ip_mroute.c optional mrouting inet
> netinet/ip_options.c optional inet
> netinet/ip_output.c optional inet
> @@ -3883,7 +3884,6 @@ netinet6/ip6_id.c optional inet6
> netinet6/ip6_input.c optional inet6
> netinet6/ip6_mroute.c optional mrouting inet6
> netinet6/ip6_output.c optional inet6
> -netinet6/ip6_ipsec.c optional inet6 ipsec
> netinet6/mld6.c optional inet6
> netinet6/nd6.c optional inet6
> netinet6/nd6_nbr.c optional inet6
> @@ -3896,15 +3896,25 @@ netinet6/udp6_usrreq.c optional inet6
> netipsec/ipsec.c optional ipsec inet | ipsec inet6
> netipsec/ipsec_input.c optional ipsec inet | ipsec inet6
> netipsec/ipsec_mbuf.c optional ipsec inet | ipsec inet6
>
> *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
> _______________________________________________
> svn-src-stable-11 at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/svn-src-stable-11
> To unsubscribe, send any mail to "svn-src-stable-11-unsubscribe at freebsd.org"
>
>
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/