Module Name: src Committed By: maxv Date: Sun Apr 22 10:25:40 UTC 2018
Modified Files: src/sys/netipsec: ipip_var.h ipsec_netbsd.c xform_ipip.c Log Message: Rename ipip_allow->ipip_spoofcheck, and add net.inet.ipsec.ipip_spoofcheck. Makes it simpler, and also fixes PR/39919. To generate a diff of this commit: cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/ipip_var.h cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/ipsec_netbsd.c cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/xform_ipip.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipip_var.h
diff -u src/sys/netipsec/ipip_var.h:1.5 src/sys/netipsec/ipip_var.h:1.6
--- src/sys/netipsec/ipip_var.h:1.5 Thu Apr 19 08:27:38 2018
+++ src/sys/netipsec/ipip_var.h Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipip_var.h,v 1.5 2018/04/19 08:27:38 maxv Exp $ */
+/* $NetBSD: ipip_var.h,v 1.6 2018/04/22 10:25:40 maxv Exp $ */
 /* $FreeBSD: ipip_var.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */
 /* $OpenBSD: ip_ipip.h,v 1.5 2002/06/09 16:26:10 itojun Exp $ */
 /*
@@ -59,6 +59,6 @@
 #define IPIP_NSTATS 10
 #ifdef _KERNEL
-extern int ipip_allow;
+extern int ipip_spoofcheck;
 #endif /* _KERNEL */
 #endif /* !_NETINET_IPIP_H_ */
Index: src/sys/netipsec/ipsec_netbsd.c
diff -u src/sys/netipsec/ipsec_netbsd.c:1.52 src/sys/netipsec/ipsec_netbsd.c:1.53
--- src/sys/netipsec/ipsec_netbsd.c:1.52 Wed Apr 18 07:38:02 2018
+++ src/sys/netipsec/ipsec_netbsd.c Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $ */
+/* $NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $ */
 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_inet.h"
@@ -624,6 +624,12 @@ sysctl_net_inet_ipsec_setup(struct sysct
 CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_DEBUG, CTL_EOL);
 sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "ipip_spoofcheck", NULL,
+ NULL, 0, &ipip_spoofcheck, 0,
+ CTL_NET, PF_INET, ipproto_ipsec,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
 CTLFLAG_PERMANENT|CTLFLAG_READONLY, CTLTYPE_STRUCT, "ipsecstats", NULL, sysctl_net_inet_ipsec_stats, 0, NULL, 0,
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.66 src/sys/netipsec/xform_ipip.c:1.67
--- src/sys/netipsec/xform_ipip.c:1.66 Thu Apr 19 08:27:39 2018
+++ src/sys/netipsec/xform_ipip.c Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $ */
 /* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $");
 /*
 * IP-inside-IP processing
@@ -87,7 +87,7 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c
 /* XXX IPCOMP */
 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
-int ipip_allow = 0;
+int ipip_spoofcheck = 1;
 percpu_t *ipipstat_percpu;
 void ipe4_attach(void);
@@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen)
 /* Check for local address spoofing. */
 if ((m_get_rcvif_NOMPSAFE(m) == NULL || !(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK)) &&
- ipip_allow != 2) {
+ ipip_spoofcheck) {
 int s = pserialize_read_enter();
 IFNET_READER_FOREACH(ifp) {
 IFADDR_READER_FOREACH(ifa, ifp) {
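Review bot: The new `ipip_spoofcheck` node in the `-624,6` hunk is created with `NULL` for both its description and its handler. The knob that can switch off the local address spoofing check in `_ipip_input` is therefore undocumented in `sysctl -d` output, and it accepts any integer although the use site only tests for non-zero. I would replace the `NULL` after the name with a description, e.g. `SYSCTL_DESCR("Check IP-in-IP input for local address spoofing")`; restricting writes to 0/1 would need a handler and is optional. Because clearing the value at runtime removes that check, the default of 1 should be stated wherever the sysctl is documented. The body of `sysctl_net_inet_ipsec_setup` starts and ends outside this hunk.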
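Review bot: `int ipip_spoofcheck = 1;` in the `-87,7` hunk has no comment, and the rename inverts the value semantics: the old `ipip_allow` skipped the check only when set to 2, while the new variable skips it when set to 0 (see the `_ipip_input` hunk at `-254,7`). A one-line comment would make that explicit, e.g. `/* non-zero: run the local address spoofing check in _ipip_input(); sysctl net.inet.ipsec.ipip_spoofcheck */`. No other reader of the old variable is visible in this diff, so it is worth confirming that none relied on the values 0/1/2.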