Module Name: src
Committed By: maxv
Date: Sun Apr 22 10:25:40 UTC 2018
Modified Files:
src/sys/netipsec: ipip_var.h ipsec_netbsd.c xform_ipip.c
Log Message:
Rename ipip_allow->ipip_spoofcheck, and add net.inet.ipsec.ipip_spoofcheck.
Makes it simpler, and also fixes PR/39919.
To generate a diff of this commit:
cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/ipip_var.h
cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/ipsec_netbsd.c
cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/xform_ipip.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/sys/netipsec/ipip_var.h
diff -u src/sys/netipsec/ipip_var.h:1.5 src/sys/netipsec/ipip_var.h:1.6
--- src/sys/netipsec/ipip_var.h:1.5 Thu Apr 19 08:27:38 2018
+++ src/sys/netipsec/ipip_var.h Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipip_var.h,v 1.5 2018/04/19 08:27:38 maxv Exp $ */
+/* $NetBSD: ipip_var.h,v 1.6 2018/04/22 10:25:40 maxv Exp $ */
/* $FreeBSD: ipip_var.h,v 1.1.4.1 2003/01/24 05:11:35 sam Exp $ */
/* $OpenBSD: ip_ipip.h,v 1.5 2002/06/09 16:26:10 itojun Exp $ */
/*
@@ -59,6 +59,6 @@
#define IPIP_NSTATS 10
#ifdef _KERNEL
-extern int ipip_allow;
+extern int ipip_spoofcheck;
#endif /* _KERNEL */
#endif /* !_NETINET_IPIP_H_ */
Index: src/sys/netipsec/ipsec_netbsd.c
diff -u src/sys/netipsec/ipsec_netbsd.c:1.52 src/sys/netipsec/ipsec_netbsd.c:1.53
--- src/sys/netipsec/ipsec_netbsd.c:1.52 Wed Apr 18 07:38:02 2018
+++ src/sys/netipsec/ipsec_netbsd.c Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $ */
+/* $NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $ */
/* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
/* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.52 2018/04/18 07:38:02 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.53 2018/04/22 10:25:40 maxv Exp $");
#if defined(_KERNEL_OPT)
#include "opt_inet.h"
@@ -624,6 +624,12 @@ sysctl_net_inet_ipsec_setup(struct sysct
CTL_NET, PF_INET, ipproto_ipsec,
IPSECCTL_DEBUG, CTL_EOL);
sysctl_createv(clog, 0, NULL, NULL,
+ CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+ CTLTYPE_INT, "ipip_spoofcheck", NULL,
+ NULL, 0, &ipip_spoofcheck, 0,
+ CTL_NET, PF_INET, ipproto_ipsec,
+ CTL_CREATE, CTL_EOL);
+ sysctl_createv(clog, 0, NULL, NULL,
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
CTLTYPE_STRUCT, "ipsecstats", NULL,
sysctl_net_inet_ipsec_stats, 0, NULL, 0,
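Review bot: The new `ipip_spoofcheck` node is created with a NULL description and no handler, so a writable knob that can switch off an anti-spoofing check is undocumented in `sysctl -d` output and accepts any integer. Pass a description in place of the NULL that follows the name, e.g. `SYSCTL_DESCR("Enable local address spoofing check on IPIP input")`. Since `_ipip_input` only tests the variable for nonzero, a small handler that restricts the value to 0 or 1 would also keep the reported setting unambiguous for anyone auditing the host. The enclosing function sysctl_net_inet_ipsec_setup starts and ends outside this hunk.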
Index: src/sys/netipsec/xform_ipip.c
diff -u src/sys/netipsec/xform_ipip.c:1.66 src/sys/netipsec/xform_ipip.c:1.67
--- src/sys/netipsec/xform_ipip.c:1.66 Thu Apr 19 08:27:39 2018
+++ src/sys/netipsec/xform_ipip.c Sun Apr 22 10:25:40 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $ */
+/* $NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $ */
/* $FreeBSD: xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
/* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
@@ -39,7 +39,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.66 2018/04/19 08:27:39 maxv Exp $");
+__KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.67 2018/04/22 10:25:40 maxv Exp $");
/*
* IP-inside-IP processing
@@ -87,7 +87,7 @@ __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c
/* XXX IPCOMP */
#define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
-int ipip_allow = 0;
+int ipip_spoofcheck = 1;
percpu_t *ipipstat_percpu;
void ipe4_attach(void);
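Review bot: `ipip_spoofcheck` is defined without a comment, and its polarity is inverted relative to the `ipip_allow` it replaces. The old test in `_ipip_input` skipped the check only for the value 2, while the new one skips it for 0. A one-line comment on the definition would make that plain, e.g. `/* Nonzero: run the local address spoofing check in _ipip_input(); set via net.inet.ipsec.ipip_spoofcheck. */`. Any other code or configuration that relied on the old tri-state value is not visible here and should be checked, so that a former setting of 2 is not carried over as "check enabled".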
@@ -254,7 +254,7 @@ _ipip_input(struct mbuf *m, int iphlen)
/* Check for local address spoofing. */
if ((m_get_rcvif_NOMPSAFE(m) == NULL ||
!(m_get_rcvif_NOMPSAFE(m)->if_flags & IFF_LOOPBACK)) &&
- ipip_allow != 2) {
+ ipip_spoofcheck) {
int s = pserialize_read_enter();
IFNET_READER_FOREACH(ifp) {
IFADDR_READER_FOREACH(ifa, ifp) {