NetBSD Problem Report #39919

From Wolfgang.Stukenbrock@nagler-company.com  Fri Nov 14 13:27:15 2008
Return-Path: <Wolfgang.Stukenbrock@nagler-company.com>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id CFBDB63B889
	for <gnats-bugs@gnats.NetBSD.org>; Fri, 14 Nov 2008 13:27:15 +0000 (UTC)
Message-Id: <20081114132712.486E5122E58@s040.nagler-company.com>
Date: Fri, 14 Nov 2008 14:27:12 +0100 (CET)
From: Wolfgang.Stukenbrock@nagler-company.com
Reply-To: Wolfgang.Stukenbrock@nagler-company.com
To: gnats-bugs@gnats.NetBSD.org
Subject: no access to ipip_allow kernel variable via sysctl
X-Send-Pr-Version: 3.95

>Number:         39919
>Category:       kern
>Synopsis:       IPsec: no access to ipip_allow kernel variable via sysctl
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Fri Nov 14 13:30:01 +0000 2008
>Closed-Date:    Sun Apr 22 10:45:10 +0000 2018
>Last-Modified:  Sun Apr 22 10:45:10 +0000 2018
>Originator:     Wolfgang Stukenbrock
>Release:        NetBSD 4.0
>Organization:
Dr. Nagler & Company GmbH

>Environment:


System: NetBSD s040 4.0 NetBSD 4.0 (NSW-S040) #15: Fri Sep 26 14:12:09 CEST 2008 wgstuken@s012:/export/NetBSD-4.0/N+C-build/.OBJDIR_amd64/export/NetBSD-4.0/src/sys/arch/amd64/compile/NSW-S040 amd64
Architecture: x86_64
Machine: amd64
>Description:
	The kernel variable ipip_allow in netipsec/xform_ipip.c controls the behaviour of ipip-packets
	with possible spoofed addresses in the FAST_IPSEC implementation.
	The variable gets initialized to 0 - drop all spoofed attempts.
	The value 2 will allow processing of such packets, but there is no way to access it via sysctl interface.
	There is some code to add it for FreeBSD, but in ipsec_netbsd.c the variable is missing.

	The following fix will add this variable to the sysctl interface and allow access to it.
	Perhaps some documentation should be updated too, but this variable is only present if
	the kernel is compiled with FAST_IPSEC, so I'm not sure where to add it in the documentation.
>How-To-Repeat:
	Setup a kernel with FAST_IPSEC and try to change ipip_allow via sysctl. You will fail, because it is not available there.
>Fix:
	Here is the output of "rcsdiff -u" that will add the missing definition to /sys/netipsec/ipsec_netbsd.c.
	remarks:
	  I've used the name "allow" for the variable mentioned in a comment in sys/netipsec/xform_ipip.c.
	  I've used IPSECCTL_DFBIT in the new entry, because I've no better idea. IPSECCTL_DFBIT seems to be
	  a definition that stands for itself only, so there should be no side effects. There is no other reference to
	  this name in the whole source other than the sysctl definitions. In the final fix, perhaps another value will
	  be the better choice ...

RCS file: RCS/ipsec_netbsd.c,v
retrieving revision 1.1
diff -u -r1.1 ipsec_netbsd.c
--- ipsec_netbsd.c      2008/11/14 12:58:25     1.1
+++ ipsec_netbsd.c      2008/11/14 13:13:38
@@ -516,6 +516,12 @@
                       NULL, 0, NULL, 0,
                       CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
        sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "allow", NULL,
+                      NULL, 0, &ipip_allow, 0,
+                      CTL_NET, PF_INET, IPPROTO_IPIP,
+                      IPSECCTL_DFBIT, CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
                       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
                       CTLTYPE_STRUCT, "ipip_stats", NULL,
                       NULL, 0, &ipipstat, sizeof(ipipstat),
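Review bot: the new entry's node number at `IPSECCTL_DFBIT, CTL_EOL);` reuses an IPSECCTL_* constant under CTL_NET/PF_INET/IPPROTO_IPIP, which ties this knob to an unrelated definition; a dedicated identifier for the ipip subtree would be the cleaner choice, as the remark above already anticipates. The hunk also takes `&ipip_allow` but shows no declaration in ipsec_netbsd.c, so confirm the variable is visible here (extern, via the ipip header) and that the file still builds with FAST_IPSEC. Since the node is CTLFLAG_READWRITE and changes how packets with possibly spoofed addresses are handled, the new sysctl should be documented with the other FAST_IPSEC knobs rather than left undocumented.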

>Release-Note:

>Audit-Trail:

From: "Maxime Villard" <maxv@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/39919 CVS commit: src/sys/netipsec
Date: Sun, 22 Apr 2018 10:25:40 +0000

 Module Name:	src
 Committed By:	maxv
 Date:		Sun Apr 22 10:25:40 UTC 2018

 Modified Files:
 	src/sys/netipsec: ipip_var.h ipsec_netbsd.c xform_ipip.c

 Log Message:
 Rename ipip_allow->ipip_spoofcheck, and add net.inet.ipsec.ipip_spoofcheck.
 Makes it simpler, and also fixes PR/39919.


 To generate a diff of this commit:
 cvs rdiff -u -r1.5 -r1.6 src/sys/netipsec/ipip_var.h
 cvs rdiff -u -r1.52 -r1.53 src/sys/netipsec/ipsec_netbsd.c
 cvs rdiff -u -r1.66 -r1.67 src/sys/netipsec/xform_ipip.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Sun, 22 Apr 2018 10:45:10 +0000
State-Changed-Why:
fixed


>Unformatted:
