Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. =================================================================== RCS file: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v rcsdiff: /ftp/cvs/cvsroot/src/sys/netinet6/ip6_input.c,v: warning: Unknown phrases like `commitid ...;' are present. retrieving revision 1.132.2.3 retrieving revision 1.133 diff -u -p -r1.132.2.3 -r1.133 --- src/sys/netinet6/ip6_input.c 2013/01/16 05:33:50 1.132.2.3 +++ src/sys/netinet6/ip6_input.c 2011/11/19 22:51:29 1.133 @@ -1,4 +1,4 @@ -/* $NetBSD: ip6_input.c,v 1.132.2.3 2013/01/16 05:33:50 yamt Exp $ */ +/* $NetBSD: ip6_input.c,v 1.133 2011/11/19 22:51:29 tls Exp $ */ /* $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $ */ /* @@ -62,7 +62,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.132.2.3 2013/01/16 05:33:50 yamt Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.133 2011/11/19 22:51:29 tls Exp $"); #include "opt_gateway.h" #include "opt_inet.h" @@ -103,7 +103,6 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #endif /* INET */ #include -#include #include #include #include @@ -113,6 +112,11 @@ __KERNEL_RCSID(0, "$NetBSD: ip6_input.c, #include #include +#ifdef IPSEC +#include +#include +#endif + #ifdef FAST_IPSEC #include #include @@ -157,8 +161,7 @@ percpu_t *ip6stat_percpu; static void ip6_init2(void *); static struct m_tag *ip6_setdstifaddr(struct mbuf *, const struct in6_ifaddr *); -static int ip6_process_hopopts(struct mbuf *, u_int8_t *, int, u_int32_t *, - u_int32_t *); +static int ip6_hopopts_input(u_int32_t *, u_int32_t *, struct mbuf **, int *); static struct mbuf *ip6_pullexthdr(struct mbuf *, size_t, int); static void sysctl_net_inet6_ip6_setup(struct sysctllog **); @@ -190,7 +193,7 @@ ip6_init(void) frag6_init(); ip6_desync_factor = cprng_fast32() % MAX_TEMP_DESYNC_FACTOR; - ip6_init2(NULL); + ip6_init2((void *)0); #ifdef GATEWAY ip6flow_init(ip6_hashsize); #endif @@ -276,6 +279,15 @@ ip6_input(struct mbuf *m) int s, error; #endif +#ifdef IPSEC + /* + * should the inner packet be considered authentic? + * see comment in ah4_input(). + */ + m->m_flags &= ~M_AUTHIPHDR; + m->m_flags &= ~M_AUTHIPDGM; +#endif + /* * make sure we don't have onion peering information into m_tag. */ @@ -339,11 +351,16 @@ ip6_input(struct mbuf *m) goto bad; } +#if defined(IPSEC) + /* IPv6 fast forwarding is not compatible with IPsec. */ + m->m_flags &= ~M_CANFASTFWD; +#else /* * Assume that we can create a fast-forward IP flow entry * based on this packet. */ m->m_flags |= M_CANFASTFWD; +#endif #ifdef PFIL_HOOKS /* @@ -357,7 +374,9 @@ ip6_input(struct mbuf *m) * let ipfilter look at packet on the wire, * not the decapsulated packet. */ -#if defined(FAST_IPSEC) +#ifdef IPSEC + if (!ipsec_getnhist(m)) +#elif defined(FAST_IPSEC) if (!ipsec_indone(m)) #else if (1) @@ -766,6 +785,18 @@ ip6_input(struct mbuf *m) } } +#ifdef IPSEC + /* + * enforce IPsec policy checking if we are seeing last header. + * note that we do not visit this with protocols with pcb layer + * code - like udp/tcp/raw ip. + */ + if ((inet6sw[ip6_protox[nxt]].pr_flags & PR_LASTHDR) != 0 && + ipsec6_in_reject(m, NULL)) { + IPSEC6_STATINC(IPSEC_STAT_IN_POLVIO); + goto bad; + } +#endif #ifdef FAST_IPSEC /* * enforce IPsec policy checking if we are seeing last header. @@ -851,7 +882,7 @@ ip6_getdstifaddr(struct mbuf *m) * * rtalertp - XXX: should be stored more smart way */ -int +static int ip6_hopopts_input(u_int32_t *plenp, u_int32_t *rtalertp, struct mbuf **mp, int *offp) { @@ -896,7 +927,7 @@ ip6_hopopts_input(u_int32_t *plenp, u_in * (RFC2460 p7), opthead is pointer into data content in m, and opthead to * opthead + hbhlen is located in continuous memory region. */ -static int +int ip6_process_hopopts(struct mbuf *m, u_int8_t *opthead, int hbhlen, u_int32_t *rtalertp, u_int32_t *plenp) { @@ -1957,64 +1988,6 @@ sysctl_net_inet6_ip6_setup(struct sysctl CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); #endif - /* anonportalgo RFC6056 subtree */ - const struct sysctlnode *portalgo_node; - sysctl_createv(clog, 0, NULL, &portalgo_node, - CTLFLAG_PERMANENT, - CTLTYPE_NODE, "anonportalgo", - SYSCTL_DESCR("Anonymous port algorithm selection (RFC 6056)"), - NULL, 0, NULL, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_STRING, "available", - SYSCTL_DESCR("available algorithms"), - sysctl_portalgo_available, 0, NULL, PORTALGO_MAXLEN, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRING, "selected", - SYSCTL_DESCR("selected algorithm"), - sysctl_portalgo_selected6, 0, NULL, PORTALGO_MAXLEN, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, &portalgo_node, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_STRUCT, "reserve", - SYSCTL_DESCR("bitmap of reserved ports"), - sysctl_portalgo_reserve6, 0, NULL, 0, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "neighborgcthresh", - SYSCTL_DESCR("Maximum number of entries in neighbor" - " cache"), - NULL, 1, &ip6_neighborgcthresh, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifprefixes", - SYSCTL_DESCR("Maximum number of prefixes created by" - " route advertisement per interface"), - NULL, 1, &ip6_maxifprefixes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxifdefrouters", - SYSCTL_DESCR("Maximum number of default routers created" - " by route advertisement per interface"), - NULL, 1, &ip6_maxifdefrouters, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "maxdynroutes", - SYSCTL_DESCR("Maximum number of routes created via" - " redirect"), - NULL, 1, &ip6_maxdynroutes, 0, - CTL_NET, PF_INET6, IPPROTO_IPV6, - CTL_CREATE, CTL_EOL); } void