mirror of
https://github.com/openbsd/src.git
synced 2024-12-22 16:42:56 -08:00
Unlock unlock ipip_sysctl().
- IPIPCTL_ALLOW - atomically accessed integer; - IPIPCTL_STATS - per-CPU counters; In ipip_input() load `ipip_allow' value to `ipip_allow_local' and pass it down to ipip_input_if() as `allow' arg. ok bluhm
This commit is contained in:
parent
f9d2544ecb
commit
7af0f08f59
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: in_proto.c,v 1.112 2024/08/21 12:53:36 mvs Exp $ */
|
/* $OpenBSD: in_proto.c,v 1.113 2024/08/22 10:58:31 mvs Exp $ */
|
||||||
/* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */
|
/* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@ -230,7 +230,7 @@ const struct protosw inetsw[] = {
|
|||||||
.pr_type = SOCK_RAW,
|
.pr_type = SOCK_RAW,
|
||||||
.pr_domain = &inetdomain,
|
.pr_domain = &inetdomain,
|
||||||
.pr_protocol = IPPROTO_IPV4,
|
.pr_protocol = IPPROTO_IPV4,
|
||||||
.pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET,
|
.pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET|PR_MPSYSCTL,
|
||||||
#if NGIF > 0
|
#if NGIF > 0
|
||||||
.pr_input = in_gif_input,
|
.pr_input = in_gif_input,
|
||||||
#else
|
#else
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: ip_ipip.c,v 1.104 2024/08/21 12:53:36 mvs Exp $ */
|
/* $OpenBSD: ip_ipip.c,v 1.105 2024/08/22 10:58:31 mvs Exp $ */
|
||||||
/*
|
/*
|
||||||
* The authors of this code are John Ioannidis (ji@tla.org),
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
||||||
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
||||||
@ -72,6 +72,11 @@
|
|||||||
#include <net/pfvar.h>
|
#include <net/pfvar.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Locks used to protect data:
|
||||||
|
* a atomic
|
||||||
|
*/
|
||||||
|
|
||||||
#ifdef ENCDEBUG
|
#ifdef ENCDEBUG
|
||||||
#define DPRINTF(fmt, args...) \
|
#define DPRINTF(fmt, args...) \
|
||||||
do { \
|
do { \
|
||||||
@ -87,7 +92,7 @@
|
|||||||
* We can control the acceptance of IP4 packets by altering the sysctl
|
* We can control the acceptance of IP4 packets by altering the sysctl
|
||||||
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
|
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
|
||||||
*/
|
*/
|
||||||
int ipip_allow = 0;
|
int ipip_allow = 0; /* [a] */
|
||||||
|
|
||||||
struct cpumem *ipipcounters;
|
struct cpumem *ipipcounters;
|
||||||
|
|
||||||
@ -104,9 +109,10 @@ int
|
|||||||
ipip_input(struct mbuf **mp, int *offp, int nxt, int af)
|
ipip_input(struct mbuf **mp, int *offp, int nxt, int af)
|
||||||
{
|
{
|
||||||
struct ifnet *ifp;
|
struct ifnet *ifp;
|
||||||
|
int ipip_allow_local = atomic_load_int(&ipip_allow);
|
||||||
|
|
||||||
/* If we do not accept IP-in-IP explicitly, drop. */
|
/* If we do not accept IP-in-IP explicitly, drop. */
|
||||||
if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) {
|
if (ipip_allow_local == 0 && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) {
|
||||||
DPRINTF("dropped due to policy");
|
DPRINTF("dropped due to policy");
|
||||||
ipipstat_inc(ipips_pdrops);
|
ipipstat_inc(ipips_pdrops);
|
||||||
m_freemp(mp);
|
m_freemp(mp);
|
||||||
@ -118,7 +124,7 @@ ipip_input(struct mbuf **mp, int *offp, int nxt, int af)
|
|||||||
m_freemp(mp);
|
m_freemp(mp);
|
||||||
return IPPROTO_DONE;
|
return IPPROTO_DONE;
|
||||||
}
|
}
|
||||||
nxt = ipip_input_if(mp, offp, nxt, af, ifp);
|
nxt = ipip_input_if(mp, offp, nxt, af, ipip_allow_local, ifp);
|
||||||
if_put(ifp);
|
if_put(ifp);
|
||||||
|
|
||||||
return nxt;
|
return nxt;
|
||||||
@ -133,7 +139,7 @@ ipip_input(struct mbuf **mp, int *offp, int nxt, int af)
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
int
|
int
|
||||||
ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf,
|
ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf, int allow,
|
||||||
struct ifnet *ifp)
|
struct ifnet *ifp)
|
||||||
{
|
{
|
||||||
struct mbuf *m = *mp;
|
struct mbuf *m = *mp;
|
||||||
@ -271,7 +277,7 @@ ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Check for local address spoofing. */
|
/* Check for local address spoofing. */
|
||||||
if (!(ifp->if_flags & IFF_LOOPBACK) && ipip_allow != 2) {
|
if (!(ifp->if_flags & IFF_LOOPBACK) && allow != 2) {
|
||||||
struct sockaddr_storage ss;
|
struct sockaddr_storage ss;
|
||||||
struct rtentry *rt;
|
struct rtentry *rt;
|
||||||
|
|
||||||
@ -584,19 +590,14 @@ int
|
|||||||
ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
|
ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
|
||||||
size_t newlen)
|
size_t newlen)
|
||||||
{
|
{
|
||||||
int error;
|
|
||||||
|
|
||||||
/* All sysctl names at this level are terminal. */
|
/* All sysctl names at this level are terminal. */
|
||||||
if (namelen != 1)
|
if (namelen != 1)
|
||||||
return (ENOTDIR);
|
return (ENOTDIR);
|
||||||
|
|
||||||
switch (name[0]) {
|
switch (name[0]) {
|
||||||
case IPIPCTL_ALLOW:
|
case IPIPCTL_ALLOW:
|
||||||
NET_LOCK();
|
return (sysctl_int_bounded(oldp, oldlenp, newp, newlen,
|
||||||
error = sysctl_int_bounded(oldp, oldlenp, newp, newlen,
|
&ipip_allow, 0, 2));
|
||||||
&ipip_allow, 0, 2);
|
|
||||||
NET_UNLOCK();
|
|
||||||
return (error);
|
|
||||||
case IPIPCTL_STATS:
|
case IPIPCTL_STATS:
|
||||||
return (ipip_sysctl_ipipstat(oldp, oldlenp, newp));
|
return (ipip_sysctl_ipipstat(oldp, oldlenp, newp));
|
||||||
default:
|
default:
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: ip_ipip.h,v 1.13 2021/10/13 14:36:31 bluhm Exp $ */
|
/* $OpenBSD: ip_ipip.h,v 1.14 2024/08/22 10:58:31 mvs Exp $ */
|
||||||
/*
|
/*
|
||||||
* The authors of this code are John Ioannidis (ji@tla.org),
|
* The authors of this code are John Ioannidis (ji@tla.org),
|
||||||
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
* Angelos D. Keromytis (kermit@csd.uch.gr) and
|
||||||
@ -114,7 +114,7 @@ struct tdb;
|
|||||||
|
|
||||||
void ipip_init(void);
|
void ipip_init(void);
|
||||||
int ipip_input(struct mbuf **, int *, int, int);
|
int ipip_input(struct mbuf **, int *, int, int);
|
||||||
int ipip_input_if(struct mbuf **, int *, int, int, struct ifnet *);
|
int ipip_input_if(struct mbuf **, int *, int, int, int, struct ifnet *);
|
||||||
int ipip_output(struct mbuf **, struct tdb *);
|
int ipip_output(struct mbuf **, struct tdb *);
|
||||||
int ipip_sysctl(int *, u_int, void *, size_t *, void *, size_t);
|
int ipip_sysctl(int *, u_int, void *, size_t *, void *, size_t);
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user