upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-03-12 21:52:51 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/sys/netinet
History
Andrey V. Elsukov 627c036f65 Remove IPsec related PCB code from SCTP. 
The inpcb structure has inp_sp pointer that is initialized by
ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec
security policies associated with a specific socket.
An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket
options to configure these security policies. Then ip[6]_output()
uses inpcb pointer to specify that an outgoing packet is associated
with some socket. And IPSEC_OUTPUT() method can use a security policy
stored in the inp_sp. For inbound packet the protocol-specific input
routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms
to inbound security policy configured in the inpcb.

SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends
packets. Thus IPSEC_OUTPUT() method does not consider such packets as
associated with some socket and can not apply security policies
from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY()
method is called from protocol-specific input routine, it can specify
inpcb pointer and associated with socket inbound policy will be
checked. But there are two problems:
1. Such check is asymmetric, becasue we can not apply security policy
from inpcb for outgoing packet.
2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and
access to inp_sp is protected. But for SCTP this is not correct,
becasue SCTP uses own locks to protect inpcb.

To fix these problems remove IPsec related PCB code from SCTP.
This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options
will be not applicable to SCTP sockets. To be able correctly check
inbound security policies for SCTP, mark its protocol header with
the PR_LASTHDR flag.

Reported by:	tuexen
Reviewed by:	tuexen
Differential Revision:	https://reviews.freebsd.org/D9538
2017-02-13 11:37:52 +00:00
..
cc Fix a variety of cosmetic typos and misspellings 2017-01-15 18:00:45 +00:00
khelp Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
libalias sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
tcp_stacks Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
accf_data.c Rework socket upcalls to close some races with setup/teardown of upcalls. 2009-06-01 21:17:03 +00:00
accf_dns.c In preparation of merging projects/sendfile, transform bare access to 2014-11-12 09:57:15 +00:00
accf_http.c In preparation of merging projects/sendfile, transform bare access to 2014-11-12 09:57:15 +00:00
icmp6.h Add missing constants from RFCs 4443 and 6550 2016-06-06 00:35:45 +00:00
icmp_var.h Use counter_ratecheck() in the ICMP rate limiting. 2016-12-09 17:59:15 +00:00
if_atm.c The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare 2013-10-26 17:58:36 +00:00
if_atm.h Add const qualifier to the dst parameter of the ifnet if_output method. 2013-04-26 12:50:32 +00:00
if_ether.c Add GARP retransmit capability 2016-10-02 01:42:45 +00:00
if_ether.h This change re-adds L2 caching for TCP and UDP, as originally added in D4306 2016-06-02 17:51:29 +00:00
igmp.c With clang 3.9.0, compiling sys/netinet/igmp.c results in the following 2016-09-04 17:23:10 +00:00
igmp.h These are no longer referenced in the tree, so can be safely removed. 2009-06-10 18:12:15 +00:00
igmp_var.h - Rename 'struct igmp_ifinfo' into 'struct igmp_ifsoftc', since it really 2015-02-19 22:35:23 +00:00
in.c After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
in.h Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
in_cksum.c nobody uses this file except the userspace ipfw code, but the cast 2012-07-31 08:04:49 +00:00
in_debug.c Remove last remnants of classful addressing: 2011-10-15 16:28:06 +00:00
in_fib.c MFP r287070,r287073: split radix implementation and route table structure. 2016-01-25 06:33:15 +00:00
in_fib.h Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
in_gif.c Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
in_jail.c Move IPv4-specific jail functions to new file netinet/in_jail.c 2016-08-09 02:16:21 +00:00
in_kdtrace.c Add an mbuf to ipinfo_t translator to finish cleanup of mbuf passing to TCP probes. 2017-02-01 19:33:00 +00:00
in_kdtrace.h Fix style issues around existing SDT probes. 2015-12-16 23:39:27 +00:00
in_mcast.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
in_pcb.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
in_pcb.h Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
in_pcbgroup.c Unbreak the RSS/PCBGROUp build. 2016-03-31 00:53:23 +00:00
in_prot.c Remove BSD and USL copyright and update license block in in_prot.c, as the 2016-07-28 18:39:30 +00:00
in_proto.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
in_rmx.c Code duplication but rib_head is special. Not found an easy way to go 2016-02-03 21:56:51 +00:00
in_rss.c Rename rss_soft_m2cpuid() -> rss_soft_m2cpuid_v4() in preparation for 2015-08-29 06:58:30 +00:00
in_rss.h Rename rss_soft_m2cpuid() -> rss_soft_m2cpuid_v4() in preparation for 2015-08-29 06:58:30 +00:00
in_systm.h Prepare for network stack as a module 2016-07-27 20:34:09 +00:00
in_var.h Add GARP retransmit capability 2016-10-02 01:42:45 +00:00
ip.h sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
ip6.h Eliminate use of M_EXT in IP6_EXTHDR_CHECK() by trimming a redundant 2014-10-05 06:28:53 +00:00
ip_carp.c After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
ip_carp.h After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
ip_divert.c The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
ip_divert.h Various cleanup done in ipfw3-head branch including: 2010-01-04 19:01:22 +00:00
ip_dummynet.h Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE). 2016-05-26 21:40:13 +00:00
ip_ecn.c
ip_ecn.h Remove unneded #include "opt_inet.h". 2015-07-31 09:02:28 +00:00
ip_encap.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
ip_encap.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
ip_fastfwd.c When we are sending IP fragments, update ip pointers in IP_PROBE() for 2016-12-29 19:57:46 +00:00
ip_fw.h Add stats reset command implementation to NPTv6 module 2016-08-13 16:45:14 +00:00
ip_gre.c o Use new function ip_fillid() in all places throughout the kernel, 2015-04-01 22:26:39 +00:00
ip_icmp.c Fix build for 32-bit machines. 2016-12-09 20:50:35 +00:00
ip_icmp.h Add support for handling ICMP and ICMP6 messages sent in response 2016-04-29 20:22:01 +00:00
ip_id.c Replace a number of conflations of mp_ncpus and mp_maxid with either 2016-07-06 14:09:49 +00:00
ip_input.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
ip_mroute.c Remove the 4.3BSD compatible macro m_copy(), use m_copym() instead. 2016-09-15 07:41:48 +00:00
ip_mroute.h Migrate structs arpstat, icmpstat, mrtstat, pimstat and udpstat to PCPU 2013-07-09 09:50:15 +00:00
ip_options.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
ip_options.h Make net.inet.ip.sourceroute, net.inet.ip.accept_sourceroute, and 2014-09-15 07:20:40 +00:00
ip_output.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
ip_reass.c Fix RSS build - netisr input / NETISR_IP_DIRECT is used here. 2015-04-15 00:57:21 +00:00
ip_var.h The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
pim.h
pim_var.h Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have 2014-08-08 01:57:15 +00:00
raw_ip.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
sctp.h This is work done by Michael Tuexen and myself at the IETF. This 2016-04-07 09:10:34 +00:00
sctp_asconf.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_asconf.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_auth.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_auth.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_bsd_addr.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_bsd_addr.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_cc_functions.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_constants.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctp_crc32.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_crc32.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_dtrace_declare.h - For kernel compiled only with KDTRACE_HOOKS and not any lock debugging 2013-11-25 07:38:45 +00:00
sctp_dtrace_define.h This is work done by Michael Tuexen and myself at the IETF. This 2016-04-07 09:10:34 +00:00
sctp_header.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctp_indata.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_indata.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_input.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_input.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_lock_bsd.h netinet/sctp*: minor spelling fixes in comments. 2016-05-02 20:56:11 +00:00
sctp_os.h Use consistent text at the begining of the files. 2012-05-23 11:26:28 +00:00
sctp_os_bsd.h Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_output.c Ensure that the variable bail is always initialized before used. 2017-02-01 00:10:29 +00:00
sctp_output.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_pcb.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_pcb.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_peeloff.c Add a SCTP socket option to limit the cwnd for each path. 2015-03-10 19:49:25 +00:00
sctp_peeloff.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_ss_functions.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_structs.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_syscalls.c Use getsock_cap() instead of deprecated fgetsock(). 2017-01-13 16:54:44 +00:00
sctp_sysctl.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_sysctl.h Retire net.inet.sctp.strict_sacks and net.inet.sctp.strict_data_order 2016-05-12 16:34:59 +00:00
sctp_timer.c Remove a duplicate debug statement. 2017-01-31 23:34:02 +00:00
sctp_timer.h Code cleanup which will silence a warning in PVS / D5245. 2016-02-17 18:04:22 +00:00
sctp_uio.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_usrreq.c Take the SCTP common header into account when computing the 2017-01-31 23:36:31 +00:00
sctp_var.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctputil.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctputil.h Whitespace changes. 2016-12-26 11:06:41 +00:00
siftr.c Use SI_SUB_LAST instead of SI_SUB_SMP as the "catch-all" subsystem. 2016-03-11 23:18:06 +00:00
tcp.h Provide new socket option TCP_CCALGOOPT, which stands for TCP congestion 2016-01-22 02:07:48 +00:00
tcp_debug.c Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_debug.h Use uint32_t instead of n_long and n_time, and uint16_t instead of n_short. 2009-02-13 15:14:43 +00:00
tcp_fastopen.c Fix VIMAGE-related bugs in TFO. The autokey callout vnet context was 2017-02-03 17:02:57 +00:00
tcp_fastopen.h Implementation of server-side TCP Fast Open (TFO) [RFC7413]. 2015-12-24 19:09:48 +00:00
tcp_fsm.h Update TCPS_HAVERCVDFIN() macro to correctly include all states a connection 2016-08-26 17:48:54 +00:00
tcp_hostcache.c sysctl net.inet.tcp.hostcache.list in a jail can see connections from other 2017-01-05 17:22:09 +00:00
tcp_hostcache.h Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_input.c Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_lro.c Pass the number of segments coalesced by LRO up the stack by repurposing the 2016-08-25 13:33:32 +00:00
tcp_lro.h tcp/lro: Implement hash table for LRO entries. 2016-08-02 06:36:47 +00:00
tcp_offload.c Augment struct tcpstat with tcps_states[], which is used for book-keeping 2016-01-27 00:45:46 +00:00
tcp_offload.h - Updated TOE support in the kernel. 2012-06-19 07:34:13 +00:00
tcp_output.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_pcap.c The TCPPCAP debugging feature caches recently-used mbufs for use in 2016-07-06 16:17:13 +00:00
tcp_pcap.h The TCPPCAP debugging feature caches recently-used mbufs for use in 2016-07-06 16:17:13 +00:00
tcp_reass.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
tcp_sack.c Remove a KASSERT which is not always true. 2016-12-25 17:37:18 +00:00
tcp_seq.h Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_subr.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_syncache.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_syncache.h Grab a snap amount of TCP connections in syncache from tcpstat. 2016-01-27 00:48:05 +00:00
tcp_timer.c Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_timer.h Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_timewait.c Ensure that TCP state changes to state-closing are reported via dtrace. 2016-11-19 14:45:08 +00:00
tcp_usrreq.c Revert r313527 2017-02-10 05:58:16 +00:00
tcp_var.h Move tcp_fields_to_net() static inline into tcp_var.h, just below its 2017-02-10 17:46:26 +00:00
tcpip.h
toecore.c This change re-adds L2 caching for TCP and UDP, as originally added in D4306 2016-06-02 17:51:29 +00:00
toecore.h * Convert TOE framework to use new routing api. 2014-10-25 18:25:00 +00:00
udp.h Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
udp_usrreq.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
udp_var.h The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
udplite.h Add support for UDP-Lite protocol (RFC 3828) to IPv4 and IPv6 stacks. 2014-04-07 01:53:03 +00:00