freebsd-dev/sys/net
Andrey V. Elsukov 22986c6740 Introduce the concept of IPsec security policies scope.
Currently three scopes are defined: global, ifnet, and pcb.
Generic security policies that IKE daemon can add via PF_KEY interface
or an administrator creates with setkey(8) utility have GLOBAL scope.
Such policies can be applied by the kernel to outgoing packets and checked
against inbound packets after IPsec processing.
Security policies created by if_ipsec(4) interfaces have IFNET scope.
Such policies are applied to packets that are passed through if_ipsec(4)
interface.
Security policies created by an application using the setsockopt()
IP_IPSEC_POLICY option have PCB scope. Such policies are applied to
packets related to a specific socket. Currently there is no way to list
PCB policies via the setkey(8) utility.

Modify setkey(8) and libipsec(3) to be able to distinguish the scope of
security policies in the `setkey -DP` listing. Add two optional flags:
'-t' to list only policies related to virtual *tunneling* interfaces,
i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL
scope. By default policies from all scopes are listed.

To implement this, PF_KEY's sadb_x_policy structure was modified. The
sadb_x_policy_reserved field is used to pass the policy scope from the
kernel to userland. The SADB_SPDDUMP message is extended to support filtering
by scope: the sadb_msg_satype field is used to specify a bit mask of requested
scopes.

For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy
is used to pass if_ipsec's interface if_index to userland. For GLOBAL
policies sadb_x_policy_priority is used only to manage the order of security
policies in the SPDB. For IFNET policies it is not used, so it can be used
to keep the if_index.

After this change the output of `setkey -DP` now looks like:
# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global
	refcnt=1

No objection from:	#network
Obtained from:	Yandex LLC
MFC after:	2 weeks
Sponsored by:	Yandex LLC
Differential Revision:	https://reviews.freebsd.org/D9805
2017-03-07 00:13:53 +00:00
altq Remove an alias if_list, use if_link consistently. 2016-10-06 00:51:27 +00:00
bpf_buffer.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
bpf_buffer.h
bpf_filter.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
bpf_jitter.c
bpf_jitter.h
bpf_zerocopy.c
bpf_zerocopy.h
bpf.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
bpf.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
bpfdesc.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
bridgestp.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
bridgestp.h
dlt.h MFV r313759: license change for a few headers (4 clause BSD to 3 clause BSD). 2017-02-15 07:22:47 +00:00
ethernet.h net/vlan: Shift for pri is 13 (pri mask 0xe000) not 1. 2016-09-01 06:32:35 +00:00
fddi.h
firewire.h
flowtable.c Add variable declaration missing in r302372. 2016-07-06 17:46:49 +00:00
flowtable.h
ieee8023ad_lacp.c Do some minimal work to better conform to the 802.3ad (LACP) standard. 2017-02-26 00:19:02 +00:00
ieee8023ad_lacp.h Implement kernel support for hardware rate limited sockets. 2017-01-18 13:31:17 +00:00
ieee_oui.h
if_arc.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_arcsubr.c Remove the 4.3BSD compatible macro m_copy(), use m_copym() instead. 2016-09-15 07:41:48 +00:00
if_arp.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_atm.h sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
if_atmsubr.c sys/net* : for pointers replace 0 with NULL. 2016-04-15 17:30:33 +00:00
if_bridge.c bridge: Release the bridge lock when calling bridge_set_ifcap() 2017-01-25 21:25:26 +00:00
if_bridgevar.h bridge: Release the bridge lock when calling bridge_set_ifcap() 2017-01-25 21:25:26 +00:00
if_clone.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_clone.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_dead.c Implement kernel support for hardware rate limited sockets. 2017-01-18 13:31:17 +00:00
if_debug.c Add more fields to if_debug.c for ddb(4) 'show ifnet'; resort 2016-06-22 12:53:10 +00:00
if_disc.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_dl.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_edsc.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_enc.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
if_enc.h Overhaul if_enc(4) and make it loadable in run-time. 2015-11-25 07:31:59 +00:00
if_epair.c Back out r314471. In https://reviews.freebsd.org/D1858 it was clear 2017-03-01 05:38:04 +00:00
if_ethersubr.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_fddisubr.c sys: Replace zero with NULL for pointers. 2017-02-22 02:35:59 +00:00
if_fwsubr.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_gif.c Extract out the various local definitions of ETHER_IS_BROADCAST() and 2016-08-07 03:48:33 +00:00
if_gif.h - Remove GIF_{SEND,ACCEPT}_REVETHIP. 2015-09-10 05:59:39 +00:00
if_gre.c Cleanup unnecessary semicolons from the kernel. 2016-04-10 23:07:00 +00:00
if_gre.h Extern declarations in C files loses compile-time checking that 2014-12-25 21:32:37 +00:00
if_ipsec.c Introduce the concept of IPsec security policies scope. 2017-03-07 00:13:53 +00:00
if_ipsec.h Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
if_iso88025subr.c sys: Replace zero with NULL for pointers. 2017-02-22 02:35:59 +00:00
if_lagg.c Do not update the lagg link layer address when destroying a lagg clone. 2017-01-30 03:04:33 +00:00
if_lagg.h Do not update the lagg link layer address when destroying a lagg clone. 2017-01-30 03:04:33 +00:00
if_llatbl.c Make LLTABLE list lock private for if_llatbl.c 2016-10-11 17:41:13 +00:00
if_llatbl.h Make LLTABLE list lock private for if_llatbl.c 2016-10-11 17:41:13 +00:00
if_llc.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_loop.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_me.c Add IFCAP_LINKSTATE support. 2015-10-03 09:15:23 +00:00
if_media.c Fix reference to free memory in ixgbe/if_media.c 2017-01-20 17:16:48 +00:00
if_media.h [net80211] add VHT media types in the media layer. 2017-01-05 04:49:23 +00:00
if_mib.c These files were getting sys/malloc.h and vm/uma.h with header pollution 2016-02-01 17:41:21 +00:00
if_mib.h
if_pflog.h
if_pfsync.h
if_sppp.h sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
if_spppfr.c
if_spppsubr.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
if_stf.c The stf(4) interface name does not conform with the default naming 2017-01-29 18:41:09 +00:00
if_tap.c if_tap: correct typo in sysctl description (Enably) 2015-10-21 19:56:16 +00:00
if_tap.h
if_tapvar.h
if_tun.c Allow writing IP packets of length TUNMRU no matter if TUNSIFHEAD is set 2016-05-19 13:52:12 +00:00
if_tun.h Allow an MTU of 65535 bytes to be set via TUN[SG]IFINFO. This requires 2016-05-24 11:47:14 +00:00
if_types.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_var.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if_vlan_var.h Add support to priority code point (PCP) that is an 3-bit field 2016-06-06 09:51:58 +00:00
if_vlan.c Implement kernel support for hardware rate limited sockets. 2017-01-18 13:31:17 +00:00
if_vxlan.c net: Use M_HASHTYPE_OPAQUE_HASH if the mbuf flowid has hash properties 2016-06-07 04:51:50 +00:00
if_vxlan.h
if.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
if.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
ifdi_if.m 2017 IFLIB updates in preparation for commits to e1000 and ixgbe. 2017-01-02 00:56:33 +00:00
iflib.c Make gtaskqueue compatible with drm-next such that they can be used with the 2017-03-01 18:37:35 +00:00
iflib.h IFLIB updates: 2017-01-27 23:08:06 +00:00
ifq.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
iso88025.h
mp_ring.c sys/net: more spelling. 2016-05-19 16:28:05 +00:00
mp_ring.h Import the 'iflib' API library for network drivers. From the author: 2016-05-18 04:35:58 +00:00
mppc.h ng_mppc(4): Bring netgraph(3) MPPC compression support. 2016-06-07 15:07:00 +00:00
mppcc.c ng_mppc(4):: basic readability cleanups. 2016-07-09 02:33:45 +00:00
mppcd.c ng_mppc(4):: basic readability cleanups. 2016-07-09 02:33:45 +00:00
netisr_internal.h
netisr.c Bring back r313037, with fixes for mips: 2017-02-19 02:03:09 +00:00
netisr.h Introduce a per-VNET flag to enable/disable netisr prcessing on that VNET. 2016-06-03 13:57:10 +00:00
netmap_user.h remove trailing whitespace. No code changes. 2016-10-18 15:41:57 +00:00
netmap_virt.h Various fixes for ptnet/ptnetmap (passthrough of netmap ports). In detail: 2016-10-27 09:46:22 +00:00
netmap.h Various fixes for ptnet/ptnetmap (passthrough of netmap ports). In detail: 2016-10-27 09:46:22 +00:00
paravirt.h
pfil.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
pfil.h
pfkeyv2.h Introduce the concept of IPsec security policies scope. 2017-03-07 00:13:53 +00:00
pfvar.h Update pf(4) and pflog(4) to survive basic VNET testing, which includes 2016-06-23 21:34:38 +00:00
ppp_defs.h
radix_mpath.c radix_mpath: Don't derefence a NULL pointer in for loop iteration 2016-04-26 20:27:17 +00:00
radix_mpath.h MFP r287070,r287073: split radix implementation and route table structure. 2016-01-25 06:33:15 +00:00
radix.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
radix.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
raw_cb.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
raw_cb.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
raw_usrreq.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
rndis.h hyperv/hn: Define empty packet filter. 2016-10-27 04:55:19 +00:00
route_var.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
route.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
route.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
rss_config.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
rss_config.h Replace the printf()s with optional rate limited debugging for RSS. 2015-08-28 05:58:16 +00:00
rtsock.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
sff8436.h Add SFF-8024 Extended Specification Compliance 2015-12-28 09:26:07 +00:00
sff8472.h sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
slcompress.c Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
slcompress.h Renumber copyright clause 4 2017-02-28 23:42:47 +00:00
toeplitz.c Refactor / restructure the RSS code into generic, IPv4 and IPv6 specific 2015-01-18 18:06:40 +00:00
toeplitz.h Refactor / restructure the RSS code into generic, IPv4 and IPv6 specific 2015-01-18 18:06:40 +00:00
vnet.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
vnet.h Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00