d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
627c036f65
freebsd-nq/sys/netinet
History
Andrey V. Elsukov 627c036f65 Remove IPsec related PCB code from SCTP. 
The inpcb structure has inp_sp pointer that is initialized by
ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec
security policies associated with a specific socket.
An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket
options to configure these security policies. Then ip[6]_output()
uses inpcb pointer to specify that an outgoing packet is associated
with some socket. And IPSEC_OUTPUT() method can use a security policy
stored in the inp_sp. For inbound packet the protocol-specific input
routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms
to inbound security policy configured in the inpcb.

SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends
packets. Thus IPSEC_OUTPUT() method does not consider such packets as
associated with some socket and can not apply security policies
from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY()
method is called from protocol-specific input routine, it can specify
inpcb pointer and associated with socket inbound policy will be
checked. But there are two problems:
1. Such check is asymmetric, becasue we can not apply security policy
from inpcb for outgoing packet.
2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and
access to inp_sp is protected. But for SCTP this is not correct,
becasue SCTP uses own locks to protect inpcb.

To fix these problems remove IPsec related PCB code from SCTP.
This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options
will be not applicable to SCTP sockets. To be able correctly check
inbound security policies for SCTP, mark its protocol header with
the PR_LASTHDR flag.

Reported by:	tuexen
Reviewed by:	tuexen
Differential Revision:	https://reviews.freebsd.org/D9538
2017-02-13 11:37:52 +00:00
..
cc Fix a variety of cosmetic typos and misspellings 2017-01-15 18:00:45 +00:00
khelp Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
libalias sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
tcp_stacks Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
accf_data.c
accf_dns.c
accf_http.c
icmp6.h Add missing constants from RFCs 4443 and 6550 2016-06-06 00:35:45 +00:00
icmp_var.h Use counter_ratecheck() in the ICMP rate limiting. 2016-12-09 17:59:15 +00:00
if_atm.c
if_atm.h
if_ether.c Add GARP retransmit capability 2016-10-02 01:42:45 +00:00
if_ether.h This change re-adds L2 caching for TCP and UDP, as originally added in D4306 2016-06-02 17:51:29 +00:00
igmp_var.h
igmp.c With clang 3.9.0, compiling sys/netinet/igmp.c results in the following 2016-09-04 17:23:10 +00:00
igmp.h
in_cksum.c
in_debug.c
in_fib.c MFP r287070,r287073: split radix implementation and route table structure. 2016-01-25 06:33:15 +00:00
in_fib.h Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
in_gif.c Merge helper fib* functions used for basic lookups. 2015-12-08 10:50:03 +00:00
in_jail.c Move IPv4-specific jail functions to new file netinet/in_jail.c 2016-08-09 02:16:21 +00:00
in_kdtrace.c Add an mbuf to ipinfo_t translator to finish cleanup of mbuf passing to TCP probes. 2017-02-01 19:33:00 +00:00
in_kdtrace.h Fix style issues around existing SDT probes. 2015-12-16 23:39:27 +00:00
in_mcast.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
in_pcb.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
in_pcb.h Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
in_pcbgroup.c Unbreak the RSS/PCBGROUp build. 2016-03-31 00:53:23 +00:00
in_prot.c Remove BSD and USL copyright and update license block in in_prot.c, as the 2016-07-28 18:39:30 +00:00
in_proto.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
in_rmx.c Code duplication but rib_head is special. Not found an easy way to go 2016-02-03 21:56:51 +00:00
in_rss.c Rename rss_soft_m2cpuid() -> rss_soft_m2cpuid_v4() in preparation for 2015-08-29 06:58:30 +00:00
in_rss.h Rename rss_soft_m2cpuid() -> rss_soft_m2cpuid_v4() in preparation for 2015-08-29 06:58:30 +00:00
in_systm.h Prepare for network stack as a module 2016-07-27 20:34:09 +00:00
in_var.h Add GARP retransmit capability 2016-10-02 01:42:45 +00:00
in.c After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
in.h Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
ip6.h
ip_carp.c After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
ip_carp.h After the in_control() changes in r257692, an existing address is 2017-01-25 19:04:08 +00:00
ip_divert.c The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
ip_divert.h
ip_dummynet.h Import Dummynet AQM version 0.2.1 (CoDel, FQ-CoDel, PIE and FQ-PIE). 2016-05-26 21:40:13 +00:00
ip_ecn.c
ip_ecn.h Remove unneded #include "opt_inet.h". 2015-07-31 09:02:28 +00:00
ip_encap.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
ip_encap.h
ip_fastfwd.c When we are sending IP fragments, update ip pointers in IP_PROBE() for 2016-12-29 19:57:46 +00:00
ip_fw.h Add stats reset command implementation to NPTv6 module 2016-08-13 16:45:14 +00:00
ip_gre.c
ip_icmp.c Fix build for 32-bit machines. 2016-12-09 20:50:35 +00:00
ip_icmp.h Add support for handling ICMP and ICMP6 messages sent in response 2016-04-29 20:22:01 +00:00
ip_id.c Replace a number of conflations of mp_ncpus and mp_maxid with either 2016-07-06 14:09:49 +00:00
ip_input.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
ip_mroute.c Remove the 4.3BSD compatible macro m_copy(), use m_copym() instead. 2016-09-15 07:41:48 +00:00
ip_mroute.h
ip_options.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
ip_options.h
ip_output.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
ip_reass.c
ip_var.h The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
ip.h sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
pim_var.h
pim.h
raw_ip.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
sctp_asconf.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_asconf.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_auth.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_auth.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_bsd_addr.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_bsd_addr.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_cc_functions.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_constants.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctp_crc32.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_crc32.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_dtrace_declare.h
sctp_dtrace_define.h This is work done by Michael Tuexen and myself at the IETF. This 2016-04-07 09:10:34 +00:00
sctp_header.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctp_indata.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_indata.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_input.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_input.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_lock_bsd.h netinet/sctp*: minor spelling fixes in comments. 2016-05-02 20:56:11 +00:00
sctp_os_bsd.h Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_os.h
sctp_output.c Ensure that the variable bail is always initialized before used. 2017-02-01 00:10:29 +00:00
sctp_output.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_pcb.c Remove IPsec related PCB code from SCTP. 2017-02-13 11:37:52 +00:00
sctp_pcb.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_peeloff.c
sctp_peeloff.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_ss_functions.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_structs.h Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_syscalls.c Use getsock_cap() instead of deprecated fgetsock(). 2017-01-13 16:54:44 +00:00
sctp_sysctl.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctp_sysctl.h Retire net.inet.sctp.strict_sacks and net.inet.sctp.strict_data_order 2016-05-12 16:34:59 +00:00
sctp_timer.c Remove a duplicate debug statement. 2017-01-31 23:34:02 +00:00
sctp_timer.h Code cleanup which will silence a warning in PVS / D5245. 2016-02-17 18:04:22 +00:00
sctp_uio.h Whitespace changes. 2016-12-06 10:21:25 +00:00
sctp_usrreq.c Take the SCTP common header into account when computing the 2017-01-31 23:36:31 +00:00
sctp_var.h Cleanup the names of SSN, SID, TSN, FSN, PPID and MID. 2016-12-07 19:30:59 +00:00
sctp.h This is work done by Michael Tuexen and myself at the IETF. This 2016-04-07 09:10:34 +00:00
sctputil.c Whitespace changes. 2016-12-26 11:06:41 +00:00
sctputil.h Whitespace changes. 2016-12-26 11:06:41 +00:00
siftr.c Use SI_SUB_LAST instead of SI_SUB_SMP as the "catch-all" subsystem. 2016-03-11 23:18:06 +00:00
tcp_debug.c Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_debug.h
tcp_fastopen.c Fix VIMAGE-related bugs in TFO. The autokey callout vnet context was 2017-02-03 17:02:57 +00:00
tcp_fastopen.h Implementation of server-side TCP Fast Open (TFO) [RFC7413]. 2015-12-24 19:09:48 +00:00
tcp_fsm.h Update TCPS_HAVERCVDFIN() macro to correctly include all states a connection 2016-08-26 17:48:54 +00:00
tcp_hostcache.c sysctl net.inet.tcp.hostcache.list in a jail can see connections from other 2017-01-05 17:22:09 +00:00
tcp_hostcache.h Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_input.c Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_lro.c Pass the number of segments coalesced by LRO up the stack by repurposing the 2016-08-25 13:33:32 +00:00
tcp_lro.h tcp/lro: Implement hash table for LRO entries. 2016-08-02 06:36:47 +00:00
tcp_offload.c Augment struct tcpstat with tcps_states[], which is used for book-keeping 2016-01-27 00:45:46 +00:00
tcp_offload.h
tcp_output.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_pcap.c The TCPPCAP debugging feature caches recently-used mbufs for use in 2016-07-06 16:17:13 +00:00
tcp_pcap.h The TCPPCAP debugging feature caches recently-used mbufs for use in 2016-07-06 16:17:13 +00:00
tcp_reass.c Remove sys/eventhandler.h from net/route.h 2016-01-09 09:34:39 +00:00
tcp_sack.c Remove a KASSERT which is not always true. 2016-12-25 17:37:18 +00:00
tcp_seq.h Remove "long" variables from the TCP stack (not including the modular 2016-10-06 16:28:34 +00:00
tcp_subr.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_syncache.c Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
tcp_syncache.h Grab a snap amount of TCP connections in syncache from tcpstat. 2016-01-27 00:48:05 +00:00
tcp_timer.c Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_timer.h Don't zero out srtt after excess retransmits 2017-02-11 17:05:08 +00:00
tcp_timewait.c Ensure that TCP state changes to state-closing are reported via dtrace. 2016-11-19 14:45:08 +00:00
tcp_usrreq.c Revert r313527 2017-02-10 05:58:16 +00:00
tcp_var.h Move tcp_fields_to_net() static inline into tcp_var.h, just below its 2017-02-10 17:46:26 +00:00
tcp.h Provide new socket option TCP_CCALGOOPT, which stands for TCP congestion 2016-01-22 02:07:48 +00:00
tcpip.h
toecore.c This change re-adds L2 caching for TCP and UDP, as originally added in D4306 2016-06-02 17:51:29 +00:00
toecore.h
udp_usrreq.c Committed without approval from mentor. 2017-02-12 06:56:33 +00:00
udp_var.h The pr_destroy field does not allow us to run the teardown code in a 2016-06-01 10:14:04 +00:00
udp.h Merge projects/ipsec into head/. 2017-02-06 08:49:57 +00:00
udplite.h