Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL

kernel option. This also permits tuning of the option per virtual network stack, as well as separately per inet, inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks
2009-05-23 16:42:38 +00:00 · 2009-05-23 16:42:38 +00:00 · db2e47925e
commit db2e47925e
parent b44522f44b
8 changed files with 51 additions and 12 deletions
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd August 5, 2007
+.Dd May 23, 2009
 .Dt IPSEC 4
 .Os
 .Sh NAME
@ -37,7 +37,6 @@
 .Nd Internet Protocol Security protocol
 .Sh SYNOPSIS
 .Cd "options IPSEC"
-.Cd "options IPSEC_FILTERTUNNEL"
 .Cd "device crypto"
 .Pp
 .In sys/types.h
@ -88,9 +87,12 @@ inbound.
 .Pp
 To properly filter on the inner packets of an
 .Nm
-tunnel with firewalls, add
-.Cd "options IPSEC_FILTERTUNNEL"
-to the kernel configuration file.
+tunnel with firewalls, you can change the values of the following sysctls
+.Bl -column net.inet6.ipsec6.filtertunnel default enable
+.It Sy "Name	Default	Enable"
+.It net.inet.ipsec.filtertunnel	0	1
+.It net.inet6.ipsec6.filtertunnel	0	1
+.El
 .\"
 .Ss Kernel interface
 .Nm
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@ -524,9 +524,10 @@ options 	ROUTETABLES=2		# max 16. 1 is back compatible.
 options 	IPSEC			#IP security (requires device crypto)
 #options 	IPSEC_DEBUG		#debug for IP security
 #
-# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel
-# to be processed by any configured packet filtering twice.
-# The default is that packets coming out of a tunnel are _not_ processed;
+# #DEPRECATED#
+# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
+# coming through a tunnel to be processed by any configured packet filtering
+# twice. The default is that packets coming out of a tunnel are _not_ processed;
 # they are assumed trusted.
 #
 # IPSEC history is preserved for such packets, and can be filtered
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@ -71,6 +71,10 @@ __FBSDID("$FreeBSD$");

 extern	struct protosw inetsw[];

+#ifdef VIMAGE_GLOBALS
+int ip4_ipsec_filtertunnel;
+#endif
+
 /*
 * Check if we have to jump over firewall processing for this packet.
 * Called from ip_input().
@ -79,11 +83,14 @@ extern	struct protosw inetsw[];
 int
 ip_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+	INIT_VNET_IPSEC(curvnet);
+
 	/*
 	 * Bypass packet filtering for packets from a tunnel.
 	 */
-	if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+	if (!V_ip4_ipsec_filtertunnel &&
+	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 		return 1;
 #endif
 	return 0;
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@ -76,6 +76,10 @@ __FBSDID("$FreeBSD$");

 extern	struct protosw inet6sw[];

+#ifdef VIMAGE_GLOBALS
+int ip6_ipsec6_filtertunnel;
+#endif
+
 /*
 * Check if we have to jump over firewall processing for this packet.
 * Called from ip_input().
@ -84,11 +88,14 @@ extern	struct protosw inet6sw[];
 int
 ip6_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+	INIT_VNET_IPSEC(curvnet);
+
 	/*
 	 * Bypass packet filtering for packets from a tunnel.
 	 */
-	if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+	if (!V_ip6_ipsec6_filtertunnel &&
+	    m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 		return 1;
 #endif
 	return 0;
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@ -167,6 +167,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
 	ipsecstats,	CTLFLAG_RD,	ipsec4stat, ipsecstat,	
 	"IPsec IPv4 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+	filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel,  0,
+	"If set filter packets from an IPsec tunnel.");

 #ifdef REGRESSION
 #ifdef VIMAGE_GLOBALS
@ -228,6 +231,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
 	ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
 	"IPsec IPv6 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
+	filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel,  0,
+	"If set filter packets from an IPsec tunnel.");
 #endif /* INET6 */

 static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@ -273,6 +279,11 @@ ipsec_init(void)
 	V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 	V_ip4_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
 	V_ip4_esp_randpad = -1;
+#ifdef IPSEC_FILTERTUNNEL
+	V_ip4_ipsec_filtertunnel = 1;
+#else
+	V_ip4_ipsec_filtertunnel = 0;
+#endif

 	V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;

@ -287,6 +298,11 @@ ipsec_init(void)
 	V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
 	V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
 	V_ip6_ipsec_ecn = 0;	/* ECN ignore(-1)/forbidden(0)/allowed(1) */
+#ifdef IPSEC_FILTERTUNNEL
+	V_ip6_ipsec6_filtertunnel = 1;
+#else
+	V_ip6_ipsec6_filtertunnel = 0;
+#endif
 #endif
 }

--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -348,6 +348,7 @@ extern int ip4_ah_cleartos;
 extern int ip4_ah_offsetmask;
 extern int ip4_ipsec_dfbit;
 extern int ip4_ipsec_ecn;
+extern int ip4_ipsec_filtertunnel;
 extern int ip4_esp_randpad;
 extern int crypto_support;

--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@ -47,6 +47,7 @@ extern int ip6_esp_net_deflev;
 extern int ip6_ah_trans_deflev;
 extern int ip6_ah_net_deflev;
 extern int ip6_ipsec_ecn;
+extern int ip6_ipsec6_filtertunnel;

 struct inpcb;

--- a/sys/netipsec/vipsec.h
+++ b/sys/netipsec/vipsec.h
@ -57,6 +57,7 @@ struct vnet_ipsec {
 	int			_ip4_ah_offsetmask;
 	int			_ip4_ipsec_dfbit;
 	int			_ip4_ipsec_ecn;
+	int			_ip4_ipsec_filtertunnel;
 	int			_ip4_esp_randpad;

 	int			_ipsec_replay;
@ -90,6 +91,7 @@ struct vnet_ipsec {
 	int			_ip6_ah_trans_deflev;
 	int			_ip6_ah_net_deflev;
 	int			_ip6_ipsec_ecn;
+	int			_ip6_ipsec6_filtertunnel;

 	int			_ah_enable;
 	int			_ah_cleartos;
@ -142,12 +144,14 @@ extern struct vnet_ipsec vnet_ipsec_0;
 #define	V_ip4_esp_trans_deflev		VNET_IPSEC(ip4_esp_trans_deflev)
 #define	V_ip4_ipsec_dfbit		VNET_IPSEC(ip4_ipsec_dfbit)
 #define	V_ip4_ipsec_ecn			VNET_IPSEC(ip4_ipsec_ecn)
+#define	V_ip4_ipsec_filtertunnel	VNET_IPSEC(ip4_ipsec_filtertunnel)
 #define	V_ip6_ah_net_deflev		VNET_IPSEC(ip6_ah_net_deflev)
 #define	V_ip6_ah_trans_deflev		VNET_IPSEC(ip6_ah_trans_deflev)
 #define	V_ip6_esp_net_deflev		VNET_IPSEC(ip6_esp_net_deflev)
 #define	V_ip6_esp_randpad		VNET_IPSEC(ip6_esp_randpad)
 #define	V_ip6_esp_trans_deflev		VNET_IPSEC(ip6_esp_trans_deflev)
 #define	V_ip6_ipsec_ecn			VNET_IPSEC(ip6_ipsec_ecn)
+#define	V_ip6_ipsec6_filtertunnel	VNET_IPSEC(ip6_ipsec6_filtertunnel)
 #define	V_ipcomp_enable			VNET_IPSEC(ipcomp_enable)
 #define	V_ipcompstat			VNET_IPSEC(ipcompstat)
 #define	V_ipip_allow			VNET_IPSEC(ipip_allow)