author | 2016-09-02 09:39:32 +0000 | |
---|---|---|
committer | 2016-09-02 09:39:32 +0000 | |
commit | 220db2a09610ff661ff9aad8727d1bfd050edda2 (patch) | |
tree | fb02d4406509cb8b16a3dd37610e291306b025b4 | |
parent | Go through the set function like normal people; no functional change. (diff) | |
Drop non-encapsulated ESP packets using a UDP-encapsulating TDB, and add
the relevant counters.
Ok mikeb@
-rw-r--r-- | sys/netinet/ip_esp.h | 3 | ||||
-rw-r--r-- | sys/netinet/ipsec_input.c | 12 | ||||
-rw-r--r-- | usr.bin/netstat/inet.c | 3 |
3 files changed, 15 insertions, 3 deletions
diff --git a/sys/netinet/ip_esp.h b/sys/netinet/ip_esp.h
index 97c18b50fe5..22e186319ca 100644
--- a/sys/netinet/ip_esp.h
+++ b/sys/netinet/ip_esp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_esp.h,v 1.42 2010/01/10 12:43:07 markus Exp $ */
+/* $OpenBSD: ip_esp.h,v 1.43 2016/09/02 09:39:32 vgross Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -62,6 +62,7 @@ struct espstat
 	u_int32_t esps_udpencin; /* Input ESP-in-UDP packets */
 	u_int32_t esps_udpencout; /* Output ESP-in-UDP packets */
 	u_int32_t esps_udpinval; /* Invalid input ESP-in-UDP packets */
+	u_int32_t esps_udpneeded; /* Trying to use a ESP-in-UDP TDB */
 };
 
 /*
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index fe0ee48a6ad..dbe1a2ceda5 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.135 2015/09/10 17:52:05 claudio Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.136 2016/09/02 09:39:32 vgross Exp $ */
 /*
  * The authors of this code are John Ioannidis (ji@tla.org),
  * Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -262,6 +262,16 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto,
 		return EINVAL;
 	}
 
+	if (!udpencap && (tdbp->tdb_flags & TDBF_UDPENCAP)) {
+		splx(s);
+		DPRINTF(("ipsec_common_input(): attempted to use udpencap " "SA %s/%08x/%u\n", ipsp_address(&dst_address, buf, sizeof(buf)), ntohl(spi), tdbp->tdb_sproto));
+		m_freem(m);
+		espstat.esps_udpneeded++;
+		return EINVAL;
+	}
+
 	if (tdbp->tdb_xform == NULL) {
 		splx(s);
 		DPRINTF(("ipsec_common_input(): attempted to use uninitialized "
diff --git a/usr.bin/netstat/inet.c b/usr.bin/netstat/inet.c
index 9e0e0a67d85..fc8ee471987 100644
--- a/usr.bin/netstat/inet.c
+++ b/usr.bin/netstat/inet.c
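Review bot: The new rejection branch in ipsec_common_input carries no comment explaining why a raw (non-UDP-encapsulated) ESP packet matching a TDB flagged TDBF_UDPENCAP must be dropped, and the field comment added to struct espstat in the ip_esp.h hunk, `/* Trying to use a ESP-in-UDP TDB */`, is too terse to explain it either. Suggest prefixing the branch with `/* SA was negotiated with UDP encapsulation; presumably raw ESP must be refused so the encapsulated path is not bypassed. */` and rewording the struct comment to `/* Non-encapsulated packets received for an ESP-in-UDP TDB */` so the netstat line and the counter agree. The check does not test sproto, so if a non-ESP TDB ever carried TDBF_UDPENCAP the drop would still be counted in espstat; whether that state is reachable is not visible in the hunk. ipsec_common_input begins and ends outside the hunk.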
@@ -1,4 +1,4 @@
-/* $OpenBSD: inet.c,v 1.150 2016/08/27 04:13:43 guenther Exp $ */
+/* $OpenBSD: inet.c,v 1.151 2016/09/02 09:39:32 vgross Exp $ */
 /* $NetBSD: inet.c,v 1.14 1995/10/03 21:42:37 thorpej Exp $ */
 
 /*
@@ -1073,6 +1073,7 @@ esp_stats(char *name)
 	p(esps_udpencin, "\t%u input UDP encapsulated ESP packet%s\n");
 	p(esps_udpencout, "\t%u output UDP encapsulated ESP packet%s\n");
 	p(esps_udpinval, "\t%u UDP packet%s for non-encapsulating TDB received\n");
+	p(esps_udpneeded, "\t%u raw ESP packet%s for encapsulating TDB received\n");
 	p(esps_ibytes, "\t%llu input byte%s\n");
 	p(esps_obytes, "\t%llu output byte%s\n"); |