author | 2012-07-17 03:18:57 +0000 | |
---|---|---|
committer | 2012-07-17 03:18:57 +0000 | |
commit | a5018c90fb0a9e77456d14f2a6faf7433416eb0c (patch) | |
tree | e07c80baf6726afae996f63ec803c48f01ee1967 | |
parent | Always fix the man(7) subsection header (.SS) indent to 3n, (diff) | |
use IPsec flowinfo on pipex(4) to select the IPsec tunnel for sending
L2TP packets.
ok markus henning
-rw-r--r-- | sys/net/pipex.c | 10 | ||||
-rw-r--r-- | sys/net/pipex.h | 5 | ||||
-rw-r--r-- | sys/net/pipex_local.h | 3 | ||||
-rw-r--r-- | sys/netinet/udp_usrreq.c | 23 | ||||
-rw-r--r-- | usr.sbin/npppd/npppd/npppd.c | 15 |
5 files changed, 34 insertions, 22 deletions
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index ab15ec38883..05e783e544a 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.29 2012/05/05 14:48:51 yasuoka Exp $ */
+/* $OpenBSD: pipex.c,v 1.30 2012/07/17 03:18:57 yasuoka Exp $ */
 
 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -390,6 +390,7 @@ pipex_add_session(struct pipex_session_req *req,
 sess_l2tp->nr_acked = req->pr_proto.l2tp.nr_acked; /* last ack number */
 sess_l2tp->ul_ns_una = sess_l2tp->ns_una - 1;
+ sess_l2tp->ipsecflowinfo = req->pr_proto.l2tp.ipsecflowinfo;
 }
 #endif
 #ifdef PIPEX_MPPE
@@ -1974,7 +1975,8 @@ pipex_l2tp_output(struct mbuf *m0, struct pipex_session *session)
 } else
 udp->uh_sum = 0;
 
- if (ip_output(m0, NULL, NULL, 0, NULL, NULL) != 0) {
+ if (ip_output(m0, NULL, NULL, IP_IPSECFLOW, NULL, NULL,
+ session->proto.l2tp.ipsecflowinfo) != 0) {
 PIPEX_DBG((session, LOG_DEBUG, "ip_output failed."));
 goto drop;
 }
@@ -2066,7 +2068,8 @@ not_ours:
 }
 
 struct mbuf *
-pipex_l2tp_input(struct mbuf *m0, int off0, struct pipex_session *session)
+pipex_l2tp_input(struct mbuf *m0, int off0, struct pipex_session *session,
+ uint32_t ipsecflowinfo)
 {
 struct pipex_l2tp_session *l2tp_session;
 int length, offset, hlen, nseq;
@@ -2076,6 +2079,7 @@ pipex_l2tp_input(struct mbuf *m0, int off0, struct pipex_session *session)
 length = offset = ns = nr = 0;
 l2tp_session = &session->proto.l2tp;
+ l2tp_session->ipsecflowinfo = ipsecflowinfo;
 nsp = nrp = NULL;
 m_copydata(m0, off0, sizeof(flags), (caddr_t)&flags);
diff --git a/sys/net/pipex.h b/sys/net/pipex.h
index e8ef12afbe7..c2f59881893 100644
--- a/sys/net/pipex.h
+++ b/sys/net/pipex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.h,v 1.12 2012/04/04 04:31:38 yasuoka Exp $ */
+/* $OpenBSD: pipex.h,v 1.13 2012/07/17 03:18:57 yasuoka Exp $ */
 
 /*
 * Copyright (c) 2009 Internet Initiative Japan Inc.
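Review bot: In the @@ -2076 hunk, `l2tp_session->ipsecflowinfo = ipsecflowinfo;` is stored before a single byte of the L2TP header has been read (the `m_copydata` of `flags` comes after it), so a datagram that whatever validation follows later rejects still replaces the flow id that pipex_l2tp_output uses to pick the outbound SA, and a session lookup hit that arrived with no tdb resets it to 0. Whether an unprotected datagram can reach this point at all depends on the inbound SPD check earlier in udp_input, which is not in this diff, so I would not rely on it here. I would move the store to the point where the packet has been accepted, or at minimum skip the no-SA case: `if (ipsecflowinfo != 0) l2tp_session->ipsecflowinfo = ipsecflowinfo;` with a comment that the caller passes 0 when the datagram was not IPsec-protected. pipex_l2tp_input continues past the end of the hunk.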
@@ -122,6 +122,7 @@ struct pipex_session_req {
 uint32_t nr_nxt; /* receive next */
 uint32_t ns_una; /* unacked */
 uint32_t nr_acked; /* recv acked */
+ uint32_t ipsecflowinfo; /* IPsec flow id for NAT-T */
 } l2tp;
 struct {
 char over_ifname[IF_NAMESIZE]; /* ethernet i/f name */
@@ -213,7 +214,7 @@ struct pipex_session *pipex_pptp_userland_lookup_session_ipv6 (struct mbuf *, s
 struct pipex_session *pipex_l2tp_userland_lookup_session(struct mbuf *, struct sockaddr *);
 struct mbuf *pipex_pptp_userland_output (struct mbuf *, struct pipex_session *);
 struct pipex_session *pipex_l2tp_lookup_session (struct mbuf *, int);
-struct mbuf *pipex_l2tp_input (struct mbuf *, int off, struct pipex_session *);
+struct mbuf *pipex_l2tp_input (struct mbuf *, int off, struct pipex_session *, uint32_t);
 struct pipex_session *pipex_l2tp_userland_lookup_session_ipv4 (struct mbuf *, struct in_addr);
 struct pipex_session *pipex_l2tp_userland_lookup_session_ipv6 (struct mbuf *, struct in6_addr);
 struct mbuf *pipex_l2tp_userland_output (struct mbuf *, struct pipex_session *);
diff --git a/sys/net/pipex_local.h b/sys/net/pipex_local.h
index cefaf215c3a..ba9fa023773 100644
--- a/sys/net/pipex_local.h
+++ b/sys/net/pipex_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex_local.h,v 1.15 2012/04/04 04:31:38 yasuoka Exp $ */
+/* $OpenBSD: pipex_local.h,v 1.16 2012/07/17 03:18:57 yasuoka Exp $ */
 
 /*
 * Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -149,6 +149,7 @@ struct pipex_l2tp_session {
 uint16_t nr_nxt; /* next sequence number to recv */
 uint16_t nr_acked; /* acked sequence number to recv */
+ uint32_t ipsecflowinfo; /* IPsec SA flow id for NAT-T */
 };
 #endif /* PIPEX_L2TP */
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 8e7c92db484..5a8d8e596e4 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
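Review bot: The comment on the new `struct pipex_session_req` field, `/* IPsec flow id for NAT-T */`, does not say what value it carries or what zero means, and this struct is the kernel/userland request ABI, so the meaning should be pinned here rather than inferred from the kernel side. The only producer visible in this commit fills it from `tdb->tdb_spi` in udp_input and leaves it 0 when the datagram had no SA, so I would write `uint32_t ipsecflowinfo; /* SPI of the inbound IPsec SA (0 = none); selects the SA for output */`. Since the field changes the layout of the ioctl request, a kernel and npppd built from different revisions will disagree on its size; the diff does not show a version check guarding that, so confirm the two are always rebuilt together.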
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_usrreq.c,v 1.148 2012/07/16 18:05:36 markus Exp $ */
+/* $OpenBSD: udp_usrreq.c,v 1.149 2012/07/17 03:18:57 yasuoka Exp $ */
 /* $NetBSD: udp_usrreq.c,v 1.28 1996/03/16 23:54:03 christos Exp $ */
 
 /*
@@ -197,8 +197,8 @@ udp_input(struct mbuf *m, ...)
 struct m_tag *mtag;
 struct tdb_ident *tdbi;
 struct tdb *tdb;
- struct mbuf *iopts = NULL;
 int error, s;
+ u_int32_t ipsecflowinfo = 0;
 #endif /* IPSEC */
 
 va_start(ap, m);
@@ -673,9 +673,9 @@ udp_input(struct mbuf *m, ...)
 }
 }
 /* create ipsec options while we know that tdb cannot be modified */
- if (tdb && (inp->inp_flags & INP_IPSECFLOWINFO))
- iopts = sbcreatecontrol((caddr_t)&tdb->tdb_spi,
- sizeof(tdb->tdb_spi), IP_IPSECFLOWINFO, IPPROTO_IP);
+ if (tdb)
+ ipsecflowinfo = tdb->tdb_spi;
+
 splx(s);
 #endif /*IPSEC */
 
@@ -697,9 +697,13 @@ udp_input(struct mbuf *m, ...)
 IP_RECVDSTPORT, IPPROTO_IP);
 }
 #ifdef IPSEC
- if (iopts) {
- iopts->m_next = opts;
- opts = iopts; /* prepend */
+ if (ipsecflowinfo && (inp->inp_flags & INP_IPSECFLOWINFO)) {
+ struct mbuf **mp = &opts;
+
+ while (*mp)
+ mp = &(*mp)->m_next;
+ *mp = sbcreatecontrol((caddr_t)&ipsecflowinfo,
+ sizeof(u_int32_t), IP_IPSECFLOWINFO, IPPROTO_IP);
 }
 #endif
 #ifdef PIPEX
@@ -707,7 +711,8 @@ udp_input(struct mbuf *m, ...)
 struct pipex_session *session;
 int off = iphlen + sizeof(struct udphdr);
 if ((session = pipex_l2tp_lookup_session(m, off)) != NULL) {
- if ((m = pipex_l2tp_input(m, off, session)) == NULL)
+ if ((m = pipex_l2tp_input(m, off, session,
+ ipsecflowinfo)) == NULL)
 return; /* the packet is handled by PIPEX */
 }
 }
diff --git a/usr.sbin/npppd/npppd/npppd.c b/usr.sbin/npppd/npppd/npppd.c
index 3e81ff8c008..9b34890f99f 100644
--- a/usr.sbin/npppd/npppd/npppd.c
+++ b/usr.sbin/npppd/npppd/npppd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: npppd.c,v 1.19 2012/07/16 18:05:36 markus Exp $ */
+/* $OpenBSD: npppd.c,v 1.20 2012/07/17 03:18:57 yasuoka Exp $ */
 
 /*-
 * Copyright (c) 2009 Internet Initiative Japan Inc.
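Review bot: In the @@ -673 hunk the comment `/* create ipsec options while we know that tdb cannot be modified */` is now stale: the code under it only copies `tdb->tdb_spi` into the local, and the control message is built later, after `splx(s)`, in the `#ifdef IPSEC` block of the next hunk. The reason the copy has to stay here is still the one the comment hints at, so reword it to say what the code now does: `/* remember the SPI while we know that tdb cannot be modified */`. udp_input extends well beyond both hunks.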
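Review bot: In the @@ -707 hunk `ipsecflowinfo` is passed to `pipex_l2tp_input` inside `#ifdef PIPEX`, but the variable is declared in the @@ -197 hunk inside `#ifdef IPSEC` (just above `#endif /* IPSEC */`), so a kernel configured with PIPEX and without IPSEC no longer compiles. I cannot see from the diff whether the kernel config treats IPSEC as a prerequisite of PIPEX; if it does not, move `u_int32_t ipsecflowinfo = 0;` out of the IPSEC block so the PIPEX call always has a value (0 meaning "no SA"), which also keeps the semantics pipex_l2tp_input already gets for non-IPsec packets. udp_input's body continues outside the hunk.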
@@ -29,7 +29,7 @@
 * Next pppd(nppd). This file provides a npppd daemon process and operations
 * for npppd instance.
 * @author Yasuoka Masahiko
- * $Id: npppd.c,v 1.19 2012/07/16 18:05:36 markus Exp $
+ * $Id: npppd.c,v 1.20 2012/07/17 03:18:57 yasuoka Exp $
 */
 #include <sys/cdefs.h>
 #include "version.h"
@@ -1041,7 +1041,6 @@ npppd_ppp_pipex_enable(npppd *_this, npppd_ppp *ppp)
 req.pr_session_id = l2tp->session_id;
 req.pr_peer_session_id = l2tp->peer_session_id;
 
- /* options: XXX: needs other? */
 if (l2tpctrl->data_use_seq)
 req.pr_proto.l2tp.option_flags |= PIPEX_L2TP_USE_SEQUENCING;
@@ -1054,10 +1053,12 @@ npppd_ppp_pipex_enable(npppd *_this, npppd_ppp *ppp)
 l2tpctrl->peer.ss_len);
 memcpy(&req.local_address, &l2tpctrl->sock,
 l2tpctrl->sock.ss_len);
-#ifdef IP_IPSEC_SA_COOKIE
- if (l2tpctrl->sa_cookie != NULL)
- req.pr_proto.l2tp.ipsec_sa_cookie =
- *(struct in_ipsec_sa_cookie *)l2tpctrl->sa_cookie;
+#ifdef USE_SA_COOKIE
+ if (l2tpctrl->sa_cookie != NULL) {
+ req.pr_proto.l2tp.ipsecflowinfo =
+ ((struct in_ipsec_sa_cookie *)l2tpctrl->sa_cookie)
+ ->ipsecflow;
+ }
 #endif
 break;
 #endif
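Review bot: In the @@ -1054 hunk the guard macro changes from `IP_IPSEC_SA_COOKIE` to `USE_SA_COOKIE`, and nothing in this diff defines the new name; if a build does not set it the whole block compiles out silently, `req.pr_proto.l2tp.ipsecflowinfo` is left at whatever `req` held (presumably zero if the struct is cleared earlier in npppd_ppp_pipex_enable, which is outside the hunk), and the kernel quietly stops selecting a specific SA for this session with no diagnostic. Since the flow id is what keeps L2TP data on the right tunnel, I would make the fallback visible, for example an `#else` branch that logs when `l2tpctrl->sa_cookie != NULL` but no flow id could be passed, or a comment above the `#ifdef` stating where `USE_SA_COOKIE` is expected to come from. The cast to `struct in_ipsec_sa_cookie *` is taken on trust here; the type of `sa_cookie` is not visible in the diff.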