| Commit message (Collapse) | Author | Age | Files | Lines |
| |
destination address and their netmasks match, otherwise return EINVAL.
ok bluhm@ patrick@
| |
Fixes CID 1496732.
ok patrick@
| |
information. Make sure to only copy out actually used memory.
ok patrick@
| |
ok patrick@
| |
ok kn@, patrick@
| |
pfkeyv2_send() allocates multiple buffers using the same variable `i' to
calculate their sizes, use dedicated size variables for each buffer to reuse
them with free(9).
For this, make pfkeyv2_policy() pass back the size of its freshly allocated
buffer.
Tested, feedback and OK tobhe
| |
pfkeyv2_get() and pfkeyv2_dump_policy() allocate buffers and can pass back
their sizes, those sizes are already used during copyout() and such.
Make one pfkeyv2_dump_policy() call pass back the size and reuse all sizes
in the respective free(9) calls.
Tested and OK tobhe
| |
All of these buffers are cleared with explicit sizes before free(), so
reuse the given sizes.
tested and OK tobhe
| |
encryption or decryption. This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.
The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.
The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension. Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.
Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.
As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.
discussed with chris@ and kn@
ok markus@, patrick@
| |
From Benjamin Baier, ok tobhe@
| |
only used in process context, so pass PR_WAITOK to pool_init(9).
The possible sleep in pool_put(9) should not hurt as pfkeyv2_detach()
is only called by soclose(9). As both pr_attach() and pr_detach()
are always called with kernel lock, PR_RWLOCK is not needed.
OK mpi@
| |
usrreq functions move the mbuf m_freem() logic to the release block
instead of distributing it over the switch statement. Then the
goto release in the initial check, whether the pcb still exists,
will not free the mbuf for the PRU_RCVD, PRU_RVCOOB, PRU_SENSE
command.
OK claudio@ mpi@ visa@
Reported-by: syzbot+8e7997d4036ae523c79c@syzkaller.appspotmail.com
| |
This time add the counter extension to SADB_GET's whitelist.
ok bluhm@, visa@
| |
ok bluhm@, visa@
| |
workaround for this bug.
ok visa@
| |
the mutex with and without the kernel lock.
Prompted by WITNESS.
OK deraadt@ kettenis@
| |
regression with iked(8).
Reported by Mark Patruck.
| |
No functional change.
ok deraadt@, bluhm@, visa@
| |
userland.
Inputs from markus@, ok sthen@
| |
protocol specific ones.
OK mpi@
| |
variables can be declared constant.
OK claudio@ mpi@
| |
change to rtsock.c. This simplifies the pfkey code since there is no special
wrapping needed and in general the PRU cases get easier.
OK bluhm@ henning@ mpi@
| |
While here document which field of the PCB is protected by which lock.
ok visa@
| |
inputs & ok visa@
| |
ok claudio@
| |
ok tb@
| |
ok visa@, tb@
| |
of calling sofree(), when its PCB is detached.
This is different from TCP which does not always detach `inpcb's from
sockets. In the pfkey & routing case calling sofree() there is a noop
whereas for TCP it's needed to free closed connections.
Having fewer sofree() makes it easier to understand the code and move
the locks down.
ok visa@
| |
or kernel lock when accessing a socket. For pf key sockets it is
kernel lock, so add its protection in pfkey_sendup(). Fixes a
kernel lock assertion panic reported by Peter J. Philipp.
OK mpi@ visa@
| |
OK mikeb@
| |
grab the KERNEL_LOCK() when delivering messages.
This is the same solution already used by routing sockets.
ok claudio@, visa@
| |
socket receive buffer.
It is modelled after pfkey_sendup() as both will need the same MP
treatment.
ok tb@, bluhm@, visa@
| |
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.
No objection from millert@, ok tedu@, bluhm@
| |
This will allow us to get rid of the list.
ok visa@
| |
It isn't safe to manipulate PF_KEY sockets without KERNEL_LOCK() because
they aren't protected by the NET_LOCK().
I missed this in my previous audit and neither my tests, the regression
tests nor the IPsec performance tests exposed the problem. Hopefully I
added the right check to soassertlocked() a while back.
Found the hard way by and ok sthen@
| |
IPsec is enabled.
This is currently a no-op since we still use a single taskq. But it
will allow us to experiment with multiple forwarding threads and the
PF_LOCK() without having to fix IPsec at the same time.
ok sashan@, visa@
| |
by & OK mpi, input & OK visa
| |
Suggested by and OK mpi, OK visa
| |
functions to pave way for more fine grained locking.
Suggested by, comments & OK mpi
| |
This enforces an order and will allow us to get rid of the global list.
ok millert@, visa@, markus@
| |
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
| |
Exposes per-CPU counters to real parallelism.
ok visa@, bluhm@, jca@
| |
Tested by Hrvoje Popovski, ok bluhm@
| |
Suggested by and OK bluhm@ OK mpi@
| |
to simplify the locking of those lists. For now move the LIST_ENTRY from
rawcb into routecb and in the pfkey case a new keycb. Do some cleanup and
renaming in the pfkey code but more to come.
OK bluhm@ mpi@
| |
buffers.
This is one step towards unlocking TCP input path. Note that all the
functions asserting for the socket lock are not necessarily MP-safe.
All the fields of 'struct socket' aren't protected.
Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures. Logic
and name taken from NetBSD.
Tested by Hrvoje Popovski.
ok claudio@, bluhm@, mikeb@
| |
destination address is used as an index when looking for a TDB, we need
to supply the new destination address in a different member. For this,
re-use the proxy address, that so far no one else has been using. It
would make sense to rename this member in the future.
ok claudio@
| |
to pfkeyv2.c. These structs are nowhere else needed.
OK gcc