PERFORCE change 162632 for review
Edward Tomasz Napierala
trasz at FreeBSD.org
Sun May 24 10:18:26 UTC 2009
http://perforce.freebsd.org/chv.cgi?CH=162632
Change 162632 by trasz at trasz_victim on 2009/05/24 10:18:02
IFC.
Affected files ...
.. //depot/projects/soc2008/trasz_nfs4acl/ObsoleteFiles.inc#24 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/share/man/man4/ipsec.4#2 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/conf/NOTES#32 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/kern_jail.c#18 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/ip_ipsec.c#9 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/tcp_subr.c#21 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_usrreq.c#21 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_var.h#5 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/vinet.h#11 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/ip6_ipsec.c#7 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/udp6_usrreq.c#17 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.c#14 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.h#9 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec6.h#5 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/vipsec.h#7 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/nfsclient/bootp_subr.c#8 integrate
.. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/acl.h#36 edit
.. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/param.h#25 integrate
Differences ...
==== //depot/projects/soc2008/trasz_nfs4acl/ObsoleteFiles.inc#24 (text+ko) ====
@@ -1,5 +1,5 @@
#
-# $FreeBSD: src/ObsoleteFiles.inc,v 1.189 2009/05/22 13:57:44 rwatson Exp $
+# $FreeBSD: src/ObsoleteFiles.inc,v 1.190 2009/05/23 16:54:07 antoine Exp $
#
# This file lists old files (OLD_FILES), libraries (OLD_LIBS) and
# directories (OLD_DIRS) which should get removed at an update. Recently
@@ -18,7 +18,11 @@
OLD_FILES+=etc/rc.d/idmapd
OLD_FILES+=sbin/idmapd
OLD_FILES+=sbin/mount_nfs4
+OLD_FILES+=usr/share/man/man8/idmapd.8.gz
OLD_FILES+=usr/share/man/man8/mount_nfs4.8.gz
+# 20090513: removal of legacy versions of USB network interface drivers
+OLD_FILES+=usr/include/legacy/dev/usb/if_upgtvar.h
+OLD_FILES+=usr/include/legacy/dev/usb/usb_ethersubr.h
# 20090417: removal of legacy versions of USB network interface drivers
OLD_FILES+=usr/include/legacy/dev/usb/if_auereg.h
OLD_FILES+=usr/include/legacy/dev/usb/if_axereg.h
==== //depot/projects/soc2008/trasz_nfs4acl/share/man/man4/ipsec.4#2 (text+ko) ====
@@ -27,9 +27,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.22 2007/08/05 16:16:14 bz Exp $
+.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.23 2009/05/23 16:42:38 bz Exp $
.\"
-.Dd August 5, 2007
+.Dd May 23, 2009
.Dt IPSEC 4
.Os
.Sh NAME
@@ -37,7 +37,6 @@
.Nd Internet Protocol Security protocol
.Sh SYNOPSIS
.Cd "options IPSEC"
-.Cd "options IPSEC_FILTERTUNNEL"
.Cd "device crypto"
.Pp
.In sys/types.h
@@ -88,9 +87,12 @@
.Pp
To properly filter on the inner packets of an
.Nm
-tunnel with firewalls, add
-.Cd "options IPSEC_FILTERTUNNEL"
-to the kernel configuration file.
+tunnel with firewalls, you can change the values of the following sysctls
+.Bl -column net.inet6.ipsec6.filtertunnel default enable
+.It Sy "Name Default Enable"
+.It net.inet.ipsec.filtertunnel 0 1
+.It net.inet6.ipsec6.filtertunnel 0 1
+.El
.\"
.Ss Kernel interface
.Nm
==== //depot/projects/soc2008/trasz_nfs4acl/sys/conf/NOTES#32 (text+ko) ====
@@ -1,4 +1,4 @@
-# $FreeBSD: src/sys/conf/NOTES,v 1.1538 2009/05/10 00:00:25 kuriyama Exp $
+# $FreeBSD: src/sys/conf/NOTES,v 1.1539 2009/05/23 16:42:38 bz Exp $
#
# NOTES -- Lines that can be cut/pasted into kernel and hints configs.
#
@@ -524,9 +524,10 @@
options IPSEC #IP security (requires device crypto)
#options IPSEC_DEBUG #debug for IP security
#
-# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel
-# to be processed by any configured packet filtering twice.
-# The default is that packets coming out of a tunnel are _not_ processed;
+# #DEPRECATED#
+# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
+# coming through a tunnel to be processed by any configured packet filtering
+# twice. The default is that packets coming out of a tunnel are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/kern_jail.c#18 (text+ko) ====
@@ -27,7 +27,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.100 2009/05/08 14:11:06 zec Exp $");
+__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.101 2009/05/23 16:13:26 jamie Exp $");
#include "opt_ddb.h"
#include "opt_inet.h"
@@ -1196,14 +1196,6 @@
if (flags & ~JAIL_GET_MASK)
return (EINVAL);
- if (jailed(td->td_ucred)) {
- /*
- * Don't allow a jailed process to see any jails,
- * not even its own.
- */
- vfs_opterror(opts, "jail not found");
- return (ENOENT);
- }
/* Get the parameter list. */
error = vfs_buildopts(optuio, &opts);
@@ -1211,6 +1203,12 @@
return (error);
errmsg_pos = vfs_getopt_pos(opts, "errmsg");
+ /* Don't allow a jailed process to see any jails, not even its own. */
+ if (jailed(td->td_ucred)) {
+ vfs_opterror(opts, "jail not found");
+ return (ENOENT);
+ }
+
/*
* Find the prison specified by one of: lastjid, jid, name.
*/
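Review bot: The moved check now runs after `vfs_buildopts()` has allocated `opts`, but it still does a bare `return (ENOENT);`, so as far as this hunk shows the option list is leaked and the "jail not found" text written by `vfs_opterror()` is never copied back to the caller (`errmsg_pos` is computed on the line above and unused on this path). Moving the check past vfs_buildopts() only pays off if the failure takes the function's error path: set `error = ENOENT;` and jump to the existing cleanup/errmsg copy-out label (not visible here) instead of returning directly. jail_get's body continues outside the hunk.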
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/ip_ipsec.c#9 (text+ko) ====
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet/ip_ipsec.c,v 1.17 2009/04/28 11:10:33 trasz Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet/ip_ipsec.c,v 1.18 2009/05/23 16:42:38 bz Exp $");
#include "opt_ipsec.h"
#include "opt_sctp.h"
@@ -71,6 +71,10 @@
extern struct protosw inetsw[];
+#ifdef VIMAGE_GLOBALS
+int ip4_ipsec_filtertunnel;
+#endif
+
/*
* Check if we have to jump over firewall processing for this packet.
* Called from ip_input().
@@ -79,11 +83,14 @@
int
ip_ipsec_filtertunnel(struct mbuf *m)
{
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
/*
* Bypass packet filtering for packets from a tunnel.
*/
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip4_ipsec_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
return 1;
#endif
return 0;
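Review bot: The comment above the test still describes an unconditional bypass, while the new condition only skips the firewall when `V_ip4_ipsec_filtertunnel` is zero; suggest `/* Bypass packet filtering for packets from a tunnel unless net.inet.ipsec.filtertunnel is set. */`. Since the per-vnet sysctl is now the only thing deciding whether decapsulated tunnel traffic is seen by the packet filter in ip_input(), it is worth saying in that comment that the default (0) keeps the historical "assumed trusted" behaviour. The same applies to the matching hunk in sys/netinet6/ip6_ipsec.c with `V_ip6_ipsec6_filtertunnel` and net.inet6.ipsec6.filtertunnel.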
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/tcp_subr.c#21 (text+ko) ====
@@ -30,7 +30,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet/tcp_subr.c,v 1.340 2009/04/30 13:36:26 zec Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet/tcp_subr.c,v 1.341 2009/05/23 17:02:30 bz Exp $");
#include "opt_compat.h"
#include "opt_inet.h"
@@ -373,7 +373,7 @@
&V_tcbinfo.ipi_hashmask);
V_tcbinfo.ipi_porthashbase = hashinit(hashsize, M_PCB,
&V_tcbinfo.ipi_porthashmask);
- V_tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
+ V_tcbinfo.ipi_zone = uma_zcreate("tcp_inpcb", sizeof(struct inpcb),
NULL, NULL, tcp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
/*
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_usrreq.c#21 (text+ko) ====
@@ -32,7 +32,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet/udp_usrreq.c,v 1.253 2009/04/30 13:36:26 zec Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet/udp_usrreq.c,v 1.254 2009/05/23 16:51:13 bz Exp $");
#include "opt_ipfw.h"
#include "opt_inet6.h"
@@ -137,6 +137,7 @@
#ifdef VIMAGE_GLOBALS
struct inpcbhead udb; /* from udp_var.h */
struct inpcbinfo udbinfo;
+static uma_zone_t udpcb_zone;
struct udpstat udpstat; /* from udp_var.h */
#endif
@@ -158,6 +159,7 @@
INIT_VNET_INET(curvnet);
uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets);
+ uma_zone_set_max(V_udpcb_zone, maxsockets);
}
static int
@@ -187,13 +189,39 @@
&V_udbinfo.ipi_hashmask);
V_udbinfo.ipi_porthashbase = hashinit(UDBHASHSIZE, M_PCB,
&V_udbinfo.ipi_porthashmask);
- V_udbinfo.ipi_zone = uma_zcreate("udpcb", sizeof(struct inpcb), NULL,
- NULL, udp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ V_udbinfo.ipi_zone = uma_zcreate("udp_inpcb", sizeof(struct inpcb),
+ NULL, NULL, udp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets);
+
+ V_udpcb_zone = uma_zcreate("udpcb", sizeof(struct udpcb),
+ NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
+ uma_zone_set_max(V_udpcb_zone, maxsockets);
+
EVENTHANDLER_REGISTER(maxsockets_change, udp_zone_change, NULL,
EVENTHANDLER_PRI_ANY);
}
+int
+udp_newudpcb(struct inpcb *inp)
+{
+ INIT_VNET_INET(curvnet);
+ struct udpcb *up;
+
+ up = uma_zalloc(V_udpcb_zone, M_NOWAIT | M_ZERO);
+ if (up == NULL)
+ return (ENOBUFS);
+ inp->inp_ppcb = up;
+ return (0);
+}
+
+void
+udp_discardcb(struct udpcb *up)
+{
+ INIT_VNET_INET(curvnet);
+
+ uma_zfree(V_udpcb_zone, up);
+}
+
/*
* Subroutine of udp_input(), which appends the provided mbuf chain to the
* passed pcb/socket. The caller must provide a sockaddr_in via udp_in that
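Review bot: `udp_newudpcb()` and `udp_discardcb()` are new externally visible functions with no header comment, unlike the surrounding functions in this file. Suggest above udp_newudpcb: `/* Allocate a zeroed udpcb for inp and attach it as inp->inp_ppcb; returns ENOBUFS if the zone is exhausted. The attach paths call this with the inpcb write-locked. */` and above udp_discardcb: `/* Free a udpcb that udp_detach()/udp6_detach() has already unhooked from its inpcb. */`. It would also help to state that every inpcb in V_udbinfo is expected to carry a udpcb, because udp_input() dereferences `intoudpcb()` without a NULL check and relies on udp_attach() having succeeded.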
@@ -272,6 +300,7 @@
struct udphdr *uh;
struct ifnet *ifp;
struct inpcb *inp;
+ struct udpcb *up;
int len;
struct ip save_ip;
struct sockaddr_in udp_in;
@@ -455,28 +484,25 @@
struct mbuf *n;
n = m_copy(m, 0, M_COPYALL);
- if (last->inp_ppcb == NULL) {
+ up = intoudpcb(last);
+ if (up->u_tun_func == NULL) {
if (n != NULL)
udp_append(last,
ip, n,
iphlen +
sizeof(struct udphdr),
&udp_in);
- INP_RUNLOCK(last);
} else {
/*
* Engage the tunneling protocol we
* will have to leave the info_lock
* up, since we are hunting through
* multiple UDP's.
- *
*/
- udp_tun_func_t tunnel_func;
- tunnel_func = (udp_tun_func_t)last->inp_ppcb;
- tunnel_func(n, iphlen, last);
- INP_RUNLOCK(last);
+ (*up->u_tun_func)(n, iphlen, last);
}
+ INP_RUNLOCK(last);
}
last = inp;
/*
@@ -501,22 +527,18 @@
UDPSTAT_INC(udps_noportbcast);
goto badheadlocked;
}
- if (last->inp_ppcb == NULL) {
+ up = intoudpcb(last);
+ if (up->u_tun_func == NULL) {
udp_append(last, ip, m, iphlen + sizeof(struct udphdr),
&udp_in);
- INP_RUNLOCK(last);
- INP_INFO_RUNLOCK(&V_udbinfo);
} else {
/*
* Engage the tunneling protocol.
*/
- udp_tun_func_t tunnel_func;
-
- tunnel_func = (udp_tun_func_t)last->inp_ppcb;
- tunnel_func(m, iphlen, last);
- INP_RUNLOCK(last);
- INP_INFO_RUNLOCK(&V_udbinfo);
+ (*up->u_tun_func)(m, iphlen, last);
}
+ INP_RUNLOCK(last);
+ INP_INFO_RUNLOCK(&V_udbinfo);
return;
}
@@ -560,18 +582,16 @@
INP_RUNLOCK(inp);
goto badunlocked;
}
- if (inp->inp_ppcb != NULL) {
+ up = intoudpcb(inp);
+ if (up->u_tun_func == NULL) {
+ udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in);
+ } else {
/*
* Engage the tunneling protocol.
*/
- udp_tun_func_t tunnel_func;
- tunnel_func = (udp_tun_func_t)inp->inp_ppcb;
- tunnel_func(m, iphlen, inp);
- INP_RUNLOCK(inp);
- return;
+ (*up->u_tun_func)(m, iphlen, inp);
}
- udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in);
INP_RUNLOCK(inp);
return;
@@ -1142,18 +1162,19 @@
}
inp = (struct inpcb *)so->so_pcb;
- INP_INFO_WUNLOCK(&V_udbinfo);
inp->inp_vflag |= INP_IPV4;
inp->inp_ip_ttl = V_ip_defttl;
- /*
- * UDP does not have a per-protocol pcb (inp->inp_ppcb).
- * We use this pointer for kernel tunneling pointer.
- * If we ever need to have a protocol block we will
- * need to move this function pointer there. Null
- * in this pointer means "do the normal thing".
- */
- inp->inp_ppcb = NULL;
+
+ error = udp_newudpcb(inp);
+ if (error) {
+ in_pcbdetach(inp);
+ in_pcbfree(inp);
+ INP_INFO_WUNLOCK(&V_udbinfo);
+ return (error);
+ }
+
INP_WUNLOCK(inp);
+ INP_INFO_WUNLOCK(&V_udbinfo);
return (0);
}
@@ -1161,24 +1182,26 @@
udp_set_kernel_tunneling(struct socket *so, udp_tun_func_t f)
{
struct inpcb *inp;
+ struct udpcb *up;
- inp = (struct inpcb *)so->so_pcb;
KASSERT(so->so_type == SOCK_DGRAM, ("udp_set_kernel_tunneling: !dgram"));
KASSERT(so->so_pcb != NULL, ("udp_set_kernel_tunneling: NULL inp"));
if (so->so_type != SOCK_DGRAM) {
/* Not UDP socket... sorry! */
return (ENOTSUP);
}
+ inp = (struct inpcb *)so->so_pcb;
if (inp == NULL) {
/* NULL INP? */
return (EINVAL);
}
INP_WLOCK(inp);
- if (inp->inp_ppcb != NULL) {
+ up = intoudpcb(inp);
+ if (up->u_tun_func != NULL) {
INP_WUNLOCK(inp);
return (EBUSY);
}
- inp->inp_ppcb = f;
+ up->u_tun_func = f;
INP_WUNLOCK(inp);
return (0);
}
@@ -1256,6 +1279,7 @@
{
INIT_VNET_INET(so->so_vnet);
struct inpcb *inp;
+ struct udpcb *up;
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("udp_detach: inp == NULL"));
@@ -1263,9 +1287,13 @@
("udp_detach: not disconnected"));
INP_INFO_WLOCK(&V_udbinfo);
INP_WLOCK(inp);
+ up = intoudpcb(inp);
+ KASSERT(up != NULL, ("%s: up == NULL", __func__));
+ inp->inp_ppcb = NULL;
in_pcbdetach(inp);
in_pcbfree(inp);
INP_INFO_WUNLOCK(&V_udbinfo);
+ udp_discardcb(up);
}
static int
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_var.h#5 (text+ko) ====
@@ -28,7 +28,7 @@
* SUCH DAMAGE.
*
* @(#)udp_var.h 8.1 (Berkeley) 6/10/93
- * $FreeBSD: src/sys/netinet/udp_var.h,v 1.36 2009/04/12 11:42:40 rwatson Exp $
+ * $FreeBSD: src/sys/netinet/udp_var.h,v 1.37 2009/05/23 16:51:13 bz Exp $
*/
#ifndef _NETINET_UDP_VAR_H_
@@ -51,6 +51,19 @@
#define ui_ulen ui_u.uh_ulen
#define ui_sum ui_u.uh_sum
+typedef void(*udp_tun_func_t)(struct mbuf *, int off, struct inpcb *);
+
+/*
+ * UDP control block; one per udp.
+ */
+struct udpcb {
+ udp_tun_func_t u_tun_func; /* UDP kernel tunneling callback. */
+ u_int u_flags; /* Generic UDP flags. */
+};
+
+#define intoudpcb(ip) ((struct udpcb *)(ip)->inp_ppcb)
+#define sotoudpcb(so) (intoudpcb(sotoinpcb(so)))
+
struct udpstat {
/* input statistics: */
u_long udps_ipackets; /* total input packets */
@@ -110,14 +123,15 @@
extern u_long udp_recvspace;
extern int udp_log_in_vain;
+int udp_newudpcb(struct inpcb *);
+void udp_discardcb(struct udpcb *);
+
void udp_ctlinput(int, struct sockaddr *, void *);
void udp_init(void);
void udp_input(struct mbuf *, int);
struct inpcb *udp_notify(struct inpcb *inp, int errno);
int udp_shutdown(struct socket *so);
-
-typedef void(*udp_tun_func_t)(struct mbuf *, int off, struct inpcb *);
int udp_set_kernel_tunneling(struct socket *so, udp_tun_func_t f);
#endif
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/vinet.h#11 (text+ko) ====
@@ -27,7 +27,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/netinet/vinet.h,v 1.15 2009/05/02 08:16:26 zec Exp $
+ * $FreeBSD: src/sys/netinet/vinet.h,v 1.16 2009/05/23 16:51:13 bz Exp $
*/
#ifndef _NETINET_VINET_H_
@@ -149,6 +149,7 @@
struct inpcbhead _udb;
struct inpcbinfo _udbinfo;
+ uma_zone_t _udpcb_zone;
struct udpstat _udpstat;
int _udp_blackhole;
@@ -373,6 +374,7 @@
#define V_twq_2msl VNET_INET(twq_2msl)
#define V_udb VNET_INET(udb)
#define V_udbinfo VNET_INET(udbinfo)
+#define V_udpcb_zone VNET_INET(udpcb_zone)
#define V_udp_blackhole VNET_INET(udp_blackhole)
#define V_udpstat VNET_INET(udpstat)
#define V_useloopback VNET_INET(useloopback)
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/ip6_ipsec.c#7 (text+ko) ====
@@ -28,7 +28,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet6/ip6_ipsec.c,v 1.15 2009/02/08 09:27:07 bz Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet6/ip6_ipsec.c,v 1.16 2009/05/23 16:42:38 bz Exp $");
#include "opt_ipsec.h"
@@ -76,6 +76,10 @@
extern struct protosw inet6sw[];
+#ifdef VIMAGE_GLOBALS
+int ip6_ipsec6_filtertunnel;
+#endif
+
/*
* Check if we have to jump over firewall processing for this packet.
* Called from ip_input().
@@ -84,11 +88,14 @@
int
ip6_ipsec_filtertunnel(struct mbuf *m)
{
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
/*
* Bypass packet filtering for packets from a tunnel.
*/
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip6_ipsec6_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
return 1;
#endif
return 0;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/udp6_usrreq.c#17 (text+ko) ====
@@ -63,7 +63,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet6/udp6_usrreq.c,v 1.110 2009/05/01 11:05:24 bms Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet6/udp6_usrreq.c,v 1.111 2009/05/23 16:51:13 bz Exp $");
#include "opt_inet.h"
#include "opt_inet6.h"
@@ -181,6 +181,7 @@
struct ip6_hdr *ip6;
struct udphdr *uh;
struct inpcb *inp;
+ struct udpcb *up;
int off = *offp;
int plen, ulen;
struct sockaddr_in6 fromsa;
@@ -315,7 +316,10 @@
if ((n = m_copy(m, 0, M_COPYALL)) != NULL) {
INP_RLOCK(last);
- if (last->inp_ppcb != NULL) {
+ up = intoudpcb(last);
+ if (up->u_tun_func == NULL) {
+ udp6_append(last, n, off, &fromsa);
+ } else {
/*
* Engage the tunneling
* protocol we will have to
@@ -324,15 +328,9 @@
* through multiple UDP's.
*
*/
- udp_tun_func_t tunnel_func;
-
- tunnel_func = (udp_tun_func_t)last->inp_ppcb;
- tunnel_func(n, off, last);
- INP_RUNLOCK(last);
- } else {
- udp6_append(last, n, off, &fromsa);
- INP_RUNLOCK(last);
+ (*up->u_tun_func)(n, off, last);
}
+ INP_RUNLOCK(last);
}
}
last = inp;
@@ -361,18 +359,15 @@
}
INP_RLOCK(last);
INP_INFO_RUNLOCK(&V_udbinfo);
- if (last->inp_ppcb != NULL) {
+ up = intoudpcb(last);
+ if (up->u_tun_func == NULL) {
+ udp6_append(last, m, off, &fromsa);
+ } else {
/*
* Engage the tunneling protocol.
*/
- udp_tun_func_t tunnel_func;
-
- tunnel_func = (udp_tun_func_t)inp->inp_ppcb;
- tunnel_func(m, off, last);
- INP_RUNLOCK(last);
- return (IPPROTO_DONE);
+ (*up->u_tun_func)(m, off, last);
}
- udp6_append(last, m, off, &fromsa);
INP_RUNLOCK(last);
return (IPPROTO_DONE);
}
@@ -409,18 +404,16 @@
}
INP_RLOCK(inp);
INP_INFO_RUNLOCK(&V_udbinfo);
- if (inp->inp_ppcb != NULL) {
+ up = intoudpcb(inp);
+ if (up->u_tun_func == NULL) {
+ udp6_append(inp, m, off, &fromsa);
+ } else {
/*
* Engage the tunneling protocol.
*/
- udp_tun_func_t tunnel_func;
- tunnel_func = (udp_tun_func_t)inp->inp_ppcb;
- tunnel_func(m, off, inp);
- INP_RUNLOCK(inp);
- return (IPPROTO_DONE);
+ (*up->u_tun_func)(m, off, inp);
}
- udp6_append(inp, m, off, &fromsa);
INP_RUNLOCK(inp);
return (IPPROTO_DONE);
@@ -820,7 +813,6 @@
return (error);
}
inp = (struct inpcb *)so->so_pcb;
- INP_INFO_WUNLOCK(&V_udbinfo);
inp->inp_vflag |= INP_IPV6;
if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0)
inp->inp_vflag |= INP_IPV4;
@@ -833,7 +825,16 @@
* which may match an IPv4-mapped IPv6 address.
*/
inp->inp_ip_ttl = V_ip_defttl;
+
+ error = udp_newudpcb(inp);
+ if (error) {
+ in_pcbdetach(inp);
+ in_pcbfree(inp);
+ INP_INFO_WUNLOCK(&V_udbinfo);
+ return (error);
+ }
INP_WUNLOCK(inp);
+ INP_INFO_WUNLOCK(&V_udbinfo);
return (0);
}
@@ -968,15 +969,19 @@
{
INIT_VNET_INET(so->so_vnet);
struct inpcb *inp;
+ struct udpcb *up;
inp = sotoinpcb(so);
KASSERT(inp != NULL, ("udp6_detach: inp == NULL"));
INP_INFO_WLOCK(&V_udbinfo);
INP_WLOCK(inp);
+ up = intoudpcb(inp);
+ KASSERT(up != NULL, ("%s: up == NULL", __func__));
in_pcbdetach(inp);
in_pcbfree(inp);
INP_INFO_WUNLOCK(&V_udbinfo);
+ udp_discardcb(up);
}
static int
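Review bot: udp6_detach() does not clear `inp->inp_ppcb` before in_pcbdetach()/in_pcbfree(), whereas the IPv4 counterpart udp_detach() in this same change does (`inp->inp_ppcb = NULL;` right after the KASSERT). The udpcb is only released by udp_discardcb() after the info lock is dropped, so leaving the stale pointer in the inpcb during teardown is at least inconsistent between the two protocols; add `inp->inp_ppcb = NULL;` after the KASSERT for parity.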
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.c#14 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.49 2009/04/30 13:36:26 zec Exp $ */
+/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.50 2009/05/23 16:42:38 bz Exp $ */
/* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */
/*-
@@ -167,6 +167,9 @@
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat,
"IPsec IPv4 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
#ifdef REGRESSION
#ifdef VIMAGE_GLOBALS
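Review bot: The description string on the new SYSCTL_V_INT entry reads `"If set filter packets from an IPsec tunnel."`; a comma after "set" (`"If set, filter packets from an IPsec tunnel."`) makes the sysctl help text parse as intended. The second hunk in this file adds the identical string for the IPv6 node and should get the same fix.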
@@ -228,6 +231,9 @@
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
"IPsec IPv6 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
#endif /* INET6 */
static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@@ -273,6 +279,11 @@
V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
V_ip4_esp_randpad = -1;
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip4_ipsec_filtertunnel = 1;
+#else
+ V_ip4_ipsec_filtertunnel = 0;
+#endif
V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
@@ -287,6 +298,11 @@
V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip6_ipsec6_filtertunnel = 1;
+#else
+ V_ip6_ipsec6_filtertunnel = 0;
+#endif
#endif
}
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.h#9 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.23 2009/02/08 09:27:07 bz Exp $ */
+/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.24 2009/05/23 16:42:38 bz Exp $ */
/* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */
/*-
@@ -348,6 +348,7 @@
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
+extern int ip4_ipsec_filtertunnel;
extern int ip4_esp_randpad;
extern int crypto_support;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec6.h#5 (text+ko) ====
@@ -1,4 +1,4 @@
-/* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.7 2009/02/08 09:27:07 bz Exp $ */
+/* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.8 2009/05/23 16:42:38 bz Exp $ */
/* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */
/*-
@@ -47,6 +47,7 @@
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
+extern int ip6_ipsec6_filtertunnel;
struct inpcb;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/vipsec.h#7 (text+ko) ====
@@ -27,7 +27,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/netipsec/vipsec.h,v 1.8 2009/05/02 08:16:26 zec Exp $
+ * $FreeBSD: src/sys/netipsec/vipsec.h,v 1.9 2009/05/23 16:42:38 bz Exp $
*/
#ifndef _NETIPSEC_VIPSEC_H_
@@ -57,6 +57,7 @@
int _ip4_ah_offsetmask;
int _ip4_ipsec_dfbit;
int _ip4_ipsec_ecn;
+ int _ip4_ipsec_filtertunnel;
int _ip4_esp_randpad;
int _ipsec_replay;
@@ -90,6 +91,7 @@
int _ip6_ah_trans_deflev;
int _ip6_ah_net_deflev;
int _ip6_ipsec_ecn;
+ int _ip6_ipsec6_filtertunnel;
int _ah_enable;
int _ah_cleartos;
@@ -142,12 +144,14 @@
#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
+#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel)
#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel)
#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
#define V_ipcompstat VNET_IPSEC(ipcompstat)
#define V_ipip_allow VNET_IPSEC(ipip_allow)
==== //depot/projects/soc2008/trasz_nfs4acl/sys/nfsclient/bootp_subr.c#8 (text+ko) ====
@@ -41,7 +41,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/nfsclient/bootp_subr.c,v 1.78 2009/05/23 00:07:55 bz Exp $");
+__FBSDID("$FreeBSD: src/sys/nfsclient/bootp_subr.c,v 1.79 2009/05/23 16:27:42 bz Exp $");
#include "opt_route.h"
#include "opt_bootp.h"
@@ -359,6 +359,7 @@
void
bootpboot_p_rtlist(void)
{
+ INIT_VNET_NET(curvnet);
printf("Routing table:\n");
RADIX_NODE_HEAD_RLOCK(V_rt_tables[0][AF_INET]); /* could sleep XXX */
@@ -383,6 +384,7 @@
void
bootpboot_p_iflist(void)
{
+ INIT_VNET_NET(curvnet);
struct ifnet *ifp;
struct ifaddr *ifa;
@@ -1592,6 +1594,7 @@
void
bootpc_init(void)
{
+ INIT_VNET_NET(curvnet);
struct bootpc_ifcontext *ifctx, *nctx; /* Interface BOOTP contexts */
struct bootpc_globalcontext *gctx; /* Global BOOTP context */
struct ifnet *ifp;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/acl.h#36 (text+ko) ====
@@ -1,5 +1,6 @@
/*-
* Copyright (c) 1999-2001 Robert N. M. Watson
+ * Copyright (c) 2008 Edward Tomasz NapieraÅa <trasz at FreeBSD.org>
* All rights reserved.
*
* This software was developed by Robert Watson for the TrustedBSD Project.
@@ -25,7 +26,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $FreeBSD: src/sys/sys/acl.h,v 1.32 2009/05/22 15:56:43 trasz Exp $
+ * $FreeBSD: src/sys/sys/acl.h,v 1.33 2009/05/23 17:09:47 trasz Exp $
*/
/*
* Developed by the TrustedBSD Project.
@@ -40,7 +41,7 @@
#include <vm/uma.h>
/*
- * POSIX.1e ACL types and related constants.
+ * POSIX.1e and NFSv4 ACL types and related constants.
*/
typedef uint32_t acl_tag_t;
@@ -53,7 +54,7 @@
/*
* With 254 entries, "struct acl_t_struct" is exactly one 4kB page big.
- * Note that with NFS4 ACLs, the maximum number of ACL entries one
+ * Note that with NFSv4 ACLs, the maximum number of ACL entries one
* may set on file or directory is about half of ACL_MAX_ENTRIES.
*
* If you increase this, you might also need to increase
@@ -110,7 +111,7 @@
/*
* Internal ACL structure, used in libc, kernel APIs and for on-disk
- * storage of NFS4 ACLs. POSIX.1e ACLs use "struct oldacl" for on-disk
+ * storage of NFSv4 ACLs. POSIX.1e ACLs use "struct oldacl" for on-disk
* storage.
*/
struct acl {
@@ -167,7 +168,7 @@
#define ACL_EVERYONE 0x00000040
/*
- * Possible valid values for ae_entry_type field.
+ * Possible valid values for ae_entry_type field, valid only for NFSv4 ACLs.
*/
#define ACL_ENTRY_TYPE_ALLOW 0x0100
#define ACL_ENTRY_TYPE_DENY 0x0200
@@ -185,7 +186,7 @@
#define ACL_TYPE_NFS4 0x00000004
/*
- * Possible flags in ae_perm field for POSIX.1e ACLs. Note
+ * Possible bits in ae_perm field for POSIX.1e ACLs. Note
* that ACL_EXECUTE may be used in both NFSv4 and POSIX.1e ACLs.
*/
#define ACL_EXECUTE 0x0001
@@ -196,25 +197,25 @@
#define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ)
/*
- * Possible flags in ae_perm field for NFSv4 ACLs.
+ * Possible bits in ae_perm field for NFSv4 ACLs.
*/
-#define ACL_READ_DATA 0x00000020
-#define ACL_LIST_DIRECTORY 0x00000020
-#define ACL_WRITE_DATA 0x00000040
-#define ACL_ADD_FILE 0x00000040
-#define ACL_APPEND_DATA 0x00000080
-#define ACL_ADD_SUBDIRECTORY 0x00000080
-#define ACL_READ_NAMED_ATTRS 0x00000100
-#define ACL_WRITE_NAMED_ATTRS 0x00000200
+#define ACL_READ_DATA 0x00000008
+#define ACL_LIST_DIRECTORY 0x00000008
+#define ACL_WRITE_DATA 0x00000010
+#define ACL_ADD_FILE 0x00000010
+#define ACL_APPEND_DATA 0x00000020
+#define ACL_ADD_SUBDIRECTORY 0x00000020
+#define ACL_READ_NAMED_ATTRS 0x00000040
+#define ACL_WRITE_NAMED_ATTRS 0x00000080
/* ACL_EXECUTE is defined above. */
-#define ACL_DELETE_CHILD 0x00000400
-#define ACL_READ_ATTRIBUTES 0x00000800
-#define ACL_WRITE_ATTRIBUTES 0x00001000
-#define ACL_DELETE 0x00002000
-#define ACL_READ_ACL 0x00004000
-#define ACL_WRITE_ACL 0x00008000
-#define ACL_WRITE_OWNER 0x00010000
-#define ACL_SYNCHRONIZE 0x00020000
+#define ACL_DELETE_CHILD 0x00000100
+#define ACL_READ_ATTRIBUTES 0x00000200
+#define ACL_WRITE_ATTRIBUTES 0x00000400
+#define ACL_DELETE 0x00000800
+#define ACL_READ_ACL 0x00001000
+#define ACL_WRITE_ACL 0x00002000
+#define ACL_WRITE_OWNER 0x00004000
+#define ACL_SYNCHRONIZE 0x00008000
#define ACL_NFS4_PERM_BITS (ACL_READ_DATA | ACL_WRITE_DATA | \
ACL_APPEND_DATA | ACL_READ_NAMED_ATTRS | ACL_WRITE_NAMED_ATTRS | \
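Review bot: This hunk renumbers every NFSv4 ae_perm bit (e.g. ACL_READ_DATA 0x00000020 to 0x00000008, ACL_WRITE_OWNER 0x00010000 to 0x00004000) in a header whose `struct acl` is documented earlier in this file section as the on-disk storage format for NFSv4 ACLs, yet nothing in the hunk records the compatibility consequence. An ae_perm value already written with the old layout would decode to different rights (old ACL_READ_DATA 0x20 is the new ACL_APPEND_DATA, old ACL_WRITE_DATA 0x40 is the new ACL_READ_NAMED_ATTRS), which for access-control bits is a silent permission change rather than a cosmetic one. If no released filesystem ever stored ae_perm with the previous values, say so in the block comment, e.g. `/* Bit values changed in <revision>; no released on-disk format used the earlier assignments. */`; otherwise a translation step is needed wherever stored ACLs are read.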
@@ -266,6 +267,7 @@
#define ACL_PRESERVE_MASK (~ACL_OVERRIDE_MASK)
#ifdef _KERNEL
+
/*
* Filesystem-independent code to move back and forth between POSIX mode and
* POSIX.1e ACL representations.
==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/param.h#25 (text+ko) ====
>>> TRUNCATED FOR MAIL (1000 lines) <<<