svn commit: r281694 - head/sys/netipsec

Andrey V. Elsukov ae at FreeBSD.org
Sat Apr 18 16:51:25 UTC 2015 

Author: ae
Date: Sat Apr 18 16:51:24 2015
New Revision: 281694
URL: https://svnweb.freebsd.org/changeset/base/281694

Log:
  Requeue mbuf via netisr when we use IPSec tunnel mode and IPv6.
  
  ipsec6_common_input_cb() uses partial copy of ip6_input() to parse
  headers. But this isn't correct, when we use tunnel mode IPSec.
  
  When we stripped outer IPv6 header from the decrypted packet, it
  can become IPv4 packet and should be handled by ip_input. Also when
  we use tunnel mode IPSec with IPv6 traffic, we should pass decrypted
  packet with inner IPv6 header to ip6_input, it will correctly handle
  it and also can decide to forward it.
  
  The "skip" variable points to offset where payload starts. In tunnel
  mode we reset it to zero after stripping the outer header. So, when
  it is zero, we should requeue mbuf via netisr.
  
  Differential Revision:	https://reviews.freebsd.org/D2306
  Reviewed by:	adrian, gnn
  Sponsored by:	Yandex LLC

Modified:
  head/sys/netipsec/ipsec_input.c

Modified: head/sys/netipsec/ipsec_input.c
==============================================================================
--- head/sys/netipsec/ipsec_input.c	Sat Apr 18 16:46:31 2015	(r281693)
+++ head/sys/netipsec/ipsec_input.c	Sat Apr 18 16:51:24 2015	(r281694)
@@ -627,7 +627,7 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	struct m_tag *mtag;
 	struct tdb_ident *tdbi;
 	struct secasindex *saidx;
-	int nxt;
+	int nxt, isr_prot;
 	u_int8_t nxt8;
 	int error, nest;
 #ifdef notyet
@@ -803,6 +803,35 @@ ipsec6_common_input_cb(struct mbuf *m, s
 	if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER)) != 0)
 		return (error);
 #endif /* DEV_ENC */
+	if (skip == 0) {
+		/*
+		 * We stripped outer IPv6 header.
+		 * Now we should requeue decrypted packet via netisr.
+		 */
+		switch (prot) {
+#ifdef INET
+		case IPPROTO_IPIP:
+			isr_prot = NETISR_IP;
+			break;
+#endif
+		case IPPROTO_IPV6:
+			isr_prot = NETISR_IPV6;
+			break;
+		default:
+			DPRINTF(("%s: cannot handle inner ip proto %d\n",
+			    __func__, prot));
+			IPSEC_ISTAT(sproto, nopf);
+			error = EPFNOSUPPORT;
+			goto bad;
+		}
+		error = netisr_queue_src(isr_prot, (uintptr_t)sav->spi, m);
+		if (error) {
+			IPSEC_ISTAT(sproto, qfull);
+			DPRINTF(("%s: queue full; proto %u packet dropped\n",
+			    __func__, sproto));
+		}
+		return (error);
+	}
 	/*
 	 * See the end of ip6_input for this logic.
 	 * IPPROTO_IPV[46] case will be processed just like other ones

More information about the svn-src-head mailing list