Date: Sun, 24 May 2009 10:18:24 GMT From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 162632 for review Message-ID: <200905241018.n4OAIOxb017549@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=162632 Change 162632 by trasz@trasz_victim on 2009/05/24 10:18:02 IFC. Affected files ... .. //depot/projects/soc2008/trasz_nfs4acl/ObsoleteFiles.inc#24 integrate .. //depot/projects/soc2008/trasz_nfs4acl/share/man/man4/ipsec.4#2 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/conf/NOTES#32 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/kern/kern_jail.c#18 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/ip_ipsec.c#9 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/tcp_subr.c#21 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_usrreq.c#21 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_var.h#5 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/vinet.h#11 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/ip6_ipsec.c#7 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/udp6_usrreq.c#17 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.c#14 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.h#9 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec6.h#5 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/vipsec.h#7 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/nfsclient/bootp_subr.c#8 integrate .. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/acl.h#36 edit .. //depot/projects/soc2008/trasz_nfs4acl/sys/sys/param.h#25 integrate Differences ... ==== //depot/projects/soc2008/trasz_nfs4acl/ObsoleteFiles.inc#24 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD: src/ObsoleteFiles.inc,v 1.189 2009/05/22 13:57:44 rwatson Exp $ +# $FreeBSD: src/ObsoleteFiles.inc,v 1.190 2009/05/23 16:54:07 antoine Exp $ # # This file lists old files (OLD_FILES), libraries (OLD_LIBS) and # directories (OLD_DIRS) which should get removed at an update. Recently 
@@ -18,7 +18,11 @@ OLD_FILES+=etc/rc.d/idmapd OLD_FILES+=sbin/idmapd OLD_FILES+=sbin/mount_nfs4 +OLD_FILES+=usr/share/man/man8/idmapd.8.gz OLD_FILES+=usr/share/man/man8/mount_nfs4.8.gz +# 20090513: removal of legacy versions of USB network interface drivers +OLD_FILES+=usr/include/legacy/dev/usb/if_upgtvar.h +OLD_FILES+=usr/include/legacy/dev/usb/usb_ethersubr.h # 20090417: removal of legacy versions of USB network interface drivers OLD_FILES+=usr/include/legacy/dev/usb/if_auereg.h OLD_FILES+=usr/include/legacy/dev/usb/if_axereg.h ==== //depot/projects/soc2008/trasz_nfs4acl/share/man/man4/ipsec.4#2 (text+ko) ==== @@ -27,9 +27,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.22 2007/08/05 16:16:14 bz Exp $ +.\" $FreeBSD: src/share/man/man4/ipsec.4,v 1.23 2009/05/23 16:42:38 bz Exp $ .\" -.Dd August 5, 2007 +.Dd May 23, 2009 .Dt IPSEC 4 .Os .Sh NAME @@ -37,7 +37,6 @@ .Nd Internet Protocol Security protocol .Sh SYNOPSIS .Cd "options IPSEC" -.Cd "options IPSEC_FILTERTUNNEL" .Cd "device crypto" .Pp .In sys/types.h @@ -88,9 +87,12 @@ .Pp To properly filter on the inner packets of an .Nm -tunnel with firewalls, add -.Cd "options IPSEC_FILTERTUNNEL" -to the kernel configuration file. +tunnel with firewalls, you can change the values of the following sysctls +.Bl -column net.inet6.ipsec6.filtertunnel default enable +.It Sy "Name Default Enable" +.It net.inet.ipsec.filtertunnel 0 1 +.It net.inet6.ipsec6.filtertunnel 0 1 +.El .\" .Ss Kernel interface .Nm ==== //depot/projects/soc2008/trasz_nfs4acl/sys/conf/NOTES#32 (text+ko) ==== @@ -1,4 +1,4 @@ -# $FreeBSD: src/sys/conf/NOTES,v 1.1538 2009/05/10 00:00:25 kuriyama Exp $ +# $FreeBSD: src/sys/conf/NOTES,v 1.1539 2009/05/23 16:42:38 bz Exp $ # # NOTES -- Lines that can be cut/pasted into kernel and hints configs. # 
@@ -524,9 +524,10 @@ options IPSEC #IP security (requires device crypto) #options IPSEC_DEBUG #debug for IP security # -# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel -# to be processed by any configured packet filtering twice. -# The default is that packets coming out of a tunnel are _not_ processed; +# #DEPRECATED# +# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets +# coming through a tunnel to be processed by any configured packet filtering +# twice. The default is that packets coming out of a tunnel are _not_ processed; # they are assumed trusted. # # IPSEC history is preserved for such packets, and can be filtered ==== //depot/projects/soc2008/trasz_nfs4acl/sys/kern/kern_jail.c#18 (text+ko) ==== @@ -27,7 +27,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.100 2009/05/08 14:11:06 zec Exp $"); +__FBSDID("$FreeBSD: src/sys/kern/kern_jail.c,v 1.101 2009/05/23 16:13:26 jamie Exp $"); #include "opt_ddb.h" #include "opt_inet.h" @@ -1196,14 +1196,6 @@ if (flags & ~JAIL_GET_MASK) return (EINVAL); - if (jailed(td->td_ucred)) { - /* - * Don't allow a jailed process to see any jails, - * not even its own. - */ - vfs_opterror(opts, "jail not found"); - return (ENOENT); - } /* Get the parameter list. */ error = vfs_buildopts(optuio, &opts); @@ -1211,6 +1203,12 @@ return (error); errmsg_pos = vfs_getopt_pos(opts, "errmsg"); + /* Don't allow a jailed process to see any jails, not even its own. */ + if (jailed(td->td_ucred)) { + vfs_opterror(opts, "jail not found"); + return (ENOENT); + } + /* * Find the prison specified by one of: lastjid, jid, name. */ ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/ip_ipsec.c#9 (text+ko) ==== @@ -28,7 +28,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/netinet/ip_ipsec.c,v 1.17 2009/04/28 11:10:33 trasz Exp $"); +__FBSDID("$FreeBSD: src/sys/netinet/ip_ipsec.c,v 1.18 2009/05/23 16:42:38 bz Exp $"); #include "opt_ipsec.h" #include "opt_sctp.h" 
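Review bot: The relocated jailed() check in the kern_jail.c hunk still uses a bare `return (ENOENT);`, but it now runs after vfs_buildopts() has allocated opts, so that allocation is not released on this path and the "jail not found" text stored with vfs_opterror() is never copied back into the errmsg option located by the vfs_getopt_pos() call just above it. If the function has a common error exit that frees opts and copies errmsg out (it lies outside this hunk, so I cannot confirm it), the check should set `error = ENOENT;` and jump to that label rather than returning directly. Moving the check past option parsing only helps if the caller can actually observe the message. The enclosing function starts and ends outside the hunk.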
@@ -71,6 +71,10 @@
 extern struct protosw inetsw[];
+#ifdef VIMAGE_GLOBALS
+int ip4_ipsec_filtertunnel;
+#endif
+
 /*
 * Check if we have to jump over firewall processing for this packet.
 * Called from ip_input().
@@ -79,11 +83,14 @@
 int
 ip_ipsec_filtertunnel(struct mbuf *m)
 {
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
 /*
 * Bypass packet filtering for packets from a tunnel.
 */
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip4_ipsec_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
 return 1;
 #endif
 return 0;
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/tcp_subr.c#21 (text+ko) ====
@@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet/tcp_subr.c,v 1.340 2009/04/30 13:36:26 zec Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet/tcp_subr.c,v 1.341 2009/05/23 17:02:30 bz Exp $");
 #include "opt_compat.h"
 #include "opt_inet.h"
@@ -373,7 +373,7 @@
 &V_tcbinfo.ipi_hashmask);
 V_tcbinfo.ipi_porthashbase = hashinit(hashsize, M_PCB,
 &V_tcbinfo.ipi_porthashmask);
- V_tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
+ V_tcbinfo.ipi_zone = uma_zcreate("tcp_inpcb", sizeof(struct inpcb),
 NULL, NULL, tcp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
 uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
 /*
==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_usrreq.c#21 (text+ko) ====
@@ -32,7 +32,7 @@
 */
 #include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/sys/netinet/udp_usrreq.c,v 1.253 2009/04/30 13:36:26 zec Exp $");
+__FBSDID("$FreeBSD: src/sys/netinet/udp_usrreq.c,v 1.254 2009/05/23 16:51:13 bz Exp $");
 #include "opt_ipfw.h"
 #include "opt_inet6.h"
@@ -137,6 +137,7 @@
 #ifdef VIMAGE_GLOBALS
 struct inpcbhead udb; /* from udp_var.h */
 struct inpcbinfo udbinfo;
+static uma_zone_t udpcb_zone;
 struct udpstat udpstat; /* from udp_var.h */
 #endif
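Review bot: The comment `/* Bypass packet filtering for packets from a tunnel. */` in ip_ipsec_filtertunnel no longer states the condition, since the bypass is now skipped whenever the per-vnet V_ip4_ipsec_filtertunnel knob is set; suggest `/* Bypass packet filtering for packets from a tunnel unless the net.inet.ipsec.filtertunnel sysctl is set. */`, and the same wording with net.inet6.ipsec6.filtertunnel for ip6_ipsec_filtertunnel in the ip6_ipsec.c hunk further down. Because the knob is initialised to 0 when IPSEC_FILTERTUNNEL is not defined (see the ipsec.c hunks on this page), the existing behaviour — inner tunnel packets skip the firewall and are treated as trusted — is unchanged unless an administrator opts in, which is worth saying in that comment so the security implication of the default is visible at the check itself.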
@@ -158,6 +159,7 @@ INIT_VNET_INET(curvnet); uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets); + uma_zone_set_max(V_udpcb_zone, maxsockets); } static int @@ -187,13 +189,39 @@ &V_udbinfo.ipi_hashmask); V_udbinfo.ipi_porthashbase = hashinit(UDBHASHSIZE, M_PCB, &V_udbinfo.ipi_porthashmask); - V_udbinfo.ipi_zone = uma_zcreate("udpcb", sizeof(struct inpcb), NULL, - NULL, udp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); + V_udbinfo.ipi_zone = uma_zcreate("udp_inpcb", sizeof(struct inpcb), + NULL, NULL, udp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); uma_zone_set_max(V_udbinfo.ipi_zone, maxsockets); + + V_udpcb_zone = uma_zcreate("udpcb", sizeof(struct udpcb), + NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE); + uma_zone_set_max(V_udpcb_zone, maxsockets); + EVENTHANDLER_REGISTER(maxsockets_change, udp_zone_change, NULL, EVENTHANDLER_PRI_ANY); } +int +udp_newudpcb(struct inpcb *inp) +{ + INIT_VNET_INET(curvnet); + struct udpcb *up; + + up = uma_zalloc(V_udpcb_zone, M_NOWAIT | M_ZERO); + if (up == NULL) + return (ENOBUFS); + inp->inp_ppcb = up; + return (0); +} + +void +udp_discardcb(struct udpcb *up) +{ + INIT_VNET_INET(curvnet); + + uma_zfree(V_udpcb_zone, up); +} + /* * Subroutine of udp_input(), which appends the provided mbuf chain to the * passed pcb/socket. The caller must provide a sockaddr_in via udp_in that @@ -272,6 +300,7 @@ struct udphdr *uh; struct ifnet *ifp; struct inpcb *inp; + struct udpcb *up; int len; struct ip save_ip; struct sockaddr_in udp_in; 
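Review bot: udp_newudpcb() and udp_discardcb() are new exported functions (prototyped in the udp_var.h hunk) with no header comment; suggest above udp_newudpcb `/* Allocate a zeroed udpcb for inp and attach it as inp->inp_ppcb; allocation is M_NOWAIT, so the caller must handle ENOBUFS. */` and above udp_discardcb `/* Return a udpcb to its zone; the caller should have cleared inp_ppcb first. */`. The udp_input paths in the following hunks dereference intoudpcb() without a NULL check, which relies on every inpcb in V_udbinfo having passed through a successful udp_newudpcb() in udp_attach — that invariant belongs in the udp_newudpcb comment as well. The udp_init() body that the first part of this hunk edits starts outside the hunk.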
@@ -455,28 +484,25 @@ struct mbuf *n; n = m_copy(m, 0, M_COPYALL); - if (last->inp_ppcb == NULL) { + up = intoudpcb(last); + if (up->u_tun_func == NULL) { if (n != NULL) udp_append(last, ip, n, iphlen + sizeof(struct udphdr), &udp_in); - INP_RUNLOCK(last); } else { /* * Engage the tunneling protocol we * will have to leave the info_lock * up, since we are hunting through * multiple UDP's. - * */ - udp_tun_func_t tunnel_func; - tunnel_func = (udp_tun_func_t)last->inp_ppcb; - tunnel_func(n, iphlen, last); - INP_RUNLOCK(last); + (*up->u_tun_func)(n, iphlen, last); } + INP_RUNLOCK(last); } last = inp; /* @@ -501,22 +527,18 @@ UDPSTAT_INC(udps_noportbcast); goto badheadlocked; } - if (last->inp_ppcb == NULL) { + up = intoudpcb(last); + if (up->u_tun_func == NULL) { udp_append(last, ip, m, iphlen + sizeof(struct udphdr), &udp_in); - INP_RUNLOCK(last); - INP_INFO_RUNLOCK(&V_udbinfo); } else { /* * Engage the tunneling protocol. */ - udp_tun_func_t tunnel_func; - - tunnel_func = (udp_tun_func_t)last->inp_ppcb; - tunnel_func(m, iphlen, last); - INP_RUNLOCK(last); - INP_INFO_RUNLOCK(&V_udbinfo); + (*up->u_tun_func)(m, iphlen, last); } + INP_RUNLOCK(last); + INP_INFO_RUNLOCK(&V_udbinfo); return; } @@ -560,18 +582,16 @@ INP_RUNLOCK(inp); goto badunlocked; } - if (inp->inp_ppcb != NULL) { + up = intoudpcb(inp); + if (up->u_tun_func == NULL) { + udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in); + } else { /* * Engage the tunneling protocol. */ - udp_tun_func_t tunnel_func; - tunnel_func = (udp_tun_func_t)inp->inp_ppcb; - tunnel_func(m, iphlen, inp); - INP_RUNLOCK(inp); - return; + (*up->u_tun_func)(m, iphlen, inp); } - udp_append(inp, ip, m, iphlen + sizeof(struct udphdr), &udp_in); INP_RUNLOCK(inp); return; 
@@ -1142,18 +1162,19 @@ } inp = (struct inpcb *)so->so_pcb; - INP_INFO_WUNLOCK(&V_udbinfo); inp->inp_vflag |= INP_IPV4; inp->inp_ip_ttl = V_ip_defttl; - /* - * UDP does not have a per-protocol pcb (inp->inp_ppcb). - * We use this pointer for kernel tunneling pointer. - * If we ever need to have a protocol block we will - * need to move this function pointer there. Null - * in this pointer means "do the normal thing". - */ - inp->inp_ppcb = NULL; + + error = udp_newudpcb(inp); + if (error) { + in_pcbdetach(inp); + in_pcbfree(inp); + INP_INFO_WUNLOCK(&V_udbinfo); + return (error); + } + INP_WUNLOCK(inp); + INP_INFO_WUNLOCK(&V_udbinfo); return (0); } @@ -1161,24 +1182,26 @@ udp_set_kernel_tunneling(struct socket *so, udp_tun_func_t f) { struct inpcb *inp; + struct udpcb *up; - inp = (struct inpcb *)so->so_pcb; KASSERT(so->so_type == SOCK_DGRAM, ("udp_set_kernel_tunneling: !dgram")); KASSERT(so->so_pcb != NULL, ("udp_set_kernel_tunneling: NULL inp")); if (so->so_type != SOCK_DGRAM) { /* Not UDP socket... sorry! */ return (ENOTSUP); } + inp = (struct inpcb *)so->so_pcb; if (inp == NULL) { /* NULL INP? */ return (EINVAL); } INP_WLOCK(inp); - if (inp->inp_ppcb != NULL) { + up = intoudpcb(inp); + if (up->u_tun_func != NULL) { INP_WUNLOCK(inp); return (EBUSY); } - inp->inp_ppcb = f; + up->u_tun_func = f; INP_WUNLOCK(inp); return (0); } @@ -1256,6 +1279,7 @@ { INIT_VNET_INET(so->so_vnet); struct inpcb *inp; + struct udpcb *up; inp = sotoinpcb(so); KASSERT(inp != NULL, ("udp_detach: inp == NULL")); @@ -1263,9 +1287,13 @@ ("udp_detach: not disconnected")); INP_INFO_WLOCK(&V_udbinfo); INP_WLOCK(inp); + up = intoudpcb(inp); + KASSERT(up != NULL, ("%s: up == NULL", __func__)); + inp->inp_ppcb = NULL; in_pcbdetach(inp); in_pcbfree(inp); INP_INFO_WUNLOCK(&V_udbinfo); + udp_discardcb(up); } static int ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/udp_var.h#5 (text+ko) ==== 
@@ -28,7 +28,7 @@ * SUCH DAMAGE. * * @(#)udp_var.h 8.1 (Berkeley) 6/10/93 - * $FreeBSD: src/sys/netinet/udp_var.h,v 1.36 2009/04/12 11:42:40 rwatson Exp $ + * $FreeBSD: src/sys/netinet/udp_var.h,v 1.37 2009/05/23 16:51:13 bz Exp $ */ #ifndef _NETINET_UDP_VAR_H_ @@ -51,6 +51,19 @@ #define ui_ulen ui_u.uh_ulen #define ui_sum ui_u.uh_sum +typedef void(*udp_tun_func_t)(struct mbuf *, int off, struct inpcb *); + +/* + * UDP control block; one per udp. + */ +struct udpcb { + udp_tun_func_t u_tun_func; /* UDP kernel tunneling callback. */ + u_int u_flags; /* Generic UDP flags. */ +}; + +#define intoudpcb(ip) ((struct udpcb *)(ip)->inp_ppcb) +#define sotoudpcb(so) (intoudpcb(sotoinpcb(so))) + struct udpstat { /* input statistics: */ u_long udps_ipackets; /* total input packets */ @@ -110,14 +123,15 @@ extern u_long udp_recvspace; extern int udp_log_in_vain; +int udp_newudpcb(struct inpcb *); +void udp_discardcb(struct udpcb *); + void udp_ctlinput(int, struct sockaddr *, void *); void udp_init(void); void udp_input(struct mbuf *, int); struct inpcb *udp_notify(struct inpcb *inp, int errno); int udp_shutdown(struct socket *so); - -typedef void(*udp_tun_func_t)(struct mbuf *, int off, struct inpcb *); int udp_set_kernel_tunneling(struct socket *so, udp_tun_func_t f); #endif ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet/vinet.h#11 (text+ko) ==== @@ -27,7 +27,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/netinet/vinet.h,v 1.15 2009/05/02 08:16:26 zec Exp $ + * $FreeBSD: src/sys/netinet/vinet.h,v 1.16 2009/05/23 16:51:13 bz Exp $ */ #ifndef _NETINET_VINET_H_ @@ -149,6 +149,7 @@ struct inpcbhead _udb; struct inpcbinfo _udbinfo; + uma_zone_t _udpcb_zone; struct udpstat _udpstat; int _udp_blackhole; 
@@ -373,6 +374,7 @@ #define V_twq_2msl VNET_INET(twq_2msl) #define V_udb VNET_INET(udb) #define V_udbinfo VNET_INET(udbinfo) +#define V_udpcb_zone VNET_INET(udpcb_zone) #define V_udp_blackhole VNET_INET(udp_blackhole) #define V_udpstat VNET_INET(udpstat) #define V_useloopback VNET_INET(useloopback) ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/ip6_ipsec.c#7 (text+ko) ==== @@ -28,7 +28,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/netinet6/ip6_ipsec.c,v 1.15 2009/02/08 09:27:07 bz Exp $"); +__FBSDID("$FreeBSD: src/sys/netinet6/ip6_ipsec.c,v 1.16 2009/05/23 16:42:38 bz Exp $"); #include "opt_ipsec.h" @@ -76,6 +76,10 @@ extern struct protosw inet6sw[]; +#ifdef VIMAGE_GLOBALS +int ip6_ipsec6_filtertunnel; +#endif + /* * Check if we have to jump over firewall processing for this packet. * Called from ip_input(). @@ -84,11 +88,14 @@ int ip6_ipsec_filtertunnel(struct mbuf *m) { -#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL) +#if defined(IPSEC) + INIT_VNET_IPSEC(curvnet); + /* * Bypass packet filtering for packets from a tunnel. */ - if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) + if (!V_ip6_ipsec6_filtertunnel && + m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL) return 1; #endif return 0; ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netinet6/udp6_usrreq.c#17 (text+ko) ==== @@ -63,7 +63,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/netinet6/udp6_usrreq.c,v 1.110 2009/05/01 11:05:24 bms Exp $"); +__FBSDID("$FreeBSD: src/sys/netinet6/udp6_usrreq.c,v 1.111 2009/05/23 16:51:13 bz Exp $"); #include "opt_inet.h" #include "opt_inet6.h" @@ -181,6 +181,7 @@ struct ip6_hdr *ip6; struct udphdr *uh; struct inpcb *inp; + struct udpcb *up; int off = *offp; int plen, ulen; struct sockaddr_in6 fromsa; 
@@ -315,7 +316,10 @@ if ((n = m_copy(m, 0, M_COPYALL)) != NULL) { INP_RLOCK(last); - if (last->inp_ppcb != NULL) { + up = intoudpcb(last); + if (up->u_tun_func == NULL) { + udp6_append(last, n, off, &fromsa); + } else { /* * Engage the tunneling * protocol we will have to @@ -324,15 +328,9 @@ * through multiple UDP's. * */ - udp_tun_func_t tunnel_func; - - tunnel_func = (udp_tun_func_t)last->inp_ppcb; - tunnel_func(n, off, last); - INP_RUNLOCK(last); - } else { - udp6_append(last, n, off, &fromsa); - INP_RUNLOCK(last); + (*up->u_tun_func)(n, off, last); } + INP_RUNLOCK(last); } } last = inp; @@ -361,18 +359,15 @@ } INP_RLOCK(last); INP_INFO_RUNLOCK(&V_udbinfo); - if (last->inp_ppcb != NULL) { + up = intoudpcb(last); + if (up->u_tun_func == NULL) { + udp6_append(last, m, off, &fromsa); + } else { /* * Engage the tunneling protocol. */ - udp_tun_func_t tunnel_func; - - tunnel_func = (udp_tun_func_t)inp->inp_ppcb; - tunnel_func(m, off, last); - INP_RUNLOCK(last); - return (IPPROTO_DONE); + (*up->u_tun_func)(m, off, last); } - udp6_append(last, m, off, &fromsa); INP_RUNLOCK(last); return (IPPROTO_DONE); } @@ -409,18 +404,16 @@ } INP_RLOCK(inp); INP_INFO_RUNLOCK(&V_udbinfo); - if (inp->inp_ppcb != NULL) { + up = intoudpcb(inp); + if (up->u_tun_func == NULL) { + udp6_append(inp, m, off, &fromsa); + } else { /* * Engage the tunneling protocol. */ - udp_tun_func_t tunnel_func; - tunnel_func = (udp_tun_func_t)inp->inp_ppcb; - tunnel_func(m, off, inp); - INP_RUNLOCK(inp); - return (IPPROTO_DONE); + (*up->u_tun_func)(m, off, inp); } - udp6_append(inp, m, off, &fromsa); INP_RUNLOCK(inp); return (IPPROTO_DONE); @@ -820,7 +813,6 @@ return (error); } inp = (struct inpcb *)so->so_pcb; - INP_INFO_WUNLOCK(&V_udbinfo); inp->inp_vflag |= INP_IPV6; if ((inp->inp_flags & IN6P_IPV6_V6ONLY) == 0) inp->inp_vflag |= INP_IPV4; 
@@ -833,7 +825,16 @@ * which may match an IPv4-mapped IPv6 address. */ inp->inp_ip_ttl = V_ip_defttl; + + error = udp_newudpcb(inp); + if (error) { + in_pcbdetach(inp); + in_pcbfree(inp); + INP_INFO_WUNLOCK(&V_udbinfo); + return (error); + } INP_WUNLOCK(inp); + INP_INFO_WUNLOCK(&V_udbinfo); return (0); } @@ -968,15 +969,19 @@ { INIT_VNET_INET(so->so_vnet); struct inpcb *inp; + struct udpcb *up; inp = sotoinpcb(so); KASSERT(inp != NULL, ("udp6_detach: inp == NULL")); INP_INFO_WLOCK(&V_udbinfo); INP_WLOCK(inp); + up = intoudpcb(inp); + KASSERT(up != NULL, ("%s: up == NULL", __func__)); in_pcbdetach(inp); in_pcbfree(inp); INP_INFO_WUNLOCK(&V_udbinfo); + udp_discardcb(up); } static int ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.c#14 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.49 2009/04/30 13:36:26 zec Exp $ */ +/* $FreeBSD: src/sys/netipsec/ipsec.c,v 1.50 2009/05/23 16:42:38 bz Exp $ */ /* $KAME: ipsec.c,v 1.103 2001/05/24 07:14:18 sakane Exp $ */ /*- @@ -167,6 +167,9 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, "IPsec IPv4 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, + filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0, + "If set filter packets from an IPsec tunnel."); #ifdef REGRESSION #ifdef VIMAGE_GLOBALS @@ -228,6 +231,9 @@ SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, "IPsec IPv6 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO, + filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0, + "If set filter packets from an IPsec tunnel."); #endif /* INET6 */ static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *)); 
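Review bot: udp6_detach frees the udpcb via udp_discardcb() but, unlike udp_detach in the udp_usrreq.c hunk earlier on this page, never clears `inp->inp_ppcb` first, so the inpcb handed to in_pcbdetach()/in_pcbfree() still carries a pointer to a block that is returned to the zone a few lines later. Add `inp->inp_ppcb = NULL;` directly after the `KASSERT(up != NULL, ...)` line, while INP_WLOCK is still held, to mirror the IPv4 path. Whether anything reads inp_ppcb between in_pcbfree() and udp_discardcb() cannot be confirmed from here, but keeping the two detach paths identical removes the question.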
@@ -273,6 +279,11 @@ V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ V_ip4_esp_randpad = -1; +#ifdef IPSEC_FILTERTUNNEL + V_ip4_ipsec_filtertunnel = 1; +#else + V_ip4_ipsec_filtertunnel = 0; +#endif V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; @@ -287,6 +298,11 @@ V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ +#ifdef IPSEC_FILTERTUNNEL + V_ip6_ipsec6_filtertunnel = 1; +#else + V_ip6_ipsec6_filtertunnel = 0; +#endif #endif } ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec.h#9 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.23 2009/02/08 09:27:07 bz Exp $ */ +/* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.24 2009/05/23 16:42:38 bz Exp $ */ /* $KAME: ipsec.h,v 1.53 2001/11/20 08:32:38 itojun Exp $ */ /*- @@ -348,6 +348,7 @@ extern int ip4_ah_offsetmask; extern int ip4_ipsec_dfbit; extern int ip4_ipsec_ecn; +extern int ip4_ipsec_filtertunnel; extern int ip4_esp_randpad; extern int crypto_support; ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/ipsec6.h#5 (text+ko) ==== @@ -1,4 +1,4 @@ -/* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.7 2009/02/08 09:27:07 bz Exp $ */ +/* $FreeBSD: src/sys/netipsec/ipsec6.h,v 1.8 2009/05/23 16:42:38 bz Exp $ */ /* $KAME: ipsec.h,v 1.44 2001/03/23 08:08:47 itojun Exp $ */ /*- @@ -47,6 +47,7 @@ extern int ip6_ah_trans_deflev; extern int ip6_ah_net_deflev; extern int ip6_ipsec_ecn; +extern int ip6_ipsec6_filtertunnel; struct inpcb; ==== //depot/projects/soc2008/trasz_nfs4acl/sys/netipsec/vipsec.h#7 (text+ko) ==== @@ -27,7 +27,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/netipsec/vipsec.h,v 1.8 2009/05/02 08:16:26 zec Exp $ + * $FreeBSD: src/sys/netipsec/vipsec.h,v 1.9 2009/05/23 16:42:38 bz Exp $ */ #ifndef _NETIPSEC_VIPSEC_H_ 
@@ -57,6 +57,7 @@ int _ip4_ah_offsetmask; int _ip4_ipsec_dfbit; int _ip4_ipsec_ecn; + int _ip4_ipsec_filtertunnel; int _ip4_esp_randpad; int _ipsec_replay; @@ -90,6 +91,7 @@ int _ip6_ah_trans_deflev; int _ip6_ah_net_deflev; int _ip6_ipsec_ecn; + int _ip6_ipsec6_filtertunnel; int _ah_enable; int _ah_cleartos; @@ -142,12 +144,14 @@ #define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev) #define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn) +#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel) #define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) #define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) #define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) #define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) #define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) #define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) +#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel) #define V_ipcomp_enable VNET_IPSEC(ipcomp_enable) #define V_ipcompstat VNET_IPSEC(ipcompstat) #define V_ipip_allow VNET_IPSEC(ipip_allow) ==== //depot/projects/soc2008/trasz_nfs4acl/sys/nfsclient/bootp_subr.c#8 (text+ko) ==== @@ -41,7 +41,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/sys/nfsclient/bootp_subr.c,v 1.78 2009/05/23 00:07:55 bz Exp $"); +__FBSDID("$FreeBSD: src/sys/nfsclient/bootp_subr.c,v 1.79 2009/05/23 16:27:42 bz Exp $"); #include "opt_route.h" #include "opt_bootp.h" @@ -359,6 +359,7 @@ void bootpboot_p_rtlist(void) { + INIT_VNET_NET(curvnet); printf("Routing table:\n"); RADIX_NODE_HEAD_RLOCK(V_rt_tables[0][AF_INET]); /* could sleep XXX */ @@ -383,6 +384,7 @@ void bootpboot_p_iflist(void) { + INIT_VNET_NET(curvnet); struct ifnet *ifp; struct ifaddr *ifa; 
@@ -1592,6 +1594,7 @@ void bootpc_init(void) { + INIT_VNET_NET(curvnet); struct bootpc_ifcontext *ifctx, *nctx; /* Interface BOOTP contexts */ struct bootpc_globalcontext *gctx; /* Global BOOTP context */ struct ifnet *ifp; ==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/acl.h#36 (text+ko) ==== @@ -1,5 +1,6 @@ /*- * Copyright (c) 1999-2001 Robert N. M. Watson + * Copyright (c) 2008 Edward Tomasz NapieraĆa <trasz@FreeBSD.org> * All rights reserved. * * This software was developed by Robert Watson for the TrustedBSD Project. @@ -25,7 +26,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/sys/sys/acl.h,v 1.32 2009/05/22 15:56:43 trasz Exp $ + * $FreeBSD: src/sys/sys/acl.h,v 1.33 2009/05/23 17:09:47 trasz Exp $ */ /* * Developed by the TrustedBSD Project. @@ -40,7 +41,7 @@ #include <vm/uma.h> /* - * POSIX.1e ACL types and related constants. + * POSIX.1e and NFSv4 ACL types and related constants. */ typedef uint32_t acl_tag_t; @@ -53,7 +54,7 @@ /* * With 254 entries, "struct acl_t_struct" is exactly one 4kB page big. - * Note that with NFS4 ACLs, the maximum number of ACL entries one + * Note that with NFSv4 ACLs, the maximum number of ACL entries one * may set on file or directory is about half of ACL_MAX_ENTRIES. * * If you increase this, you might also need to increase @@ -110,7 +111,7 @@ /* * Internal ACL structure, used in libc, kernel APIs and for on-disk - * storage of NFS4 ACLs. POSIX.1e ACLs use "struct oldacl" for on-disk + * storage of NFSv4 ACLs. POSIX.1e ACLs use "struct oldacl" for on-disk * storage. */ struct acl { @@ -167,7 +168,7 @@ #define ACL_EVERYONE 0x00000040 /* - * Possible valid values for ae_entry_type field. + * Possible valid values for ae_entry_type field, valid only for NFSv4 ACLs. */ #define ACL_ENTRY_TYPE_ALLOW 0x0100 #define ACL_ENTRY_TYPE_DENY 0x0200 
@@ -185,7 +186,7 @@ #define ACL_TYPE_NFS4 0x00000004 /* - * Possible flags in ae_perm field for POSIX.1e ACLs. Note + * Possible bits in ae_perm field for POSIX.1e ACLs. Note * that ACL_EXECUTE may be used in both NFSv4 and POSIX.1e ACLs. */ #define ACL_EXECUTE 0x0001 @@ -196,25 +197,25 @@ #define ACL_POSIX1E_BITS (ACL_EXECUTE | ACL_WRITE | ACL_READ) /* - * Possible flags in ae_perm field for NFSv4 ACLs. + * Possible bits in ae_perm field for NFSv4 ACLs. */ -#define ACL_READ_DATA 0x00000020 -#define ACL_LIST_DIRECTORY 0x00000020 -#define ACL_WRITE_DATA 0x00000040 -#define ACL_ADD_FILE 0x00000040 -#define ACL_APPEND_DATA 0x00000080 -#define ACL_ADD_SUBDIRECTORY 0x00000080 -#define ACL_READ_NAMED_ATTRS 0x00000100 -#define ACL_WRITE_NAMED_ATTRS 0x00000200 +#define ACL_READ_DATA 0x00000008 +#define ACL_LIST_DIRECTORY 0x00000008 +#define ACL_WRITE_DATA 0x00000010 +#define ACL_ADD_FILE 0x00000010 +#define ACL_APPEND_DATA 0x00000020 +#define ACL_ADD_SUBDIRECTORY 0x00000020 +#define ACL_READ_NAMED_ATTRS 0x00000040 +#define ACL_WRITE_NAMED_ATTRS 0x00000080 /* ACL_EXECUTE is defined above. */ -#define ACL_DELETE_CHILD 0x00000400 -#define ACL_READ_ATTRIBUTES 0x00000800 -#define ACL_WRITE_ATTRIBUTES 0x00001000 -#define ACL_DELETE 0x00002000 -#define ACL_READ_ACL 0x00004000 -#define ACL_WRITE_ACL 0x00008000 -#define ACL_WRITE_OWNER 0x00010000 -#define ACL_SYNCHRONIZE 0x00020000 +#define ACL_DELETE_CHILD 0x00000100 +#define ACL_READ_ATTRIBUTES 0x00000200 +#define ACL_WRITE_ATTRIBUTES 0x00000400 +#define ACL_DELETE 0x00000800 +#define ACL_READ_ACL 0x00001000 +#define ACL_WRITE_ACL 0x00002000 +#define ACL_WRITE_OWNER 0x00004000 +#define ACL_SYNCHRONIZE 0x00008000 #define ACL_NFS4_PERM_BITS (ACL_READ_DATA | ACL_WRITE_DATA | \ ACL_APPEND_DATA | ACL_READ_NAMED_ATTRS | ACL_WRITE_NAMED_ATTRS | \ 
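Review bot: This hunk renumbers every NFSv4 ae_perm bit (ACL_READ_DATA moves from 0x00000020 to 0x00000008 and so on down the list), while the comment on struct acl in the previous hunk says the structure is used for on-disk storage of NFSv4 ACLs; any ACL already written with the old values would now decode with shifted meaning (an old ACL_READ_DATA bit reads as the new ACL_APPEND_DATA). If no filesystem has shipped with the old layout this is harmless, but the values deserve a comment pinning them, e.g. `/* These bit values are part of the on-disk NFSv4 ACL format; do not renumber. */`. The new layout does keep the NFSv4 bits disjoint from ACL_EXECUTE (0x0001), which the comment above says is shared between both ACL types.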
@@ -266,6 +267,7 @@ #define ACL_PRESERVE_MASK (~ACL_OVERRIDE_MASK) #ifdef _KERNEL + /* * Filesystem-independent code to move back and forth between POSIX mode and * POSIX.1e ACL representations. ==== //depot/projects/soc2008/trasz_nfs4acl/sys/sys/param.h#25 (text+ko) ==== >>> TRUNCATED FOR MAIL (1000 lines) <<<