deprecate sysctl net.inet.{etherip,gre,mobileip}.allow


deprecate sysctl net.inet.{etherip,gre,mobileip}.allow

David Gwynne-5
i dont understand the usefulness of the sysctls to turn etherip,
gre, and mobileip handling on. if you arent going to handle etherip,
gre, or mobileip, just dont create interfaces to handle them.

For now, this stubs out the sysctls: userland can still read
net.inet.{etherip,gre,mobileip}.allow and always sees 1, but the value is
read-only and the kernel no longer consults it on the input or output paths.

ok?

Index: if_gre.c
===================================================================
RCS file: /cvs/src/sys/net/if_gre.c,v
retrieving revision 1.100
diff -u -p -r1.100 if_gre.c
--- if_gre.c 12 Feb 2018 03:15:32 -0000 1.100
+++ if_gre.c 14 Feb 2018 08:02:30 -0000
@@ -288,7 +288,6 @@ struct gre_list egre_list = TAILQ_HEAD_I
  * allowed as well.
  *
  */
-int gre_allow = 0;
 int gre_wccp = 0;
 
 void
@@ -495,9 +494,6 @@ gre_input_key(struct mbuf **mp, int *off
  int mcast = 0;
  int ttloff;
 
- if (!gre_allow)
- goto decline;
-
  hlen = iphlen + sizeof(*gh);
  if (m->m_pkthdr.len < hlen)
  goto decline;
@@ -555,7 +551,11 @@ gre_input_key(struct mbuf **mp, int *off
  key->t_rtableid = m->m_pkthdr.ph_rtableid;
 
  switch (gh->gre_proto) {
- case htons(GRE_WCCP):
+ case htons(GRE_WCCP): {
+ struct mbuf *n;
+ int off;
+ uint8_t v;
+
  /* WCCP/GRE:
  *   So far as I can see (and test) it seems that Cisco's WCCP
  *   GRE tunnel is precisely a IP-in-GRE tunnel that differs
@@ -569,11 +569,19 @@ gre_input_key(struct mbuf **mp, int *off
  *   So yes, we're doing a fall-through (unless, of course,
  *   net.inet.gre.wccp is 0).
  */
+
+ n = m_getptr(m, hlen, &off);
+ if (n == NULL)
+ goto decline;
+
+ v = n->m_data[off];
+ if (v >> 4 != IPVERSION)
+ hlen += sizeof(gre_wccp);
+
  switch (gre_wccp) {
  case 1:
  break;
  case 2:
- hlen += sizeof(gre_wccp);
  break;
  case 0:
  default:
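Review bot: The IP-version peek at lines 66-72 runs before the `switch (gre_wccp)`, so the 4-byte redirect header is now skipped for `gre_wccp == 1` as well as `2`, whereas before only the value 2 skipped it; if collapsing the two values is intended, the comment block above (its head is outside the hunk) and the `net.inet.gre.wccp` documentation should say so, otherwise move the peek under `case 2:`. `sizeof(gre_wccp)` at line 72 is the size of an `int` standing in for the redirect-header length, which happens to be 4; a named constant such as `#define GRE_WCCP_HDRLEN 4` would make that intent explicit rather than coincidental. The peek itself looks bounded: `m_getptr` returns NULL when `hlen` is at or past the end of the chain and that path declines, so `n->m_data[off]` reads an in-range byte. The `case` block opened with `{` at line 53 closes outside the hunk.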
@@ -811,11 +819,6 @@ gre_output(struct ifnet *ifp, struct mbu
  struct m_tag *mtag;
  int error = 0;
 
- if (!gre_allow) {
- error = EACCES;
- goto drop;
- }
-
  if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
  error = ENETDOWN;
  goto drop;
@@ -964,9 +967,6 @@ egre_start(struct ifnet *ifp)
  caddr_t if_bpf;
 #endif
 
- if (!gre_allow)
- ifq_purge(&ifp->if_snd);
-
  while ((m0 = ifq_dequeue(&ifp->if_snd)) != NULL) {
 #if NBPFILTER > 0
  if_bpf = ifp->if_bpf;
@@ -1691,10 +1691,7 @@ gre_sysctl(int *name, u_int namelen, voi
 
  switch (name[0]) {
  case GRECTL_ALLOW:
- NET_LOCK();
- error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_allow);
- NET_UNLOCK();
- return (error);
+ return (sysctl_rdint(oldp, oldlenp, newp, 1));
  case GRECTL_WCCP:
  NET_LOCK();
  error = sysctl_int(oldp, oldlenp, newp, newlen, &gre_wccp);
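Review bot: `sysctl_rdint` at line 112 turns any write into an error (presumably EPERM), so a `net.inet.gre.allow=1` line in an existing sysctl.conf will now fail loudly at boot instead of being a harmless no-op; if this is meant to be a painless deprecation, consider tolerating a write of 1 for a release, e.g. `if (newp != NULL) return (0);` before the `sysctl_rdint` call, or at least call the change out in sysctl.conf(5) and gre(4). The same applies to the etherip and mobileip handlers in this diff. gre_sysctl's body continues outside the hunk.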
Index: if_etherip.c
===================================================================
RCS file: /cvs/src/sys/net/if_etherip.c,v
retrieving revision 1.35
diff -u -p -r1.35 if_etherip.c
--- if_etherip.c 12 Feb 2018 01:43:42 -0000 1.35
+++ if_etherip.c 14 Feb 2018 08:02:30 -0000
@@ -88,12 +88,6 @@ struct etherip_softc {
  uint8_t sc_ttl;
 };
 
-/*
- * We can control the acceptance of EtherIP packets by altering the sysctl
- * net.inet.etherip.allow value. Zero means drop them, all else is acceptance.
- */
-int etherip_allow = 0;
-
 struct cpumem *etheripcounters;
 
 void etheripattach(int);
@@ -547,11 +541,6 @@ etherip_input(struct etherip_tunnel *key
  struct ifnet *ifp;
  struct etherip_header *eip;
 
- if (!etherip_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0) {
- etheripstat_inc(etherips_pdrops);
- goto drop;
- }
-
  key->t_rtableid = m->m_pkthdr.ph_rtableid;
 
  NET_ASSERT_LOCKED();
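Review bot: Dropping the check at lines 140-143 changes the default from "accept EtherIP only when the outer packet carried `M_AUTH|M_CONF`, i.e. was processed by IPsec" to "accept cleartext EtherIP on any configured interface", so the sysctl was not merely an on/off switch but the default-deny that kept unauthenticated bridged Ethernet from being injected by anyone who can reach the tunnel endpoint address. If the knob goes, the IPsec-only default should survive in another form, for example keeping `if ((m->m_flags & (M_AUTH|M_CONF)) == 0) { etheripstat_inc(etherips_pdrops); goto drop; }` behind a per-interface option, or at minimum etherip(4) should state that the interface must be protected by pf or IPsec rules. etherip_input's body continues outside the hunk.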
@@ -696,10 +685,7 @@ etherip_sysctl(int *name, u_int namelen,
 
  switch (name[0]) {
  case ETHERIPCTL_ALLOW:
- NET_LOCK();
- error = sysctl_int(oldp, oldlenp, newp, newlen, &etherip_allow);
- NET_UNLOCK();
- return (error);
+ return (sysctl_rdint(oldp, oldlenp, newp, 1);
  case ETHERIPCTL_STATS:
  return (etherip_sysctl_etheripstat(oldp, oldlenp, newp));
  default:
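Review bot: Line 156 is missing a closing parenthesis: `return (sysctl_rdint(oldp, oldlenp, newp, 1);` will not compile; it should read `return (sysctl_rdint(oldp, oldlenp, newp, 1));` to match the gre and mobileip handlers in this diff. etherip_sysctl's body continues outside the hunk.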
Index: if_mobileip.c
===================================================================
RCS file: /cvs/src/sys/net/if_mobileip.c,v
retrieving revision 1.7
diff -u -p -r1.7 if_mobileip.c
--- if_mobileip.c 12 Feb 2018 02:55:40 -0000 1.7
+++ if_mobileip.c 14 Feb 2018 08:02:30 -0000
@@ -100,8 +100,6 @@ static struct mobileip_softc *
  * let's begin
  */
 
-int mobileip_allow = 0;
-
 void
 mobileipattach(int n)
 {
@@ -215,12 +213,6 @@ mobileip_output(struct ifnet *ifp, struc
  struct m_tag *mtag;
  int error = 0;
 
- if (!mobileip_allow) {
- m_freem(m);
- error = EACCES;
- goto end;
- }
-
  if (!ISSET(ifp->if_flags, IFF_RUNNING)) {
  m_freem(m);
  error = ENETDOWN;
@@ -540,9 +532,6 @@ mobileip_input(struct mbuf **mp, int *of
  int iphlen = 0;
  int hlen;
 
- if (!mobileip_allow)
- goto drop;
-
  ip = mtod(m, struct ip *);
 
  key.t_rtableid = m->m_pkthdr.ph_rtableid;
@@ -628,24 +617,13 @@ int
 mobileip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp,
     void *newp, size_t newlen)
 {
- int allow;
- int error;
-
  /* All sysctl names at this level are terminal. */
  if (namelen != 1)
  return (ENOTDIR);
 
  switch (name[0]) {
  case MOBILEIPCTL_ALLOW:
- allow = mobileip_allow;
-
- error = sysctl_int(oldp, oldlenp, newp, newlen,
-    &allow);
- if (error != 0)
- return (error);
-
- mobileip_allow = allow;
- break;
+ return (sysctl_rdint(oldp, oldlenp, newp, 1));
  default:
  return (ENOPROTOOPT);
  }
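Review bot: With both `case` labels at lines 211-223 now returning directly, whatever statement follows the `switch` (outside the hunk, previously reached via the removed `break;`) looks unreachable; if it is a bare `return (0);` it should be dropped so the function's shape matches gre_sysctl and readers are not misled into thinking a fall-through path exists. mobileip_sysctl's body continues outside the hunk.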


Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow

Stuart Henderson
On 2018/02/14 18:05, David Gwynne wrote:
> i dont understand the usefulness of the sysctls to turn etherip,
> gre, and mobileip handling on. if you arent going to handle etherip,
> gre, or mobileip, just dont create interfaces to handle them.
>
> for now, this dummies up handling of the sysctls by letting userland
> read that theyre allowed, but allow is readonly.

The etherip one is really an "allow unprotected etherip" switch: it gives a
foolproof way of ensuring EtherIP only works over IPsec by default (otherwise
you need to know about if-bound states in pf to get the same guarantee).


Re: deprecate sysctl net.inet.{etherip,gre,mobileip}.allow

David Gwynne-5

> On 14 Feb 2018, at 20:03, Stuart Henderson <[hidden email]> wrote:
>
> On 2018/02/14 18:05, David Gwynne wrote:
>> i dont understand the usefulness of the sysctls to turn etherip,
>> gre, and mobileip handling on. if you arent going to handle etherip,
>> gre, or mobileip, just dont create interfaces to handle them.
>>
>> for now, this dummies up handling of the sysctls by letting userland
>> read that theyre allowed, but allow is readonly.
>
> The etherip one is really "allow unprotected etherip" to give a foolproof
> way of ensuring it only works over ipsec by default. (otherwise you need
> to know about if-bound states in pf).

Grumble grumble. I'd argue there are similar concerns for traffic over vxlan, tun, and tap, but they lack such a magic sysctl.

ipsec.conf includes a "PACKET FILTERING" section that discusses this for ipencap, we could point etherip.4 at that or move this kind of into the pf.conf manpage.

another interesting idea would be to have tunnel interfaces take a "tagged" configuration option that would allow them to check that their encapsulated traffic has been tagged by some other subsystem, like ipsec or pf.

dlg