Index: head/sys/netinet/libalias/alias_sctp.c =================================================================== --- head/sys/netinet/libalias/alias_sctp.c +++ head/sys/netinet/libalias/alias_sctp.c @@ -367,44 +367,68 @@ SYSCTL_DECL(_net_inet_ip); SYSCTL_DECL(_net_inet_ip_alias); -static SYSCTL_NODE(_net_inet_ip_alias, OID_AUTO, sctp, CTLFLAG_RW, NULL, +static SYSCTL_NODE(_net_inet_ip_alias, OID_AUTO, sctp, + CTLFLAG_RW | CTLFLAG_MPSAFE, NULL, "SCTP NAT"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, log_level, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, log_level, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_log_level, 0, sysctl_chg_loglevel, "IU", "Level of detail (0 - default, 1 - event, 2 - info, 3 - detail, 4 - debug, 5 - max debug)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, init_timer, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, init_timer, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_init_timer, 0, sysctl_chg_timer, "IU", "Timeout value (s) while waiting for (INIT-ACK|AddIP-ACK)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, up_timer, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, up_timer, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_up_timer, 0, sysctl_chg_timer, "IU", "Timeout value (s) to keep an association up with no traffic"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, shutdown_timer, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, shutdown_timer, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_shutdown_timer, 0, sysctl_chg_timer, "IU", "Timeout value (s) while waiting for SHUTDOWN-COMPLETE"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, holddown_timer, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, holddown_timer, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_holddown_timer, 0, sysctl_chg_timer, "IU", "Hold association in table for this many seconds after receiving a SHUTDOWN-COMPLETE"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, hashtable_size, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, hashtable_size, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_hashtable_size, 0, sysctl_chg_hashtable_size, "IU", "Size of hash tables used for NAT lookups (100 < prime_number > 1000001)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, error_on_ootb, CTLTYPE_UINT | CTLFLAG_RW, +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, error_on_ootb, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_error_on_ootb, 0, sysctl_chg_error_on_ootb, "IU", - "ErrorM sent on receipt of ootb packet:\n\t0 - none,\n\t1 - to local only,\n\t2 - to local and global if a partial association match,\n\t3 - to local and global (DoS risk)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, accept_global_ootb_addip, CTLTYPE_UINT | CTLFLAG_RW, + "ErrorM sent on receipt of ootb packet:\n\t0 - none,\n" + "\t1 - to local only,\n" + "\t2 - to local and global if a partial association match,\n" + "\t3 - to local and global (DoS risk)"); +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, accept_global_ootb_addip, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_accept_global_ootb_addip, 0, sysctl_chg_accept_global_ootb_addip, "IU", - "NAT response to receipt of global OOTB AddIP:\n\t0 - No response,\n\t1 - NAT will accept OOTB global AddIP messages for processing (Security risk)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, initialising_chunk_proc_limit, CTLTYPE_UINT | CTLFLAG_RW, - &sysctl_initialising_chunk_proc_limit, 0, sysctl_chg_initialising_chunk_proc_limit, "IU", - "Number of chunks that should be processed if there is no current association found:\n\t > 0 (A high value is a DoS risk)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, chunk_proc_limit, CTLTYPE_UINT | CTLFLAG_RW, + "NAT response to receipt of global OOTB AddIP:\n" + "\t0 - No response,\n" + "\t1 - NAT will accept OOTB global AddIP messages for processing (Security risk)"); +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, initialising_chunk_proc_limit, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + &sysctl_initialising_chunk_proc_limit, 0, + sysctl_chg_initialising_chunk_proc_limit, "IU", + "Number of chunks that should be processed if there is no current " + "association found:\n\t > 0 (A high value is a DoS risk)"); +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, chunk_proc_limit, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_chunk_proc_limit, 0, sysctl_chg_chunk_proc_limit, "IU", - "Number of chunks that should be processed to find key chunk:\n\t>= initialising_chunk_proc_limit (A high value is a DoS risk)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, param_proc_limit, CTLTYPE_UINT | CTLFLAG_RW, + "Number of chunks that should be processed to find key chunk:\n" + "\t>= initialising_chunk_proc_limit (A high value is a DoS risk)"); +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, param_proc_limit, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_param_proc_limit, 0, sysctl_chg_param_proc_limit, "IU", - "Number of parameters (in a chunk) that should be processed to find key parameters:\n\t> 1 (A high value is a DoS risk)"); -SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, track_global_addresses, CTLTYPE_UINT | CTLFLAG_RW, + "Number of parameters (in a chunk) that should be processed to find key " + "parameters:\n\t> 1 (A high value is a DoS risk)"); +SYSCTL_PROC(_net_inet_ip_alias_sctp, OID_AUTO, track_global_addresses, + CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, &sysctl_track_global_addresses, 0, sysctl_chg_track_global_addresses, "IU", - "Configures the global address tracking option within the NAT:\n\t0 - Global tracking is disabled,\n\t> 0 - enables tracking but limits the number of global IP addresses to this value"); + "Configures the global address tracking option within the NAT:\n" + "\t0 - Global tracking is disabled,\n" + "\t> 0 - enables tracking but limits the number of global IP addresses to this value"); #endif /* SYSCTL_NODE */ Index: head/sys/netinet/sctp_sysctl.c =================================================================== --- head/sys/netinet/sctp_sysctl.c +++ head/sys/netinet/sctp_sysctl.c @@ -861,8 +861,8 @@ return (error); \ } \ SYSCTL_PROC(_net_inet_sctp, OID_AUTO, mib_name, \ - CTLFLAG_VNET|CTLTYPE_UINT|CTLFLAG_RW, NULL, 0, \ - sctp_sysctl_handle_##mib_name, "UI", prefix##_DESC); + CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, \ + NULL, 0, sctp_sysctl_handle_##mib_name, "UI", prefix##_DESC); /* * sysctl definitions @@ -873,10 +873,14 @@ SCTP_UINT_SYSCTL(auto_asconf, sctp_auto_asconf, SCTPCTL_AUTOASCONF) SCTP_UINT_SYSCTL(ecn_enable, sctp_ecn_enable, SCTPCTL_ECN_ENABLE) SCTP_UINT_SYSCTL(pr_enable, sctp_pr_enable, SCTPCTL_PR_ENABLE) -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, auth_enable, CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW, - NULL, 0, sctp_sysctl_handle_auth, "IU", SCTPCTL_AUTH_ENABLE_DESC); -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, asconf_enable, CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW, - NULL, 0, sctp_sysctl_handle_asconf, "IU", SCTPCTL_ASCONF_ENABLE_DESC); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, auth_enable, + CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_auth, "IU", + SCTPCTL_AUTH_ENABLE_DESC); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, asconf_enable, + CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_asconf, "IU", + SCTPCTL_ASCONF_ENABLE_DESC); SCTP_UINT_SYSCTL(reconfig_enable, sctp_reconfig_enable, SCTPCTL_RECONFIG_ENABLE) SCTP_UINT_SYSCTL(nrsack_enable, sctp_nrsack_enable, SCTPCTL_NRSACK_ENABLE) SCTP_UINT_SYSCTL(pktdrop_enable, sctp_pktdrop_enable, SCTPCTL_PKTDROP_ENABLE) @@ -926,13 +930,19 @@ SCTP_UINT_SYSCTL(mobility_base, sctp_mobility_base, SCTPCTL_MOBILITY_BASE) SCTP_UINT_SYSCTL(mobility_fasthandoff, sctp_mobility_fasthandoff, SCTPCTL_MOBILITY_FASTHANDOFF) #if defined(SCTP_LOCAL_TRACE_BUF) -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, log, CTLFLAG_VNET | CTLTYPE_STRUCT | CTLFLAG_RD, - NULL, 0, sctp_sysctl_handle_trace_log, "S,sctplog", "SCTP logging (struct sctp_log)"); -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, clear_trace, CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW, - NULL, 0, sctp_sysctl_handle_trace_log_clear, "IU", "Clear SCTP Logging buffer"); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, log, + CTLFLAG_VNET | CTLTYPE_STRUCT | CTLFLAG_RD | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_trace_log, "S,sctplog"a + , "SCTP logging (struct sctp_log)"); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, clear_trace, + CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_trace_log_clear, "IU", + "Clear SCTP Logging buffer"); #endif -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, udp_tunneling_port, CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW, - NULL, 0, sctp_sysctl_handle_udp_tunneling, "IU", SCTPCTL_UDP_TUNNELING_PORT_DESC); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, udp_tunneling_port, + CTLFLAG_VNET | CTLTYPE_UINT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_udp_tunneling, "IU", + SCTPCTL_UDP_TUNNELING_PORT_DESC); SCTP_UINT_SYSCTL(enable_sack_immediately, sctp_enable_sack_immediately, SCTPCTL_SACK_IMMEDIATELY_ENABLE) SCTP_UINT_SYSCTL(nat_friendly_init, sctp_inits_include_nat_friendly, SCTPCTL_NAT_FRIENDLY_INITS) SCTP_UINT_SYSCTL(vtag_time_wait, sctp_vtag_time_wait, SCTPCTL_TIME_WAIT) @@ -952,7 +962,11 @@ #if defined(__APPLE__) || defined(SCTP_SO_LOCK_TESTING) SCTP_UINT_SYSCTL(output_unlocked, sctp_output_unlocked, SCTPCTL_OUTPUT_UNLOCKED) #endif -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, stats, CTLFLAG_VNET | CTLTYPE_STRUCT | CTLFLAG_RW, - NULL, 0, sctp_sysctl_handle_stats, "S,sctpstat", "SCTP statistics (struct sctp_stat)"); -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, assoclist, CTLFLAG_VNET | CTLTYPE_OPAQUE | CTLFLAG_RD, - NULL, 0, sctp_sysctl_handle_assoclist, "S,xassoc", "List of active SCTP associations"); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, stats, + CTLFLAG_VNET | CTLTYPE_STRUCT | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_stats, "S,sctpstat", + "SCTP statistics (struct sctp_stat)"); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, assoclist, + CTLFLAG_VNET | CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_NEEDGIANT, + NULL, 0, sctp_sysctl_handle_assoclist, "S,xassoc", + "List of active SCTP associations"); Index: head/sys/netinet/sctp_usrreq.c =================================================================== --- head/sys/netinet/sctp_usrreq.c +++ head/sys/netinet/sctp_usrreq.c @@ -421,8 +421,10 @@ return (error); } -SYSCTL_PROC(_net_inet_sctp, OID_AUTO, getcred, CTLTYPE_OPAQUE | CTLFLAG_RW, - 0, 0, sctp_getcred, "S,ucred", "Get the ucred of a SCTP connection"); +SYSCTL_PROC(_net_inet_sctp, OID_AUTO, getcred, + CTLTYPE_OPAQUE | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + 0, 0, sctp_getcred, "S,ucred", + "Get the ucred of a SCTP connection"); #ifdef INET Index: head/sys/netinet6/sctp6_usrreq.c =================================================================== --- head/sys/netinet6/sctp6_usrreq.c +++ head/sys/netinet6/sctp6_usrreq.c @@ -472,9 +472,10 @@ return (error); } -SYSCTL_PROC(_net_inet6_sctp6, OID_AUTO, getcred, CTLTYPE_OPAQUE | CTLFLAG_RW, - 0, 0, - sctp6_getcred, "S,ucred", "Get the ucred of a SCTP6 connection"); +SYSCTL_PROC(_net_inet6_sctp6, OID_AUTO, getcred, + CTLTYPE_OPAQUE | CTLFLAG_RW | CTLFLAG_NEEDGIANT, + 0, 0, sctp6_getcred, "S,ucred", + "Get the ucred of a SCTP6 connection"); /* This is the same as the sctp_abort() could be made common */