Page MenuHomeFreeBSD
Differential D9805

Add the ability to filter the listing of security policies by policy scope
ClosedPublic
Actions

Authored by ae on Feb 26 2017, 2:45 PM.
Tags
None
Referenced Files
Unknown Object (File)
Sat, Jan 18, 2:36 AM
Unknown Object (File)
Fri, Jan 17, 5:38 PM
Unknown Object (File)
Fri, Jan 17, 1:22 PM
Unknown Object (File)
Sat, Jan 11, 4:34 PM
Unknown Object (File)
Dec 14 2024, 3:43 PM
Unknown Object (File)
Nov 14 2024, 3:17 AM
Unknown Object (File)
Oct 23 2024, 1:05 PM
Unknown Object (File)
Oct 23 2024, 5:17 AM
View All Files
Subscribers
gnn
imp
wblock

Details

Reviewers
None
Group Reviewers
network
manpages
Commits
rS314812: Introduce the concept of IPsec security policies scope.
Summary

The rS313330 introduced new security policy types for IFNET and PCB.
IFNET security policies are used by if_ipsec(4) interface. The are automatically created when if_ipsec(4) interface is configured.
PCB security policies are used by application to apply SP for specific socket.
Basically, they all have a different scope.
I added several constants to describe the scope of policy (IPSEC_POLICYSCOPE_XXX).
Currently only IPSEC_POLICYSCOPE_IFNET and IPSEC_POLICYSCOPE_GLOBAL are used.
These scopes can be used to filter the listing that does `setkey -DP' command.
Two additional flags are added to setkey(8) utility:

-g to show only policies from global scope;
-t to show only policies from ifnet scope (virtual *tunnel* interface).

To achieve this I used sadb_x_policy_reserved field in the struct sadb_x_policy to specify policy scope.
How it worked now:

# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=1 seq=3 pid=873 scope=ifnet 
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=3 seq=2 pid=873 scope=ifnet 
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=2 seq=1 pid=873 scope=ifnet 
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=4 seq=0 pid=873 scope=ifnet 
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global 
	refcnt=1
::/0 ::/0 icmp6 136,0
	out none
	spid=6 seq=0 pid=872 scope=global 
	refcnt=1

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

ae updated this revision to Diff 25706.Feb 26 2017, 2:45 PM
ae retitled this revision from to Add the ability to filter the listing of security policies by policy scope.
ae updated this object.
ae edited the test plan for this revision. (Show Details)
ae added a reviewer: network.
ae set the repository for this revision to rS FreeBSD src repository - subversion.
Herald added a subscriber: imp. · View Herald TranscriptFeb 26 2017, 2:45 PM
ae updated this revision to Diff 25708.Feb 26 2017, 3:05 PM

Document new -g and -t flags.
Also remove note about -a flag. Now it is impossible to get DEAD SAs via PF_KEY interface.

Herald added a reviewer: manpages. · View Herald TranscriptFeb 26 2017, 3:05 PM
ae updated this revision to Diff 25720.Feb 26 2017, 7:20 PM
ae edited edge metadata.

Use SP priority to keep if_index. SP priority is used only for ordering
when new security policies are added. For ifnet security policies priority
is not used, because each interface uses only its own policies and there
are no need to manage order of these policies.

setkey(8) now can show interface's name using retrieved if_index:

# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=9 seq=2 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=8 seq=1 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=10 seq=0 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
Herald edited edge metadata. · View Herald TranscriptFeb 26 2017, 7:20 PM
ae updated this revision to Diff 25721.Feb 26 2017, 7:30 PM
ae edited edge metadata.

GC unneded variable.
pbuf has enough size to use with if_indextoname().

Herald edited edge metadata. · View Herald TranscriptFeb 26 2017, 7:30 PM
gnn added a subscriber: gnn.Mar 2 2017, 4:40 PM
gnn added inline comments.
sys/net/if_ipsec.c
738 ↗(On Diff #25721)

Is there a reason to override that field rather than to add a new one?

ae added inline comments.Mar 2 2017, 6:34 PM
sys/net/if_ipsec.c
738 ↗(On Diff #25721)

This field is reported from the kernel to userland via sadb_x_policy_priority field of struct sadb_x_policy. Unfortunately this structure has no unused fields, that can be used to keep an ifindex.

We can introduce new extension header like was done in rS309144, but I think this approach also acceptable and requires less changes.

wblock added a subscriber: wblock.Mar 3 2017, 4:22 PM
wblock added inline comments.
sbin/setkey/setkey.8
703 ↗(On Diff #25721)

Please add

.Xr if_ipsec 4 ,
Closed by commit rS314812: Introduce the concept of IPsec security policies scope. (authored by ae). · Explain WhyMar 7 2017, 12:14 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
lib/
libipsec/
20 lines
sbin/
setkey/
32 lines
24 lines
sys/
net/
6 lines
5 lines
netipsec/
6 lines
187 lines

Diff 26047

View Options

head/lib/libipsec/pfkey_dump.c

Loading...
View Options

head/sbin/setkey/setkey.8

Loading...
View Options

head/sbin/setkey/setkey.c

Loading...
View Options

head/sys/net/if_ipsec.c

Loading...
View Options

head/sys/net/pfkeyv2.h

Loading...
View Options

head/sys/netipsec/ipsec.h

Loading...
View Options

head/sys/netipsec/key.c

Loading...