Add the ability to filter the listing of security policies by policy scope
ClosedPublic

Authored by ae on Feb 26 2017, 2:45 PM.

Details

Summary

rS313330 introduced new security policy types for IFNET and PCB.
IFNET security policies are used by the if_ipsec(4) interface. They are automatically created when an if_ipsec(4) interface is configured.
PCB security policies are used by applications to apply an SP to a specific socket.
Basically, they all have a different scope.
I added several constants to describe the scope of a policy (IPSEC_POLICYSCOPE_XXX).
Currently only IPSEC_POLICYSCOPE_IFNET and IPSEC_POLICYSCOPE_GLOBAL are used.
These scopes can be used to filter the listing produced by the `setkey -DP' command.
Two additional flags are added to the setkey(8) utility:

-g to show only policies from global scope;
-t to show only policies from ifnet scope (virtual *tunnel* interface).

To achieve this I used the sadb_x_policy_reserved field in struct sadb_x_policy to specify the policy scope.
How it works now:

# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=1 seq=3 pid=873 scope=ifnet 
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=3 seq=2 pid=873 scope=ifnet 
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=2 seq=1 pid=873 scope=ifnet 
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=4 seq=0 pid=873 scope=ifnet 
	refcnt=1
# setkey -DPg
::/0 ::/0 icmp6 135,0
	out none
	spid=5 seq=1 pid=872 scope=global 
	refcnt=1
::/0 ::/0 icmp6 136,0
	out none
	spid=6 seq=0 pid=872 scope=global 
	refcnt=1

Diff Detail

Repository
rS FreeBSD src repository
ae updated this revision to Diff 25706.Feb 26 2017, 2:45 PM
ae retitled this revision from to Add the ability to filter the listing of security policies by policy scope.
ae updated this object.
ae edited the test plan for this revision.
ae added a reviewer: network.
ae set the repository for this revision to rS FreeBSD src repository.
ae updated this revision to Diff 25708.Feb 26 2017, 3:05 PM

Document new -g and -t flags.
Also remove the note about the -a flag. Now it is impossible to get DEAD SAs via the PF_KEY interface.

ae updated this revision to Diff 25720.Feb 26 2017, 7:20 PM
ae edited edge metadata.

Use SP priority to keep if_index. SP priority is used only for ordering
when new security policies are added. For ifnet security policies priority
is not used, because each interface uses only its own policies and there
is no need to manage the order of these policies.

setkey(8) can now show the interface's name using the retrieved if_index:

# setkey -DPt
0.0.0.0/0[any] 0.0.0.0/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
::/0[any] ::/0[any] any
	in ipsec
	esp/tunnel/87.250.242.144-87.250.242.145/unique:145
	spid=9 seq=2 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=8 seq=1 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
::/0[any] ::/0[any] any
	out ipsec
	esp/tunnel/87.250.242.145-87.250.242.144/unique:145
	spid=10 seq=0 pid=58025 scope=ifnet ifname=ipsec0
	refcnt=1
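As an added illustration (not code from this review or from FreeBSD), the scope filter behind -g/-t and the "scope=... ifname=..." rendering described above and in the summary. It assumes a constructed struct layout whose field names follow the page rather than <net/pfkeyv2.h>, assumed numeric values for the IPSEC_POLICYSCOPE_* constants, and a constructed table standing in for if_indextoname(3):

```c
#include <inttypes.h>
#include <stdio.h>
#include <string.h>

/* Constructed mirror of struct sadb_x_policy as the review describes it;
 * field names follow the page, not <net/pfkeyv2.h>, and scope values are assumed. */
struct sadb_x_policy {
	uint16_t sadb_x_policy_len, sadb_x_policy_exttype, sadb_x_policy_type;
	uint8_t  sadb_x_policy_dir;
	uint8_t  sadb_x_policy_reserved;  /* repurposed to carry the policy scope */
	uint32_t sadb_x_policy_id;        /* spid */
	uint32_t sadb_x_policy_priority;  /* repurposed: if_index for ifnet-scope SPs */
};
enum { IPSEC_POLICYSCOPE_ANY, IPSEC_POLICYSCOPE_GLOBAL,
       IPSEC_POLICYSCOPE_IFNET, IPSEC_POLICYSCOPE_PCB };

/* Stand-in for if_indextoname(3) with a constructed table, so no real interfaces are needed. */
static const char *ifname_lookup(uint32_t idx)
{
	static const char *const names[] = { NULL, "lo0", "em0", "ipsec0" };
	return idx < 4 ? names[idx] : NULL;
}

/* The -g / -t filter: does this SP belong to the requested scope? */
int sp_matches_scope(const struct sadb_x_policy *p, int want)
{
	return want == IPSEC_POLICYSCOPE_ANY || p->sadb_x_policy_reserved == want;
}

/* Render the "spid=... scope=... [ifname=...]" line that setkey -DP prints;
 * only ifnet-scope SPs carry an if_index to resolve. */
const char *sp_scope_line(const struct sadb_x_policy *p)
{
	static char buf[64];
	static const char *const names[] = { "any", "global", "ifnet", "pcb" };
	uint8_t s = p->sadb_x_policy_reserved;
	int n = snprintf(buf, sizeof buf, "spid=%" PRIu32 " scope=%s",
	    p->sadb_x_policy_id, s < 4 ? names[s] : "unknown");
	if (s == IPSEC_POLICYSCOPE_IFNET) {
		const char *ifn = ifname_lookup(p->sadb_x_policy_priority);
		snprintf(buf + n, sizeof buf - n, " ifname=%s", ifn ? ifn : "?");
	}
	return buf;
}

/* Constructed sample mirroring the review output: two ipsec0 (if_index 3) SPs, one global SP. */
const struct sadb_x_policy sample_sps[3] = {
	{ .sadb_x_policy_reserved = IPSEC_POLICYSCOPE_IFNET, .sadb_x_policy_id = 7, .sadb_x_policy_priority = 3 },
	{ .sadb_x_policy_reserved = IPSEC_POLICYSCOPE_IFNET, .sadb_x_policy_id = 8, .sadb_x_policy_priority = 3 },
	{ .sadb_x_policy_reserved = IPSEC_POLICYSCOPE_GLOBAL, .sadb_x_policy_id = 5 },
};
```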
ae updated this revision to Diff 25721.Feb 26 2017, 7:30 PM
ae edited edge metadata.

GC unneeded variable.
pbuf is large enough to use with if_indextoname().

gnn added a subscriber: gnn.Mar 2 2017, 4:40 PM
gnn added inline comments.
sys/net/if_ipsec.c
line 738 (On Diff #25721)

Is there a reason to override that field rather than to add a new one?

ae added inline comments.Mar 2 2017, 6:34 PM
sys/net/if_ipsec.c
line 738 (On Diff #25721)

This field is reported from the kernel to userland via the sadb_x_policy_priority field of struct sadb_x_policy. Unfortunately this structure has no unused fields that can be used to keep an ifindex.

We can introduce a new extension header as was done in rS309144, but I think this approach is also acceptable and requires fewer changes.

wblock added a subscriber: wblock.Mar 3 2017, 4:22 PM
wblock added inline comments.
sbin/setkey/setkey.8
line 703 (On Diff #25721)

Please add

.Xr if_ipsec 4 ,

This revision was automatically updated to reflect the committed changes.