summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVitaliy Makkoveev <mvs@cvs.openbsd.org>2024-08-21 12:53:37 +0000
committerVitaliy Makkoveev <mvs@cvs.openbsd.org>2024-08-21 12:53:37 +0000
commit9d06bedc4cbcf89531f8bf68b76318387e49846c (patch)
treea0c07296707d2d7f7eff36454167c24d3b8288dd
parent50d54e03f117cfa2bd30a9d8bc3fb883bc6fcbd6 (diff)
Revert previous. It was committed mistakenly.
-rw-r--r--sys/netinet/in_proto.c4
-rw-r--r--sys/netinet/ip_ipip.c24
2 files changed, 13 insertions, 15 deletions
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index 9aefbd326a0..cd64f177724 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_proto.c,v 1.111 2024/08/21 07:36:12 mvs Exp $ */
+/* $OpenBSD: in_proto.c,v 1.112 2024/08/21 12:53:36 mvs Exp $ */
/* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */
/*
@@ -230,7 +230,7 @@ const struct protosw inetsw[] = {
.pr_type = SOCK_RAW,
.pr_domain = &inetdomain,
.pr_protocol = IPPROTO_IPV4,
- .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET|PR_MPSYSCTL,
+ .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET,
#if NGIF > 0
.pr_input = in_gif_input,
#else
diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c
index 760eb8c9de9..67434ca1fb1 100644
--- a/sys/netinet/ip_ipip.c
+++ b/sys/netinet/ip_ipip.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipip.c,v 1.103 2024/08/21 07:36:12 mvs Exp $ */
+/* $OpenBSD: ip_ipip.c,v 1.104 2024/08/21 12:53:36 mvs Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -72,11 +72,6 @@
#include <net/pfvar.h>
#endif
-/*
- * Locks used to protect data:
- * a atomic
- */
-
#ifdef ENCDEBUG
#define DPRINTF(fmt, args...) \
do { \
@@ -92,7 +87,7 @@
* We can control the acceptance of IP4 packets by altering the sysctl
* net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
*/
-int ipip_allow = 0; /* [a] */
+int ipip_allow = 0;
struct cpumem *ipipcounters;
@@ -111,8 +106,7 @@ ipip_input(struct mbuf **mp, int *offp, int nxt, int af)
struct ifnet *ifp;
/* If we do not accept IP-in-IP explicitly, drop. */
- if (atomic_load_int(&ipip_allow) == 0 &&
- ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) {
+ if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) {
DPRINTF("dropped due to policy");
ipipstat_inc(ipips_pdrops);
m_freemp(mp);
@@ -277,8 +271,7 @@ ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf,
}
/* Check for local address spoofing. */
- if (!(ifp->if_flags & IFF_LOOPBACK) &&
- atomic_load_int(&ipip_allow) != 2) {
+ if (!(ifp->if_flags & IFF_LOOPBACK) && ipip_allow != 2) {
struct sockaddr_storage ss;
struct rtentry *rt;
@@ -591,14 +584,19 @@ int
ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
size_t newlen)
{
+ int error;
+
/* All sysctl names at this level are terminal. */
if (namelen != 1)
return (ENOTDIR);
switch (name[0]) {
case IPIPCTL_ALLOW:
- return (sysctl_int_bounded(oldp, oldlenp, newp, newlen,
- &ipip_allow, 0, 2));
+ NET_LOCK();
+ error = sysctl_int_bounded(oldp, oldlenp, newp, newlen,
+ &ipip_allow, 0, 2);
+ NET_UNLOCK();
+ return (error);
case IPIPCTL_STATS:
return (ipip_sysctl_ipipstat(oldp, oldlenp, newp));
default: