authorNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-09 23:28:46 +0000
committerNiklas Hallqvist <niklas@cvs.openbsd.org>1999-04-09 23:28:46 +0000
commit8da7bcdbd3864aaf423ca8ac7919d77e50ff412b (patch)
tree0e6bfb357ac5e070b32361a10f0e13208959f306 /sys
parentd4598455283eae16961f56b6a43d4216a6435c40 (diff)
The kernel parts of a sysctl that can switch on/off IP-in-IP (protocol 4)
support, when IPSEC is compiled in. The default is disabled. Turn on with: sysctl -w net.inet.ip4.allow=1 ***Only*** do this if you really know what you are doing! This control does not affect the tunnel modes of ESP and AH.
Diffstat (limited to 'sys')
-rw-r--r--sys/netinet/in.h4
-rw-r--r--sys/netinet/in_proto.c5
-rw-r--r--sys/netinet/ip_ip4.c56
-rw-r--r--sys/netinet/ip_ip4.h20
4 files changed, 78 insertions, 7 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index d58c46f1bc5..089d5e40dcb 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.21 1999/03/27 21:04:21 provos Exp $ */
+/* $OpenBSD: in.h,v 1.22 1999/04/09 23:28:44 niklas Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -463,7 +463,7 @@ struct in6_pktinfo {
{ "icmp", CTLTYPE_NODE }, \
{ "igmp", CTLTYPE_NODE }, \
{ "ggp", CTLTYPE_NODE }, \
- { 0, 0 }, \
+ { "ip4", CTLTYPE_NODE }, \
{ 0, 0 }, \
{ "tcp", CTLTYPE_NODE }, \
{ 0, 0 }, \
diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c
index 3a1b928d7f8..7e9abf88109 100644
--- a/sys/netinet/in_proto.c
+++ b/sys/netinet/in_proto.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: in_proto.c,v 1.11 1999/02/24 22:32:58 angelos Exp $ */
+/* $OpenBSD: in_proto.c,v 1.12 1999/04/09 23:28:45 niklas Exp $ */
/* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */
/*
@@ -112,6 +112,7 @@ void iplinit __P((void));
#ifdef IPSEC
#include <netinet/ip_ipsp.h>
+#include <netinet/ip_ip4.h>
extern void ah_input __P((struct mbuf *, ...));
extern void esp_input __P((struct mbuf *, ...));
@@ -153,7 +154,7 @@ struct protosw inetsw[] = {
{ SOCK_RAW, &inetdomain, IPPROTO_IPIP, PR_ATOMIC|PR_ADDR,
ip4_input, rip_output, 0, rip_ctloutput,
rip_usrreq, /* XXX */
- 0, 0, 0, 0,
+ 0, 0, 0, 0, ip4_sysctl
},
#elif defined(MROUTING)
{ SOCK_RAW, &inetdomain, IPPROTO_IPIP, PR_ATOMIC|PR_ADDR,
diff --git a/sys/netinet/ip_ip4.c b/sys/netinet/ip_ip4.c
index 6337bb7b119..024e05abd41 100644
--- a/sys/netinet/ip_ip4.c
+++ b/sys/netinet/ip_ip4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ip4.c,v 1.27 1999/04/09 19:42:09 angelos Exp $ */
+/* $OpenBSD: ip_ip4.c,v 1.28 1999/04/09 23:28:45 niklas Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -50,6 +50,7 @@
#include <sys/errno.h>
#include <sys/time.h>
#include <sys/kernel.h>
+#include <sys/sysctl.h>
#include <machine/cpu.h>
#include <net/if.h>
@@ -78,6 +79,13 @@
#endif
/*
+ * We can control the acceptance of IP4 packets by altering the sysctl
+ * net.inet.ip4.allow value. Zero means drop them, all ilse is acceptance.
+ */
+int ip4_allow = 0;
+struct ip4stat ip4stat;
+
+/*
* ip4_input gets called when we receive an encapsulated packet,
* either because we got it at a real interface, or because AH or ESP
* were being used in tunnel mode (in which case the rcvif element will
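Review bot: The comment introducing the new ip4_allow global misspells "else" as "ilse" and does not mention the one exception the check further down relies on (IP4 carried inside AH/ESP is accepted regardless), which is the first thing an operator reading this file will want to know. I'd write `/* net.inet.ip4.allow: zero drops IP4 packets that did not arrive inside AH/ESP; any non-zero value accepts them. */`. The declaration block is self-contained, but the function it documents continues outside the hunk.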
@@ -108,6 +116,15 @@ ip4_input(m, va_alist)
ip4stat.ip4s_ipackets++;
+ /* If we do not accept IP4 explicitly, drop. */
+ if (!ip4_allow && (m->m_flags & (M_AUTH|M_CONF)) == 0)
+ {
+ DPRINTF(("ip4_input(): dropped due to policy\n"));
+ ip4stat.ip4s_pdrops++;
+ m_freem(m);
+ return;
+ }
+
/*
* Strip IP options, if any.
*/
@@ -133,6 +150,7 @@ ip4_input(m, va_alist)
{
DPRINTF(("ip4_input(): m_pullup() failed\n"));
ip4stat.ip4s_hdrops++;
+ m_freem(m);
return;
}
@@ -155,6 +173,19 @@ ip4_input(m, va_alist)
return;
}
+ /*
+ * If we do not accept IP4 other than part of ESP & AH, we should
+ * not accept a packet with double ip4 headers neither.
+ */
+
+ if (!ip4_allow && ipi->ip_p == IPPROTO_IPIP)
+ {
+ DPRINTF(("ip4_input(): dropped due to policy\n"));
+ ip4stat.ip4s_pdrops++;
+ m_freem(m);
+ return;
+ }
+
/*
* Check for local address spoofing.
*/
@@ -171,6 +202,7 @@ ip4_input(m, va_alist)
if (sin->sin_addr.s_addr == ipi->ip_src.s_addr)
{
DPRINTF(("ip_input(): possible local address spoofing detected on packet from %s to %s (%s->%s)\n", inet_ntoa4(ipo->ip_src), inet_ntoa4(ipo->ip_dst), inet_ntoa4(ipi->ip_src), inet_ntoa4(ipi->ip_dst)));
+ ip4stat.ip4s_spoof++;
m_freem(m);
return;
}
@@ -314,3 +346,25 @@ ipe4_input(struct mbuf *m, ...)
if (m)
m_freem(m);
}
+
+int
+ip4_sysctl(name, namelen, oldp, oldlenp, newp, newlen)
+ int *name;
+ u_int namelen;
+ void *oldp;
+ size_t *oldlenp;
+ void *newp;
+ size_t newlen;
+{
+ /* All sysctl names at this level are terminal. */
+ if (namelen != 1)
+ return (ENOTDIR);
+
+ switch (name[0]) {
+ case IP4CTL_ALLOW:
+ return (sysctl_int(oldp, oldlenp, newp, newlen, &ip4_allow));
+ default:
+ return (ENOPROTOOPT);
+ }
+ /* NOTREACHED */
+}
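Review bot: ip4_sysctl has no header comment, and since it is reached only through the inetsw pr_sysctl slot a reader cannot tell from this file alone what the name[] array means. I'd add, above the definition, `/* net.inet.ip4 sysctl handler (inetsw pr_sysctl). name[0] selects the leaf; only IP4CTL_ALLOW exists, a plain int read/written via sysctl_int(). */`. The ENOTDIR for `namelen != 1` and ENOPROTOOPT for an unknown name match the other netinet handlers, so no code change is needed.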
diff --git a/sys/netinet/ip_ip4.h b/sys/netinet/ip_ip4.h
index 86949539a58..4eaca741649 100644
--- a/sys/netinet/ip_ip4.h
+++ b/sys/netinet/ip_ip4.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ip4.h,v 1.13 1999/02/24 23:45:51 angelos Exp $ */
+/* $OpenBSD: ip_ip4.h,v 1.14 1999/04/09 23:28:45 niklas Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
@@ -50,11 +50,27 @@ struct ip4stat
u_int32_t ip4s_qfull;
u_int64_t ip4s_ibytes;
u_int64_t ip4s_obytes;
+ u_int32_t ip4s_pdrops; /* packet dropped due to policy */
+ u_int32_t ip4s_spoof; /* IP spoofing attempts */
};
#define IP4_DEFAULT_TTL 0
#define IP4_SAME_TTL -1
+/*
+ * Names for IP4 sysctl objects
+ */
+#define IP4CTL_ALLOW 1 /* accept incoming IP4 packets */
+#define IP4CTL_MAXID 2
+
+#define IP4CTL_NAMES { \
+ { 0, 0 }, \
+ { "allow", CTLTYPE_INT }, \
+}
+
#ifdef _KERNEL
-struct ip4stat ip4stat;
+int ip4_sysctl __P((int *, u_int, void *, size_t *, void *, size_t));
+
+extern int ip4_allow;
+extern struct ip4stat ip4stat;
#endif
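Review bot: The comment on IP4CTL_ALLOW, `/* accept incoming IP4 packets */`, understates the semantics that ip_ip4.c implements: any non-zero value enables acceptance, and IP4 carried inside AH/ESP is accepted regardless of the setting. I'd write `#define IP4CTL_ALLOW 1 /* non-zero: accept IP4 not carried in AH/ESP */`. Moving ip4stat to an extern declaration here and defining it in ip_ip4.c is the right fix for a definition that used to live in a header.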