summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--share/man/man9/mbuf_tags.99
-rw-r--r--sys/net/pipex.c13
-rw-r--r--sys/netinet/ip_input.c11
-rw-r--r--sys/sys/mbuf.h5
4 files changed, 31 insertions, 7 deletions
diff --git a/share/man/man9/mbuf_tags.9 b/share/man/man9/mbuf_tags.9
index 424916d3d07..a71e45625c2 100644
--- a/share/man/man9/mbuf_tags.9
+++ b/share/man/man9/mbuf_tags.9
@@ -1,4 +1,4 @@
-.\" $OpenBSD: mbuf_tags.9,v 1.42 2021/05/12 23:17:30 yasuoka Exp $
+.\" $OpenBSD: mbuf_tags.9,v 1.43 2021/05/15 08:07:20 yasuoka Exp $
.\"
.\" The author of this man page is Angelos D. Keromytis (angelos@cis.upenn.edu)
.\"
@@ -15,7 +15,7 @@
.\" MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
.\" PURPOSE.
.\"
-.Dd $Mdocdate: May 12 2021 $
+.Dd $Mdocdate: May 15 2021 $
.Dt M_TAG_GET 9
.Os
.Sh NAME
@@ -122,6 +122,11 @@ The tag contains a
identifying the security association applied to the packet.
This tag is primarily used to detect and avoid loops in IPsec
processing on output.
+.It PACKET_TAG_IPSEC_FLOWINFO
+Used by the IPv4 stack to specify the IPsec flow of an output IP packet.
+The tag contains a
+.Va u_int32_t
+identifying the IPsec flow.
.It PACKET_TAG_WIREGUARD
Used by the
.Xr wg 4
diff --git a/sys/net/pipex.c b/sys/net/pipex.c
index 83cafd0c99a..a78cbd6e051 100644
--- a/sys/net/pipex.c
+++ b/sys/net/pipex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pipex.c,v 1.132 2021/03/10 10:21:48 jsg Exp $ */
+/* $OpenBSD: pipex.c,v 1.133 2021/05/15 08:07:20 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -1628,6 +1628,7 @@ pipex_l2tp_output(struct mbuf *m0, struct pipex_session *session)
#ifdef INET6
struct ip6_hdr *ip6;
#endif
+ struct m_tag *mtag;
hlen = sizeof(struct pipex_l2tp_header) +
((pipex_session_is_l2tp_data_sequencing_on(session))
@@ -1704,6 +1705,15 @@ pipex_l2tp_output(struct mbuf *m0, struct pipex_session *session)
ip->ip_tos = 0;
ip->ip_off = 0;
+ if (session->proto.l2tp.ipsecflowinfo > 0) {
+ if ((mtag = m_tag_get(PACKET_TAG_IPSEC_FLOWINFO,
+ sizeof(u_int32_t), M_NOWAIT)) == NULL)
+ goto drop;
+ *(u_int32_t *)(mtag + 1) =
+ session->proto.l2tp.ipsecflowinfo;
+ m_tag_prepend(m0, mtag);
+ }
+
ip_send(m0);
break;
#ifdef INET6
@@ -1733,6 +1743,7 @@ pipex_l2tp_output(struct mbuf *m0, struct pipex_session *session)
return;
drop:
+ m_freem(m0);
session->stat.oerrors++;
}
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index c2f63e79c69..2c09c327197 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.359 2021/04/30 13:52:48 bluhm Exp $ */
+/* $OpenBSD: ip_input.c,v 1.360 2021/05/15 08:07:20 yasuoka Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -1790,6 +1790,8 @@ ip_send_do_dispatch(void *xmq, int flags)
struct mbuf_queue *mq = xmq;
struct mbuf *m;
struct mbuf_list ml;
+ struct m_tag *mtag;
+ u_int32_t ipsecflowinfo = 0;
mq_delist(mq, &ml);
if (ml_empty(&ml))
@@ -1797,7 +1799,12 @@ ip_send_do_dispatch(void *xmq, int flags)
NET_LOCK();
while ((m = ml_dequeue(&ml)) != NULL) {
- ip_output(m, NULL, NULL, flags, NULL, NULL, 0);
+ if ((mtag = m_tag_find(m, PACKET_TAG_IPSEC_FLOWINFO, NULL))
+ != NULL) {
+ ipsecflowinfo = *(u_int32_t *)(mtag + 1);
+ m_tag_delete(m, mtag);
+ }
+ ip_output(m, NULL, NULL, flags, NULL, NULL, ipsecflowinfo);
}
NET_UNLOCK();
}
diff --git a/sys/sys/mbuf.h b/sys/sys/mbuf.h
index 4a590a01e3e..488b75b525a 100644
--- a/sys/sys/mbuf.h
+++ b/sys/sys/mbuf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: mbuf.h,v 1.252 2021/02/25 02:43:31 dlg Exp $ */
+/* $OpenBSD: mbuf.h,v 1.253 2021/05/15 08:07:20 yasuoka Exp $ */
/* $NetBSD: mbuf.h,v 1.19 1996/02/09 18:25:14 christos Exp $ */
/*
@@ -469,6 +469,7 @@ struct m_tag *m_tag_next(struct mbuf *, struct m_tag *);
/* Packet tag types */
#define PACKET_TAG_IPSEC_IN_DONE 0x0001 /* IPsec applied, in */
#define PACKET_TAG_IPSEC_OUT_DONE 0x0002 /* IPsec applied, out */
+#define PACKET_TAG_IPSEC_FLOWINFO 0x0004 /* IPsec flowinfo */
#define PACKET_TAG_WIREGUARD 0x0040 /* WireGuard data */
#define PACKET_TAG_GRE 0x0080 /* GRE processing done */
#define PACKET_TAG_DLT 0x0100 /* data link layer type */
@@ -479,7 +480,7 @@ struct m_tag *m_tag_next(struct mbuf *, struct m_tag *);
#define PACKET_TAG_CARP_BAL_IP 0x4000 /* carp(4) ip balanced marker */
#define MTAG_BITS \
- ("\20\1IPSEC_IN_DONE\2IPSEC_OUT_DONE\3IPSEC_IN_CRYPTO_DONE" \
+ ("\20\1IPSEC_IN_DONE\2IPSEC_OUT_DONE\3IPSEC_FLOWINFO" \
"\4IPSEC_OUT_CRYPTO_NEEDED\5IPSEC_PENDING_TDB\6BRIDGE\7WG\10GRE\11DLT" \
"\12PF_DIVERT\14PF_REASSEMBLED\15SRCROUTE\16TUNNEL\17CARP_BAL_IP")