Mercurial > illumos > illumos-gate

changeset 6048:fe40e7ead0fb

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
6452869 ipv6 MAC awareness is missing some basics, i.e. raw ipv6 mac awareness is non-existant 6478442 ip_wput_ire passed ALL_ZONES has bad assertions with an ipsec outbound policy 6578843 IPv6 tunnels subtract the encapsulation limit options from the effective mtu twice after CR#6535669 6629370 tunnels apparently get mac_exempt in Tx when they should not -- missing CIPSO labels. 6640590 TX: CIPSO and AH don't play well together
author wy83408
date Wed, 20 Feb 2008 12:21:06 -0800
parents 235fee4665e7
children 5569229e1d94
files usr/src/uts/common/inet/ip/ip.c usr/src/uts/common/inet/ip/ip6.c usr/src/uts/common/inet/ip/ipsecah.c usr/src/uts/common/inet/ip/tn_ipopt.c usr/src/uts/common/inet/ip/tun.c
diffstat 5 files changed, 66 insertions(+), 41 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/uts/common/inet/ip/ip.c	Wed Feb 20 11:04:28 2008 -0800
+++ b/usr/src/uts/common/inet/ip/ip.c	Wed Feb 20 12:21:06 2008 -0800
@@ -20691,10 +20691,11 @@
 	/*
 	 * Make sure we have a full-word aligned message and that at least
 	 * a simple IP header is accessible in the first message.  If not,
-	 * try a pullup.
+	 * try a pullup.  For labeled systems we need to always take this
+	 * path as M_CTLs are "notdata" but have trailing data to process.
 	 */
 	if (!OK_32PTR(rptr) ||
-	    (mp->b_wptr - rptr) < IP_SIMPLE_HDR_LENGTH) {
+	    (mp->b_wptr - rptr) < IP_SIMPLE_HDR_LENGTH || is_system_labeled()) {
 hdrtoosmall:
 		if (!pullupmsg(mp, IP_SIMPLE_HDR_LENGTH)) {
 			TRACE_2(TR_FAC_IP, TR_IP_WPUT_END,
@@ -22184,6 +22185,16 @@
 				ill_refrele(conn_outgoing_ill);
 			return;
 		}
+		/*
+		 * Trusted Extensions supports all-zones interfaces, so
+		 * zoneid == ALL_ZONES is valid, but IPsec maps ALL_ZONES to
+		 * the global zone.
+		 */
+		if (zoneid == ALL_ZONES && mp->b_datap->db_type == M_CTL) {
+			io = (ipsec_out_t *)mp->b_rptr;
+			ASSERT(io->ipsec_out_type == IPSEC_OUT);
+			zoneid = io->ipsec_out_zoneid;
+		}
 	}
 
 	first_mp = mp;
--- a/usr/src/uts/common/inet/ip/ip6.c	Wed Feb 20 11:04:28 2008 -0800
+++ b/usr/src/uts/common/inet/ip/ip6.c	Wed Feb 20 12:21:06 2008 -0800
@@ -1623,7 +1623,7 @@
 		}
 		msg_len = len_needed;
 	}
-	mp1 = allocb(IPV6_HDR_LEN + len, BPRI_HI);
+	mp1 = allocb_cred(IPV6_HDR_LEN + len, DB_CRED(mp));
 	if (mp1 == NULL) {
 		BUMP_MIB(ill->ill_icmp6_mib, ipv6IfIcmpOutErrors);
 		freemsg(ipsec_mp);
@@ -9164,13 +9164,14 @@
 	boolean_t	drop_if_delayed = B_FALSE;
 	boolean_t	multirt_need_resolve = B_FALSE;
 	mblk_t		*copy_mp = NULL;
-	int		err;
+	int		err = 0;
 	int		ip6i_flags = 0;
 	zoneid_t	zoneid;
 	ill_t		*saved_ill = NULL;
 	boolean_t	conn_lock_held;
 	boolean_t	need_decref = B_FALSE;
 	ip_stack_t	*ipst;
+	int		adjust;
 
 	if (q->q_next != NULL) {
 		ill = (ill_t *)q->q_ptr;
@@ -9297,6 +9298,30 @@
 		goto notv6;
 	}
 
+	if (is_system_labeled() && DB_TYPE(mp) == M_DATA &&
+	    (connp == NULL || !connp->conn_ulp_labeled)) {
+		if (connp != NULL) {
+			ASSERT(CONN_CRED(connp) != NULL);
+			err = tsol_check_label_v6(BEST_CRED(mp, connp),
+			    &mp, &adjust, connp->conn_mac_exempt, ipst);
+		} else if (DB_CRED(mp) != NULL) {
+			err = tsol_check_label_v6(DB_CRED(mp),
+			    &mp, &adjust, 0, ipst);
+		}
+		if (mctl_present)
+			first_mp->b_cont = mp;
+		else
+			first_mp = mp;
+		if (err != 0) {
+			DTRACE_PROBE3(
+			    tsol_ip_log_drop_checklabel_ip6, char *,
+			    "conn(1), failed to check/update mp(2)",
+			    conn_t, connp, mblk_t, mp);
+			    freemsg(first_mp);
+			return;
+		}
+		ip6h = (ip6_t *)mp->b_rptr;
+	}
 	if (q->q_next != NULL) {
 		/*
 		 * We don't know if this ill will be used for IPv6
@@ -9328,7 +9353,6 @@
 		do_outrequests = B_FALSE;
 		zoneid = (zoneid_t)(uintptr_t)arg;
 	} else {
-		connp = (conn_t *)arg;
 		ASSERT(connp != NULL);
 		zoneid = connp->conn_zoneid;
 
--- a/usr/src/uts/common/inet/ip/ipsecah.c	Wed Feb 20 11:04:28 2008 -0800
+++ b/usr/src/uts/common/inet/ip/ipsecah.c	Wed Feb 20 12:21:06 2008 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -2995,7 +2995,8 @@
 			return (NULL);
 	}
 
-	if ((phdr_mp = allocb(hdr_size + ah_data_sz, BPRI_HI)) == NULL) {
+	if ((phdr_mp = allocb_cred(hdr_size + ah_data_sz,
+	    DB_CRED(mp))) == NULL) {
 		return (NULL);
 	}
 
@@ -3126,7 +3127,7 @@
 		size += option_length;
 	}
 
-	if ((phdr_mp = allocb(size, BPRI_HI)) == NULL) {
+	if ((phdr_mp = allocb_cred(size, DB_CRED(mp))) == NULL) {
 		return (NULL);
 	}
 
@@ -4171,13 +4172,6 @@
 	}
 	freeb(phdr_mp);
 	ipsec_in->b_cont = mp;
-
-	if (is_system_labeled()) {
-		/*
-		 * inherit the label by setting it in the new ip header
-		 */
-		mblk_setcred(mp, DB_CRED(mp));
-	}
 	return (IPSEC_STATUS_SUCCESS);
 
 ah_in_discard:
@@ -4308,13 +4302,6 @@
 		nip6h->ip6_plen = htons((uint16_t)length);
 	}
 
-	if (is_system_labeled()) {
-		/*
-		 * inherit the label by setting it in the new ip header
-		 */
-		mblk_setcred(phdr_mp, DB_CRED(mp));
-	}
-
 	/* Skip the original IP header */
 	mp->b_rptr += hdrs_length;
 	if (mp->b_rptr == mp->b_wptr) {
--- a/usr/src/uts/common/inet/ip/tn_ipopt.c	Wed Feb 20 11:04:28 2008 -0800
+++ b/usr/src/uts/common/inet/ip/tn_ipopt.c	Wed Feb 20 12:21:06 2008 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -675,11 +675,10 @@
 		copylen = MBLKL(mp);
 		if (copylen > 256)
 			copylen = 256;
-		new_mp = allocb(hlen + copylen +
-		    (mp->b_rptr - mp->b_datap->db_base), BPRI_HI);
+		new_mp = allocb_cred(hlen + copylen +
+		    (mp->b_rptr - mp->b_datap->db_base), DB_CRED(mp));
 		if (new_mp == NULL)
 			return (ENOMEM);
-		mblk_setcred(new_mp, DB_CRED(mp));
 
 		/* keep the bias */
 		new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
@@ -1251,11 +1250,10 @@
 			copylen = 256;
 		if (copylen < hdr_len)
 			copylen = hdr_len;
-		new_mp = allocb(hlen + copylen +
-		    (mp->b_rptr - mp->b_datap->db_base), BPRI_HI);
+		new_mp = allocb_cred(hlen + copylen +
+		    (mp->b_rptr - mp->b_datap->db_base), DB_CRED(mp));
 		if (new_mp == NULL)
 			return (ENOMEM);
-		mblk_setcred(new_mp, DB_CRED(mp));
 
 		/* keep the bias */
 		new_mp->b_rptr += mp->b_rptr - mp->b_datap->db_base;
--- a/usr/src/uts/common/inet/ip/tun.c	Wed Feb 20 11:04:28 2008 -0800
+++ b/usr/src/uts/common/inet/ip/tun.c	Wed Feb 20 12:21:06 2008 -0800
@@ -19,7 +19,7 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -75,6 +75,7 @@
 #include <net/if_dl.h>
 #include <inet/ip_if.h>
 #include <sys/strsun.h>
+#include <sys/strsubr.h>
 #include <inet/ipsec_impl.h>
 #include <inet/ipdrop.h>
 #include <inet/tun.h>
@@ -2780,7 +2781,9 @@
 	/*
 	 * If the pmtu provided came from an ICMP error being passed up
 	 * from below, then the pmtu argument has already been adjusted
-	 * by the IPsec overhead and ip header length.
+	 * by the IPsec overhead and ip header length.  For ICMP6, the
+	 * encap limit option's size is also accounted for as part of
+	 * outer_hlen in icmp_ricmp_err_v?_v6().
 	 */
 	if (!icmp && atp->tun_itp != NULL &&
 	    (atp->tun_itp->itp_flags & ITPF_P_ACTIVE))
@@ -2793,10 +2796,11 @@
 			newmtu = IP_MIN_MTU;
 	} else {
 		ASSERT(atp->tun_flags & TUN_L_V6);
-		if (!icmp)
+		if (!icmp) {
 			newmtu -= sizeof (ip6_t);
-		if (atp->tun_encap_lim > 0)
-			newmtu -= IPV6_TUN_ENCAP_OPT_LEN;
+			if (atp->tun_encap_lim > 0)
+				newmtu -= IPV6_TUN_ENCAP_OPT_LEN;
+		}
 		if (newmtu < IPV6_MIN_MTU)
 			newmtu = IPV6_MIN_MTU;
 	}
@@ -4729,7 +4733,8 @@
 		if ((mp->b_rptr - mp->b_datap->db_base) < hdrlen) {
 			/* no */
 
-			nmp = allocb(hdrlen + atp->tun_extra_offset, BPRI_HI);
+			nmp = allocb_cred(hdrlen + atp->tun_extra_offset,
+			    DB_CRED(mp));
 			if (nmp == NULL) {
 				atomic_add_32(&atp->tun_OutDiscard, 1);
 				atomic_add_32(&atp->tun_allocbfail, 1);
@@ -4773,8 +4778,8 @@
 
 		if ((mp->b_rptr - mp->b_datap->db_base) < hdrlen) {
 			/* no */
-			nmp = allocb(hdrlen + atp->tun_extra_offset,
-			    BPRI_HI);
+			nmp = allocb_cred(hdrlen + atp->tun_extra_offset,
+			    DB_CRED(mp));
 			if (nmp == NULL) {
 				atomic_add_32(&atp->tun_OutDiscard, 1);
 				atomic_add_32(&atp->tun_allocbfail, 1);
@@ -5251,8 +5256,8 @@
 		if ((mp->b_rptr - mp->b_datap->db_base) < sizeof (ipha_t)) {
 			/* no */
 
-			nmp = allocb(sizeof (ipha_t) + atp->tun_extra_offset,
-			    BPRI_HI);
+			nmp = allocb_cred(sizeof (ipha_t) +
+			    atp->tun_extra_offset, DB_CRED(mp));
 			if (nmp == NULL) {
 				atomic_add_32(&atp->tun_OutDiscard, 1);
 				atomic_add_32(&atp->tun_allocbfail, 1);
@@ -5438,8 +5443,8 @@
 
 		if ((mp->b_rptr - mp->b_datap->db_base) < hdrlen) {
 			/* no */
-			nmp = allocb(hdrlen + atp->tun_extra_offset,
-			    BPRI_HI);
+			nmp = allocb_cred(hdrlen + atp->tun_extra_offset,
+			    DB_CRED(mp));
 			if (nmp == NULL) {
 				atomic_add_32(&atp->tun_OutDiscard, 1);
 				atomic_add_32(&atp->tun_allocbfail, 1);