D49164.diff
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -27,7 +27,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd February 6, 2017
+.Dd March 4, 2025
.Dt IPSEC 4
.Os
.Sh NAME
@@ -239,6 +239,7 @@
.It "net.inet.ipsec.debug integer yes"
.It "net.inet.ipsec.natt_cksum_policy integer yes"
.It "net.inet.ipsec.check_policy_history integer yes"
+.It "net.inet.ipsec.random_id integer yes"
.It "net.inet6.ipsec6.ecn integer yes"
.It "net.inet6.ipsec6.debug integer yes"
.El
@@ -298,6 +299,9 @@
If this variable is set to a non-zero value, each packet handled by IPsec
is checked against the history of IPsec security associations.
The IPsec security protocol, mode, and SA addresses must match.
+.It Li ipsec.random_id
+Enables randomization of encapsulated IPv4 packets ID.
+By default, ID randomization is not enabled.
.El
.Pp
Variables under the
diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -1256,7 +1256,7 @@
ip->ip_ttl = CARP_DFLTTL;
ip->ip_p = IPPROTO_CARP;
ip->ip_sum = 0;
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
ifa = carp_best_ifa(AF_INET, sc->sc_carpdev);
if (ifa != NULL) {
@@ -1395,7 +1395,7 @@
ip->ip_ttl = CARP_DFLTTL;
ip->ip_p = IPPROTO_CARP;
ip->ip_sum = 0;
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
ifa = carp_best_ifa(AF_INET, sc->sc_carpdev);
if (ifa != NULL) {
diff --git a/sys/netinet/ip_gre.c b/sys/netinet/ip_gre.c
--- a/sys/netinet/ip_gre.c
+++ b/sys/netinet/ip_gre.c
@@ -534,7 +534,7 @@
#ifdef INET6
case AF_INET6:
gi->gi_ip.ip_tos = 0; /* XXX */
- ip_fillid(&gi->gi_ip);
+ ip_fillid(&gi->gi_ip, V_ip_random_id);
break;
#endif
}
diff --git a/sys/netinet/ip_id.c b/sys/netinet/ip_id.c
--- a/sys/netinet/ip_id.c
+++ b/sys/netinet/ip_id.c
@@ -97,9 +97,9 @@
* user wants to, we can turn on random ID generation.
*/
VNET_DEFINE_STATIC(int, ip_rfc6864) = 1;
-VNET_DEFINE_STATIC(int, ip_do_randomid) = 0;
#define V_ip_rfc6864 VNET(ip_rfc6864)
-#define V_ip_do_randomid VNET(ip_do_randomid)
+
+VNET_DEFINE(int, ip_random_id) = 0;
/*
* Random ID state engine.
@@ -126,7 +126,7 @@
VNET_DEFINE_STATIC(counter_u64_t, ip_id);
#define V_ip_id VNET(ip_id)
-static int sysctl_ip_randomid(SYSCTL_HANDLER_ARGS);
+static int sysctl_ip_random_id(SYSCTL_HANDLER_ARGS);
static int sysctl_ip_id_change(SYSCTL_HANDLER_ARGS);
static void ip_initid(int);
static uint16_t ip_randomid(void);
@@ -136,7 +136,7 @@
SYSCTL_DECL(_net_inet_ip);
SYSCTL_PROC(_net_inet_ip, OID_AUTO, random_id,
CTLTYPE_INT | CTLFLAG_VNET | CTLFLAG_RW | CTLFLAG_MPSAFE,
- &VNET_NAME(ip_do_randomid), 0, sysctl_ip_randomid, "IU",
+ &VNET_NAME(ip_random_id), 0, sysctl_ip_random_id, "IU",
"Assign random ip_id values");
SYSCTL_INT(_net_inet_ip, OID_AUTO, rfc6864, CTLFLAG_VNET | CTLFLAG_RW,
&VNET_NAME(ip_rfc6864), 0,
@@ -151,22 +151,22 @@
&VNET_NAME(random_id_total), 0, "Count of IP IDs created");
static int
-sysctl_ip_randomid(SYSCTL_HANDLER_ARGS)
+sysctl_ip_random_id(SYSCTL_HANDLER_ARGS)
{
int error, new;
- new = V_ip_do_randomid;
+ new = V_ip_random_id;
error = sysctl_handle_int(oidp, &new, 0, req);
if (error || req->newptr == NULL)
return (error);
if (new != 0 && new != 1)
return (EINVAL);
- if (new == V_ip_do_randomid)
+ if (new == V_ip_random_id)
return (0);
- if (new == 1 && V_ip_do_randomid == 0)
+ if (new == 1 && V_ip_random_id == 0)
ip_initid(8192);
/* We don't free memory when turning random ID off, due to race. */
- V_ip_do_randomid = new;
+ V_ip_random_id = new;
return (0);
}
@@ -238,7 +238,7 @@
}
void
-ip_fillid(struct ip *ip)
+ip_fillid(struct ip *ip, bool do_randomid)
{
/*
@@ -249,7 +249,7 @@
*/
if (V_ip_rfc6864 && (ip->ip_off & htons(IP_DF)) == htons(IP_DF))
ip->ip_id = 0;
- else if (V_ip_do_randomid)
+ else if (do_randomid)
ip->ip_id = ip_randomid();
else {
counter_u64_add(V_ip_id, 1);
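Review bot: The `else if (do_randomid)` branch now reaches ip_randomid() for any caller that passes a true flag, but the only code on this diff that sets up the random-ID engine is the 0-to-1 transition in sysctl_ip_random_id (`ip_initid(8192)`), and the new net.inet.ipsec.random_id knob in sys/netipsec/ipsec.c is a plain SYSCTL_INT with no handler, so enabling it while net.inet.ip.random_id was never enabled takes this branch without that initialization having run. Whether ip_randomid() tolerates that cannot be seen here (its body is outside the hunk); if it does not, either give the ipsec sysctl a handler that runs ip_initid(8192) on enable, or initialize the engine unconditionally at VNET init and drop the lazy path. The ipsec sysctl also accepts values other than 0 and 1, unlike the net.inet.ip handler, which is harmless for a bool argument but inconsistent between the two knobs. A comment above the branch such as `/* Callers passing true must ensure ip_initid() has run; see sysctl_ip_random_id(). */` would make that contract explicit for the ipsec_output.c call site and any future ones. ip_fillid's else block continues outside the hunk.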
diff --git a/sys/netinet/ip_mroute.c b/sys/netinet/ip_mroute.c
--- a/sys/netinet/ip_mroute.c
+++ b/sys/netinet/ip_mroute.c
@@ -2466,7 +2466,7 @@
ip_outer->ip_tos = ip->ip_tos;
if (ip->ip_off & htons(IP_DF))
ip_outer->ip_off |= htons(IP_DF);
- ip_fillid(ip_outer);
+ ip_fillid(ip_outer, V_ip_random_id);
pimhdr = (struct pim_encap_pimhdr *)((caddr_t)ip_outer
+ sizeof(pim_encap_iphdr));
*pimhdr = pim_encap_pimhdr;
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -368,7 +368,7 @@
if ((flags & (IP_FORWARDING|IP_RAWOUTPUT)) == 0) {
ip->ip_v = IPVERSION;
ip->ip_hl = hlen >> 2;
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
} else {
/* Header already set, fetch hlen from there */
hlen = ip->ip_hl << 2;
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -204,6 +204,7 @@
extern u_long (*ip_mcast_src)(int);
VNET_DECLARE(int, rsvp_on);
VNET_DECLARE(int, drop_redirect);
+VNET_DECLARE(int, ip_random_id);
#define V_ip_id VNET(ip_id)
#define V_ip_defttl VNET(ip_defttl)
@@ -216,6 +217,7 @@
#define V_ip_mrouter VNET(ip_mrouter)
#define V_rsvp_on VNET(rsvp_on)
#define V_drop_redirect VNET(drop_redirect)
+#define V_ip_random_id VNET(ip_random_id)
void inp_freemoptions(struct ip_moptions *);
int inp_getmoptions(struct inpcb *, struct sockopt *);
@@ -235,7 +237,7 @@
ip_reass(struct mbuf *);
void ip_savecontrol(struct inpcb *, struct mbuf **, struct ip *,
struct mbuf *);
-void ip_fillid(struct ip *);
+void ip_fillid(struct ip *, bool);
int rip_ctloutput(struct socket *, struct sockopt *);
int ipip_input(struct mbuf **, int *, int);
int rsvp_input(struct mbuf **, int *, int);
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -601,7 +601,7 @@
* but we got this limitation from the beginning of history.
*/
if (ip->ip_id == 0)
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
/*
* XXX prevent ip_output from overwriting header fields.
diff --git a/sys/netinet/sctp_output.c b/sys/netinet/sctp_output.c
--- a/sys/netinet/sctp_output.c
+++ b/sys/netinet/sctp_output.c
@@ -4071,7 +4071,7 @@
ip->ip_off = htons(0);
}
/* FreeBSD has a function for ip_id's */
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
ip->ip_ttl = inp->ip_inp.inp.inp_ip_ttl;
ip->ip_len = htons(packet_length);
@@ -11197,7 +11197,7 @@
ip->ip_hl = (sizeof(struct ip) >> 2);
ip->ip_tos = 0;
ip->ip_off = htons(IP_DF);
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
ip->ip_ttl = MODULE_GLOBAL(ip_defttl);
if (port) {
ip->ip_p = IPPROTO_UDP;
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -260,6 +260,7 @@
#define IPSECCTL_DEBUG 12
#define IPSECCTL_ESP_RANDPAD 13
#define IPSECCTL_MIN_PMTU 14
+#define IPSECCTL_RANDOM_ID 15
#ifdef _KERNEL
#include <sys/counter.h>
@@ -293,6 +294,7 @@
VNET_DECLARE(int, ip4_ipsec_dfbit);
VNET_DECLARE(int, ip4_ipsec_min_pmtu);
VNET_DECLARE(int, ip4_ipsec_ecn);
+VNET_DECLARE(int, ip4_ipsec_random_id);
VNET_DECLARE(int, crypto_support);
VNET_DECLARE(int, async_crypto);
VNET_DECLARE(int, natt_cksum_policy);
@@ -310,6 +312,7 @@
#define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit)
#define V_ip4_ipsec_min_pmtu VNET(ip4_ipsec_min_pmtu)
#define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn)
+#define V_ip4_ipsec_random_id VNET(ip4_ipsec_random_id)
#define V_crypto_support VNET(crypto_support)
#define V_async_crypto VNET(async_crypto)
#define V_natt_cksum_policy VNET(natt_cksum_policy)
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -119,6 +119,7 @@
VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE;
/* ECN ignore(-1)/forbidden(0)/allowed(1) */
VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
+VNET_DEFINE(int, ip4_ipsec_random_id) = 0;
VNET_DEFINE_STATIC(int, ip4_filtertunnel) = 0;
#define V_ip4_filtertunnel VNET(ip4_filtertunnel)
@@ -201,6 +202,9 @@
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, ecn,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_ecn), 0,
"Explicit Congestion Notification handling.");
+SYSCTL_INT(_net_inet_ipsec, IPSECCTL_RANDOM_ID, random_id,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_random_id), 0,
+ "Assign random ip_id values.");
SYSCTL_INT(_net_inet_ipsec, OID_AUTO, crypto_support,
CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(crypto_support), 0,
"Crypto driver selection.");
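Review bot: The description `"Assign random ip_id values."` does not say what the new knob actually governs: on this diff ip4_ipsec_random_id is consulted only when ipsec_output.c builds the IPv4 outer header, and ip_fillid still zeroes the ID first whenever net.inet.ip.rfc6864 is on and DF is set, so the randomization only takes effect for non-DF outer headers or with rfc6864 off. The sysctl string can stay short, but a comment next to the VNET_DEFINE in the preceding hunk would save the next reader the hunt, e.g. `/* Randomize ip_id of the IPv4 outer header built by ipsec_output(); still subject to the rfc6864/DF rule in ip_fillid(). */`. The ipsec.4 text added in this revision could carry the same caveat.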
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -1200,7 +1200,7 @@
ip->ip_src = saidx->src.sin.sin_addr;
ip->ip_dst = saidx->dst.sin.sin_addr;
ip_ecn_ingress(V_ip4_ipsec_ecn, &ip->ip_tos, &itos);
- ip_fillid(ip);
+ ip_fillid(ip, V_ip4_ipsec_random_id);
break;
#endif /* INET */
#ifdef INET6
diff --git a/sys/netpfil/ipfilter/netinet/fil.c b/sys/netpfil/ipfilter/netinet/fil.c
--- a/sys/netpfil/ipfilter/netinet/fil.c
+++ b/sys/netpfil/ipfilter/netinet/fil.c
@@ -5952,7 +5952,7 @@
id = (u_short)sum;
ip->ip_id = htons(id);
} else {
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
id = ntohs(ip->ip_id);
if ((fin->fin_flx & FI_FRAG) != 0)
(void) ipf_frag_ipidnew(fin, (u_32_t)id);
diff --git a/sys/netpfil/ipfilter/netinet/ip_nat.c b/sys/netpfil/ipfilter/netinet/ip_nat.c
--- a/sys/netpfil/ipfilter/netinet/ip_nat.c
+++ b/sys/netpfil/ipfilter/netinet/ip_nat.c
@@ -5117,7 +5117,7 @@
}
ip = MTOD(m, ip_t *);
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
s2 = ntohs(ip->ip_id);
s1 = ip->ip_len;
@@ -5560,7 +5560,7 @@
}
ip = MTOD(m, ip_t *);
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
sum1 = ntohs(ip->ip_len);
ip->ip_len = ntohs(ip->ip_len);
ip->ip_len += fin->fin_plen;
diff --git a/sys/netpfil/ipfw/nat64/nat64_translate.c b/sys/netpfil/ipfw/nat64/nat64_translate.c
--- a/sys/netpfil/ipfw/nat64/nat64_translate.c
+++ b/sys/netpfil/ipfw/nat64/nat64_translate.c
@@ -520,7 +520,7 @@
ip->ip_ttl -= IPV6_HLIMDEC;
ip->ip_sum = 0;
ip->ip_p = (proto == IPPROTO_ICMPV6) ? IPPROTO_ICMP: proto;
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
if (frag != NULL) {
ip->ip_off = htons(ntohs(frag->ip6f_offlg) >> 3);
if (frag->ip6f_offlg & IP6F_MORE_FRAG)
@@ -845,7 +845,7 @@
oip->ip_len = htons(n->m_pkthdr.len);
oip->ip_ttl = V_ip_defttl;
oip->ip_p = IPPROTO_ICMP;
- ip_fillid(oip);
+ ip_fillid(oip, V_ip_random_id);
oip->ip_off = htons(IP_DF);
oip->ip_src = ip->ip_dst;
oip->ip_dst = ip->ip_src;
diff --git a/sys/netpfil/pf/if_pfsync.c b/sys/netpfil/pf/if_pfsync.c
--- a/sys/netpfil/pf/if_pfsync.c
+++ b/sys/netpfil/pf/if_pfsync.c
@@ -1900,7 +1900,7 @@
len -= sizeof(union inet_template) - sizeof(struct ip);
ip->ip_len = htons(len);
- ip_fillid(ip);
+ ip_fillid(ip, V_ip_random_id);
break;
}
#endif
diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -3527,7 +3527,7 @@
ip4->ip_hl = hlen >> 2;
ip4->ip_tos = pd->tos;
ip4->ip_len = htons(hlen + (pd->tot_len - pd->off));
- ip_fillid(ip4);
+ ip_fillid(ip4, V_ip_random_id);
ip4->ip_ttl = pd->ttl;
ip4->ip_p = pd->proto;
ip4->ip_src = pd->nsaddr.v4;
@@ -3630,7 +3630,7 @@
ip4->ip_v = IPVERSION;
ip4->ip_hl = sizeof(*ip4) >> 2;
ip4->ip_len = htons(sizeof(*ip4) + pd2->tot_len - olen);
- ip_fillid(ip4);
+ ip_fillid(ip4, V_ip_random_id);
ip4->ip_off = htons(IP_DF);
ip4->ip_ttl = pd2->ttl;
if (pd2->proto == IPPROTO_ICMPV6)
diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -2254,7 +2254,7 @@
pd->act.flags & PFSTATE_RANDOMID && !(h->ip_off & ~htons(IP_DF))) {
uint16_t ip_id = h->ip_id;
- ip_fillid(h);
+ ip_fillid(h, V_ip_random_id);
h->ip_sum = pf_cksum_fixup(h->ip_sum, ip_id, h->ip_id, 0);
}
#endif
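Review bot: The PFSTATE_RANDOMID path passes `V_ip_random_id` rather than `true`, so this action (presumably pf's random-id scrub option) still randomizes only when the global net.inet.ip.random_id sysctl is enabled; that preserves the old behavior, but now that ip_fillid takes the decision from its caller this is the obvious place to pass `true` if the option is meant to be self-sufficient, provided the random-ID engine is guaranteed initialized first. If keeping the dependency on the global sysctl is intentional, a one-line comment such as `/* Randomization still gated by net.inet.ip.random_id; see ip_fillid(). */` would stop a later reader from "fixing" it. The enclosing function continues outside the hunk.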
