From: dlg
Date: Tue, 15 Aug 2023 09:46:30 +0000 (+0000)
Subject: scrub the mbuf flowid for packets going out a sec interface.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=42aedc3cbba5e3eebebb7a14ceb092ac1aec752f;p=openbsd

scrub the mbuf flowid for packets going out a sec interface.

maybe ipsec should do this for all packets it encapsulates.

tested by hrvoje
---
diff --git a/sys/net/if_sec.c b/sys/net/if_sec.c
index 76e9e309073..4c65efe36f8 100644
--- a/sys/net/if_sec.c
+++ b/sys/net/if_sec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: if_sec.c,v 1.6 2023/08/15 02:31:07 dlg Exp $ */
+/* $OpenBSD: if_sec.c,v 1.7 2023/08/15 09:46:30 dlg Exp $ */
 /*
  * Copyright (c) 2022 The University of Queensland
@@ -72,6 +72,7 @@ struct sec_softc {
 	unsigned int sc_up;
 	struct task sc_send;
+	int sc_txprio;
 	unsigned int sc_unit;
 	SMR_SLIST_ENTRY(sec_softc) sc_entry;
@@ -100,6 +101,7 @@ static void sec_tdb_gc(void *);
 static struct if_clone sec_cloner =
     IF_CLONE_INITIALIZER("sec", sec_clone_create, sec_clone_destroy);
+static unsigned int sec_mix;
 static struct sec_bucket sec_map[256] __aligned(CACHELINESIZE);
 static struct tdb *sec_tdbh[256] __aligned(CACHELINESIZE);
@@ -112,6 +114,7 @@ static struct mutex sec_tdb_gc_mtx =
 void
 secattach(int n)
 {
+	sec_mix = arc4random();
 	if_clone_attach(&sec_cloner);
 }
@@ -350,6 +353,7 @@ sec_send(void *arg)
 	struct tdb *tdb;
 	struct mbuf *m;
 	int error;
+	unsigned int flowid;
 	if (!ISSET(ifp->if_flags, IFF_RUNNING))
 		return;
@@ -358,6 +362,8 @@ sec_send(void *arg)
 	if (tdb == NULL)
 		goto purge;
+	flowid = sc->sc_unit ^ sec_mix;
+
 	NET_LOCK();
 	while ((m = ifq_dequeue(ifq)) != NULL) {
 		CLR(m->m_flags, M_BCAST|M_MCAST);
@@ -372,6 +378,10 @@ sec_send(void *arg)
 		    BPF_DIRECTION_OUT);
 #endif
+		m->m_pkthdr.pf.prio = sc->sc_txprio;
+		SET(m->m_pkthdr.csum_flags, M_FLOWID);
+		m->m_pkthdr.ph_flowid = flowid;
+
 		error = ipsp_process_packet(m, tdb, m->m_pkthdr.ph_family,
 		    /* already tunnelled? */ 0);
 		if (error != 0)
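Review bot: `sc_txprio` is added to `struct sec_softc` and copied into `m->m_pkthdr.pf.prio` in the last `sec_send` hunk, but no hunk in this commit ever assigns it, so the priority every encapsulated packet receives depends on `sec_clone_create` zeroing the softc, which lies outside these hunks; if a configurable transmit priority is intended (as other pseudo-interfaces provide through the `SIOCSTXHPRIO` ioctl) that handling is missing, and if a fixed value is intended a comment on the field would save the next reader from looking for the setter. The assignment is unconditional, so whatever priority the inner packet carried is discarded together with its flowid, which fits the commit's stated purpose but is worth recording at the declaration, e.g. `int sc_txprio; /* stamped on every packet sent through the sec interface; the inner packet's prio is discarded */`. `sec_mix` in the `sec_cloner` hunk would likewise benefit from a one-line comment, e.g. `static unsigned int sec_mix; /* set from arc4random() at attach; presumably so a unit's flowid is not a predictable function of its number */`. `sec_send` starts and ends outside the three hunks that touch it, so how `sc` and `ifq` are obtained is not visible here.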