From: tobhe
Date: Mon, 8 Feb 2021 16:13:58 +0000 (+0000)
Subject: Clean up kernel IPsec flows and security associations on shutdown.
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=cd3f460f019218506b76b9c27bcae6c385ab7665;p=openbsd

Clean up kernel IPsec flows and security associations on shutdown.
Discussed with sthen@ ok patrick@
---
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index 7df23d84bba..26c63f5855c 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.75 2021/01/21 16:46:47 tobhe Exp $ */
+/* $OpenBSD: config.c,v 1.76 2021/02/08 16:13:58 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -531,14 +531,14 @@ config_getreset(struct iked *env, struct imsg *imsg)
  IMSG_SIZE_CHECK(imsg, &mode);
  memcpy(&mode, imsg->data, sizeof(mode));
 
- if (mode == RESET_ALL || mode == RESET_POLICY) {
+ if (mode == RESET_EXIT || mode == RESET_ALL || mode == RESET_POLICY) {
  log_debug("%s: flushing policies", __func__);
  TAILQ_FOREACH_SAFE(pol, &env->sc_policies, pol_entry, poltmp) {
  config_free_policy(env, pol);
  }
  }
 
- if (mode == RESET_ALL || mode == RESET_SA) {
+ if (mode == RESET_EXIT || mode == RESET_ALL || mode == RESET_SA) {
  log_debug("%s: flushing SAs", __func__);
  while ((sa = RB_MIN(iked_sas, &env->sc_sas))) {
  /* for RESET_SA we try send a DELETE */
@@ -552,7 +552,7 @@ config_getreset(struct iked *env, struct imsg *imsg)
  }
  }
 
- if (mode == RESET_ALL || mode == RESET_USER) {
+ if (mode == RESET_EXIT || mode == RESET_ALL || mode == RESET_USER) {
  log_debug("%s: flushing users", __func__);
  while ((usr = RB_MIN(iked_users, &env->sc_users))) {
  RB_REMOVE(iked_users, &env->sc_users, usr);
@@ -560,6 +560,9 @@ config_getreset(struct iked *env, struct imsg *imsg)
  }
  }
 
+ if (mode == RESET_EXIT)
+ proc_compose(&env->sc_ps, PROC_PARENT, IMSG_CTL_EXIT, NULL, 0);
+
  return (0);
 }
 
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index 202879bc58c..b4a13353974 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
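Review bot: Adding RESET_EXIT to the SA-flush condition in the `@@ -531` hunk decides which SAs are torn down on shutdown, but whether the peer is told about it is decided inside the `while` loop, whose body after the `/* for RESET_SA we try send a DELETE */` line lies outside the hunk. If that body keys on `mode == RESET_SA` alone, peers are not notified on exit and keep stale SAs (and keep sending ESP into a tunnel the local side has already removed) until DPD or lifetime expiry. Worth confirming that the RESET_EXIT path also issues the DELETE, and updating the comment accordingly, e.g. `/* for RESET_SA and RESET_EXIT we try to send a DELETE */`. The enclosing config_getreset() starts before the hunk.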
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.c,v 1.52 2020/12/17 20:43:07 tobhe Exp $ */
+/* $OpenBSD: iked.c,v 1.53 2021/02/08 16:13:58 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -43,12 +43,13 @@ void parent_shutdown(struct iked *);
 void parent_sig_handler(int, short, void *);
 int parent_dispatch_ca(int, struct privsep_proc *, struct imsg *);
 int parent_dispatch_control(int, struct privsep_proc *, struct imsg *);
+int parent_dispatch_ikev2(int, struct privsep_proc *, struct imsg *);
 int parent_configure(struct iked *);
 
 static struct privsep_proc procs[] = {
  { "ca", PROC_CERT, parent_dispatch_ca, caproc, IKED_CA },
  { "control", PROC_CONTROL, parent_dispatch_control, control },
- { "ikev2", PROC_IKEV2, NULL, ikev2 }
+ { "ikev2", PROC_IKEV2, parent_dispatch_ikev2, ikev2 }
 };
 
 __dead void
@@ -341,8 +342,10 @@ parent_sig_handler(int sig, short event, void *arg)
  break;
  case SIGTERM:
  case SIGINT:
- die = 1;
- /* FALLTHROUGH */
+ log_info("%s: stopping iked", __func__);
+ config_setreset(ps->ps_env, RESET_EXIT, PROC_IKEV2);
+ config_setreset(ps->ps_env, RESET_ALL, PROC_CERT);
+ break;
  case SIGCHLD:
  do {
  int len;
@@ -445,6 +448,21 @@ parent_dispatch_control(int fd, struct privsep_proc *p, struct imsg *imsg)
  return (0);
 }
 
+int
+parent_dispatch_ikev2(int fd, struct privsep_proc *p, struct imsg *imsg)
+{
+ struct iked *env = p->p_ps->ps_env;
+
+ switch (imsg->hdr.type) {
+ case IMSG_CTL_EXIT:
+ parent_shutdown(env);
+ default:
+ return (-1);
+ }
+
+ return (0);
+}
+
 void
 parent_shutdown(struct iked *env)
 {
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 56970db6894..61dcfcb971d 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.40 2020/09/23 14:25:55 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.41 2021/02/08 16:13:58 tobhe Exp $ */
 
 /*
  * Copyright (c) 2019 Tobias Heider
@@ -100,6 +100,7 @@ enum imsg_type {
  IMSG_CTL_ACTIVE,
  IMSG_CTL_PASSIVE,
  IMSG_CTL_RESET_ID,
+ IMSG_CTL_EXIT,
  IMSG_CTL_SHOW_SA,
  IMSG_CTL_STATIC,
  IMSG_COMPILE,
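Review bot: With `die = 1` dropped in the `@@ -341` hunk, SIGTERM/SIGINT now only queue two resets and `break`, so the parent exits only once PROC_IKEV2 has completed its RESET_EXIT and answered with IMSG_CTL_EXIT; if that child is wedged or has already gone away, the daemon no longer reacts to the signal at all. A fallback is advisable, either a deadline after which parent_shutdown() runs regardless, or having the SIGCHLD path that follows this hunk shut down when the ikev2 child is gone. The RESET_ALL sent to PROC_CERT has no acknowledgement, which is fine only if nothing in that process must finish before exit. The switch in parent_sig_handler() starts before and ends after the hunk.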
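Review bot: In parent_dispatch_ikev2() the `case IMSG_CTL_EXIT:` arm falls into `default:` without a marker, so if parent_shutdown() ever returns (its prototype in this file is plain `void`, not `__dead`) the handled message is reported as unhandled with -1, and the trailing `return (0);` is unreachable. Either make the intent explicit with `parent_shutdown(env);` followed by `/* NOTREACHED */`, or add `break;` so a returning shutdown yields 0. This also gives the ikev2 child the ability to end the whole daemon; since a crash of that child already brings iked down this is not new exposure, but a one-line comment that the parent accepts IMSG_CTL_EXIT only from PROC_IKEV2 (as wired in the procs[] table above) would help later readers.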
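Review bot: IMSG_CTL_EXIT is inserted in the middle of enum imsg_type, which renumbers IMSG_CTL_SHOW_SA, IMSG_CTL_STATIC, IMSG_COMPILE and every value after them. Within a single tree that is harmless, but if the IMSG_CTL_* values are what a separately built control client sends over the control socket, a client compiled against the previous header would now have its requests decoded as a different message type. Appending new values at the end of the enum, or a comment stating that the numbering is not stable across versions, avoids the surprise. The enum starts before and ends after the hunk.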
@@ -135,7 +136,8 @@ enum flushmode {
  RESET_CA,
  RESET_POLICY,
  RESET_SA,
- RESET_USER
+ RESET_USER,
+ RESET_EXIT
 };
 
 #ifndef nitems
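Review bot: RESET_EXIT is the only flushmode with an effect beyond flushing — config_getreset() answers it by sending IMSG_CTL_EXIT to the parent — yet the enum gives no hint of that, so a reader of types.h cannot tell it from RESET_ALL. Suggest `RESET_EXIT /* flush like RESET_ALL, then ask the parent to exit */`. The enum starts before the hunk.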