From 9c33e07143f5fc5de504b592724e392d9cc6f8a4 Mon Sep 17 00:00:00 2001 From: mvs Date: Wed, 21 Aug 2024 07:36:12 +0000 Subject: [PATCH] Unlock ipip_sysctl(). - IPIPCTL_ALLOW - atomically accessed integer; - IPIPCTL_STATS - per-CPU counters; ok bluhm --- sys/netinet/in_proto.c | 4 ++-- sys/netinet/ip_ipip.c | 24 +++++++++++++----------- 2 files changed, 15 insertions(+), 13 deletions(-) diff --git a/sys/netinet/in_proto.c b/sys/netinet/in_proto.c index e4e00015ce9..9aefbd326a0 100644 --- a/sys/netinet/in_proto.c +++ b/sys/netinet/in_proto.c @@ -1,4 +1,4 @@ -/* $OpenBSD: in_proto.c,v 1.110 2024/08/20 07:47:25 mvs Exp $ */ +/* $OpenBSD: in_proto.c,v 1.111 2024/08/21 07:36:12 mvs Exp $ */ /* $NetBSD: in_proto.c,v 1.14 1996/02/18 18:58:32 christos Exp $ */ /* @@ -230,7 +230,7 @@ const struct protosw inetsw[] = { .pr_type = SOCK_RAW, .pr_domain = &inetdomain, .pr_protocol = IPPROTO_IPV4, - .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET, + .pr_flags = PR_ATOMIC|PR_ADDR|PR_MPSOCKET|PR_MPSYSCTL, #if NGIF > 0 .pr_input = in_gif_input, #else diff --git a/sys/netinet/ip_ipip.c b/sys/netinet/ip_ipip.c index fdebd088385..760eb8c9de9 100644 --- a/sys/netinet/ip_ipip.c +++ b/sys/netinet/ip_ipip.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipip.c,v 1.102 2024/05/17 20:44:36 bluhm Exp $ */ +/* $OpenBSD: ip_ipip.c,v 1.103 2024/08/21 07:36:12 mvs Exp $ */ /* * The authors of this code are John Ioannidis (ji@tla.org), * Angelos D. Keromytis (kermit@csd.uch.gr) and @@ -72,6 +72,11 @@ #include #endif +/* + * Locks used to protect data: + * a atomic + */ + #ifdef ENCDEBUG #define DPRINTF(fmt, args...) \ do { \ @@ -87,7 +92,7 @@ * We can control the acceptance of IP4 packets by altering the sysctl * net.inet.ipip.allow value. Zero means drop them, all else is acceptance. */ -int ipip_allow = 0; +int ipip_allow = 0; /* [a] */ struct cpumem *ipipcounters; @@ -106,7 +111,8 @@ ipip_input(struct mbuf **mp, int *offp, int nxt, int af) struct ifnet *ifp; /* If we do not accept IP-in-IP explicitly, drop. */ - if (!ipip_allow && ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) { + if (atomic_load_int(&ipip_allow) == 0 && + ((*mp)->m_flags & (M_AUTH|M_CONF)) == 0) { DPRINTF("dropped due to policy"); ipipstat_inc(ipips_pdrops); m_freemp(mp); @@ -271,7 +277,8 @@ ipip_input_if(struct mbuf **mp, int *offp, int proto, int oaf, } /* Check for local address spoofing. */ - if (!(ifp->if_flags & IFF_LOOPBACK) && ipip_allow != 2) { + if (!(ifp->if_flags & IFF_LOOPBACK) && + atomic_load_int(&ipip_allow) != 2) { struct sockaddr_storage ss; struct rtentry *rt; @@ -584,19 +591,14 @@ int ipip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp, size_t newlen) { - int error; - /* All sysctl names at this level are terminal. */ if (namelen != 1) return (ENOTDIR); switch (name[0]) { case IPIPCTL_ALLOW: - NET_LOCK(); - error = sysctl_int_bounded(oldp, oldlenp, newp, newlen, - &ipip_allow, 0, 2); - NET_UNLOCK(); - return (error); + return (sysctl_int_bounded(oldp, oldlenp, newp, newlen, + &ipip_allow, 0, 2)); case IPIPCTL_STATS: return (ipip_sysctl_ipipstat(oldp, oldlenp, newp)); default: -- 2.20.1