Iain Hibbert
2008-10-12 17:46:30 UTC
Hi,
While converting protocol code to sockopt(9) API, one of the remaining
issues is that the socket options IP_IPSEC_POLICY and IPV6_IPSEC_POLICY
can be set but not got though there is half hearted code to attempt it.
The reason is that the getopt code in netipsec/ipsec.c (duplicated in
netinet6?) expects a "struct sadb_x_policy" to be passed in from userland,
so that it can extract a further argument (direction INWARD or OUTWARD)
but getsockopt() does not provide that and never has; the memory access is
kernel->userland only for getsockopt().
On FreeBSD, the sockopt API can be convinced to read both ways (because
they store the userspace pointer into the sockopt structure**) though they
only have correct code in the IP6 version. Linux has no such option
available in the getopt path.
If I understand correctly, the ipsec code is of external origin to
NetBSD, but it seems that this part of the API needs to be rethought in
general. There are some ways I can think of to move on with this:
- remove that code from the get path entirely
- #if 0 that code in the get path and let it rot
- create extra option names _INWARD and _OUTWARD
- version the _IPSEC_POLICY names and sadb_x_policy structure so
that it contains inward AND outward policy.
- make getsockopt copy in the buffer
Frankly I don't know what is best, none of the options seem very palatable
and I guess this has never come up but I favour pruning.
any thoughts?
iain
** Elad objected to this as being open to 'Time Of Check, Time Of Use' abuse
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
While converting protocol code to sockopt(9) API, one of the remaining
issues is that the socket options IP_IPSEC_POLICY and IPV6_IPSEC_POLICY
can be set but not got though there is half hearted code to attempt it.
The reason is that the getopt code in netipsec/ipsec.c (duplicated in
netinet6?) expects a "struct sadb_x_policy" to be passed in from userland,
so that it can extract a further argument (direction INWARD or OUTWARD)
but getsockopt() does not provide that and never has; the memory access is
kernel->userland only for getsockopt().
On FreeBSD, the sockopt API can be convinced to read both ways (because
they store the userspace pointer into the sockopt structure**) though they
only have correct code in the IP6 version. Linux has no such option
available in the getopt path.
If I understand correctly, the ipsec code is of external origin to
NetBSD, but it seems that this part of the API needs to be rethought in
general. There are some ways I can think of to move on with this:
- remove that code from the get path entirely
- #if 0 that code in the get path and let it rot
- create extra option names _INWARD and _OUTWARD
- version the _IPSEC_POLICY names and sadb_x_policy structure so
that it contains inward AND outward policy.
- make getsockopt copy in the buffer
Frankly I don't know what is best, none of the options seem very palatable
and I guess this has never come up but I favour pruning.
any thoughts?
iain
** Elad objected to this as being open to 'Time Of Check, Time Of Use' abuse
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de