Bug #8541

pfiles does not properly identify PF_KEY or PF_POLICY

Added by Dan McDonald about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: networking
Start date: 2017-07-26
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

Discovered in-house at Joyent as OS-6254, the pfiles(1) command doesn't report information that a socket is PF_KEY or PF_POLICY. Easily demonstrated by running

pfiles `pgrep iked`
on a machine running IKE.

History

#1

Updated by Dan McDonald about 2 years ago

The fix involves having keysock and spdsock implement the TI_GET{MY,PEER}NAME ioctls. Until spdsock and keysock become direct-sockets consumers, this is how one implements get{sock,peer}name().

#2

Updated by Dan McDonald about 2 years ago

Two ways to test:

1.) (easy way) Do pfiles `pgrep in.iked` on a system running IKE. File descriptor 5(ish) will have little useful information. With this fix, it will have more useful information.

2.) (harder way, but proves PF_POLICY)

a.) truss -Twrite ipsecconf -qF
b.) pfiles `pgrep ipsecconf`

#3

Updated by Electric Monk about 2 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit f8cbe0e7fd4f172d5ed456a8f7425890e1ea20cd

commit  f8cbe0e7fd4f172d5ed456a8f7425890e1ea20cd
Author: Dan McDonald <danmcd@joyent.com>
Date:   2017-08-08T13:01:51.000Z

    8541 pfiles does not properly identify PF_KEY or PF_POLICY
    Reviewed by: Mike Zeller <mike.zeller@joyent.com>
    Reviewed by: Patrick Mooney <patrick.mooney@joyent.com>
    Reviewed by: Yuri Pankov <yuripv@gmx.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
