1 /* $NetBSD: ipsec_netbsd.c,v 1.17.12.1 2007/05/24 19:13:11 pavel Exp $ */
2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.17.12.1 2007/05/24 19:13:11 pavel Exp $");
36
37 #include "opt_inet.h"
38 #include "opt_ipsec.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/mbuf.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/kernel.h>
50 #include <sys/sysctl.h>
51
52 #include <net/if.h>
53 #include <net/route.h>
54 #include <net/netisr.h>
55 #include <machine/cpu.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
64
65
66 #include <netipsec/ipsec.h>
67 #include <netipsec/ipsec_var.h>
68 #include <netipsec/key.h>
69 #include <netipsec/keydb.h>
70 #include <netipsec/key_debug.h>
71 #include <netipsec/ah.h>
72 #include <netipsec/ah_var.h>
73 #include <netipsec/esp.h>
74 #include <netipsec/esp_var.h>
75 #include <netipsec/ipip_var.h>
76 #include <netipsec/ipcomp_var.h>
77
78 #ifdef INET6
79 #include <netipsec/ipsec6.h>
80 #include <netinet6/ip6protosw.h>
81 #include <netinet/icmp6.h>
82 #endif
83
84 #include <machine/stdarg.h>
85
86
87
88 #include <netipsec/key.h>
89
90 /* assumes that ip header and ah header are contiguous on mbuf */
91 void *
92 ah4_ctlinput(cmd, sa, v)
93 int cmd;
94 struct sockaddr *sa;
95 void *v;
96 {
97 struct ip *ip = v;
98 struct ah *ah;
99 struct icmp *icp;
100 struct secasvar *sav;
101
102 if (sa->sa_family != AF_INET ||
103 sa->sa_len != sizeof(struct sockaddr_in))
104 return NULL;
105 if ((unsigned)cmd >= PRC_NCMDS)
106 return NULL;
107 #ifndef notyet
108 /* jonathan@NetBSD.org: XXX FIXME */
109 (void) ip; (void) ah; (void) icp; (void) sav;
110 #else
111 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
112 /*
113 * Check to see if we have a valid SA corresponding to
114 * the address in the ICMP message payload.
115 */
116 ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2));
117 if ((sav = key_allocsa(AF_INET,
118 (caddr_t) &ip->ip_src,
119 (caddr_t) &ip->ip_dst,
120 IPPROTO_AH, ah->ah_spi)) == NULL)
121 return NULL;
122 if (sav->state != SADB_SASTATE_MATURE &&
123 sav->state != SADB_SASTATE_DYING) {
124 key_freesav(sav);
125 return NULL;
126 }
127
128 /* XXX Further validation? */
129
130 key_freesav(sav);
131
132 /*
133 * Now that we've validated that we are actually communicating
134 * with the host indicated in the ICMP message, locate the
135 * ICMP header, recalculate the new MTU, and create the
136 * corresponding routing entry.
137 */
138 icp = (struct icmp *)((caddr_t)ip -
139 offsetof(struct icmp, icmp_ip));
140 icmp_mtudisc(icp, ip->ip_dst);
141
142 return NULL;
143 }
144 #endif
145
146 return NULL;
147 }
148
149 /* assumes that ip header and esp header are contiguous on mbuf */
150 void *
151 esp4_ctlinput(cmd, sa, v)
152 int cmd;
153 struct sockaddr *sa;
154 void *v;
155 {
156 struct ip *ip = v;
157 struct esp *esp;
158 struct icmp *icp;
159 struct secasvar *sav;
160
161 if (sa->sa_family != AF_INET ||
162 sa->sa_len != sizeof(struct sockaddr_in))
163 return NULL;
164 if ((unsigned)cmd >= PRC_NCMDS)
165 return NULL;
166 #ifndef notyet
167 /* jonathan@NetBSD.org: XXX FIXME */
168 (void) ip; (void) esp; (void) icp; (void) sav;
169 #else
170 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
171 /*
172 * Check to see if we have a valid SA corresponding to
173 * the address in the ICMP message payload.
174 */
175 esp = (struct esp *)((caddr_t)ip + (ip->ip_hl << 2));
176 if ((sav = key_allocsa(AF_INET,
177 (caddr_t) &ip->ip_src,
178 (caddr_t) &ip->ip_dst,
179 IPPROTO_ESP, esp->esp_spi)) == NULL)
180 return NULL;
181 if (sav->state != SADB_SASTATE_MATURE &&
182 sav->state != SADB_SASTATE_DYING) {
183 key_freesav(sav);
184 return NULL;
185 }
186
187 /* XXX Further validation? */
188
189 key_freesav(sav);
190
191 /*
192 * Now that we've validated that we are actually communicating
193 * with the host indicated in the ICMP message, locate the
194 * ICMP header, recalculate the new MTU, and create the
195 * corresponding routing entry.
196 */
197 icp = (struct icmp *)((caddr_t)ip -
198 offsetof(struct icmp, icmp_ip));
199 icmp_mtudisc(icp, ip->ip_dst);
200
201 return NULL;
202 }
203 #endif
204
205 return NULL;
206 }
207
208 #ifdef INET6
209 void
210 ah6_ctlinput(cmd, sa, d)
211 int cmd;
212 struct sockaddr *sa;
213 void *d;
214 {
215 const struct newah *ahp;
216 struct newah ah;
217 struct secasvar *sav;
218 struct ip6_hdr *ip6;
219 struct mbuf *m;
220 struct ip6ctlparam *ip6cp = NULL;
221 int off;
222
223 if (sa->sa_family != AF_INET6 ||
224 sa->sa_len != sizeof(struct sockaddr_in6))
225 return;
226 if ((unsigned)cmd >= PRC_NCMDS)
227 return;
228
229 /* if the parameter is from icmp6, decode it. */
230 if (d != NULL) {
231 ip6cp = (struct ip6ctlparam *)d;
232 m = ip6cp->ip6c_m;
233 ip6 = ip6cp->ip6c_ip6;
234 off = ip6cp->ip6c_off;
235 } else {
236 m = NULL;
237 ip6 = NULL;
238 off = 0;
239 }
240
241 if (ip6) {
242 /*
243 * XXX: We assume that when ip6 is non NULL,
244 * M and OFF are valid.
245 */
246
247 /* check if we can safely examine src and dst ports */
248 if (m->m_pkthdr.len < off + sizeof(ah))
249 return;
250
251 if (m->m_len < off + sizeof(ah)) {
252 /*
253 * this should be rare case,
254 * so we compromise on this copy...
255 */
256 m_copydata(m, off, sizeof(ah), (caddr_t)&ah);
257 ahp = &ah;
258 } else
259 ahp = (struct newah *)(mtod(m, caddr_t) + off);
260
261 if (cmd == PRC_MSGSIZE) {
262 int valid = 0;
263
264 /*
265 * Check to see if we have a valid SA corresponding
266 * to the address in the ICMP message payload.
267 */
268 sav = KEY_ALLOCSA((union sockaddr_union*)sa,
269 IPPROTO_AH, ahp->ah_spi);
270
271 if (sav) {
272 if (sav->state == SADB_SASTATE_MATURE ||
273 sav->state == SADB_SASTATE_DYING)
274 valid++;
275 KEY_FREESAV(&sav);
276 }
277
278 /* XXX Further validation? */
279
280 /*
281 * Depending on the value of "valid" and routing
282 * table size (mtudisc_{hi,lo}wat), we will:
283 * - recalcurate the new MTU and create the
284 * corresponding routing entry, or
285 * - ignore the MTU change notification.
286 */
287 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
288 }
289
290 /* we normally notify single pcb here */
291 } else {
292 /* we normally notify any pcb here */
293 }
294 }
295
296
297
298 void
299 esp6_ctlinput(cmd, sa, d)
300 int cmd;
301 struct sockaddr *sa;
302 void *d;
303 {
304 const struct newesp *espp;
305 struct newesp esp;
306 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
307 struct secasvar *sav;
308 struct ip6_hdr *ip6;
309 struct mbuf *m;
310 int off;
311 struct sockaddr_in6 *sa6_src, *sa6_dst;
312
313 if (sa->sa_family != AF_INET6 ||
314 sa->sa_len != sizeof(struct sockaddr_in6))
315 return;
316 if ((unsigned)cmd >= PRC_NCMDS)
317 return;
318
319 /* if the parameter is from icmp6, decode it. */
320 if (d != NULL) {
321 ip6cp = (struct ip6ctlparam *)d;
322 m = ip6cp->ip6c_m;
323 ip6 = ip6cp->ip6c_ip6;
324 off = ip6cp->ip6c_off;
325 } else {
326 m = NULL;
327 ip6 = NULL;
328 off = 0;
329 }
330
331 if (ip6) {
332 /*
333 * Notify the error to all possible sockets via pfctlinput2.
334 * Since the upper layer information (such as protocol type,
335 * source and destination ports) is embedded in the encrypted
336 * data and might have been cut, we can't directly call
337 * an upper layer ctlinput function. However, the pcbnotify
338 * function will consider source and destination addresses
339 * as well as the flow info value, and may be able to find
340 * some PCB that should be notified.
341 * Although pfctlinput2 will call esp6_ctlinput(), there is
342 * no possibility of an infinite loop of function calls,
343 * because we don't pass the inner IPv6 header.
344 */
345 bzero(&ip6cp1, sizeof(ip6cp1));
346 ip6cp1.ip6c_src = ip6cp->ip6c_src;
347 pfctlinput2(cmd, sa, (void *)&ip6cp1);
348
349 /*
350 * Then go to special cases that need ESP header information.
351 * XXX: We assume that when ip6 is non NULL,
352 * M and OFF are valid.
353 */
354
355 /* check if we can safely examine src and dst ports */
356 if (m->m_pkthdr.len < off + sizeof(esp))
357 return;
358
359 if (m->m_len < off + sizeof(esp)) {
360 /*
361 * this should be rare case,
362 * so we compromise on this copy...
363 */
364 m_copydata(m, off, sizeof(esp), (caddr_t)&esp);
365 espp = &esp;
366 } else
367 espp = (struct newesp*)(mtod(m, caddr_t) + off);
368
369 if (cmd == PRC_MSGSIZE) {
370 int valid = 0;
371
372 /*
373 * Check to see if we have a valid SA corresponding to
374 * the address in the ICMP message payload.
375 */
376 sa6_src = ip6cp->ip6c_src;
377 sa6_dst = (struct sockaddr_in6 *)sa;
378 #ifdef KAME
379 sav = key_allocsa(AF_INET6,
380 (caddr_t)&sa6_src->sin6_addr,
381 (caddr_t)&sa6_dst->sin6_addr,
382 IPPROTO_ESP, espp->esp_spi);
383 #else
384 /* jonathan@NetBSD.org: XXX FIXME */
385 (void)sa6_src; (void)sa6_dst;
386 sav = KEY_ALLOCSA((union sockaddr_union*)sa,
387 IPPROTO_ESP, espp->esp_spi);
388
389 #endif
390 if (sav) {
391 if (sav->state == SADB_SASTATE_MATURE ||
392 sav->state == SADB_SASTATE_DYING)
393 valid++;
394 KEY_FREESAV(&sav);
395 }
396
397 /* XXX Further validation? */
398
399 /*
400 * Depending on the value of "valid" and routing table
401 * size (mtudisc_{hi,lo}wat), we will:
402 * - recalcurate the new MTU and create the
403 * corresponding routing entry, or
404 * - ignore the MTU change notification.
405 */
406 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
407 }
408 } else {
409 /* we normally notify any pcb here */
410 }
411 }
412 #endif /* INET6 */
413
414 static int
415 sysctl_fast_ipsec(SYSCTLFN_ARGS)
416 {
417 int error, t;
418 struct sysctlnode node;
419
420 node = *rnode;
421 t = *(int*)rnode->sysctl_data;
422 node.sysctl_data = &t;
423 error = sysctl_lookup(SYSCTLFN_CALL(&node));
424 if (error || newp == NULL)
425 return (error);
426
427 switch (rnode->sysctl_num) {
428 case IPSECCTL_DEF_ESP_TRANSLEV:
429 case IPSECCTL_DEF_ESP_NETLEV:
430 case IPSECCTL_DEF_AH_TRANSLEV:
431 case IPSECCTL_DEF_AH_NETLEV:
432 if (t != IPSEC_LEVEL_USE &&
433 t != IPSEC_LEVEL_REQUIRE)
434 return (EINVAL);
435 ipsec_invalpcbcacheall();
436 break;
437 case IPSECCTL_DEF_POLICY:
438 if (t != IPSEC_POLICY_DISCARD &&
439 t != IPSEC_POLICY_NONE)
440 return (EINVAL);
441 ipsec_invalpcbcacheall();
442 break;
443 default:
444 return (EINVAL);
445 }
446
447 *(int*)rnode->sysctl_data = t;
448
449 return (0);
450 }
451
452 #ifdef IPSEC_DEBUG
453 static int
454 sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
455 {
456 int t, error;
457 struct sysctlnode node;
458
459 node = *rnode;
460 t = *(int*)rnode->sysctl_data;
461 node.sysctl_data = &t;
462 error = sysctl_lookup(SYSCTLFN_CALL(&node));
463 if (error || newp == NULL)
464 return (error);
465
466 if (t < 0 || t > 1)
467 return EINVAL;
468
469 if (rnode->sysctl_data == &ipsec_replay)
470 printf("fast_ipsec: Anti-Replay service %s\n",
471 (t == 1) ? "deactivated" : "activated");
472 else if (rnode->sysctl_data == &ipsec_integrity)
473 printf("fast_ipsec: HMAC corruption %s\n",
474 (t == 0) ? "deactivated" : "activated");
475
476 *(int*)rnode->sysctl_data = t;
477
478 return 0;
479 }
480 #endif
481
482 /* XXX will need a different oid at parent */
483 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
484 {
485 const struct sysctlnode *_ipsec;
486 int ipproto_ipsec;
487
488 sysctl_createv(clog, 0, NULL, NULL,
489 CTLFLAG_PERMANENT,
490 CTLTYPE_NODE, "net", NULL,
491 NULL, 0, NULL, 0,
492 CTL_NET, CTL_EOL);
493 sysctl_createv(clog, 0, NULL, NULL,
494 CTLFLAG_PERMANENT,
495 CTLTYPE_NODE, "inet", NULL,
496 NULL, 0, NULL, 0,
497 CTL_NET, PF_INET, CTL_EOL);
498
499 /*
500 * in numerical order:
501 *
502 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
503 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
504 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
505 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
506 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
507 *
508 * this creates separate trees by name, but maintains that the
509 * ipsec name leads to all the old leaves.
510 */
511
512 /* create net.inet.ipip */
513 sysctl_createv(clog, 0, NULL, NULL,
514 CTLFLAG_PERMANENT,
515 CTLTYPE_NODE, "ipip", NULL,
516 NULL, 0, NULL, 0,
517 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
518 sysctl_createv(clog, 0, NULL, NULL,
519 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
520 CTLTYPE_STRUCT, "ipip_stats", NULL,
521 NULL, 0, &ipipstat, sizeof(ipipstat),
522 CTL_NET, PF_INET, IPPROTO_IPIP,
523 CTL_CREATE, CTL_EOL);
524
525 /* create net.inet.esp subtree under IPPROTO_ESP */
526 sysctl_createv(clog, 0, NULL, NULL,
527 CTLFLAG_PERMANENT,
528 CTLTYPE_NODE, "esp", NULL,
529 NULL, 0, NULL, 0,
530 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
531 sysctl_createv(clog, 0, NULL, NULL,
532 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
533 CTLTYPE_INT, "trans_deflev", NULL,
534 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
535 CTL_NET, PF_INET, IPPROTO_ESP,
536 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
537 sysctl_createv(clog, 0, NULL, NULL,
538 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
539 CTLTYPE_INT, "net_deflev", NULL,
540 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
541 CTL_NET, PF_INET, IPPROTO_ESP,
542 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
543 sysctl_createv(clog, 0, NULL, NULL,
544 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
545 CTLTYPE_STRUCT, "esp_stats", NULL,
546 NULL, 0, &espstat, sizeof(espstat),
547 CTL_NET, PF_INET, IPPROTO_ESP,
548 CTL_CREATE, CTL_EOL);
549
550 /* create net.inet.ah subtree under IPPROTO_AH */
551 sysctl_createv(clog, 0, NULL, NULL,
552 CTLFLAG_PERMANENT,
553 CTLTYPE_NODE, "ah", NULL,
554 NULL, 0, NULL, 0,
555 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
556 sysctl_createv(clog, 0, NULL, NULL,
557 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
558 CTLTYPE_INT, "cleartos", NULL,
559 NULL, 0, &/*ip4_*/ah_cleartos, 0,
560 CTL_NET, PF_INET, IPPROTO_AH,
561 IPSECCTL_AH_CLEARTOS, CTL_EOL);
562 sysctl_createv(clog, 0, NULL, NULL,
563 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
564 CTLTYPE_INT, "offsetmask", NULL,
565 NULL, 0, &ip4_ah_offsetmask, 0,
566 CTL_NET, PF_INET, IPPROTO_AH,
567 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
568 sysctl_createv(clog, 0, NULL, NULL,
569 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
570 CTLTYPE_INT, "trans_deflev", NULL,
571 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
572 CTL_NET, PF_INET, IPPROTO_AH,
573 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
574 sysctl_createv(clog, 0, NULL, NULL,
575 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
576 CTLTYPE_INT, "net_deflev", NULL,
577 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
578 CTL_NET, PF_INET, IPPROTO_AH,
579 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
580 sysctl_createv(clog, 0, NULL, NULL,
581 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
582 CTLTYPE_STRUCT, "ah_stats", NULL,
583 NULL, 0, &ahstat, sizeof(ahstat),
584 CTL_NET, PF_INET, IPPROTO_AH,
585 CTL_CREATE, CTL_EOL);
586
587 /* create net.inet.ipcomp */
588 sysctl_createv(clog, 0, NULL, NULL,
589 CTLFLAG_PERMANENT,
590 CTLTYPE_NODE, "ipcomp", NULL,
591 NULL, 0, NULL, 0,
592 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
593 sysctl_createv(clog, 0, NULL, NULL,
594 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
595 CTLTYPE_STRUCT, "ipcomp_stats", NULL,
596 NULL, 0, &ipcompstat, sizeof(ipcompstat),
597 CTL_NET, PF_INET, IPPROTO_IPCOMP,
598 CTL_CREATE, CTL_EOL);
599
600 /* create net.inet.ipsec subtree under dynamic oid */
601 sysctl_createv(clog, 0, NULL, &_ipsec,
602 CTLFLAG_PERMANENT,
603 CTLTYPE_NODE, "ipsec", NULL,
604 NULL, 0, NULL, 0,
605 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
606 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
607
608 sysctl_createv(clog, 0, NULL, NULL,
609 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
610 CTLTYPE_INT, "def_policy", NULL,
611 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
612 CTL_NET, PF_INET, ipproto_ipsec,
613 IPSECCTL_DEF_POLICY, CTL_EOL);
614 sysctl_createv(clog, 0, NULL, NULL,
615 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
616 CTLTYPE_INT, "esp_trans_deflev", NULL,
617 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
618 CTL_NET, PF_INET, ipproto_ipsec,
619 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
620 sysctl_createv(clog, 0, NULL, NULL,
621 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
622 CTLTYPE_INT, "esp_net_deflev", NULL,
623 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
624 CTL_NET, PF_INET, ipproto_ipsec,
625 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
626 sysctl_createv(clog, 0, NULL, NULL,
627 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
628 CTLTYPE_INT, "ah_trans_deflev", NULL,
629 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
630 CTL_NET, PF_INET, ipproto_ipsec,
631 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
632 sysctl_createv(clog, 0, NULL, NULL,
633 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
634 CTLTYPE_INT, "ah_net_deflev", NULL,
635 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
636 CTL_NET, PF_INET, ipproto_ipsec,
637 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
638 sysctl_createv(clog, 0, NULL, NULL,
639 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
640 CTLTYPE_INT, "ah_cleartos", NULL,
641 NULL, 0, &/*ip4_*/ah_cleartos, 0,
642 CTL_NET, PF_INET, ipproto_ipsec,
643 IPSECCTL_AH_CLEARTOS, CTL_EOL);
644 sysctl_createv(clog, 0, NULL, NULL,
645 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
646 CTLTYPE_INT, "ah_offsetmask", NULL,
647 NULL, 0, &ip4_ah_offsetmask, 0,
648 CTL_NET, PF_INET, ipproto_ipsec,
649 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
650 sysctl_createv(clog, 0, NULL, NULL,
651 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
652 CTLTYPE_INT, "dfbit", NULL,
653 NULL, 0, &ip4_ipsec_dfbit, 0,
654 CTL_NET, PF_INET, ipproto_ipsec,
655 IPSECCTL_DFBIT, CTL_EOL);
656 sysctl_createv(clog, 0, NULL, NULL,
657 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
658 CTLTYPE_INT, "ecn", NULL,
659 NULL, 0, &ip4_ipsec_ecn, 0,
660 CTL_NET, PF_INET, ipproto_ipsec,
661 IPSECCTL_ECN, CTL_EOL);
662 sysctl_createv(clog, 0, NULL, NULL,
663 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
664 CTLTYPE_INT, "debug", NULL,
665 NULL, 0, &ipsec_debug, 0,
666 CTL_NET, PF_INET, ipproto_ipsec,
667 IPSECCTL_DEBUG, CTL_EOL);
668 sysctl_createv(clog, 0, NULL, NULL,
669 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
670 CTLTYPE_STRUCT, "ipsecstats", NULL,
671 NULL, 0, &ipsecstat, sizeof(ipsecstat),
672 CTL_NET, PF_INET, ipproto_ipsec,
673 CTL_CREATE, CTL_EOL);
674 #ifdef IPSEC_DEBUG
675 sysctl_createv(clog, 0, NULL, NULL,
676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
677 CTLTYPE_INT, "test_replay",
678 SYSCTL_DESCR("Emulate replay attack"),
679 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
680 CTL_NET, PF_INET, ipproto_ipsec,
681 CTL_CREATE, CTL_EOL);
682 sysctl_createv(clog, 0, NULL, NULL,
683 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
684 CTLTYPE_INT, "test_integrity",
685 SYSCTL_DESCR("Emulate man-in-the-middle attack"),
686 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
687 CTL_NET, PF_INET, ipproto_ipsec,
688 CTL_CREATE, CTL_EOL);
689 #endif
690 }
691
692 #ifdef INET6
693 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup,
694 "sysctl net.inet6.ipsec6 subtree setup")
695 {
696
697 sysctl_createv(clog, 0, NULL, NULL,
698 CTLFLAG_PERMANENT,
699 CTLTYPE_NODE, "net", NULL,
700 NULL, 0, NULL, 0,
701 CTL_NET, CTL_EOL);
702 sysctl_createv(clog, 0, NULL, NULL,
703 CTLFLAG_PERMANENT,
704 CTLTYPE_NODE, "inet6", NULL,
705 NULL, 0, NULL, 0,
706 CTL_NET, PF_INET6, CTL_EOL);
707 sysctl_createv(clog, 0, NULL, NULL,
708 CTLFLAG_PERMANENT,
709 CTLTYPE_NODE, "ipsec6",
710 SYSCTL_DESCR("IPv6 related IPSec settings"),
711 NULL, 0, NULL, 0,
712 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
713
714 sysctl_createv(clog, 0, NULL, NULL,
715 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
716 CTLTYPE_STRUCT, "stats",
717 SYSCTL_DESCR("IPSec statistics and counters"),
718 NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
719 CTL_NET, PF_INET6, IPPROTO_AH,
720 IPSECCTL_STATS, CTL_EOL);
721 sysctl_createv(clog, 0, NULL, NULL,
722 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
723 CTLTYPE_INT, "def_policy",
724 SYSCTL_DESCR("Default action for non-IPSec packets"),
725 sysctl_fast_ipsec, 0, &ip6_def_policy, 0,
726 CTL_NET, PF_INET6, IPPROTO_AH,
727 IPSECCTL_DEF_POLICY, CTL_EOL);
728 sysctl_createv(clog, 0, NULL, NULL,
729 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
730 CTLTYPE_INT, "esp_trans_deflev",
731 SYSCTL_DESCR("Default required security level for "
732 "transport mode traffic"),
733 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0,
734 CTL_NET, PF_INET6, IPPROTO_AH,
735 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
736 sysctl_createv(clog, 0, NULL, NULL,
737 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
738 CTLTYPE_INT, "esp_net_deflev",
739 SYSCTL_DESCR("Default required security level for "
740 "tunneled traffic"),
741 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0,
742 CTL_NET, PF_INET6, IPPROTO_AH,
743 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
744 sysctl_createv(clog, 0, NULL, NULL,
745 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
746 CTLTYPE_INT, "ah_trans_deflev",
747 SYSCTL_DESCR("Default required security level for "
748 "transport mode headers"),
749 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0,
750 CTL_NET, PF_INET6, IPPROTO_AH,
751 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
752 sysctl_createv(clog, 0, NULL, NULL,
753 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
754 CTLTYPE_INT, "ah_net_deflev",
755 SYSCTL_DESCR("Default required security level for "
756 "tunneled headers"),
757 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0,
758 CTL_NET, PF_INET6, IPPROTO_AH,
759 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
760 sysctl_createv(clog, 0, NULL, NULL,
761 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
762 CTLTYPE_INT, "ecn",
763 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
764 NULL, 0, &ip6_ipsec_ecn, 0,
765 CTL_NET, PF_INET6, IPPROTO_AH,
766 IPSECCTL_ECN, CTL_EOL);
767 sysctl_createv(clog, 0, NULL, NULL,
768 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
769 CTLTYPE_INT, "debug",
770 SYSCTL_DESCR("Enable IPSec debugging output"),
771 NULL, 0, &ipsec_debug, 0,
772 CTL_NET, PF_INET6, IPPROTO_AH,
773 IPSECCTL_DEBUG, CTL_EOL);
774
775 /*
776 * "aliases" for the ipsec6 subtree
777 */
778 sysctl_createv(clog, 0, NULL, NULL,
779 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
780 CTLTYPE_NODE, "esp6", NULL,
781 NULL, IPPROTO_AH, NULL, 0,
782 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
783 sysctl_createv(clog, 0, NULL, NULL,
784 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
785 CTLTYPE_NODE, "ipcomp6", NULL,
786 NULL, IPPROTO_AH, NULL, 0,
787 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
788 sysctl_createv(clog, 0, NULL, NULL,
789 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
790 CTLTYPE_NODE, "ah6", NULL,
791 NULL, IPPROTO_AH, NULL, 0,
792 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
793 }
794 #endif /* INET6 */
Cache object: fe038b3ea2fc792e12082821b992b997
|