The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netipsec/ipsec_netbsd.c

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*      $NetBSD: ipsec_netbsd.c,v 1.32 2008/05/04 07:22:15 thorpej Exp $        */
    2 /*      $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $      */
    3 /*      $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $       */
    4 
    5 /*
    6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7  * All rights reserved.
    8  *
    9  * Redistribution and use in source and binary forms, with or without
   10  * modification, are permitted provided that the following conditions
   11  * are met:
   12  * 1. Redistributions of source code must retain the above copyright
   13  *    notice, this list of conditions and the following disclaimer.
   14  * 2. Redistributions in binary form must reproduce the above copyright
   15  *    notice, this list of conditions and the following disclaimer in the
   16  *    documentation and/or other materials provided with the distribution.
   17  * 3. Neither the name of the project nor the names of its contributors
   18  *    may be used to endorse or promote products derived from this software
   19  *    without specific prior written permission.
   20  *
   21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31  * SUCH DAMAGE.
   32  */
   33 
   34 #include <sys/cdefs.h>
   35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.32 2008/05/04 07:22:15 thorpej Exp $");
   36 
   37 #include "opt_inet.h"
   38 #include "opt_ipsec.h"
   39 
   40 #include <sys/param.h>
   41 #include <sys/systm.h>
   42 #include <sys/malloc.h>
   43 #include <sys/mbuf.h>
   44 #include <sys/domain.h>
   45 #include <sys/protosw.h>
   46 #include <sys/socket.h>
   47 #include <sys/errno.h>
   48 #include <sys/time.h>
   49 #include <sys/kernel.h>
   50 #include <sys/sysctl.h>
   51 
   52 #include <net/if.h>
   53 #include <net/route.h>
   54 #include <net/netisr.h>
   55 #include <sys/cpu.h>
   56 
   57 #include <netinet/in.h>
   58 #include <netinet/in_systm.h>
   59 #include <netinet/in_var.h>
   60 #include <netinet/ip.h>
   61 #include <netinet/ip_var.h>
   62 #include <netinet/ip_ecn.h>
   63 #include <netinet/ip_icmp.h>
   64 
   65 
   66 #include <netipsec/ipsec.h>
   67 #include <netipsec/ipsec_var.h>
   68 #include <netipsec/ipsec_private.h>
   69 #include <netipsec/key.h>
   70 #include <netipsec/keydb.h>
   71 #include <netipsec/key_debug.h>
   72 #include <netipsec/ah.h>
   73 #include <netipsec/ah_var.h>
   74 #include <netipsec/esp.h>
   75 #include <netipsec/esp_var.h>
   76 #include <netipsec/ipip_var.h>
   77 #include <netipsec/ipcomp_var.h>
   78 
   79 #ifdef INET6
   80 #include <netipsec/ipsec6.h>
   81 #include <netinet6/ip6protosw.h>
   82 #include <netinet/icmp6.h>
   83 #endif
   84 
   85 #include <machine/stdarg.h>
   86 
   87 
   88 
   89 #include <netipsec/key.h>
   90 
   91 /* assumes that ip header and ah header are contiguous on mbuf */
   92 void*
   93 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
   94 {
   95         struct ip *ip = v;
   96         struct ah *ah;
   97         struct icmp *icp;
   98         struct secasvar *sav;
   99 
  100         if (sa->sa_family != AF_INET ||
  101                 sa->sa_len != sizeof(struct sockaddr_in))
  102                 return NULL; 
  103         if ((unsigned)cmd >= PRC_NCMDS)
  104                 return NULL;
  105 
  106         if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
  107                 /*
  108                  * Check to see if we have a valid SA corresponding to
  109                  * the address in the ICMP message payload.
  110                  */
  111                 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
  112                 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
  113                                                 IPPROTO_AH, ah->ah_spi, 0, 0);
  114 
  115                 if (sav) {
  116                 if (sav->state == SADB_SASTATE_MATURE ||
  117                 sav->state == SADB_SASTATE_DYING) {
  118 
  119                                 /*
  120                                  * Now that we've validated that we are actually 
  121                                  * communicating with the host indicated in the         
  122                                  * ICMP message, locate the ICMP header, 
  123                                  * recalculate the new MTU, and create the
  124                                  * corresponding routing entry.
  125                                  */
  126                                 icp = (struct icmp *)((char *)ip - 
  127                                                                           offsetof(struct icmp, icmp_ip));
  128                                 icmp_mtudisc(icp, ip->ip_dst);
  129 
  130                         }
  131                         KEY_FREESAV(&sav);
  132                 }
  133         }
  134         return NULL;
  135 }
  136 
  137 
  138 
  139 /* assumes that ip header and esp header are contiguous on mbuf */
  140 void*
  141 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
  142 {
  143         struct ip *ip = v;
  144         struct esp *esp;
  145         struct icmp *icp;
  146         struct secasvar *sav;
  147 
  148         if (sa->sa_family != AF_INET ||
  149             sa->sa_len != sizeof(struct sockaddr_in))
  150                 return NULL;
  151         if ((unsigned)cmd >= PRC_NCMDS)
  152                 return NULL;
  153 
  154         if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
  155                 /*
  156                  * Check to see if we have a valid SA corresponding to
  157                  * the address in the ICMP message payload.
  158                  */
  159                 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
  160                 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
  161                                                 IPPROTO_ESP, esp->esp_spi, 0, 0);
  162 
  163                 if (sav) {
  164                 if (sav->state == SADB_SASTATE_MATURE ||
  165                 sav->state == SADB_SASTATE_DYING) {
  166 
  167                                 /*
  168                                  * Now that we've validated that we are actually 
  169                                  * communicating with the host indicated in the         
  170                                  * ICMP message, locate the ICMP header, 
  171                                  * recalculate the new MTU, and create the
  172                                  * corresponding routing entry.
  173                                  */
  174 
  175                                 icp = (struct icmp *)((char *)ip - 
  176                                                                            offsetof(struct icmp, icmp_ip));
  177                                 icmp_mtudisc(icp, ip->ip_dst);
  178 
  179                         }
  180                         KEY_FREESAV(&sav);
  181                 }
  182         }
  183         return NULL;
  184 }
  185 
  186 #ifdef INET6
  187 void *
  188 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
  189 {
  190        const struct newah *ahp;
  191        struct newah ah;
  192        struct secasvar *sav;
  193        struct ip6_hdr *ip6;
  194        struct mbuf *m;
  195        struct ip6ctlparam *ip6cp = NULL;
  196        int off;
  197 
  198        if (sa->sa_family != AF_INET6 ||
  199            sa->sa_len != sizeof(struct sockaddr_in6))
  200                return NULL;
  201        if ((unsigned)cmd >= PRC_NCMDS)
  202                return NULL;
  203 
  204        /* if the parameter is from icmp6, decode it. */
  205        if (d != NULL) {
  206                ip6cp = (struct ip6ctlparam *)d;
  207                m = ip6cp->ip6c_m;
  208                ip6 = ip6cp->ip6c_ip6;
  209                off = ip6cp->ip6c_off;
  210        } else {
  211                m = NULL;
  212                ip6 = NULL;
  213                off = 0;
  214        }
  215 
  216        if (ip6) {
  217                /*
  218                 * XXX: We assume that when ip6 is non NULL,
  219                 * M and OFF are valid.
  220                 */
  221 
  222                /* check if we can safely examine src and dst ports */
  223                if (m->m_pkthdr.len < off + sizeof(ah))
  224                        return NULL;
  225 
  226                if (m->m_len < off + sizeof(ah)) {
  227                        /*
  228                         * this should be rare case,
  229                         * so we compromise on this copy...
  230                         */
  231                        m_copydata(m, off, sizeof(ah), &ah);
  232                        ahp = &ah;
  233                } else
  234                        ahp = (struct newah *)(mtod(m, char *) + off);
  235 
  236                if (cmd == PRC_MSGSIZE) {
  237                        int valid = 0;
  238 
  239                        /*
  240                         * Check to see if we have a valid SA corresponding
  241                         * to the address in the ICMP message payload.
  242                         */
  243                        sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
  244                                          IPPROTO_AH, ahp->ah_spi, 0, 0);
  245 
  246                        if (sav) {
  247                                if (sav->state == SADB_SASTATE_MATURE ||
  248                                    sav->state == SADB_SASTATE_DYING)
  249                                        valid++;
  250                                KEY_FREESAV(&sav);
  251                        }
  252 
  253                        /* XXX Further validation? */
  254 
  255                        /*
  256                         * Depending on the value of "valid" and routing 
  257                         * table size (mtudisc_{hi,lo}wat), we will:
  258                         * - recalcurate the new MTU and create the
  259                         *   corresponding routing entry, or
  260                         * - ignore the MTU change notification.
  261                         */
  262                        icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
  263                }
  264 
  265                /* we normally notify single pcb here */
  266        } else {
  267                /* we normally notify any pcb here */
  268        }
  269            return NULL;
  270 }
  271 
  272 
  273 
  274 void *
  275 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
  276 {
  277         const struct newesp *espp;
  278         struct newesp esp;
  279         struct ip6ctlparam *ip6cp = NULL, ip6cp1;
  280         struct secasvar *sav;
  281         struct ip6_hdr *ip6;
  282         struct mbuf *m;
  283         int off;
  284 
  285         if (sa->sa_family != AF_INET6 ||
  286             sa->sa_len != sizeof(struct sockaddr_in6))
  287                 return NULL;
  288         if ((unsigned)cmd >= PRC_NCMDS)
  289                 return NULL;
  290 
  291         /* if the parameter is from icmp6, decode it. */
  292         if (d != NULL) {
  293                 ip6cp = (struct ip6ctlparam *)d;
  294                 m = ip6cp->ip6c_m;
  295                 ip6 = ip6cp->ip6c_ip6;
  296                 off = ip6cp->ip6c_off;
  297         } else {
  298                 m = NULL;
  299                 ip6 = NULL;
  300                 off = 0;
  301         }
  302 
  303         if (ip6) {
  304                 /*
  305                  * Notify the error to all possible sockets via pfctlinput2.
  306                  * Since the upper layer information (such as protocol type,
  307                  * source and destination ports) is embedded in the encrypted
  308                  * data and might have been cut, we can't directly call
  309                  * an upper layer ctlinput function. However, the pcbnotify
  310                  * function will consider source and destination addresses
  311                  * as well as the flow info value, and may be able to find
  312                  * some PCB that should be notified.
  313                  * Although pfctlinput2 will call esp6_ctlinput(), there is
  314                  * no possibility of an infinite loop of function calls,
  315                  * because we don't pass the inner IPv6 header.
  316                  */
  317                 memset(&ip6cp1, 0, sizeof(ip6cp1));
  318                 ip6cp1.ip6c_src = ip6cp->ip6c_src;
  319                 pfctlinput2(cmd, sa, &ip6cp1);
  320 
  321                 /*
  322                  * Then go to special cases that need ESP header information.
  323                  * XXX: We assume that when ip6 is non NULL,
  324                  * M and OFF are valid.
  325                  */
  326 
  327                 /* check if we can safely examine src and dst ports */
  328                 if (m->m_pkthdr.len < off + sizeof(esp))
  329                         return NULL;
  330 
  331                 if (m->m_len < off + sizeof(esp)) {
  332                         /*
  333                          * this should be rare case,
  334                          * so we compromise on this copy...
  335                          */
  336                         m_copydata(m, off, sizeof(esp), &esp);
  337                         espp = &esp;
  338                 } else
  339                         espp = (struct newesp*)(mtod(m, char *) + off);
  340 
  341                 if (cmd == PRC_MSGSIZE) {
  342                         int valid = 0;
  343 
  344                         /*
  345                          * Check to see if we have a valid SA corresponding to
  346                          * the address in the ICMP message payload.
  347                          */
  348 
  349                         sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
  350                                           IPPROTO_ESP, espp->esp_spi, 0, 0);
  351 
  352                         if (sav) {
  353                                 if (sav->state == SADB_SASTATE_MATURE ||
  354                                     sav->state == SADB_SASTATE_DYING)
  355                                         valid++;
  356                                 KEY_FREESAV(&sav);
  357                         }
  358 
  359                         /* XXX Further validation? */
  360 
  361                         /*
  362                          * Depending on the value of "valid" and routing table
  363                          * size (mtudisc_{hi,lo}wat), we will:
  364                          * - recalcurate the new MTU and create the
  365                          *   corresponding routing entry, or
  366                          * - ignore the MTU change notification.
  367                          */
  368                         icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
  369                 }
  370         } else {
  371                 /* we normally notify any pcb here */
  372         }
  373         return NULL;
  374 }
  375 #endif /* INET6 */
  376 
  377 static int
  378 sysctl_fast_ipsec(SYSCTLFN_ARGS)
  379 {
  380         int error, t;
  381         struct sysctlnode node;
  382 
  383         node = *rnode;
  384         t = *(int*)rnode->sysctl_data;
  385         node.sysctl_data = &t;
  386         error = sysctl_lookup(SYSCTLFN_CALL(&node));
  387         if (error || newp == NULL)
  388                 return (error);
  389 
  390         switch (rnode->sysctl_num) {
  391         case IPSECCTL_DEF_ESP_TRANSLEV:
  392         case IPSECCTL_DEF_ESP_NETLEV:
  393         case IPSECCTL_DEF_AH_TRANSLEV:
  394         case IPSECCTL_DEF_AH_NETLEV:
  395                 if (t != IPSEC_LEVEL_USE &&
  396                     t != IPSEC_LEVEL_REQUIRE)
  397                         return (EINVAL);
  398                 ipsec_invalpcbcacheall();
  399                 break;
  400         case IPSECCTL_DEF_POLICY:
  401                 if (t != IPSEC_POLICY_DISCARD &&
  402                     t != IPSEC_POLICY_NONE)
  403                         return (EINVAL);
  404                 ipsec_invalpcbcacheall();
  405                 break;
  406         default:
  407                 return (EINVAL);
  408         }
  409 
  410         *(int*)rnode->sysctl_data = t;
  411 
  412         return (0);
  413 }
  414 
  415 #ifdef IPSEC_DEBUG
  416 static int
  417 sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
  418 {
  419         int t, error;
  420         struct sysctlnode node;
  421 
  422         node = *rnode; 
  423         t = *(int*)rnode->sysctl_data;
  424         node.sysctl_data = &t;
  425         error = sysctl_lookup(SYSCTLFN_CALL(&node));
  426         if (error || newp == NULL)
  427                 return (error);
  428 
  429         if (t < 0 || t > 1)
  430                 return EINVAL;
  431 
  432         if (rnode->sysctl_data == &ipsec_replay)
  433                 printf("fast_ipsec: Anti-Replay service %s\n",
  434                     (t == 1) ? "deactivated" : "activated");
  435         else if (rnode->sysctl_data == &ipsec_integrity)
  436                  printf("fast_ipsec: HMAC corruption %s\n",
  437                      (t == 0) ? "deactivated" : "activated");
  438 
  439         *(int*)rnode->sysctl_data = t;
  440 
  441         return 0;
  442 }
  443 #endif
  444 
  445 static int
  446 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS)
  447 {
  448 
  449         return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
  450 }
  451 
  452 static int
  453 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
  454 {
  455 
  456         return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
  457 }
  458 
  459 static int
  460 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
  461 {
  462 
  463         return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
  464 }
  465 
  466 static int
  467 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
  468 {
  469 
  470         return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
  471 }
  472 
  473 static int
  474 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
  475 {
  476 
  477         return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
  478 }
  479 
  480 /* XXX will need a different oid at parent */
  481 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
  482 {
  483         const struct sysctlnode *_ipsec;
  484         int ipproto_ipsec;
  485 
  486         sysctl_createv(clog, 0, NULL, NULL,
  487                        CTLFLAG_PERMANENT,
  488                        CTLTYPE_NODE, "net", NULL,
  489                        NULL, 0, NULL, 0,
  490                        CTL_NET, CTL_EOL);
  491         sysctl_createv(clog, 0, NULL, NULL,
  492                        CTLFLAG_PERMANENT,
  493                        CTLTYPE_NODE, "inet", NULL,
  494                        NULL, 0, NULL, 0,
  495                        CTL_NET, PF_INET, CTL_EOL);
  496 
  497         /*
  498          * in numerical order:
  499          *
  500          * net.inet.ipip:       CTL_NET.PF_INET.IPPROTO_IPIP
  501          * net.inet.esp:        CTL_NET.PF_INET.IPPROTO_ESP
  502          * net.inet.ah:         CTL_NET.PF_INET.IPPROTO_AH
  503          * net.inet.ipcomp:     CTL_NET.PF_INET.IPPROTO_IPCOMP
  504          * net.inet.ipsec:      CTL_NET.PF_INET.CTL_CREATE
  505          *
  506          * this creates separate trees by name, but maintains that the
  507          * ipsec name leads to all the old leaves.
  508          */
  509 
  510         /* create net.inet.ipip */
  511         sysctl_createv(clog, 0, NULL, NULL,
  512                        CTLFLAG_PERMANENT,
  513                        CTLTYPE_NODE, "ipip", NULL,
  514                        NULL, 0, NULL, 0,
  515                        CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
  516         sysctl_createv(clog, 0, NULL, NULL,
  517                        CTLFLAG_PERMANENT|CTLFLAG_READONLY,
  518                        CTLTYPE_STRUCT, "ipip_stats", NULL,
  519                        sysctl_net_inet_ipip_stats, 0, NULL, 0,
  520                        CTL_NET, PF_INET, IPPROTO_IPIP,
  521                        CTL_CREATE, CTL_EOL);
  522 
  523         /* create net.inet.esp subtree under IPPROTO_ESP */
  524         sysctl_createv(clog, 0, NULL, NULL,
  525                        CTLFLAG_PERMANENT,
  526                        CTLTYPE_NODE, "esp", NULL,
  527                        NULL, 0, NULL, 0,
  528                        CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
  529         sysctl_createv(clog, 0, NULL, NULL,
  530                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  531                        CTLTYPE_INT, "trans_deflev", NULL,
  532                        sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
  533                        CTL_NET, PF_INET, IPPROTO_ESP,
  534                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
  535         sysctl_createv(clog, 0, NULL, NULL,
  536                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  537                        CTLTYPE_INT, "net_deflev", NULL,
  538                        sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
  539                        CTL_NET, PF_INET, IPPROTO_ESP,
  540                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
  541         sysctl_createv(clog, 0, NULL, NULL,
  542                        CTLFLAG_PERMANENT|CTLFLAG_READONLY,
  543                        CTLTYPE_STRUCT, "esp_stats", NULL,
  544                        sysctl_net_inet_esp_stats, 0, NULL, 0,
  545                        CTL_NET, PF_INET, IPPROTO_ESP,
  546                        CTL_CREATE, CTL_EOL);
  547 
  548         /* create net.inet.ah subtree under IPPROTO_AH */
  549         sysctl_createv(clog, 0, NULL, NULL,
  550                        CTLFLAG_PERMANENT,
  551                        CTLTYPE_NODE, "ah", NULL,
  552                        NULL, 0, NULL, 0,
  553                        CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
  554         sysctl_createv(clog, 0, NULL, NULL,
  555                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  556                        CTLTYPE_INT, "cleartos", NULL,
  557                        NULL, 0, &ip4_ah_cleartos, 0,
  558                        CTL_NET, PF_INET, IPPROTO_AH,
  559                        IPSECCTL_AH_CLEARTOS, CTL_EOL);
  560         sysctl_createv(clog, 0, NULL, NULL,
  561                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  562                        CTLTYPE_INT, "offsetmask", NULL,
  563                        NULL, 0, &ip4_ah_offsetmask, 0,
  564                        CTL_NET, PF_INET, IPPROTO_AH,
  565                        IPSECCTL_AH_OFFSETMASK, CTL_EOL);
  566         sysctl_createv(clog, 0, NULL, NULL,
  567                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  568                        CTLTYPE_INT, "trans_deflev", NULL,
  569                        sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
  570                        CTL_NET, PF_INET, IPPROTO_AH,
  571                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
  572         sysctl_createv(clog, 0, NULL, NULL,
  573                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  574                        CTLTYPE_INT, "net_deflev", NULL,
  575                        sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
  576                        CTL_NET, PF_INET, IPPROTO_AH,
  577                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
  578         sysctl_createv(clog, 0, NULL, NULL,
  579                        CTLFLAG_PERMANENT|CTLFLAG_READONLY,
  580                        CTLTYPE_STRUCT, "ah_stats", NULL,
  581                        sysctl_net_inet_ah_stats, 0, NULL, 0,
  582                        CTL_NET, PF_INET, IPPROTO_AH,
  583                        CTL_CREATE, CTL_EOL);
  584 
  585         /* create net.inet.ipcomp */
  586         sysctl_createv(clog, 0, NULL, NULL,
  587                        CTLFLAG_PERMANENT,
  588                        CTLTYPE_NODE, "ipcomp", NULL,
  589                        NULL, 0, NULL, 0,
  590                        CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
  591         sysctl_createv(clog, 0, NULL, NULL,
  592                        CTLFLAG_PERMANENT|CTLFLAG_READONLY,
  593                        CTLTYPE_STRUCT, "ipcomp_stats", NULL,
  594                        sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
  595                        CTL_NET, PF_INET, IPPROTO_IPCOMP,
  596                        CTL_CREATE, CTL_EOL);
  597 
  598         /* create net.inet.ipsec subtree under dynamic oid */
  599         sysctl_createv(clog, 0, NULL, &_ipsec,
  600                        CTLFLAG_PERMANENT,
  601                        CTLTYPE_NODE, "ipsec", NULL,
  602                        NULL, 0, NULL, 0,
  603                        CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
  604         ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
  605 
  606         sysctl_createv(clog, 0, NULL, NULL,
  607                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  608                        CTLTYPE_INT, "def_policy", NULL,
  609                        sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
  610                        CTL_NET, PF_INET, ipproto_ipsec,
  611                        IPSECCTL_DEF_POLICY, CTL_EOL);
  612         sysctl_createv(clog, 0, NULL, NULL,
  613                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  614                        CTLTYPE_INT, "esp_trans_deflev", NULL,
  615                        sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
  616                        CTL_NET, PF_INET, ipproto_ipsec,
  617                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
  618         sysctl_createv(clog, 0, NULL, NULL,
  619                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  620                        CTLTYPE_INT, "esp_net_deflev", NULL,
  621                        sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
  622                        CTL_NET, PF_INET, ipproto_ipsec,
  623                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
  624         sysctl_createv(clog, 0, NULL, NULL,
  625                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  626                        CTLTYPE_INT, "ah_trans_deflev", NULL,
  627                        sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
  628                        CTL_NET, PF_INET, ipproto_ipsec,
  629                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
  630         sysctl_createv(clog, 0, NULL, NULL,
  631                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  632                        CTLTYPE_INT, "ah_net_deflev", NULL,
  633                        sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
  634                        CTL_NET, PF_INET, ipproto_ipsec,
  635                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
  636         sysctl_createv(clog, 0, NULL, NULL,
  637                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  638                        CTLTYPE_INT, "ah_cleartos", NULL,
  639                        NULL, 0, &ip4_ah_cleartos, 0,
  640                        CTL_NET, PF_INET, ipproto_ipsec,
  641                        IPSECCTL_AH_CLEARTOS, CTL_EOL);
  642         sysctl_createv(clog, 0, NULL, NULL,
  643                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  644                        CTLTYPE_INT, "ah_offsetmask", NULL,
  645                        NULL, 0, &ip4_ah_offsetmask, 0,
  646                        CTL_NET, PF_INET, ipproto_ipsec,
  647                        IPSECCTL_AH_OFFSETMASK, CTL_EOL);
  648         sysctl_createv(clog, 0, NULL, NULL,
  649                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  650                        CTLTYPE_INT, "dfbit", NULL,
  651                        NULL, 0, &ip4_ipsec_dfbit, 0,
  652                        CTL_NET, PF_INET, ipproto_ipsec,
  653                        IPSECCTL_DFBIT, CTL_EOL);
  654         sysctl_createv(clog, 0, NULL, NULL,
  655                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  656                        CTLTYPE_INT, "ecn", NULL,
  657                        NULL, 0, &ip4_ipsec_ecn, 0,
  658                        CTL_NET, PF_INET, ipproto_ipsec,
  659                        IPSECCTL_ECN, CTL_EOL);
  660         sysctl_createv(clog, 0, NULL, NULL,
  661                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  662                        CTLTYPE_INT, "debug", NULL,
  663                        NULL, 0, &ipsec_debug, 0,
  664                        CTL_NET, PF_INET, ipproto_ipsec,
  665                        IPSECCTL_DEBUG, CTL_EOL);
  666         sysctl_createv(clog, 0, NULL, NULL,
  667                        CTLFLAG_PERMANENT|CTLFLAG_READONLY,
  668                        CTLTYPE_STRUCT, "ipsecstats", NULL,
  669                        sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
  670                        CTL_NET, PF_INET, ipproto_ipsec,
  671                        CTL_CREATE, CTL_EOL);
  672 #ifdef IPSEC_DEBUG
  673         sysctl_createv(clog, 0, NULL, NULL,
  674                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  675                        CTLTYPE_INT, "test_replay",
  676                        SYSCTL_DESCR("Emulate replay attack"),
  677                        sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
  678                        CTL_NET, PF_INET, ipproto_ipsec,
  679                        CTL_CREATE, CTL_EOL);
  680         sysctl_createv(clog, 0, NULL, NULL,
  681                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  682                        CTLTYPE_INT, "test_integrity",
  683                        SYSCTL_DESCR("Emulate man-in-the-middle attack"),
  684                        sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
  685                        CTL_NET, PF_INET, ipproto_ipsec,
  686                        CTL_CREATE, CTL_EOL);
  687 #endif
  688 }
  689 
  690 #ifdef INET6
  691 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup,
  692              "sysctl net.inet6.ipsec6 subtree setup")
  693 {
  694 
  695         sysctl_createv(clog, 0, NULL, NULL,
  696                        CTLFLAG_PERMANENT,
  697                        CTLTYPE_NODE, "net", NULL,
  698                        NULL, 0, NULL, 0,
  699                        CTL_NET, CTL_EOL);
  700         sysctl_createv(clog, 0, NULL, NULL,
  701                        CTLFLAG_PERMANENT,
  702                        CTLTYPE_NODE, "inet6", NULL,
  703                        NULL, 0, NULL, 0,
  704                        CTL_NET, PF_INET6, CTL_EOL);
  705         sysctl_createv(clog, 0, NULL, NULL,
  706                        CTLFLAG_PERMANENT,
  707                        CTLTYPE_NODE, "ipsec6",
  708                        SYSCTL_DESCR("IPv6 related IPSec settings"),
  709                        NULL, 0, NULL, 0,
  710                        CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
  711 
  712         sysctl_createv(clog, 0, NULL, NULL,
  713                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  714                        CTLTYPE_STRUCT, "stats",
  715                        SYSCTL_DESCR("IPSec statistics and counters"),
  716                        sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
  717                        CTL_NET, PF_INET6, IPPROTO_AH,
  718                        IPSECCTL_STATS, CTL_EOL);
  719         sysctl_createv(clog, 0, NULL, NULL,
  720                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  721                        CTLTYPE_INT, "def_policy",
  722                        SYSCTL_DESCR("Default action for non-IPSec packets"),
  723                        sysctl_fast_ipsec, 0, &ip6_def_policy, 0,
  724                        CTL_NET, PF_INET6, IPPROTO_AH,
  725                        IPSECCTL_DEF_POLICY, CTL_EOL);
  726         sysctl_createv(clog, 0, NULL, NULL,
  727                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  728                        CTLTYPE_INT, "esp_trans_deflev",
  729                        SYSCTL_DESCR("Default required security level for "
  730                                     "transport mode traffic"),
  731                        sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0,
  732                        CTL_NET, PF_INET6, IPPROTO_AH,
  733                        IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
  734         sysctl_createv(clog, 0, NULL, NULL,
  735                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  736                        CTLTYPE_INT, "esp_net_deflev",
  737                        SYSCTL_DESCR("Default required security level for "
  738                                     "tunneled traffic"),
  739                        sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0,
  740                        CTL_NET, PF_INET6, IPPROTO_AH,
  741                        IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
  742         sysctl_createv(clog, 0, NULL, NULL,
  743                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  744                        CTLTYPE_INT, "ah_trans_deflev",
  745                        SYSCTL_DESCR("Default required security level for "
  746                                     "transport mode headers"),
  747                        sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0,
  748                        CTL_NET, PF_INET6, IPPROTO_AH,
  749                        IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
  750         sysctl_createv(clog, 0, NULL, NULL,
  751                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  752                        CTLTYPE_INT, "ah_net_deflev",
  753                        SYSCTL_DESCR("Default required security level for "
  754                                     "tunneled headers"),
  755                        sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0,
  756                        CTL_NET, PF_INET6, IPPROTO_AH,
  757                        IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
  758         sysctl_createv(clog, 0, NULL, NULL,
  759                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  760                        CTLTYPE_INT, "ecn",
  761                        SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
  762                        NULL, 0, &ip6_ipsec_ecn, 0,
  763                        CTL_NET, PF_INET6, IPPROTO_AH,
  764                        IPSECCTL_ECN, CTL_EOL);
  765         sysctl_createv(clog, 0, NULL, NULL,
  766                        CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
  767                        CTLTYPE_INT, "debug",
  768                        SYSCTL_DESCR("Enable IPSec debugging output"),
  769                        NULL, 0, &ipsec_debug, 0,
  770                        CTL_NET, PF_INET6, IPPROTO_AH,
  771                        IPSECCTL_DEBUG, CTL_EOL);
  772 
  773         /*
  774          * "aliases" for the ipsec6 subtree
  775          */
  776         sysctl_createv(clog, 0, NULL, NULL,
  777                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
  778                        CTLTYPE_NODE, "esp6", NULL,
  779                        NULL, IPPROTO_AH, NULL, 0,
  780                        CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
  781         sysctl_createv(clog, 0, NULL, NULL,
  782                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
  783                        CTLTYPE_NODE, "ipcomp6", NULL,
  784                        NULL, IPPROTO_AH, NULL, 0,
  785                        CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
  786         sysctl_createv(clog, 0, NULL, NULL,
  787                        CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
  788                        CTLTYPE_NODE, "ah6", NULL,
  789                        NULL, IPPROTO_AH, NULL, 0,
  790                        CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
  791 }
  792 #endif /* INET6 */

Cache object: 5ac2c5fd5cc6b8962a8d41f7a0d2101a


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.