1 /* $NetBSD: ipsec_netbsd.c,v 1.55 2022/09/02 23:48:11 thorpej Exp $ */
2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.55 2022/09/02 23:48:11 thorpej Exp $");
36
37 #if defined(_KERNEL_OPT)
38 #include "opt_inet.h"
39 #include "opt_ipsec.h"
40 #endif
41
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/errno.h>
49 #include <sys/time.h>
50 #include <sys/kernel.h>
51 #include <sys/sysctl.h>
52
53 #include <net/if.h>
54 #include <net/route.h>
55 #include <sys/cpu.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
64
65 #include <netipsec/ipsec.h>
66 #include <netipsec/ipsec_var.h>
67 #include <netipsec/ipsec_private.h>
68 #include <netipsec/key.h>
69 #include <netipsec/keydb.h>
70 #include <netipsec/key_debug.h>
71 #include <netipsec/ah.h>
72 #include <netipsec/ah_var.h>
73 #include <netipsec/esp.h>
74 #include <netipsec/esp_var.h>
75 #include <netipsec/ipip_var.h>
76 #include <netipsec/ipcomp_var.h>
77
78 #ifdef INET6
79 #include <netipsec/ipsec6.h>
80 #include <netinet6/ip6protosw.h>
81 #include <netinet/icmp6.h>
82 #endif
83
84 #include <netipsec/key.h>
85
86 /* assumes that ip header and ah header are contiguous on mbuf */
87 void *
ah4_ctlinput(int cmd,const struct sockaddr * sa,void * v)88 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
89 {
90 struct ip *ip = v;
91 struct ah *ah;
92 struct icmp *icp;
93 struct secasvar *sav;
94
95 if (sa->sa_family != AF_INET ||
96 sa->sa_len != sizeof(struct sockaddr_in))
97 return NULL;
98 if ((unsigned)cmd >= PRC_NCMDS)
99 return NULL;
100
101 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
102 /*
103 * Check to see if we have a valid SA corresponding to
104 * the address in the ICMP message payload.
105 */
106 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
107 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
108 IPPROTO_AH, ah->ah_spi, 0, 0);
109
110 if (sav) {
111 if (SADB_SASTATE_USABLE_P(sav)) {
112 /*
113 * Now that we've validated that we are actually
114 * communicating with the host indicated in the
115 * ICMP message, locate the ICMP header,
116 * recalculate the new MTU, and create the
117 * corresponding routing entry.
118 */
119 icp = (struct icmp *)((char *)ip -
120 offsetof(struct icmp, icmp_ip));
121 icmp_mtudisc(icp, ip->ip_dst);
122 }
123 KEY_SA_UNREF(&sav);
124 }
125 }
126 return NULL;
127 }
128
129 /* assumes that ip header and esp header are contiguous on mbuf */
130 void *
esp4_ctlinput(int cmd,const struct sockaddr * sa,void * v)131 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
132 {
133 struct ip *ip = v;
134 struct esp *esp;
135 struct icmp *icp;
136 struct secasvar *sav;
137
138 if (sa->sa_family != AF_INET ||
139 sa->sa_len != sizeof(struct sockaddr_in))
140 return NULL;
141 if ((unsigned)cmd >= PRC_NCMDS)
142 return NULL;
143
144 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
145 /*
146 * Check to see if we have a valid SA corresponding to
147 * the address in the ICMP message payload.
148 */
149 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
150 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
151 IPPROTO_ESP, esp->esp_spi, 0, 0);
152
153 if (sav) {
154 if (SADB_SASTATE_USABLE_P(sav)) {
155 /*
156 * Now that we've validated that we are actually
157 * communicating with the host indicated in the
158 * ICMP message, locate the ICMP header,
159 * recalculate the new MTU, and create the
160 * corresponding routing entry.
161 */
162 icp = (struct icmp *)((char *)ip -
163 offsetof(struct icmp, icmp_ip));
164 icmp_mtudisc(icp, ip->ip_dst);
165 }
166 KEY_SA_UNREF(&sav);
167 }
168 }
169 return NULL;
170 }
171
172 #ifdef INET6
173 void *
ah6_ctlinput(int cmd,const struct sockaddr * sa,void * d)174 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
175 {
176 const struct newah *ahp;
177 struct newah ah;
178 struct secasvar *sav;
179 struct ip6_hdr *ip6;
180 struct mbuf *m;
181 struct ip6ctlparam *ip6cp = NULL;
182 int off;
183
184 if (sa->sa_family != AF_INET6 ||
185 sa->sa_len != sizeof(struct sockaddr_in6))
186 return NULL;
187 if ((unsigned)cmd >= PRC_NCMDS)
188 return NULL;
189
190 /* if the parameter is from icmp6, decode it. */
191 if (d != NULL) {
192 ip6cp = (struct ip6ctlparam *)d;
193 m = ip6cp->ip6c_m;
194 ip6 = ip6cp->ip6c_ip6;
195 off = ip6cp->ip6c_off;
196 } else {
197 m = NULL;
198 ip6 = NULL;
199 off = 0;
200 }
201
202 if (ip6) {
203 /* check if we can safely examine src and dst ports */
204 if (m->m_pkthdr.len < off + sizeof(ah))
205 return NULL;
206
207 if (m->m_len < off + sizeof(ah)) {
208 /*
209 * this should be rare case,
210 * so we compromise on this copy...
211 */
212 m_copydata(m, off, sizeof(ah), &ah);
213 ahp = &ah;
214 } else
215 ahp = (struct newah *)(mtod(m, char *) + off);
216
217 if (cmd == PRC_MSGSIZE) {
218 int valid = 0;
219
220 /*
221 * Check to see if we have a valid SA corresponding
222 * to the address in the ICMP message payload.
223 */
224 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
225 IPPROTO_AH, ahp->ah_spi, 0, 0);
226
227 if (sav) {
228 if (SADB_SASTATE_USABLE_P(sav))
229 valid++;
230 KEY_SA_UNREF(&sav);
231 }
232
233 /* XXX Further validation? */
234
235 /*
236 * Depending on the value of "valid" and routing
237 * table size (mtudisc_{hi,lo}wat), we will:
238 * - recalculate the new MTU and create the
239 * corresponding routing entry, or
240 * - ignore the MTU change notification.
241 */
242 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
243 }
244
245 /* we normally notify single pcb here */
246 } else {
247 /* we normally notify any pcb here */
248 }
249 return NULL;
250 }
251
252 void *
esp6_ctlinput(int cmd,const struct sockaddr * sa,void * d)253 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
254 {
255 const struct newesp *espp;
256 struct newesp esp;
257 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
258 struct secasvar *sav;
259 struct ip6_hdr *ip6;
260 struct mbuf *m;
261 int off;
262
263 if (sa->sa_family != AF_INET6 ||
264 sa->sa_len != sizeof(struct sockaddr_in6))
265 return NULL;
266 if ((unsigned)cmd >= PRC_NCMDS)
267 return NULL;
268
269 /* if the parameter is from icmp6, decode it. */
270 if (d != NULL) {
271 ip6cp = (struct ip6ctlparam *)d;
272 m = ip6cp->ip6c_m;
273 ip6 = ip6cp->ip6c_ip6;
274 off = ip6cp->ip6c_off;
275 } else {
276 m = NULL;
277 ip6 = NULL;
278 off = 0;
279 }
280
281 if (ip6) {
282 /*
283 * Notify the error to all possible sockets via pfctlinput2.
284 * Since the upper layer information (such as protocol type,
285 * source and destination ports) is embedded in the encrypted
286 * data and might have been cut, we can't directly call
287 * an upper layer ctlinput function. However, the pcbnotify
288 * function will consider source and destination addresses
289 * as well as the flow info value, and may be able to find
290 * some PCB that should be notified.
291 * Although pfctlinput2 will call esp6_ctlinput(), there is
292 * no possibility of an infinite loop of function calls,
293 * because we don't pass the inner IPv6 header.
294 */
295 memset(&ip6cp1, 0, sizeof(ip6cp1));
296 ip6cp1.ip6c_src = ip6cp->ip6c_src;
297 pfctlinput2(cmd, sa, &ip6cp1);
298
299 /* check if we can safely examine src and dst ports */
300 if (m->m_pkthdr.len < off + sizeof(esp))
301 return NULL;
302
303 if (m->m_len < off + sizeof(esp)) {
304 /*
305 * this should be rare case,
306 * so we compromise on this copy...
307 */
308 m_copydata(m, off, sizeof(esp), &esp);
309 espp = &esp;
310 } else
311 espp = (struct newesp *)(mtod(m, char *) + off);
312
313 if (cmd == PRC_MSGSIZE) {
314 int valid = 0;
315
316 /*
317 * Check to see if we have a valid SA corresponding to
318 * the address in the ICMP message payload.
319 */
320
321 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
322 IPPROTO_ESP, espp->esp_spi, 0, 0);
323
324 if (sav) {
325 if (SADB_SASTATE_USABLE_P(sav))
326 valid++;
327 KEY_SA_UNREF(&sav);
328 }
329
330 /* XXX Further validation? */
331
332 /*
333 * Depending on the value of "valid" and routing table
334 * size (mtudisc_{hi,lo}wat), we will:
335 * - recalcurate the new MTU and create the
336 * corresponding routing entry, or
337 * - ignore the MTU change notification.
338 */
339 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
340 }
341 } else {
342 /* we normally notify any pcb here */
343 }
344 return NULL;
345 }
346 #endif /* INET6 */
347
348 static int
sysctl_ipsec(SYSCTLFN_ARGS)349 sysctl_ipsec(SYSCTLFN_ARGS)
350 {
351 int error, t;
352 struct sysctlnode node;
353
354 node = *rnode;
355 t = *(int *)rnode->sysctl_data;
356 node.sysctl_data = &t;
357 error = sysctl_lookup(SYSCTLFN_CALL(&node));
358 if (error || newp == NULL)
359 return error;
360
361 switch (rnode->sysctl_num) {
362 case IPSECCTL_DEF_ESP_TRANSLEV:
363 case IPSECCTL_DEF_ESP_NETLEV:
364 case IPSECCTL_DEF_AH_TRANSLEV:
365 case IPSECCTL_DEF_AH_NETLEV:
366 if (t != IPSEC_LEVEL_USE &&
367 t != IPSEC_LEVEL_REQUIRE)
368 return EINVAL;
369 ipsec_invalpcbcacheall();
370 break;
371 case IPSECCTL_DEF_POLICY:
372 if (t != IPSEC_POLICY_DISCARD &&
373 t != IPSEC_POLICY_NONE)
374 return EINVAL;
375 ipsec_invalpcbcacheall();
376 break;
377 default:
378 return EINVAL;
379 }
380
381 *(int *)rnode->sysctl_data = t;
382
383 return 0;
384 }
385
386 #ifdef IPSEC_DEBUG
387 static int
sysctl_ipsec_test(SYSCTLFN_ARGS)388 sysctl_ipsec_test(SYSCTLFN_ARGS)
389 {
390 int t, error;
391 struct sysctlnode node;
392
393 node = *rnode;
394 t = *(int *)rnode->sysctl_data;
395 node.sysctl_data = &t;
396 error = sysctl_lookup(SYSCTLFN_CALL(&node));
397 if (error || newp == NULL)
398 return error;
399
400 if (t < 0 || t > 1)
401 return EINVAL;
402
403 if (rnode->sysctl_data == &ipsec_replay)
404 printf("ipsec: Anti-Replay service %s\n",
405 (t == 1) ? "deactivated" : "activated");
406 else if (rnode->sysctl_data == &ipsec_integrity)
407 printf("ipsec: HMAC corruption %s\n",
408 (t == 0) ? "deactivated" : "activated");
409
410 *(int *)rnode->sysctl_data = t;
411
412 return 0;
413 }
414 #endif
415
416 static int
sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS)417 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS)
418 {
419
420 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
421 }
422
423 static int
sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)424 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
425 {
426
427 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
428 }
429
430 static int
sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)431 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
432 {
433
434 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
435 }
436
437 static int
sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)438 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
439 {
440
441 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
442 }
443
444 static int
sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)445 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
446 {
447
448 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
449 }
450
451 static int
sysctl_net_ipsec_enabled(SYSCTLFN_ARGS)452 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS)
453 {
454 int newenabled, error;
455 struct sysctlnode node;
456 node = *rnode;
457 node.sysctl_data = &newenabled;
458
459 newenabled = ipsec_enabled;
460 error = sysctl_lookup(SYSCTLFN_CALL(&node));
461 if (error || newp == NULL)
462 return error;
463
464 switch (newenabled) {
465 case 0:
466 if (key_get_used())
467 return EBUSY;
468 /*FALLTHROUGH*/
469 case 1:
470 case 2:
471 ipsec_enabled = newenabled;
472 key_update_used();
473 return 0;
474 default:
475 return EINVAL;
476 }
477 }
478
479 /* XXX will need a different oid at parent */
480 void
sysctl_net_inet_ipsec_setup(struct sysctllog ** clog)481 sysctl_net_inet_ipsec_setup(struct sysctllog **clog)
482 {
483 const struct sysctlnode *_ipsec;
484 int ipproto_ipsec;
485
486 sysctl_createv(clog, 0, NULL, NULL,
487 CTLFLAG_PERMANENT,
488 CTLTYPE_NODE, "inet", NULL,
489 NULL, 0, NULL, 0,
490 CTL_NET, PF_INET, CTL_EOL);
491
492 /*
493 * in numerical order:
494 *
495 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
496 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
497 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
498 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
499 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
500 *
501 * this creates separate trees by name, but maintains that the
502 * ipsec name leads to all the old leaves.
503 */
504
505 /* create net.inet.ipip */
506 sysctl_createv(clog, 0, NULL, NULL,
507 CTLFLAG_PERMANENT,
508 CTLTYPE_NODE, "ipip", NULL,
509 NULL, 0, NULL, 0,
510 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
511 sysctl_createv(clog, 0, NULL, NULL,
512 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
513 CTLTYPE_STRUCT, "ipip_stats", NULL,
514 sysctl_net_inet_ipip_stats, 0, NULL, 0,
515 CTL_NET, PF_INET, IPPROTO_IPIP,
516 CTL_CREATE, CTL_EOL);
517
518 /* create net.inet.esp subtree under IPPROTO_ESP */
519 sysctl_createv(clog, 0, NULL, NULL,
520 CTLFLAG_PERMANENT,
521 CTLTYPE_NODE, "esp", NULL,
522 NULL, 0, NULL, 0,
523 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
524 sysctl_createv(clog, 0, NULL, NULL,
525 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
526 CTLTYPE_STRUCT, "esp_stats", NULL,
527 sysctl_net_inet_esp_stats, 0, NULL, 0,
528 CTL_NET, PF_INET, IPPROTO_ESP,
529 CTL_CREATE, CTL_EOL);
530
531 /* create net.inet.ah subtree under IPPROTO_AH */
532 sysctl_createv(clog, 0, NULL, NULL,
533 CTLFLAG_PERMANENT,
534 CTLTYPE_NODE, "ah", NULL,
535 NULL, 0, NULL, 0,
536 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
537 sysctl_createv(clog, 0, NULL, NULL,
538 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
539 CTLTYPE_STRUCT, "ah_stats", NULL,
540 sysctl_net_inet_ah_stats, 0, NULL, 0,
541 CTL_NET, PF_INET, IPPROTO_AH,
542 CTL_CREATE, CTL_EOL);
543
544 /* create net.inet.ipcomp */
545 sysctl_createv(clog, 0, NULL, NULL,
546 CTLFLAG_PERMANENT,
547 CTLTYPE_NODE, "ipcomp", NULL,
548 NULL, 0, NULL, 0,
549 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
550 sysctl_createv(clog, 0, NULL, NULL,
551 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
552 CTLTYPE_STRUCT, "ipcomp_stats", NULL,
553 sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
554 CTL_NET, PF_INET, IPPROTO_IPCOMP,
555 CTL_CREATE, CTL_EOL);
556
557 /* create net.inet.ipsec subtree under dynamic oid */
558 sysctl_createv(clog, 0, NULL, &_ipsec,
559 CTLFLAG_PERMANENT,
560 CTLTYPE_NODE, "ipsec", NULL,
561 NULL, 0, NULL, 0,
562 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
563 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
564
565 sysctl_createv(clog, 0, NULL, NULL,
566 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
567 CTLTYPE_INT, "def_policy", NULL,
568 sysctl_ipsec, 0, &ip4_def_policy.policy, 0,
569 CTL_NET, PF_INET, ipproto_ipsec,
570 IPSECCTL_DEF_POLICY, CTL_EOL);
571 sysctl_createv(clog, 0, NULL, NULL,
572 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
573 CTLTYPE_INT, "esp_trans_deflev", NULL,
574 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
575 CTL_NET, PF_INET, ipproto_ipsec,
576 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
577 sysctl_createv(clog, 0, NULL, NULL,
578 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
579 CTLTYPE_INT, "esp_net_deflev", NULL,
580 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
581 CTL_NET, PF_INET, ipproto_ipsec,
582 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
583 sysctl_createv(clog, 0, NULL, NULL,
584 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
585 CTLTYPE_INT, "ah_trans_deflev", NULL,
586 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
587 CTL_NET, PF_INET, ipproto_ipsec,
588 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
589 sysctl_createv(clog, 0, NULL, NULL,
590 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
591 CTLTYPE_INT, "ah_net_deflev", NULL,
592 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
593 CTL_NET, PF_INET, ipproto_ipsec,
594 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
595 sysctl_createv(clog, 0, NULL, NULL,
596 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
597 CTLTYPE_INT, "ah_cleartos", NULL,
598 NULL, 0, &ip4_ah_cleartos, 0,
599 CTL_NET, PF_INET, ipproto_ipsec,
600 IPSECCTL_AH_CLEARTOS, CTL_EOL);
601 sysctl_createv(clog, 0, NULL, NULL,
602 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
603 CTLTYPE_INT, "ah_offsetmask", NULL,
604 NULL, 0, &ip4_ah_offsetmask, 0,
605 CTL_NET, PF_INET, ipproto_ipsec,
606 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
607 sysctl_createv(clog, 0, NULL, NULL,
608 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
609 CTLTYPE_INT, "dfbit", NULL,
610 NULL, 0, &ip4_ipsec_dfbit, 0,
611 CTL_NET, PF_INET, ipproto_ipsec,
612 IPSECCTL_DFBIT, CTL_EOL);
613 sysctl_createv(clog, 0, NULL, NULL,
614 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
615 CTLTYPE_INT, "ecn", NULL,
616 NULL, 0, &ip4_ipsec_ecn, 0,
617 CTL_NET, PF_INET, ipproto_ipsec,
618 IPSECCTL_ECN, CTL_EOL);
619 sysctl_createv(clog, 0, NULL, NULL,
620 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
621 CTLTYPE_INT, "debug", NULL,
622 NULL, 0, &ipsec_debug, 0,
623 CTL_NET, PF_INET, ipproto_ipsec,
624 IPSECCTL_DEBUG, CTL_EOL);
625 sysctl_createv(clog, 0, NULL, NULL,
626 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
627 CTLTYPE_INT, "ipip_spoofcheck", NULL,
628 NULL, 0, &ipip_spoofcheck, 0,
629 CTL_NET, PF_INET, ipproto_ipsec,
630 CTL_CREATE, CTL_EOL);
631 sysctl_createv(clog, 0, NULL, NULL,
632 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
633 CTLTYPE_STRUCT, "ipsecstats", NULL,
634 sysctl_net_inet_ipsec_stats, 0, NULL, 0,
635 CTL_NET, PF_INET, ipproto_ipsec,
636 CTL_CREATE, CTL_EOL);
637 sysctl_createv(clog, 0, NULL, NULL,
638 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
639 CTLTYPE_INT, "enabled",
640 SYSCTL_DESCR("Enable IPSec processing"),
641 sysctl_net_ipsec_enabled, 0, NULL, 0,
642 CTL_NET, PF_INET, ipproto_ipsec,
643 CTL_CREATE, CTL_EOL);
644 sysctl_createv(clog, 0, NULL, NULL,
645 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
646 CTLTYPE_INT, "used",
647 SYSCTL_DESCR("Is IPSec active?"),
648 NULL, 0, &ipsec_used, 0,
649 CTL_NET, PF_INET, ipproto_ipsec,
650 CTL_CREATE, CTL_EOL);
651 sysctl_createv(clog, 0, NULL, NULL,
652 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
653 CTLTYPE_INT, "ah_enable", NULL,
654 NULL, 0, &ah_enable, 0,
655 CTL_NET, PF_INET, ipproto_ipsec,
656 CTL_CREATE, CTL_EOL);
657 sysctl_createv(clog, 0, NULL, NULL,
658 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
659 CTLTYPE_INT, "esp_enable", NULL,
660 NULL, 0, &esp_enable, 0,
661 CTL_NET, PF_INET, ipproto_ipsec,
662 CTL_CREATE, CTL_EOL);
663 sysctl_createv(clog, 0, NULL, NULL,
664 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
665 CTLTYPE_INT, "ipcomp_enable", NULL,
666 NULL, 0, &ipcomp_enable, 0,
667 CTL_NET, PF_INET, ipproto_ipsec,
668 CTL_CREATE, CTL_EOL);
669 sysctl_createv(clog, 0, NULL, NULL,
670 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
671 CTLTYPE_INT, "crypto_support", NULL,
672 NULL, 0, &crypto_support, 0,
673 CTL_NET, PF_INET, ipproto_ipsec,
674 CTL_CREATE, CTL_EOL);
675
676 #ifdef IPSEC_DEBUG
677 sysctl_createv(clog, 0, NULL, NULL,
678 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
679 CTLTYPE_INT, "test_replay",
680 SYSCTL_DESCR("Emulate replay attack"),
681 sysctl_ipsec_test, 0, &ipsec_replay, 0,
682 CTL_NET, PF_INET, ipproto_ipsec,
683 CTL_CREATE, CTL_EOL);
684 sysctl_createv(clog, 0, NULL, NULL,
685 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
686 CTLTYPE_INT, "test_integrity",
687 SYSCTL_DESCR("Emulate man-in-the-middle attack"),
688 sysctl_ipsec_test, 0, &ipsec_integrity, 0,
689 CTL_NET, PF_INET, ipproto_ipsec,
690 CTL_CREATE, CTL_EOL);
691 #endif
692 }
693
694 #ifdef INET6
695 void
sysctl_net_inet6_ipsec6_setup(struct sysctllog ** clog)696 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog)
697 {
698
699 sysctl_createv(clog, 0, NULL, NULL,
700 CTLFLAG_PERMANENT,
701 CTLTYPE_NODE, "inet6", NULL,
702 NULL, 0, NULL, 0,
703 CTL_NET, PF_INET6, CTL_EOL);
704 sysctl_createv(clog, 0, NULL, NULL,
705 CTLFLAG_PERMANENT,
706 CTLTYPE_NODE, "ipsec6",
707 SYSCTL_DESCR("IPv6 related IPSec settings"),
708 NULL, 0, NULL, 0,
709 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
710
711 sysctl_createv(clog, 0, NULL, NULL,
712 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
713 CTLTYPE_STRUCT, "stats",
714 SYSCTL_DESCR("IPSec statistics and counters"),
715 sysctl_net_inet_ipsec_stats, 0, NULL, 0,
716 CTL_NET, PF_INET6, IPPROTO_AH,
717 IPSECCTL_STATS, CTL_EOL);
718 sysctl_createv(clog, 0, NULL, NULL,
719 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
720 CTLTYPE_INT, "def_policy",
721 SYSCTL_DESCR("Default action for non-IPSec packets"),
722 sysctl_ipsec, 0, &ip6_def_policy.policy, 0,
723 CTL_NET, PF_INET6, IPPROTO_AH,
724 IPSECCTL_DEF_POLICY, CTL_EOL);
725 sysctl_createv(clog, 0, NULL, NULL,
726 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
727 CTLTYPE_INT, "esp_trans_deflev",
728 SYSCTL_DESCR("Default required security level for "
729 "transport mode traffic"),
730 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
731 CTL_NET, PF_INET6, IPPROTO_AH,
732 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
733 sysctl_createv(clog, 0, NULL, NULL,
734 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
735 CTLTYPE_INT, "esp_net_deflev",
736 SYSCTL_DESCR("Default required security level for "
737 "tunneled traffic"),
738 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
739 CTL_NET, PF_INET6, IPPROTO_AH,
740 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
741 sysctl_createv(clog, 0, NULL, NULL,
742 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
743 CTLTYPE_INT, "ah_trans_deflev",
744 SYSCTL_DESCR("Default required security level for "
745 "transport mode headers"),
746 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
747 CTL_NET, PF_INET6, IPPROTO_AH,
748 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
749 sysctl_createv(clog, 0, NULL, NULL,
750 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
751 CTLTYPE_INT, "ah_net_deflev",
752 SYSCTL_DESCR("Default required security level for "
753 "tunneled headers"),
754 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
755 CTL_NET, PF_INET6, IPPROTO_AH,
756 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
757 sysctl_createv(clog, 0, NULL, NULL,
758 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
759 CTLTYPE_INT, "ecn",
760 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
761 NULL, 0, &ip6_ipsec_ecn, 0,
762 CTL_NET, PF_INET6, IPPROTO_AH,
763 IPSECCTL_ECN, CTL_EOL);
764 sysctl_createv(clog, 0, NULL, NULL,
765 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
766 CTLTYPE_INT, "debug",
767 SYSCTL_DESCR("Enable IPSec debugging output"),
768 NULL, 0, &ipsec_debug, 0,
769 CTL_NET, PF_INET6, IPPROTO_AH,
770 IPSECCTL_DEBUG, CTL_EOL);
771 sysctl_createv(clog, 0, NULL, NULL,
772 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
773 CTLTYPE_INT, "enabled",
774 SYSCTL_DESCR("Enable IPSec processing"),
775 sysctl_net_ipsec_enabled, 0, NULL, 0,
776 CTL_NET, PF_INET6, IPPROTO_AH,
777 CTL_CREATE, CTL_EOL);
778 sysctl_createv(clog, 0, NULL, NULL,
779 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
780 CTLTYPE_INT, "used",
781 SYSCTL_DESCR("Is IPSec active?"),
782 NULL, 0, &ipsec_used, 0,
783 CTL_NET, PF_INET6, IPPROTO_AH,
784 CTL_CREATE, CTL_EOL);
785 }
786 #endif /* INET6 */
787