/*-
 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _NETIPSEC_IPSEC_SUPPORT_H_
#define _NETIPSEC_IPSEC_SUPPORT_H_

/*
 * Glue between the network stack and the IPsec / TCP-MD5 code.  The same
 * IPSEC_* and TCPMD5_* macros are provided in two flavours selected at
 * build time:
 *
 *   IPSEC / TCP_SIGNATURE   the implementation is compiled into the kernel
 *                           and the method tables below are bound at
 *                           compile time (const pointers);
 *   IPSEC_SUPPORT           the implementation lives in a loadable module
 *                           and installs/removes its method table at
 *                           run time through the *_support_enable() /
 *                           *_support_disable() functions (volatile
 *                           pointers, calls routed through the *_kmod_*
 *                           wrappers).
 *
 * Callers in the stack use the macros and never the concrete symbols, so
 * the two flavours are interchangeable from their point of view.
 */
#ifdef _KERNEL
#if defined(IPSEC) || defined(IPSEC_SUPPORT)
struct ifnet;
struct ip;
struct mbuf;
struct inpcb;
struct tcphdr;
struct sockopt;
struct sockaddr;
struct ipsec_support;
struct tcpmd5_support;
struct icmp;
struct ip6ctlparam;

/*
 * Argument of the ctlinput entry points: either an ICMP header (IPv4) or an
 * IPv6 ctlinput parameter block.  The transparent_union attribute lets
 * callers pass a plain `struct icmp *' or `struct ip6ctlparam *' without
 * building the union themselves.
 */
typedef union {
	struct icmp *icmp;
	struct ip6ctlparam *ip6cp;
} ipsec_ctlinput_param_t __attribute__((__transparent_union__));

/* Per-PCB security policy management (available in both build flavours). */
size_t ipsec_hdrsiz_inpcb(struct inpcb *);
int ipsec_init_pcbpolicy(struct inpcb *);
int ipsec_delete_pcbpolicy(struct inpcb *);
int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *);

#if defined(INET) || defined(INET6)
/* UDP-encapsulated ESP (NAT-T) input and socket option handling. */
int udp_ipsec_input(struct mbuf *, int, int);
int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
#endif
#ifdef INET
int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
/*
 * Variant of ipsec4_in_reject() for callers that have already located the
 * IPv4 header; ip1 presumably points into m -- confirm against the
 * implementation before relying on that.
 */
int ipsec4_in_reject1(const struct mbuf *m, struct ip *ip1, struct inpcb *inp);
int ipsec4_input(struct mbuf *, int, int);
int ipsec4_forward(struct mbuf *);
int ipsec4_pcbctl(struct inpcb *, struct sockopt *);
int ipsec4_output(struct ifnet *, struct mbuf *, struct inpcb *, u_long);
int ipsec4_capability(struct mbuf *, u_int);
int ipsec4_ctlinput(ipsec_ctlinput_param_t);
#endif /* INET */

#ifdef INET6
int ipsec6_input(struct mbuf *, int, int);
int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
int ipsec6_forward(struct mbuf *);
int ipsec6_pcbctl(struct inpcb *, struct sockopt *);
int ipsec6_output(struct ifnet *, struct mbuf *, struct inpcb *, u_long);
int ipsec6_capability(struct mbuf *, u_int);
int ipsec6_ctlinput(ipsec_ctlinput_param_t);
#endif /* INET6 */

/*
 * Method table through which the stack calls into the IPsec implementation.
 * One table is referenced per protocol family (see ipv4_ipsec_support and
 * ipv6_ipsec_support below).  The signatures mirror the ipsec4_* / ipsec6_*
 * prototypes above, which presumably populate the table in the compiled-in
 * build.
 */
struct ipsec_methods {
	int (*input)(struct mbuf *, int, int);
	int (*check_policy)(const struct mbuf *, struct inpcb *);
	int (*forward)(struct mbuf *);
	int (*output)(struct ifnet *, struct mbuf *, struct inpcb *,
	    u_long);
	int (*pcbctl)(struct inpcb *, struct sockopt *);
	size_t (*hdrsize)(struct inpcb *);
	int (*capability)(struct mbuf *, u_int);
	int (*ctlinput)(ipsec_ctlinput_param_t);

	/* UDP encapsulation (NAT-T) hooks. */
	int (*udp_input)(struct mbuf *, int, int);
	int (*udp_pcbctl)(struct inpcb *, struct sockopt *);
};
/*
 * Capability queries; presumably the values accepted by the u_int argument
 * of the capability method / IPSEC_CAPS() -- confirm in the implementation.
 */
#define IPSEC_CAP_OPERABLE 1
#define IPSEC_CAP_BYPASS_FILTER 2

/*
 * Method table for TCP-MD5 (RFC 2385 signature option).  The u_char *
 * argument of input/output is presumably the signature option bytes in the
 * TCP header; verify against the implementation.
 */
struct tcpmd5_methods {
	int (*input)(struct mbuf *, struct tcphdr *, u_char *);
	int (*output)(struct mbuf *, struct tcphdr *, u_char *);
	int (*pcbctl)(struct inpcb *, struct sockopt *);
};

/*
 * IPSEC_ENABLED(proto) tests the module-enabled bit of the support object
 * for `proto', which is token-pasted: callers pass a bare ipv4, ipv6 or tcp
 * token, not a string.  In the IPSEC_SUPPORT build this bit can change at
 * run time (see the volatile members below), so the result is only a
 * snapshot.
 */
#define IPSEC_MODULE_ENABLED 0x0001
#define IPSEC_ENABLED(proto) \
    ((proto ## _ipsec_support)->enabled & IPSEC_MODULE_ENABLED)
#define TCPMD5_ENABLED() IPSEC_ENABLED(tcp)

#ifdef TCP_SIGNATURE
/* TCP-MD5 build in the kernel */
struct tcpmd5_support {
	const u_int enabled;
	const struct tcpmd5_methods * const methods;
};
extern const struct tcpmd5_support * const tcp_ipsec_support;

/*
 * Statically bound: the macros dereference `methods' directly, which is
 * safe here because the pointer is const and set at compile time.
 */
#define TCPMD5_INPUT(m, ...) \
    (*tcp_ipsec_support->methods->input)(m, __VA_ARGS__)
#define TCPMD5_OUTPUT(m, ...) \
    (*tcp_ipsec_support->methods->output)(m, __VA_ARGS__)
#define TCPMD5_PCBCTL(inp, sopt) \
    (*tcp_ipsec_support->methods->pcbctl)(inp, sopt)
#elif defined(IPSEC_SUPPORT)
/* TCP-MD5 build as module */
struct tcpmd5_support {
	/*
	 * Both members are volatile because the module replaces them at run
	 * time through tcpmd5_support_enable()/tcpmd5_support_disable().
	 */
	volatile u_int enabled;
	const struct tcpmd5_methods * volatile methods;
};
extern struct tcpmd5_support * const tcp_ipsec_support;

/* Called by the module on load/unload to install or clear its method table. */
void tcpmd5_support_enable(const struct tcpmd5_methods * const);
void tcpmd5_support_disable(void);

/*
 * Wrappers that take the support object explicitly; the TCPMD5_* macros pass
 * tcp_ipsec_support.  Presumably they check `enabled' before dereferencing
 * `methods' so that a call racing with module unload fails closed -- confirm
 * in the implementation, since the macros below do no check themselves.
 */
int tcpmd5_kmod_pcbctl(struct tcpmd5_support * const, struct inpcb *,
    struct sockopt *);
int tcpmd5_kmod_input(struct tcpmd5_support * const, struct mbuf *,
    struct tcphdr *, u_char *);
int tcpmd5_kmod_output(struct tcpmd5_support * const, struct mbuf *,
    struct tcphdr *, u_char *);
#define TCPMD5_INPUT(m, ...) \
    tcpmd5_kmod_input(tcp_ipsec_support, m, __VA_ARGS__)
#define TCPMD5_OUTPUT(m, ...) \
    tcpmd5_kmod_output(tcp_ipsec_support, m, __VA_ARGS__)
#define TCPMD5_PCBCTL(inp, sopt) \
    tcpmd5_kmod_pcbctl(tcp_ipsec_support, inp, sopt)
#endif

#endif /* IPSEC || IPSEC_SUPPORT */

#if defined(IPSEC)
/* IPsec compiled into the kernel: method tables are bound at compile time. */
struct ipsec_support {
	const u_int enabled;
	const struct ipsec_methods * const methods;
};
extern const struct ipsec_support * const ipv4_ipsec_support;
extern const struct ipsec_support * const ipv6_ipsec_support;

/*
 * `proto' is token-pasted into the support object name (ipv4 or ipv6).  The
 * macros dereference `methods' unconditionally; that relies on the const
 * binding above and would not be safe in the module flavour.
 */
#define IPSEC_INPUT(proto, m, ...) \
    (*(proto ## _ipsec_support)->methods->input)(m, __VA_ARGS__)
#define IPSEC_CHECK_POLICY(proto, m, ...) \
    (*(proto ## _ipsec_support)->methods->check_policy)(m, __VA_ARGS__)
#define IPSEC_FORWARD(proto, m) \
    (*(proto ## _ipsec_support)->methods->forward)(m)
#define IPSEC_OUTPUT(proto, m, ...) \
    (*(proto ## _ipsec_support)->methods->output)(m, __VA_ARGS__)
#define IPSEC_PCBCTL(proto, inp, sopt) \
    (*(proto ## _ipsec_support)->methods->pcbctl)(inp, sopt)
#define IPSEC_CAPS(proto, m, ...) \
    (*(proto ## _ipsec_support)->methods->capability)(m, __VA_ARGS__)
#define IPSEC_HDRSIZE(proto, inp) \
    (*(proto ## _ipsec_support)->methods->hdrsize)(inp)
#define IPSEC_CTLINPUT(proto, param) \
    (*(proto ## _ipsec_support)->methods->ctlinput)(param)

#define UDPENCAP_INPUT(proto, m, ...) \
    (*(proto ## _ipsec_support)->methods->udp_input)(m, __VA_ARGS__)
#define UDPENCAP_PCBCTL(proto, inp, sopt) \
    (*(proto ## _ipsec_support)->methods->udp_pcbctl)(inp, sopt)

#elif defined(IPSEC_SUPPORT)
/* IPsec as a loadable module: the method table is installed at run time. */
struct ipsec_support {
	/*
	 * Both members are volatile because the module replaces them at run
	 * time through ipsec_support_enable()/ipsec_support_disable().
	 */
	volatile u_int enabled;
	const struct ipsec_methods * volatile methods;
};
extern struct ipsec_support * const ipv4_ipsec_support;
extern struct ipsec_support * const ipv6_ipsec_support;

/* Called by the module on load/unload to install or clear its method table. */
void ipsec_support_enable(struct ipsec_support * const,
    const struct ipsec_methods * const);
void ipsec_support_disable(struct ipsec_support * const);

/*
 * Wrappers that take the support object explicitly; the IPSEC_* macros pass
 * the proto-specific object.  Presumably they check `enabled' and the
 * `methods' pointer before calling through it so that a call racing with
 * module unload fails closed -- confirm in the implementation.  The
 * top-level const on the first parameter of most of these is a definition
 * detail only; ipsec_kmod_ctlinput() omits it with no change in meaning.
 */
int ipsec_kmod_input(struct ipsec_support * const, struct mbuf *, int, int);
int ipsec_kmod_check_policy(struct ipsec_support * const, struct mbuf *,
    struct inpcb *);
int ipsec_kmod_forward(struct ipsec_support * const, struct mbuf *);
int ipsec_kmod_output(struct ipsec_support * const, struct ifnet *,
    struct mbuf *, struct inpcb *, u_long);
int ipsec_kmod_pcbctl(struct ipsec_support * const, struct inpcb *,
    struct sockopt *);
int ipsec_kmod_capability(struct ipsec_support * const, struct mbuf *, u_int);
size_t ipsec_kmod_hdrsize(struct ipsec_support * const, struct inpcb *);
int ipsec_kmod_ctlinput(struct ipsec_support *, ipsec_ctlinput_param_t);
int ipsec_kmod_udp_input(struct ipsec_support * const, struct mbuf *, int, int);
int ipsec_kmod_udp_pcbctl(struct ipsec_support * const, struct inpcb *,
    struct sockopt *);

#define UDPENCAP_INPUT(proto, m, ...) \
    ipsec_kmod_udp_input(proto ## _ipsec_support, m, __VA_ARGS__)
#define UDPENCAP_PCBCTL(proto, inp, sopt) \
    ipsec_kmod_udp_pcbctl(proto ## _ipsec_support, inp, sopt)

/*
 * Same call sites as the compiled-in flavour; the variadic form forwards
 * every argument after `proto' to the wrapper unchanged.
 */
#define IPSEC_INPUT(proto, ...) \
    ipsec_kmod_input(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_CHECK_POLICY(proto, ...) \
    ipsec_kmod_check_policy(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_FORWARD(proto, ...) \
    ipsec_kmod_forward(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_OUTPUT(proto, ...) \
    ipsec_kmod_output(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_PCBCTL(proto, ...) \
    ipsec_kmod_pcbctl(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_CAPS(proto, ...) \
    ipsec_kmod_capability(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_HDRSIZE(proto, ...) \
    ipsec_kmod_hdrsize(proto ## _ipsec_support, __VA_ARGS__)
#define IPSEC_CTLINPUT(proto, ...) \
    ipsec_kmod_ctlinput(proto ## _ipsec_support, __VA_ARGS__)
#endif /* IPSEC_SUPPORT */
#endif /* _KERNEL */
#endif /* _NETIPSEC_IPSEC_SUPPORT_H_ */