1 /* $NetBSD: ipsec_netbsd.c,v 1.55 2022/09/02 23:48:11 thorpej Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.55 2022/09/02 23:48:11 thorpej Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/protosw.h> 47 #include <sys/socket.h> 48 #include <sys/errno.h> 49 #include <sys/time.h> 50 #include <sys/kernel.h> 51 #include <sys/sysctl.h> 52 53 #include <net/if.h> 54 #include <net/route.h> 55 #include <sys/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 #include <netipsec/ipsec.h> 66 #include <netipsec/ipsec_var.h> 67 #include <netipsec/ipsec_private.h> 68 #include <netipsec/key.h> 69 #include <netipsec/keydb.h> 70 #include <netipsec/key_debug.h> 71 #include <netipsec/ah.h> 72 #include <netipsec/ah_var.h> 73 #include <netipsec/esp.h> 74 #include <netipsec/esp_var.h> 75 #include <netipsec/ipip_var.h> 76 #include <netipsec/ipcomp_var.h> 77 78 #ifdef INET6 79 #include <netipsec/ipsec6.h> 80 #include <netinet6/ip6protosw.h> 81 #include <netinet/icmp6.h> 82 #endif 83 84 #include <netipsec/key.h> 85 86 /* assumes that ip header and ah header are contiguous on mbuf */ 87 void * 88 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 89 { 90 struct ip *ip = v; 91 struct ah *ah; 92 struct icmp *icp; 93 struct secasvar *sav; 94 95 if (sa->sa_family != AF_INET || 96 sa->sa_len != sizeof(struct sockaddr_in)) 97 return NULL; 98 if ((unsigned)cmd >= PRC_NCMDS) 99 return NULL; 100 101 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 102 /* 103 * Check to see if we have a valid SA corresponding to 104 * the address in the ICMP message payload. 105 */ 106 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 107 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 108 IPPROTO_AH, ah->ah_spi, 0, 0); 109 110 if (sav) { 111 if (SADB_SASTATE_USABLE_P(sav)) { 112 /* 113 * Now that we've validated that we are actually 114 * communicating with the host indicated in the 115 * ICMP message, locate the ICMP header, 116 * recalculate the new MTU, and create the 117 * corresponding routing entry. 118 */ 119 icp = (struct icmp *)((char *)ip - 120 offsetof(struct icmp, icmp_ip)); 121 icmp_mtudisc(icp, ip->ip_dst); 122 } 123 KEY_SA_UNREF(&sav); 124 } 125 } 126 return NULL; 127 } 128 129 /* assumes that ip header and esp header are contiguous on mbuf */ 130 void * 131 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 132 { 133 struct ip *ip = v; 134 struct esp *esp; 135 struct icmp *icp; 136 struct secasvar *sav; 137 138 if (sa->sa_family != AF_INET || 139 sa->sa_len != sizeof(struct sockaddr_in)) 140 return NULL; 141 if ((unsigned)cmd >= PRC_NCMDS) 142 return NULL; 143 144 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 145 /* 146 * Check to see if we have a valid SA corresponding to 147 * the address in the ICMP message payload. 148 */ 149 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 150 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 151 IPPROTO_ESP, esp->esp_spi, 0, 0); 152 153 if (sav) { 154 if (SADB_SASTATE_USABLE_P(sav)) { 155 /* 156 * Now that we've validated that we are actually 157 * communicating with the host indicated in the 158 * ICMP message, locate the ICMP header, 159 * recalculate the new MTU, and create the 160 * corresponding routing entry. 161 */ 162 icp = (struct icmp *)((char *)ip - 163 offsetof(struct icmp, icmp_ip)); 164 icmp_mtudisc(icp, ip->ip_dst); 165 } 166 KEY_SA_UNREF(&sav); 167 } 168 } 169 return NULL; 170 } 171 172 #ifdef INET6 173 void * 174 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 175 { 176 const struct newah *ahp; 177 struct newah ah; 178 struct secasvar *sav; 179 struct ip6_hdr *ip6; 180 struct mbuf *m; 181 struct ip6ctlparam *ip6cp = NULL; 182 int off; 183 184 if (sa->sa_family != AF_INET6 || 185 sa->sa_len != sizeof(struct sockaddr_in6)) 186 return NULL; 187 if ((unsigned)cmd >= PRC_NCMDS) 188 return NULL; 189 190 /* if the parameter is from icmp6, decode it. */ 191 if (d != NULL) { 192 ip6cp = (struct ip6ctlparam *)d; 193 m = ip6cp->ip6c_m; 194 ip6 = ip6cp->ip6c_ip6; 195 off = ip6cp->ip6c_off; 196 } else { 197 m = NULL; 198 ip6 = NULL; 199 off = 0; 200 } 201 202 if (ip6) { 203 /* check if we can safely examine src and dst ports */ 204 if (m->m_pkthdr.len < off + sizeof(ah)) 205 return NULL; 206 207 if (m->m_len < off + sizeof(ah)) { 208 /* 209 * this should be rare case, 210 * so we compromise on this copy... 211 */ 212 m_copydata(m, off, sizeof(ah), &ah); 213 ahp = &ah; 214 } else 215 ahp = (struct newah *)(mtod(m, char *) + off); 216 217 if (cmd == PRC_MSGSIZE) { 218 int valid = 0; 219 220 /* 221 * Check to see if we have a valid SA corresponding 222 * to the address in the ICMP message payload. 223 */ 224 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 225 IPPROTO_AH, ahp->ah_spi, 0, 0); 226 227 if (sav) { 228 if (SADB_SASTATE_USABLE_P(sav)) 229 valid++; 230 KEY_SA_UNREF(&sav); 231 } 232 233 /* XXX Further validation? */ 234 235 /* 236 * Depending on the value of "valid" and routing 237 * table size (mtudisc_{hi,lo}wat), we will: 238 * - recalculate the new MTU and create the 239 * corresponding routing entry, or 240 * - ignore the MTU change notification. 241 */ 242 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 243 } 244 245 /* we normally notify single pcb here */ 246 } else { 247 /* we normally notify any pcb here */ 248 } 249 return NULL; 250 } 251 252 void * 253 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 254 { 255 const struct newesp *espp; 256 struct newesp esp; 257 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 258 struct secasvar *sav; 259 struct ip6_hdr *ip6; 260 struct mbuf *m; 261 int off; 262 263 if (sa->sa_family != AF_INET6 || 264 sa->sa_len != sizeof(struct sockaddr_in6)) 265 return NULL; 266 if ((unsigned)cmd >= PRC_NCMDS) 267 return NULL; 268 269 /* if the parameter is from icmp6, decode it. */ 270 if (d != NULL) { 271 ip6cp = (struct ip6ctlparam *)d; 272 m = ip6cp->ip6c_m; 273 ip6 = ip6cp->ip6c_ip6; 274 off = ip6cp->ip6c_off; 275 } else { 276 m = NULL; 277 ip6 = NULL; 278 off = 0; 279 } 280 281 if (ip6) { 282 /* 283 * Notify the error to all possible sockets via pfctlinput2. 284 * Since the upper layer information (such as protocol type, 285 * source and destination ports) is embedded in the encrypted 286 * data and might have been cut, we can't directly call 287 * an upper layer ctlinput function. However, the pcbnotify 288 * function will consider source and destination addresses 289 * as well as the flow info value, and may be able to find 290 * some PCB that should be notified. 291 * Although pfctlinput2 will call esp6_ctlinput(), there is 292 * no possibility of an infinite loop of function calls, 293 * because we don't pass the inner IPv6 header. 294 */ 295 memset(&ip6cp1, 0, sizeof(ip6cp1)); 296 ip6cp1.ip6c_src = ip6cp->ip6c_src; 297 pfctlinput2(cmd, sa, &ip6cp1); 298 299 /* check if we can safely examine src and dst ports */ 300 if (m->m_pkthdr.len < off + sizeof(esp)) 301 return NULL; 302 303 if (m->m_len < off + sizeof(esp)) { 304 /* 305 * this should be rare case, 306 * so we compromise on this copy... 307 */ 308 m_copydata(m, off, sizeof(esp), &esp); 309 espp = &esp; 310 } else 311 espp = (struct newesp *)(mtod(m, char *) + off); 312 313 if (cmd == PRC_MSGSIZE) { 314 int valid = 0; 315 316 /* 317 * Check to see if we have a valid SA corresponding to 318 * the address in the ICMP message payload. 319 */ 320 321 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 322 IPPROTO_ESP, espp->esp_spi, 0, 0); 323 324 if (sav) { 325 if (SADB_SASTATE_USABLE_P(sav)) 326 valid++; 327 KEY_SA_UNREF(&sav); 328 } 329 330 /* XXX Further validation? */ 331 332 /* 333 * Depending on the value of "valid" and routing table 334 * size (mtudisc_{hi,lo}wat), we will: 335 * - recalcurate the new MTU and create the 336 * corresponding routing entry, or 337 * - ignore the MTU change notification. 338 */ 339 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 340 } 341 } else { 342 /* we normally notify any pcb here */ 343 } 344 return NULL; 345 } 346 #endif /* INET6 */ 347 348 static int 349 sysctl_ipsec(SYSCTLFN_ARGS) 350 { 351 int error, t; 352 struct sysctlnode node; 353 354 node = *rnode; 355 t = *(int *)rnode->sysctl_data; 356 node.sysctl_data = &t; 357 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 358 if (error || newp == NULL) 359 return error; 360 361 switch (rnode->sysctl_num) { 362 case IPSECCTL_DEF_ESP_TRANSLEV: 363 case IPSECCTL_DEF_ESP_NETLEV: 364 case IPSECCTL_DEF_AH_TRANSLEV: 365 case IPSECCTL_DEF_AH_NETLEV: 366 if (t != IPSEC_LEVEL_USE && 367 t != IPSEC_LEVEL_REQUIRE) 368 return EINVAL; 369 ipsec_invalpcbcacheall(); 370 break; 371 case IPSECCTL_DEF_POLICY: 372 if (t != IPSEC_POLICY_DISCARD && 373 t != IPSEC_POLICY_NONE) 374 return EINVAL; 375 ipsec_invalpcbcacheall(); 376 break; 377 default: 378 return EINVAL; 379 } 380 381 *(int *)rnode->sysctl_data = t; 382 383 return 0; 384 } 385 386 #ifdef IPSEC_DEBUG 387 static int 388 sysctl_ipsec_test(SYSCTLFN_ARGS) 389 { 390 int t, error; 391 struct sysctlnode node; 392 393 node = *rnode; 394 t = *(int *)rnode->sysctl_data; 395 node.sysctl_data = &t; 396 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 397 if (error || newp == NULL) 398 return error; 399 400 if (t < 0 || t > 1) 401 return EINVAL; 402 403 if (rnode->sysctl_data == &ipsec_replay) 404 printf("ipsec: Anti-Replay service %s\n", 405 (t == 1) ? "deactivated" : "activated"); 406 else if (rnode->sysctl_data == &ipsec_integrity) 407 printf("ipsec: HMAC corruption %s\n", 408 (t == 0) ? "deactivated" : "activated"); 409 410 *(int *)rnode->sysctl_data = t; 411 412 return 0; 413 } 414 #endif 415 416 static int 417 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 418 { 419 420 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 421 } 422 423 static int 424 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 425 { 426 427 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 428 } 429 430 static int 431 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 432 { 433 434 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 435 } 436 437 static int 438 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 439 { 440 441 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 442 } 443 444 static int 445 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 446 { 447 448 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 449 } 450 451 static int 452 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 453 { 454 int newenabled, error; 455 struct sysctlnode node; 456 node = *rnode; 457 node.sysctl_data = &newenabled; 458 459 newenabled = ipsec_enabled; 460 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 461 if (error || newp == NULL) 462 return error; 463 464 switch (newenabled) { 465 case 0: 466 if (key_get_used()) 467 return EBUSY; 468 /*FALLTHROUGH*/ 469 case 1: 470 case 2: 471 ipsec_enabled = newenabled; 472 key_update_used(); 473 return 0; 474 default: 475 return EINVAL; 476 } 477 } 478 479 /* XXX will need a different oid at parent */ 480 void 481 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 482 { 483 const struct sysctlnode *_ipsec; 484 int ipproto_ipsec; 485 486 sysctl_createv(clog, 0, NULL, NULL, 487 CTLFLAG_PERMANENT, 488 CTLTYPE_NODE, "inet", NULL, 489 NULL, 0, NULL, 0, 490 CTL_NET, PF_INET, CTL_EOL); 491 492 /* 493 * in numerical order: 494 * 495 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 496 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 497 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 498 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 499 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 500 * 501 * this creates separate trees by name, but maintains that the 502 * ipsec name leads to all the old leaves. 503 */ 504 505 /* create net.inet.ipip */ 506 sysctl_createv(clog, 0, NULL, NULL, 507 CTLFLAG_PERMANENT, 508 CTLTYPE_NODE, "ipip", NULL, 509 NULL, 0, NULL, 0, 510 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 511 sysctl_createv(clog, 0, NULL, NULL, 512 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 513 CTLTYPE_STRUCT, "ipip_stats", NULL, 514 sysctl_net_inet_ipip_stats, 0, NULL, 0, 515 CTL_NET, PF_INET, IPPROTO_IPIP, 516 CTL_CREATE, CTL_EOL); 517 518 /* create net.inet.esp subtree under IPPROTO_ESP */ 519 sysctl_createv(clog, 0, NULL, NULL, 520 CTLFLAG_PERMANENT, 521 CTLTYPE_NODE, "esp", NULL, 522 NULL, 0, NULL, 0, 523 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 524 sysctl_createv(clog, 0, NULL, NULL, 525 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 526 CTLTYPE_STRUCT, "esp_stats", NULL, 527 sysctl_net_inet_esp_stats, 0, NULL, 0, 528 CTL_NET, PF_INET, IPPROTO_ESP, 529 CTL_CREATE, CTL_EOL); 530 531 /* create net.inet.ah subtree under IPPROTO_AH */ 532 sysctl_createv(clog, 0, NULL, NULL, 533 CTLFLAG_PERMANENT, 534 CTLTYPE_NODE, "ah", NULL, 535 NULL, 0, NULL, 0, 536 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 537 sysctl_createv(clog, 0, NULL, NULL, 538 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 539 CTLTYPE_STRUCT, "ah_stats", NULL, 540 sysctl_net_inet_ah_stats, 0, NULL, 0, 541 CTL_NET, PF_INET, IPPROTO_AH, 542 CTL_CREATE, CTL_EOL); 543 544 /* create net.inet.ipcomp */ 545 sysctl_createv(clog, 0, NULL, NULL, 546 CTLFLAG_PERMANENT, 547 CTLTYPE_NODE, "ipcomp", NULL, 548 NULL, 0, NULL, 0, 549 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 550 sysctl_createv(clog, 0, NULL, NULL, 551 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 552 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 553 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 554 CTL_NET, PF_INET, IPPROTO_IPCOMP, 555 CTL_CREATE, CTL_EOL); 556 557 /* create net.inet.ipsec subtree under dynamic oid */ 558 sysctl_createv(clog, 0, NULL, &_ipsec, 559 CTLFLAG_PERMANENT, 560 CTLTYPE_NODE, "ipsec", NULL, 561 NULL, 0, NULL, 0, 562 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 563 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 564 565 sysctl_createv(clog, 0, NULL, NULL, 566 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 567 CTLTYPE_INT, "def_policy", NULL, 568 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 569 CTL_NET, PF_INET, ipproto_ipsec, 570 IPSECCTL_DEF_POLICY, CTL_EOL); 571 sysctl_createv(clog, 0, NULL, NULL, 572 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 573 CTLTYPE_INT, "esp_trans_deflev", NULL, 574 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 575 CTL_NET, PF_INET, ipproto_ipsec, 576 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 577 sysctl_createv(clog, 0, NULL, NULL, 578 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 579 CTLTYPE_INT, "esp_net_deflev", NULL, 580 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 581 CTL_NET, PF_INET, ipproto_ipsec, 582 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 583 sysctl_createv(clog, 0, NULL, NULL, 584 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 585 CTLTYPE_INT, "ah_trans_deflev", NULL, 586 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 587 CTL_NET, PF_INET, ipproto_ipsec, 588 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 589 sysctl_createv(clog, 0, NULL, NULL, 590 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 591 CTLTYPE_INT, "ah_net_deflev", NULL, 592 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 593 CTL_NET, PF_INET, ipproto_ipsec, 594 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 595 sysctl_createv(clog, 0, NULL, NULL, 596 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 597 CTLTYPE_INT, "ah_cleartos", NULL, 598 NULL, 0, &ip4_ah_cleartos, 0, 599 CTL_NET, PF_INET, ipproto_ipsec, 600 IPSECCTL_AH_CLEARTOS, CTL_EOL); 601 sysctl_createv(clog, 0, NULL, NULL, 602 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 603 CTLTYPE_INT, "ah_offsetmask", NULL, 604 NULL, 0, &ip4_ah_offsetmask, 0, 605 CTL_NET, PF_INET, ipproto_ipsec, 606 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 607 sysctl_createv(clog, 0, NULL, NULL, 608 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 609 CTLTYPE_INT, "dfbit", NULL, 610 NULL, 0, &ip4_ipsec_dfbit, 0, 611 CTL_NET, PF_INET, ipproto_ipsec, 612 IPSECCTL_DFBIT, CTL_EOL); 613 sysctl_createv(clog, 0, NULL, NULL, 614 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 615 CTLTYPE_INT, "ecn", NULL, 616 NULL, 0, &ip4_ipsec_ecn, 0, 617 CTL_NET, PF_INET, ipproto_ipsec, 618 IPSECCTL_ECN, CTL_EOL); 619 sysctl_createv(clog, 0, NULL, NULL, 620 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 621 CTLTYPE_INT, "debug", NULL, 622 NULL, 0, &ipsec_debug, 0, 623 CTL_NET, PF_INET, ipproto_ipsec, 624 IPSECCTL_DEBUG, CTL_EOL); 625 sysctl_createv(clog, 0, NULL, NULL, 626 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 627 CTLTYPE_INT, "ipip_spoofcheck", NULL, 628 NULL, 0, &ipip_spoofcheck, 0, 629 CTL_NET, PF_INET, ipproto_ipsec, 630 CTL_CREATE, CTL_EOL); 631 sysctl_createv(clog, 0, NULL, NULL, 632 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 633 CTLTYPE_STRUCT, "ipsecstats", NULL, 634 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 635 CTL_NET, PF_INET, ipproto_ipsec, 636 CTL_CREATE, CTL_EOL); 637 sysctl_createv(clog, 0, NULL, NULL, 638 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 639 CTLTYPE_INT, "enabled", 640 SYSCTL_DESCR("Enable IPSec processing"), 641 sysctl_net_ipsec_enabled, 0, NULL, 0, 642 CTL_NET, PF_INET, ipproto_ipsec, 643 CTL_CREATE, CTL_EOL); 644 sysctl_createv(clog, 0, NULL, NULL, 645 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 646 CTLTYPE_INT, "used", 647 SYSCTL_DESCR("Is IPSec active?"), 648 NULL, 0, &ipsec_used, 0, 649 CTL_NET, PF_INET, ipproto_ipsec, 650 CTL_CREATE, CTL_EOL); 651 sysctl_createv(clog, 0, NULL, NULL, 652 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 653 CTLTYPE_INT, "ah_enable", NULL, 654 NULL, 0, &ah_enable, 0, 655 CTL_NET, PF_INET, ipproto_ipsec, 656 CTL_CREATE, CTL_EOL); 657 sysctl_createv(clog, 0, NULL, NULL, 658 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 659 CTLTYPE_INT, "esp_enable", NULL, 660 NULL, 0, &esp_enable, 0, 661 CTL_NET, PF_INET, ipproto_ipsec, 662 CTL_CREATE, CTL_EOL); 663 sysctl_createv(clog, 0, NULL, NULL, 664 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 665 CTLTYPE_INT, "ipcomp_enable", NULL, 666 NULL, 0, &ipcomp_enable, 0, 667 CTL_NET, PF_INET, ipproto_ipsec, 668 CTL_CREATE, CTL_EOL); 669 sysctl_createv(clog, 0, NULL, NULL, 670 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 671 CTLTYPE_INT, "crypto_support", NULL, 672 NULL, 0, &crypto_support, 0, 673 CTL_NET, PF_INET, ipproto_ipsec, 674 CTL_CREATE, CTL_EOL); 675 676 #ifdef IPSEC_DEBUG 677 sysctl_createv(clog, 0, NULL, NULL, 678 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 679 CTLTYPE_INT, "test_replay", 680 SYSCTL_DESCR("Emulate replay attack"), 681 sysctl_ipsec_test, 0, &ipsec_replay, 0, 682 CTL_NET, PF_INET, ipproto_ipsec, 683 CTL_CREATE, CTL_EOL); 684 sysctl_createv(clog, 0, NULL, NULL, 685 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 686 CTLTYPE_INT, "test_integrity", 687 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 688 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 689 CTL_NET, PF_INET, ipproto_ipsec, 690 CTL_CREATE, CTL_EOL); 691 #endif 692 } 693 694 #ifdef INET6 695 void 696 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 697 { 698 699 sysctl_createv(clog, 0, NULL, NULL, 700 CTLFLAG_PERMANENT, 701 CTLTYPE_NODE, "inet6", NULL, 702 NULL, 0, NULL, 0, 703 CTL_NET, PF_INET6, CTL_EOL); 704 sysctl_createv(clog, 0, NULL, NULL, 705 CTLFLAG_PERMANENT, 706 CTLTYPE_NODE, "ipsec6", 707 SYSCTL_DESCR("IPv6 related IPSec settings"), 708 NULL, 0, NULL, 0, 709 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 710 711 sysctl_createv(clog, 0, NULL, NULL, 712 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 713 CTLTYPE_STRUCT, "stats", 714 SYSCTL_DESCR("IPSec statistics and counters"), 715 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 716 CTL_NET, PF_INET6, IPPROTO_AH, 717 IPSECCTL_STATS, CTL_EOL); 718 sysctl_createv(clog, 0, NULL, NULL, 719 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 720 CTLTYPE_INT, "def_policy", 721 SYSCTL_DESCR("Default action for non-IPSec packets"), 722 sysctl_ipsec, 0, &ip6_def_policy.policy, 0, 723 CTL_NET, PF_INET6, IPPROTO_AH, 724 IPSECCTL_DEF_POLICY, CTL_EOL); 725 sysctl_createv(clog, 0, NULL, NULL, 726 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 727 CTLTYPE_INT, "esp_trans_deflev", 728 SYSCTL_DESCR("Default required security level for " 729 "transport mode traffic"), 730 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 731 CTL_NET, PF_INET6, IPPROTO_AH, 732 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 733 sysctl_createv(clog, 0, NULL, NULL, 734 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 735 CTLTYPE_INT, "esp_net_deflev", 736 SYSCTL_DESCR("Default required security level for " 737 "tunneled traffic"), 738 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 739 CTL_NET, PF_INET6, IPPROTO_AH, 740 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 741 sysctl_createv(clog, 0, NULL, NULL, 742 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 743 CTLTYPE_INT, "ah_trans_deflev", 744 SYSCTL_DESCR("Default required security level for " 745 "transport mode headers"), 746 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 747 CTL_NET, PF_INET6, IPPROTO_AH, 748 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 749 sysctl_createv(clog, 0, NULL, NULL, 750 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 751 CTLTYPE_INT, "ah_net_deflev", 752 SYSCTL_DESCR("Default required security level for " 753 "tunneled headers"), 754 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 755 CTL_NET, PF_INET6, IPPROTO_AH, 756 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 757 sysctl_createv(clog, 0, NULL, NULL, 758 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 759 CTLTYPE_INT, "ecn", 760 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 761 NULL, 0, &ip6_ipsec_ecn, 0, 762 CTL_NET, PF_INET6, IPPROTO_AH, 763 IPSECCTL_ECN, CTL_EOL); 764 sysctl_createv(clog, 0, NULL, NULL, 765 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 766 CTLTYPE_INT, "debug", 767 SYSCTL_DESCR("Enable IPSec debugging output"), 768 NULL, 0, &ipsec_debug, 0, 769 CTL_NET, PF_INET6, IPPROTO_AH, 770 IPSECCTL_DEBUG, CTL_EOL); 771 sysctl_createv(clog, 0, NULL, NULL, 772 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 773 CTLTYPE_INT, "enabled", 774 SYSCTL_DESCR("Enable IPSec processing"), 775 sysctl_net_ipsec_enabled, 0, NULL, 0, 776 CTL_NET, PF_INET6, IPPROTO_AH, 777 CTL_CREATE, CTL_EOL); 778 sysctl_createv(clog, 0, NULL, NULL, 779 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 780 CTLTYPE_INT, "used", 781 SYSCTL_DESCR("Is IPSec active?"), 782 NULL, 0, &ipsec_used, 0, 783 CTL_NET, PF_INET6, IPPROTO_AH, 784 CTL_CREATE, CTL_EOL); 785 } 786 #endif /* INET6 */ 787