xref: /netbsd-src/sys/netipsec/ipsec_netbsd.c (revision a536ee5124e62c9a0051a252f7833dc8f50f44c9)
1 /*	$NetBSD: ipsec_netbsd.c,v 1.34 2012/06/02 21:36:48 dsl Exp $	*/
2 /*	$KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $	*/
3 /*	$KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $	*/
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.34 2012/06/02 21:36:48 dsl Exp $");
36 
37 #include "opt_inet.h"
38 #include "opt_ipsec.h"
39 
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/mbuf.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/kernel.h>
50 #include <sys/sysctl.h>
51 
52 #include <net/if.h>
53 #include <net/route.h>
54 #include <net/netisr.h>
55 #include <sys/cpu.h>
56 
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
64 
65 
66 #include <netipsec/ipsec.h>
67 #include <netipsec/ipsec_var.h>
68 #include <netipsec/ipsec_private.h>
69 #include <netipsec/key.h>
70 #include <netipsec/keydb.h>
71 #include <netipsec/key_debug.h>
72 #include <netipsec/ah.h>
73 #include <netipsec/ah_var.h>
74 #include <netipsec/esp.h>
75 #include <netipsec/esp_var.h>
76 #include <netipsec/ipip_var.h>
77 #include <netipsec/ipcomp_var.h>
78 
79 #ifdef INET6
80 #include <netipsec/ipsec6.h>
81 #include <netinet6/ip6protosw.h>
82 #include <netinet/icmp6.h>
83 #endif
84 
85 #include <netipsec/key.h>
86 
87 /* assumes that ip header and ah header are contiguous on mbuf */
88 void*
89 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
90 {
91 	struct ip *ip = v;
92 	struct ah *ah;
93 	struct icmp *icp;
94 	struct secasvar *sav;
95 
96 	if (sa->sa_family != AF_INET ||
97 		sa->sa_len != sizeof(struct sockaddr_in))
98 		return NULL;
99 	if ((unsigned)cmd >= PRC_NCMDS)
100 		return NULL;
101 
102 	if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
103 		/*
104 		 * Check to see if we have a valid SA corresponding to
105 		 * the address in the ICMP message payload.
106 		 */
107 		ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
108 		sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
109 					   	IPPROTO_AH, ah->ah_spi, 0, 0);
110 
111 		if (sav) {
112         	if (sav->state == SADB_SASTATE_MATURE ||
113                 sav->state == SADB_SASTATE_DYING) {
114 
115 				/*
116 				 * Now that we've validated that we are actually
117 				 * communicating with the host indicated in the
118 				 * ICMP message, locate the ICMP header,
119 				 * recalculate the new MTU, and create the
120 		 		 * corresponding routing entry.
121 		 		 */
122 				icp = (struct icmp *)((char *)ip -
123 									  offsetof(struct icmp, icmp_ip));
124 				icmp_mtudisc(icp, ip->ip_dst);
125 
126 			}
127 			KEY_FREESAV(&sav);
128 		}
129 	}
130 	return NULL;
131 }
132 
133 
134 
135 /* assumes that ip header and esp header are contiguous on mbuf */
136 void*
137 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
138 {
139 	struct ip *ip = v;
140 	struct esp *esp;
141 	struct icmp *icp;
142 	struct secasvar *sav;
143 
144 	if (sa->sa_family != AF_INET ||
145 	    sa->sa_len != sizeof(struct sockaddr_in))
146 		return NULL;
147 	if ((unsigned)cmd >= PRC_NCMDS)
148 		return NULL;
149 
150 	if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
151 		/*
152 		 * Check to see if we have a valid SA corresponding to
153 		 * the address in the ICMP message payload.
154 		 */
155 		esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
156 		sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
157 					   	IPPROTO_ESP, esp->esp_spi, 0, 0);
158 
159 		if (sav) {
160         	if (sav->state == SADB_SASTATE_MATURE ||
161                 sav->state == SADB_SASTATE_DYING) {
162 
163 				/*
164 				 * Now that we've validated that we are actually
165 				 * communicating with the host indicated in the
166 				 * ICMP message, locate the ICMP header,
167 				 * recalculate the new MTU, and create the
168 		 		 * corresponding routing entry.
169 		 		 */
170 
171 				icp = (struct icmp *)((char *)ip -
172 									   offsetof(struct icmp, icmp_ip));
173 				icmp_mtudisc(icp, ip->ip_dst);
174 
175 			}
176 			KEY_FREESAV(&sav);
177 		}
178 	}
179 	return NULL;
180 }
181 
182 #ifdef INET6
183 void *
184 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
185 {
186        const struct newah *ahp;
187        struct newah ah;
188        struct secasvar *sav;
189        struct ip6_hdr *ip6;
190        struct mbuf *m;
191        struct ip6ctlparam *ip6cp = NULL;
192        int off;
193 
194        if (sa->sa_family != AF_INET6 ||
195            sa->sa_len != sizeof(struct sockaddr_in6))
196                return NULL;
197        if ((unsigned)cmd >= PRC_NCMDS)
198                return NULL;
199 
200        /* if the parameter is from icmp6, decode it. */
201        if (d != NULL) {
202                ip6cp = (struct ip6ctlparam *)d;
203                m = ip6cp->ip6c_m;
204                ip6 = ip6cp->ip6c_ip6;
205                off = ip6cp->ip6c_off;
206        } else {
207                m = NULL;
208                ip6 = NULL;
209                off = 0;
210        }
211 
212        if (ip6) {
213                /*
214                 * XXX: We assume that when ip6 is non NULL,
215                 * M and OFF are valid.
216                 */
217 
218                /* check if we can safely examine src and dst ports */
219                if (m->m_pkthdr.len < off + sizeof(ah))
220                        return NULL;
221 
222                if (m->m_len < off + sizeof(ah)) {
223                        /*
224                         * this should be rare case,
225                         * so we compromise on this copy...
226                         */
227                        m_copydata(m, off, sizeof(ah), &ah);
228                        ahp = &ah;
229                } else
230                        ahp = (struct newah *)(mtod(m, char *) + off);
231 
232                if (cmd == PRC_MSGSIZE) {
233                        int valid = 0;
234 
235                        /*
236                         * Check to see if we have a valid SA corresponding
237                         * to the address in the ICMP message payload.
238                         */
239                        sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
240                                          IPPROTO_AH, ahp->ah_spi, 0, 0);
241 
242                        if (sav) {
243                                if (sav->state == SADB_SASTATE_MATURE ||
244                                    sav->state == SADB_SASTATE_DYING)
245                                        valid++;
246                                KEY_FREESAV(&sav);
247                        }
248 
249                        /* XXX Further validation? */
250 
251                        /*
252                         * Depending on the value of "valid" and routing
253                         * table size (mtudisc_{hi,lo}wat), we will:
254                         * - recalcurate the new MTU and create the
255                         *   corresponding routing entry, or
256                         * - ignore the MTU change notification.
257                         */
258                        icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
259                }
260 
261                /* we normally notify single pcb here */
262        } else {
263                /* we normally notify any pcb here */
264        }
265 	   return NULL;
266 }
267 
268 
269 
270 void *
271 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
272 {
273 	const struct newesp *espp;
274 	struct newesp esp;
275 	struct ip6ctlparam *ip6cp = NULL, ip6cp1;
276 	struct secasvar *sav;
277 	struct ip6_hdr *ip6;
278 	struct mbuf *m;
279 	int off;
280 
281 	if (sa->sa_family != AF_INET6 ||
282 	    sa->sa_len != sizeof(struct sockaddr_in6))
283 		return NULL;
284 	if ((unsigned)cmd >= PRC_NCMDS)
285 		return NULL;
286 
287 	/* if the parameter is from icmp6, decode it. */
288 	if (d != NULL) {
289 		ip6cp = (struct ip6ctlparam *)d;
290 		m = ip6cp->ip6c_m;
291 		ip6 = ip6cp->ip6c_ip6;
292 		off = ip6cp->ip6c_off;
293 	} else {
294 		m = NULL;
295 		ip6 = NULL;
296 		off = 0;
297 	}
298 
299 	if (ip6) {
300 		/*
301 		 * Notify the error to all possible sockets via pfctlinput2.
302 		 * Since the upper layer information (such as protocol type,
303 		 * source and destination ports) is embedded in the encrypted
304 		 * data and might have been cut, we can't directly call
305 		 * an upper layer ctlinput function. However, the pcbnotify
306 		 * function will consider source and destination addresses
307 		 * as well as the flow info value, and may be able to find
308 		 * some PCB that should be notified.
309 		 * Although pfctlinput2 will call esp6_ctlinput(), there is
310 		 * no possibility of an infinite loop of function calls,
311 		 * because we don't pass the inner IPv6 header.
312 		 */
313 		memset(&ip6cp1, 0, sizeof(ip6cp1));
314 		ip6cp1.ip6c_src = ip6cp->ip6c_src;
315 		pfctlinput2(cmd, sa, &ip6cp1);
316 
317 		/*
318 		 * Then go to special cases that need ESP header information.
319 		 * XXX: We assume that when ip6 is non NULL,
320 		 * M and OFF are valid.
321 		 */
322 
323 		/* check if we can safely examine src and dst ports */
324 		if (m->m_pkthdr.len < off + sizeof(esp))
325 			return NULL;
326 
327 		if (m->m_len < off + sizeof(esp)) {
328 			/*
329 			 * this should be rare case,
330 			 * so we compromise on this copy...
331 			 */
332 			m_copydata(m, off, sizeof(esp), &esp);
333 			espp = &esp;
334 		} else
335 			espp = (struct newesp*)(mtod(m, char *) + off);
336 
337 		if (cmd == PRC_MSGSIZE) {
338 			int valid = 0;
339 
340 			/*
341 			 * Check to see if we have a valid SA corresponding to
342 			 * the address in the ICMP message payload.
343 			 */
344 
345 			sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
346 					  IPPROTO_ESP, espp->esp_spi, 0, 0);
347 
348 			if (sav) {
349 				if (sav->state == SADB_SASTATE_MATURE ||
350 				    sav->state == SADB_SASTATE_DYING)
351 					valid++;
352 				KEY_FREESAV(&sav);
353 			}
354 
355 			/* XXX Further validation? */
356 
357 			/*
358 			 * Depending on the value of "valid" and routing table
359 			 * size (mtudisc_{hi,lo}wat), we will:
360 			 * - recalcurate the new MTU and create the
361 			 *   corresponding routing entry, or
362 			 * - ignore the MTU change notification.
363 			 */
364 			icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
365 		}
366 	} else {
367 		/* we normally notify any pcb here */
368 	}
369 	return NULL;
370 }
371 #endif /* INET6 */
372 
373 static int
374 sysctl_fast_ipsec(SYSCTLFN_ARGS)
375 {
376 	int error, t;
377 	struct sysctlnode node;
378 
379 	node = *rnode;
380 	t = *(int*)rnode->sysctl_data;
381 	node.sysctl_data = &t;
382 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
383 	if (error || newp == NULL)
384 		return (error);
385 
386 	switch (rnode->sysctl_num) {
387 	case IPSECCTL_DEF_ESP_TRANSLEV:
388 	case IPSECCTL_DEF_ESP_NETLEV:
389 	case IPSECCTL_DEF_AH_TRANSLEV:
390 	case IPSECCTL_DEF_AH_NETLEV:
391 		if (t != IPSEC_LEVEL_USE &&
392 		    t != IPSEC_LEVEL_REQUIRE)
393 			return (EINVAL);
394 		ipsec_invalpcbcacheall();
395 		break;
396       	case IPSECCTL_DEF_POLICY:
397 		if (t != IPSEC_POLICY_DISCARD &&
398 		    t != IPSEC_POLICY_NONE)
399 			return (EINVAL);
400 		ipsec_invalpcbcacheall();
401 		break;
402 	default:
403 		return (EINVAL);
404 	}
405 
406 	*(int*)rnode->sysctl_data = t;
407 
408 	return (0);
409 }
410 
411 #ifdef IPSEC_DEBUG
412 static int
413 sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
414 {
415 	int t, error;
416 	struct sysctlnode node;
417 
418 	node = *rnode;
419 	t = *(int*)rnode->sysctl_data;
420 	node.sysctl_data = &t;
421 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
422 	if (error || newp == NULL)
423 		return (error);
424 
425 	if (t < 0 || t > 1)
426 		return EINVAL;
427 
428 	if (rnode->sysctl_data == &ipsec_replay)
429 		printf("fast_ipsec: Anti-Replay service %s\n",
430 		    (t == 1) ? "deactivated" : "activated");
431 	else if (rnode->sysctl_data == &ipsec_integrity)
432 		 printf("fast_ipsec: HMAC corruption %s\n",
433 		     (t == 0) ? "deactivated" : "activated");
434 
435 	*(int*)rnode->sysctl_data = t;
436 
437 	return 0;
438 }
439 #endif
440 
441 static int
442 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS)
443 {
444 
445 	return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
446 }
447 
448 static int
449 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
450 {
451 
452 	return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
453 }
454 
455 static int
456 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
457 {
458 
459 	return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
460 }
461 
462 static int
463 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
464 {
465 
466 	return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
467 }
468 
469 static int
470 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
471 {
472 
473 	return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
474 }
475 
476 /* XXX will need a different oid at parent */
477 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
478 {
479 	const struct sysctlnode *_ipsec;
480 	int ipproto_ipsec;
481 
482 	sysctl_createv(clog, 0, NULL, NULL,
483 		       CTLFLAG_PERMANENT,
484 		       CTLTYPE_NODE, "net", NULL,
485 		       NULL, 0, NULL, 0,
486 		       CTL_NET, CTL_EOL);
487 	sysctl_createv(clog, 0, NULL, NULL,
488 		       CTLFLAG_PERMANENT,
489 		       CTLTYPE_NODE, "inet", NULL,
490 		       NULL, 0, NULL, 0,
491 		       CTL_NET, PF_INET, CTL_EOL);
492 
493 	/*
494 	 * in numerical order:
495 	 *
496 	 * net.inet.ipip:	CTL_NET.PF_INET.IPPROTO_IPIP
497 	 * net.inet.esp:	CTL_NET.PF_INET.IPPROTO_ESP
498 	 * net.inet.ah:		CTL_NET.PF_INET.IPPROTO_AH
499 	 * net.inet.ipcomp:	CTL_NET.PF_INET.IPPROTO_IPCOMP
500 	 * net.inet.ipsec:	CTL_NET.PF_INET.CTL_CREATE
501 	 *
502 	 * this creates separate trees by name, but maintains that the
503 	 * ipsec name leads to all the old leaves.
504 	 */
505 
506 	/* create net.inet.ipip */
507 	sysctl_createv(clog, 0, NULL, NULL,
508 		       CTLFLAG_PERMANENT,
509 		       CTLTYPE_NODE, "ipip", NULL,
510 		       NULL, 0, NULL, 0,
511 		       CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
512 	sysctl_createv(clog, 0, NULL, NULL,
513 		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
514 		       CTLTYPE_STRUCT, "ipip_stats", NULL,
515 		       sysctl_net_inet_ipip_stats, 0, NULL, 0,
516 		       CTL_NET, PF_INET, IPPROTO_IPIP,
517 		       CTL_CREATE, CTL_EOL);
518 
519 	/* create net.inet.esp subtree under IPPROTO_ESP */
520 	sysctl_createv(clog, 0, NULL, NULL,
521 		       CTLFLAG_PERMANENT,
522 		       CTLTYPE_NODE, "esp", NULL,
523 		       NULL, 0, NULL, 0,
524 		       CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
525 	sysctl_createv(clog, 0, NULL, NULL,
526 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
527 		       CTLTYPE_INT, "trans_deflev", NULL,
528 		       sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
529 		       CTL_NET, PF_INET, IPPROTO_ESP,
530 		       IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
531 	sysctl_createv(clog, 0, NULL, NULL,
532 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
533 		       CTLTYPE_INT, "net_deflev", NULL,
534 		       sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
535 		       CTL_NET, PF_INET, IPPROTO_ESP,
536 		       IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
537 	sysctl_createv(clog, 0, NULL, NULL,
538 		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
539 		       CTLTYPE_STRUCT, "esp_stats", NULL,
540 		       sysctl_net_inet_esp_stats, 0, NULL, 0,
541 		       CTL_NET, PF_INET, IPPROTO_ESP,
542 		       CTL_CREATE, CTL_EOL);
543 
544 	/* create net.inet.ah subtree under IPPROTO_AH */
545 	sysctl_createv(clog, 0, NULL, NULL,
546 		       CTLFLAG_PERMANENT,
547 		       CTLTYPE_NODE, "ah", NULL,
548 		       NULL, 0, NULL, 0,
549 		       CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
550 	sysctl_createv(clog, 0, NULL, NULL,
551 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
552 		       CTLTYPE_INT, "cleartos", NULL,
553 		       NULL, 0, &ip4_ah_cleartos, 0,
554 		       CTL_NET, PF_INET, IPPROTO_AH,
555 		       IPSECCTL_AH_CLEARTOS, CTL_EOL);
556 	sysctl_createv(clog, 0, NULL, NULL,
557 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
558 		       CTLTYPE_INT, "offsetmask", NULL,
559 		       NULL, 0, &ip4_ah_offsetmask, 0,
560 		       CTL_NET, PF_INET, IPPROTO_AH,
561 		       IPSECCTL_AH_OFFSETMASK, CTL_EOL);
562 	sysctl_createv(clog, 0, NULL, NULL,
563 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
564 		       CTLTYPE_INT, "trans_deflev", NULL,
565 		       sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
566 		       CTL_NET, PF_INET, IPPROTO_AH,
567 		       IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
568 	sysctl_createv(clog, 0, NULL, NULL,
569 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
570 		       CTLTYPE_INT, "net_deflev", NULL,
571 		       sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
572 		       CTL_NET, PF_INET, IPPROTO_AH,
573 		       IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
574 	sysctl_createv(clog, 0, NULL, NULL,
575 		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
576 		       CTLTYPE_STRUCT, "ah_stats", NULL,
577 		       sysctl_net_inet_ah_stats, 0, NULL, 0,
578 		       CTL_NET, PF_INET, IPPROTO_AH,
579 		       CTL_CREATE, CTL_EOL);
580 
581 	/* create net.inet.ipcomp */
582 	sysctl_createv(clog, 0, NULL, NULL,
583 		       CTLFLAG_PERMANENT,
584 		       CTLTYPE_NODE, "ipcomp", NULL,
585 		       NULL, 0, NULL, 0,
586 		       CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
587 	sysctl_createv(clog, 0, NULL, NULL,
588 		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
589 		       CTLTYPE_STRUCT, "ipcomp_stats", NULL,
590 		       sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
591 		       CTL_NET, PF_INET, IPPROTO_IPCOMP,
592 		       CTL_CREATE, CTL_EOL);
593 
594 	/* create net.inet.ipsec subtree under dynamic oid */
595 	sysctl_createv(clog, 0, NULL, &_ipsec,
596 		       CTLFLAG_PERMANENT,
597 		       CTLTYPE_NODE, "ipsec", NULL,
598 		       NULL, 0, NULL, 0,
599 		       CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
600 	ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
601 
602 	sysctl_createv(clog, 0, NULL, NULL,
603 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
604 		       CTLTYPE_INT, "def_policy", NULL,
605 		       sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
606 		       CTL_NET, PF_INET, ipproto_ipsec,
607 		       IPSECCTL_DEF_POLICY, CTL_EOL);
608 	sysctl_createv(clog, 0, NULL, NULL,
609 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
610 		       CTLTYPE_INT, "esp_trans_deflev", NULL,
611 		       sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
612 		       CTL_NET, PF_INET, ipproto_ipsec,
613 		       IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
614 	sysctl_createv(clog, 0, NULL, NULL,
615 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
616 		       CTLTYPE_INT, "esp_net_deflev", NULL,
617 		       sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
618 		       CTL_NET, PF_INET, ipproto_ipsec,
619 		       IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
620 	sysctl_createv(clog, 0, NULL, NULL,
621 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
622 		       CTLTYPE_INT, "ah_trans_deflev", NULL,
623 		       sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
624 		       CTL_NET, PF_INET, ipproto_ipsec,
625 		       IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
626 	sysctl_createv(clog, 0, NULL, NULL,
627 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
628 		       CTLTYPE_INT, "ah_net_deflev", NULL,
629 		       sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
630 		       CTL_NET, PF_INET, ipproto_ipsec,
631 		       IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
632 	sysctl_createv(clog, 0, NULL, NULL,
633 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
634 		       CTLTYPE_INT, "ah_cleartos", NULL,
635 		       NULL, 0, &ip4_ah_cleartos, 0,
636 		       CTL_NET, PF_INET, ipproto_ipsec,
637 		       IPSECCTL_AH_CLEARTOS, CTL_EOL);
638 	sysctl_createv(clog, 0, NULL, NULL,
639 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
640 		       CTLTYPE_INT, "ah_offsetmask", NULL,
641 		       NULL, 0, &ip4_ah_offsetmask, 0,
642 		       CTL_NET, PF_INET, ipproto_ipsec,
643 		       IPSECCTL_AH_OFFSETMASK, CTL_EOL);
644 	sysctl_createv(clog, 0, NULL, NULL,
645 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
646 		       CTLTYPE_INT, "dfbit", NULL,
647 		       NULL, 0, &ip4_ipsec_dfbit, 0,
648 		       CTL_NET, PF_INET, ipproto_ipsec,
649 		       IPSECCTL_DFBIT, CTL_EOL);
650 	sysctl_createv(clog, 0, NULL, NULL,
651 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
652 		       CTLTYPE_INT, "ecn", NULL,
653 		       NULL, 0, &ip4_ipsec_ecn, 0,
654 		       CTL_NET, PF_INET, ipproto_ipsec,
655 		       IPSECCTL_ECN, CTL_EOL);
656 	sysctl_createv(clog, 0, NULL, NULL,
657 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
658 		       CTLTYPE_INT, "debug", NULL,
659 		       NULL, 0, &ipsec_debug, 0,
660 		       CTL_NET, PF_INET, ipproto_ipsec,
661 		       IPSECCTL_DEBUG, CTL_EOL);
662 	sysctl_createv(clog, 0, NULL, NULL,
663 		       CTLFLAG_PERMANENT|CTLFLAG_READONLY,
664 		       CTLTYPE_STRUCT, "ipsecstats", NULL,
665 		       sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
666 		       CTL_NET, PF_INET, ipproto_ipsec,
667 		       CTL_CREATE, CTL_EOL);
668 #ifdef IPSEC_DEBUG
669 	sysctl_createv(clog, 0, NULL, NULL,
670 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
671 		       CTLTYPE_INT, "test_replay",
672 		       SYSCTL_DESCR("Emulate replay attack"),
673 		       sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
674 		       CTL_NET, PF_INET, ipproto_ipsec,
675 		       CTL_CREATE, CTL_EOL);
676 	sysctl_createv(clog, 0, NULL, NULL,
677 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
678 		       CTLTYPE_INT, "test_integrity",
679 		       SYSCTL_DESCR("Emulate man-in-the-middle attack"),
680 		       sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
681 		       CTL_NET, PF_INET, ipproto_ipsec,
682 		       CTL_CREATE, CTL_EOL);
683 #endif
684 }
685 
686 #ifdef INET6
687 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup,
688 	     "sysctl net.inet6.ipsec6 subtree setup")
689 {
690 
691 	sysctl_createv(clog, 0, NULL, NULL,
692 		       CTLFLAG_PERMANENT,
693 		       CTLTYPE_NODE, "net", NULL,
694 		       NULL, 0, NULL, 0,
695 		       CTL_NET, CTL_EOL);
696 	sysctl_createv(clog, 0, NULL, NULL,
697 		       CTLFLAG_PERMANENT,
698 		       CTLTYPE_NODE, "inet6", NULL,
699 		       NULL, 0, NULL, 0,
700 		       CTL_NET, PF_INET6, CTL_EOL);
701 	sysctl_createv(clog, 0, NULL, NULL,
702 		       CTLFLAG_PERMANENT,
703 		       CTLTYPE_NODE, "ipsec6",
704 		       SYSCTL_DESCR("IPv6 related IPSec settings"),
705 		       NULL, 0, NULL, 0,
706 		       CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
707 
708 	sysctl_createv(clog, 0, NULL, NULL,
709 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
710 		       CTLTYPE_STRUCT, "stats",
711 		       SYSCTL_DESCR("IPSec statistics and counters"),
712 		       sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
713 		       CTL_NET, PF_INET6, IPPROTO_AH,
714 		       IPSECCTL_STATS, CTL_EOL);
715 	sysctl_createv(clog, 0, NULL, NULL,
716 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
717 		       CTLTYPE_INT, "def_policy",
718 		       SYSCTL_DESCR("Default action for non-IPSec packets"),
719 		       sysctl_fast_ipsec, 0, (void *)&ip6_def_policy, 0,
720 		       CTL_NET, PF_INET6, IPPROTO_AH,
721 		       IPSECCTL_DEF_POLICY, CTL_EOL);
722 	sysctl_createv(clog, 0, NULL, NULL,
723 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
724 		       CTLTYPE_INT, "esp_trans_deflev",
725 		       SYSCTL_DESCR("Default required security level for "
726 				    "transport mode traffic"),
727 		       sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0,
728 		       CTL_NET, PF_INET6, IPPROTO_AH,
729 		       IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
730 	sysctl_createv(clog, 0, NULL, NULL,
731 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
732 		       CTLTYPE_INT, "esp_net_deflev",
733 		       SYSCTL_DESCR("Default required security level for "
734 				    "tunneled traffic"),
735 		       sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0,
736 		       CTL_NET, PF_INET6, IPPROTO_AH,
737 		       IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
738 	sysctl_createv(clog, 0, NULL, NULL,
739 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
740 		       CTLTYPE_INT, "ah_trans_deflev",
741 		       SYSCTL_DESCR("Default required security level for "
742 				    "transport mode headers"),
743 		       sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0,
744 		       CTL_NET, PF_INET6, IPPROTO_AH,
745 		       IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
746 	sysctl_createv(clog, 0, NULL, NULL,
747 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
748 		       CTLTYPE_INT, "ah_net_deflev",
749 		       SYSCTL_DESCR("Default required security level for "
750 				    "tunneled headers"),
751 		       sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0,
752 		       CTL_NET, PF_INET6, IPPROTO_AH,
753 		       IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
754 	sysctl_createv(clog, 0, NULL, NULL,
755 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
756 		       CTLTYPE_INT, "ecn",
757 		       SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
758 		       NULL, 0, &ip6_ipsec_ecn, 0,
759 		       CTL_NET, PF_INET6, IPPROTO_AH,
760 		       IPSECCTL_ECN, CTL_EOL);
761 	sysctl_createv(clog, 0, NULL, NULL,
762 		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
763 		       CTLTYPE_INT, "debug",
764 		       SYSCTL_DESCR("Enable IPSec debugging output"),
765 		       NULL, 0, &ipsec_debug, 0,
766 		       CTL_NET, PF_INET6, IPPROTO_AH,
767 		       IPSECCTL_DEBUG, CTL_EOL);
768 
769 	/*
770 	 * "aliases" for the ipsec6 subtree
771 	 */
772 	sysctl_createv(clog, 0, NULL, NULL,
773 		       CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
774 		       CTLTYPE_NODE, "esp6", NULL,
775 		       NULL, IPPROTO_AH, NULL, 0,
776 		       CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
777 	sysctl_createv(clog, 0, NULL, NULL,
778 		       CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
779 		       CTLTYPE_NODE, "ipcomp6", NULL,
780 		       NULL, IPPROTO_AH, NULL, 0,
781 		       CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
782 	sysctl_createv(clog, 0, NULL, NULL,
783 		       CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
784 		       CTLTYPE_NODE, "ah6", NULL,
785 		       NULL, IPPROTO_AH, NULL, 0,
786 		       CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
787 }
788 #endif /* INET6 */
789