1 /* $NetBSD: ipsec_netbsd.c,v 1.34 2012/06/02 21:36:48 dsl Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.34 2012/06/02 21:36:48 dsl Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <sys/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/key.h> 70 #include <netipsec/keydb.h> 71 #include <netipsec/key_debug.h> 72 #include <netipsec/ah.h> 73 #include <netipsec/ah_var.h> 74 #include <netipsec/esp.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipip_var.h> 77 #include <netipsec/ipcomp_var.h> 78 79 #ifdef INET6 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/ip6protosw.h> 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <netipsec/key.h> 86 87 /* assumes that ip header and ah header are contiguous on mbuf */ 88 void* 89 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 90 { 91 struct ip *ip = v; 92 struct ah *ah; 93 struct icmp *icp; 94 struct secasvar *sav; 95 96 if (sa->sa_family != AF_INET || 97 sa->sa_len != sizeof(struct sockaddr_in)) 98 return NULL; 99 if ((unsigned)cmd >= PRC_NCMDS) 100 return NULL; 101 102 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 103 /* 104 * Check to see if we have a valid SA corresponding to 105 * the address in the ICMP message payload. 106 */ 107 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 108 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 109 IPPROTO_AH, ah->ah_spi, 0, 0); 110 111 if (sav) { 112 if (sav->state == SADB_SASTATE_MATURE || 113 sav->state == SADB_SASTATE_DYING) { 114 115 /* 116 * Now that we've validated that we are actually 117 * communicating with the host indicated in the 118 * ICMP message, locate the ICMP header, 119 * recalculate the new MTU, and create the 120 * corresponding routing entry. 121 */ 122 icp = (struct icmp *)((char *)ip - 123 offsetof(struct icmp, icmp_ip)); 124 icmp_mtudisc(icp, ip->ip_dst); 125 126 } 127 KEY_FREESAV(&sav); 128 } 129 } 130 return NULL; 131 } 132 133 134 135 /* assumes that ip header and esp header are contiguous on mbuf */ 136 void* 137 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 138 { 139 struct ip *ip = v; 140 struct esp *esp; 141 struct icmp *icp; 142 struct secasvar *sav; 143 144 if (sa->sa_family != AF_INET || 145 sa->sa_len != sizeof(struct sockaddr_in)) 146 return NULL; 147 if ((unsigned)cmd >= PRC_NCMDS) 148 return NULL; 149 150 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 151 /* 152 * Check to see if we have a valid SA corresponding to 153 * the address in the ICMP message payload. 154 */ 155 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 156 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 157 IPPROTO_ESP, esp->esp_spi, 0, 0); 158 159 if (sav) { 160 if (sav->state == SADB_SASTATE_MATURE || 161 sav->state == SADB_SASTATE_DYING) { 162 163 /* 164 * Now that we've validated that we are actually 165 * communicating with the host indicated in the 166 * ICMP message, locate the ICMP header, 167 * recalculate the new MTU, and create the 168 * corresponding routing entry. 169 */ 170 171 icp = (struct icmp *)((char *)ip - 172 offsetof(struct icmp, icmp_ip)); 173 icmp_mtudisc(icp, ip->ip_dst); 174 175 } 176 KEY_FREESAV(&sav); 177 } 178 } 179 return NULL; 180 } 181 182 #ifdef INET6 183 void * 184 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 185 { 186 const struct newah *ahp; 187 struct newah ah; 188 struct secasvar *sav; 189 struct ip6_hdr *ip6; 190 struct mbuf *m; 191 struct ip6ctlparam *ip6cp = NULL; 192 int off; 193 194 if (sa->sa_family != AF_INET6 || 195 sa->sa_len != sizeof(struct sockaddr_in6)) 196 return NULL; 197 if ((unsigned)cmd >= PRC_NCMDS) 198 return NULL; 199 200 /* if the parameter is from icmp6, decode it. */ 201 if (d != NULL) { 202 ip6cp = (struct ip6ctlparam *)d; 203 m = ip6cp->ip6c_m; 204 ip6 = ip6cp->ip6c_ip6; 205 off = ip6cp->ip6c_off; 206 } else { 207 m = NULL; 208 ip6 = NULL; 209 off = 0; 210 } 211 212 if (ip6) { 213 /* 214 * XXX: We assume that when ip6 is non NULL, 215 * M and OFF are valid. 216 */ 217 218 /* check if we can safely examine src and dst ports */ 219 if (m->m_pkthdr.len < off + sizeof(ah)) 220 return NULL; 221 222 if (m->m_len < off + sizeof(ah)) { 223 /* 224 * this should be rare case, 225 * so we compromise on this copy... 226 */ 227 m_copydata(m, off, sizeof(ah), &ah); 228 ahp = &ah; 229 } else 230 ahp = (struct newah *)(mtod(m, char *) + off); 231 232 if (cmd == PRC_MSGSIZE) { 233 int valid = 0; 234 235 /* 236 * Check to see if we have a valid SA corresponding 237 * to the address in the ICMP message payload. 238 */ 239 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 240 IPPROTO_AH, ahp->ah_spi, 0, 0); 241 242 if (sav) { 243 if (sav->state == SADB_SASTATE_MATURE || 244 sav->state == SADB_SASTATE_DYING) 245 valid++; 246 KEY_FREESAV(&sav); 247 } 248 249 /* XXX Further validation? */ 250 251 /* 252 * Depending on the value of "valid" and routing 253 * table size (mtudisc_{hi,lo}wat), we will: 254 * - recalcurate the new MTU and create the 255 * corresponding routing entry, or 256 * - ignore the MTU change notification. 257 */ 258 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 259 } 260 261 /* we normally notify single pcb here */ 262 } else { 263 /* we normally notify any pcb here */ 264 } 265 return NULL; 266 } 267 268 269 270 void * 271 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 272 { 273 const struct newesp *espp; 274 struct newesp esp; 275 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 276 struct secasvar *sav; 277 struct ip6_hdr *ip6; 278 struct mbuf *m; 279 int off; 280 281 if (sa->sa_family != AF_INET6 || 282 sa->sa_len != sizeof(struct sockaddr_in6)) 283 return NULL; 284 if ((unsigned)cmd >= PRC_NCMDS) 285 return NULL; 286 287 /* if the parameter is from icmp6, decode it. */ 288 if (d != NULL) { 289 ip6cp = (struct ip6ctlparam *)d; 290 m = ip6cp->ip6c_m; 291 ip6 = ip6cp->ip6c_ip6; 292 off = ip6cp->ip6c_off; 293 } else { 294 m = NULL; 295 ip6 = NULL; 296 off = 0; 297 } 298 299 if (ip6) { 300 /* 301 * Notify the error to all possible sockets via pfctlinput2. 302 * Since the upper layer information (such as protocol type, 303 * source and destination ports) is embedded in the encrypted 304 * data and might have been cut, we can't directly call 305 * an upper layer ctlinput function. However, the pcbnotify 306 * function will consider source and destination addresses 307 * as well as the flow info value, and may be able to find 308 * some PCB that should be notified. 309 * Although pfctlinput2 will call esp6_ctlinput(), there is 310 * no possibility of an infinite loop of function calls, 311 * because we don't pass the inner IPv6 header. 312 */ 313 memset(&ip6cp1, 0, sizeof(ip6cp1)); 314 ip6cp1.ip6c_src = ip6cp->ip6c_src; 315 pfctlinput2(cmd, sa, &ip6cp1); 316 317 /* 318 * Then go to special cases that need ESP header information. 319 * XXX: We assume that when ip6 is non NULL, 320 * M and OFF are valid. 321 */ 322 323 /* check if we can safely examine src and dst ports */ 324 if (m->m_pkthdr.len < off + sizeof(esp)) 325 return NULL; 326 327 if (m->m_len < off + sizeof(esp)) { 328 /* 329 * this should be rare case, 330 * so we compromise on this copy... 331 */ 332 m_copydata(m, off, sizeof(esp), &esp); 333 espp = &esp; 334 } else 335 espp = (struct newesp*)(mtod(m, char *) + off); 336 337 if (cmd == PRC_MSGSIZE) { 338 int valid = 0; 339 340 /* 341 * Check to see if we have a valid SA corresponding to 342 * the address in the ICMP message payload. 343 */ 344 345 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 346 IPPROTO_ESP, espp->esp_spi, 0, 0); 347 348 if (sav) { 349 if (sav->state == SADB_SASTATE_MATURE || 350 sav->state == SADB_SASTATE_DYING) 351 valid++; 352 KEY_FREESAV(&sav); 353 } 354 355 /* XXX Further validation? */ 356 357 /* 358 * Depending on the value of "valid" and routing table 359 * size (mtudisc_{hi,lo}wat), we will: 360 * - recalcurate the new MTU and create the 361 * corresponding routing entry, or 362 * - ignore the MTU change notification. 363 */ 364 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 365 } 366 } else { 367 /* we normally notify any pcb here */ 368 } 369 return NULL; 370 } 371 #endif /* INET6 */ 372 373 static int 374 sysctl_fast_ipsec(SYSCTLFN_ARGS) 375 { 376 int error, t; 377 struct sysctlnode node; 378 379 node = *rnode; 380 t = *(int*)rnode->sysctl_data; 381 node.sysctl_data = &t; 382 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 383 if (error || newp == NULL) 384 return (error); 385 386 switch (rnode->sysctl_num) { 387 case IPSECCTL_DEF_ESP_TRANSLEV: 388 case IPSECCTL_DEF_ESP_NETLEV: 389 case IPSECCTL_DEF_AH_TRANSLEV: 390 case IPSECCTL_DEF_AH_NETLEV: 391 if (t != IPSEC_LEVEL_USE && 392 t != IPSEC_LEVEL_REQUIRE) 393 return (EINVAL); 394 ipsec_invalpcbcacheall(); 395 break; 396 case IPSECCTL_DEF_POLICY: 397 if (t != IPSEC_POLICY_DISCARD && 398 t != IPSEC_POLICY_NONE) 399 return (EINVAL); 400 ipsec_invalpcbcacheall(); 401 break; 402 default: 403 return (EINVAL); 404 } 405 406 *(int*)rnode->sysctl_data = t; 407 408 return (0); 409 } 410 411 #ifdef IPSEC_DEBUG 412 static int 413 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 414 { 415 int t, error; 416 struct sysctlnode node; 417 418 node = *rnode; 419 t = *(int*)rnode->sysctl_data; 420 node.sysctl_data = &t; 421 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 422 if (error || newp == NULL) 423 return (error); 424 425 if (t < 0 || t > 1) 426 return EINVAL; 427 428 if (rnode->sysctl_data == &ipsec_replay) 429 printf("fast_ipsec: Anti-Replay service %s\n", 430 (t == 1) ? "deactivated" : "activated"); 431 else if (rnode->sysctl_data == &ipsec_integrity) 432 printf("fast_ipsec: HMAC corruption %s\n", 433 (t == 0) ? "deactivated" : "activated"); 434 435 *(int*)rnode->sysctl_data = t; 436 437 return 0; 438 } 439 #endif 440 441 static int 442 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS) 443 { 444 445 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 446 } 447 448 static int 449 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 450 { 451 452 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 453 } 454 455 static int 456 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 457 { 458 459 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 460 } 461 462 static int 463 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 464 { 465 466 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 467 } 468 469 static int 470 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 471 { 472 473 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 474 } 475 476 /* XXX will need a different oid at parent */ 477 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 478 { 479 const struct sysctlnode *_ipsec; 480 int ipproto_ipsec; 481 482 sysctl_createv(clog, 0, NULL, NULL, 483 CTLFLAG_PERMANENT, 484 CTLTYPE_NODE, "net", NULL, 485 NULL, 0, NULL, 0, 486 CTL_NET, CTL_EOL); 487 sysctl_createv(clog, 0, NULL, NULL, 488 CTLFLAG_PERMANENT, 489 CTLTYPE_NODE, "inet", NULL, 490 NULL, 0, NULL, 0, 491 CTL_NET, PF_INET, CTL_EOL); 492 493 /* 494 * in numerical order: 495 * 496 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 497 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 498 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 499 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 500 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 501 * 502 * this creates separate trees by name, but maintains that the 503 * ipsec name leads to all the old leaves. 504 */ 505 506 /* create net.inet.ipip */ 507 sysctl_createv(clog, 0, NULL, NULL, 508 CTLFLAG_PERMANENT, 509 CTLTYPE_NODE, "ipip", NULL, 510 NULL, 0, NULL, 0, 511 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 512 sysctl_createv(clog, 0, NULL, NULL, 513 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 514 CTLTYPE_STRUCT, "ipip_stats", NULL, 515 sysctl_net_inet_ipip_stats, 0, NULL, 0, 516 CTL_NET, PF_INET, IPPROTO_IPIP, 517 CTL_CREATE, CTL_EOL); 518 519 /* create net.inet.esp subtree under IPPROTO_ESP */ 520 sysctl_createv(clog, 0, NULL, NULL, 521 CTLFLAG_PERMANENT, 522 CTLTYPE_NODE, "esp", NULL, 523 NULL, 0, NULL, 0, 524 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 525 sysctl_createv(clog, 0, NULL, NULL, 526 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 527 CTLTYPE_INT, "trans_deflev", NULL, 528 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 529 CTL_NET, PF_INET, IPPROTO_ESP, 530 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 531 sysctl_createv(clog, 0, NULL, NULL, 532 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 533 CTLTYPE_INT, "net_deflev", NULL, 534 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 535 CTL_NET, PF_INET, IPPROTO_ESP, 536 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 537 sysctl_createv(clog, 0, NULL, NULL, 538 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 539 CTLTYPE_STRUCT, "esp_stats", NULL, 540 sysctl_net_inet_esp_stats, 0, NULL, 0, 541 CTL_NET, PF_INET, IPPROTO_ESP, 542 CTL_CREATE, CTL_EOL); 543 544 /* create net.inet.ah subtree under IPPROTO_AH */ 545 sysctl_createv(clog, 0, NULL, NULL, 546 CTLFLAG_PERMANENT, 547 CTLTYPE_NODE, "ah", NULL, 548 NULL, 0, NULL, 0, 549 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 550 sysctl_createv(clog, 0, NULL, NULL, 551 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 552 CTLTYPE_INT, "cleartos", NULL, 553 NULL, 0, &ip4_ah_cleartos, 0, 554 CTL_NET, PF_INET, IPPROTO_AH, 555 IPSECCTL_AH_CLEARTOS, CTL_EOL); 556 sysctl_createv(clog, 0, NULL, NULL, 557 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 558 CTLTYPE_INT, "offsetmask", NULL, 559 NULL, 0, &ip4_ah_offsetmask, 0, 560 CTL_NET, PF_INET, IPPROTO_AH, 561 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 562 sysctl_createv(clog, 0, NULL, NULL, 563 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 564 CTLTYPE_INT, "trans_deflev", NULL, 565 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 566 CTL_NET, PF_INET, IPPROTO_AH, 567 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 568 sysctl_createv(clog, 0, NULL, NULL, 569 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 570 CTLTYPE_INT, "net_deflev", NULL, 571 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 572 CTL_NET, PF_INET, IPPROTO_AH, 573 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 574 sysctl_createv(clog, 0, NULL, NULL, 575 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 576 CTLTYPE_STRUCT, "ah_stats", NULL, 577 sysctl_net_inet_ah_stats, 0, NULL, 0, 578 CTL_NET, PF_INET, IPPROTO_AH, 579 CTL_CREATE, CTL_EOL); 580 581 /* create net.inet.ipcomp */ 582 sysctl_createv(clog, 0, NULL, NULL, 583 CTLFLAG_PERMANENT, 584 CTLTYPE_NODE, "ipcomp", NULL, 585 NULL, 0, NULL, 0, 586 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 587 sysctl_createv(clog, 0, NULL, NULL, 588 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 589 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 590 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 591 CTL_NET, PF_INET, IPPROTO_IPCOMP, 592 CTL_CREATE, CTL_EOL); 593 594 /* create net.inet.ipsec subtree under dynamic oid */ 595 sysctl_createv(clog, 0, NULL, &_ipsec, 596 CTLFLAG_PERMANENT, 597 CTLTYPE_NODE, "ipsec", NULL, 598 NULL, 0, NULL, 0, 599 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 600 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 601 602 sysctl_createv(clog, 0, NULL, NULL, 603 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 604 CTLTYPE_INT, "def_policy", NULL, 605 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 606 CTL_NET, PF_INET, ipproto_ipsec, 607 IPSECCTL_DEF_POLICY, CTL_EOL); 608 sysctl_createv(clog, 0, NULL, NULL, 609 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 610 CTLTYPE_INT, "esp_trans_deflev", NULL, 611 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 612 CTL_NET, PF_INET, ipproto_ipsec, 613 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 614 sysctl_createv(clog, 0, NULL, NULL, 615 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 616 CTLTYPE_INT, "esp_net_deflev", NULL, 617 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 618 CTL_NET, PF_INET, ipproto_ipsec, 619 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 620 sysctl_createv(clog, 0, NULL, NULL, 621 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 622 CTLTYPE_INT, "ah_trans_deflev", NULL, 623 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 624 CTL_NET, PF_INET, ipproto_ipsec, 625 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 626 sysctl_createv(clog, 0, NULL, NULL, 627 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 628 CTLTYPE_INT, "ah_net_deflev", NULL, 629 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 630 CTL_NET, PF_INET, ipproto_ipsec, 631 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 632 sysctl_createv(clog, 0, NULL, NULL, 633 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 634 CTLTYPE_INT, "ah_cleartos", NULL, 635 NULL, 0, &ip4_ah_cleartos, 0, 636 CTL_NET, PF_INET, ipproto_ipsec, 637 IPSECCTL_AH_CLEARTOS, CTL_EOL); 638 sysctl_createv(clog, 0, NULL, NULL, 639 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 640 CTLTYPE_INT, "ah_offsetmask", NULL, 641 NULL, 0, &ip4_ah_offsetmask, 0, 642 CTL_NET, PF_INET, ipproto_ipsec, 643 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 644 sysctl_createv(clog, 0, NULL, NULL, 645 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 646 CTLTYPE_INT, "dfbit", NULL, 647 NULL, 0, &ip4_ipsec_dfbit, 0, 648 CTL_NET, PF_INET, ipproto_ipsec, 649 IPSECCTL_DFBIT, CTL_EOL); 650 sysctl_createv(clog, 0, NULL, NULL, 651 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 652 CTLTYPE_INT, "ecn", NULL, 653 NULL, 0, &ip4_ipsec_ecn, 0, 654 CTL_NET, PF_INET, ipproto_ipsec, 655 IPSECCTL_ECN, CTL_EOL); 656 sysctl_createv(clog, 0, NULL, NULL, 657 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 658 CTLTYPE_INT, "debug", NULL, 659 NULL, 0, &ipsec_debug, 0, 660 CTL_NET, PF_INET, ipproto_ipsec, 661 IPSECCTL_DEBUG, CTL_EOL); 662 sysctl_createv(clog, 0, NULL, NULL, 663 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 664 CTLTYPE_STRUCT, "ipsecstats", NULL, 665 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 666 CTL_NET, PF_INET, ipproto_ipsec, 667 CTL_CREATE, CTL_EOL); 668 #ifdef IPSEC_DEBUG 669 sysctl_createv(clog, 0, NULL, NULL, 670 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 671 CTLTYPE_INT, "test_replay", 672 SYSCTL_DESCR("Emulate replay attack"), 673 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 674 CTL_NET, PF_INET, ipproto_ipsec, 675 CTL_CREATE, CTL_EOL); 676 sysctl_createv(clog, 0, NULL, NULL, 677 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 678 CTLTYPE_INT, "test_integrity", 679 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 680 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 681 CTL_NET, PF_INET, ipproto_ipsec, 682 CTL_CREATE, CTL_EOL); 683 #endif 684 } 685 686 #ifdef INET6 687 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup, 688 "sysctl net.inet6.ipsec6 subtree setup") 689 { 690 691 sysctl_createv(clog, 0, NULL, NULL, 692 CTLFLAG_PERMANENT, 693 CTLTYPE_NODE, "net", NULL, 694 NULL, 0, NULL, 0, 695 CTL_NET, CTL_EOL); 696 sysctl_createv(clog, 0, NULL, NULL, 697 CTLFLAG_PERMANENT, 698 CTLTYPE_NODE, "inet6", NULL, 699 NULL, 0, NULL, 0, 700 CTL_NET, PF_INET6, CTL_EOL); 701 sysctl_createv(clog, 0, NULL, NULL, 702 CTLFLAG_PERMANENT, 703 CTLTYPE_NODE, "ipsec6", 704 SYSCTL_DESCR("IPv6 related IPSec settings"), 705 NULL, 0, NULL, 0, 706 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 707 708 sysctl_createv(clog, 0, NULL, NULL, 709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 710 CTLTYPE_STRUCT, "stats", 711 SYSCTL_DESCR("IPSec statistics and counters"), 712 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 713 CTL_NET, PF_INET6, IPPROTO_AH, 714 IPSECCTL_STATS, CTL_EOL); 715 sysctl_createv(clog, 0, NULL, NULL, 716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 717 CTLTYPE_INT, "def_policy", 718 SYSCTL_DESCR("Default action for non-IPSec packets"), 719 sysctl_fast_ipsec, 0, (void *)&ip6_def_policy, 0, 720 CTL_NET, PF_INET6, IPPROTO_AH, 721 IPSECCTL_DEF_POLICY, CTL_EOL); 722 sysctl_createv(clog, 0, NULL, NULL, 723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 724 CTLTYPE_INT, "esp_trans_deflev", 725 SYSCTL_DESCR("Default required security level for " 726 "transport mode traffic"), 727 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0, 728 CTL_NET, PF_INET6, IPPROTO_AH, 729 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 730 sysctl_createv(clog, 0, NULL, NULL, 731 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 732 CTLTYPE_INT, "esp_net_deflev", 733 SYSCTL_DESCR("Default required security level for " 734 "tunneled traffic"), 735 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0, 736 CTL_NET, PF_INET6, IPPROTO_AH, 737 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 738 sysctl_createv(clog, 0, NULL, NULL, 739 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 740 CTLTYPE_INT, "ah_trans_deflev", 741 SYSCTL_DESCR("Default required security level for " 742 "transport mode headers"), 743 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0, 744 CTL_NET, PF_INET6, IPPROTO_AH, 745 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 746 sysctl_createv(clog, 0, NULL, NULL, 747 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 748 CTLTYPE_INT, "ah_net_deflev", 749 SYSCTL_DESCR("Default required security level for " 750 "tunneled headers"), 751 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0, 752 CTL_NET, PF_INET6, IPPROTO_AH, 753 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 754 sysctl_createv(clog, 0, NULL, NULL, 755 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 756 CTLTYPE_INT, "ecn", 757 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 758 NULL, 0, &ip6_ipsec_ecn, 0, 759 CTL_NET, PF_INET6, IPPROTO_AH, 760 IPSECCTL_ECN, CTL_EOL); 761 sysctl_createv(clog, 0, NULL, NULL, 762 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 763 CTLTYPE_INT, "debug", 764 SYSCTL_DESCR("Enable IPSec debugging output"), 765 NULL, 0, &ipsec_debug, 0, 766 CTL_NET, PF_INET6, IPPROTO_AH, 767 IPSECCTL_DEBUG, CTL_EOL); 768 769 /* 770 * "aliases" for the ipsec6 subtree 771 */ 772 sysctl_createv(clog, 0, NULL, NULL, 773 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 774 CTLTYPE_NODE, "esp6", NULL, 775 NULL, IPPROTO_AH, NULL, 0, 776 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 777 sysctl_createv(clog, 0, NULL, NULL, 778 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 779 CTLTYPE_NODE, "ipcomp6", NULL, 780 NULL, IPPROTO_AH, NULL, 0, 781 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 782 sysctl_createv(clog, 0, NULL, NULL, 783 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 784 CTLTYPE_NODE, "ah6", NULL, 785 NULL, IPPROTO_AH, NULL, 0, 786 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 787 } 788 #endif /* INET6 */ 789