1 /* $NetBSD: ipsec_netbsd.c,v 1.54 2018/04/28 13:44:19 maxv Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.54 2018/04/28 13:44:19 maxv Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/mbuf.h> 45 #include <sys/domain.h> 46 #include <sys/protosw.h> 47 #include <sys/socket.h> 48 #include <sys/errno.h> 49 #include <sys/time.h> 50 #include <sys/kernel.h> 51 #include <sys/sysctl.h> 52 53 #include <net/if.h> 54 #include <net/route.h> 55 #include <net/netisr.h> 56 #include <sys/cpu.h> 57 58 #include <netinet/in.h> 59 #include <netinet/in_systm.h> 60 #include <netinet/in_var.h> 61 #include <netinet/ip.h> 62 #include <netinet/ip_var.h> 63 #include <netinet/ip_ecn.h> 64 #include <netinet/ip_icmp.h> 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/key.h> 70 #include <netipsec/keydb.h> 71 #include <netipsec/key_debug.h> 72 #include <netipsec/ah.h> 73 #include <netipsec/ah_var.h> 74 #include <netipsec/esp.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipip_var.h> 77 #include <netipsec/ipcomp_var.h> 78 79 #ifdef INET6 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/ip6protosw.h> 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <netipsec/key.h> 86 87 /* assumes that ip header and ah header are contiguous on mbuf */ 88 void * 89 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 90 { 91 struct ip *ip = v; 92 struct ah *ah; 93 struct icmp *icp; 94 struct secasvar *sav; 95 96 if (sa->sa_family != AF_INET || 97 sa->sa_len != sizeof(struct sockaddr_in)) 98 return NULL; 99 if ((unsigned)cmd >= PRC_NCMDS) 100 return NULL; 101 102 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 103 /* 104 * Check to see if we have a valid SA corresponding to 105 * the address in the ICMP message payload. 106 */ 107 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 108 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 109 IPPROTO_AH, ah->ah_spi, 0, 0); 110 111 if (sav) { 112 if (SADB_SASTATE_USABLE_P(sav)) { 113 /* 114 * Now that we've validated that we are actually 115 * communicating with the host indicated in the 116 * ICMP message, locate the ICMP header, 117 * recalculate the new MTU, and create the 118 * corresponding routing entry. 119 */ 120 icp = (struct icmp *)((char *)ip - 121 offsetof(struct icmp, icmp_ip)); 122 icmp_mtudisc(icp, ip->ip_dst); 123 } 124 KEY_SA_UNREF(&sav); 125 } 126 } 127 return NULL; 128 } 129 130 /* assumes that ip header and esp header are contiguous on mbuf */ 131 void * 132 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 133 { 134 struct ip *ip = v; 135 struct esp *esp; 136 struct icmp *icp; 137 struct secasvar *sav; 138 139 if (sa->sa_family != AF_INET || 140 sa->sa_len != sizeof(struct sockaddr_in)) 141 return NULL; 142 if ((unsigned)cmd >= PRC_NCMDS) 143 return NULL; 144 145 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 146 /* 147 * Check to see if we have a valid SA corresponding to 148 * the address in the ICMP message payload. 149 */ 150 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 151 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 152 IPPROTO_ESP, esp->esp_spi, 0, 0); 153 154 if (sav) { 155 if (SADB_SASTATE_USABLE_P(sav)) { 156 /* 157 * Now that we've validated that we are actually 158 * communicating with the host indicated in the 159 * ICMP message, locate the ICMP header, 160 * recalculate the new MTU, and create the 161 * corresponding routing entry. 162 */ 163 icp = (struct icmp *)((char *)ip - 164 offsetof(struct icmp, icmp_ip)); 165 icmp_mtudisc(icp, ip->ip_dst); 166 } 167 KEY_SA_UNREF(&sav); 168 } 169 } 170 return NULL; 171 } 172 173 #ifdef INET6 174 void * 175 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 176 { 177 const struct newah *ahp; 178 struct newah ah; 179 struct secasvar *sav; 180 struct ip6_hdr *ip6; 181 struct mbuf *m; 182 struct ip6ctlparam *ip6cp = NULL; 183 int off; 184 185 if (sa->sa_family != AF_INET6 || 186 sa->sa_len != sizeof(struct sockaddr_in6)) 187 return NULL; 188 if ((unsigned)cmd >= PRC_NCMDS) 189 return NULL; 190 191 /* if the parameter is from icmp6, decode it. */ 192 if (d != NULL) { 193 ip6cp = (struct ip6ctlparam *)d; 194 m = ip6cp->ip6c_m; 195 ip6 = ip6cp->ip6c_ip6; 196 off = ip6cp->ip6c_off; 197 } else { 198 m = NULL; 199 ip6 = NULL; 200 off = 0; 201 } 202 203 if (ip6) { 204 /* check if we can safely examine src and dst ports */ 205 if (m->m_pkthdr.len < off + sizeof(ah)) 206 return NULL; 207 208 if (m->m_len < off + sizeof(ah)) { 209 /* 210 * this should be rare case, 211 * so we compromise on this copy... 212 */ 213 m_copydata(m, off, sizeof(ah), &ah); 214 ahp = &ah; 215 } else 216 ahp = (struct newah *)(mtod(m, char *) + off); 217 218 if (cmd == PRC_MSGSIZE) { 219 int valid = 0; 220 221 /* 222 * Check to see if we have a valid SA corresponding 223 * to the address in the ICMP message payload. 224 */ 225 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 226 IPPROTO_AH, ahp->ah_spi, 0, 0); 227 228 if (sav) { 229 if (SADB_SASTATE_USABLE_P(sav)) 230 valid++; 231 KEY_SA_UNREF(&sav); 232 } 233 234 /* XXX Further validation? */ 235 236 /* 237 * Depending on the value of "valid" and routing 238 * table size (mtudisc_{hi,lo}wat), we will: 239 * - recalculate the new MTU and create the 240 * corresponding routing entry, or 241 * - ignore the MTU change notification. 242 */ 243 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 244 } 245 246 /* we normally notify single pcb here */ 247 } else { 248 /* we normally notify any pcb here */ 249 } 250 return NULL; 251 } 252 253 void * 254 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 255 { 256 const struct newesp *espp; 257 struct newesp esp; 258 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 259 struct secasvar *sav; 260 struct ip6_hdr *ip6; 261 struct mbuf *m; 262 int off; 263 264 if (sa->sa_family != AF_INET6 || 265 sa->sa_len != sizeof(struct sockaddr_in6)) 266 return NULL; 267 if ((unsigned)cmd >= PRC_NCMDS) 268 return NULL; 269 270 /* if the parameter is from icmp6, decode it. */ 271 if (d != NULL) { 272 ip6cp = (struct ip6ctlparam *)d; 273 m = ip6cp->ip6c_m; 274 ip6 = ip6cp->ip6c_ip6; 275 off = ip6cp->ip6c_off; 276 } else { 277 m = NULL; 278 ip6 = NULL; 279 off = 0; 280 } 281 282 if (ip6) { 283 /* 284 * Notify the error to all possible sockets via pfctlinput2. 285 * Since the upper layer information (such as protocol type, 286 * source and destination ports) is embedded in the encrypted 287 * data and might have been cut, we can't directly call 288 * an upper layer ctlinput function. However, the pcbnotify 289 * function will consider source and destination addresses 290 * as well as the flow info value, and may be able to find 291 * some PCB that should be notified. 292 * Although pfctlinput2 will call esp6_ctlinput(), there is 293 * no possibility of an infinite loop of function calls, 294 * because we don't pass the inner IPv6 header. 295 */ 296 memset(&ip6cp1, 0, sizeof(ip6cp1)); 297 ip6cp1.ip6c_src = ip6cp->ip6c_src; 298 pfctlinput2(cmd, sa, &ip6cp1); 299 300 /* check if we can safely examine src and dst ports */ 301 if (m->m_pkthdr.len < off + sizeof(esp)) 302 return NULL; 303 304 if (m->m_len < off + sizeof(esp)) { 305 /* 306 * this should be rare case, 307 * so we compromise on this copy... 308 */ 309 m_copydata(m, off, sizeof(esp), &esp); 310 espp = &esp; 311 } else 312 espp = (struct newesp *)(mtod(m, char *) + off); 313 314 if (cmd == PRC_MSGSIZE) { 315 int valid = 0; 316 317 /* 318 * Check to see if we have a valid SA corresponding to 319 * the address in the ICMP message payload. 320 */ 321 322 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 323 IPPROTO_ESP, espp->esp_spi, 0, 0); 324 325 if (sav) { 326 if (SADB_SASTATE_USABLE_P(sav)) 327 valid++; 328 KEY_SA_UNREF(&sav); 329 } 330 331 /* XXX Further validation? */ 332 333 /* 334 * Depending on the value of "valid" and routing table 335 * size (mtudisc_{hi,lo}wat), we will: 336 * - recalcurate the new MTU and create the 337 * corresponding routing entry, or 338 * - ignore the MTU change notification. 339 */ 340 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 341 } 342 } else { 343 /* we normally notify any pcb here */ 344 } 345 return NULL; 346 } 347 #endif /* INET6 */ 348 349 static int 350 sysctl_ipsec(SYSCTLFN_ARGS) 351 { 352 int error, t; 353 struct sysctlnode node; 354 355 node = *rnode; 356 t = *(int *)rnode->sysctl_data; 357 node.sysctl_data = &t; 358 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 359 if (error || newp == NULL) 360 return error; 361 362 switch (rnode->sysctl_num) { 363 case IPSECCTL_DEF_ESP_TRANSLEV: 364 case IPSECCTL_DEF_ESP_NETLEV: 365 case IPSECCTL_DEF_AH_TRANSLEV: 366 case IPSECCTL_DEF_AH_NETLEV: 367 if (t != IPSEC_LEVEL_USE && 368 t != IPSEC_LEVEL_REQUIRE) 369 return EINVAL; 370 ipsec_invalpcbcacheall(); 371 break; 372 case IPSECCTL_DEF_POLICY: 373 if (t != IPSEC_POLICY_DISCARD && 374 t != IPSEC_POLICY_NONE) 375 return EINVAL; 376 ipsec_invalpcbcacheall(); 377 break; 378 default: 379 return EINVAL; 380 } 381 382 *(int *)rnode->sysctl_data = t; 383 384 return 0; 385 } 386 387 #ifdef IPSEC_DEBUG 388 static int 389 sysctl_ipsec_test(SYSCTLFN_ARGS) 390 { 391 int t, error; 392 struct sysctlnode node; 393 394 node = *rnode; 395 t = *(int *)rnode->sysctl_data; 396 node.sysctl_data = &t; 397 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 398 if (error || newp == NULL) 399 return error; 400 401 if (t < 0 || t > 1) 402 return EINVAL; 403 404 if (rnode->sysctl_data == &ipsec_replay) 405 printf("ipsec: Anti-Replay service %s\n", 406 (t == 1) ? "deactivated" : "activated"); 407 else if (rnode->sysctl_data == &ipsec_integrity) 408 printf("ipsec: HMAC corruption %s\n", 409 (t == 0) ? "deactivated" : "activated"); 410 411 *(int *)rnode->sysctl_data = t; 412 413 return 0; 414 } 415 #endif 416 417 static int 418 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 419 { 420 421 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 422 } 423 424 static int 425 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 426 { 427 428 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 429 } 430 431 static int 432 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 433 { 434 435 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 436 } 437 438 static int 439 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 440 { 441 442 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 443 } 444 445 static int 446 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 447 { 448 449 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 450 } 451 452 static int 453 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 454 { 455 int newenabled, error; 456 struct sysctlnode node; 457 node = *rnode; 458 node.sysctl_data = &newenabled; 459 460 newenabled = ipsec_enabled; 461 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 462 if (error || newp == NULL) 463 return error; 464 465 switch (newenabled) { 466 case 0: 467 if (key_get_used()) 468 return EBUSY; 469 /*FALLTHROUGH*/ 470 case 1: 471 case 2: 472 ipsec_enabled = newenabled; 473 key_update_used(); 474 return 0; 475 default: 476 return EINVAL; 477 } 478 } 479 480 /* XXX will need a different oid at parent */ 481 void 482 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 483 { 484 const struct sysctlnode *_ipsec; 485 int ipproto_ipsec; 486 487 sysctl_createv(clog, 0, NULL, NULL, 488 CTLFLAG_PERMANENT, 489 CTLTYPE_NODE, "inet", NULL, 490 NULL, 0, NULL, 0, 491 CTL_NET, PF_INET, CTL_EOL); 492 493 /* 494 * in numerical order: 495 * 496 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 497 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 498 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 499 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 500 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 501 * 502 * this creates separate trees by name, but maintains that the 503 * ipsec name leads to all the old leaves. 504 */ 505 506 /* create net.inet.ipip */ 507 sysctl_createv(clog, 0, NULL, NULL, 508 CTLFLAG_PERMANENT, 509 CTLTYPE_NODE, "ipip", NULL, 510 NULL, 0, NULL, 0, 511 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 512 sysctl_createv(clog, 0, NULL, NULL, 513 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 514 CTLTYPE_STRUCT, "ipip_stats", NULL, 515 sysctl_net_inet_ipip_stats, 0, NULL, 0, 516 CTL_NET, PF_INET, IPPROTO_IPIP, 517 CTL_CREATE, CTL_EOL); 518 519 /* create net.inet.esp subtree under IPPROTO_ESP */ 520 sysctl_createv(clog, 0, NULL, NULL, 521 CTLFLAG_PERMANENT, 522 CTLTYPE_NODE, "esp", NULL, 523 NULL, 0, NULL, 0, 524 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 525 sysctl_createv(clog, 0, NULL, NULL, 526 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 527 CTLTYPE_STRUCT, "esp_stats", NULL, 528 sysctl_net_inet_esp_stats, 0, NULL, 0, 529 CTL_NET, PF_INET, IPPROTO_ESP, 530 CTL_CREATE, CTL_EOL); 531 532 /* create net.inet.ah subtree under IPPROTO_AH */ 533 sysctl_createv(clog, 0, NULL, NULL, 534 CTLFLAG_PERMANENT, 535 CTLTYPE_NODE, "ah", NULL, 536 NULL, 0, NULL, 0, 537 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 538 sysctl_createv(clog, 0, NULL, NULL, 539 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 540 CTLTYPE_STRUCT, "ah_stats", NULL, 541 sysctl_net_inet_ah_stats, 0, NULL, 0, 542 CTL_NET, PF_INET, IPPROTO_AH, 543 CTL_CREATE, CTL_EOL); 544 545 /* create net.inet.ipcomp */ 546 sysctl_createv(clog, 0, NULL, NULL, 547 CTLFLAG_PERMANENT, 548 CTLTYPE_NODE, "ipcomp", NULL, 549 NULL, 0, NULL, 0, 550 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 551 sysctl_createv(clog, 0, NULL, NULL, 552 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 553 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 554 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 555 CTL_NET, PF_INET, IPPROTO_IPCOMP, 556 CTL_CREATE, CTL_EOL); 557 558 /* create net.inet.ipsec subtree under dynamic oid */ 559 sysctl_createv(clog, 0, NULL, &_ipsec, 560 CTLFLAG_PERMANENT, 561 CTLTYPE_NODE, "ipsec", NULL, 562 NULL, 0, NULL, 0, 563 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 564 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 565 566 sysctl_createv(clog, 0, NULL, NULL, 567 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 568 CTLTYPE_INT, "def_policy", NULL, 569 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 570 CTL_NET, PF_INET, ipproto_ipsec, 571 IPSECCTL_DEF_POLICY, CTL_EOL); 572 sysctl_createv(clog, 0, NULL, NULL, 573 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 574 CTLTYPE_INT, "esp_trans_deflev", NULL, 575 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 576 CTL_NET, PF_INET, ipproto_ipsec, 577 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 578 sysctl_createv(clog, 0, NULL, NULL, 579 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 580 CTLTYPE_INT, "esp_net_deflev", NULL, 581 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 582 CTL_NET, PF_INET, ipproto_ipsec, 583 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 584 sysctl_createv(clog, 0, NULL, NULL, 585 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 586 CTLTYPE_INT, "ah_trans_deflev", NULL, 587 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 588 CTL_NET, PF_INET, ipproto_ipsec, 589 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 590 sysctl_createv(clog, 0, NULL, NULL, 591 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 592 CTLTYPE_INT, "ah_net_deflev", NULL, 593 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 594 CTL_NET, PF_INET, ipproto_ipsec, 595 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 596 sysctl_createv(clog, 0, NULL, NULL, 597 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 598 CTLTYPE_INT, "ah_cleartos", NULL, 599 NULL, 0, &ip4_ah_cleartos, 0, 600 CTL_NET, PF_INET, ipproto_ipsec, 601 IPSECCTL_AH_CLEARTOS, CTL_EOL); 602 sysctl_createv(clog, 0, NULL, NULL, 603 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 604 CTLTYPE_INT, "ah_offsetmask", NULL, 605 NULL, 0, &ip4_ah_offsetmask, 0, 606 CTL_NET, PF_INET, ipproto_ipsec, 607 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 608 sysctl_createv(clog, 0, NULL, NULL, 609 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 610 CTLTYPE_INT, "dfbit", NULL, 611 NULL, 0, &ip4_ipsec_dfbit, 0, 612 CTL_NET, PF_INET, ipproto_ipsec, 613 IPSECCTL_DFBIT, CTL_EOL); 614 sysctl_createv(clog, 0, NULL, NULL, 615 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 616 CTLTYPE_INT, "ecn", NULL, 617 NULL, 0, &ip4_ipsec_ecn, 0, 618 CTL_NET, PF_INET, ipproto_ipsec, 619 IPSECCTL_ECN, CTL_EOL); 620 sysctl_createv(clog, 0, NULL, NULL, 621 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 622 CTLTYPE_INT, "debug", NULL, 623 NULL, 0, &ipsec_debug, 0, 624 CTL_NET, PF_INET, ipproto_ipsec, 625 IPSECCTL_DEBUG, CTL_EOL); 626 sysctl_createv(clog, 0, NULL, NULL, 627 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 628 CTLTYPE_INT, "ipip_spoofcheck", NULL, 629 NULL, 0, &ipip_spoofcheck, 0, 630 CTL_NET, PF_INET, ipproto_ipsec, 631 CTL_CREATE, CTL_EOL); 632 sysctl_createv(clog, 0, NULL, NULL, 633 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 634 CTLTYPE_STRUCT, "ipsecstats", NULL, 635 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 636 CTL_NET, PF_INET, ipproto_ipsec, 637 CTL_CREATE, CTL_EOL); 638 sysctl_createv(clog, 0, NULL, NULL, 639 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 640 CTLTYPE_INT, "enabled", 641 SYSCTL_DESCR("Enable IPSec processing"), 642 sysctl_net_ipsec_enabled, 0, NULL, 0, 643 CTL_NET, PF_INET, ipproto_ipsec, 644 CTL_CREATE, CTL_EOL); 645 sysctl_createv(clog, 0, NULL, NULL, 646 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 647 CTLTYPE_INT, "used", 648 SYSCTL_DESCR("Is IPSec active?"), 649 NULL, 0, &ipsec_used, 0, 650 CTL_NET, PF_INET, ipproto_ipsec, 651 CTL_CREATE, CTL_EOL); 652 sysctl_createv(clog, 0, NULL, NULL, 653 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 654 CTLTYPE_INT, "ah_enable", NULL, 655 NULL, 0, &ah_enable, 0, 656 CTL_NET, PF_INET, ipproto_ipsec, 657 CTL_CREATE, CTL_EOL); 658 sysctl_createv(clog, 0, NULL, NULL, 659 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 660 CTLTYPE_INT, "esp_enable", NULL, 661 NULL, 0, &esp_enable, 0, 662 CTL_NET, PF_INET, ipproto_ipsec, 663 CTL_CREATE, CTL_EOL); 664 sysctl_createv(clog, 0, NULL, NULL, 665 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 666 CTLTYPE_INT, "ipcomp_enable", NULL, 667 NULL, 0, &ipcomp_enable, 0, 668 CTL_NET, PF_INET, ipproto_ipsec, 669 CTL_CREATE, CTL_EOL); 670 sysctl_createv(clog, 0, NULL, NULL, 671 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 672 CTLTYPE_INT, "crypto_support", NULL, 673 NULL, 0, &crypto_support, 0, 674 CTL_NET, PF_INET, ipproto_ipsec, 675 CTL_CREATE, CTL_EOL); 676 677 #ifdef IPSEC_DEBUG 678 sysctl_createv(clog, 0, NULL, NULL, 679 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 680 CTLTYPE_INT, "test_replay", 681 SYSCTL_DESCR("Emulate replay attack"), 682 sysctl_ipsec_test, 0, &ipsec_replay, 0, 683 CTL_NET, PF_INET, ipproto_ipsec, 684 CTL_CREATE, CTL_EOL); 685 sysctl_createv(clog, 0, NULL, NULL, 686 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 687 CTLTYPE_INT, "test_integrity", 688 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 689 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 690 CTL_NET, PF_INET, ipproto_ipsec, 691 CTL_CREATE, CTL_EOL); 692 #endif 693 } 694 695 #ifdef INET6 696 void 697 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 698 { 699 700 sysctl_createv(clog, 0, NULL, NULL, 701 CTLFLAG_PERMANENT, 702 CTLTYPE_NODE, "inet6", NULL, 703 NULL, 0, NULL, 0, 704 CTL_NET, PF_INET6, CTL_EOL); 705 sysctl_createv(clog, 0, NULL, NULL, 706 CTLFLAG_PERMANENT, 707 CTLTYPE_NODE, "ipsec6", 708 SYSCTL_DESCR("IPv6 related IPSec settings"), 709 NULL, 0, NULL, 0, 710 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 711 712 sysctl_createv(clog, 0, NULL, NULL, 713 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 714 CTLTYPE_STRUCT, "stats", 715 SYSCTL_DESCR("IPSec statistics and counters"), 716 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 717 CTL_NET, PF_INET6, IPPROTO_AH, 718 IPSECCTL_STATS, CTL_EOL); 719 sysctl_createv(clog, 0, NULL, NULL, 720 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 721 CTLTYPE_INT, "def_policy", 722 SYSCTL_DESCR("Default action for non-IPSec packets"), 723 sysctl_ipsec, 0, &ip6_def_policy.policy, 0, 724 CTL_NET, PF_INET6, IPPROTO_AH, 725 IPSECCTL_DEF_POLICY, CTL_EOL); 726 sysctl_createv(clog, 0, NULL, NULL, 727 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 728 CTLTYPE_INT, "esp_trans_deflev", 729 SYSCTL_DESCR("Default required security level for " 730 "transport mode traffic"), 731 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 732 CTL_NET, PF_INET6, IPPROTO_AH, 733 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 734 sysctl_createv(clog, 0, NULL, NULL, 735 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 736 CTLTYPE_INT, "esp_net_deflev", 737 SYSCTL_DESCR("Default required security level for " 738 "tunneled traffic"), 739 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 740 CTL_NET, PF_INET6, IPPROTO_AH, 741 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 742 sysctl_createv(clog, 0, NULL, NULL, 743 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 744 CTLTYPE_INT, "ah_trans_deflev", 745 SYSCTL_DESCR("Default required security level for " 746 "transport mode headers"), 747 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 748 CTL_NET, PF_INET6, IPPROTO_AH, 749 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 750 sysctl_createv(clog, 0, NULL, NULL, 751 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 752 CTLTYPE_INT, "ah_net_deflev", 753 SYSCTL_DESCR("Default required security level for " 754 "tunneled headers"), 755 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 756 CTL_NET, PF_INET6, IPPROTO_AH, 757 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 758 sysctl_createv(clog, 0, NULL, NULL, 759 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 760 CTLTYPE_INT, "ecn", 761 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 762 NULL, 0, &ip6_ipsec_ecn, 0, 763 CTL_NET, PF_INET6, IPPROTO_AH, 764 IPSECCTL_ECN, CTL_EOL); 765 sysctl_createv(clog, 0, NULL, NULL, 766 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 767 CTLTYPE_INT, "debug", 768 SYSCTL_DESCR("Enable IPSec debugging output"), 769 NULL, 0, &ipsec_debug, 0, 770 CTL_NET, PF_INET6, IPPROTO_AH, 771 IPSECCTL_DEBUG, CTL_EOL); 772 sysctl_createv(clog, 0, NULL, NULL, 773 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 774 CTLTYPE_INT, "enabled", 775 SYSCTL_DESCR("Enable IPSec processing"), 776 sysctl_net_ipsec_enabled, 0, NULL, 0, 777 CTL_NET, PF_INET6, IPPROTO_AH, 778 CTL_CREATE, CTL_EOL); 779 sysctl_createv(clog, 0, NULL, NULL, 780 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 781 CTLTYPE_INT, "used", 782 SYSCTL_DESCR("Is IPSec active?"), 783 NULL, 0, &ipsec_used, 0, 784 CTL_NET, PF_INET6, IPPROTO_AH, 785 CTL_CREATE, CTL_EOL); 786 } 787 #endif /* INET6 */ 788