1 /* $NetBSD: ipsec_netbsd.c,v 1.45 2017/08/03 06:32:51 ozaki-r Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.45 2017/08/03 06:32:51 ozaki-r Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/domain.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/sysctl.h> 53 54 #include <net/if.h> 55 #include <net/route.h> 56 #include <net/netisr.h> 57 #include <sys/cpu.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/ip_ecn.h> 65 #include <netinet/ip_icmp.h> 66 67 68 #include <netipsec/ipsec.h> 69 #include <netipsec/ipsec_var.h> 70 #include <netipsec/ipsec_private.h> 71 #include <netipsec/key.h> 72 #include <netipsec/keydb.h> 73 #include <netipsec/key_debug.h> 74 #include <netipsec/ah.h> 75 #include <netipsec/ah_var.h> 76 #include <netipsec/esp.h> 77 #include <netipsec/esp_var.h> 78 #include <netipsec/ipip_var.h> 79 #include <netipsec/ipcomp_var.h> 80 81 #ifdef INET6 82 #include <netipsec/ipsec6.h> 83 #include <netinet6/ip6protosw.h> 84 #include <netinet/icmp6.h> 85 #endif 86 87 #include <netipsec/key.h> 88 89 /* assumes that ip header and ah header are contiguous on mbuf */ 90 void* 91 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 92 { 93 struct ip *ip = v; 94 struct ah *ah; 95 struct icmp *icp; 96 struct secasvar *sav; 97 98 if (sa->sa_family != AF_INET || 99 sa->sa_len != sizeof(struct sockaddr_in)) 100 return NULL; 101 if ((unsigned)cmd >= PRC_NCMDS) 102 return NULL; 103 104 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 105 /* 106 * Check to see if we have a valid SA corresponding to 107 * the address in the ICMP message payload. 108 */ 109 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 110 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 111 IPPROTO_AH, ah->ah_spi, 0, 0); 112 113 if (sav) { 114 if (SADB_SASTATE_USABLE_P(sav)) { 115 /* 116 * Now that we've validated that we are actually 117 * communicating with the host indicated in the 118 * ICMP message, locate the ICMP header, 119 * recalculate the new MTU, and create the 120 * corresponding routing entry. 121 */ 122 icp = (struct icmp *)((char *)ip - 123 offsetof(struct icmp, icmp_ip)); 124 icmp_mtudisc(icp, ip->ip_dst); 125 } 126 KEY_SA_UNREF(&sav); 127 } 128 } 129 return NULL; 130 } 131 132 133 134 /* assumes that ip header and esp header are contiguous on mbuf */ 135 void* 136 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 137 { 138 struct ip *ip = v; 139 struct esp *esp; 140 struct icmp *icp; 141 struct secasvar *sav; 142 143 if (sa->sa_family != AF_INET || 144 sa->sa_len != sizeof(struct sockaddr_in)) 145 return NULL; 146 if ((unsigned)cmd >= PRC_NCMDS) 147 return NULL; 148 149 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 150 /* 151 * Check to see if we have a valid SA corresponding to 152 * the address in the ICMP message payload. 153 */ 154 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 155 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 156 IPPROTO_ESP, esp->esp_spi, 0, 0); 157 158 if (sav) { 159 if (SADB_SASTATE_USABLE_P(sav)) { 160 /* 161 * Now that we've validated that we are actually 162 * communicating with the host indicated in the 163 * ICMP message, locate the ICMP header, 164 * recalculate the new MTU, and create the 165 * corresponding routing entry. 166 */ 167 icp = (struct icmp *)((char *)ip - 168 offsetof(struct icmp, icmp_ip)); 169 icmp_mtudisc(icp, ip->ip_dst); 170 } 171 KEY_SA_UNREF(&sav); 172 } 173 } 174 return NULL; 175 } 176 177 #ifdef INET6 178 void * 179 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 180 { 181 const struct newah *ahp; 182 struct newah ah; 183 struct secasvar *sav; 184 struct ip6_hdr *ip6; 185 struct mbuf *m; 186 struct ip6ctlparam *ip6cp = NULL; 187 int off; 188 189 if (sa->sa_family != AF_INET6 || 190 sa->sa_len != sizeof(struct sockaddr_in6)) 191 return NULL; 192 if ((unsigned)cmd >= PRC_NCMDS) 193 return NULL; 194 195 /* if the parameter is from icmp6, decode it. */ 196 if (d != NULL) { 197 ip6cp = (struct ip6ctlparam *)d; 198 m = ip6cp->ip6c_m; 199 ip6 = ip6cp->ip6c_ip6; 200 off = ip6cp->ip6c_off; 201 } else { 202 m = NULL; 203 ip6 = NULL; 204 off = 0; 205 } 206 207 if (ip6) { 208 /* 209 * XXX: We assume that when ip6 is non NULL, 210 * M and OFF are valid. 211 */ 212 213 /* check if we can safely examine src and dst ports */ 214 if (m->m_pkthdr.len < off + sizeof(ah)) 215 return NULL; 216 217 if (m->m_len < off + sizeof(ah)) { 218 /* 219 * this should be rare case, 220 * so we compromise on this copy... 221 */ 222 m_copydata(m, off, sizeof(ah), &ah); 223 ahp = &ah; 224 } else 225 ahp = (struct newah *)(mtod(m, char *) + off); 226 227 if (cmd == PRC_MSGSIZE) { 228 int valid = 0; 229 230 /* 231 * Check to see if we have a valid SA corresponding 232 * to the address in the ICMP message payload. 233 */ 234 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 235 IPPROTO_AH, ahp->ah_spi, 0, 0); 236 237 if (sav) { 238 if (SADB_SASTATE_USABLE_P(sav)) 239 valid++; 240 KEY_SA_UNREF(&sav); 241 } 242 243 /* XXX Further validation? */ 244 245 /* 246 * Depending on the value of "valid" and routing 247 * table size (mtudisc_{hi,lo}wat), we will: 248 * - recalcurate the new MTU and create the 249 * corresponding routing entry, or 250 * - ignore the MTU change notification. 251 */ 252 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 253 } 254 255 /* we normally notify single pcb here */ 256 } else { 257 /* we normally notify any pcb here */ 258 } 259 return NULL; 260 } 261 262 263 264 void * 265 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 266 { 267 const struct newesp *espp; 268 struct newesp esp; 269 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 270 struct secasvar *sav; 271 struct ip6_hdr *ip6; 272 struct mbuf *m; 273 int off; 274 275 if (sa->sa_family != AF_INET6 || 276 sa->sa_len != sizeof(struct sockaddr_in6)) 277 return NULL; 278 if ((unsigned)cmd >= PRC_NCMDS) 279 return NULL; 280 281 /* if the parameter is from icmp6, decode it. */ 282 if (d != NULL) { 283 ip6cp = (struct ip6ctlparam *)d; 284 m = ip6cp->ip6c_m; 285 ip6 = ip6cp->ip6c_ip6; 286 off = ip6cp->ip6c_off; 287 } else { 288 m = NULL; 289 ip6 = NULL; 290 off = 0; 291 } 292 293 if (ip6) { 294 /* 295 * Notify the error to all possible sockets via pfctlinput2. 296 * Since the upper layer information (such as protocol type, 297 * source and destination ports) is embedded in the encrypted 298 * data and might have been cut, we can't directly call 299 * an upper layer ctlinput function. However, the pcbnotify 300 * function will consider source and destination addresses 301 * as well as the flow info value, and may be able to find 302 * some PCB that should be notified. 303 * Although pfctlinput2 will call esp6_ctlinput(), there is 304 * no possibility of an infinite loop of function calls, 305 * because we don't pass the inner IPv6 header. 306 */ 307 memset(&ip6cp1, 0, sizeof(ip6cp1)); 308 ip6cp1.ip6c_src = ip6cp->ip6c_src; 309 pfctlinput2(cmd, sa, &ip6cp1); 310 311 /* 312 * Then go to special cases that need ESP header information. 313 * XXX: We assume that when ip6 is non NULL, 314 * M and OFF are valid. 315 */ 316 317 /* check if we can safely examine src and dst ports */ 318 if (m->m_pkthdr.len < off + sizeof(esp)) 319 return NULL; 320 321 if (m->m_len < off + sizeof(esp)) { 322 /* 323 * this should be rare case, 324 * so we compromise on this copy... 325 */ 326 m_copydata(m, off, sizeof(esp), &esp); 327 espp = &esp; 328 } else 329 espp = (struct newesp*)(mtod(m, char *) + off); 330 331 if (cmd == PRC_MSGSIZE) { 332 int valid = 0; 333 334 /* 335 * Check to see if we have a valid SA corresponding to 336 * the address in the ICMP message payload. 337 */ 338 339 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 340 IPPROTO_ESP, espp->esp_spi, 0, 0); 341 342 if (sav) { 343 if (SADB_SASTATE_USABLE_P(sav)) 344 valid++; 345 KEY_SA_UNREF(&sav); 346 } 347 348 /* XXX Further validation? */ 349 350 /* 351 * Depending on the value of "valid" and routing table 352 * size (mtudisc_{hi,lo}wat), we will: 353 * - recalcurate the new MTU and create the 354 * corresponding routing entry, or 355 * - ignore the MTU change notification. 356 */ 357 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 358 } 359 } else { 360 /* we normally notify any pcb here */ 361 } 362 return NULL; 363 } 364 #endif /* INET6 */ 365 366 static int 367 sysctl_ipsec(SYSCTLFN_ARGS) 368 { 369 int error, t; 370 struct sysctlnode node; 371 372 node = *rnode; 373 t = *(int*)rnode->sysctl_data; 374 node.sysctl_data = &t; 375 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 376 if (error || newp == NULL) 377 return (error); 378 379 switch (rnode->sysctl_num) { 380 case IPSECCTL_DEF_ESP_TRANSLEV: 381 case IPSECCTL_DEF_ESP_NETLEV: 382 case IPSECCTL_DEF_AH_TRANSLEV: 383 case IPSECCTL_DEF_AH_NETLEV: 384 if (t != IPSEC_LEVEL_USE && 385 t != IPSEC_LEVEL_REQUIRE) 386 return (EINVAL); 387 ipsec_invalpcbcacheall(); 388 break; 389 case IPSECCTL_DEF_POLICY: 390 if (t != IPSEC_POLICY_DISCARD && 391 t != IPSEC_POLICY_NONE) 392 return (EINVAL); 393 ipsec_invalpcbcacheall(); 394 break; 395 default: 396 return (EINVAL); 397 } 398 399 *(int*)rnode->sysctl_data = t; 400 401 return (0); 402 } 403 404 #ifdef IPSEC_DEBUG 405 static int 406 sysctl_ipsec_test(SYSCTLFN_ARGS) 407 { 408 int t, error; 409 struct sysctlnode node; 410 411 node = *rnode; 412 t = *(int*)rnode->sysctl_data; 413 node.sysctl_data = &t; 414 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 415 if (error || newp == NULL) 416 return (error); 417 418 if (t < 0 || t > 1) 419 return EINVAL; 420 421 if (rnode->sysctl_data == &ipsec_replay) 422 printf("ipsec: Anti-Replay service %s\n", 423 (t == 1) ? "deactivated" : "activated"); 424 else if (rnode->sysctl_data == &ipsec_integrity) 425 printf("ipsec: HMAC corruption %s\n", 426 (t == 0) ? "deactivated" : "activated"); 427 428 *(int*)rnode->sysctl_data = t; 429 430 return 0; 431 } 432 #endif 433 434 static int 435 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 436 { 437 438 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 439 } 440 441 static int 442 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 443 { 444 445 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 446 } 447 448 static int 449 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 450 { 451 452 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 453 } 454 455 static int 456 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 457 { 458 459 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 460 } 461 462 static int 463 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 464 { 465 466 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 467 } 468 469 static int 470 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 471 { 472 int newenabled, error; 473 struct sysctlnode node; 474 node = *rnode; 475 node.sysctl_data = &newenabled; 476 477 newenabled = ipsec_enabled; 478 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 479 if (error || newp == NULL) 480 return error; 481 482 switch (newenabled) { 483 case 0: 484 if (key_get_used()) 485 return EBUSY; 486 /*FALLTHROUGH*/ 487 case 1: 488 case 2: 489 ipsec_enabled = newenabled; 490 key_update_used(); 491 return 0; 492 default: 493 return EINVAL; 494 } 495 } 496 497 /* XXX will need a different oid at parent */ 498 void 499 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 500 { 501 const struct sysctlnode *_ipsec; 502 int ipproto_ipsec; 503 504 sysctl_createv(clog, 0, NULL, NULL, 505 CTLFLAG_PERMANENT, 506 CTLTYPE_NODE, "inet", NULL, 507 NULL, 0, NULL, 0, 508 CTL_NET, PF_INET, CTL_EOL); 509 510 /* 511 * in numerical order: 512 * 513 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 514 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 515 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 516 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 517 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 518 * 519 * this creates separate trees by name, but maintains that the 520 * ipsec name leads to all the old leaves. 521 */ 522 523 /* create net.inet.ipip */ 524 sysctl_createv(clog, 0, NULL, NULL, 525 CTLFLAG_PERMANENT, 526 CTLTYPE_NODE, "ipip", NULL, 527 NULL, 0, NULL, 0, 528 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 529 sysctl_createv(clog, 0, NULL, NULL, 530 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 531 CTLTYPE_STRUCT, "ipip_stats", NULL, 532 sysctl_net_inet_ipip_stats, 0, NULL, 0, 533 CTL_NET, PF_INET, IPPROTO_IPIP, 534 CTL_CREATE, CTL_EOL); 535 536 /* create net.inet.esp subtree under IPPROTO_ESP */ 537 sysctl_createv(clog, 0, NULL, NULL, 538 CTLFLAG_PERMANENT, 539 CTLTYPE_NODE, "esp", NULL, 540 NULL, 0, NULL, 0, 541 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 542 sysctl_createv(clog, 0, NULL, NULL, 543 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 544 CTLTYPE_INT, "trans_deflev", NULL, 545 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 546 CTL_NET, PF_INET, IPPROTO_ESP, 547 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 548 sysctl_createv(clog, 0, NULL, NULL, 549 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 550 CTLTYPE_INT, "net_deflev", NULL, 551 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 552 CTL_NET, PF_INET, IPPROTO_ESP, 553 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 554 sysctl_createv(clog, 0, NULL, NULL, 555 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 556 CTLTYPE_STRUCT, "esp_stats", NULL, 557 sysctl_net_inet_esp_stats, 0, NULL, 0, 558 CTL_NET, PF_INET, IPPROTO_ESP, 559 CTL_CREATE, CTL_EOL); 560 561 /* create net.inet.ah subtree under IPPROTO_AH */ 562 sysctl_createv(clog, 0, NULL, NULL, 563 CTLFLAG_PERMANENT, 564 CTLTYPE_NODE, "ah", NULL, 565 NULL, 0, NULL, 0, 566 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 567 sysctl_createv(clog, 0, NULL, NULL, 568 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 569 CTLTYPE_INT, "cleartos", NULL, 570 NULL, 0, &ip4_ah_cleartos, 0, 571 CTL_NET, PF_INET, IPPROTO_AH, 572 IPSECCTL_AH_CLEARTOS, CTL_EOL); 573 sysctl_createv(clog, 0, NULL, NULL, 574 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 575 CTLTYPE_INT, "offsetmask", NULL, 576 NULL, 0, &ip4_ah_offsetmask, 0, 577 CTL_NET, PF_INET, IPPROTO_AH, 578 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 579 sysctl_createv(clog, 0, NULL, NULL, 580 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 581 CTLTYPE_INT, "trans_deflev", NULL, 582 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 583 CTL_NET, PF_INET, IPPROTO_AH, 584 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 585 sysctl_createv(clog, 0, NULL, NULL, 586 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 587 CTLTYPE_INT, "net_deflev", NULL, 588 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 589 CTL_NET, PF_INET, IPPROTO_AH, 590 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 591 sysctl_createv(clog, 0, NULL, NULL, 592 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 593 CTLTYPE_STRUCT, "ah_stats", NULL, 594 sysctl_net_inet_ah_stats, 0, NULL, 0, 595 CTL_NET, PF_INET, IPPROTO_AH, 596 CTL_CREATE, CTL_EOL); 597 598 /* create net.inet.ipcomp */ 599 sysctl_createv(clog, 0, NULL, NULL, 600 CTLFLAG_PERMANENT, 601 CTLTYPE_NODE, "ipcomp", NULL, 602 NULL, 0, NULL, 0, 603 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 604 sysctl_createv(clog, 0, NULL, NULL, 605 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 606 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 607 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 608 CTL_NET, PF_INET, IPPROTO_IPCOMP, 609 CTL_CREATE, CTL_EOL); 610 611 /* create net.inet.ipsec subtree under dynamic oid */ 612 sysctl_createv(clog, 0, NULL, &_ipsec, 613 CTLFLAG_PERMANENT, 614 CTLTYPE_NODE, "ipsec", NULL, 615 NULL, 0, NULL, 0, 616 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 617 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 618 619 sysctl_createv(clog, 0, NULL, NULL, 620 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 621 CTLTYPE_INT, "def_policy", NULL, 622 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 623 CTL_NET, PF_INET, ipproto_ipsec, 624 IPSECCTL_DEF_POLICY, CTL_EOL); 625 sysctl_createv(clog, 0, NULL, NULL, 626 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 627 CTLTYPE_INT, "esp_trans_deflev", NULL, 628 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 629 CTL_NET, PF_INET, ipproto_ipsec, 630 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 631 sysctl_createv(clog, 0, NULL, NULL, 632 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 633 CTLTYPE_INT, "esp_net_deflev", NULL, 634 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 635 CTL_NET, PF_INET, ipproto_ipsec, 636 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 637 sysctl_createv(clog, 0, NULL, NULL, 638 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 639 CTLTYPE_INT, "ah_trans_deflev", NULL, 640 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 641 CTL_NET, PF_INET, ipproto_ipsec, 642 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 643 sysctl_createv(clog, 0, NULL, NULL, 644 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 645 CTLTYPE_INT, "ah_net_deflev", NULL, 646 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 647 CTL_NET, PF_INET, ipproto_ipsec, 648 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 649 sysctl_createv(clog, 0, NULL, NULL, 650 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 651 CTLTYPE_INT, "ah_cleartos", NULL, 652 NULL, 0, &ip4_ah_cleartos, 0, 653 CTL_NET, PF_INET, ipproto_ipsec, 654 IPSECCTL_AH_CLEARTOS, CTL_EOL); 655 sysctl_createv(clog, 0, NULL, NULL, 656 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 657 CTLTYPE_INT, "ah_offsetmask", NULL, 658 NULL, 0, &ip4_ah_offsetmask, 0, 659 CTL_NET, PF_INET, ipproto_ipsec, 660 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 661 sysctl_createv(clog, 0, NULL, NULL, 662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 663 CTLTYPE_INT, "dfbit", NULL, 664 NULL, 0, &ip4_ipsec_dfbit, 0, 665 CTL_NET, PF_INET, ipproto_ipsec, 666 IPSECCTL_DFBIT, CTL_EOL); 667 sysctl_createv(clog, 0, NULL, NULL, 668 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 669 CTLTYPE_INT, "ecn", NULL, 670 NULL, 0, &ip4_ipsec_ecn, 0, 671 CTL_NET, PF_INET, ipproto_ipsec, 672 IPSECCTL_ECN, CTL_EOL); 673 sysctl_createv(clog, 0, NULL, NULL, 674 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 675 CTLTYPE_INT, "debug", NULL, 676 NULL, 0, &ipsec_debug, 0, 677 CTL_NET, PF_INET, ipproto_ipsec, 678 IPSECCTL_DEBUG, CTL_EOL); 679 sysctl_createv(clog, 0, NULL, NULL, 680 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 681 CTLTYPE_STRUCT, "ipsecstats", NULL, 682 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 683 CTL_NET, PF_INET, ipproto_ipsec, 684 CTL_CREATE, CTL_EOL); 685 sysctl_createv(clog, 0, NULL, NULL, 686 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 687 CTLTYPE_INT, "enabled", 688 SYSCTL_DESCR("Enable IPSec processing"), 689 sysctl_net_ipsec_enabled, 0, NULL, 0, 690 CTL_NET, PF_INET, ipproto_ipsec, 691 CTL_CREATE, CTL_EOL); 692 sysctl_createv(clog, 0, NULL, NULL, 693 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 694 CTLTYPE_INT, "used", 695 SYSCTL_DESCR("Is IPSec active?"), 696 NULL, 0, &ipsec_used, 0, 697 CTL_NET, PF_INET, ipproto_ipsec, 698 CTL_CREATE, CTL_EOL); 699 sysctl_createv(clog, 0, NULL, NULL, 700 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 701 CTLTYPE_INT, "crypto_support", NULL, 702 NULL, 0, &crypto_support, 0, 703 CTL_NET, PF_INET, ipproto_ipsec, 704 CTL_CREATE, CTL_EOL); 705 #ifdef IPSEC_DEBUG 706 sysctl_createv(clog, 0, NULL, NULL, 707 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 708 CTLTYPE_INT, "test_replay", 709 SYSCTL_DESCR("Emulate replay attack"), 710 sysctl_ipsec_test, 0, &ipsec_replay, 0, 711 CTL_NET, PF_INET, ipproto_ipsec, 712 CTL_CREATE, CTL_EOL); 713 sysctl_createv(clog, 0, NULL, NULL, 714 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 715 CTLTYPE_INT, "test_integrity", 716 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 717 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 718 CTL_NET, PF_INET, ipproto_ipsec, 719 CTL_CREATE, CTL_EOL); 720 #endif 721 } 722 723 #ifdef INET6 724 void 725 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 726 { 727 728 sysctl_createv(clog, 0, NULL, NULL, 729 CTLFLAG_PERMANENT, 730 CTLTYPE_NODE, "inet6", NULL, 731 NULL, 0, NULL, 0, 732 CTL_NET, PF_INET6, CTL_EOL); 733 sysctl_createv(clog, 0, NULL, NULL, 734 CTLFLAG_PERMANENT, 735 CTLTYPE_NODE, "ipsec6", 736 SYSCTL_DESCR("IPv6 related IPSec settings"), 737 NULL, 0, NULL, 0, 738 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 739 740 sysctl_createv(clog, 0, NULL, NULL, 741 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 742 CTLTYPE_STRUCT, "stats", 743 SYSCTL_DESCR("IPSec statistics and counters"), 744 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 745 CTL_NET, PF_INET6, IPPROTO_AH, 746 IPSECCTL_STATS, CTL_EOL); 747 sysctl_createv(clog, 0, NULL, NULL, 748 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 749 CTLTYPE_INT, "def_policy", 750 SYSCTL_DESCR("Default action for non-IPSec packets"), 751 sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, 752 CTL_NET, PF_INET6, IPPROTO_AH, 753 IPSECCTL_DEF_POLICY, CTL_EOL); 754 sysctl_createv(clog, 0, NULL, NULL, 755 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 756 CTLTYPE_INT, "esp_trans_deflev", 757 SYSCTL_DESCR("Default required security level for " 758 "transport mode traffic"), 759 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 760 CTL_NET, PF_INET6, IPPROTO_AH, 761 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 762 sysctl_createv(clog, 0, NULL, NULL, 763 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 764 CTLTYPE_INT, "esp_net_deflev", 765 SYSCTL_DESCR("Default required security level for " 766 "tunneled traffic"), 767 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 768 CTL_NET, PF_INET6, IPPROTO_AH, 769 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 770 sysctl_createv(clog, 0, NULL, NULL, 771 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 772 CTLTYPE_INT, "ah_trans_deflev", 773 SYSCTL_DESCR("Default required security level for " 774 "transport mode headers"), 775 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 776 CTL_NET, PF_INET6, IPPROTO_AH, 777 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 778 sysctl_createv(clog, 0, NULL, NULL, 779 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 780 CTLTYPE_INT, "ah_net_deflev", 781 SYSCTL_DESCR("Default required security level for " 782 "tunneled headers"), 783 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 784 CTL_NET, PF_INET6, IPPROTO_AH, 785 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 786 sysctl_createv(clog, 0, NULL, NULL, 787 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 788 CTLTYPE_INT, "ecn", 789 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 790 NULL, 0, &ip6_ipsec_ecn, 0, 791 CTL_NET, PF_INET6, IPPROTO_AH, 792 IPSECCTL_ECN, CTL_EOL); 793 sysctl_createv(clog, 0, NULL, NULL, 794 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 795 CTLTYPE_INT, "debug", 796 SYSCTL_DESCR("Enable IPSec debugging output"), 797 NULL, 0, &ipsec_debug, 0, 798 CTL_NET, PF_INET6, IPPROTO_AH, 799 IPSECCTL_DEBUG, CTL_EOL); 800 sysctl_createv(clog, 0, NULL, NULL, 801 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 802 CTLTYPE_INT, "enabled", 803 SYSCTL_DESCR("Enable IPSec processing"), 804 sysctl_net_ipsec_enabled, 0, NULL, 0, 805 CTL_NET, PF_INET6, IPPROTO_AH, 806 CTL_CREATE, CTL_EOL); 807 sysctl_createv(clog, 0, NULL, NULL, 808 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 809 CTLTYPE_INT, "used", 810 SYSCTL_DESCR("Is IPSec active?"), 811 NULL, 0, &ipsec_used, 0, 812 CTL_NET, PF_INET6, IPPROTO_AH, 813 CTL_CREATE, CTL_EOL); 814 /* 815 * "aliases" for the ipsec6 subtree 816 */ 817 sysctl_createv(clog, 0, NULL, NULL, 818 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 819 CTLTYPE_NODE, "esp6", NULL, 820 NULL, IPPROTO_AH, NULL, 0, 821 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 822 sysctl_createv(clog, 0, NULL, NULL, 823 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 824 CTLTYPE_NODE, "ipcomp6", NULL, 825 NULL, IPPROTO_AH, NULL, 0, 826 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 827 sysctl_createv(clog, 0, NULL, NULL, 828 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 829 CTLTYPE_NODE, "ah6", NULL, 830 NULL, IPPROTO_AH, NULL, 0, 831 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 832 } 833 #endif /* INET6 */ 834