1 /* $NetBSD: ipsec_netbsd.c,v 1.31 2008/04/27 12:58:48 degroote Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.31 2008/04/27 12:58:48 degroote Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <sys/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/key.h> 70 #include <netipsec/keydb.h> 71 #include <netipsec/key_debug.h> 72 #include <netipsec/ah.h> 73 #include <netipsec/ah_var.h> 74 #include <netipsec/esp.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipip_var.h> 77 #include <netipsec/ipcomp_var.h> 78 79 #ifdef INET6 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/ip6protosw.h> 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <machine/stdarg.h> 86 87 88 89 #include <netipsec/key.h> 90 91 /* assumes that ip header and ah header are contiguous on mbuf */ 92 void* 93 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 94 { 95 struct ip *ip = v; 96 struct ah *ah; 97 struct icmp *icp; 98 struct secasvar *sav; 99 100 if (sa->sa_family != AF_INET || 101 sa->sa_len != sizeof(struct sockaddr_in)) 102 return NULL; 103 if ((unsigned)cmd >= PRC_NCMDS) 104 return NULL; 105 106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 107 /* 108 * Check to see if we have a valid SA corresponding to 109 * the address in the ICMP message payload. 110 */ 111 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 112 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 113 IPPROTO_AH, ah->ah_spi, 0, 0); 114 115 if (sav) { 116 if (sav->state == SADB_SASTATE_MATURE || 117 sav->state == SADB_SASTATE_DYING) { 118 119 /* 120 * Now that we've validated that we are actually 121 * communicating with the host indicated in the 122 * ICMP message, locate the ICMP header, 123 * recalculate the new MTU, and create the 124 * corresponding routing entry. 125 */ 126 icp = (struct icmp *)((char *)ip - 127 offsetof(struct icmp, icmp_ip)); 128 icmp_mtudisc(icp, ip->ip_dst); 129 130 } 131 KEY_FREESAV(&sav); 132 } 133 } 134 return NULL; 135 } 136 137 138 139 /* assumes that ip header and esp header are contiguous on mbuf */ 140 void* 141 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 142 { 143 struct ip *ip = v; 144 struct esp *esp; 145 struct icmp *icp; 146 struct secasvar *sav; 147 148 if (sa->sa_family != AF_INET || 149 sa->sa_len != sizeof(struct sockaddr_in)) 150 return NULL; 151 if ((unsigned)cmd >= PRC_NCMDS) 152 return NULL; 153 154 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 155 /* 156 * Check to see if we have a valid SA corresponding to 157 * the address in the ICMP message payload. 158 */ 159 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 160 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 161 IPPROTO_ESP, esp->esp_spi, 0, 0); 162 163 if (sav) { 164 if (sav->state == SADB_SASTATE_MATURE || 165 sav->state == SADB_SASTATE_DYING) { 166 167 /* 168 * Now that we've validated that we are actually 169 * communicating with the host indicated in the 170 * ICMP message, locate the ICMP header, 171 * recalculate the new MTU, and create the 172 * corresponding routing entry. 173 */ 174 175 icp = (struct icmp *)((char *)ip - 176 offsetof(struct icmp, icmp_ip)); 177 icmp_mtudisc(icp, ip->ip_dst); 178 179 } 180 KEY_FREESAV(&sav); 181 } 182 } 183 return NULL; 184 } 185 186 #ifdef INET6 187 void * 188 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 189 { 190 const struct newah *ahp; 191 struct newah ah; 192 struct secasvar *sav; 193 struct ip6_hdr *ip6; 194 struct mbuf *m; 195 struct ip6ctlparam *ip6cp = NULL; 196 int off; 197 198 if (sa->sa_family != AF_INET6 || 199 sa->sa_len != sizeof(struct sockaddr_in6)) 200 return NULL; 201 if ((unsigned)cmd >= PRC_NCMDS) 202 return NULL; 203 204 /* if the parameter is from icmp6, decode it. */ 205 if (d != NULL) { 206 ip6cp = (struct ip6ctlparam *)d; 207 m = ip6cp->ip6c_m; 208 ip6 = ip6cp->ip6c_ip6; 209 off = ip6cp->ip6c_off; 210 } else { 211 m = NULL; 212 ip6 = NULL; 213 off = 0; 214 } 215 216 if (ip6) { 217 /* 218 * XXX: We assume that when ip6 is non NULL, 219 * M and OFF are valid. 220 */ 221 222 /* check if we can safely examine src and dst ports */ 223 if (m->m_pkthdr.len < off + sizeof(ah)) 224 return NULL; 225 226 if (m->m_len < off + sizeof(ah)) { 227 /* 228 * this should be rare case, 229 * so we compromise on this copy... 230 */ 231 m_copydata(m, off, sizeof(ah), &ah); 232 ahp = &ah; 233 } else 234 ahp = (struct newah *)(mtod(m, char *) + off); 235 236 if (cmd == PRC_MSGSIZE) { 237 int valid = 0; 238 239 /* 240 * Check to see if we have a valid SA corresponding 241 * to the address in the ICMP message payload. 242 */ 243 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 244 IPPROTO_AH, ahp->ah_spi, 0, 0); 245 246 if (sav) { 247 if (sav->state == SADB_SASTATE_MATURE || 248 sav->state == SADB_SASTATE_DYING) 249 valid++; 250 KEY_FREESAV(&sav); 251 } 252 253 /* XXX Further validation? */ 254 255 /* 256 * Depending on the value of "valid" and routing 257 * table size (mtudisc_{hi,lo}wat), we will: 258 * - recalcurate the new MTU and create the 259 * corresponding routing entry, or 260 * - ignore the MTU change notification. 261 */ 262 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 263 } 264 265 /* we normally notify single pcb here */ 266 } else { 267 /* we normally notify any pcb here */ 268 } 269 return NULL; 270 } 271 272 273 274 void * 275 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 276 { 277 const struct newesp *espp; 278 struct newesp esp; 279 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 280 struct secasvar *sav; 281 struct ip6_hdr *ip6; 282 struct mbuf *m; 283 int off; 284 285 if (sa->sa_family != AF_INET6 || 286 sa->sa_len != sizeof(struct sockaddr_in6)) 287 return NULL; 288 if ((unsigned)cmd >= PRC_NCMDS) 289 return NULL; 290 291 /* if the parameter is from icmp6, decode it. */ 292 if (d != NULL) { 293 ip6cp = (struct ip6ctlparam *)d; 294 m = ip6cp->ip6c_m; 295 ip6 = ip6cp->ip6c_ip6; 296 off = ip6cp->ip6c_off; 297 } else { 298 m = NULL; 299 ip6 = NULL; 300 off = 0; 301 } 302 303 if (ip6) { 304 /* 305 * Notify the error to all possible sockets via pfctlinput2. 306 * Since the upper layer information (such as protocol type, 307 * source and destination ports) is embedded in the encrypted 308 * data and might have been cut, we can't directly call 309 * an upper layer ctlinput function. However, the pcbnotify 310 * function will consider source and destination addresses 311 * as well as the flow info value, and may be able to find 312 * some PCB that should be notified. 313 * Although pfctlinput2 will call esp6_ctlinput(), there is 314 * no possibility of an infinite loop of function calls, 315 * because we don't pass the inner IPv6 header. 316 */ 317 memset(&ip6cp1, 0, sizeof(ip6cp1)); 318 ip6cp1.ip6c_src = ip6cp->ip6c_src; 319 pfctlinput2(cmd, sa, &ip6cp1); 320 321 /* 322 * Then go to special cases that need ESP header information. 323 * XXX: We assume that when ip6 is non NULL, 324 * M and OFF are valid. 325 */ 326 327 /* check if we can safely examine src and dst ports */ 328 if (m->m_pkthdr.len < off + sizeof(esp)) 329 return NULL; 330 331 if (m->m_len < off + sizeof(esp)) { 332 /* 333 * this should be rare case, 334 * so we compromise on this copy... 335 */ 336 m_copydata(m, off, sizeof(esp), &esp); 337 espp = &esp; 338 } else 339 espp = (struct newesp*)(mtod(m, char *) + off); 340 341 if (cmd == PRC_MSGSIZE) { 342 int valid = 0; 343 344 /* 345 * Check to see if we have a valid SA corresponding to 346 * the address in the ICMP message payload. 347 */ 348 349 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 350 IPPROTO_ESP, espp->esp_spi, 0, 0); 351 352 if (sav) { 353 if (sav->state == SADB_SASTATE_MATURE || 354 sav->state == SADB_SASTATE_DYING) 355 valid++; 356 KEY_FREESAV(&sav); 357 } 358 359 /* XXX Further validation? */ 360 361 /* 362 * Depending on the value of "valid" and routing table 363 * size (mtudisc_{hi,lo}wat), we will: 364 * - recalcurate the new MTU and create the 365 * corresponding routing entry, or 366 * - ignore the MTU change notification. 367 */ 368 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 369 } 370 } else { 371 /* we normally notify any pcb here */ 372 } 373 return NULL; 374 } 375 #endif /* INET6 */ 376 377 static int 378 sysctl_fast_ipsec(SYSCTLFN_ARGS) 379 { 380 int error, t; 381 struct sysctlnode node; 382 383 node = *rnode; 384 t = *(int*)rnode->sysctl_data; 385 node.sysctl_data = &t; 386 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 387 if (error || newp == NULL) 388 return (error); 389 390 switch (rnode->sysctl_num) { 391 case IPSECCTL_DEF_ESP_TRANSLEV: 392 case IPSECCTL_DEF_ESP_NETLEV: 393 case IPSECCTL_DEF_AH_TRANSLEV: 394 case IPSECCTL_DEF_AH_NETLEV: 395 if (t != IPSEC_LEVEL_USE && 396 t != IPSEC_LEVEL_REQUIRE) 397 return (EINVAL); 398 ipsec_invalpcbcacheall(); 399 break; 400 case IPSECCTL_DEF_POLICY: 401 if (t != IPSEC_POLICY_DISCARD && 402 t != IPSEC_POLICY_NONE) 403 return (EINVAL); 404 ipsec_invalpcbcacheall(); 405 break; 406 default: 407 return (EINVAL); 408 } 409 410 *(int*)rnode->sysctl_data = t; 411 412 return (0); 413 } 414 415 #ifdef IPSEC_DEBUG 416 static int 417 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 418 { 419 int t, error; 420 struct sysctlnode node; 421 422 node = *rnode; 423 t = *(int*)rnode->sysctl_data; 424 node.sysctl_data = &t; 425 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 426 if (error || newp == NULL) 427 return (error); 428 429 if (t < 0 || t > 1) 430 return EINVAL; 431 432 if (rnode->sysctl_data == &ipsec_replay) 433 printf("fast_ipsec: Anti-Replay service %s\n", 434 (t == 1) ? "deactivated" : "activated"); 435 else if (rnode->sysctl_data == &ipsec_integrity) 436 printf("fast_ipsec: HMAC corruption %s\n", 437 (t == 0) ? "deactivated" : "activated"); 438 439 *(int*)rnode->sysctl_data = t; 440 441 return 0; 442 } 443 #endif 444 445 static int 446 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS) 447 { 448 netstat_sysctl_context ctx; 449 uint64_t ipss[IPSEC_NSTATS]; 450 451 ctx.ctx_stat = ipsecstat_percpu; 452 ctx.ctx_counters = ipss; 453 ctx.ctx_ncounters = IPSEC_NSTATS; 454 return (NETSTAT_SYSCTL(&ctx)); 455 } 456 457 static int 458 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 459 { 460 netstat_sysctl_context ctx; 461 uint64_t ipss[AH_NSTATS]; 462 463 ctx.ctx_stat = ahstat_percpu; 464 ctx.ctx_counters = ipss; 465 ctx.ctx_ncounters = AH_NSTATS; 466 return (NETSTAT_SYSCTL(&ctx)); 467 } 468 469 static int 470 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 471 { 472 netstat_sysctl_context ctx; 473 uint64_t ipss[ESP_NSTATS]; 474 475 ctx.ctx_stat = espstat_percpu; 476 ctx.ctx_counters = ipss; 477 ctx.ctx_ncounters = ESP_NSTATS; 478 return (NETSTAT_SYSCTL(&ctx)); 479 } 480 481 static int 482 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 483 { 484 netstat_sysctl_context ctx; 485 uint64_t ipss[IPCOMP_NSTATS]; 486 487 ctx.ctx_stat = ipcompstat_percpu; 488 ctx.ctx_counters = ipss; 489 ctx.ctx_ncounters = IPCOMP_NSTATS; 490 return (NETSTAT_SYSCTL(&ctx)); 491 } 492 493 static int 494 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 495 { 496 netstat_sysctl_context ctx; 497 uint64_t ipss[IPIP_NSTATS]; 498 499 ctx.ctx_stat = ipipstat_percpu; 500 ctx.ctx_counters = ipss; 501 ctx.ctx_ncounters = IPIP_NSTATS; 502 return (NETSTAT_SYSCTL(&ctx)); 503 } 504 505 /* XXX will need a different oid at parent */ 506 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 507 { 508 const struct sysctlnode *_ipsec; 509 int ipproto_ipsec; 510 511 sysctl_createv(clog, 0, NULL, NULL, 512 CTLFLAG_PERMANENT, 513 CTLTYPE_NODE, "net", NULL, 514 NULL, 0, NULL, 0, 515 CTL_NET, CTL_EOL); 516 sysctl_createv(clog, 0, NULL, NULL, 517 CTLFLAG_PERMANENT, 518 CTLTYPE_NODE, "inet", NULL, 519 NULL, 0, NULL, 0, 520 CTL_NET, PF_INET, CTL_EOL); 521 522 /* 523 * in numerical order: 524 * 525 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 526 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 527 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 528 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 529 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 530 * 531 * this creates separate trees by name, but maintains that the 532 * ipsec name leads to all the old leaves. 533 */ 534 535 /* create net.inet.ipip */ 536 sysctl_createv(clog, 0, NULL, NULL, 537 CTLFLAG_PERMANENT, 538 CTLTYPE_NODE, "ipip", NULL, 539 NULL, 0, NULL, 0, 540 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 541 sysctl_createv(clog, 0, NULL, NULL, 542 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 543 CTLTYPE_STRUCT, "ipip_stats", NULL, 544 sysctl_net_inet_ipip_stats, 0, NULL, 0, 545 CTL_NET, PF_INET, IPPROTO_IPIP, 546 CTL_CREATE, CTL_EOL); 547 548 /* create net.inet.esp subtree under IPPROTO_ESP */ 549 sysctl_createv(clog, 0, NULL, NULL, 550 CTLFLAG_PERMANENT, 551 CTLTYPE_NODE, "esp", NULL, 552 NULL, 0, NULL, 0, 553 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 554 sysctl_createv(clog, 0, NULL, NULL, 555 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 556 CTLTYPE_INT, "trans_deflev", NULL, 557 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 558 CTL_NET, PF_INET, IPPROTO_ESP, 559 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 560 sysctl_createv(clog, 0, NULL, NULL, 561 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 562 CTLTYPE_INT, "net_deflev", NULL, 563 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 564 CTL_NET, PF_INET, IPPROTO_ESP, 565 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 566 sysctl_createv(clog, 0, NULL, NULL, 567 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 568 CTLTYPE_STRUCT, "esp_stats", NULL, 569 sysctl_net_inet_esp_stats, 0, NULL, 0, 570 CTL_NET, PF_INET, IPPROTO_ESP, 571 CTL_CREATE, CTL_EOL); 572 573 /* create net.inet.ah subtree under IPPROTO_AH */ 574 sysctl_createv(clog, 0, NULL, NULL, 575 CTLFLAG_PERMANENT, 576 CTLTYPE_NODE, "ah", NULL, 577 NULL, 0, NULL, 0, 578 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 579 sysctl_createv(clog, 0, NULL, NULL, 580 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 581 CTLTYPE_INT, "cleartos", NULL, 582 NULL, 0, &ip4_ah_cleartos, 0, 583 CTL_NET, PF_INET, IPPROTO_AH, 584 IPSECCTL_AH_CLEARTOS, CTL_EOL); 585 sysctl_createv(clog, 0, NULL, NULL, 586 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 587 CTLTYPE_INT, "offsetmask", NULL, 588 NULL, 0, &ip4_ah_offsetmask, 0, 589 CTL_NET, PF_INET, IPPROTO_AH, 590 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 591 sysctl_createv(clog, 0, NULL, NULL, 592 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 593 CTLTYPE_INT, "trans_deflev", NULL, 594 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 595 CTL_NET, PF_INET, IPPROTO_AH, 596 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 597 sysctl_createv(clog, 0, NULL, NULL, 598 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 599 CTLTYPE_INT, "net_deflev", NULL, 600 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 601 CTL_NET, PF_INET, IPPROTO_AH, 602 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 603 sysctl_createv(clog, 0, NULL, NULL, 604 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 605 CTLTYPE_STRUCT, "ah_stats", NULL, 606 sysctl_net_inet_ah_stats, 0, NULL, 0, 607 CTL_NET, PF_INET, IPPROTO_AH, 608 CTL_CREATE, CTL_EOL); 609 610 /* create net.inet.ipcomp */ 611 sysctl_createv(clog, 0, NULL, NULL, 612 CTLFLAG_PERMANENT, 613 CTLTYPE_NODE, "ipcomp", NULL, 614 NULL, 0, NULL, 0, 615 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 616 sysctl_createv(clog, 0, NULL, NULL, 617 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 618 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 619 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 620 CTL_NET, PF_INET, IPPROTO_IPCOMP, 621 CTL_CREATE, CTL_EOL); 622 623 /* create net.inet.ipsec subtree under dynamic oid */ 624 sysctl_createv(clog, 0, NULL, &_ipsec, 625 CTLFLAG_PERMANENT, 626 CTLTYPE_NODE, "ipsec", NULL, 627 NULL, 0, NULL, 0, 628 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 629 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 630 631 sysctl_createv(clog, 0, NULL, NULL, 632 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 633 CTLTYPE_INT, "def_policy", NULL, 634 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 635 CTL_NET, PF_INET, ipproto_ipsec, 636 IPSECCTL_DEF_POLICY, CTL_EOL); 637 sysctl_createv(clog, 0, NULL, NULL, 638 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 639 CTLTYPE_INT, "esp_trans_deflev", NULL, 640 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 641 CTL_NET, PF_INET, ipproto_ipsec, 642 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 643 sysctl_createv(clog, 0, NULL, NULL, 644 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 645 CTLTYPE_INT, "esp_net_deflev", NULL, 646 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 647 CTL_NET, PF_INET, ipproto_ipsec, 648 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 649 sysctl_createv(clog, 0, NULL, NULL, 650 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 651 CTLTYPE_INT, "ah_trans_deflev", NULL, 652 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 653 CTL_NET, PF_INET, ipproto_ipsec, 654 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 655 sysctl_createv(clog, 0, NULL, NULL, 656 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 657 CTLTYPE_INT, "ah_net_deflev", NULL, 658 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 659 CTL_NET, PF_INET, ipproto_ipsec, 660 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 661 sysctl_createv(clog, 0, NULL, NULL, 662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 663 CTLTYPE_INT, "ah_cleartos", NULL, 664 NULL, 0, &ip4_ah_cleartos, 0, 665 CTL_NET, PF_INET, ipproto_ipsec, 666 IPSECCTL_AH_CLEARTOS, CTL_EOL); 667 sysctl_createv(clog, 0, NULL, NULL, 668 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 669 CTLTYPE_INT, "ah_offsetmask", NULL, 670 NULL, 0, &ip4_ah_offsetmask, 0, 671 CTL_NET, PF_INET, ipproto_ipsec, 672 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 673 sysctl_createv(clog, 0, NULL, NULL, 674 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 675 CTLTYPE_INT, "dfbit", NULL, 676 NULL, 0, &ip4_ipsec_dfbit, 0, 677 CTL_NET, PF_INET, ipproto_ipsec, 678 IPSECCTL_DFBIT, CTL_EOL); 679 sysctl_createv(clog, 0, NULL, NULL, 680 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 681 CTLTYPE_INT, "ecn", NULL, 682 NULL, 0, &ip4_ipsec_ecn, 0, 683 CTL_NET, PF_INET, ipproto_ipsec, 684 IPSECCTL_ECN, CTL_EOL); 685 sysctl_createv(clog, 0, NULL, NULL, 686 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 687 CTLTYPE_INT, "debug", NULL, 688 NULL, 0, &ipsec_debug, 0, 689 CTL_NET, PF_INET, ipproto_ipsec, 690 IPSECCTL_DEBUG, CTL_EOL); 691 sysctl_createv(clog, 0, NULL, NULL, 692 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 693 CTLTYPE_STRUCT, "ipsecstats", NULL, 694 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 695 CTL_NET, PF_INET, ipproto_ipsec, 696 CTL_CREATE, CTL_EOL); 697 #ifdef IPSEC_DEBUG 698 sysctl_createv(clog, 0, NULL, NULL, 699 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 700 CTLTYPE_INT, "test_replay", 701 SYSCTL_DESCR("Emulate replay attack"), 702 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 703 CTL_NET, PF_INET, ipproto_ipsec, 704 CTL_CREATE, CTL_EOL); 705 sysctl_createv(clog, 0, NULL, NULL, 706 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 707 CTLTYPE_INT, "test_integrity", 708 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 709 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 710 CTL_NET, PF_INET, ipproto_ipsec, 711 CTL_CREATE, CTL_EOL); 712 #endif 713 } 714 715 #ifdef INET6 716 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup, 717 "sysctl net.inet6.ipsec6 subtree setup") 718 { 719 720 sysctl_createv(clog, 0, NULL, NULL, 721 CTLFLAG_PERMANENT, 722 CTLTYPE_NODE, "net", NULL, 723 NULL, 0, NULL, 0, 724 CTL_NET, CTL_EOL); 725 sysctl_createv(clog, 0, NULL, NULL, 726 CTLFLAG_PERMANENT, 727 CTLTYPE_NODE, "inet6", NULL, 728 NULL, 0, NULL, 0, 729 CTL_NET, PF_INET6, CTL_EOL); 730 sysctl_createv(clog, 0, NULL, NULL, 731 CTLFLAG_PERMANENT, 732 CTLTYPE_NODE, "ipsec6", 733 SYSCTL_DESCR("IPv6 related IPSec settings"), 734 NULL, 0, NULL, 0, 735 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 736 737 sysctl_createv(clog, 0, NULL, NULL, 738 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 739 CTLTYPE_STRUCT, "stats", 740 SYSCTL_DESCR("IPSec statistics and counters"), 741 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 742 CTL_NET, PF_INET6, IPPROTO_AH, 743 IPSECCTL_STATS, CTL_EOL); 744 sysctl_createv(clog, 0, NULL, NULL, 745 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 746 CTLTYPE_INT, "def_policy", 747 SYSCTL_DESCR("Default action for non-IPSec packets"), 748 sysctl_fast_ipsec, 0, &ip6_def_policy, 0, 749 CTL_NET, PF_INET6, IPPROTO_AH, 750 IPSECCTL_DEF_POLICY, CTL_EOL); 751 sysctl_createv(clog, 0, NULL, NULL, 752 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 753 CTLTYPE_INT, "esp_trans_deflev", 754 SYSCTL_DESCR("Default required security level for " 755 "transport mode traffic"), 756 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0, 757 CTL_NET, PF_INET6, IPPROTO_AH, 758 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 759 sysctl_createv(clog, 0, NULL, NULL, 760 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 761 CTLTYPE_INT, "esp_net_deflev", 762 SYSCTL_DESCR("Default required security level for " 763 "tunneled traffic"), 764 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0, 765 CTL_NET, PF_INET6, IPPROTO_AH, 766 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 767 sysctl_createv(clog, 0, NULL, NULL, 768 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 769 CTLTYPE_INT, "ah_trans_deflev", 770 SYSCTL_DESCR("Default required security level for " 771 "transport mode headers"), 772 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0, 773 CTL_NET, PF_INET6, IPPROTO_AH, 774 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 775 sysctl_createv(clog, 0, NULL, NULL, 776 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 777 CTLTYPE_INT, "ah_net_deflev", 778 SYSCTL_DESCR("Default required security level for " 779 "tunneled headers"), 780 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0, 781 CTL_NET, PF_INET6, IPPROTO_AH, 782 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 783 sysctl_createv(clog, 0, NULL, NULL, 784 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 785 CTLTYPE_INT, "ecn", 786 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 787 NULL, 0, &ip6_ipsec_ecn, 0, 788 CTL_NET, PF_INET6, IPPROTO_AH, 789 IPSECCTL_ECN, CTL_EOL); 790 sysctl_createv(clog, 0, NULL, NULL, 791 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 792 CTLTYPE_INT, "debug", 793 SYSCTL_DESCR("Enable IPSec debugging output"), 794 NULL, 0, &ipsec_debug, 0, 795 CTL_NET, PF_INET6, IPPROTO_AH, 796 IPSECCTL_DEBUG, CTL_EOL); 797 798 /* 799 * "aliases" for the ipsec6 subtree 800 */ 801 sysctl_createv(clog, 0, NULL, NULL, 802 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 803 CTLTYPE_NODE, "esp6", NULL, 804 NULL, IPPROTO_AH, NULL, 0, 805 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 806 sysctl_createv(clog, 0, NULL, NULL, 807 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 808 CTLTYPE_NODE, "ipcomp6", NULL, 809 NULL, IPPROTO_AH, NULL, 0, 810 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 811 sysctl_createv(clog, 0, NULL, NULL, 812 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 813 CTLTYPE_NODE, "ah6", NULL, 814 NULL, IPPROTO_AH, NULL, 0, 815 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 816 } 817 #endif /* INET6 */ 818