1 /* $NetBSD: ipsec_netbsd.c,v 1.30 2008/04/23 06:09:05 thorpej Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.30 2008/04/23 06:09:05 thorpej Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <sys/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/key.h> 70 #include <netipsec/keydb.h> 71 #include <netipsec/key_debug.h> 72 #include <netipsec/ah.h> 73 #include <netipsec/ah_var.h> 74 #include <netipsec/esp.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipip_var.h> 77 #include <netipsec/ipcomp_var.h> 78 79 #ifdef INET6 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/ip6protosw.h> 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <machine/stdarg.h> 86 87 88 89 #include <netipsec/key.h> 90 91 /* assumes that ip header and ah header are contiguous on mbuf */ 92 void* 93 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 94 { 95 struct ip *ip = v; 96 struct ah *ah; 97 struct icmp *icp; 98 struct secasvar *sav; 99 100 if (sa->sa_family != AF_INET || 101 sa->sa_len != sizeof(struct sockaddr_in)) 102 return NULL; 103 if ((unsigned)cmd >= PRC_NCMDS) 104 return NULL; 105 106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 107 /* 108 * Check to see if we have a valid SA corresponding to 109 * the address in the ICMP message payload. 110 */ 111 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 112 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 113 IPPROTO_AH, ah->ah_spi, 0, 0); 114 115 if (sav) { 116 if (sav->state == SADB_SASTATE_MATURE || 117 sav->state == SADB_SASTATE_DYING) { 118 119 /* 120 * Now that we've validated that we are actually 121 * communicating with the host indicated in the 122 * ICMP message, locate the ICMP header, 123 * recalculate the new MTU, and create the 124 * corresponding routing entry. 125 */ 126 icp = (struct icmp *)((char *)ip - 127 offsetof(struct icmp, icmp_ip)); 128 icmp_mtudisc(icp, ip->ip_dst); 129 130 } 131 KEY_FREESAV(&sav); 132 } 133 } 134 return NULL; 135 } 136 137 138 139 /* assumes that ip header and esp header are contiguous on mbuf */ 140 void* 141 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 142 { 143 struct ip *ip = v; 144 struct esp *esp; 145 struct icmp *icp; 146 struct secasvar *sav; 147 148 if (sa->sa_family != AF_INET || 149 sa->sa_len != sizeof(struct sockaddr_in)) 150 return NULL; 151 if ((unsigned)cmd >= PRC_NCMDS) 152 return NULL; 153 154 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 155 /* 156 * Check to see if we have a valid SA corresponding to 157 * the address in the ICMP message payload. 158 */ 159 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 160 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 161 IPPROTO_ESP, esp->esp_spi, 0, 0); 162 163 if (sav) { 164 if (sav->state == SADB_SASTATE_MATURE || 165 sav->state == SADB_SASTATE_DYING) { 166 167 /* 168 * Now that we've validated that we are actually 169 * communicating with the host indicated in the 170 * ICMP message, locate the ICMP header, 171 * recalculate the new MTU, and create the 172 * corresponding routing entry. 173 */ 174 175 icp = (struct icmp *)((char *)ip - 176 offsetof(struct icmp, icmp_ip)); 177 icmp_mtudisc(icp, ip->ip_dst); 178 179 } 180 KEY_FREESAV(&sav); 181 } 182 } 183 return NULL; 184 } 185 186 #ifdef INET6 187 void 188 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 189 { 190 const struct newah *ahp; 191 struct newah ah; 192 struct secasvar *sav; 193 struct ip6_hdr *ip6; 194 struct mbuf *m; 195 struct ip6ctlparam *ip6cp = NULL; 196 int off; 197 198 if (sa->sa_family != AF_INET6 || 199 sa->sa_len != sizeof(struct sockaddr_in6)) 200 return; 201 if ((unsigned)cmd >= PRC_NCMDS) 202 return; 203 204 /* if the parameter is from icmp6, decode it. */ 205 if (d != NULL) { 206 ip6cp = (struct ip6ctlparam *)d; 207 m = ip6cp->ip6c_m; 208 ip6 = ip6cp->ip6c_ip6; 209 off = ip6cp->ip6c_off; 210 } else { 211 m = NULL; 212 ip6 = NULL; 213 off = 0; 214 } 215 216 if (ip6) { 217 /* 218 * XXX: We assume that when ip6 is non NULL, 219 * M and OFF are valid. 220 */ 221 222 /* check if we can safely examine src and dst ports */ 223 if (m->m_pkthdr.len < off + sizeof(ah)) 224 return; 225 226 if (m->m_len < off + sizeof(ah)) { 227 /* 228 * this should be rare case, 229 * so we compromise on this copy... 230 */ 231 m_copydata(m, off, sizeof(ah), &ah); 232 ahp = &ah; 233 } else 234 ahp = (struct newah *)(mtod(m, char *) + off); 235 236 if (cmd == PRC_MSGSIZE) { 237 int valid = 0; 238 239 /* 240 * Check to see if we have a valid SA corresponding 241 * to the address in the ICMP message payload. 242 */ 243 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 244 IPPROTO_AH, ahp->ah_spi, 0, 0); 245 246 if (sav) { 247 if (sav->state == SADB_SASTATE_MATURE || 248 sav->state == SADB_SASTATE_DYING) 249 valid++; 250 KEY_FREESAV(&sav); 251 } 252 253 /* XXX Further validation? */ 254 255 /* 256 * Depending on the value of "valid" and routing 257 * table size (mtudisc_{hi,lo}wat), we will: 258 * - recalcurate the new MTU and create the 259 * corresponding routing entry, or 260 * - ignore the MTU change notification. 261 */ 262 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 263 } 264 265 /* we normally notify single pcb here */ 266 } else { 267 /* we normally notify any pcb here */ 268 } 269 } 270 271 272 273 void 274 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 275 { 276 const struct newesp *espp; 277 struct newesp esp; 278 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 279 struct secasvar *sav; 280 struct ip6_hdr *ip6; 281 struct mbuf *m; 282 int off; 283 284 if (sa->sa_family != AF_INET6 || 285 sa->sa_len != sizeof(struct sockaddr_in6)) 286 return; 287 if ((unsigned)cmd >= PRC_NCMDS) 288 return; 289 290 /* if the parameter is from icmp6, decode it. */ 291 if (d != NULL) { 292 ip6cp = (struct ip6ctlparam *)d; 293 m = ip6cp->ip6c_m; 294 ip6 = ip6cp->ip6c_ip6; 295 off = ip6cp->ip6c_off; 296 } else { 297 m = NULL; 298 ip6 = NULL; 299 off = 0; 300 } 301 302 if (ip6) { 303 /* 304 * Notify the error to all possible sockets via pfctlinput2. 305 * Since the upper layer information (such as protocol type, 306 * source and destination ports) is embedded in the encrypted 307 * data and might have been cut, we can't directly call 308 * an upper layer ctlinput function. However, the pcbnotify 309 * function will consider source and destination addresses 310 * as well as the flow info value, and may be able to find 311 * some PCB that should be notified. 312 * Although pfctlinput2 will call esp6_ctlinput(), there is 313 * no possibility of an infinite loop of function calls, 314 * because we don't pass the inner IPv6 header. 315 */ 316 memset(&ip6cp1, 0, sizeof(ip6cp1)); 317 ip6cp1.ip6c_src = ip6cp->ip6c_src; 318 pfctlinput2(cmd, sa, &ip6cp1); 319 320 /* 321 * Then go to special cases that need ESP header information. 322 * XXX: We assume that when ip6 is non NULL, 323 * M and OFF are valid. 324 */ 325 326 /* check if we can safely examine src and dst ports */ 327 if (m->m_pkthdr.len < off + sizeof(esp)) 328 return; 329 330 if (m->m_len < off + sizeof(esp)) { 331 /* 332 * this should be rare case, 333 * so we compromise on this copy... 334 */ 335 m_copydata(m, off, sizeof(esp), &esp); 336 espp = &esp; 337 } else 338 espp = (struct newesp*)(mtod(m, char *) + off); 339 340 if (cmd == PRC_MSGSIZE) { 341 int valid = 0; 342 343 /* 344 * Check to see if we have a valid SA corresponding to 345 * the address in the ICMP message payload. 346 */ 347 348 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 349 IPPROTO_ESP, espp->esp_spi, 0, 0); 350 351 if (sav) { 352 if (sav->state == SADB_SASTATE_MATURE || 353 sav->state == SADB_SASTATE_DYING) 354 valid++; 355 KEY_FREESAV(&sav); 356 } 357 358 /* XXX Further validation? */ 359 360 /* 361 * Depending on the value of "valid" and routing table 362 * size (mtudisc_{hi,lo}wat), we will: 363 * - recalcurate the new MTU and create the 364 * corresponding routing entry, or 365 * - ignore the MTU change notification. 366 */ 367 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 368 } 369 } else { 370 /* we normally notify any pcb here */ 371 } 372 } 373 #endif /* INET6 */ 374 375 static int 376 sysctl_fast_ipsec(SYSCTLFN_ARGS) 377 { 378 int error, t; 379 struct sysctlnode node; 380 381 node = *rnode; 382 t = *(int*)rnode->sysctl_data; 383 node.sysctl_data = &t; 384 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 385 if (error || newp == NULL) 386 return (error); 387 388 switch (rnode->sysctl_num) { 389 case IPSECCTL_DEF_ESP_TRANSLEV: 390 case IPSECCTL_DEF_ESP_NETLEV: 391 case IPSECCTL_DEF_AH_TRANSLEV: 392 case IPSECCTL_DEF_AH_NETLEV: 393 if (t != IPSEC_LEVEL_USE && 394 t != IPSEC_LEVEL_REQUIRE) 395 return (EINVAL); 396 ipsec_invalpcbcacheall(); 397 break; 398 case IPSECCTL_DEF_POLICY: 399 if (t != IPSEC_POLICY_DISCARD && 400 t != IPSEC_POLICY_NONE) 401 return (EINVAL); 402 ipsec_invalpcbcacheall(); 403 break; 404 default: 405 return (EINVAL); 406 } 407 408 *(int*)rnode->sysctl_data = t; 409 410 return (0); 411 } 412 413 #ifdef IPSEC_DEBUG 414 static int 415 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 416 { 417 int t, error; 418 struct sysctlnode node; 419 420 node = *rnode; 421 t = *(int*)rnode->sysctl_data; 422 node.sysctl_data = &t; 423 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 424 if (error || newp == NULL) 425 return (error); 426 427 if (t < 0 || t > 1) 428 return EINVAL; 429 430 if (rnode->sysctl_data == &ipsec_replay) 431 printf("fast_ipsec: Anti-Replay service %s\n", 432 (t == 1) ? "deactivated" : "activated"); 433 else if (rnode->sysctl_data == &ipsec_integrity) 434 printf("fast_ipsec: HMAC corruption %s\n", 435 (t == 0) ? "deactivated" : "activated"); 436 437 *(int*)rnode->sysctl_data = t; 438 439 return 0; 440 } 441 #endif 442 443 static int 444 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS) 445 { 446 netstat_sysctl_context ctx; 447 uint64_t ipss[IPSEC_NSTATS]; 448 449 ctx.ctx_stat = ipsecstat_percpu; 450 ctx.ctx_counters = ipss; 451 ctx.ctx_ncounters = IPSEC_NSTATS; 452 return (NETSTAT_SYSCTL(&ctx)); 453 } 454 455 static int 456 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 457 { 458 netstat_sysctl_context ctx; 459 uint64_t ipss[AH_NSTATS]; 460 461 ctx.ctx_stat = ahstat_percpu; 462 ctx.ctx_counters = ipss; 463 ctx.ctx_ncounters = AH_NSTATS; 464 return (NETSTAT_SYSCTL(&ctx)); 465 } 466 467 static int 468 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 469 { 470 netstat_sysctl_context ctx; 471 uint64_t ipss[ESP_NSTATS]; 472 473 ctx.ctx_stat = espstat_percpu; 474 ctx.ctx_counters = ipss; 475 ctx.ctx_ncounters = ESP_NSTATS; 476 return (NETSTAT_SYSCTL(&ctx)); 477 } 478 479 static int 480 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 481 { 482 netstat_sysctl_context ctx; 483 uint64_t ipss[IPCOMP_NSTATS]; 484 485 ctx.ctx_stat = ipcompstat_percpu; 486 ctx.ctx_counters = ipss; 487 ctx.ctx_ncounters = IPCOMP_NSTATS; 488 return (NETSTAT_SYSCTL(&ctx)); 489 } 490 491 static int 492 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 493 { 494 netstat_sysctl_context ctx; 495 uint64_t ipss[IPIP_NSTATS]; 496 497 ctx.ctx_stat = ipipstat_percpu; 498 ctx.ctx_counters = ipss; 499 ctx.ctx_ncounters = IPIP_NSTATS; 500 return (NETSTAT_SYSCTL(&ctx)); 501 } 502 503 /* XXX will need a different oid at parent */ 504 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 505 { 506 const struct sysctlnode *_ipsec; 507 int ipproto_ipsec; 508 509 sysctl_createv(clog, 0, NULL, NULL, 510 CTLFLAG_PERMANENT, 511 CTLTYPE_NODE, "net", NULL, 512 NULL, 0, NULL, 0, 513 CTL_NET, CTL_EOL); 514 sysctl_createv(clog, 0, NULL, NULL, 515 CTLFLAG_PERMANENT, 516 CTLTYPE_NODE, "inet", NULL, 517 NULL, 0, NULL, 0, 518 CTL_NET, PF_INET, CTL_EOL); 519 520 /* 521 * in numerical order: 522 * 523 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 524 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 525 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 526 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 527 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 528 * 529 * this creates separate trees by name, but maintains that the 530 * ipsec name leads to all the old leaves. 531 */ 532 533 /* create net.inet.ipip */ 534 sysctl_createv(clog, 0, NULL, NULL, 535 CTLFLAG_PERMANENT, 536 CTLTYPE_NODE, "ipip", NULL, 537 NULL, 0, NULL, 0, 538 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 539 sysctl_createv(clog, 0, NULL, NULL, 540 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 541 CTLTYPE_STRUCT, "ipip_stats", NULL, 542 sysctl_net_inet_ipip_stats, 0, NULL, 0, 543 CTL_NET, PF_INET, IPPROTO_IPIP, 544 CTL_CREATE, CTL_EOL); 545 546 /* create net.inet.esp subtree under IPPROTO_ESP */ 547 sysctl_createv(clog, 0, NULL, NULL, 548 CTLFLAG_PERMANENT, 549 CTLTYPE_NODE, "esp", NULL, 550 NULL, 0, NULL, 0, 551 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 552 sysctl_createv(clog, 0, NULL, NULL, 553 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 554 CTLTYPE_INT, "trans_deflev", NULL, 555 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 556 CTL_NET, PF_INET, IPPROTO_ESP, 557 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 558 sysctl_createv(clog, 0, NULL, NULL, 559 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 560 CTLTYPE_INT, "net_deflev", NULL, 561 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 562 CTL_NET, PF_INET, IPPROTO_ESP, 563 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 564 sysctl_createv(clog, 0, NULL, NULL, 565 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 566 CTLTYPE_STRUCT, "esp_stats", NULL, 567 sysctl_net_inet_esp_stats, 0, NULL, 0, 568 CTL_NET, PF_INET, IPPROTO_ESP, 569 CTL_CREATE, CTL_EOL); 570 571 /* create net.inet.ah subtree under IPPROTO_AH */ 572 sysctl_createv(clog, 0, NULL, NULL, 573 CTLFLAG_PERMANENT, 574 CTLTYPE_NODE, "ah", NULL, 575 NULL, 0, NULL, 0, 576 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 577 sysctl_createv(clog, 0, NULL, NULL, 578 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 579 CTLTYPE_INT, "cleartos", NULL, 580 NULL, 0, &ip4_ah_cleartos, 0, 581 CTL_NET, PF_INET, IPPROTO_AH, 582 IPSECCTL_AH_CLEARTOS, CTL_EOL); 583 sysctl_createv(clog, 0, NULL, NULL, 584 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 585 CTLTYPE_INT, "offsetmask", NULL, 586 NULL, 0, &ip4_ah_offsetmask, 0, 587 CTL_NET, PF_INET, IPPROTO_AH, 588 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 589 sysctl_createv(clog, 0, NULL, NULL, 590 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 591 CTLTYPE_INT, "trans_deflev", NULL, 592 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 593 CTL_NET, PF_INET, IPPROTO_AH, 594 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 595 sysctl_createv(clog, 0, NULL, NULL, 596 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 597 CTLTYPE_INT, "net_deflev", NULL, 598 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 599 CTL_NET, PF_INET, IPPROTO_AH, 600 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 601 sysctl_createv(clog, 0, NULL, NULL, 602 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 603 CTLTYPE_STRUCT, "ah_stats", NULL, 604 sysctl_net_inet_ah_stats, 0, NULL, 0, 605 CTL_NET, PF_INET, IPPROTO_AH, 606 CTL_CREATE, CTL_EOL); 607 608 /* create net.inet.ipcomp */ 609 sysctl_createv(clog, 0, NULL, NULL, 610 CTLFLAG_PERMANENT, 611 CTLTYPE_NODE, "ipcomp", NULL, 612 NULL, 0, NULL, 0, 613 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 614 sysctl_createv(clog, 0, NULL, NULL, 615 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 616 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 617 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 618 CTL_NET, PF_INET, IPPROTO_IPCOMP, 619 CTL_CREATE, CTL_EOL); 620 621 /* create net.inet.ipsec subtree under dynamic oid */ 622 sysctl_createv(clog, 0, NULL, &_ipsec, 623 CTLFLAG_PERMANENT, 624 CTLTYPE_NODE, "ipsec", NULL, 625 NULL, 0, NULL, 0, 626 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 627 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 628 629 sysctl_createv(clog, 0, NULL, NULL, 630 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 631 CTLTYPE_INT, "def_policy", NULL, 632 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 633 CTL_NET, PF_INET, ipproto_ipsec, 634 IPSECCTL_DEF_POLICY, CTL_EOL); 635 sysctl_createv(clog, 0, NULL, NULL, 636 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 637 CTLTYPE_INT, "esp_trans_deflev", NULL, 638 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 639 CTL_NET, PF_INET, ipproto_ipsec, 640 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 641 sysctl_createv(clog, 0, NULL, NULL, 642 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 643 CTLTYPE_INT, "esp_net_deflev", NULL, 644 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 645 CTL_NET, PF_INET, ipproto_ipsec, 646 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 647 sysctl_createv(clog, 0, NULL, NULL, 648 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 649 CTLTYPE_INT, "ah_trans_deflev", NULL, 650 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 651 CTL_NET, PF_INET, ipproto_ipsec, 652 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 653 sysctl_createv(clog, 0, NULL, NULL, 654 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 655 CTLTYPE_INT, "ah_net_deflev", NULL, 656 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 657 CTL_NET, PF_INET, ipproto_ipsec, 658 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 659 sysctl_createv(clog, 0, NULL, NULL, 660 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 661 CTLTYPE_INT, "ah_cleartos", NULL, 662 NULL, 0, &ip4_ah_cleartos, 0, 663 CTL_NET, PF_INET, ipproto_ipsec, 664 IPSECCTL_AH_CLEARTOS, CTL_EOL); 665 sysctl_createv(clog, 0, NULL, NULL, 666 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 667 CTLTYPE_INT, "ah_offsetmask", NULL, 668 NULL, 0, &ip4_ah_offsetmask, 0, 669 CTL_NET, PF_INET, ipproto_ipsec, 670 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 671 sysctl_createv(clog, 0, NULL, NULL, 672 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 673 CTLTYPE_INT, "dfbit", NULL, 674 NULL, 0, &ip4_ipsec_dfbit, 0, 675 CTL_NET, PF_INET, ipproto_ipsec, 676 IPSECCTL_DFBIT, CTL_EOL); 677 sysctl_createv(clog, 0, NULL, NULL, 678 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 679 CTLTYPE_INT, "ecn", NULL, 680 NULL, 0, &ip4_ipsec_ecn, 0, 681 CTL_NET, PF_INET, ipproto_ipsec, 682 IPSECCTL_ECN, CTL_EOL); 683 sysctl_createv(clog, 0, NULL, NULL, 684 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 685 CTLTYPE_INT, "debug", NULL, 686 NULL, 0, &ipsec_debug, 0, 687 CTL_NET, PF_INET, ipproto_ipsec, 688 IPSECCTL_DEBUG, CTL_EOL); 689 sysctl_createv(clog, 0, NULL, NULL, 690 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 691 CTLTYPE_STRUCT, "ipsecstats", NULL, 692 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 693 CTL_NET, PF_INET, ipproto_ipsec, 694 CTL_CREATE, CTL_EOL); 695 #ifdef IPSEC_DEBUG 696 sysctl_createv(clog, 0, NULL, NULL, 697 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 698 CTLTYPE_INT, "test_replay", 699 SYSCTL_DESCR("Emulate replay attack"), 700 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 701 CTL_NET, PF_INET, ipproto_ipsec, 702 CTL_CREATE, CTL_EOL); 703 sysctl_createv(clog, 0, NULL, NULL, 704 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 705 CTLTYPE_INT, "test_integrity", 706 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 707 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 708 CTL_NET, PF_INET, ipproto_ipsec, 709 CTL_CREATE, CTL_EOL); 710 #endif 711 } 712 713 #ifdef INET6 714 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup, 715 "sysctl net.inet6.ipsec6 subtree setup") 716 { 717 718 sysctl_createv(clog, 0, NULL, NULL, 719 CTLFLAG_PERMANENT, 720 CTLTYPE_NODE, "net", NULL, 721 NULL, 0, NULL, 0, 722 CTL_NET, CTL_EOL); 723 sysctl_createv(clog, 0, NULL, NULL, 724 CTLFLAG_PERMANENT, 725 CTLTYPE_NODE, "inet6", NULL, 726 NULL, 0, NULL, 0, 727 CTL_NET, PF_INET6, CTL_EOL); 728 sysctl_createv(clog, 0, NULL, NULL, 729 CTLFLAG_PERMANENT, 730 CTLTYPE_NODE, "ipsec6", 731 SYSCTL_DESCR("IPv6 related IPSec settings"), 732 NULL, 0, NULL, 0, 733 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 734 735 sysctl_createv(clog, 0, NULL, NULL, 736 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 737 CTLTYPE_STRUCT, "stats", 738 SYSCTL_DESCR("IPSec statistics and counters"), 739 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 740 CTL_NET, PF_INET6, IPPROTO_AH, 741 IPSECCTL_STATS, CTL_EOL); 742 sysctl_createv(clog, 0, NULL, NULL, 743 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 744 CTLTYPE_INT, "def_policy", 745 SYSCTL_DESCR("Default action for non-IPSec packets"), 746 sysctl_fast_ipsec, 0, &ip6_def_policy, 0, 747 CTL_NET, PF_INET6, IPPROTO_AH, 748 IPSECCTL_DEF_POLICY, CTL_EOL); 749 sysctl_createv(clog, 0, NULL, NULL, 750 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 751 CTLTYPE_INT, "esp_trans_deflev", 752 SYSCTL_DESCR("Default required security level for " 753 "transport mode traffic"), 754 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0, 755 CTL_NET, PF_INET6, IPPROTO_AH, 756 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 757 sysctl_createv(clog, 0, NULL, NULL, 758 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 759 CTLTYPE_INT, "esp_net_deflev", 760 SYSCTL_DESCR("Default required security level for " 761 "tunneled traffic"), 762 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0, 763 CTL_NET, PF_INET6, IPPROTO_AH, 764 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 765 sysctl_createv(clog, 0, NULL, NULL, 766 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 767 CTLTYPE_INT, "ah_trans_deflev", 768 SYSCTL_DESCR("Default required security level for " 769 "transport mode headers"), 770 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0, 771 CTL_NET, PF_INET6, IPPROTO_AH, 772 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 773 sysctl_createv(clog, 0, NULL, NULL, 774 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 775 CTLTYPE_INT, "ah_net_deflev", 776 SYSCTL_DESCR("Default required security level for " 777 "tunneled headers"), 778 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0, 779 CTL_NET, PF_INET6, IPPROTO_AH, 780 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 781 sysctl_createv(clog, 0, NULL, NULL, 782 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 783 CTLTYPE_INT, "ecn", 784 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 785 NULL, 0, &ip6_ipsec_ecn, 0, 786 CTL_NET, PF_INET6, IPPROTO_AH, 787 IPSECCTL_ECN, CTL_EOL); 788 sysctl_createv(clog, 0, NULL, NULL, 789 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 790 CTLTYPE_INT, "debug", 791 SYSCTL_DESCR("Enable IPSec debugging output"), 792 NULL, 0, &ipsec_debug, 0, 793 CTL_NET, PF_INET6, IPPROTO_AH, 794 IPSECCTL_DEBUG, CTL_EOL); 795 796 /* 797 * "aliases" for the ipsec6 subtree 798 */ 799 sysctl_createv(clog, 0, NULL, NULL, 800 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 801 CTLTYPE_NODE, "esp6", NULL, 802 NULL, IPPROTO_AH, NULL, 0, 803 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 804 sysctl_createv(clog, 0, NULL, NULL, 805 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 806 CTLTYPE_NODE, "ipcomp6", NULL, 807 NULL, IPPROTO_AH, NULL, 0, 808 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 809 sysctl_createv(clog, 0, NULL, NULL, 810 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 811 CTLTYPE_NODE, "ah6", NULL, 812 NULL, IPPROTO_AH, NULL, 0, 813 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 814 } 815 #endif /* INET6 */ 816