1 /* $NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/domain.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/sysctl.h> 53 54 #include <net/if.h> 55 #include <net/route.h> 56 #include <net/netisr.h> 57 #include <sys/cpu.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/ip_ecn.h> 65 #include <netinet/ip_icmp.h> 66 67 #include <netipsec/ipsec.h> 68 #include <netipsec/ipsec_var.h> 69 #include <netipsec/ipsec_private.h> 70 #include <netipsec/key.h> 71 #include <netipsec/keydb.h> 72 #include <netipsec/key_debug.h> 73 #include <netipsec/ah.h> 74 #include <netipsec/ah_var.h> 75 #include <netipsec/esp.h> 76 #include <netipsec/esp_var.h> 77 #include <netipsec/ipip_var.h> 78 #include <netipsec/ipcomp_var.h> 79 80 #ifdef INET6 81 #include <netipsec/ipsec6.h> 82 #include <netinet6/ip6protosw.h> 83 #include <netinet/icmp6.h> 84 #endif 85 86 #include <netipsec/key.h> 87 88 /* assumes that ip header and ah header are contiguous on mbuf */ 89 void * 90 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 91 { 92 struct ip *ip = v; 93 struct ah *ah; 94 struct icmp *icp; 95 struct secasvar *sav; 96 97 if (sa->sa_family != AF_INET || 98 sa->sa_len != sizeof(struct sockaddr_in)) 99 return NULL; 100 if ((unsigned)cmd >= PRC_NCMDS) 101 return NULL; 102 103 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 104 /* 105 * Check to see if we have a valid SA corresponding to 106 * the address in the ICMP message payload. 107 */ 108 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 109 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 110 IPPROTO_AH, ah->ah_spi, 0, 0); 111 112 if (sav) { 113 if (SADB_SASTATE_USABLE_P(sav)) { 114 /* 115 * Now that we've validated that we are actually 116 * communicating with the host indicated in the 117 * ICMP message, locate the ICMP header, 118 * recalculate the new MTU, and create the 119 * corresponding routing entry. 120 */ 121 icp = (struct icmp *)((char *)ip - 122 offsetof(struct icmp, icmp_ip)); 123 icmp_mtudisc(icp, ip->ip_dst); 124 } 125 KEY_SA_UNREF(&sav); 126 } 127 } 128 return NULL; 129 } 130 131 /* assumes that ip header and esp header are contiguous on mbuf */ 132 void * 133 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 134 { 135 struct ip *ip = v; 136 struct esp *esp; 137 struct icmp *icp; 138 struct secasvar *sav; 139 140 if (sa->sa_family != AF_INET || 141 sa->sa_len != sizeof(struct sockaddr_in)) 142 return NULL; 143 if ((unsigned)cmd >= PRC_NCMDS) 144 return NULL; 145 146 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 147 /* 148 * Check to see if we have a valid SA corresponding to 149 * the address in the ICMP message payload. 150 */ 151 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 152 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 153 IPPROTO_ESP, esp->esp_spi, 0, 0); 154 155 if (sav) { 156 if (SADB_SASTATE_USABLE_P(sav)) { 157 /* 158 * Now that we've validated that we are actually 159 * communicating with the host indicated in the 160 * ICMP message, locate the ICMP header, 161 * recalculate the new MTU, and create the 162 * corresponding routing entry. 163 */ 164 icp = (struct icmp *)((char *)ip - 165 offsetof(struct icmp, icmp_ip)); 166 icmp_mtudisc(icp, ip->ip_dst); 167 } 168 KEY_SA_UNREF(&sav); 169 } 170 } 171 return NULL; 172 } 173 174 #ifdef INET6 175 void * 176 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 177 { 178 const struct newah *ahp; 179 struct newah ah; 180 struct secasvar *sav; 181 struct ip6_hdr *ip6; 182 struct mbuf *m; 183 struct ip6ctlparam *ip6cp = NULL; 184 int off; 185 186 if (sa->sa_family != AF_INET6 || 187 sa->sa_len != sizeof(struct sockaddr_in6)) 188 return NULL; 189 if ((unsigned)cmd >= PRC_NCMDS) 190 return NULL; 191 192 /* if the parameter is from icmp6, decode it. */ 193 if (d != NULL) { 194 ip6cp = (struct ip6ctlparam *)d; 195 m = ip6cp->ip6c_m; 196 ip6 = ip6cp->ip6c_ip6; 197 off = ip6cp->ip6c_off; 198 } else { 199 m = NULL; 200 ip6 = NULL; 201 off = 0; 202 } 203 204 if (ip6) { 205 /* 206 * XXX: We assume that when ip6 is non NULL, 207 * M and OFF are valid. 208 */ 209 210 /* check if we can safely examine src and dst ports */ 211 if (m->m_pkthdr.len < off + sizeof(ah)) 212 return NULL; 213 214 if (m->m_len < off + sizeof(ah)) { 215 /* 216 * this should be rare case, 217 * so we compromise on this copy... 218 */ 219 m_copydata(m, off, sizeof(ah), &ah); 220 ahp = &ah; 221 } else 222 ahp = (struct newah *)(mtod(m, char *) + off); 223 224 if (cmd == PRC_MSGSIZE) { 225 int valid = 0; 226 227 /* 228 * Check to see if we have a valid SA corresponding 229 * to the address in the ICMP message payload. 230 */ 231 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 232 IPPROTO_AH, ahp->ah_spi, 0, 0); 233 234 if (sav) { 235 if (SADB_SASTATE_USABLE_P(sav)) 236 valid++; 237 KEY_SA_UNREF(&sav); 238 } 239 240 /* XXX Further validation? */ 241 242 /* 243 * Depending on the value of "valid" and routing 244 * table size (mtudisc_{hi,lo}wat), we will: 245 * - recalculate the new MTU and create the 246 * corresponding routing entry, or 247 * - ignore the MTU change notification. 248 */ 249 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 250 } 251 252 /* we normally notify single pcb here */ 253 } else { 254 /* we normally notify any pcb here */ 255 } 256 return NULL; 257 } 258 259 void * 260 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 261 { 262 const struct newesp *espp; 263 struct newesp esp; 264 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 265 struct secasvar *sav; 266 struct ip6_hdr *ip6; 267 struct mbuf *m; 268 int off; 269 270 if (sa->sa_family != AF_INET6 || 271 sa->sa_len != sizeof(struct sockaddr_in6)) 272 return NULL; 273 if ((unsigned)cmd >= PRC_NCMDS) 274 return NULL; 275 276 /* if the parameter is from icmp6, decode it. */ 277 if (d != NULL) { 278 ip6cp = (struct ip6ctlparam *)d; 279 m = ip6cp->ip6c_m; 280 ip6 = ip6cp->ip6c_ip6; 281 off = ip6cp->ip6c_off; 282 } else { 283 m = NULL; 284 ip6 = NULL; 285 off = 0; 286 } 287 288 if (ip6) { 289 /* 290 * Notify the error to all possible sockets via pfctlinput2. 291 * Since the upper layer information (such as protocol type, 292 * source and destination ports) is embedded in the encrypted 293 * data and might have been cut, we can't directly call 294 * an upper layer ctlinput function. However, the pcbnotify 295 * function will consider source and destination addresses 296 * as well as the flow info value, and may be able to find 297 * some PCB that should be notified. 298 * Although pfctlinput2 will call esp6_ctlinput(), there is 299 * no possibility of an infinite loop of function calls, 300 * because we don't pass the inner IPv6 header. 301 */ 302 memset(&ip6cp1, 0, sizeof(ip6cp1)); 303 ip6cp1.ip6c_src = ip6cp->ip6c_src; 304 pfctlinput2(cmd, sa, &ip6cp1); 305 306 /* 307 * Then go to special cases that need ESP header information. 308 * XXX: We assume that when ip6 is non NULL, 309 * M and OFF are valid. 310 */ 311 312 /* check if we can safely examine src and dst ports */ 313 if (m->m_pkthdr.len < off + sizeof(esp)) 314 return NULL; 315 316 if (m->m_len < off + sizeof(esp)) { 317 /* 318 * this should be rare case, 319 * so we compromise on this copy... 320 */ 321 m_copydata(m, off, sizeof(esp), &esp); 322 espp = &esp; 323 } else 324 espp = (struct newesp*)(mtod(m, char *) + off); 325 326 if (cmd == PRC_MSGSIZE) { 327 int valid = 0; 328 329 /* 330 * Check to see if we have a valid SA corresponding to 331 * the address in the ICMP message payload. 332 */ 333 334 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 335 IPPROTO_ESP, espp->esp_spi, 0, 0); 336 337 if (sav) { 338 if (SADB_SASTATE_USABLE_P(sav)) 339 valid++; 340 KEY_SA_UNREF(&sav); 341 } 342 343 /* XXX Further validation? */ 344 345 /* 346 * Depending on the value of "valid" and routing table 347 * size (mtudisc_{hi,lo}wat), we will: 348 * - recalcurate the new MTU and create the 349 * corresponding routing entry, or 350 * - ignore the MTU change notification. 351 */ 352 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 353 } 354 } else { 355 /* we normally notify any pcb here */ 356 } 357 return NULL; 358 } 359 #endif /* INET6 */ 360 361 static int 362 sysctl_ipsec(SYSCTLFN_ARGS) 363 { 364 int error, t; 365 struct sysctlnode node; 366 367 node = *rnode; 368 t = *(int*)rnode->sysctl_data; 369 node.sysctl_data = &t; 370 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 371 if (error || newp == NULL) 372 return (error); 373 374 switch (rnode->sysctl_num) { 375 case IPSECCTL_DEF_ESP_TRANSLEV: 376 case IPSECCTL_DEF_ESP_NETLEV: 377 case IPSECCTL_DEF_AH_TRANSLEV: 378 case IPSECCTL_DEF_AH_NETLEV: 379 if (t != IPSEC_LEVEL_USE && 380 t != IPSEC_LEVEL_REQUIRE) 381 return (EINVAL); 382 ipsec_invalpcbcacheall(); 383 break; 384 case IPSECCTL_DEF_POLICY: 385 if (t != IPSEC_POLICY_DISCARD && 386 t != IPSEC_POLICY_NONE) 387 return (EINVAL); 388 ipsec_invalpcbcacheall(); 389 break; 390 default: 391 return (EINVAL); 392 } 393 394 *(int*)rnode->sysctl_data = t; 395 396 return (0); 397 } 398 399 #ifdef IPSEC_DEBUG 400 static int 401 sysctl_ipsec_test(SYSCTLFN_ARGS) 402 { 403 int t, error; 404 struct sysctlnode node; 405 406 node = *rnode; 407 t = *(int*)rnode->sysctl_data; 408 node.sysctl_data = &t; 409 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 410 if (error || newp == NULL) 411 return (error); 412 413 if (t < 0 || t > 1) 414 return EINVAL; 415 416 if (rnode->sysctl_data == &ipsec_replay) 417 printf("ipsec: Anti-Replay service %s\n", 418 (t == 1) ? "deactivated" : "activated"); 419 else if (rnode->sysctl_data == &ipsec_integrity) 420 printf("ipsec: HMAC corruption %s\n", 421 (t == 0) ? "deactivated" : "activated"); 422 423 *(int*)rnode->sysctl_data = t; 424 425 return 0; 426 } 427 #endif 428 429 static int 430 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 431 { 432 433 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 434 } 435 436 static int 437 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 438 { 439 440 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 441 } 442 443 static int 444 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 445 { 446 447 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 448 } 449 450 static int 451 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 452 { 453 454 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 455 } 456 457 static int 458 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 459 { 460 461 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 462 } 463 464 static int 465 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 466 { 467 int newenabled, error; 468 struct sysctlnode node; 469 node = *rnode; 470 node.sysctl_data = &newenabled; 471 472 newenabled = ipsec_enabled; 473 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 474 if (error || newp == NULL) 475 return error; 476 477 switch (newenabled) { 478 case 0: 479 if (key_get_used()) 480 return EBUSY; 481 /*FALLTHROUGH*/ 482 case 1: 483 case 2: 484 ipsec_enabled = newenabled; 485 key_update_used(); 486 return 0; 487 default: 488 return EINVAL; 489 } 490 } 491 492 /* XXX will need a different oid at parent */ 493 void 494 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 495 { 496 const struct sysctlnode *_ipsec; 497 int ipproto_ipsec; 498 499 sysctl_createv(clog, 0, NULL, NULL, 500 CTLFLAG_PERMANENT, 501 CTLTYPE_NODE, "inet", NULL, 502 NULL, 0, NULL, 0, 503 CTL_NET, PF_INET, CTL_EOL); 504 505 /* 506 * in numerical order: 507 * 508 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 509 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 510 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 511 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 512 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 513 * 514 * this creates separate trees by name, but maintains that the 515 * ipsec name leads to all the old leaves. 516 */ 517 518 /* create net.inet.ipip */ 519 sysctl_createv(clog, 0, NULL, NULL, 520 CTLFLAG_PERMANENT, 521 CTLTYPE_NODE, "ipip", NULL, 522 NULL, 0, NULL, 0, 523 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 524 sysctl_createv(clog, 0, NULL, NULL, 525 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 526 CTLTYPE_STRUCT, "ipip_stats", NULL, 527 sysctl_net_inet_ipip_stats, 0, NULL, 0, 528 CTL_NET, PF_INET, IPPROTO_IPIP, 529 CTL_CREATE, CTL_EOL); 530 531 /* create net.inet.esp subtree under IPPROTO_ESP */ 532 sysctl_createv(clog, 0, NULL, NULL, 533 CTLFLAG_PERMANENT, 534 CTLTYPE_NODE, "esp", NULL, 535 NULL, 0, NULL, 0, 536 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 537 sysctl_createv(clog, 0, NULL, NULL, 538 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 539 CTLTYPE_INT, "trans_deflev", NULL, 540 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 541 CTL_NET, PF_INET, IPPROTO_ESP, 542 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 543 sysctl_createv(clog, 0, NULL, NULL, 544 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 545 CTLTYPE_INT, "net_deflev", NULL, 546 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 547 CTL_NET, PF_INET, IPPROTO_ESP, 548 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 549 sysctl_createv(clog, 0, NULL, NULL, 550 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 551 CTLTYPE_STRUCT, "esp_stats", NULL, 552 sysctl_net_inet_esp_stats, 0, NULL, 0, 553 CTL_NET, PF_INET, IPPROTO_ESP, 554 CTL_CREATE, CTL_EOL); 555 556 /* create net.inet.ah subtree under IPPROTO_AH */ 557 sysctl_createv(clog, 0, NULL, NULL, 558 CTLFLAG_PERMANENT, 559 CTLTYPE_NODE, "ah", NULL, 560 NULL, 0, NULL, 0, 561 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 562 sysctl_createv(clog, 0, NULL, NULL, 563 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 564 CTLTYPE_INT, "cleartos", NULL, 565 NULL, 0, &ip4_ah_cleartos, 0, 566 CTL_NET, PF_INET, IPPROTO_AH, 567 IPSECCTL_AH_CLEARTOS, CTL_EOL); 568 sysctl_createv(clog, 0, NULL, NULL, 569 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 570 CTLTYPE_INT, "offsetmask", NULL, 571 NULL, 0, &ip4_ah_offsetmask, 0, 572 CTL_NET, PF_INET, IPPROTO_AH, 573 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 574 sysctl_createv(clog, 0, NULL, NULL, 575 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 576 CTLTYPE_INT, "trans_deflev", NULL, 577 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 578 CTL_NET, PF_INET, IPPROTO_AH, 579 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 580 sysctl_createv(clog, 0, NULL, NULL, 581 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 582 CTLTYPE_INT, "net_deflev", NULL, 583 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 584 CTL_NET, PF_INET, IPPROTO_AH, 585 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 586 sysctl_createv(clog, 0, NULL, NULL, 587 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 588 CTLTYPE_STRUCT, "ah_stats", NULL, 589 sysctl_net_inet_ah_stats, 0, NULL, 0, 590 CTL_NET, PF_INET, IPPROTO_AH, 591 CTL_CREATE, CTL_EOL); 592 593 /* create net.inet.ipcomp */ 594 sysctl_createv(clog, 0, NULL, NULL, 595 CTLFLAG_PERMANENT, 596 CTLTYPE_NODE, "ipcomp", NULL, 597 NULL, 0, NULL, 0, 598 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 599 sysctl_createv(clog, 0, NULL, NULL, 600 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 601 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 602 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 603 CTL_NET, PF_INET, IPPROTO_IPCOMP, 604 CTL_CREATE, CTL_EOL); 605 606 /* create net.inet.ipsec subtree under dynamic oid */ 607 sysctl_createv(clog, 0, NULL, &_ipsec, 608 CTLFLAG_PERMANENT, 609 CTLTYPE_NODE, "ipsec", NULL, 610 NULL, 0, NULL, 0, 611 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 612 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 613 614 sysctl_createv(clog, 0, NULL, NULL, 615 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 616 CTLTYPE_INT, "def_policy", NULL, 617 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 618 CTL_NET, PF_INET, ipproto_ipsec, 619 IPSECCTL_DEF_POLICY, CTL_EOL); 620 sysctl_createv(clog, 0, NULL, NULL, 621 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 622 CTLTYPE_INT, "esp_trans_deflev", NULL, 623 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 624 CTL_NET, PF_INET, ipproto_ipsec, 625 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 626 sysctl_createv(clog, 0, NULL, NULL, 627 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 628 CTLTYPE_INT, "esp_net_deflev", NULL, 629 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 630 CTL_NET, PF_INET, ipproto_ipsec, 631 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 632 sysctl_createv(clog, 0, NULL, NULL, 633 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 634 CTLTYPE_INT, "ah_trans_deflev", NULL, 635 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 636 CTL_NET, PF_INET, ipproto_ipsec, 637 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 638 sysctl_createv(clog, 0, NULL, NULL, 639 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 640 CTLTYPE_INT, "ah_net_deflev", NULL, 641 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 642 CTL_NET, PF_INET, ipproto_ipsec, 643 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 644 sysctl_createv(clog, 0, NULL, NULL, 645 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 646 CTLTYPE_INT, "ah_cleartos", NULL, 647 NULL, 0, &ip4_ah_cleartos, 0, 648 CTL_NET, PF_INET, ipproto_ipsec, 649 IPSECCTL_AH_CLEARTOS, CTL_EOL); 650 sysctl_createv(clog, 0, NULL, NULL, 651 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 652 CTLTYPE_INT, "ah_offsetmask", NULL, 653 NULL, 0, &ip4_ah_offsetmask, 0, 654 CTL_NET, PF_INET, ipproto_ipsec, 655 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 656 sysctl_createv(clog, 0, NULL, NULL, 657 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 658 CTLTYPE_INT, "dfbit", NULL, 659 NULL, 0, &ip4_ipsec_dfbit, 0, 660 CTL_NET, PF_INET, ipproto_ipsec, 661 IPSECCTL_DFBIT, CTL_EOL); 662 sysctl_createv(clog, 0, NULL, NULL, 663 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 664 CTLTYPE_INT, "ecn", NULL, 665 NULL, 0, &ip4_ipsec_ecn, 0, 666 CTL_NET, PF_INET, ipproto_ipsec, 667 IPSECCTL_ECN, CTL_EOL); 668 sysctl_createv(clog, 0, NULL, NULL, 669 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 670 CTLTYPE_INT, "debug", NULL, 671 NULL, 0, &ipsec_debug, 0, 672 CTL_NET, PF_INET, ipproto_ipsec, 673 IPSECCTL_DEBUG, CTL_EOL); 674 sysctl_createv(clog, 0, NULL, NULL, 675 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 676 CTLTYPE_STRUCT, "ipsecstats", NULL, 677 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 678 CTL_NET, PF_INET, ipproto_ipsec, 679 CTL_CREATE, CTL_EOL); 680 sysctl_createv(clog, 0, NULL, NULL, 681 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 682 CTLTYPE_INT, "enabled", 683 SYSCTL_DESCR("Enable IPSec processing"), 684 sysctl_net_ipsec_enabled, 0, NULL, 0, 685 CTL_NET, PF_INET, ipproto_ipsec, 686 CTL_CREATE, CTL_EOL); 687 sysctl_createv(clog, 0, NULL, NULL, 688 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 689 CTLTYPE_INT, "used", 690 SYSCTL_DESCR("Is IPSec active?"), 691 NULL, 0, &ipsec_used, 0, 692 CTL_NET, PF_INET, ipproto_ipsec, 693 CTL_CREATE, CTL_EOL); 694 sysctl_createv(clog, 0, NULL, NULL, 695 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 696 CTLTYPE_INT, "ah_enable", NULL, 697 NULL, 0, &ah_enable, 0, 698 CTL_NET, PF_INET, ipproto_ipsec, 699 CTL_CREATE, CTL_EOL); 700 sysctl_createv(clog, 0, NULL, NULL, 701 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 702 CTLTYPE_INT, "esp_enable", NULL, 703 NULL, 0, &esp_enable, 0, 704 CTL_NET, PF_INET, ipproto_ipsec, 705 CTL_CREATE, CTL_EOL); 706 sysctl_createv(clog, 0, NULL, NULL, 707 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 708 CTLTYPE_INT, "ipcomp_enable", NULL, 709 NULL, 0, &ipcomp_enable, 0, 710 CTL_NET, PF_INET, ipproto_ipsec, 711 CTL_CREATE, CTL_EOL); 712 sysctl_createv(clog, 0, NULL, NULL, 713 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 714 CTLTYPE_INT, "crypto_support", NULL, 715 NULL, 0, &crypto_support, 0, 716 CTL_NET, PF_INET, ipproto_ipsec, 717 CTL_CREATE, CTL_EOL); 718 719 #ifdef IPSEC_DEBUG 720 sysctl_createv(clog, 0, NULL, NULL, 721 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 722 CTLTYPE_INT, "test_replay", 723 SYSCTL_DESCR("Emulate replay attack"), 724 sysctl_ipsec_test, 0, &ipsec_replay, 0, 725 CTL_NET, PF_INET, ipproto_ipsec, 726 CTL_CREATE, CTL_EOL); 727 sysctl_createv(clog, 0, NULL, NULL, 728 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 729 CTLTYPE_INT, "test_integrity", 730 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 731 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 732 CTL_NET, PF_INET, ipproto_ipsec, 733 CTL_CREATE, CTL_EOL); 734 #endif 735 } 736 737 #ifdef INET6 738 void 739 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 740 { 741 742 sysctl_createv(clog, 0, NULL, NULL, 743 CTLFLAG_PERMANENT, 744 CTLTYPE_NODE, "inet6", NULL, 745 NULL, 0, NULL, 0, 746 CTL_NET, PF_INET6, CTL_EOL); 747 sysctl_createv(clog, 0, NULL, NULL, 748 CTLFLAG_PERMANENT, 749 CTLTYPE_NODE, "ipsec6", 750 SYSCTL_DESCR("IPv6 related IPSec settings"), 751 NULL, 0, NULL, 0, 752 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 753 754 sysctl_createv(clog, 0, NULL, NULL, 755 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 756 CTLTYPE_STRUCT, "stats", 757 SYSCTL_DESCR("IPSec statistics and counters"), 758 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 759 CTL_NET, PF_INET6, IPPROTO_AH, 760 IPSECCTL_STATS, CTL_EOL); 761 sysctl_createv(clog, 0, NULL, NULL, 762 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 763 CTLTYPE_INT, "def_policy", 764 SYSCTL_DESCR("Default action for non-IPSec packets"), 765 sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, 766 CTL_NET, PF_INET6, IPPROTO_AH, 767 IPSECCTL_DEF_POLICY, CTL_EOL); 768 sysctl_createv(clog, 0, NULL, NULL, 769 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 770 CTLTYPE_INT, "esp_trans_deflev", 771 SYSCTL_DESCR("Default required security level for " 772 "transport mode traffic"), 773 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 774 CTL_NET, PF_INET6, IPPROTO_AH, 775 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 776 sysctl_createv(clog, 0, NULL, NULL, 777 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 778 CTLTYPE_INT, "esp_net_deflev", 779 SYSCTL_DESCR("Default required security level for " 780 "tunneled traffic"), 781 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 782 CTL_NET, PF_INET6, IPPROTO_AH, 783 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 784 sysctl_createv(clog, 0, NULL, NULL, 785 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 786 CTLTYPE_INT, "ah_trans_deflev", 787 SYSCTL_DESCR("Default required security level for " 788 "transport mode headers"), 789 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 790 CTL_NET, PF_INET6, IPPROTO_AH, 791 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 792 sysctl_createv(clog, 0, NULL, NULL, 793 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 794 CTLTYPE_INT, "ah_net_deflev", 795 SYSCTL_DESCR("Default required security level for " 796 "tunneled headers"), 797 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 798 CTL_NET, PF_INET6, IPPROTO_AH, 799 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 800 sysctl_createv(clog, 0, NULL, NULL, 801 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 802 CTLTYPE_INT, "ecn", 803 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 804 NULL, 0, &ip6_ipsec_ecn, 0, 805 CTL_NET, PF_INET6, IPPROTO_AH, 806 IPSECCTL_ECN, CTL_EOL); 807 sysctl_createv(clog, 0, NULL, NULL, 808 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 809 CTLTYPE_INT, "debug", 810 SYSCTL_DESCR("Enable IPSec debugging output"), 811 NULL, 0, &ipsec_debug, 0, 812 CTL_NET, PF_INET6, IPPROTO_AH, 813 IPSECCTL_DEBUG, CTL_EOL); 814 sysctl_createv(clog, 0, NULL, NULL, 815 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 816 CTLTYPE_INT, "enabled", 817 SYSCTL_DESCR("Enable IPSec processing"), 818 sysctl_net_ipsec_enabled, 0, NULL, 0, 819 CTL_NET, PF_INET6, IPPROTO_AH, 820 CTL_CREATE, CTL_EOL); 821 sysctl_createv(clog, 0, NULL, NULL, 822 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 823 CTLTYPE_INT, "used", 824 SYSCTL_DESCR("Is IPSec active?"), 825 NULL, 0, &ipsec_used, 0, 826 CTL_NET, PF_INET6, IPPROTO_AH, 827 CTL_CREATE, CTL_EOL); 828 /* 829 * "aliases" for the ipsec6 subtree 830 */ 831 sysctl_createv(clog, 0, NULL, NULL, 832 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 833 CTLTYPE_NODE, "esp6", NULL, 834 NULL, IPPROTO_AH, NULL, 0, 835 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 836 sysctl_createv(clog, 0, NULL, NULL, 837 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 838 CTLTYPE_NODE, "ipcomp6", NULL, 839 NULL, IPPROTO_AH, NULL, 0, 840 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 841 sysctl_createv(clog, 0, NULL, NULL, 842 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 843 CTLTYPE_NODE, "ah6", NULL, 844 NULL, IPPROTO_AH, NULL, 0, 845 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 846 } 847 #endif /* INET6 */ 848