1 /* $NetBSD: ipsec_netbsd.c,v 1.32 2008/05/04 07:22:15 thorpej Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.32 2008/05/04 07:22:15 thorpej Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <sys/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/ipsec_private.h> 69 #include <netipsec/key.h> 70 #include <netipsec/keydb.h> 71 #include <netipsec/key_debug.h> 72 #include <netipsec/ah.h> 73 #include <netipsec/ah_var.h> 74 #include <netipsec/esp.h> 75 #include <netipsec/esp_var.h> 76 #include <netipsec/ipip_var.h> 77 #include <netipsec/ipcomp_var.h> 78 79 #ifdef INET6 80 #include <netipsec/ipsec6.h> 81 #include <netinet6/ip6protosw.h> 82 #include <netinet/icmp6.h> 83 #endif 84 85 #include <machine/stdarg.h> 86 87 88 89 #include <netipsec/key.h> 90 91 /* assumes that ip header and ah header are contiguous on mbuf */ 92 void* 93 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 94 { 95 struct ip *ip = v; 96 struct ah *ah; 97 struct icmp *icp; 98 struct secasvar *sav; 99 100 if (sa->sa_family != AF_INET || 101 sa->sa_len != sizeof(struct sockaddr_in)) 102 return NULL; 103 if ((unsigned)cmd >= PRC_NCMDS) 104 return NULL; 105 106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 107 /* 108 * Check to see if we have a valid SA corresponding to 109 * the address in the ICMP message payload. 110 */ 111 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 112 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 113 IPPROTO_AH, ah->ah_spi, 0, 0); 114 115 if (sav) { 116 if (sav->state == SADB_SASTATE_MATURE || 117 sav->state == SADB_SASTATE_DYING) { 118 119 /* 120 * Now that we've validated that we are actually 121 * communicating with the host indicated in the 122 * ICMP message, locate the ICMP header, 123 * recalculate the new MTU, and create the 124 * corresponding routing entry. 125 */ 126 icp = (struct icmp *)((char *)ip - 127 offsetof(struct icmp, icmp_ip)); 128 icmp_mtudisc(icp, ip->ip_dst); 129 130 } 131 KEY_FREESAV(&sav); 132 } 133 } 134 return NULL; 135 } 136 137 138 139 /* assumes that ip header and esp header are contiguous on mbuf */ 140 void* 141 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 142 { 143 struct ip *ip = v; 144 struct esp *esp; 145 struct icmp *icp; 146 struct secasvar *sav; 147 148 if (sa->sa_family != AF_INET || 149 sa->sa_len != sizeof(struct sockaddr_in)) 150 return NULL; 151 if ((unsigned)cmd >= PRC_NCMDS) 152 return NULL; 153 154 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 155 /* 156 * Check to see if we have a valid SA corresponding to 157 * the address in the ICMP message payload. 158 */ 159 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 160 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 161 IPPROTO_ESP, esp->esp_spi, 0, 0); 162 163 if (sav) { 164 if (sav->state == SADB_SASTATE_MATURE || 165 sav->state == SADB_SASTATE_DYING) { 166 167 /* 168 * Now that we've validated that we are actually 169 * communicating with the host indicated in the 170 * ICMP message, locate the ICMP header, 171 * recalculate the new MTU, and create the 172 * corresponding routing entry. 173 */ 174 175 icp = (struct icmp *)((char *)ip - 176 offsetof(struct icmp, icmp_ip)); 177 icmp_mtudisc(icp, ip->ip_dst); 178 179 } 180 KEY_FREESAV(&sav); 181 } 182 } 183 return NULL; 184 } 185 186 #ifdef INET6 187 void * 188 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 189 { 190 const struct newah *ahp; 191 struct newah ah; 192 struct secasvar *sav; 193 struct ip6_hdr *ip6; 194 struct mbuf *m; 195 struct ip6ctlparam *ip6cp = NULL; 196 int off; 197 198 if (sa->sa_family != AF_INET6 || 199 sa->sa_len != sizeof(struct sockaddr_in6)) 200 return NULL; 201 if ((unsigned)cmd >= PRC_NCMDS) 202 return NULL; 203 204 /* if the parameter is from icmp6, decode it. */ 205 if (d != NULL) { 206 ip6cp = (struct ip6ctlparam *)d; 207 m = ip6cp->ip6c_m; 208 ip6 = ip6cp->ip6c_ip6; 209 off = ip6cp->ip6c_off; 210 } else { 211 m = NULL; 212 ip6 = NULL; 213 off = 0; 214 } 215 216 if (ip6) { 217 /* 218 * XXX: We assume that when ip6 is non NULL, 219 * M and OFF are valid. 220 */ 221 222 /* check if we can safely examine src and dst ports */ 223 if (m->m_pkthdr.len < off + sizeof(ah)) 224 return NULL; 225 226 if (m->m_len < off + sizeof(ah)) { 227 /* 228 * this should be rare case, 229 * so we compromise on this copy... 230 */ 231 m_copydata(m, off, sizeof(ah), &ah); 232 ahp = &ah; 233 } else 234 ahp = (struct newah *)(mtod(m, char *) + off); 235 236 if (cmd == PRC_MSGSIZE) { 237 int valid = 0; 238 239 /* 240 * Check to see if we have a valid SA corresponding 241 * to the address in the ICMP message payload. 242 */ 243 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 244 IPPROTO_AH, ahp->ah_spi, 0, 0); 245 246 if (sav) { 247 if (sav->state == SADB_SASTATE_MATURE || 248 sav->state == SADB_SASTATE_DYING) 249 valid++; 250 KEY_FREESAV(&sav); 251 } 252 253 /* XXX Further validation? */ 254 255 /* 256 * Depending on the value of "valid" and routing 257 * table size (mtudisc_{hi,lo}wat), we will: 258 * - recalcurate the new MTU and create the 259 * corresponding routing entry, or 260 * - ignore the MTU change notification. 261 */ 262 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 263 } 264 265 /* we normally notify single pcb here */ 266 } else { 267 /* we normally notify any pcb here */ 268 } 269 return NULL; 270 } 271 272 273 274 void * 275 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 276 { 277 const struct newesp *espp; 278 struct newesp esp; 279 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 280 struct secasvar *sav; 281 struct ip6_hdr *ip6; 282 struct mbuf *m; 283 int off; 284 285 if (sa->sa_family != AF_INET6 || 286 sa->sa_len != sizeof(struct sockaddr_in6)) 287 return NULL; 288 if ((unsigned)cmd >= PRC_NCMDS) 289 return NULL; 290 291 /* if the parameter is from icmp6, decode it. */ 292 if (d != NULL) { 293 ip6cp = (struct ip6ctlparam *)d; 294 m = ip6cp->ip6c_m; 295 ip6 = ip6cp->ip6c_ip6; 296 off = ip6cp->ip6c_off; 297 } else { 298 m = NULL; 299 ip6 = NULL; 300 off = 0; 301 } 302 303 if (ip6) { 304 /* 305 * Notify the error to all possible sockets via pfctlinput2. 306 * Since the upper layer information (such as protocol type, 307 * source and destination ports) is embedded in the encrypted 308 * data and might have been cut, we can't directly call 309 * an upper layer ctlinput function. However, the pcbnotify 310 * function will consider source and destination addresses 311 * as well as the flow info value, and may be able to find 312 * some PCB that should be notified. 313 * Although pfctlinput2 will call esp6_ctlinput(), there is 314 * no possibility of an infinite loop of function calls, 315 * because we don't pass the inner IPv6 header. 316 */ 317 memset(&ip6cp1, 0, sizeof(ip6cp1)); 318 ip6cp1.ip6c_src = ip6cp->ip6c_src; 319 pfctlinput2(cmd, sa, &ip6cp1); 320 321 /* 322 * Then go to special cases that need ESP header information. 323 * XXX: We assume that when ip6 is non NULL, 324 * M and OFF are valid. 325 */ 326 327 /* check if we can safely examine src and dst ports */ 328 if (m->m_pkthdr.len < off + sizeof(esp)) 329 return NULL; 330 331 if (m->m_len < off + sizeof(esp)) { 332 /* 333 * this should be rare case, 334 * so we compromise on this copy... 335 */ 336 m_copydata(m, off, sizeof(esp), &esp); 337 espp = &esp; 338 } else 339 espp = (struct newesp*)(mtod(m, char *) + off); 340 341 if (cmd == PRC_MSGSIZE) { 342 int valid = 0; 343 344 /* 345 * Check to see if we have a valid SA corresponding to 346 * the address in the ICMP message payload. 347 */ 348 349 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 350 IPPROTO_ESP, espp->esp_spi, 0, 0); 351 352 if (sav) { 353 if (sav->state == SADB_SASTATE_MATURE || 354 sav->state == SADB_SASTATE_DYING) 355 valid++; 356 KEY_FREESAV(&sav); 357 } 358 359 /* XXX Further validation? */ 360 361 /* 362 * Depending on the value of "valid" and routing table 363 * size (mtudisc_{hi,lo}wat), we will: 364 * - recalcurate the new MTU and create the 365 * corresponding routing entry, or 366 * - ignore the MTU change notification. 367 */ 368 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 369 } 370 } else { 371 /* we normally notify any pcb here */ 372 } 373 return NULL; 374 } 375 #endif /* INET6 */ 376 377 static int 378 sysctl_fast_ipsec(SYSCTLFN_ARGS) 379 { 380 int error, t; 381 struct sysctlnode node; 382 383 node = *rnode; 384 t = *(int*)rnode->sysctl_data; 385 node.sysctl_data = &t; 386 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 387 if (error || newp == NULL) 388 return (error); 389 390 switch (rnode->sysctl_num) { 391 case IPSECCTL_DEF_ESP_TRANSLEV: 392 case IPSECCTL_DEF_ESP_NETLEV: 393 case IPSECCTL_DEF_AH_TRANSLEV: 394 case IPSECCTL_DEF_AH_NETLEV: 395 if (t != IPSEC_LEVEL_USE && 396 t != IPSEC_LEVEL_REQUIRE) 397 return (EINVAL); 398 ipsec_invalpcbcacheall(); 399 break; 400 case IPSECCTL_DEF_POLICY: 401 if (t != IPSEC_POLICY_DISCARD && 402 t != IPSEC_POLICY_NONE) 403 return (EINVAL); 404 ipsec_invalpcbcacheall(); 405 break; 406 default: 407 return (EINVAL); 408 } 409 410 *(int*)rnode->sysctl_data = t; 411 412 return (0); 413 } 414 415 #ifdef IPSEC_DEBUG 416 static int 417 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 418 { 419 int t, error; 420 struct sysctlnode node; 421 422 node = *rnode; 423 t = *(int*)rnode->sysctl_data; 424 node.sysctl_data = &t; 425 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 426 if (error || newp == NULL) 427 return (error); 428 429 if (t < 0 || t > 1) 430 return EINVAL; 431 432 if (rnode->sysctl_data == &ipsec_replay) 433 printf("fast_ipsec: Anti-Replay service %s\n", 434 (t == 1) ? "deactivated" : "activated"); 435 else if (rnode->sysctl_data == &ipsec_integrity) 436 printf("fast_ipsec: HMAC corruption %s\n", 437 (t == 0) ? "deactivated" : "activated"); 438 439 *(int*)rnode->sysctl_data = t; 440 441 return 0; 442 } 443 #endif 444 445 static int 446 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS) 447 { 448 449 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 450 } 451 452 static int 453 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 454 { 455 456 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 457 } 458 459 static int 460 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 461 { 462 463 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 464 } 465 466 static int 467 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 468 { 469 470 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 471 } 472 473 static int 474 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 475 { 476 477 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 478 } 479 480 /* XXX will need a different oid at parent */ 481 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 482 { 483 const struct sysctlnode *_ipsec; 484 int ipproto_ipsec; 485 486 sysctl_createv(clog, 0, NULL, NULL, 487 CTLFLAG_PERMANENT, 488 CTLTYPE_NODE, "net", NULL, 489 NULL, 0, NULL, 0, 490 CTL_NET, CTL_EOL); 491 sysctl_createv(clog, 0, NULL, NULL, 492 CTLFLAG_PERMANENT, 493 CTLTYPE_NODE, "inet", NULL, 494 NULL, 0, NULL, 0, 495 CTL_NET, PF_INET, CTL_EOL); 496 497 /* 498 * in numerical order: 499 * 500 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 501 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 502 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 503 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 504 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 505 * 506 * this creates separate trees by name, but maintains that the 507 * ipsec name leads to all the old leaves. 508 */ 509 510 /* create net.inet.ipip */ 511 sysctl_createv(clog, 0, NULL, NULL, 512 CTLFLAG_PERMANENT, 513 CTLTYPE_NODE, "ipip", NULL, 514 NULL, 0, NULL, 0, 515 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 516 sysctl_createv(clog, 0, NULL, NULL, 517 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 518 CTLTYPE_STRUCT, "ipip_stats", NULL, 519 sysctl_net_inet_ipip_stats, 0, NULL, 0, 520 CTL_NET, PF_INET, IPPROTO_IPIP, 521 CTL_CREATE, CTL_EOL); 522 523 /* create net.inet.esp subtree under IPPROTO_ESP */ 524 sysctl_createv(clog, 0, NULL, NULL, 525 CTLFLAG_PERMANENT, 526 CTLTYPE_NODE, "esp", NULL, 527 NULL, 0, NULL, 0, 528 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 529 sysctl_createv(clog, 0, NULL, NULL, 530 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 531 CTLTYPE_INT, "trans_deflev", NULL, 532 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 533 CTL_NET, PF_INET, IPPROTO_ESP, 534 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 535 sysctl_createv(clog, 0, NULL, NULL, 536 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 537 CTLTYPE_INT, "net_deflev", NULL, 538 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 539 CTL_NET, PF_INET, IPPROTO_ESP, 540 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 541 sysctl_createv(clog, 0, NULL, NULL, 542 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 543 CTLTYPE_STRUCT, "esp_stats", NULL, 544 sysctl_net_inet_esp_stats, 0, NULL, 0, 545 CTL_NET, PF_INET, IPPROTO_ESP, 546 CTL_CREATE, CTL_EOL); 547 548 /* create net.inet.ah subtree under IPPROTO_AH */ 549 sysctl_createv(clog, 0, NULL, NULL, 550 CTLFLAG_PERMANENT, 551 CTLTYPE_NODE, "ah", NULL, 552 NULL, 0, NULL, 0, 553 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 554 sysctl_createv(clog, 0, NULL, NULL, 555 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 556 CTLTYPE_INT, "cleartos", NULL, 557 NULL, 0, &ip4_ah_cleartos, 0, 558 CTL_NET, PF_INET, IPPROTO_AH, 559 IPSECCTL_AH_CLEARTOS, CTL_EOL); 560 sysctl_createv(clog, 0, NULL, NULL, 561 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 562 CTLTYPE_INT, "offsetmask", NULL, 563 NULL, 0, &ip4_ah_offsetmask, 0, 564 CTL_NET, PF_INET, IPPROTO_AH, 565 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 566 sysctl_createv(clog, 0, NULL, NULL, 567 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 568 CTLTYPE_INT, "trans_deflev", NULL, 569 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 570 CTL_NET, PF_INET, IPPROTO_AH, 571 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 572 sysctl_createv(clog, 0, NULL, NULL, 573 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 574 CTLTYPE_INT, "net_deflev", NULL, 575 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 576 CTL_NET, PF_INET, IPPROTO_AH, 577 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 578 sysctl_createv(clog, 0, NULL, NULL, 579 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 580 CTLTYPE_STRUCT, "ah_stats", NULL, 581 sysctl_net_inet_ah_stats, 0, NULL, 0, 582 CTL_NET, PF_INET, IPPROTO_AH, 583 CTL_CREATE, CTL_EOL); 584 585 /* create net.inet.ipcomp */ 586 sysctl_createv(clog, 0, NULL, NULL, 587 CTLFLAG_PERMANENT, 588 CTLTYPE_NODE, "ipcomp", NULL, 589 NULL, 0, NULL, 0, 590 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 591 sysctl_createv(clog, 0, NULL, NULL, 592 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 593 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 594 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 595 CTL_NET, PF_INET, IPPROTO_IPCOMP, 596 CTL_CREATE, CTL_EOL); 597 598 /* create net.inet.ipsec subtree under dynamic oid */ 599 sysctl_createv(clog, 0, NULL, &_ipsec, 600 CTLFLAG_PERMANENT, 601 CTLTYPE_NODE, "ipsec", NULL, 602 NULL, 0, NULL, 0, 603 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 604 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 605 606 sysctl_createv(clog, 0, NULL, NULL, 607 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 608 CTLTYPE_INT, "def_policy", NULL, 609 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 610 CTL_NET, PF_INET, ipproto_ipsec, 611 IPSECCTL_DEF_POLICY, CTL_EOL); 612 sysctl_createv(clog, 0, NULL, NULL, 613 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 614 CTLTYPE_INT, "esp_trans_deflev", NULL, 615 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 616 CTL_NET, PF_INET, ipproto_ipsec, 617 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 618 sysctl_createv(clog, 0, NULL, NULL, 619 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 620 CTLTYPE_INT, "esp_net_deflev", NULL, 621 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 622 CTL_NET, PF_INET, ipproto_ipsec, 623 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 624 sysctl_createv(clog, 0, NULL, NULL, 625 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 626 CTLTYPE_INT, "ah_trans_deflev", NULL, 627 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 628 CTL_NET, PF_INET, ipproto_ipsec, 629 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 630 sysctl_createv(clog, 0, NULL, NULL, 631 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 632 CTLTYPE_INT, "ah_net_deflev", NULL, 633 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 634 CTL_NET, PF_INET, ipproto_ipsec, 635 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 636 sysctl_createv(clog, 0, NULL, NULL, 637 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 638 CTLTYPE_INT, "ah_cleartos", NULL, 639 NULL, 0, &ip4_ah_cleartos, 0, 640 CTL_NET, PF_INET, ipproto_ipsec, 641 IPSECCTL_AH_CLEARTOS, CTL_EOL); 642 sysctl_createv(clog, 0, NULL, NULL, 643 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 644 CTLTYPE_INT, "ah_offsetmask", NULL, 645 NULL, 0, &ip4_ah_offsetmask, 0, 646 CTL_NET, PF_INET, ipproto_ipsec, 647 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 648 sysctl_createv(clog, 0, NULL, NULL, 649 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 650 CTLTYPE_INT, "dfbit", NULL, 651 NULL, 0, &ip4_ipsec_dfbit, 0, 652 CTL_NET, PF_INET, ipproto_ipsec, 653 IPSECCTL_DFBIT, CTL_EOL); 654 sysctl_createv(clog, 0, NULL, NULL, 655 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 656 CTLTYPE_INT, "ecn", NULL, 657 NULL, 0, &ip4_ipsec_ecn, 0, 658 CTL_NET, PF_INET, ipproto_ipsec, 659 IPSECCTL_ECN, CTL_EOL); 660 sysctl_createv(clog, 0, NULL, NULL, 661 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 662 CTLTYPE_INT, "debug", NULL, 663 NULL, 0, &ipsec_debug, 0, 664 CTL_NET, PF_INET, ipproto_ipsec, 665 IPSECCTL_DEBUG, CTL_EOL); 666 sysctl_createv(clog, 0, NULL, NULL, 667 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 668 CTLTYPE_STRUCT, "ipsecstats", NULL, 669 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 670 CTL_NET, PF_INET, ipproto_ipsec, 671 CTL_CREATE, CTL_EOL); 672 #ifdef IPSEC_DEBUG 673 sysctl_createv(clog, 0, NULL, NULL, 674 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 675 CTLTYPE_INT, "test_replay", 676 SYSCTL_DESCR("Emulate replay attack"), 677 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 678 CTL_NET, PF_INET, ipproto_ipsec, 679 CTL_CREATE, CTL_EOL); 680 sysctl_createv(clog, 0, NULL, NULL, 681 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 682 CTLTYPE_INT, "test_integrity", 683 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 684 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 685 CTL_NET, PF_INET, ipproto_ipsec, 686 CTL_CREATE, CTL_EOL); 687 #endif 688 } 689 690 #ifdef INET6 691 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup, 692 "sysctl net.inet6.ipsec6 subtree setup") 693 { 694 695 sysctl_createv(clog, 0, NULL, NULL, 696 CTLFLAG_PERMANENT, 697 CTLTYPE_NODE, "net", NULL, 698 NULL, 0, NULL, 0, 699 CTL_NET, CTL_EOL); 700 sysctl_createv(clog, 0, NULL, NULL, 701 CTLFLAG_PERMANENT, 702 CTLTYPE_NODE, "inet6", NULL, 703 NULL, 0, NULL, 0, 704 CTL_NET, PF_INET6, CTL_EOL); 705 sysctl_createv(clog, 0, NULL, NULL, 706 CTLFLAG_PERMANENT, 707 CTLTYPE_NODE, "ipsec6", 708 SYSCTL_DESCR("IPv6 related IPSec settings"), 709 NULL, 0, NULL, 0, 710 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 711 712 sysctl_createv(clog, 0, NULL, NULL, 713 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 714 CTLTYPE_STRUCT, "stats", 715 SYSCTL_DESCR("IPSec statistics and counters"), 716 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0, 717 CTL_NET, PF_INET6, IPPROTO_AH, 718 IPSECCTL_STATS, CTL_EOL); 719 sysctl_createv(clog, 0, NULL, NULL, 720 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 721 CTLTYPE_INT, "def_policy", 722 SYSCTL_DESCR("Default action for non-IPSec packets"), 723 sysctl_fast_ipsec, 0, &ip6_def_policy, 0, 724 CTL_NET, PF_INET6, IPPROTO_AH, 725 IPSECCTL_DEF_POLICY, CTL_EOL); 726 sysctl_createv(clog, 0, NULL, NULL, 727 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 728 CTLTYPE_INT, "esp_trans_deflev", 729 SYSCTL_DESCR("Default required security level for " 730 "transport mode traffic"), 731 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0, 732 CTL_NET, PF_INET6, IPPROTO_AH, 733 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 734 sysctl_createv(clog, 0, NULL, NULL, 735 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 736 CTLTYPE_INT, "esp_net_deflev", 737 SYSCTL_DESCR("Default required security level for " 738 "tunneled traffic"), 739 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0, 740 CTL_NET, PF_INET6, IPPROTO_AH, 741 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 742 sysctl_createv(clog, 0, NULL, NULL, 743 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 744 CTLTYPE_INT, "ah_trans_deflev", 745 SYSCTL_DESCR("Default required security level for " 746 "transport mode headers"), 747 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0, 748 CTL_NET, PF_INET6, IPPROTO_AH, 749 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 750 sysctl_createv(clog, 0, NULL, NULL, 751 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 752 CTLTYPE_INT, "ah_net_deflev", 753 SYSCTL_DESCR("Default required security level for " 754 "tunneled headers"), 755 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0, 756 CTL_NET, PF_INET6, IPPROTO_AH, 757 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 758 sysctl_createv(clog, 0, NULL, NULL, 759 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 760 CTLTYPE_INT, "ecn", 761 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 762 NULL, 0, &ip6_ipsec_ecn, 0, 763 CTL_NET, PF_INET6, IPPROTO_AH, 764 IPSECCTL_ECN, CTL_EOL); 765 sysctl_createv(clog, 0, NULL, NULL, 766 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 767 CTLTYPE_INT, "debug", 768 SYSCTL_DESCR("Enable IPSec debugging output"), 769 NULL, 0, &ipsec_debug, 0, 770 CTL_NET, PF_INET6, IPPROTO_AH, 771 IPSECCTL_DEBUG, CTL_EOL); 772 773 /* 774 * "aliases" for the ipsec6 subtree 775 */ 776 sysctl_createv(clog, 0, NULL, NULL, 777 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 778 CTLTYPE_NODE, "esp6", NULL, 779 NULL, IPPROTO_AH, NULL, 0, 780 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 781 sysctl_createv(clog, 0, NULL, NULL, 782 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 783 CTLTYPE_NODE, "ipcomp6", NULL, 784 NULL, IPPROTO_AH, NULL, 0, 785 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 786 sysctl_createv(clog, 0, NULL, NULL, 787 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 788 CTLTYPE_NODE, "ah6", NULL, 789 NULL, IPPROTO_AH, NULL, 0, 790 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 791 } 792 #endif /* INET6 */ 793