ipsec_netbsd.c revision 1.47
1 1.47 maxv /* $NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $ */ 2 1.1 jonathan /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 1.1 jonathan /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 1.1 jonathan 5 1.1 jonathan /* 6 1.1 jonathan * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 1.1 jonathan * All rights reserved. 8 1.1 jonathan * 9 1.1 jonathan * Redistribution and use in source and binary forms, with or without 10 1.1 jonathan * modification, are permitted provided that the following conditions 11 1.1 jonathan * are met: 12 1.1 jonathan * 1. Redistributions of source code must retain the above copyright 13 1.1 jonathan * notice, this list of conditions and the following disclaimer. 14 1.1 jonathan * 2. Redistributions in binary form must reproduce the above copyright 15 1.1 jonathan * notice, this list of conditions and the following disclaimer in the 16 1.1 jonathan * documentation and/or other materials provided with the distribution. 17 1.1 jonathan * 3. Neither the name of the project nor the names of its contributors 18 1.1 jonathan * may be used to endorse or promote products derived from this software 19 1.1 jonathan * without specific prior written permission. 20 1.1 jonathan * 21 1.1 jonathan * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 1.1 jonathan * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 1.1 jonathan * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 1.1 jonathan * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 1.1 jonathan * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 1.1 jonathan * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 1.1 jonathan * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 1.1 jonathan * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 1.1 jonathan * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 1.1 jonathan * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 1.1 jonathan * SUCH DAMAGE. 32 1.1 jonathan */ 33 1.1 jonathan 34 1.1 jonathan #include <sys/cdefs.h> 35 1.47 maxv __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.47 2018/02/26 06:17:01 maxv Exp $"); 36 1.1 jonathan 37 1.40 ozaki #if defined(_KERNEL_OPT) 38 1.1 jonathan #include "opt_inet.h" 39 1.1 jonathan #include "opt_ipsec.h" 40 1.40 ozaki #endif 41 1.1 jonathan 42 1.1 jonathan #include <sys/param.h> 43 1.1 jonathan #include <sys/systm.h> 44 1.1 jonathan #include <sys/malloc.h> 45 1.1 jonathan #include <sys/mbuf.h> 46 1.1 jonathan #include <sys/domain.h> 47 1.1 jonathan #include <sys/protosw.h> 48 1.1 jonathan #include <sys/socket.h> 49 1.1 jonathan #include <sys/errno.h> 50 1.1 jonathan #include <sys/time.h> 51 1.1 jonathan #include <sys/kernel.h> 52 1.1 jonathan #include <sys/sysctl.h> 53 1.1 jonathan 54 1.1 jonathan #include <net/if.h> 55 1.1 jonathan #include <net/route.h> 56 1.1 jonathan #include <net/netisr.h> 57 1.29 ad #include <sys/cpu.h> 58 1.1 jonathan 59 1.1 jonathan #include <netinet/in.h> 60 1.1 jonathan #include <netinet/in_systm.h> 61 1.1 jonathan #include <netinet/in_var.h> 62 1.1 jonathan #include <netinet/ip.h> 63 1.1 jonathan #include <netinet/ip_var.h> 64 1.1 jonathan #include <netinet/ip_ecn.h> 65 1.1 jonathan #include <netinet/ip_icmp.h> 66 1.1 jonathan 67 1.1 jonathan #include <netipsec/ipsec.h> 68 1.10 jonathan #include <netipsec/ipsec_var.h> 69 1.30 thorpej #include <netipsec/ipsec_private.h> 70 1.3 tls #include <netipsec/key.h> 71 1.3 tls #include <netipsec/keydb.h> 72 1.3 tls #include <netipsec/key_debug.h> 73 1.18 degroote #include <netipsec/ah.h> 74 1.1 jonathan #include <netipsec/ah_var.h> 75 1.5 jonathan #include <netipsec/esp.h> 76 1.10 jonathan #include <netipsec/esp_var.h> 77 1.10 jonathan #include <netipsec/ipip_var.h> 78 1.10 jonathan #include <netipsec/ipcomp_var.h> 79 1.5 jonathan 80 1.5 jonathan #ifdef INET6 81 1.5 jonathan #include <netipsec/ipsec6.h> 82 1.5 jonathan #include <netinet6/ip6protosw.h> 83 1.5 jonathan #include <netinet/icmp6.h> 84 1.1 jonathan #endif 85 1.1 jonathan 86 1.3 tls #include <netipsec/key.h> 87 1.1 jonathan 88 1.1 jonathan /* assumes that ip header and ah header are contiguous on mbuf */ 89 1.47 maxv void * 90 1.28 degroote ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 91 1.1 jonathan { 92 1.1 jonathan struct ip *ip = v; 93 1.1 jonathan struct ah *ah; 94 1.1 jonathan struct icmp *icp; 95 1.1 jonathan struct secasvar *sav; 96 1.1 jonathan 97 1.1 jonathan if (sa->sa_family != AF_INET || 98 1.47 maxv sa->sa_len != sizeof(struct sockaddr_in)) 99 1.38 msaitoh return NULL; 100 1.1 jonathan if ((unsigned)cmd >= PRC_NCMDS) 101 1.1 jonathan return NULL; 102 1.20 degroote 103 1.1 jonathan if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 104 1.1 jonathan /* 105 1.1 jonathan * Check to see if we have a valid SA corresponding to 106 1.1 jonathan * the address in the ICMP message payload. 107 1.1 jonathan */ 108 1.23 degroote ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 109 1.44 ozaki sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 110 1.47 maxv IPPROTO_AH, ah->ah_spi, 0, 0); 111 1.1 jonathan 112 1.20 degroote if (sav) { 113 1.42 ozaki if (SADB_SASTATE_USABLE_P(sav)) { 114 1.20 degroote /* 115 1.47 maxv * Now that we've validated that we are actually 116 1.47 maxv * communicating with the host indicated in the 117 1.47 maxv * ICMP message, locate the ICMP header, 118 1.20 degroote * recalculate the new MTU, and create the 119 1.47 maxv * corresponding routing entry. 120 1.47 maxv */ 121 1.47 maxv icp = (struct icmp *)((char *)ip - 122 1.43 ozaki offsetof(struct icmp, icmp_ip)); 123 1.20 degroote icmp_mtudisc(icp, ip->ip_dst); 124 1.20 degroote } 125 1.45 ozaki KEY_SA_UNREF(&sav); 126 1.20 degroote } 127 1.1 jonathan } 128 1.1 jonathan return NULL; 129 1.1 jonathan } 130 1.1 jonathan 131 1.1 jonathan /* assumes that ip header and esp header are contiguous on mbuf */ 132 1.47 maxv void * 133 1.28 degroote esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 134 1.1 jonathan { 135 1.1 jonathan struct ip *ip = v; 136 1.1 jonathan struct esp *esp; 137 1.1 jonathan struct icmp *icp; 138 1.1 jonathan struct secasvar *sav; 139 1.1 jonathan 140 1.1 jonathan if (sa->sa_family != AF_INET || 141 1.1 jonathan sa->sa_len != sizeof(struct sockaddr_in)) 142 1.1 jonathan return NULL; 143 1.1 jonathan if ((unsigned)cmd >= PRC_NCMDS) 144 1.1 jonathan return NULL; 145 1.20 degroote 146 1.1 jonathan if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 147 1.1 jonathan /* 148 1.1 jonathan * Check to see if we have a valid SA corresponding to 149 1.1 jonathan * the address in the ICMP message payload. 150 1.1 jonathan */ 151 1.23 degroote esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 152 1.44 ozaki sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 153 1.47 maxv IPPROTO_ESP, esp->esp_spi, 0, 0); 154 1.1 jonathan 155 1.20 degroote if (sav) { 156 1.42 ozaki if (SADB_SASTATE_USABLE_P(sav)) { 157 1.20 degroote /* 158 1.47 maxv * Now that we've validated that we are actually 159 1.47 maxv * communicating with the host indicated in the 160 1.47 maxv * ICMP message, locate the ICMP header, 161 1.20 degroote * recalculate the new MTU, and create the 162 1.47 maxv * corresponding routing entry. 163 1.47 maxv */ 164 1.47 maxv icp = (struct icmp *)((char *)ip - 165 1.43 ozaki offsetof(struct icmp, icmp_ip)); 166 1.20 degroote icmp_mtudisc(icp, ip->ip_dst); 167 1.20 degroote } 168 1.45 ozaki KEY_SA_UNREF(&sav); 169 1.20 degroote } 170 1.1 jonathan } 171 1.1 jonathan return NULL; 172 1.1 jonathan } 173 1.1 jonathan 174 1.1 jonathan #ifdef INET6 175 1.31 degroote void * 176 1.28 degroote ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 177 1.18 degroote { 178 1.41 ozaki const struct newah *ahp; 179 1.41 ozaki struct newah ah; 180 1.41 ozaki struct secasvar *sav; 181 1.41 ozaki struct ip6_hdr *ip6; 182 1.41 ozaki struct mbuf *m; 183 1.41 ozaki struct ip6ctlparam *ip6cp = NULL; 184 1.41 ozaki int off; 185 1.41 ozaki 186 1.41 ozaki if (sa->sa_family != AF_INET6 || 187 1.41 ozaki sa->sa_len != sizeof(struct sockaddr_in6)) 188 1.41 ozaki return NULL; 189 1.41 ozaki if ((unsigned)cmd >= PRC_NCMDS) 190 1.41 ozaki return NULL; 191 1.41 ozaki 192 1.41 ozaki /* if the parameter is from icmp6, decode it. */ 193 1.41 ozaki if (d != NULL) { 194 1.41 ozaki ip6cp = (struct ip6ctlparam *)d; 195 1.41 ozaki m = ip6cp->ip6c_m; 196 1.41 ozaki ip6 = ip6cp->ip6c_ip6; 197 1.41 ozaki off = ip6cp->ip6c_off; 198 1.41 ozaki } else { 199 1.41 ozaki m = NULL; 200 1.41 ozaki ip6 = NULL; 201 1.41 ozaki off = 0; 202 1.41 ozaki } 203 1.41 ozaki 204 1.41 ozaki if (ip6) { 205 1.41 ozaki /* 206 1.41 ozaki * XXX: We assume that when ip6 is non NULL, 207 1.41 ozaki * M and OFF are valid. 208 1.41 ozaki */ 209 1.41 ozaki 210 1.41 ozaki /* check if we can safely examine src and dst ports */ 211 1.41 ozaki if (m->m_pkthdr.len < off + sizeof(ah)) 212 1.41 ozaki return NULL; 213 1.41 ozaki 214 1.41 ozaki if (m->m_len < off + sizeof(ah)) { 215 1.41 ozaki /* 216 1.41 ozaki * this should be rare case, 217 1.41 ozaki * so we compromise on this copy... 218 1.41 ozaki */ 219 1.41 ozaki m_copydata(m, off, sizeof(ah), &ah); 220 1.41 ozaki ahp = &ah; 221 1.41 ozaki } else 222 1.41 ozaki ahp = (struct newah *)(mtod(m, char *) + off); 223 1.41 ozaki 224 1.41 ozaki if (cmd == PRC_MSGSIZE) { 225 1.41 ozaki int valid = 0; 226 1.41 ozaki 227 1.41 ozaki /* 228 1.41 ozaki * Check to see if we have a valid SA corresponding 229 1.41 ozaki * to the address in the ICMP message payload. 230 1.41 ozaki */ 231 1.44 ozaki sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 232 1.41 ozaki IPPROTO_AH, ahp->ah_spi, 0, 0); 233 1.41 ozaki 234 1.41 ozaki if (sav) { 235 1.42 ozaki if (SADB_SASTATE_USABLE_P(sav)) 236 1.41 ozaki valid++; 237 1.45 ozaki KEY_SA_UNREF(&sav); 238 1.41 ozaki } 239 1.41 ozaki 240 1.41 ozaki /* XXX Further validation? */ 241 1.41 ozaki 242 1.41 ozaki /* 243 1.41 ozaki * Depending on the value of "valid" and routing 244 1.41 ozaki * table size (mtudisc_{hi,lo}wat), we will: 245 1.47 maxv * - recalculate the new MTU and create the 246 1.41 ozaki * corresponding routing entry, or 247 1.41 ozaki * - ignore the MTU change notification. 248 1.41 ozaki */ 249 1.47 maxv icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 250 1.41 ozaki } 251 1.41 ozaki 252 1.41 ozaki /* we normally notify single pcb here */ 253 1.41 ozaki } else { 254 1.41 ozaki /* we normally notify any pcb here */ 255 1.41 ozaki } 256 1.41 ozaki return NULL; 257 1.18 degroote } 258 1.18 degroote 259 1.31 degroote void * 260 1.28 degroote esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 261 1.1 jonathan { 262 1.1 jonathan const struct newesp *espp; 263 1.1 jonathan struct newesp esp; 264 1.1 jonathan struct ip6ctlparam *ip6cp = NULL, ip6cp1; 265 1.1 jonathan struct secasvar *sav; 266 1.1 jonathan struct ip6_hdr *ip6; 267 1.1 jonathan struct mbuf *m; 268 1.1 jonathan int off; 269 1.1 jonathan 270 1.1 jonathan if (sa->sa_family != AF_INET6 || 271 1.1 jonathan sa->sa_len != sizeof(struct sockaddr_in6)) 272 1.31 degroote return NULL; 273 1.1 jonathan if ((unsigned)cmd >= PRC_NCMDS) 274 1.31 degroote return NULL; 275 1.1 jonathan 276 1.1 jonathan /* if the parameter is from icmp6, decode it. */ 277 1.1 jonathan if (d != NULL) { 278 1.1 jonathan ip6cp = (struct ip6ctlparam *)d; 279 1.1 jonathan m = ip6cp->ip6c_m; 280 1.1 jonathan ip6 = ip6cp->ip6c_ip6; 281 1.1 jonathan off = ip6cp->ip6c_off; 282 1.1 jonathan } else { 283 1.1 jonathan m = NULL; 284 1.1 jonathan ip6 = NULL; 285 1.7 jonathan off = 0; 286 1.1 jonathan } 287 1.1 jonathan 288 1.1 jonathan if (ip6) { 289 1.1 jonathan /* 290 1.1 jonathan * Notify the error to all possible sockets via pfctlinput2. 291 1.1 jonathan * Since the upper layer information (such as protocol type, 292 1.1 jonathan * source and destination ports) is embedded in the encrypted 293 1.1 jonathan * data and might have been cut, we can't directly call 294 1.1 jonathan * an upper layer ctlinput function. However, the pcbnotify 295 1.1 jonathan * function will consider source and destination addresses 296 1.1 jonathan * as well as the flow info value, and may be able to find 297 1.1 jonathan * some PCB that should be notified. 298 1.1 jonathan * Although pfctlinput2 will call esp6_ctlinput(), there is 299 1.1 jonathan * no possibility of an infinite loop of function calls, 300 1.1 jonathan * because we don't pass the inner IPv6 header. 301 1.1 jonathan */ 302 1.20 degroote memset(&ip6cp1, 0, sizeof(ip6cp1)); 303 1.1 jonathan ip6cp1.ip6c_src = ip6cp->ip6c_src; 304 1.24 degroote pfctlinput2(cmd, sa, &ip6cp1); 305 1.1 jonathan 306 1.1 jonathan /* 307 1.1 jonathan * Then go to special cases that need ESP header information. 308 1.1 jonathan * XXX: We assume that when ip6 is non NULL, 309 1.1 jonathan * M and OFF are valid. 310 1.1 jonathan */ 311 1.1 jonathan 312 1.1 jonathan /* check if we can safely examine src and dst ports */ 313 1.1 jonathan if (m->m_pkthdr.len < off + sizeof(esp)) 314 1.31 degroote return NULL; 315 1.1 jonathan 316 1.1 jonathan if (m->m_len < off + sizeof(esp)) { 317 1.1 jonathan /* 318 1.1 jonathan * this should be rare case, 319 1.1 jonathan * so we compromise on this copy... 320 1.1 jonathan */ 321 1.24 degroote m_copydata(m, off, sizeof(esp), &esp); 322 1.1 jonathan espp = &esp; 323 1.1 jonathan } else 324 1.23 degroote espp = (struct newesp*)(mtod(m, char *) + off); 325 1.1 jonathan 326 1.1 jonathan if (cmd == PRC_MSGSIZE) { 327 1.1 jonathan int valid = 0; 328 1.1 jonathan 329 1.1 jonathan /* 330 1.1 jonathan * Check to see if we have a valid SA corresponding to 331 1.1 jonathan * the address in the ICMP message payload. 332 1.1 jonathan */ 333 1.19 degroote 334 1.44 ozaki sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 335 1.47 maxv IPPROTO_ESP, espp->esp_spi, 0, 0); 336 1.7 jonathan 337 1.1 jonathan if (sav) { 338 1.42 ozaki if (SADB_SASTATE_USABLE_P(sav)) 339 1.1 jonathan valid++; 340 1.45 ozaki KEY_SA_UNREF(&sav); 341 1.1 jonathan } 342 1.1 jonathan 343 1.1 jonathan /* XXX Further validation? */ 344 1.1 jonathan 345 1.1 jonathan /* 346 1.1 jonathan * Depending on the value of "valid" and routing table 347 1.1 jonathan * size (mtudisc_{hi,lo}wat), we will: 348 1.1 jonathan * - recalcurate the new MTU and create the 349 1.1 jonathan * corresponding routing entry, or 350 1.1 jonathan * - ignore the MTU change notification. 351 1.1 jonathan */ 352 1.1 jonathan icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 353 1.1 jonathan } 354 1.1 jonathan } else { 355 1.1 jonathan /* we normally notify any pcb here */ 356 1.1 jonathan } 357 1.31 degroote return NULL; 358 1.1 jonathan } 359 1.1 jonathan #endif /* INET6 */ 360 1.1 jonathan 361 1.4 atatat static int 362 1.35 christos sysctl_ipsec(SYSCTLFN_ARGS) 363 1.1 jonathan { 364 1.4 atatat int error, t; 365 1.4 atatat struct sysctlnode node; 366 1.4 atatat 367 1.4 atatat node = *rnode; 368 1.4 atatat t = *(int*)rnode->sysctl_data; 369 1.4 atatat node.sysctl_data = &t; 370 1.4 atatat error = sysctl_lookup(SYSCTLFN_CALL(&node)); 371 1.4 atatat if (error || newp == NULL) 372 1.4 atatat return (error); 373 1.1 jonathan 374 1.4 atatat switch (rnode->sysctl_num) { 375 1.1 jonathan case IPSECCTL_DEF_ESP_TRANSLEV: 376 1.1 jonathan case IPSECCTL_DEF_ESP_NETLEV: 377 1.1 jonathan case IPSECCTL_DEF_AH_TRANSLEV: 378 1.1 jonathan case IPSECCTL_DEF_AH_NETLEV: 379 1.13 perry if (t != IPSEC_LEVEL_USE && 380 1.4 atatat t != IPSEC_LEVEL_REQUIRE) 381 1.4 atatat return (EINVAL); 382 1.4 atatat ipsec_invalpcbcacheall(); 383 1.1 jonathan break; 384 1.47 maxv case IPSECCTL_DEF_POLICY: 385 1.4 atatat if (t != IPSEC_POLICY_DISCARD && 386 1.4 atatat t != IPSEC_POLICY_NONE) 387 1.4 atatat return (EINVAL); 388 1.4 atatat ipsec_invalpcbcacheall(); 389 1.1 jonathan break; 390 1.4 atatat default: 391 1.4 atatat return (EINVAL); 392 1.1 jonathan } 393 1.1 jonathan 394 1.4 atatat *(int*)rnode->sysctl_data = t; 395 1.4 atatat 396 1.4 atatat return (0); 397 1.4 atatat } 398 1.4 atatat 399 1.16 rpaulo #ifdef IPSEC_DEBUG 400 1.16 rpaulo static int 401 1.35 christos sysctl_ipsec_test(SYSCTLFN_ARGS) 402 1.16 rpaulo { 403 1.16 rpaulo int t, error; 404 1.16 rpaulo struct sysctlnode node; 405 1.16 rpaulo 406 1.38 msaitoh node = *rnode; 407 1.16 rpaulo t = *(int*)rnode->sysctl_data; 408 1.16 rpaulo node.sysctl_data = &t; 409 1.16 rpaulo error = sysctl_lookup(SYSCTLFN_CALL(&node)); 410 1.16 rpaulo if (error || newp == NULL) 411 1.16 rpaulo return (error); 412 1.16 rpaulo 413 1.16 rpaulo if (t < 0 || t > 1) 414 1.16 rpaulo return EINVAL; 415 1.16 rpaulo 416 1.16 rpaulo if (rnode->sysctl_data == &ipsec_replay) 417 1.35 christos printf("ipsec: Anti-Replay service %s\n", 418 1.16 rpaulo (t == 1) ? "deactivated" : "activated"); 419 1.16 rpaulo else if (rnode->sysctl_data == &ipsec_integrity) 420 1.35 christos printf("ipsec: HMAC corruption %s\n", 421 1.16 rpaulo (t == 0) ? "deactivated" : "activated"); 422 1.16 rpaulo 423 1.16 rpaulo *(int*)rnode->sysctl_data = t; 424 1.16 rpaulo 425 1.16 rpaulo return 0; 426 1.16 rpaulo } 427 1.16 rpaulo #endif 428 1.16 rpaulo 429 1.30 thorpej static int 430 1.35 christos sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 431 1.30 thorpej { 432 1.30 thorpej 433 1.32 thorpej return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 434 1.30 thorpej } 435 1.30 thorpej 436 1.30 thorpej static int 437 1.30 thorpej sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 438 1.30 thorpej { 439 1.30 thorpej 440 1.32 thorpej return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 441 1.30 thorpej } 442 1.30 thorpej 443 1.30 thorpej static int 444 1.30 thorpej sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 445 1.30 thorpej { 446 1.30 thorpej 447 1.32 thorpej return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 448 1.30 thorpej } 449 1.30 thorpej 450 1.30 thorpej static int 451 1.30 thorpej sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 452 1.30 thorpej { 453 1.30 thorpej 454 1.32 thorpej return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 455 1.30 thorpej } 456 1.30 thorpej 457 1.30 thorpej static int 458 1.30 thorpej sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 459 1.30 thorpej { 460 1.30 thorpej 461 1.32 thorpej return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 462 1.30 thorpej } 463 1.30 thorpej 464 1.37 christos static int 465 1.37 christos sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 466 1.37 christos { 467 1.37 christos int newenabled, error; 468 1.37 christos struct sysctlnode node; 469 1.37 christos node = *rnode; 470 1.37 christos node.sysctl_data = &newenabled; 471 1.37 christos 472 1.37 christos newenabled = ipsec_enabled; 473 1.37 christos error = sysctl_lookup(SYSCTLFN_CALL(&node)); 474 1.37 christos if (error || newp == NULL) 475 1.37 christos return error; 476 1.37 christos 477 1.37 christos switch (newenabled) { 478 1.37 christos case 0: 479 1.37 christos if (key_get_used()) 480 1.37 christos return EBUSY; 481 1.37 christos /*FALLTHROUGH*/ 482 1.37 christos case 1: 483 1.37 christos case 2: 484 1.37 christos ipsec_enabled = newenabled; 485 1.37 christos key_update_used(); 486 1.37 christos return 0; 487 1.37 christos default: 488 1.37 christos return EINVAL; 489 1.37 christos } 490 1.37 christos } 491 1.37 christos 492 1.4 atatat /* XXX will need a different oid at parent */ 493 1.40 ozaki void 494 1.40 ozaki sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 495 1.4 atatat { 496 1.14 atatat const struct sysctlnode *_ipsec; 497 1.11 atatat int ipproto_ipsec; 498 1.4 atatat 499 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 500 1.8 atatat CTLFLAG_PERMANENT, 501 1.4 atatat CTLTYPE_NODE, "inet", NULL, 502 1.4 atatat NULL, 0, NULL, 0, 503 1.4 atatat CTL_NET, PF_INET, CTL_EOL); 504 1.10 jonathan 505 1.11 atatat /* 506 1.11 atatat * in numerical order: 507 1.11 atatat * 508 1.11 atatat * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 509 1.11 atatat * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 510 1.11 atatat * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 511 1.11 atatat * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 512 1.11 atatat * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 513 1.11 atatat * 514 1.11 atatat * this creates separate trees by name, but maintains that the 515 1.11 atatat * ipsec name leads to all the old leaves. 516 1.11 atatat */ 517 1.11 atatat 518 1.11 atatat /* create net.inet.ipip */ 519 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 520 1.8 atatat CTLFLAG_PERMANENT, 521 1.11 atatat CTLTYPE_NODE, "ipip", NULL, 522 1.4 atatat NULL, 0, NULL, 0, 523 1.11 atatat CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 524 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 525 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READONLY, 526 1.11 atatat CTLTYPE_STRUCT, "ipip_stats", NULL, 527 1.30 thorpej sysctl_net_inet_ipip_stats, 0, NULL, 0, 528 1.11 atatat CTL_NET, PF_INET, IPPROTO_IPIP, 529 1.11 atatat CTL_CREATE, CTL_EOL); 530 1.4 atatat 531 1.11 atatat /* create net.inet.esp subtree under IPPROTO_ESP */ 532 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 533 1.11 atatat CTLFLAG_PERMANENT, 534 1.11 atatat CTLTYPE_NODE, "esp", NULL, 535 1.11 atatat NULL, 0, NULL, 0, 536 1.11 atatat CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 537 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 538 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 539 1.11 atatat CTLTYPE_INT, "trans_deflev", NULL, 540 1.35 christos sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 541 1.11 atatat CTL_NET, PF_INET, IPPROTO_ESP, 542 1.11 atatat IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 543 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 544 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 545 1.11 atatat CTLTYPE_INT, "net_deflev", NULL, 546 1.35 christos sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 547 1.11 atatat CTL_NET, PF_INET, IPPROTO_ESP, 548 1.11 atatat IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 549 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 550 1.10 jonathan CTLFLAG_PERMANENT|CTLFLAG_READONLY, 551 1.11 atatat CTLTYPE_STRUCT, "esp_stats", NULL, 552 1.30 thorpej sysctl_net_inet_esp_stats, 0, NULL, 0, 553 1.11 atatat CTL_NET, PF_INET, IPPROTO_ESP, 554 1.11 atatat CTL_CREATE, CTL_EOL); 555 1.10 jonathan 556 1.11 atatat /* create net.inet.ah subtree under IPPROTO_AH */ 557 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 558 1.11 atatat CTLFLAG_PERMANENT, 559 1.11 atatat CTLTYPE_NODE, "ah", NULL, 560 1.11 atatat NULL, 0, NULL, 0, 561 1.11 atatat CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 562 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 563 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 564 1.10 jonathan CTLTYPE_INT, "cleartos", NULL, 565 1.25 degroote NULL, 0, &ip4_ah_cleartos, 0, 566 1.4 atatat CTL_NET, PF_INET, IPPROTO_AH, 567 1.10 jonathan IPSECCTL_AH_CLEARTOS, CTL_EOL); 568 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 569 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 570 1.10 jonathan CTLTYPE_INT, "offsetmask", NULL, 571 1.10 jonathan NULL, 0, &ip4_ah_offsetmask, 0, 572 1.4 atatat CTL_NET, PF_INET, IPPROTO_AH, 573 1.10 jonathan IPSECCTL_AH_OFFSETMASK, CTL_EOL); 574 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 575 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 576 1.10 jonathan CTLTYPE_INT, "trans_deflev", NULL, 577 1.35 christos sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 578 1.11 atatat CTL_NET, PF_INET, IPPROTO_AH, 579 1.4 atatat IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 580 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 581 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 582 1.10 jonathan CTLTYPE_INT, "net_deflev", NULL, 583 1.35 christos sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 584 1.11 atatat CTL_NET, PF_INET, IPPROTO_AH, 585 1.4 atatat IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 586 1.10 jonathan sysctl_createv(clog, 0, NULL, NULL, 587 1.10 jonathan CTLFLAG_PERMANENT|CTLFLAG_READONLY, 588 1.11 atatat CTLTYPE_STRUCT, "ah_stats", NULL, 589 1.30 thorpej sysctl_net_inet_ah_stats, 0, NULL, 0, 590 1.11 atatat CTL_NET, PF_INET, IPPROTO_AH, 591 1.11 atatat CTL_CREATE, CTL_EOL); 592 1.10 jonathan 593 1.10 jonathan /* create net.inet.ipcomp */ 594 1.10 jonathan sysctl_createv(clog, 0, NULL, NULL, 595 1.10 jonathan CTLFLAG_PERMANENT, 596 1.10 jonathan CTLTYPE_NODE, "ipcomp", NULL, 597 1.10 jonathan NULL, 0, NULL, 0, 598 1.10 jonathan CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 599 1.10 jonathan sysctl_createv(clog, 0, NULL, NULL, 600 1.10 jonathan CTLFLAG_PERMANENT|CTLFLAG_READONLY, 601 1.11 atatat CTLTYPE_STRUCT, "ipcomp_stats", NULL, 602 1.30 thorpej sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 603 1.10 jonathan CTL_NET, PF_INET, IPPROTO_IPCOMP, 604 1.11 atatat CTL_CREATE, CTL_EOL); 605 1.10 jonathan 606 1.11 atatat /* create net.inet.ipsec subtree under dynamic oid */ 607 1.11 atatat sysctl_createv(clog, 0, NULL, &_ipsec, 608 1.10 jonathan CTLFLAG_PERMANENT, 609 1.10 jonathan CTLTYPE_NODE, "ipsec", NULL, 610 1.10 jonathan NULL, 0, NULL, 0, 611 1.11 atatat CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 612 1.11 atatat ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 613 1.10 jonathan 614 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 615 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 616 1.10 jonathan CTLTYPE_INT, "def_policy", NULL, 617 1.35 christos sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 618 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 619 1.10 jonathan IPSECCTL_DEF_POLICY, CTL_EOL); 620 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 621 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 622 1.11 atatat CTLTYPE_INT, "esp_trans_deflev", NULL, 623 1.35 christos sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 624 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 625 1.11 atatat IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 626 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 627 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 628 1.11 atatat CTLTYPE_INT, "esp_net_deflev", NULL, 629 1.35 christos sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 630 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 631 1.11 atatat IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 632 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 633 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 634 1.11 atatat CTLTYPE_INT, "ah_trans_deflev", NULL, 635 1.35 christos sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 636 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 637 1.11 atatat IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 638 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 639 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 640 1.11 atatat CTLTYPE_INT, "ah_net_deflev", NULL, 641 1.35 christos sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 642 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 643 1.11 atatat IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 644 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 645 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 646 1.11 atatat CTLTYPE_INT, "ah_cleartos", NULL, 647 1.25 degroote NULL, 0, &ip4_ah_cleartos, 0, 648 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 649 1.11 atatat IPSECCTL_AH_CLEARTOS, CTL_EOL); 650 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 651 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 652 1.11 atatat CTLTYPE_INT, "ah_offsetmask", NULL, 653 1.11 atatat NULL, 0, &ip4_ah_offsetmask, 0, 654 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 655 1.11 atatat IPSECCTL_AH_OFFSETMASK, CTL_EOL); 656 1.11 atatat sysctl_createv(clog, 0, NULL, NULL, 657 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 658 1.4 atatat CTLTYPE_INT, "dfbit", NULL, 659 1.4 atatat NULL, 0, &ip4_ipsec_dfbit, 0, 660 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 661 1.4 atatat IPSECCTL_DFBIT, CTL_EOL); 662 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 663 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 664 1.4 atatat CTLTYPE_INT, "ecn", NULL, 665 1.4 atatat NULL, 0, &ip4_ipsec_ecn, 0, 666 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 667 1.4 atatat IPSECCTL_ECN, CTL_EOL); 668 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 669 1.8 atatat CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 670 1.4 atatat CTLTYPE_INT, "debug", NULL, 671 1.4 atatat NULL, 0, &ipsec_debug, 0, 672 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 673 1.4 atatat IPSECCTL_DEBUG, CTL_EOL); 674 1.8 atatat sysctl_createv(clog, 0, NULL, NULL, 675 1.11 atatat CTLFLAG_PERMANENT|CTLFLAG_READONLY, 676 1.11 atatat CTLTYPE_STRUCT, "ipsecstats", NULL, 677 1.35 christos sysctl_net_inet_ipsec_stats, 0, NULL, 0, 678 1.11 atatat CTL_NET, PF_INET, ipproto_ipsec, 679 1.11 atatat CTL_CREATE, CTL_EOL); 680 1.37 christos sysctl_createv(clog, 0, NULL, NULL, 681 1.37 christos CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 682 1.37 christos CTLTYPE_INT, "enabled", 683 1.37 christos SYSCTL_DESCR("Enable IPSec processing"), 684 1.37 christos sysctl_net_ipsec_enabled, 0, NULL, 0, 685 1.37 christos CTL_NET, PF_INET, ipproto_ipsec, 686 1.37 christos CTL_CREATE, CTL_EOL); 687 1.37 christos sysctl_createv(clog, 0, NULL, NULL, 688 1.37 christos CTLFLAG_PERMANENT|CTLFLAG_READONLY, 689 1.37 christos CTLTYPE_INT, "used", 690 1.37 christos SYSCTL_DESCR("Is IPSec active?"), 691 1.37 christos NULL, 0, &ipsec_used, 0, 692 1.37 christos CTL_NET, PF_INET, ipproto_ipsec, 693 1.37 christos CTL_CREATE, CTL_EOL); 694 1.39 knakahar sysctl_createv(clog, 0, NULL, NULL, 695 1.39 knakahar CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 696 1.46 maxv CTLTYPE_INT, "ah_enable", NULL, 697 1.46 maxv NULL, 0, &ah_enable, 0, 698 1.46 maxv CTL_NET, PF_INET, ipproto_ipsec, 699 1.46 maxv CTL_CREATE, CTL_EOL); 700 1.46 maxv sysctl_createv(clog, 0, NULL, NULL, 701 1.46 maxv CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 702 1.46 maxv CTLTYPE_INT, "esp_enable", NULL, 703 1.46 maxv NULL, 0, &esp_enable, 0, 704 1.46 maxv CTL_NET, PF_INET, ipproto_ipsec, 705 1.46 maxv CTL_CREATE, CTL_EOL); 706 1.46 maxv sysctl_createv(clog, 0, NULL, NULL, 707 1.46 maxv CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 708 1.46 maxv CTLTYPE_INT, "ipcomp_enable", NULL, 709 1.46 maxv NULL, 0, &ipcomp_enable, 0, 710 1.46 maxv CTL_NET, PF_INET, ipproto_ipsec, 711 1.46 maxv CTL_CREATE, CTL_EOL); 712 1.46 maxv sysctl_createv(clog, 0, NULL, NULL, 713 1.46 maxv CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 714 1.39 knakahar CTLTYPE_INT, "crypto_support", NULL, 715 1.39 knakahar NULL, 0, &crypto_support, 0, 716 1.39 knakahar CTL_NET, PF_INET, ipproto_ipsec, 717 1.39 knakahar CTL_CREATE, CTL_EOL); 718 1.46 maxv 719 1.16 rpaulo #ifdef IPSEC_DEBUG 720 1.16 rpaulo sysctl_createv(clog, 0, NULL, NULL, 721 1.16 rpaulo CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 722 1.16 rpaulo CTLTYPE_INT, "test_replay", 723 1.16 rpaulo SYSCTL_DESCR("Emulate replay attack"), 724 1.35 christos sysctl_ipsec_test, 0, &ipsec_replay, 0, 725 1.16 rpaulo CTL_NET, PF_INET, ipproto_ipsec, 726 1.16 rpaulo CTL_CREATE, CTL_EOL); 727 1.16 rpaulo sysctl_createv(clog, 0, NULL, NULL, 728 1.16 rpaulo CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 729 1.16 rpaulo CTLTYPE_INT, "test_integrity", 730 1.16 rpaulo SYSCTL_DESCR("Emulate man-in-the-middle attack"), 731 1.35 christos sysctl_ipsec_test, 0, &ipsec_integrity, 0, 732 1.16 rpaulo CTL_NET, PF_INET, ipproto_ipsec, 733 1.16 rpaulo CTL_CREATE, CTL_EOL); 734 1.16 rpaulo #endif 735 1.1 jonathan } 736 1.26 degroote 737 1.26 degroote #ifdef INET6 738 1.40 ozaki void 739 1.40 ozaki sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 740 1.26 degroote { 741 1.26 degroote 742 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 743 1.26 degroote CTLFLAG_PERMANENT, 744 1.26 degroote CTLTYPE_NODE, "inet6", NULL, 745 1.26 degroote NULL, 0, NULL, 0, 746 1.26 degroote CTL_NET, PF_INET6, CTL_EOL); 747 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 748 1.26 degroote CTLFLAG_PERMANENT, 749 1.26 degroote CTLTYPE_NODE, "ipsec6", 750 1.26 degroote SYSCTL_DESCR("IPv6 related IPSec settings"), 751 1.26 degroote NULL, 0, NULL, 0, 752 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 753 1.26 degroote 754 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 755 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 756 1.26 degroote CTLTYPE_STRUCT, "stats", 757 1.26 degroote SYSCTL_DESCR("IPSec statistics and counters"), 758 1.35 christos sysctl_net_inet_ipsec_stats, 0, NULL, 0, 759 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 760 1.26 degroote IPSECCTL_STATS, CTL_EOL); 761 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 762 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 763 1.26 degroote CTLTYPE_INT, "def_policy", 764 1.26 degroote SYSCTL_DESCR("Default action for non-IPSec packets"), 765 1.35 christos sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, 766 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 767 1.26 degroote IPSECCTL_DEF_POLICY, CTL_EOL); 768 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 769 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 770 1.26 degroote CTLTYPE_INT, "esp_trans_deflev", 771 1.26 degroote SYSCTL_DESCR("Default required security level for " 772 1.26 degroote "transport mode traffic"), 773 1.35 christos sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 774 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 775 1.26 degroote IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 776 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 777 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 778 1.26 degroote CTLTYPE_INT, "esp_net_deflev", 779 1.26 degroote SYSCTL_DESCR("Default required security level for " 780 1.26 degroote "tunneled traffic"), 781 1.35 christos sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 782 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 783 1.26 degroote IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 784 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 785 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 786 1.26 degroote CTLTYPE_INT, "ah_trans_deflev", 787 1.26 degroote SYSCTL_DESCR("Default required security level for " 788 1.26 degroote "transport mode headers"), 789 1.35 christos sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 790 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 791 1.26 degroote IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 792 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 793 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 794 1.26 degroote CTLTYPE_INT, "ah_net_deflev", 795 1.26 degroote SYSCTL_DESCR("Default required security level for " 796 1.26 degroote "tunneled headers"), 797 1.35 christos sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 798 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 799 1.26 degroote IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 800 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 801 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 802 1.26 degroote CTLTYPE_INT, "ecn", 803 1.26 degroote SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 804 1.26 degroote NULL, 0, &ip6_ipsec_ecn, 0, 805 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 806 1.26 degroote IPSECCTL_ECN, CTL_EOL); 807 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 808 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 809 1.26 degroote CTLTYPE_INT, "debug", 810 1.26 degroote SYSCTL_DESCR("Enable IPSec debugging output"), 811 1.26 degroote NULL, 0, &ipsec_debug, 0, 812 1.26 degroote CTL_NET, PF_INET6, IPPROTO_AH, 813 1.26 degroote IPSECCTL_DEBUG, CTL_EOL); 814 1.37 christos sysctl_createv(clog, 0, NULL, NULL, 815 1.37 christos CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 816 1.37 christos CTLTYPE_INT, "enabled", 817 1.37 christos SYSCTL_DESCR("Enable IPSec processing"), 818 1.37 christos sysctl_net_ipsec_enabled, 0, NULL, 0, 819 1.37 christos CTL_NET, PF_INET6, IPPROTO_AH, 820 1.37 christos CTL_CREATE, CTL_EOL); 821 1.37 christos sysctl_createv(clog, 0, NULL, NULL, 822 1.37 christos CTLFLAG_PERMANENT|CTLFLAG_READONLY, 823 1.37 christos CTLTYPE_INT, "used", 824 1.37 christos SYSCTL_DESCR("Is IPSec active?"), 825 1.37 christos NULL, 0, &ipsec_used, 0, 826 1.37 christos CTL_NET, PF_INET6, IPPROTO_AH, 827 1.37 christos CTL_CREATE, CTL_EOL); 828 1.26 degroote /* 829 1.26 degroote * "aliases" for the ipsec6 subtree 830 1.26 degroote */ 831 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 832 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 833 1.26 degroote CTLTYPE_NODE, "esp6", NULL, 834 1.26 degroote NULL, IPPROTO_AH, NULL, 0, 835 1.26 degroote CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 836 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 837 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 838 1.26 degroote CTLTYPE_NODE, "ipcomp6", NULL, 839 1.26 degroote NULL, IPPROTO_AH, NULL, 0, 840 1.26 degroote CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 841 1.26 degroote sysctl_createv(clog, 0, NULL, NULL, 842 1.26 degroote CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 843 1.26 degroote CTLTYPE_NODE, "ah6", NULL, 844 1.26 degroote NULL, IPPROTO_AH, NULL, 0, 845 1.26 degroote CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 846 1.26 degroote } 847 1.26 degroote #endif /* INET6 */ 848
Indexes created Wed Sep 24 22:09:59 GMT 2025