ipsec_netbsd.c revision 1.18
1 /* $NetBSD: ipsec_netbsd.c,v 1.18 2007/02/10 09:43:05 degroote Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.18 2007/02/10 09:43:05 degroote Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <machine/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/key.h> 69 #include <netipsec/keydb.h> 70 #include <netipsec/key_debug.h> 71 #include <netipsec/ah.h> 72 #include <netipsec/ah_var.h> 73 #include <netipsec/esp.h> 74 #include <netipsec/esp_var.h> 75 #include <netipsec/ipip_var.h> 76 #include <netipsec/ipcomp_var.h> 77 78 #ifdef INET6 79 #include <netipsec/ipsec6.h> 80 #include <netinet6/ip6protosw.h> 81 #include <netinet/icmp6.h> 82 #endif 83 84 #include <machine/stdarg.h> 85 86 87 88 #include <netipsec/key.h> 89 90 /* assumes that ip header and ah header are contiguous on mbuf */ 91 void * 92 ah4_ctlinput(cmd, sa, v) 93 int cmd; 94 struct sockaddr *sa; 95 void *v; 96 { 97 struct ip *ip = v; 98 struct ah *ah; 99 struct icmp *icp; 100 struct secasvar *sav; 101 102 if (sa->sa_family != AF_INET || 103 sa->sa_len != sizeof(struct sockaddr_in)) 104 return NULL; 105 if ((unsigned)cmd >= PRC_NCMDS) 106 return NULL; 107 #ifndef notyet 108 /* jonathan (at) NetBSD.org: XXX FIXME */ 109 (void) ip; (void) ah; (void) icp; (void) sav; 110 #else 111 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 112 /* 113 * Check to see if we have a valid SA corresponding to 114 * the address in the ICMP message payload. 115 */ 116 ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2)); 117 if ((sav = key_allocsa(AF_INET, 118 (caddr_t) &ip->ip_src, 119 (caddr_t) &ip->ip_dst, 120 IPPROTO_AH, ah->ah_spi)) == NULL) 121 return NULL; 122 if (sav->state != SADB_SASTATE_MATURE && 123 sav->state != SADB_SASTATE_DYING) { 124 key_freesav(sav); 125 return NULL; 126 } 127 128 /* XXX Further validation? */ 129 130 key_freesav(sav); 131 132 /* 133 * Now that we've validated that we are actually communicating 134 * with the host indicated in the ICMP message, locate the 135 * ICMP header, recalculate the new MTU, and create the 136 * corresponding routing entry. 137 */ 138 icp = (struct icmp *)((caddr_t)ip - 139 offsetof(struct icmp, icmp_ip)); 140 icmp_mtudisc(icp, ip->ip_dst); 141 142 return NULL; 143 } 144 #endif 145 146 return NULL; 147 } 148 149 /* assumes that ip header and esp header are contiguous on mbuf */ 150 void * 151 esp4_ctlinput(cmd, sa, v) 152 int cmd; 153 struct sockaddr *sa; 154 void *v; 155 { 156 struct ip *ip = v; 157 struct esp *esp; 158 struct icmp *icp; 159 struct secasvar *sav; 160 161 if (sa->sa_family != AF_INET || 162 sa->sa_len != sizeof(struct sockaddr_in)) 163 return NULL; 164 if ((unsigned)cmd >= PRC_NCMDS) 165 return NULL; 166 #ifndef notyet 167 /* jonathan (at) NetBSD.org: XXX FIXME */ 168 (void) ip; (void) esp; (void) icp; (void) sav; 169 #else 170 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 171 /* 172 * Check to see if we have a valid SA corresponding to 173 * the address in the ICMP message payload. 174 */ 175 esp = (struct esp *)((caddr_t)ip + (ip->ip_hl << 2)); 176 if ((sav = key_allocsa(AF_INET, 177 (caddr_t) &ip->ip_src, 178 (caddr_t) &ip->ip_dst, 179 IPPROTO_ESP, esp->esp_spi)) == NULL) 180 return NULL; 181 if (sav->state != SADB_SASTATE_MATURE && 182 sav->state != SADB_SASTATE_DYING) { 183 key_freesav(sav); 184 return NULL; 185 } 186 187 /* XXX Further validation? */ 188 189 key_freesav(sav); 190 191 /* 192 * Now that we've validated that we are actually communicating 193 * with the host indicated in the ICMP message, locate the 194 * ICMP header, recalculate the new MTU, and create the 195 * corresponding routing entry. 196 */ 197 icp = (struct icmp *)((caddr_t)ip - 198 offsetof(struct icmp, icmp_ip)); 199 icmp_mtudisc(icp, ip->ip_dst); 200 201 return NULL; 202 } 203 #endif 204 205 return NULL; 206 } 207 208 #ifdef INET6 209 void 210 ah6_ctlinput(cmd, sa, d) 211 int cmd; 212 struct sockaddr *sa; 213 void *d; 214 { 215 const struct newah *ahp; 216 struct newah ah; 217 struct secasvar *sav; 218 struct ip6_hdr *ip6; 219 struct mbuf *m; 220 struct ip6ctlparam *ip6cp = NULL; 221 int off; 222 223 if (sa->sa_family != AF_INET6 || 224 sa->sa_len != sizeof(struct sockaddr_in6)) 225 return; 226 if ((unsigned)cmd >= PRC_NCMDS) 227 return; 228 229 /* if the parameter is from icmp6, decode it. */ 230 if (d != NULL) { 231 ip6cp = (struct ip6ctlparam *)d; 232 m = ip6cp->ip6c_m; 233 ip6 = ip6cp->ip6c_ip6; 234 off = ip6cp->ip6c_off; 235 } else { 236 m = NULL; 237 ip6 = NULL; 238 off = 0; 239 } 240 241 if (ip6) { 242 /* 243 * XXX: We assume that when ip6 is non NULL, 244 * M and OFF are valid. 245 */ 246 247 /* check if we can safely examine src and dst ports */ 248 if (m->m_pkthdr.len < off + sizeof(ah)) 249 return; 250 251 if (m->m_len < off + sizeof(ah)) { 252 /* 253 * this should be rare case, 254 * so we compromise on this copy... 255 */ 256 m_copydata(m, off, sizeof(ah), (caddr_t)&ah); 257 ahp = &ah; 258 } else 259 ahp = (struct newah *)(mtod(m, caddr_t) + off); 260 261 if (cmd == PRC_MSGSIZE) { 262 int valid = 0; 263 264 /* 265 * Check to see if we have a valid SA corresponding 266 * to the address in the ICMP message payload. 267 */ 268 sav = KEY_ALLOCSA((union sockaddr_union*)sa, 269 IPPROTO_AH, ahp->ah_spi); 270 271 if (sav) { 272 if (sav->state == SADB_SASTATE_MATURE || 273 sav->state == SADB_SASTATE_DYING) 274 valid++; 275 KEY_FREESAV(&sav); 276 } 277 278 /* XXX Further validation? */ 279 280 /* 281 * Depending on the value of "valid" and routing 282 * table size (mtudisc_{hi,lo}wat), we will: 283 * - recalcurate the new MTU and create the 284 * corresponding routing entry, or 285 * - ignore the MTU change notification. 286 */ 287 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 288 } 289 290 /* we normally notify single pcb here */ 291 } else { 292 /* we normally notify any pcb here */ 293 } 294 } 295 296 297 298 void 299 esp6_ctlinput(cmd, sa, d) 300 int cmd; 301 struct sockaddr *sa; 302 void *d; 303 { 304 const struct newesp *espp; 305 struct newesp esp; 306 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 307 struct secasvar *sav; 308 struct ip6_hdr *ip6; 309 struct mbuf *m; 310 int off; 311 struct sockaddr_in6 *sa6_src, *sa6_dst; 312 313 if (sa->sa_family != AF_INET6 || 314 sa->sa_len != sizeof(struct sockaddr_in6)) 315 return; 316 if ((unsigned)cmd >= PRC_NCMDS) 317 return; 318 319 /* if the parameter is from icmp6, decode it. */ 320 if (d != NULL) { 321 ip6cp = (struct ip6ctlparam *)d; 322 m = ip6cp->ip6c_m; 323 ip6 = ip6cp->ip6c_ip6; 324 off = ip6cp->ip6c_off; 325 } else { 326 m = NULL; 327 ip6 = NULL; 328 off = 0; 329 } 330 331 if (ip6) { 332 /* 333 * Notify the error to all possible sockets via pfctlinput2. 334 * Since the upper layer information (such as protocol type, 335 * source and destination ports) is embedded in the encrypted 336 * data and might have been cut, we can't directly call 337 * an upper layer ctlinput function. However, the pcbnotify 338 * function will consider source and destination addresses 339 * as well as the flow info value, and may be able to find 340 * some PCB that should be notified. 341 * Although pfctlinput2 will call esp6_ctlinput(), there is 342 * no possibility of an infinite loop of function calls, 343 * because we don't pass the inner IPv6 header. 344 */ 345 bzero(&ip6cp1, sizeof(ip6cp1)); 346 ip6cp1.ip6c_src = ip6cp->ip6c_src; 347 pfctlinput2(cmd, sa, (void *)&ip6cp1); 348 349 /* 350 * Then go to special cases that need ESP header information. 351 * XXX: We assume that when ip6 is non NULL, 352 * M and OFF are valid. 353 */ 354 355 /* check if we can safely examine src and dst ports */ 356 if (m->m_pkthdr.len < off + sizeof(esp)) 357 return; 358 359 if (m->m_len < off + sizeof(esp)) { 360 /* 361 * this should be rare case, 362 * so we compromise on this copy... 363 */ 364 m_copydata(m, off, sizeof(esp), (caddr_t)&esp); 365 espp = &esp; 366 } else 367 espp = (struct newesp*)(mtod(m, caddr_t) + off); 368 369 if (cmd == PRC_MSGSIZE) { 370 int valid = 0; 371 372 /* 373 * Check to see if we have a valid SA corresponding to 374 * the address in the ICMP message payload. 375 */ 376 sa6_src = ip6cp->ip6c_src; 377 sa6_dst = (struct sockaddr_in6 *)sa; 378 #ifdef KAME 379 sav = key_allocsa(AF_INET6, 380 (caddr_t)&sa6_src->sin6_addr, 381 (caddr_t)&sa6_dst->sin6_addr, 382 IPPROTO_ESP, espp->esp_spi); 383 #else 384 /* jonathan (at) NetBSD.org: XXX FIXME */ 385 (void)sa6_src; (void)sa6_dst; 386 sav = KEY_ALLOCSA((union sockaddr_union*)sa, 387 IPPROTO_ESP, espp->esp_spi); 388 389 #endif 390 if (sav) { 391 if (sav->state == SADB_SASTATE_MATURE || 392 sav->state == SADB_SASTATE_DYING) 393 valid++; 394 KEY_FREESAV(&sav); 395 } 396 397 /* XXX Further validation? */ 398 399 /* 400 * Depending on the value of "valid" and routing table 401 * size (mtudisc_{hi,lo}wat), we will: 402 * - recalcurate the new MTU and create the 403 * corresponding routing entry, or 404 * - ignore the MTU change notification. 405 */ 406 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 407 } 408 } else { 409 /* we normally notify any pcb here */ 410 } 411 } 412 #endif /* INET6 */ 413 414 static int 415 sysctl_fast_ipsec(SYSCTLFN_ARGS) 416 { 417 int error, t; 418 struct sysctlnode node; 419 420 node = *rnode; 421 t = *(int*)rnode->sysctl_data; 422 node.sysctl_data = &t; 423 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 424 if (error || newp == NULL) 425 return (error); 426 427 switch (rnode->sysctl_num) { 428 case IPSECCTL_DEF_ESP_TRANSLEV: 429 case IPSECCTL_DEF_ESP_NETLEV: 430 case IPSECCTL_DEF_AH_TRANSLEV: 431 case IPSECCTL_DEF_AH_NETLEV: 432 if (t != IPSEC_LEVEL_USE && 433 t != IPSEC_LEVEL_REQUIRE) 434 return (EINVAL); 435 ipsec_invalpcbcacheall(); 436 break; 437 case IPSECCTL_DEF_POLICY: 438 if (t != IPSEC_POLICY_DISCARD && 439 t != IPSEC_POLICY_NONE) 440 return (EINVAL); 441 ipsec_invalpcbcacheall(); 442 break; 443 default: 444 return (EINVAL); 445 } 446 447 *(int*)rnode->sysctl_data = t; 448 449 return (0); 450 } 451 452 #ifdef IPSEC_DEBUG 453 static int 454 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 455 { 456 int t, error; 457 struct sysctlnode node; 458 459 node = *rnode; 460 t = *(int*)rnode->sysctl_data; 461 node.sysctl_data = &t; 462 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 463 if (error || newp == NULL) 464 return (error); 465 466 if (t < 0 || t > 1) 467 return EINVAL; 468 469 if (rnode->sysctl_data == &ipsec_replay) 470 printf("fast_ipsec: Anti-Replay service %s\n", 471 (t == 1) ? "deactivated" : "activated"); 472 else if (rnode->sysctl_data == &ipsec_integrity) 473 printf("fast_ipsec: HMAC corruption %s\n", 474 (t == 0) ? "deactivated" : "activated"); 475 476 *(int*)rnode->sysctl_data = t; 477 478 return 0; 479 } 480 #endif 481 482 /* XXX will need a different oid at parent */ 483 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 484 { 485 const struct sysctlnode *_ipsec; 486 int ipproto_ipsec; 487 488 sysctl_createv(clog, 0, NULL, NULL, 489 CTLFLAG_PERMANENT, 490 CTLTYPE_NODE, "net", NULL, 491 NULL, 0, NULL, 0, 492 CTL_NET, CTL_EOL); 493 sysctl_createv(clog, 0, NULL, NULL, 494 CTLFLAG_PERMANENT, 495 CTLTYPE_NODE, "inet", NULL, 496 NULL, 0, NULL, 0, 497 CTL_NET, PF_INET, CTL_EOL); 498 499 /* 500 * in numerical order: 501 * 502 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 503 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 504 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 505 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 506 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 507 * 508 * this creates separate trees by name, but maintains that the 509 * ipsec name leads to all the old leaves. 510 */ 511 512 /* create net.inet.ipip */ 513 sysctl_createv(clog, 0, NULL, NULL, 514 CTLFLAG_PERMANENT, 515 CTLTYPE_NODE, "ipip", NULL, 516 NULL, 0, NULL, 0, 517 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 518 sysctl_createv(clog, 0, NULL, NULL, 519 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 520 CTLTYPE_STRUCT, "ipip_stats", NULL, 521 NULL, 0, &ipipstat, sizeof(ipipstat), 522 CTL_NET, PF_INET, IPPROTO_IPIP, 523 CTL_CREATE, CTL_EOL); 524 525 /* create net.inet.esp subtree under IPPROTO_ESP */ 526 sysctl_createv(clog, 0, NULL, NULL, 527 CTLFLAG_PERMANENT, 528 CTLTYPE_NODE, "esp", NULL, 529 NULL, 0, NULL, 0, 530 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 531 sysctl_createv(clog, 0, NULL, NULL, 532 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 533 CTLTYPE_INT, "trans_deflev", NULL, 534 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 535 CTL_NET, PF_INET, IPPROTO_ESP, 536 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 537 sysctl_createv(clog, 0, NULL, NULL, 538 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 539 CTLTYPE_INT, "net_deflev", NULL, 540 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 541 CTL_NET, PF_INET, IPPROTO_ESP, 542 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 543 sysctl_createv(clog, 0, NULL, NULL, 544 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 545 CTLTYPE_STRUCT, "esp_stats", NULL, 546 NULL, 0, &espstat, sizeof(espstat), 547 CTL_NET, PF_INET, IPPROTO_ESP, 548 CTL_CREATE, CTL_EOL); 549 550 /* create net.inet.ah subtree under IPPROTO_AH */ 551 sysctl_createv(clog, 0, NULL, NULL, 552 CTLFLAG_PERMANENT, 553 CTLTYPE_NODE, "ah", NULL, 554 NULL, 0, NULL, 0, 555 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 556 sysctl_createv(clog, 0, NULL, NULL, 557 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 558 CTLTYPE_INT, "cleartos", NULL, 559 NULL, 0, &/*ip4_*/ah_cleartos, 0, 560 CTL_NET, PF_INET, IPPROTO_AH, 561 IPSECCTL_AH_CLEARTOS, CTL_EOL); 562 sysctl_createv(clog, 0, NULL, NULL, 563 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 564 CTLTYPE_INT, "offsetmask", NULL, 565 NULL, 0, &ip4_ah_offsetmask, 0, 566 CTL_NET, PF_INET, IPPROTO_AH, 567 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 568 sysctl_createv(clog, 0, NULL, NULL, 569 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 570 CTLTYPE_INT, "trans_deflev", NULL, 571 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 572 CTL_NET, PF_INET, IPPROTO_AH, 573 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 574 sysctl_createv(clog, 0, NULL, NULL, 575 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 576 CTLTYPE_INT, "net_deflev", NULL, 577 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 578 CTL_NET, PF_INET, IPPROTO_AH, 579 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 580 sysctl_createv(clog, 0, NULL, NULL, 581 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 582 CTLTYPE_STRUCT, "ah_stats", NULL, 583 NULL, 0, &ahstat, sizeof(ahstat), 584 CTL_NET, PF_INET, IPPROTO_AH, 585 CTL_CREATE, CTL_EOL); 586 587 /* create net.inet.ipcomp */ 588 sysctl_createv(clog, 0, NULL, NULL, 589 CTLFLAG_PERMANENT, 590 CTLTYPE_NODE, "ipcomp", NULL, 591 NULL, 0, NULL, 0, 592 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 593 sysctl_createv(clog, 0, NULL, NULL, 594 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 595 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 596 NULL, 0, &ipcompstat, sizeof(ipcompstat), 597 CTL_NET, PF_INET, IPPROTO_IPCOMP, 598 CTL_CREATE, CTL_EOL); 599 600 /* create net.inet.ipsec subtree under dynamic oid */ 601 sysctl_createv(clog, 0, NULL, &_ipsec, 602 CTLFLAG_PERMANENT, 603 CTLTYPE_NODE, "ipsec", NULL, 604 NULL, 0, NULL, 0, 605 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 606 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 607 608 sysctl_createv(clog, 0, NULL, NULL, 609 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 610 CTLTYPE_INT, "def_policy", NULL, 611 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 612 CTL_NET, PF_INET, ipproto_ipsec, 613 IPSECCTL_DEF_POLICY, CTL_EOL); 614 sysctl_createv(clog, 0, NULL, NULL, 615 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 616 CTLTYPE_INT, "esp_trans_deflev", NULL, 617 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 618 CTL_NET, PF_INET, ipproto_ipsec, 619 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 620 sysctl_createv(clog, 0, NULL, NULL, 621 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 622 CTLTYPE_INT, "esp_net_deflev", NULL, 623 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 624 CTL_NET, PF_INET, ipproto_ipsec, 625 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 626 sysctl_createv(clog, 0, NULL, NULL, 627 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 628 CTLTYPE_INT, "ah_trans_deflev", NULL, 629 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 630 CTL_NET, PF_INET, ipproto_ipsec, 631 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 632 sysctl_createv(clog, 0, NULL, NULL, 633 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 634 CTLTYPE_INT, "ah_net_deflev", NULL, 635 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 636 CTL_NET, PF_INET, ipproto_ipsec, 637 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 638 sysctl_createv(clog, 0, NULL, NULL, 639 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 640 CTLTYPE_INT, "ah_cleartos", NULL, 641 NULL, 0, &/*ip4_*/ah_cleartos, 0, 642 CTL_NET, PF_INET, ipproto_ipsec, 643 IPSECCTL_AH_CLEARTOS, CTL_EOL); 644 sysctl_createv(clog, 0, NULL, NULL, 645 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 646 CTLTYPE_INT, "ah_offsetmask", NULL, 647 NULL, 0, &ip4_ah_offsetmask, 0, 648 CTL_NET, PF_INET, ipproto_ipsec, 649 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 650 sysctl_createv(clog, 0, NULL, NULL, 651 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 652 CTLTYPE_INT, "dfbit", NULL, 653 NULL, 0, &ip4_ipsec_dfbit, 0, 654 CTL_NET, PF_INET, ipproto_ipsec, 655 IPSECCTL_DFBIT, CTL_EOL); 656 sysctl_createv(clog, 0, NULL, NULL, 657 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 658 CTLTYPE_INT, "ecn", NULL, 659 NULL, 0, &ip4_ipsec_ecn, 0, 660 CTL_NET, PF_INET, ipproto_ipsec, 661 IPSECCTL_ECN, CTL_EOL); 662 sysctl_createv(clog, 0, NULL, NULL, 663 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 664 CTLTYPE_INT, "debug", NULL, 665 NULL, 0, &ipsec_debug, 0, 666 CTL_NET, PF_INET, ipproto_ipsec, 667 IPSECCTL_DEBUG, CTL_EOL); 668 sysctl_createv(clog, 0, NULL, NULL, 669 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 670 CTLTYPE_STRUCT, "ipsecstats", NULL, 671 NULL, 0, &ipsecstat, sizeof(ipsecstat), 672 CTL_NET, PF_INET, ipproto_ipsec, 673 CTL_CREATE, CTL_EOL); 674 #ifdef IPSEC_DEBUG 675 sysctl_createv(clog, 0, NULL, NULL, 676 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 677 CTLTYPE_INT, "test_replay", 678 SYSCTL_DESCR("Emulate replay attack"), 679 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 680 CTL_NET, PF_INET, ipproto_ipsec, 681 CTL_CREATE, CTL_EOL); 682 sysctl_createv(clog, 0, NULL, NULL, 683 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 684 CTLTYPE_INT, "test_integrity", 685 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 686 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 687 CTL_NET, PF_INET, ipproto_ipsec, 688 CTL_CREATE, CTL_EOL); 689 #endif 690 } 691
Indexes created Mon Sep 22 05:09:51 GMT 2025