ipsec_netbsd.c revision 1.19
1 /* $NetBSD: ipsec_netbsd.c,v 1.19 2007/02/18 13:55:25 degroote Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.19 2007/02/18 13:55:25 degroote Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <machine/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/key.h> 69 #include <netipsec/keydb.h> 70 #include <netipsec/key_debug.h> 71 #include <netipsec/ah.h> 72 #include <netipsec/ah_var.h> 73 #include <netipsec/esp.h> 74 #include <netipsec/esp_var.h> 75 #include <netipsec/ipip_var.h> 76 #include <netipsec/ipcomp_var.h> 77 78 #ifdef INET6 79 #include <netipsec/ipsec6.h> 80 #include <netinet6/ip6protosw.h> 81 #include <netinet/icmp6.h> 82 #endif 83 84 #include <machine/stdarg.h> 85 86 87 88 #include <netipsec/key.h> 89 90 /* assumes that ip header and ah header are contiguous on mbuf */ 91 void * 92 ah4_ctlinput(cmd, sa, v) 93 int cmd; 94 const struct sockaddr *sa; 95 void *v; 96 { 97 struct ip *ip = v; 98 struct ah *ah; 99 struct icmp *icp; 100 struct secasvar *sav; 101 102 if (sa->sa_family != AF_INET || 103 sa->sa_len != sizeof(struct sockaddr_in)) 104 return NULL; 105 if ((unsigned)cmd >= PRC_NCMDS) 106 return NULL; 107 #ifndef notyet 108 /* jonathan (at) NetBSD.org: XXX FIXME */ 109 (void) ip; (void) ah; (void) icp; (void) sav; 110 #else 111 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 112 /* 113 * Check to see if we have a valid SA corresponding to 114 * the address in the ICMP message payload. 115 */ 116 ah = (struct ah *)((caddr_t)ip + (ip->ip_hl << 2)); 117 if ((sav = key_allocsa(AF_INET, 118 (caddr_t) &ip->ip_src, 119 (caddr_t) &ip->ip_dst, 120 IPPROTO_AH, ah->ah_spi)) == NULL) 121 return NULL; 122 if (sav->state != SADB_SASTATE_MATURE && 123 sav->state != SADB_SASTATE_DYING) { 124 key_freesav(sav); 125 return NULL; 126 } 127 128 /* XXX Further validation? */ 129 130 key_freesav(sav); 131 132 /* 133 * Now that we've validated that we are actually communicating 134 * with the host indicated in the ICMP message, locate the 135 * ICMP header, recalculate the new MTU, and create the 136 * corresponding routing entry. 137 */ 138 icp = (struct icmp *)((caddr_t)ip - 139 offsetof(struct icmp, icmp_ip)); 140 icmp_mtudisc(icp, ip->ip_dst); 141 142 return NULL; 143 } 144 #endif 145 146 return NULL; 147 } 148 149 /* assumes that ip header and esp header are contiguous on mbuf */ 150 void * 151 esp4_ctlinput(cmd, sa, v) 152 int cmd; 153 const struct sockaddr *sa; 154 void *v; 155 { 156 struct ip *ip = v; 157 struct esp *esp; 158 struct icmp *icp; 159 struct secasvar *sav; 160 161 if (sa->sa_family != AF_INET || 162 sa->sa_len != sizeof(struct sockaddr_in)) 163 return NULL; 164 if ((unsigned)cmd >= PRC_NCMDS) 165 return NULL; 166 #ifndef notyet 167 /* jonathan (at) NetBSD.org: XXX FIXME */ 168 (void) ip; (void) esp; (void) icp; (void) sav; 169 #else 170 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 171 /* 172 * Check to see if we have a valid SA corresponding to 173 * the address in the ICMP message payload. 174 */ 175 esp = (struct esp *)((caddr_t)ip + (ip->ip_hl << 2)); 176 if ((sav = key_allocsa(AF_INET, 177 (caddr_t) &ip->ip_src, 178 (caddr_t) &ip->ip_dst, 179 IPPROTO_ESP, esp->esp_spi)) == NULL) 180 return NULL; 181 if (sav->state != SADB_SASTATE_MATURE && 182 sav->state != SADB_SASTATE_DYING) { 183 key_freesav(sav); 184 return NULL; 185 } 186 187 /* XXX Further validation? */ 188 189 key_freesav(sav); 190 191 /* 192 * Now that we've validated that we are actually communicating 193 * with the host indicated in the ICMP message, locate the 194 * ICMP header, recalculate the new MTU, and create the 195 * corresponding routing entry. 196 */ 197 icp = (struct icmp *)((caddr_t)ip - 198 offsetof(struct icmp, icmp_ip)); 199 icmp_mtudisc(icp, ip->ip_dst); 200 201 return NULL; 202 } 203 #endif 204 205 return NULL; 206 } 207 208 #ifdef INET6 209 void 210 ah6_ctlinput(cmd, sa, d) 211 int cmd; 212 const struct sockaddr *sa; 213 void *d; 214 { 215 const struct newah *ahp; 216 struct newah ah; 217 struct secasvar *sav; 218 struct ip6_hdr *ip6; 219 struct mbuf *m; 220 struct ip6ctlparam *ip6cp = NULL; 221 int off; 222 223 if (sa->sa_family != AF_INET6 || 224 sa->sa_len != sizeof(struct sockaddr_in6)) 225 return; 226 if ((unsigned)cmd >= PRC_NCMDS) 227 return; 228 229 /* if the parameter is from icmp6, decode it. */ 230 if (d != NULL) { 231 ip6cp = (struct ip6ctlparam *)d; 232 m = ip6cp->ip6c_m; 233 ip6 = ip6cp->ip6c_ip6; 234 off = ip6cp->ip6c_off; 235 } else { 236 m = NULL; 237 ip6 = NULL; 238 off = 0; 239 } 240 241 if (ip6) { 242 /* 243 * XXX: We assume that when ip6 is non NULL, 244 * M and OFF are valid. 245 */ 246 247 /* check if we can safely examine src and dst ports */ 248 if (m->m_pkthdr.len < off + sizeof(ah)) 249 return; 250 251 if (m->m_len < off + sizeof(ah)) { 252 /* 253 * this should be rare case, 254 * so we compromise on this copy... 255 */ 256 m_copydata(m, off, sizeof(ah), (caddr_t)&ah); 257 ahp = &ah; 258 } else 259 ahp = (struct newah *)(mtod(m, caddr_t) + off); 260 261 if (cmd == PRC_MSGSIZE) { 262 int valid = 0; 263 264 /* 265 * Check to see if we have a valid SA corresponding 266 * to the address in the ICMP message payload. 267 */ 268 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 269 IPPROTO_AH, ahp->ah_spi); 270 271 if (sav) { 272 if (sav->state == SADB_SASTATE_MATURE || 273 sav->state == SADB_SASTATE_DYING) 274 valid++; 275 KEY_FREESAV(&sav); 276 } 277 278 /* XXX Further validation? */ 279 280 /* 281 * Depending on the value of "valid" and routing 282 * table size (mtudisc_{hi,lo}wat), we will: 283 * - recalcurate the new MTU and create the 284 * corresponding routing entry, or 285 * - ignore the MTU change notification. 286 */ 287 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 288 } 289 290 /* we normally notify single pcb here */ 291 } else { 292 /* we normally notify any pcb here */ 293 } 294 } 295 296 297 298 void 299 esp6_ctlinput(cmd, sa, d) 300 int cmd; 301 const struct sockaddr *sa; 302 void *d; 303 { 304 const struct newesp *espp; 305 struct newesp esp; 306 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 307 struct secasvar *sav; 308 struct ip6_hdr *ip6; 309 struct mbuf *m; 310 int off; 311 312 if (sa->sa_family != AF_INET6 || 313 sa->sa_len != sizeof(struct sockaddr_in6)) 314 return; 315 if ((unsigned)cmd >= PRC_NCMDS) 316 return; 317 318 /* if the parameter is from icmp6, decode it. */ 319 if (d != NULL) { 320 ip6cp = (struct ip6ctlparam *)d; 321 m = ip6cp->ip6c_m; 322 ip6 = ip6cp->ip6c_ip6; 323 off = ip6cp->ip6c_off; 324 } else { 325 m = NULL; 326 ip6 = NULL; 327 off = 0; 328 } 329 330 if (ip6) { 331 /* 332 * Notify the error to all possible sockets via pfctlinput2. 333 * Since the upper layer information (such as protocol type, 334 * source and destination ports) is embedded in the encrypted 335 * data and might have been cut, we can't directly call 336 * an upper layer ctlinput function. However, the pcbnotify 337 * function will consider source and destination addresses 338 * as well as the flow info value, and may be able to find 339 * some PCB that should be notified. 340 * Although pfctlinput2 will call esp6_ctlinput(), there is 341 * no possibility of an infinite loop of function calls, 342 * because we don't pass the inner IPv6 header. 343 */ 344 bzero(&ip6cp1, sizeof(ip6cp1)); 345 ip6cp1.ip6c_src = ip6cp->ip6c_src; 346 pfctlinput2(cmd, sa, (void *)&ip6cp1); 347 348 /* 349 * Then go to special cases that need ESP header information. 350 * XXX: We assume that when ip6 is non NULL, 351 * M and OFF are valid. 352 */ 353 354 /* check if we can safely examine src and dst ports */ 355 if (m->m_pkthdr.len < off + sizeof(esp)) 356 return; 357 358 if (m->m_len < off + sizeof(esp)) { 359 /* 360 * this should be rare case, 361 * so we compromise on this copy... 362 */ 363 m_copydata(m, off, sizeof(esp), (caddr_t)&esp); 364 espp = &esp; 365 } else 366 espp = (struct newesp*)(mtod(m, caddr_t) + off); 367 368 if (cmd == PRC_MSGSIZE) { 369 int valid = 0; 370 371 /* 372 * Check to see if we have a valid SA corresponding to 373 * the address in the ICMP message payload. 374 */ 375 376 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 377 IPPROTO_ESP, espp->esp_spi); 378 379 if (sav) { 380 if (sav->state == SADB_SASTATE_MATURE || 381 sav->state == SADB_SASTATE_DYING) 382 valid++; 383 KEY_FREESAV(&sav); 384 } 385 386 /* XXX Further validation? */ 387 388 /* 389 * Depending on the value of "valid" and routing table 390 * size (mtudisc_{hi,lo}wat), we will: 391 * - recalcurate the new MTU and create the 392 * corresponding routing entry, or 393 * - ignore the MTU change notification. 394 */ 395 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 396 } 397 } else { 398 /* we normally notify any pcb here */ 399 } 400 } 401 #endif /* INET6 */ 402 403 static int 404 sysctl_fast_ipsec(SYSCTLFN_ARGS) 405 { 406 int error, t; 407 struct sysctlnode node; 408 409 node = *rnode; 410 t = *(int*)rnode->sysctl_data; 411 node.sysctl_data = &t; 412 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 413 if (error || newp == NULL) 414 return (error); 415 416 switch (rnode->sysctl_num) { 417 case IPSECCTL_DEF_ESP_TRANSLEV: 418 case IPSECCTL_DEF_ESP_NETLEV: 419 case IPSECCTL_DEF_AH_TRANSLEV: 420 case IPSECCTL_DEF_AH_NETLEV: 421 if (t != IPSEC_LEVEL_USE && 422 t != IPSEC_LEVEL_REQUIRE) 423 return (EINVAL); 424 ipsec_invalpcbcacheall(); 425 break; 426 case IPSECCTL_DEF_POLICY: 427 if (t != IPSEC_POLICY_DISCARD && 428 t != IPSEC_POLICY_NONE) 429 return (EINVAL); 430 ipsec_invalpcbcacheall(); 431 break; 432 default: 433 return (EINVAL); 434 } 435 436 *(int*)rnode->sysctl_data = t; 437 438 return (0); 439 } 440 441 #ifdef IPSEC_DEBUG 442 static int 443 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 444 { 445 int t, error; 446 struct sysctlnode node; 447 448 node = *rnode; 449 t = *(int*)rnode->sysctl_data; 450 node.sysctl_data = &t; 451 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 452 if (error || newp == NULL) 453 return (error); 454 455 if (t < 0 || t > 1) 456 return EINVAL; 457 458 if (rnode->sysctl_data == &ipsec_replay) 459 printf("fast_ipsec: Anti-Replay service %s\n", 460 (t == 1) ? "deactivated" : "activated"); 461 else if (rnode->sysctl_data == &ipsec_integrity) 462 printf("fast_ipsec: HMAC corruption %s\n", 463 (t == 0) ? "deactivated" : "activated"); 464 465 *(int*)rnode->sysctl_data = t; 466 467 return 0; 468 } 469 #endif 470 471 /* XXX will need a different oid at parent */ 472 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 473 { 474 const struct sysctlnode *_ipsec; 475 int ipproto_ipsec; 476 477 sysctl_createv(clog, 0, NULL, NULL, 478 CTLFLAG_PERMANENT, 479 CTLTYPE_NODE, "net", NULL, 480 NULL, 0, NULL, 0, 481 CTL_NET, CTL_EOL); 482 sysctl_createv(clog, 0, NULL, NULL, 483 CTLFLAG_PERMANENT, 484 CTLTYPE_NODE, "inet", NULL, 485 NULL, 0, NULL, 0, 486 CTL_NET, PF_INET, CTL_EOL); 487 488 /* 489 * in numerical order: 490 * 491 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 492 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 493 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 494 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 495 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 496 * 497 * this creates separate trees by name, but maintains that the 498 * ipsec name leads to all the old leaves. 499 */ 500 501 /* create net.inet.ipip */ 502 sysctl_createv(clog, 0, NULL, NULL, 503 CTLFLAG_PERMANENT, 504 CTLTYPE_NODE, "ipip", NULL, 505 NULL, 0, NULL, 0, 506 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 507 sysctl_createv(clog, 0, NULL, NULL, 508 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 509 CTLTYPE_STRUCT, "ipip_stats", NULL, 510 NULL, 0, &ipipstat, sizeof(ipipstat), 511 CTL_NET, PF_INET, IPPROTO_IPIP, 512 CTL_CREATE, CTL_EOL); 513 514 /* create net.inet.esp subtree under IPPROTO_ESP */ 515 sysctl_createv(clog, 0, NULL, NULL, 516 CTLFLAG_PERMANENT, 517 CTLTYPE_NODE, "esp", NULL, 518 NULL, 0, NULL, 0, 519 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 520 sysctl_createv(clog, 0, NULL, NULL, 521 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 522 CTLTYPE_INT, "trans_deflev", NULL, 523 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 524 CTL_NET, PF_INET, IPPROTO_ESP, 525 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 526 sysctl_createv(clog, 0, NULL, NULL, 527 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 528 CTLTYPE_INT, "net_deflev", NULL, 529 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 530 CTL_NET, PF_INET, IPPROTO_ESP, 531 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 532 sysctl_createv(clog, 0, NULL, NULL, 533 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 534 CTLTYPE_STRUCT, "esp_stats", NULL, 535 NULL, 0, &espstat, sizeof(espstat), 536 CTL_NET, PF_INET, IPPROTO_ESP, 537 CTL_CREATE, CTL_EOL); 538 539 /* create net.inet.ah subtree under IPPROTO_AH */ 540 sysctl_createv(clog, 0, NULL, NULL, 541 CTLFLAG_PERMANENT, 542 CTLTYPE_NODE, "ah", NULL, 543 NULL, 0, NULL, 0, 544 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 545 sysctl_createv(clog, 0, NULL, NULL, 546 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 547 CTLTYPE_INT, "cleartos", NULL, 548 NULL, 0, &/*ip4_*/ah_cleartos, 0, 549 CTL_NET, PF_INET, IPPROTO_AH, 550 IPSECCTL_AH_CLEARTOS, CTL_EOL); 551 sysctl_createv(clog, 0, NULL, NULL, 552 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 553 CTLTYPE_INT, "offsetmask", NULL, 554 NULL, 0, &ip4_ah_offsetmask, 0, 555 CTL_NET, PF_INET, IPPROTO_AH, 556 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 557 sysctl_createv(clog, 0, NULL, NULL, 558 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 559 CTLTYPE_INT, "trans_deflev", NULL, 560 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 561 CTL_NET, PF_INET, IPPROTO_AH, 562 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 563 sysctl_createv(clog, 0, NULL, NULL, 564 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 565 CTLTYPE_INT, "net_deflev", NULL, 566 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 567 CTL_NET, PF_INET, IPPROTO_AH, 568 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 569 sysctl_createv(clog, 0, NULL, NULL, 570 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 571 CTLTYPE_STRUCT, "ah_stats", NULL, 572 NULL, 0, &ahstat, sizeof(ahstat), 573 CTL_NET, PF_INET, IPPROTO_AH, 574 CTL_CREATE, CTL_EOL); 575 576 /* create net.inet.ipcomp */ 577 sysctl_createv(clog, 0, NULL, NULL, 578 CTLFLAG_PERMANENT, 579 CTLTYPE_NODE, "ipcomp", NULL, 580 NULL, 0, NULL, 0, 581 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 582 sysctl_createv(clog, 0, NULL, NULL, 583 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 584 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 585 NULL, 0, &ipcompstat, sizeof(ipcompstat), 586 CTL_NET, PF_INET, IPPROTO_IPCOMP, 587 CTL_CREATE, CTL_EOL); 588 589 /* create net.inet.ipsec subtree under dynamic oid */ 590 sysctl_createv(clog, 0, NULL, &_ipsec, 591 CTLFLAG_PERMANENT, 592 CTLTYPE_NODE, "ipsec", NULL, 593 NULL, 0, NULL, 0, 594 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 595 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 596 597 sysctl_createv(clog, 0, NULL, NULL, 598 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 599 CTLTYPE_INT, "def_policy", NULL, 600 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 601 CTL_NET, PF_INET, ipproto_ipsec, 602 IPSECCTL_DEF_POLICY, CTL_EOL); 603 sysctl_createv(clog, 0, NULL, NULL, 604 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 605 CTLTYPE_INT, "esp_trans_deflev", NULL, 606 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 607 CTL_NET, PF_INET, ipproto_ipsec, 608 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 609 sysctl_createv(clog, 0, NULL, NULL, 610 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 611 CTLTYPE_INT, "esp_net_deflev", NULL, 612 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 613 CTL_NET, PF_INET, ipproto_ipsec, 614 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 615 sysctl_createv(clog, 0, NULL, NULL, 616 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 617 CTLTYPE_INT, "ah_trans_deflev", NULL, 618 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 619 CTL_NET, PF_INET, ipproto_ipsec, 620 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 621 sysctl_createv(clog, 0, NULL, NULL, 622 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 623 CTLTYPE_INT, "ah_net_deflev", NULL, 624 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 625 CTL_NET, PF_INET, ipproto_ipsec, 626 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 627 sysctl_createv(clog, 0, NULL, NULL, 628 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 629 CTLTYPE_INT, "ah_cleartos", NULL, 630 NULL, 0, &/*ip4_*/ah_cleartos, 0, 631 CTL_NET, PF_INET, ipproto_ipsec, 632 IPSECCTL_AH_CLEARTOS, CTL_EOL); 633 sysctl_createv(clog, 0, NULL, NULL, 634 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 635 CTLTYPE_INT, "ah_offsetmask", NULL, 636 NULL, 0, &ip4_ah_offsetmask, 0, 637 CTL_NET, PF_INET, ipproto_ipsec, 638 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 639 sysctl_createv(clog, 0, NULL, NULL, 640 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 641 CTLTYPE_INT, "dfbit", NULL, 642 NULL, 0, &ip4_ipsec_dfbit, 0, 643 CTL_NET, PF_INET, ipproto_ipsec, 644 IPSECCTL_DFBIT, CTL_EOL); 645 sysctl_createv(clog, 0, NULL, NULL, 646 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 647 CTLTYPE_INT, "ecn", NULL, 648 NULL, 0, &ip4_ipsec_ecn, 0, 649 CTL_NET, PF_INET, ipproto_ipsec, 650 IPSECCTL_ECN, CTL_EOL); 651 sysctl_createv(clog, 0, NULL, NULL, 652 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 653 CTLTYPE_INT, "debug", NULL, 654 NULL, 0, &ipsec_debug, 0, 655 CTL_NET, PF_INET, ipproto_ipsec, 656 IPSECCTL_DEBUG, CTL_EOL); 657 sysctl_createv(clog, 0, NULL, NULL, 658 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 659 CTLTYPE_STRUCT, "ipsecstats", NULL, 660 NULL, 0, &ipsecstat, sizeof(ipsecstat), 661 CTL_NET, PF_INET, ipproto_ipsec, 662 CTL_CREATE, CTL_EOL); 663 #ifdef IPSEC_DEBUG 664 sysctl_createv(clog, 0, NULL, NULL, 665 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 666 CTLTYPE_INT, "test_replay", 667 SYSCTL_DESCR("Emulate replay attack"), 668 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 669 CTL_NET, PF_INET, ipproto_ipsec, 670 CTL_CREATE, CTL_EOL); 671 sysctl_createv(clog, 0, NULL, NULL, 672 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 673 CTLTYPE_INT, "test_integrity", 674 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 675 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 676 CTL_NET, PF_INET, ipproto_ipsec, 677 CTL_CREATE, CTL_EOL); 678 #endif 679 } 680
Indexes created Tue Sep 23 23:09:58 GMT 2025