ipsec_netbsd.c revision 1.23 1 /* $NetBSD: ipsec_netbsd.c,v 1.23 2007/03/04 19:54:48 degroote Exp $ */
2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.23 2007/03/04 19:54:48 degroote Exp $");
36
37 #include "opt_inet.h"
38 #include "opt_ipsec.h"
39
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/mbuf.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/kernel.h>
50 #include <sys/sysctl.h>
51
52 #include <net/if.h>
53 #include <net/route.h>
54 #include <net/netisr.h>
55 #include <machine/cpu.h>
56
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
64
65
66 #include <netipsec/ipsec.h>
67 #include <netipsec/ipsec_var.h>
68 #include <netipsec/key.h>
69 #include <netipsec/keydb.h>
70 #include <netipsec/key_debug.h>
71 #include <netipsec/ah.h>
72 #include <netipsec/ah_var.h>
73 #include <netipsec/esp.h>
74 #include <netipsec/esp_var.h>
75 #include <netipsec/ipip_var.h>
76 #include <netipsec/ipcomp_var.h>
77
78 #ifdef INET6
79 #include <netipsec/ipsec6.h>
80 #include <netinet6/ip6protosw.h>
81 #include <netinet/icmp6.h>
82 #endif
83
84 #include <machine/stdarg.h>
85
86
87
88 #include <netipsec/key.h>
89
90 /* assumes that ip header and ah header are contiguous on mbuf */
91 void*
92 ah4_ctlinput(cmd, sa, v)
93 int cmd;
94 const struct sockaddr *sa;
95 void *v;
96 {
97 struct ip *ip = v;
98 struct ah *ah;
99 struct icmp *icp;
100 struct secasvar *sav;
101
102 if (sa->sa_family != AF_INET ||
103 sa->sa_len != sizeof(struct sockaddr_in))
104 return NULL;
105 if ((unsigned)cmd >= PRC_NCMDS)
106 return NULL;
107
108 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
109 /*
110 * Check to see if we have a valid SA corresponding to
111 * the address in the ICMP message payload.
112 */
113 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
114 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
115 IPPROTO_AH, ah->ah_spi);
116
117 if (sav) {
118 if (sav->state == SADB_SASTATE_MATURE ||
119 sav->state == SADB_SASTATE_DYING) {
120
121 /*
122 * Now that we've validated that we are actually
123 * communicating with the host indicated in the
124 * ICMP message, locate the ICMP header,
125 * recalculate the new MTU, and create the
126 * corresponding routing entry.
127 */
128 icp = (struct icmp *)((char *)ip -
129 offsetof(struct icmp, icmp_ip));
130 icmp_mtudisc(icp, ip->ip_dst);
131
132 }
133 KEY_FREESAV(&sav);
134 }
135 }
136 return NULL;
137 }
138
139
140
141 /* assumes that ip header and esp header are contiguous on mbuf */
142 void*
143 esp4_ctlinput(cmd, sa, v)
144 int cmd;
145 const struct sockaddr *sa;
146 void *v;
147 {
148 struct ip *ip = v;
149 struct esp *esp;
150 struct icmp *icp;
151 struct secasvar *sav;
152
153 if (sa->sa_family != AF_INET ||
154 sa->sa_len != sizeof(struct sockaddr_in))
155 return NULL;
156 if ((unsigned)cmd >= PRC_NCMDS)
157 return NULL;
158
159 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
160 /*
161 * Check to see if we have a valid SA corresponding to
162 * the address in the ICMP message payload.
163 */
164 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
165 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
166 IPPROTO_ESP, esp->esp_spi);
167
168 if (sav) {
169 if (sav->state == SADB_SASTATE_MATURE ||
170 sav->state == SADB_SASTATE_DYING) {
171
172 /*
173 * Now that we've validated that we are actually
174 * communicating with the host indicated in the
175 * ICMP message, locate the ICMP header,
176 * recalculate the new MTU, and create the
177 * corresponding routing entry.
178 */
179
180 icp = (struct icmp *)((char *)ip -
181 offsetof(struct icmp, icmp_ip));
182 icmp_mtudisc(icp, ip->ip_dst);
183
184 }
185 KEY_FREESAV(&sav);
186 }
187 }
188 return NULL;
189 }
190
191 #ifdef INET6
192 void
193 ah6_ctlinput(cmd, sa, d)
194 int cmd;
195 const struct sockaddr *sa;
196 void *d;
197 {
198 const struct newah *ahp;
199 struct newah ah;
200 struct secasvar *sav;
201 struct ip6_hdr *ip6;
202 struct mbuf *m;
203 struct ip6ctlparam *ip6cp = NULL;
204 int off;
205
206 if (sa->sa_family != AF_INET6 ||
207 sa->sa_len != sizeof(struct sockaddr_in6))
208 return;
209 if ((unsigned)cmd >= PRC_NCMDS)
210 return;
211
212 /* if the parameter is from icmp6, decode it. */
213 if (d != NULL) {
214 ip6cp = (struct ip6ctlparam *)d;
215 m = ip6cp->ip6c_m;
216 ip6 = ip6cp->ip6c_ip6;
217 off = ip6cp->ip6c_off;
218 } else {
219 m = NULL;
220 ip6 = NULL;
221 off = 0;
222 }
223
224 if (ip6) {
225 /*
226 * XXX: We assume that when ip6 is non NULL,
227 * M and OFF are valid.
228 */
229
230 /* check if we can safely examine src and dst ports */
231 if (m->m_pkthdr.len < off + sizeof(ah))
232 return;
233
234 if (m->m_len < off + sizeof(ah)) {
235 /*
236 * this should be rare case,
237 * so we compromise on this copy...
238 */
239 m_copydata(m, off, sizeof(ah), (void *)&ah);
240 ahp = &ah;
241 } else
242 ahp = (struct newah *)(mtod(m, char *) + off);
243
244 if (cmd == PRC_MSGSIZE) {
245 int valid = 0;
246
247 /*
248 * Check to see if we have a valid SA corresponding
249 * to the address in the ICMP message payload.
250 */
251 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
252 IPPROTO_AH, ahp->ah_spi);
253
254 if (sav) {
255 if (sav->state == SADB_SASTATE_MATURE ||
256 sav->state == SADB_SASTATE_DYING)
257 valid++;
258 KEY_FREESAV(&sav);
259 }
260
261 /* XXX Further validation? */
262
263 /*
264 * Depending on the value of "valid" and routing
265 * table size (mtudisc_{hi,lo}wat), we will:
266 * - recalcurate the new MTU and create the
267 * corresponding routing entry, or
268 * - ignore the MTU change notification.
269 */
270 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
271 }
272
273 /* we normally notify single pcb here */
274 } else {
275 /* we normally notify any pcb here */
276 }
277 }
278
279
280
281 void
282 esp6_ctlinput(cmd, sa, d)
283 int cmd;
284 const struct sockaddr *sa;
285 void *d;
286 {
287 const struct newesp *espp;
288 struct newesp esp;
289 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
290 struct secasvar *sav;
291 struct ip6_hdr *ip6;
292 struct mbuf *m;
293 int off;
294
295 if (sa->sa_family != AF_INET6 ||
296 sa->sa_len != sizeof(struct sockaddr_in6))
297 return;
298 if ((unsigned)cmd >= PRC_NCMDS)
299 return;
300
301 /* if the parameter is from icmp6, decode it. */
302 if (d != NULL) {
303 ip6cp = (struct ip6ctlparam *)d;
304 m = ip6cp->ip6c_m;
305 ip6 = ip6cp->ip6c_ip6;
306 off = ip6cp->ip6c_off;
307 } else {
308 m = NULL;
309 ip6 = NULL;
310 off = 0;
311 }
312
313 if (ip6) {
314 /*
315 * Notify the error to all possible sockets via pfctlinput2.
316 * Since the upper layer information (such as protocol type,
317 * source and destination ports) is embedded in the encrypted
318 * data and might have been cut, we can't directly call
319 * an upper layer ctlinput function. However, the pcbnotify
320 * function will consider source and destination addresses
321 * as well as the flow info value, and may be able to find
322 * some PCB that should be notified.
323 * Although pfctlinput2 will call esp6_ctlinput(), there is
324 * no possibility of an infinite loop of function calls,
325 * because we don't pass the inner IPv6 header.
326 */
327 memset(&ip6cp1, 0, sizeof(ip6cp1));
328 ip6cp1.ip6c_src = ip6cp->ip6c_src;
329 pfctlinput2(cmd, sa, (void *)&ip6cp1);
330
331 /*
332 * Then go to special cases that need ESP header information.
333 * XXX: We assume that when ip6 is non NULL,
334 * M and OFF are valid.
335 */
336
337 /* check if we can safely examine src and dst ports */
338 if (m->m_pkthdr.len < off + sizeof(esp))
339 return;
340
341 if (m->m_len < off + sizeof(esp)) {
342 /*
343 * this should be rare case,
344 * so we compromise on this copy...
345 */
346 m_copydata(m, off, sizeof(esp), (void *)&esp);
347 espp = &esp;
348 } else
349 espp = (struct newesp*)(mtod(m, char *) + off);
350
351 if (cmd == PRC_MSGSIZE) {
352 int valid = 0;
353
354 /*
355 * Check to see if we have a valid SA corresponding to
356 * the address in the ICMP message payload.
357 */
358
359 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
360 IPPROTO_ESP, espp->esp_spi);
361
362 if (sav) {
363 if (sav->state == SADB_SASTATE_MATURE ||
364 sav->state == SADB_SASTATE_DYING)
365 valid++;
366 KEY_FREESAV(&sav);
367 }
368
369 /* XXX Further validation? */
370
371 /*
372 * Depending on the value of "valid" and routing table
373 * size (mtudisc_{hi,lo}wat), we will:
374 * - recalcurate the new MTU and create the
375 * corresponding routing entry, or
376 * - ignore the MTU change notification.
377 */
378 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
379 }
380 } else {
381 /* we normally notify any pcb here */
382 }
383 }
384 #endif /* INET6 */
385
386 static int
387 sysctl_fast_ipsec(SYSCTLFN_ARGS)
388 {
389 int error, t;
390 struct sysctlnode node;
391
392 node = *rnode;
393 t = *(int*)rnode->sysctl_data;
394 node.sysctl_data = &t;
395 error = sysctl_lookup(SYSCTLFN_CALL(&node));
396 if (error || newp == NULL)
397 return (error);
398
399 switch (rnode->sysctl_num) {
400 case IPSECCTL_DEF_ESP_TRANSLEV:
401 case IPSECCTL_DEF_ESP_NETLEV:
402 case IPSECCTL_DEF_AH_TRANSLEV:
403 case IPSECCTL_DEF_AH_NETLEV:
404 if (t != IPSEC_LEVEL_USE &&
405 t != IPSEC_LEVEL_REQUIRE)
406 return (EINVAL);
407 ipsec_invalpcbcacheall();
408 break;
409 case IPSECCTL_DEF_POLICY:
410 if (t != IPSEC_POLICY_DISCARD &&
411 t != IPSEC_POLICY_NONE)
412 return (EINVAL);
413 ipsec_invalpcbcacheall();
414 break;
415 default:
416 return (EINVAL);
417 }
418
419 *(int*)rnode->sysctl_data = t;
420
421 return (0);
422 }
423
424 #ifdef IPSEC_DEBUG
425 static int
426 sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
427 {
428 int t, error;
429 struct sysctlnode node;
430
431 node = *rnode;
432 t = *(int*)rnode->sysctl_data;
433 node.sysctl_data = &t;
434 error = sysctl_lookup(SYSCTLFN_CALL(&node));
435 if (error || newp == NULL)
436 return (error);
437
438 if (t < 0 || t > 1)
439 return EINVAL;
440
441 if (rnode->sysctl_data == &ipsec_replay)
442 printf("fast_ipsec: Anti-Replay service %s\n",
443 (t == 1) ? "deactivated" : "activated");
444 else if (rnode->sysctl_data == &ipsec_integrity)
445 printf("fast_ipsec: HMAC corruption %s\n",
446 (t == 0) ? "deactivated" : "activated");
447
448 *(int*)rnode->sysctl_data = t;
449
450 return 0;
451 }
452 #endif
453
454 /* XXX will need a different oid at parent */
455 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
456 {
457 const struct sysctlnode *_ipsec;
458 int ipproto_ipsec;
459
460 sysctl_createv(clog, 0, NULL, NULL,
461 CTLFLAG_PERMANENT,
462 CTLTYPE_NODE, "net", NULL,
463 NULL, 0, NULL, 0,
464 CTL_NET, CTL_EOL);
465 sysctl_createv(clog, 0, NULL, NULL,
466 CTLFLAG_PERMANENT,
467 CTLTYPE_NODE, "inet", NULL,
468 NULL, 0, NULL, 0,
469 CTL_NET, PF_INET, CTL_EOL);
470
471 /*
472 * in numerical order:
473 *
474 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
475 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
476 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
477 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
478 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
479 *
480 * this creates separate trees by name, but maintains that the
481 * ipsec name leads to all the old leaves.
482 */
483
484 /* create net.inet.ipip */
485 sysctl_createv(clog, 0, NULL, NULL,
486 CTLFLAG_PERMANENT,
487 CTLTYPE_NODE, "ipip", NULL,
488 NULL, 0, NULL, 0,
489 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
490 sysctl_createv(clog, 0, NULL, NULL,
491 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
492 CTLTYPE_STRUCT, "ipip_stats", NULL,
493 NULL, 0, &ipipstat, sizeof(ipipstat),
494 CTL_NET, PF_INET, IPPROTO_IPIP,
495 CTL_CREATE, CTL_EOL);
496
497 /* create net.inet.esp subtree under IPPROTO_ESP */
498 sysctl_createv(clog, 0, NULL, NULL,
499 CTLFLAG_PERMANENT,
500 CTLTYPE_NODE, "esp", NULL,
501 NULL, 0, NULL, 0,
502 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
503 sysctl_createv(clog, 0, NULL, NULL,
504 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
505 CTLTYPE_INT, "trans_deflev", NULL,
506 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
507 CTL_NET, PF_INET, IPPROTO_ESP,
508 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
509 sysctl_createv(clog, 0, NULL, NULL,
510 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
511 CTLTYPE_INT, "net_deflev", NULL,
512 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
513 CTL_NET, PF_INET, IPPROTO_ESP,
514 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
515 sysctl_createv(clog, 0, NULL, NULL,
516 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
517 CTLTYPE_STRUCT, "esp_stats", NULL,
518 NULL, 0, &espstat, sizeof(espstat),
519 CTL_NET, PF_INET, IPPROTO_ESP,
520 CTL_CREATE, CTL_EOL);
521
522 /* create net.inet.ah subtree under IPPROTO_AH */
523 sysctl_createv(clog, 0, NULL, NULL,
524 CTLFLAG_PERMANENT,
525 CTLTYPE_NODE, "ah", NULL,
526 NULL, 0, NULL, 0,
527 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
528 sysctl_createv(clog, 0, NULL, NULL,
529 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
530 CTLTYPE_INT, "cleartos", NULL,
531 NULL, 0, &/*ip4_*/ah_cleartos, 0,
532 CTL_NET, PF_INET, IPPROTO_AH,
533 IPSECCTL_AH_CLEARTOS, CTL_EOL);
534 sysctl_createv(clog, 0, NULL, NULL,
535 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
536 CTLTYPE_INT, "offsetmask", NULL,
537 NULL, 0, &ip4_ah_offsetmask, 0,
538 CTL_NET, PF_INET, IPPROTO_AH,
539 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
540 sysctl_createv(clog, 0, NULL, NULL,
541 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
542 CTLTYPE_INT, "trans_deflev", NULL,
543 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
544 CTL_NET, PF_INET, IPPROTO_AH,
545 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
546 sysctl_createv(clog, 0, NULL, NULL,
547 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
548 CTLTYPE_INT, "net_deflev", NULL,
549 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
550 CTL_NET, PF_INET, IPPROTO_AH,
551 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
552 sysctl_createv(clog, 0, NULL, NULL,
553 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
554 CTLTYPE_STRUCT, "ah_stats", NULL,
555 NULL, 0, &ahstat, sizeof(ahstat),
556 CTL_NET, PF_INET, IPPROTO_AH,
557 CTL_CREATE, CTL_EOL);
558
559 /* create net.inet.ipcomp */
560 sysctl_createv(clog, 0, NULL, NULL,
561 CTLFLAG_PERMANENT,
562 CTLTYPE_NODE, "ipcomp", NULL,
563 NULL, 0, NULL, 0,
564 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
565 sysctl_createv(clog, 0, NULL, NULL,
566 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
567 CTLTYPE_STRUCT, "ipcomp_stats", NULL,
568 NULL, 0, &ipcompstat, sizeof(ipcompstat),
569 CTL_NET, PF_INET, IPPROTO_IPCOMP,
570 CTL_CREATE, CTL_EOL);
571
572 /* create net.inet.ipsec subtree under dynamic oid */
573 sysctl_createv(clog, 0, NULL, &_ipsec,
574 CTLFLAG_PERMANENT,
575 CTLTYPE_NODE, "ipsec", NULL,
576 NULL, 0, NULL, 0,
577 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
578 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
579
580 sysctl_createv(clog, 0, NULL, NULL,
581 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
582 CTLTYPE_INT, "def_policy", NULL,
583 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
584 CTL_NET, PF_INET, ipproto_ipsec,
585 IPSECCTL_DEF_POLICY, CTL_EOL);
586 sysctl_createv(clog, 0, NULL, NULL,
587 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
588 CTLTYPE_INT, "esp_trans_deflev", NULL,
589 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
590 CTL_NET, PF_INET, ipproto_ipsec,
591 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
592 sysctl_createv(clog, 0, NULL, NULL,
593 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
594 CTLTYPE_INT, "esp_net_deflev", NULL,
595 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
596 CTL_NET, PF_INET, ipproto_ipsec,
597 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
598 sysctl_createv(clog, 0, NULL, NULL,
599 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
600 CTLTYPE_INT, "ah_trans_deflev", NULL,
601 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
602 CTL_NET, PF_INET, ipproto_ipsec,
603 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
604 sysctl_createv(clog, 0, NULL, NULL,
605 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
606 CTLTYPE_INT, "ah_net_deflev", NULL,
607 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
608 CTL_NET, PF_INET, ipproto_ipsec,
609 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
610 sysctl_createv(clog, 0, NULL, NULL,
611 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
612 CTLTYPE_INT, "ah_cleartos", NULL,
613 NULL, 0, &/*ip4_*/ah_cleartos, 0,
614 CTL_NET, PF_INET, ipproto_ipsec,
615 IPSECCTL_AH_CLEARTOS, CTL_EOL);
616 sysctl_createv(clog, 0, NULL, NULL,
617 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
618 CTLTYPE_INT, "ah_offsetmask", NULL,
619 NULL, 0, &ip4_ah_offsetmask, 0,
620 CTL_NET, PF_INET, ipproto_ipsec,
621 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
622 sysctl_createv(clog, 0, NULL, NULL,
623 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
624 CTLTYPE_INT, "dfbit", NULL,
625 NULL, 0, &ip4_ipsec_dfbit, 0,
626 CTL_NET, PF_INET, ipproto_ipsec,
627 IPSECCTL_DFBIT, CTL_EOL);
628 sysctl_createv(clog, 0, NULL, NULL,
629 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
630 CTLTYPE_INT, "ecn", NULL,
631 NULL, 0, &ip4_ipsec_ecn, 0,
632 CTL_NET, PF_INET, ipproto_ipsec,
633 IPSECCTL_ECN, CTL_EOL);
634 sysctl_createv(clog, 0, NULL, NULL,
635 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
636 CTLTYPE_INT, "debug", NULL,
637 NULL, 0, &ipsec_debug, 0,
638 CTL_NET, PF_INET, ipproto_ipsec,
639 IPSECCTL_DEBUG, CTL_EOL);
640 sysctl_createv(clog, 0, NULL, NULL,
641 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
642 CTLTYPE_STRUCT, "ipsecstats", NULL,
643 NULL, 0, &ipsecstat, sizeof(ipsecstat),
644 CTL_NET, PF_INET, ipproto_ipsec,
645 CTL_CREATE, CTL_EOL);
646 #ifdef IPSEC_DEBUG
647 sysctl_createv(clog, 0, NULL, NULL,
648 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
649 CTLTYPE_INT, "test_replay",
650 SYSCTL_DESCR("Emulate replay attack"),
651 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
652 CTL_NET, PF_INET, ipproto_ipsec,
653 CTL_CREATE, CTL_EOL);
654 sysctl_createv(clog, 0, NULL, NULL,
655 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
656 CTLTYPE_INT, "test_integrity",
657 SYSCTL_DESCR("Emulate man-in-the-middle attack"),
658 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
659 CTL_NET, PF_INET, ipproto_ipsec,
660 CTL_CREATE, CTL_EOL);
661 #endif
662 }
663