ipsec_netbsd.c revision 1.23
1 /* $NetBSD: ipsec_netbsd.c,v 1.23 2007/03/04 19:54:48 degroote Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.23 2007/03/04 19:54:48 degroote Exp $"); 36 37 #include "opt_inet.h" 38 #include "opt_ipsec.h" 39 40 #include <sys/param.h> 41 #include <sys/systm.h> 42 #include <sys/malloc.h> 43 #include <sys/mbuf.h> 44 #include <sys/domain.h> 45 #include <sys/protosw.h> 46 #include <sys/socket.h> 47 #include <sys/errno.h> 48 #include <sys/time.h> 49 #include <sys/kernel.h> 50 #include <sys/sysctl.h> 51 52 #include <net/if.h> 53 #include <net/route.h> 54 #include <net/netisr.h> 55 #include <machine/cpu.h> 56 57 #include <netinet/in.h> 58 #include <netinet/in_systm.h> 59 #include <netinet/in_var.h> 60 #include <netinet/ip.h> 61 #include <netinet/ip_var.h> 62 #include <netinet/ip_ecn.h> 63 #include <netinet/ip_icmp.h> 64 65 66 #include <netipsec/ipsec.h> 67 #include <netipsec/ipsec_var.h> 68 #include <netipsec/key.h> 69 #include <netipsec/keydb.h> 70 #include <netipsec/key_debug.h> 71 #include <netipsec/ah.h> 72 #include <netipsec/ah_var.h> 73 #include <netipsec/esp.h> 74 #include <netipsec/esp_var.h> 75 #include <netipsec/ipip_var.h> 76 #include <netipsec/ipcomp_var.h> 77 78 #ifdef INET6 79 #include <netipsec/ipsec6.h> 80 #include <netinet6/ip6protosw.h> 81 #include <netinet/icmp6.h> 82 #endif 83 84 #include <machine/stdarg.h> 85 86 87 88 #include <netipsec/key.h> 89 90 /* assumes that ip header and ah header are contiguous on mbuf */ 91 void* 92 ah4_ctlinput(cmd, sa, v) 93 int cmd; 94 const struct sockaddr *sa; 95 void *v; 96 { 97 struct ip *ip = v; 98 struct ah *ah; 99 struct icmp *icp; 100 struct secasvar *sav; 101 102 if (sa->sa_family != AF_INET || 103 sa->sa_len != sizeof(struct sockaddr_in)) 104 return NULL; 105 if ((unsigned)cmd >= PRC_NCMDS) 106 return NULL; 107 108 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 109 /* 110 * Check to see if we have a valid SA corresponding to 111 * the address in the ICMP message payload. 112 */ 113 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 114 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 115 IPPROTO_AH, ah->ah_spi); 116 117 if (sav) { 118 if (sav->state == SADB_SASTATE_MATURE || 119 sav->state == SADB_SASTATE_DYING) { 120 121 /* 122 * Now that we've validated that we are actually 123 * communicating with the host indicated in the 124 * ICMP message, locate the ICMP header, 125 * recalculate the new MTU, and create the 126 * corresponding routing entry. 127 */ 128 icp = (struct icmp *)((char *)ip - 129 offsetof(struct icmp, icmp_ip)); 130 icmp_mtudisc(icp, ip->ip_dst); 131 132 } 133 KEY_FREESAV(&sav); 134 } 135 } 136 return NULL; 137 } 138 139 140 141 /* assumes that ip header and esp header are contiguous on mbuf */ 142 void* 143 esp4_ctlinput(cmd, sa, v) 144 int cmd; 145 const struct sockaddr *sa; 146 void *v; 147 { 148 struct ip *ip = v; 149 struct esp *esp; 150 struct icmp *icp; 151 struct secasvar *sav; 152 153 if (sa->sa_family != AF_INET || 154 sa->sa_len != sizeof(struct sockaddr_in)) 155 return NULL; 156 if ((unsigned)cmd >= PRC_NCMDS) 157 return NULL; 158 159 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 160 /* 161 * Check to see if we have a valid SA corresponding to 162 * the address in the ICMP message payload. 163 */ 164 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 165 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 166 IPPROTO_ESP, esp->esp_spi); 167 168 if (sav) { 169 if (sav->state == SADB_SASTATE_MATURE || 170 sav->state == SADB_SASTATE_DYING) { 171 172 /* 173 * Now that we've validated that we are actually 174 * communicating with the host indicated in the 175 * ICMP message, locate the ICMP header, 176 * recalculate the new MTU, and create the 177 * corresponding routing entry. 178 */ 179 180 icp = (struct icmp *)((char *)ip - 181 offsetof(struct icmp, icmp_ip)); 182 icmp_mtudisc(icp, ip->ip_dst); 183 184 } 185 KEY_FREESAV(&sav); 186 } 187 } 188 return NULL; 189 } 190 191 #ifdef INET6 192 void 193 ah6_ctlinput(cmd, sa, d) 194 int cmd; 195 const struct sockaddr *sa; 196 void *d; 197 { 198 const struct newah *ahp; 199 struct newah ah; 200 struct secasvar *sav; 201 struct ip6_hdr *ip6; 202 struct mbuf *m; 203 struct ip6ctlparam *ip6cp = NULL; 204 int off; 205 206 if (sa->sa_family != AF_INET6 || 207 sa->sa_len != sizeof(struct sockaddr_in6)) 208 return; 209 if ((unsigned)cmd >= PRC_NCMDS) 210 return; 211 212 /* if the parameter is from icmp6, decode it. */ 213 if (d != NULL) { 214 ip6cp = (struct ip6ctlparam *)d; 215 m = ip6cp->ip6c_m; 216 ip6 = ip6cp->ip6c_ip6; 217 off = ip6cp->ip6c_off; 218 } else { 219 m = NULL; 220 ip6 = NULL; 221 off = 0; 222 } 223 224 if (ip6) { 225 /* 226 * XXX: We assume that when ip6 is non NULL, 227 * M and OFF are valid. 228 */ 229 230 /* check if we can safely examine src and dst ports */ 231 if (m->m_pkthdr.len < off + sizeof(ah)) 232 return; 233 234 if (m->m_len < off + sizeof(ah)) { 235 /* 236 * this should be rare case, 237 * so we compromise on this copy... 238 */ 239 m_copydata(m, off, sizeof(ah), (void *)&ah); 240 ahp = &ah; 241 } else 242 ahp = (struct newah *)(mtod(m, char *) + off); 243 244 if (cmd == PRC_MSGSIZE) { 245 int valid = 0; 246 247 /* 248 * Check to see if we have a valid SA corresponding 249 * to the address in the ICMP message payload. 250 */ 251 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 252 IPPROTO_AH, ahp->ah_spi); 253 254 if (sav) { 255 if (sav->state == SADB_SASTATE_MATURE || 256 sav->state == SADB_SASTATE_DYING) 257 valid++; 258 KEY_FREESAV(&sav); 259 } 260 261 /* XXX Further validation? */ 262 263 /* 264 * Depending on the value of "valid" and routing 265 * table size (mtudisc_{hi,lo}wat), we will: 266 * - recalcurate the new MTU and create the 267 * corresponding routing entry, or 268 * - ignore the MTU change notification. 269 */ 270 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 271 } 272 273 /* we normally notify single pcb here */ 274 } else { 275 /* we normally notify any pcb here */ 276 } 277 } 278 279 280 281 void 282 esp6_ctlinput(cmd, sa, d) 283 int cmd; 284 const struct sockaddr *sa; 285 void *d; 286 { 287 const struct newesp *espp; 288 struct newesp esp; 289 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 290 struct secasvar *sav; 291 struct ip6_hdr *ip6; 292 struct mbuf *m; 293 int off; 294 295 if (sa->sa_family != AF_INET6 || 296 sa->sa_len != sizeof(struct sockaddr_in6)) 297 return; 298 if ((unsigned)cmd >= PRC_NCMDS) 299 return; 300 301 /* if the parameter is from icmp6, decode it. */ 302 if (d != NULL) { 303 ip6cp = (struct ip6ctlparam *)d; 304 m = ip6cp->ip6c_m; 305 ip6 = ip6cp->ip6c_ip6; 306 off = ip6cp->ip6c_off; 307 } else { 308 m = NULL; 309 ip6 = NULL; 310 off = 0; 311 } 312 313 if (ip6) { 314 /* 315 * Notify the error to all possible sockets via pfctlinput2. 316 * Since the upper layer information (such as protocol type, 317 * source and destination ports) is embedded in the encrypted 318 * data and might have been cut, we can't directly call 319 * an upper layer ctlinput function. However, the pcbnotify 320 * function will consider source and destination addresses 321 * as well as the flow info value, and may be able to find 322 * some PCB that should be notified. 323 * Although pfctlinput2 will call esp6_ctlinput(), there is 324 * no possibility of an infinite loop of function calls, 325 * because we don't pass the inner IPv6 header. 326 */ 327 memset(&ip6cp1, 0, sizeof(ip6cp1)); 328 ip6cp1.ip6c_src = ip6cp->ip6c_src; 329 pfctlinput2(cmd, sa, (void *)&ip6cp1); 330 331 /* 332 * Then go to special cases that need ESP header information. 333 * XXX: We assume that when ip6 is non NULL, 334 * M and OFF are valid. 335 */ 336 337 /* check if we can safely examine src and dst ports */ 338 if (m->m_pkthdr.len < off + sizeof(esp)) 339 return; 340 341 if (m->m_len < off + sizeof(esp)) { 342 /* 343 * this should be rare case, 344 * so we compromise on this copy... 345 */ 346 m_copydata(m, off, sizeof(esp), (void *)&esp); 347 espp = &esp; 348 } else 349 espp = (struct newesp*)(mtod(m, char *) + off); 350 351 if (cmd == PRC_MSGSIZE) { 352 int valid = 0; 353 354 /* 355 * Check to see if we have a valid SA corresponding to 356 * the address in the ICMP message payload. 357 */ 358 359 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 360 IPPROTO_ESP, espp->esp_spi); 361 362 if (sav) { 363 if (sav->state == SADB_SASTATE_MATURE || 364 sav->state == SADB_SASTATE_DYING) 365 valid++; 366 KEY_FREESAV(&sav); 367 } 368 369 /* XXX Further validation? */ 370 371 /* 372 * Depending on the value of "valid" and routing table 373 * size (mtudisc_{hi,lo}wat), we will: 374 * - recalcurate the new MTU and create the 375 * corresponding routing entry, or 376 * - ignore the MTU change notification. 377 */ 378 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 379 } 380 } else { 381 /* we normally notify any pcb here */ 382 } 383 } 384 #endif /* INET6 */ 385 386 static int 387 sysctl_fast_ipsec(SYSCTLFN_ARGS) 388 { 389 int error, t; 390 struct sysctlnode node; 391 392 node = *rnode; 393 t = *(int*)rnode->sysctl_data; 394 node.sysctl_data = &t; 395 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 396 if (error || newp == NULL) 397 return (error); 398 399 switch (rnode->sysctl_num) { 400 case IPSECCTL_DEF_ESP_TRANSLEV: 401 case IPSECCTL_DEF_ESP_NETLEV: 402 case IPSECCTL_DEF_AH_TRANSLEV: 403 case IPSECCTL_DEF_AH_NETLEV: 404 if (t != IPSEC_LEVEL_USE && 405 t != IPSEC_LEVEL_REQUIRE) 406 return (EINVAL); 407 ipsec_invalpcbcacheall(); 408 break; 409 case IPSECCTL_DEF_POLICY: 410 if (t != IPSEC_POLICY_DISCARD && 411 t != IPSEC_POLICY_NONE) 412 return (EINVAL); 413 ipsec_invalpcbcacheall(); 414 break; 415 default: 416 return (EINVAL); 417 } 418 419 *(int*)rnode->sysctl_data = t; 420 421 return (0); 422 } 423 424 #ifdef IPSEC_DEBUG 425 static int 426 sysctl_fast_ipsec_test(SYSCTLFN_ARGS) 427 { 428 int t, error; 429 struct sysctlnode node; 430 431 node = *rnode; 432 t = *(int*)rnode->sysctl_data; 433 node.sysctl_data = &t; 434 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 435 if (error || newp == NULL) 436 return (error); 437 438 if (t < 0 || t > 1) 439 return EINVAL; 440 441 if (rnode->sysctl_data == &ipsec_replay) 442 printf("fast_ipsec: Anti-Replay service %s\n", 443 (t == 1) ? "deactivated" : "activated"); 444 else if (rnode->sysctl_data == &ipsec_integrity) 445 printf("fast_ipsec: HMAC corruption %s\n", 446 (t == 0) ? "deactivated" : "activated"); 447 448 *(int*)rnode->sysctl_data = t; 449 450 return 0; 451 } 452 #endif 453 454 /* XXX will need a different oid at parent */ 455 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") 456 { 457 const struct sysctlnode *_ipsec; 458 int ipproto_ipsec; 459 460 sysctl_createv(clog, 0, NULL, NULL, 461 CTLFLAG_PERMANENT, 462 CTLTYPE_NODE, "net", NULL, 463 NULL, 0, NULL, 0, 464 CTL_NET, CTL_EOL); 465 sysctl_createv(clog, 0, NULL, NULL, 466 CTLFLAG_PERMANENT, 467 CTLTYPE_NODE, "inet", NULL, 468 NULL, 0, NULL, 0, 469 CTL_NET, PF_INET, CTL_EOL); 470 471 /* 472 * in numerical order: 473 * 474 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 475 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 476 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 477 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 478 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 479 * 480 * this creates separate trees by name, but maintains that the 481 * ipsec name leads to all the old leaves. 482 */ 483 484 /* create net.inet.ipip */ 485 sysctl_createv(clog, 0, NULL, NULL, 486 CTLFLAG_PERMANENT, 487 CTLTYPE_NODE, "ipip", NULL, 488 NULL, 0, NULL, 0, 489 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 490 sysctl_createv(clog, 0, NULL, NULL, 491 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 492 CTLTYPE_STRUCT, "ipip_stats", NULL, 493 NULL, 0, &ipipstat, sizeof(ipipstat), 494 CTL_NET, PF_INET, IPPROTO_IPIP, 495 CTL_CREATE, CTL_EOL); 496 497 /* create net.inet.esp subtree under IPPROTO_ESP */ 498 sysctl_createv(clog, 0, NULL, NULL, 499 CTLFLAG_PERMANENT, 500 CTLTYPE_NODE, "esp", NULL, 501 NULL, 0, NULL, 0, 502 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 503 sysctl_createv(clog, 0, NULL, NULL, 504 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 505 CTLTYPE_INT, "trans_deflev", NULL, 506 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 507 CTL_NET, PF_INET, IPPROTO_ESP, 508 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 509 sysctl_createv(clog, 0, NULL, NULL, 510 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 511 CTLTYPE_INT, "net_deflev", NULL, 512 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 513 CTL_NET, PF_INET, IPPROTO_ESP, 514 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 515 sysctl_createv(clog, 0, NULL, NULL, 516 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 517 CTLTYPE_STRUCT, "esp_stats", NULL, 518 NULL, 0, &espstat, sizeof(espstat), 519 CTL_NET, PF_INET, IPPROTO_ESP, 520 CTL_CREATE, CTL_EOL); 521 522 /* create net.inet.ah subtree under IPPROTO_AH */ 523 sysctl_createv(clog, 0, NULL, NULL, 524 CTLFLAG_PERMANENT, 525 CTLTYPE_NODE, "ah", NULL, 526 NULL, 0, NULL, 0, 527 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 528 sysctl_createv(clog, 0, NULL, NULL, 529 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 530 CTLTYPE_INT, "cleartos", NULL, 531 NULL, 0, &/*ip4_*/ah_cleartos, 0, 532 CTL_NET, PF_INET, IPPROTO_AH, 533 IPSECCTL_AH_CLEARTOS, CTL_EOL); 534 sysctl_createv(clog, 0, NULL, NULL, 535 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 536 CTLTYPE_INT, "offsetmask", NULL, 537 NULL, 0, &ip4_ah_offsetmask, 0, 538 CTL_NET, PF_INET, IPPROTO_AH, 539 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 540 sysctl_createv(clog, 0, NULL, NULL, 541 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 542 CTLTYPE_INT, "trans_deflev", NULL, 543 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 544 CTL_NET, PF_INET, IPPROTO_AH, 545 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 546 sysctl_createv(clog, 0, NULL, NULL, 547 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 548 CTLTYPE_INT, "net_deflev", NULL, 549 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 550 CTL_NET, PF_INET, IPPROTO_AH, 551 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 552 sysctl_createv(clog, 0, NULL, NULL, 553 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 554 CTLTYPE_STRUCT, "ah_stats", NULL, 555 NULL, 0, &ahstat, sizeof(ahstat), 556 CTL_NET, PF_INET, IPPROTO_AH, 557 CTL_CREATE, CTL_EOL); 558 559 /* create net.inet.ipcomp */ 560 sysctl_createv(clog, 0, NULL, NULL, 561 CTLFLAG_PERMANENT, 562 CTLTYPE_NODE, "ipcomp", NULL, 563 NULL, 0, NULL, 0, 564 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 565 sysctl_createv(clog, 0, NULL, NULL, 566 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 567 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 568 NULL, 0, &ipcompstat, sizeof(ipcompstat), 569 CTL_NET, PF_INET, IPPROTO_IPCOMP, 570 CTL_CREATE, CTL_EOL); 571 572 /* create net.inet.ipsec subtree under dynamic oid */ 573 sysctl_createv(clog, 0, NULL, &_ipsec, 574 CTLFLAG_PERMANENT, 575 CTLTYPE_NODE, "ipsec", NULL, 576 NULL, 0, NULL, 0, 577 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 578 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 579 580 sysctl_createv(clog, 0, NULL, NULL, 581 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 582 CTLTYPE_INT, "def_policy", NULL, 583 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, 584 CTL_NET, PF_INET, ipproto_ipsec, 585 IPSECCTL_DEF_POLICY, CTL_EOL); 586 sysctl_createv(clog, 0, NULL, NULL, 587 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 588 CTLTYPE_INT, "esp_trans_deflev", NULL, 589 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, 590 CTL_NET, PF_INET, ipproto_ipsec, 591 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 592 sysctl_createv(clog, 0, NULL, NULL, 593 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 594 CTLTYPE_INT, "esp_net_deflev", NULL, 595 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, 596 CTL_NET, PF_INET, ipproto_ipsec, 597 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 598 sysctl_createv(clog, 0, NULL, NULL, 599 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 600 CTLTYPE_INT, "ah_trans_deflev", NULL, 601 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, 602 CTL_NET, PF_INET, ipproto_ipsec, 603 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 604 sysctl_createv(clog, 0, NULL, NULL, 605 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 606 CTLTYPE_INT, "ah_net_deflev", NULL, 607 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, 608 CTL_NET, PF_INET, ipproto_ipsec, 609 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 610 sysctl_createv(clog, 0, NULL, NULL, 611 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 612 CTLTYPE_INT, "ah_cleartos", NULL, 613 NULL, 0, &/*ip4_*/ah_cleartos, 0, 614 CTL_NET, PF_INET, ipproto_ipsec, 615 IPSECCTL_AH_CLEARTOS, CTL_EOL); 616 sysctl_createv(clog, 0, NULL, NULL, 617 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 618 CTLTYPE_INT, "ah_offsetmask", NULL, 619 NULL, 0, &ip4_ah_offsetmask, 0, 620 CTL_NET, PF_INET, ipproto_ipsec, 621 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 622 sysctl_createv(clog, 0, NULL, NULL, 623 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 624 CTLTYPE_INT, "dfbit", NULL, 625 NULL, 0, &ip4_ipsec_dfbit, 0, 626 CTL_NET, PF_INET, ipproto_ipsec, 627 IPSECCTL_DFBIT, CTL_EOL); 628 sysctl_createv(clog, 0, NULL, NULL, 629 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 630 CTLTYPE_INT, "ecn", NULL, 631 NULL, 0, &ip4_ipsec_ecn, 0, 632 CTL_NET, PF_INET, ipproto_ipsec, 633 IPSECCTL_ECN, CTL_EOL); 634 sysctl_createv(clog, 0, NULL, NULL, 635 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 636 CTLTYPE_INT, "debug", NULL, 637 NULL, 0, &ipsec_debug, 0, 638 CTL_NET, PF_INET, ipproto_ipsec, 639 IPSECCTL_DEBUG, CTL_EOL); 640 sysctl_createv(clog, 0, NULL, NULL, 641 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 642 CTLTYPE_STRUCT, "ipsecstats", NULL, 643 NULL, 0, &ipsecstat, sizeof(ipsecstat), 644 CTL_NET, PF_INET, ipproto_ipsec, 645 CTL_CREATE, CTL_EOL); 646 #ifdef IPSEC_DEBUG 647 sysctl_createv(clog, 0, NULL, NULL, 648 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 649 CTLTYPE_INT, "test_replay", 650 SYSCTL_DESCR("Emulate replay attack"), 651 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0, 652 CTL_NET, PF_INET, ipproto_ipsec, 653 CTL_CREATE, CTL_EOL); 654 sysctl_createv(clog, 0, NULL, NULL, 655 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 656 CTLTYPE_INT, "test_integrity", 657 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 658 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0, 659 CTL_NET, PF_INET, ipproto_ipsec, 660 CTL_CREATE, CTL_EOL); 661 #endif 662 } 663
Indexes created Mon Sep 22 13:09:51 GMT 2025