ipsec_netbsd.c revision 1.41
1 /* $NetBSD: ipsec_netbsd.c,v 1.41 2017/07/04 08:09:19 ozaki-r Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.41 2017/07/04 08:09:19 ozaki-r Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/domain.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/sysctl.h> 53 54 #include <net/if.h> 55 #include <net/route.h> 56 #include <net/netisr.h> 57 #include <sys/cpu.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/ip_ecn.h> 65 #include <netinet/ip_icmp.h> 66 67 68 #include <netipsec/ipsec.h> 69 #include <netipsec/ipsec_var.h> 70 #include <netipsec/ipsec_private.h> 71 #include <netipsec/key.h> 72 #include <netipsec/keydb.h> 73 #include <netipsec/key_debug.h> 74 #include <netipsec/ah.h> 75 #include <netipsec/ah_var.h> 76 #include <netipsec/esp.h> 77 #include <netipsec/esp_var.h> 78 #include <netipsec/ipip_var.h> 79 #include <netipsec/ipcomp_var.h> 80 81 #ifdef INET6 82 #include <netipsec/ipsec6.h> 83 #include <netinet6/ip6protosw.h> 84 #include <netinet/icmp6.h> 85 #endif 86 87 #include <netipsec/key.h> 88 89 /* assumes that ip header and ah header are contiguous on mbuf */ 90 void* 91 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 92 { 93 struct ip *ip = v; 94 struct ah *ah; 95 struct icmp *icp; 96 struct secasvar *sav; 97 98 if (sa->sa_family != AF_INET || 99 sa->sa_len != sizeof(struct sockaddr_in)) 100 return NULL; 101 if ((unsigned)cmd >= PRC_NCMDS) 102 return NULL; 103 104 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 105 /* 106 * Check to see if we have a valid SA corresponding to 107 * the address in the ICMP message payload. 108 */ 109 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 110 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 111 IPPROTO_AH, ah->ah_spi, 0, 0); 112 113 if (sav) { 114 if (sav->state == SADB_SASTATE_MATURE || 115 sav->state == SADB_SASTATE_DYING) { 116 117 /* 118 * Now that we've validated that we are actually 119 * communicating with the host indicated in the 120 * ICMP message, locate the ICMP header, 121 * recalculate the new MTU, and create the 122 * corresponding routing entry. 123 */ 124 icp = (struct icmp *)((char *)ip - 125 offsetof(struct icmp, icmp_ip)); 126 icmp_mtudisc(icp, ip->ip_dst); 127 128 } 129 KEY_FREESAV(&sav); 130 } 131 } 132 return NULL; 133 } 134 135 136 137 /* assumes that ip header and esp header are contiguous on mbuf */ 138 void* 139 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 140 { 141 struct ip *ip = v; 142 struct esp *esp; 143 struct icmp *icp; 144 struct secasvar *sav; 145 146 if (sa->sa_family != AF_INET || 147 sa->sa_len != sizeof(struct sockaddr_in)) 148 return NULL; 149 if ((unsigned)cmd >= PRC_NCMDS) 150 return NULL; 151 152 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 153 /* 154 * Check to see if we have a valid SA corresponding to 155 * the address in the ICMP message payload. 156 */ 157 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 158 sav = KEY_ALLOCSA((const union sockaddr_union *)sa, 159 IPPROTO_ESP, esp->esp_spi, 0, 0); 160 161 if (sav) { 162 if (sav->state == SADB_SASTATE_MATURE || 163 sav->state == SADB_SASTATE_DYING) { 164 165 /* 166 * Now that we've validated that we are actually 167 * communicating with the host indicated in the 168 * ICMP message, locate the ICMP header, 169 * recalculate the new MTU, and create the 170 * corresponding routing entry. 171 */ 172 173 icp = (struct icmp *)((char *)ip - 174 offsetof(struct icmp, icmp_ip)); 175 icmp_mtudisc(icp, ip->ip_dst); 176 177 } 178 KEY_FREESAV(&sav); 179 } 180 } 181 return NULL; 182 } 183 184 #ifdef INET6 185 void * 186 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 187 { 188 const struct newah *ahp; 189 struct newah ah; 190 struct secasvar *sav; 191 struct ip6_hdr *ip6; 192 struct mbuf *m; 193 struct ip6ctlparam *ip6cp = NULL; 194 int off; 195 196 if (sa->sa_family != AF_INET6 || 197 sa->sa_len != sizeof(struct sockaddr_in6)) 198 return NULL; 199 if ((unsigned)cmd >= PRC_NCMDS) 200 return NULL; 201 202 /* if the parameter is from icmp6, decode it. */ 203 if (d != NULL) { 204 ip6cp = (struct ip6ctlparam *)d; 205 m = ip6cp->ip6c_m; 206 ip6 = ip6cp->ip6c_ip6; 207 off = ip6cp->ip6c_off; 208 } else { 209 m = NULL; 210 ip6 = NULL; 211 off = 0; 212 } 213 214 if (ip6) { 215 /* 216 * XXX: We assume that when ip6 is non NULL, 217 * M and OFF are valid. 218 */ 219 220 /* check if we can safely examine src and dst ports */ 221 if (m->m_pkthdr.len < off + sizeof(ah)) 222 return NULL; 223 224 if (m->m_len < off + sizeof(ah)) { 225 /* 226 * this should be rare case, 227 * so we compromise on this copy... 228 */ 229 m_copydata(m, off, sizeof(ah), &ah); 230 ahp = &ah; 231 } else 232 ahp = (struct newah *)(mtod(m, char *) + off); 233 234 if (cmd == PRC_MSGSIZE) { 235 int valid = 0; 236 237 /* 238 * Check to see if we have a valid SA corresponding 239 * to the address in the ICMP message payload. 240 */ 241 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 242 IPPROTO_AH, ahp->ah_spi, 0, 0); 243 244 if (sav) { 245 if (sav->state == SADB_SASTATE_MATURE || 246 sav->state == SADB_SASTATE_DYING) 247 valid++; 248 KEY_FREESAV(&sav); 249 } 250 251 /* XXX Further validation? */ 252 253 /* 254 * Depending on the value of "valid" and routing 255 * table size (mtudisc_{hi,lo}wat), we will: 256 * - recalcurate the new MTU and create the 257 * corresponding routing entry, or 258 * - ignore the MTU change notification. 259 */ 260 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid); 261 } 262 263 /* we normally notify single pcb here */ 264 } else { 265 /* we normally notify any pcb here */ 266 } 267 return NULL; 268 } 269 270 271 272 void * 273 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 274 { 275 const struct newesp *espp; 276 struct newesp esp; 277 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 278 struct secasvar *sav; 279 struct ip6_hdr *ip6; 280 struct mbuf *m; 281 int off; 282 283 if (sa->sa_family != AF_INET6 || 284 sa->sa_len != sizeof(struct sockaddr_in6)) 285 return NULL; 286 if ((unsigned)cmd >= PRC_NCMDS) 287 return NULL; 288 289 /* if the parameter is from icmp6, decode it. */ 290 if (d != NULL) { 291 ip6cp = (struct ip6ctlparam *)d; 292 m = ip6cp->ip6c_m; 293 ip6 = ip6cp->ip6c_ip6; 294 off = ip6cp->ip6c_off; 295 } else { 296 m = NULL; 297 ip6 = NULL; 298 off = 0; 299 } 300 301 if (ip6) { 302 /* 303 * Notify the error to all possible sockets via pfctlinput2. 304 * Since the upper layer information (such as protocol type, 305 * source and destination ports) is embedded in the encrypted 306 * data and might have been cut, we can't directly call 307 * an upper layer ctlinput function. However, the pcbnotify 308 * function will consider source and destination addresses 309 * as well as the flow info value, and may be able to find 310 * some PCB that should be notified. 311 * Although pfctlinput2 will call esp6_ctlinput(), there is 312 * no possibility of an infinite loop of function calls, 313 * because we don't pass the inner IPv6 header. 314 */ 315 memset(&ip6cp1, 0, sizeof(ip6cp1)); 316 ip6cp1.ip6c_src = ip6cp->ip6c_src; 317 pfctlinput2(cmd, sa, &ip6cp1); 318 319 /* 320 * Then go to special cases that need ESP header information. 321 * XXX: We assume that when ip6 is non NULL, 322 * M and OFF are valid. 323 */ 324 325 /* check if we can safely examine src and dst ports */ 326 if (m->m_pkthdr.len < off + sizeof(esp)) 327 return NULL; 328 329 if (m->m_len < off + sizeof(esp)) { 330 /* 331 * this should be rare case, 332 * so we compromise on this copy... 333 */ 334 m_copydata(m, off, sizeof(esp), &esp); 335 espp = &esp; 336 } else 337 espp = (struct newesp*)(mtod(m, char *) + off); 338 339 if (cmd == PRC_MSGSIZE) { 340 int valid = 0; 341 342 /* 343 * Check to see if we have a valid SA corresponding to 344 * the address in the ICMP message payload. 345 */ 346 347 sav = KEY_ALLOCSA((const union sockaddr_union*)sa, 348 IPPROTO_ESP, espp->esp_spi, 0, 0); 349 350 if (sav) { 351 if (sav->state == SADB_SASTATE_MATURE || 352 sav->state == SADB_SASTATE_DYING) 353 valid++; 354 KEY_FREESAV(&sav); 355 } 356 357 /* XXX Further validation? */ 358 359 /* 360 * Depending on the value of "valid" and routing table 361 * size (mtudisc_{hi,lo}wat), we will: 362 * - recalcurate the new MTU and create the 363 * corresponding routing entry, or 364 * - ignore the MTU change notification. 365 */ 366 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 367 } 368 } else { 369 /* we normally notify any pcb here */ 370 } 371 return NULL; 372 } 373 #endif /* INET6 */ 374 375 static int 376 sysctl_ipsec(SYSCTLFN_ARGS) 377 { 378 int error, t; 379 struct sysctlnode node; 380 381 node = *rnode; 382 t = *(int*)rnode->sysctl_data; 383 node.sysctl_data = &t; 384 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 385 if (error || newp == NULL) 386 return (error); 387 388 switch (rnode->sysctl_num) { 389 case IPSECCTL_DEF_ESP_TRANSLEV: 390 case IPSECCTL_DEF_ESP_NETLEV: 391 case IPSECCTL_DEF_AH_TRANSLEV: 392 case IPSECCTL_DEF_AH_NETLEV: 393 if (t != IPSEC_LEVEL_USE && 394 t != IPSEC_LEVEL_REQUIRE) 395 return (EINVAL); 396 ipsec_invalpcbcacheall(); 397 break; 398 case IPSECCTL_DEF_POLICY: 399 if (t != IPSEC_POLICY_DISCARD && 400 t != IPSEC_POLICY_NONE) 401 return (EINVAL); 402 ipsec_invalpcbcacheall(); 403 break; 404 default: 405 return (EINVAL); 406 } 407 408 *(int*)rnode->sysctl_data = t; 409 410 return (0); 411 } 412 413 #ifdef IPSEC_DEBUG 414 static int 415 sysctl_ipsec_test(SYSCTLFN_ARGS) 416 { 417 int t, error; 418 struct sysctlnode node; 419 420 node = *rnode; 421 t = *(int*)rnode->sysctl_data; 422 node.sysctl_data = &t; 423 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 424 if (error || newp == NULL) 425 return (error); 426 427 if (t < 0 || t > 1) 428 return EINVAL; 429 430 if (rnode->sysctl_data == &ipsec_replay) 431 printf("ipsec: Anti-Replay service %s\n", 432 (t == 1) ? "deactivated" : "activated"); 433 else if (rnode->sysctl_data == &ipsec_integrity) 434 printf("ipsec: HMAC corruption %s\n", 435 (t == 0) ? "deactivated" : "activated"); 436 437 *(int*)rnode->sysctl_data = t; 438 439 return 0; 440 } 441 #endif 442 443 static int 444 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 445 { 446 447 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 448 } 449 450 static int 451 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 452 { 453 454 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 455 } 456 457 static int 458 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 459 { 460 461 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 462 } 463 464 static int 465 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 466 { 467 468 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 469 } 470 471 static int 472 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 473 { 474 475 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 476 } 477 478 static int 479 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 480 { 481 int newenabled, error; 482 struct sysctlnode node; 483 node = *rnode; 484 node.sysctl_data = &newenabled; 485 486 newenabled = ipsec_enabled; 487 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 488 if (error || newp == NULL) 489 return error; 490 491 switch (newenabled) { 492 case 0: 493 if (key_get_used()) 494 return EBUSY; 495 /*FALLTHROUGH*/ 496 case 1: 497 case 2: 498 ipsec_enabled = newenabled; 499 key_update_used(); 500 return 0; 501 default: 502 return EINVAL; 503 } 504 } 505 506 /* XXX will need a different oid at parent */ 507 void 508 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 509 { 510 const struct sysctlnode *_ipsec; 511 int ipproto_ipsec; 512 513 sysctl_createv(clog, 0, NULL, NULL, 514 CTLFLAG_PERMANENT, 515 CTLTYPE_NODE, "inet", NULL, 516 NULL, 0, NULL, 0, 517 CTL_NET, PF_INET, CTL_EOL); 518 519 /* 520 * in numerical order: 521 * 522 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 523 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 524 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 525 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 526 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 527 * 528 * this creates separate trees by name, but maintains that the 529 * ipsec name leads to all the old leaves. 530 */ 531 532 /* create net.inet.ipip */ 533 sysctl_createv(clog, 0, NULL, NULL, 534 CTLFLAG_PERMANENT, 535 CTLTYPE_NODE, "ipip", NULL, 536 NULL, 0, NULL, 0, 537 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 538 sysctl_createv(clog, 0, NULL, NULL, 539 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 540 CTLTYPE_STRUCT, "ipip_stats", NULL, 541 sysctl_net_inet_ipip_stats, 0, NULL, 0, 542 CTL_NET, PF_INET, IPPROTO_IPIP, 543 CTL_CREATE, CTL_EOL); 544 545 /* create net.inet.esp subtree under IPPROTO_ESP */ 546 sysctl_createv(clog, 0, NULL, NULL, 547 CTLFLAG_PERMANENT, 548 CTLTYPE_NODE, "esp", NULL, 549 NULL, 0, NULL, 0, 550 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 551 sysctl_createv(clog, 0, NULL, NULL, 552 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 553 CTLTYPE_INT, "trans_deflev", NULL, 554 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 555 CTL_NET, PF_INET, IPPROTO_ESP, 556 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 557 sysctl_createv(clog, 0, NULL, NULL, 558 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 559 CTLTYPE_INT, "net_deflev", NULL, 560 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 561 CTL_NET, PF_INET, IPPROTO_ESP, 562 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 563 sysctl_createv(clog, 0, NULL, NULL, 564 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 565 CTLTYPE_STRUCT, "esp_stats", NULL, 566 sysctl_net_inet_esp_stats, 0, NULL, 0, 567 CTL_NET, PF_INET, IPPROTO_ESP, 568 CTL_CREATE, CTL_EOL); 569 570 /* create net.inet.ah subtree under IPPROTO_AH */ 571 sysctl_createv(clog, 0, NULL, NULL, 572 CTLFLAG_PERMANENT, 573 CTLTYPE_NODE, "ah", NULL, 574 NULL, 0, NULL, 0, 575 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 576 sysctl_createv(clog, 0, NULL, NULL, 577 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 578 CTLTYPE_INT, "cleartos", NULL, 579 NULL, 0, &ip4_ah_cleartos, 0, 580 CTL_NET, PF_INET, IPPROTO_AH, 581 IPSECCTL_AH_CLEARTOS, CTL_EOL); 582 sysctl_createv(clog, 0, NULL, NULL, 583 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 584 CTLTYPE_INT, "offsetmask", NULL, 585 NULL, 0, &ip4_ah_offsetmask, 0, 586 CTL_NET, PF_INET, IPPROTO_AH, 587 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 588 sysctl_createv(clog, 0, NULL, NULL, 589 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 590 CTLTYPE_INT, "trans_deflev", NULL, 591 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 592 CTL_NET, PF_INET, IPPROTO_AH, 593 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 594 sysctl_createv(clog, 0, NULL, NULL, 595 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 596 CTLTYPE_INT, "net_deflev", NULL, 597 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 598 CTL_NET, PF_INET, IPPROTO_AH, 599 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 600 sysctl_createv(clog, 0, NULL, NULL, 601 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 602 CTLTYPE_STRUCT, "ah_stats", NULL, 603 sysctl_net_inet_ah_stats, 0, NULL, 0, 604 CTL_NET, PF_INET, IPPROTO_AH, 605 CTL_CREATE, CTL_EOL); 606 607 /* create net.inet.ipcomp */ 608 sysctl_createv(clog, 0, NULL, NULL, 609 CTLFLAG_PERMANENT, 610 CTLTYPE_NODE, "ipcomp", NULL, 611 NULL, 0, NULL, 0, 612 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 613 sysctl_createv(clog, 0, NULL, NULL, 614 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 615 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 616 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 617 CTL_NET, PF_INET, IPPROTO_IPCOMP, 618 CTL_CREATE, CTL_EOL); 619 620 /* create net.inet.ipsec subtree under dynamic oid */ 621 sysctl_createv(clog, 0, NULL, &_ipsec, 622 CTLFLAG_PERMANENT, 623 CTLTYPE_NODE, "ipsec", NULL, 624 NULL, 0, NULL, 0, 625 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 626 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 627 628 sysctl_createv(clog, 0, NULL, NULL, 629 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 630 CTLTYPE_INT, "def_policy", NULL, 631 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 632 CTL_NET, PF_INET, ipproto_ipsec, 633 IPSECCTL_DEF_POLICY, CTL_EOL); 634 sysctl_createv(clog, 0, NULL, NULL, 635 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 636 CTLTYPE_INT, "esp_trans_deflev", NULL, 637 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 638 CTL_NET, PF_INET, ipproto_ipsec, 639 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 640 sysctl_createv(clog, 0, NULL, NULL, 641 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 642 CTLTYPE_INT, "esp_net_deflev", NULL, 643 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 644 CTL_NET, PF_INET, ipproto_ipsec, 645 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 646 sysctl_createv(clog, 0, NULL, NULL, 647 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 648 CTLTYPE_INT, "ah_trans_deflev", NULL, 649 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 650 CTL_NET, PF_INET, ipproto_ipsec, 651 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 652 sysctl_createv(clog, 0, NULL, NULL, 653 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 654 CTLTYPE_INT, "ah_net_deflev", NULL, 655 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 656 CTL_NET, PF_INET, ipproto_ipsec, 657 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 658 sysctl_createv(clog, 0, NULL, NULL, 659 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 660 CTLTYPE_INT, "ah_cleartos", NULL, 661 NULL, 0, &ip4_ah_cleartos, 0, 662 CTL_NET, PF_INET, ipproto_ipsec, 663 IPSECCTL_AH_CLEARTOS, CTL_EOL); 664 sysctl_createv(clog, 0, NULL, NULL, 665 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 666 CTLTYPE_INT, "ah_offsetmask", NULL, 667 NULL, 0, &ip4_ah_offsetmask, 0, 668 CTL_NET, PF_INET, ipproto_ipsec, 669 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 670 sysctl_createv(clog, 0, NULL, NULL, 671 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 672 CTLTYPE_INT, "dfbit", NULL, 673 NULL, 0, &ip4_ipsec_dfbit, 0, 674 CTL_NET, PF_INET, ipproto_ipsec, 675 IPSECCTL_DFBIT, CTL_EOL); 676 sysctl_createv(clog, 0, NULL, NULL, 677 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 678 CTLTYPE_INT, "ecn", NULL, 679 NULL, 0, &ip4_ipsec_ecn, 0, 680 CTL_NET, PF_INET, ipproto_ipsec, 681 IPSECCTL_ECN, CTL_EOL); 682 sysctl_createv(clog, 0, NULL, NULL, 683 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 684 CTLTYPE_INT, "debug", NULL, 685 NULL, 0, &ipsec_debug, 0, 686 CTL_NET, PF_INET, ipproto_ipsec, 687 IPSECCTL_DEBUG, CTL_EOL); 688 sysctl_createv(clog, 0, NULL, NULL, 689 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 690 CTLTYPE_STRUCT, "ipsecstats", NULL, 691 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 692 CTL_NET, PF_INET, ipproto_ipsec, 693 CTL_CREATE, CTL_EOL); 694 sysctl_createv(clog, 0, NULL, NULL, 695 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 696 CTLTYPE_INT, "enabled", 697 SYSCTL_DESCR("Enable IPSec processing"), 698 sysctl_net_ipsec_enabled, 0, NULL, 0, 699 CTL_NET, PF_INET, ipproto_ipsec, 700 CTL_CREATE, CTL_EOL); 701 sysctl_createv(clog, 0, NULL, NULL, 702 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 703 CTLTYPE_INT, "used", 704 SYSCTL_DESCR("Is IPSec active?"), 705 NULL, 0, &ipsec_used, 0, 706 CTL_NET, PF_INET, ipproto_ipsec, 707 CTL_CREATE, CTL_EOL); 708 sysctl_createv(clog, 0, NULL, NULL, 709 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 710 CTLTYPE_INT, "crypto_support", NULL, 711 NULL, 0, &crypto_support, 0, 712 CTL_NET, PF_INET, ipproto_ipsec, 713 CTL_CREATE, CTL_EOL); 714 #ifdef IPSEC_DEBUG 715 sysctl_createv(clog, 0, NULL, NULL, 716 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 717 CTLTYPE_INT, "test_replay", 718 SYSCTL_DESCR("Emulate replay attack"), 719 sysctl_ipsec_test, 0, &ipsec_replay, 0, 720 CTL_NET, PF_INET, ipproto_ipsec, 721 CTL_CREATE, CTL_EOL); 722 sysctl_createv(clog, 0, NULL, NULL, 723 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 724 CTLTYPE_INT, "test_integrity", 725 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 726 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 727 CTL_NET, PF_INET, ipproto_ipsec, 728 CTL_CREATE, CTL_EOL); 729 #endif 730 } 731 732 #ifdef INET6 733 void 734 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 735 { 736 737 sysctl_createv(clog, 0, NULL, NULL, 738 CTLFLAG_PERMANENT, 739 CTLTYPE_NODE, "inet6", NULL, 740 NULL, 0, NULL, 0, 741 CTL_NET, PF_INET6, CTL_EOL); 742 sysctl_createv(clog, 0, NULL, NULL, 743 CTLFLAG_PERMANENT, 744 CTLTYPE_NODE, "ipsec6", 745 SYSCTL_DESCR("IPv6 related IPSec settings"), 746 NULL, 0, NULL, 0, 747 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 748 749 sysctl_createv(clog, 0, NULL, NULL, 750 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 751 CTLTYPE_STRUCT, "stats", 752 SYSCTL_DESCR("IPSec statistics and counters"), 753 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 754 CTL_NET, PF_INET6, IPPROTO_AH, 755 IPSECCTL_STATS, CTL_EOL); 756 sysctl_createv(clog, 0, NULL, NULL, 757 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 758 CTLTYPE_INT, "def_policy", 759 SYSCTL_DESCR("Default action for non-IPSec packets"), 760 sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, 761 CTL_NET, PF_INET6, IPPROTO_AH, 762 IPSECCTL_DEF_POLICY, CTL_EOL); 763 sysctl_createv(clog, 0, NULL, NULL, 764 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 765 CTLTYPE_INT, "esp_trans_deflev", 766 SYSCTL_DESCR("Default required security level for " 767 "transport mode traffic"), 768 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 769 CTL_NET, PF_INET6, IPPROTO_AH, 770 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 771 sysctl_createv(clog, 0, NULL, NULL, 772 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 773 CTLTYPE_INT, "esp_net_deflev", 774 SYSCTL_DESCR("Default required security level for " 775 "tunneled traffic"), 776 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 777 CTL_NET, PF_INET6, IPPROTO_AH, 778 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 779 sysctl_createv(clog, 0, NULL, NULL, 780 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 781 CTLTYPE_INT, "ah_trans_deflev", 782 SYSCTL_DESCR("Default required security level for " 783 "transport mode headers"), 784 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 785 CTL_NET, PF_INET6, IPPROTO_AH, 786 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 787 sysctl_createv(clog, 0, NULL, NULL, 788 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 789 CTLTYPE_INT, "ah_net_deflev", 790 SYSCTL_DESCR("Default required security level for " 791 "tunneled headers"), 792 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 793 CTL_NET, PF_INET6, IPPROTO_AH, 794 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 795 sysctl_createv(clog, 0, NULL, NULL, 796 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 797 CTLTYPE_INT, "ecn", 798 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 799 NULL, 0, &ip6_ipsec_ecn, 0, 800 CTL_NET, PF_INET6, IPPROTO_AH, 801 IPSECCTL_ECN, CTL_EOL); 802 sysctl_createv(clog, 0, NULL, NULL, 803 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 804 CTLTYPE_INT, "debug", 805 SYSCTL_DESCR("Enable IPSec debugging output"), 806 NULL, 0, &ipsec_debug, 0, 807 CTL_NET, PF_INET6, IPPROTO_AH, 808 IPSECCTL_DEBUG, CTL_EOL); 809 sysctl_createv(clog, 0, NULL, NULL, 810 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 811 CTLTYPE_INT, "enabled", 812 SYSCTL_DESCR("Enable IPSec processing"), 813 sysctl_net_ipsec_enabled, 0, NULL, 0, 814 CTL_NET, PF_INET6, IPPROTO_AH, 815 CTL_CREATE, CTL_EOL); 816 sysctl_createv(clog, 0, NULL, NULL, 817 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 818 CTLTYPE_INT, "used", 819 SYSCTL_DESCR("Is IPSec active?"), 820 NULL, 0, &ipsec_used, 0, 821 CTL_NET, PF_INET6, IPPROTO_AH, 822 CTL_CREATE, CTL_EOL); 823 /* 824 * "aliases" for the ipsec6 subtree 825 */ 826 sysctl_createv(clog, 0, NULL, NULL, 827 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 828 CTLTYPE_NODE, "esp6", NULL, 829 NULL, IPPROTO_AH, NULL, 0, 830 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL); 831 sysctl_createv(clog, 0, NULL, NULL, 832 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 833 CTLTYPE_NODE, "ipcomp6", NULL, 834 NULL, IPPROTO_AH, NULL, 0, 835 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL); 836 sysctl_createv(clog, 0, NULL, NULL, 837 CTLFLAG_PERMANENT|CTLFLAG_ALIAS, 838 CTLTYPE_NODE, "ah6", NULL, 839 NULL, IPPROTO_AH, NULL, 0, 840 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL); 841 } 842 #endif /* INET6 */ 843
Indexes created Mon Sep 22 13:09:51 GMT 2025