ipsec_netbsd.c revision 1.50
1 /* $NetBSD: ipsec_netbsd.c,v 1.50 2018/04/18 06:17:44 maxv Exp $ */ 2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ 3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #include <sys/cdefs.h> 35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.50 2018/04/18 06:17:44 maxv Exp $"); 36 37 #if defined(_KERNEL_OPT) 38 #include "opt_inet.h" 39 #include "opt_ipsec.h" 40 #endif 41 42 #include <sys/param.h> 43 #include <sys/systm.h> 44 #include <sys/malloc.h> 45 #include <sys/mbuf.h> 46 #include <sys/domain.h> 47 #include <sys/protosw.h> 48 #include <sys/socket.h> 49 #include <sys/errno.h> 50 #include <sys/time.h> 51 #include <sys/kernel.h> 52 #include <sys/sysctl.h> 53 54 #include <net/if.h> 55 #include <net/route.h> 56 #include <net/netisr.h> 57 #include <sys/cpu.h> 58 59 #include <netinet/in.h> 60 #include <netinet/in_systm.h> 61 #include <netinet/in_var.h> 62 #include <netinet/ip.h> 63 #include <netinet/ip_var.h> 64 #include <netinet/ip_ecn.h> 65 #include <netinet/ip_icmp.h> 66 67 #include <netipsec/ipsec.h> 68 #include <netipsec/ipsec_var.h> 69 #include <netipsec/ipsec_private.h> 70 #include <netipsec/key.h> 71 #include <netipsec/keydb.h> 72 #include <netipsec/key_debug.h> 73 #include <netipsec/ah.h> 74 #include <netipsec/ah_var.h> 75 #include <netipsec/esp.h> 76 #include <netipsec/esp_var.h> 77 #include <netipsec/ipip_var.h> 78 #include <netipsec/ipcomp_var.h> 79 80 #ifdef INET6 81 #include <netipsec/ipsec6.h> 82 #include <netinet6/ip6protosw.h> 83 #include <netinet/icmp6.h> 84 #endif 85 86 #include <netipsec/key.h> 87 88 /* assumes that ip header and ah header are contiguous on mbuf */ 89 void * 90 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 91 { 92 struct ip *ip = v; 93 struct ah *ah; 94 struct icmp *icp; 95 struct secasvar *sav; 96 97 if (sa->sa_family != AF_INET || 98 sa->sa_len != sizeof(struct sockaddr_in)) 99 return NULL; 100 if ((unsigned)cmd >= PRC_NCMDS) 101 return NULL; 102 103 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 104 /* 105 * Check to see if we have a valid SA corresponding to 106 * the address in the ICMP message payload. 107 */ 108 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2)); 109 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 110 IPPROTO_AH, ah->ah_spi, 0, 0); 111 112 if (sav) { 113 if (SADB_SASTATE_USABLE_P(sav)) { 114 /* 115 * Now that we've validated that we are actually 116 * communicating with the host indicated in the 117 * ICMP message, locate the ICMP header, 118 * recalculate the new MTU, and create the 119 * corresponding routing entry. 120 */ 121 icp = (struct icmp *)((char *)ip - 122 offsetof(struct icmp, icmp_ip)); 123 icmp_mtudisc(icp, ip->ip_dst); 124 } 125 KEY_SA_UNREF(&sav); 126 } 127 } 128 return NULL; 129 } 130 131 /* assumes that ip header and esp header are contiguous on mbuf */ 132 void * 133 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v) 134 { 135 struct ip *ip = v; 136 struct esp *esp; 137 struct icmp *icp; 138 struct secasvar *sav; 139 140 if (sa->sa_family != AF_INET || 141 sa->sa_len != sizeof(struct sockaddr_in)) 142 return NULL; 143 if ((unsigned)cmd >= PRC_NCMDS) 144 return NULL; 145 146 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) { 147 /* 148 * Check to see if we have a valid SA corresponding to 149 * the address in the ICMP message payload. 150 */ 151 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2)); 152 sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa, 153 IPPROTO_ESP, esp->esp_spi, 0, 0); 154 155 if (sav) { 156 if (SADB_SASTATE_USABLE_P(sav)) { 157 /* 158 * Now that we've validated that we are actually 159 * communicating with the host indicated in the 160 * ICMP message, locate the ICMP header, 161 * recalculate the new MTU, and create the 162 * corresponding routing entry. 163 */ 164 icp = (struct icmp *)((char *)ip - 165 offsetof(struct icmp, icmp_ip)); 166 icmp_mtudisc(icp, ip->ip_dst); 167 } 168 KEY_SA_UNREF(&sav); 169 } 170 } 171 return NULL; 172 } 173 174 #ifdef INET6 175 void * 176 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 177 { 178 const struct newah *ahp; 179 struct newah ah; 180 struct secasvar *sav; 181 struct ip6_hdr *ip6; 182 struct mbuf *m; 183 struct ip6ctlparam *ip6cp = NULL; 184 int off; 185 186 if (sa->sa_family != AF_INET6 || 187 sa->sa_len != sizeof(struct sockaddr_in6)) 188 return NULL; 189 if ((unsigned)cmd >= PRC_NCMDS) 190 return NULL; 191 192 /* if the parameter is from icmp6, decode it. */ 193 if (d != NULL) { 194 ip6cp = (struct ip6ctlparam *)d; 195 m = ip6cp->ip6c_m; 196 ip6 = ip6cp->ip6c_ip6; 197 off = ip6cp->ip6c_off; 198 } else { 199 m = NULL; 200 ip6 = NULL; 201 off = 0; 202 } 203 204 if (ip6) { 205 /* check if we can safely examine src and dst ports */ 206 if (m->m_pkthdr.len < off + sizeof(ah)) 207 return NULL; 208 209 if (m->m_len < off + sizeof(ah)) { 210 /* 211 * this should be rare case, 212 * so we compromise on this copy... 213 */ 214 m_copydata(m, off, sizeof(ah), &ah); 215 ahp = &ah; 216 } else 217 ahp = (struct newah *)(mtod(m, char *) + off); 218 219 if (cmd == PRC_MSGSIZE) { 220 int valid = 0; 221 222 /* 223 * Check to see if we have a valid SA corresponding 224 * to the address in the ICMP message payload. 225 */ 226 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 227 IPPROTO_AH, ahp->ah_spi, 0, 0); 228 229 if (sav) { 230 if (SADB_SASTATE_USABLE_P(sav)) 231 valid++; 232 KEY_SA_UNREF(&sav); 233 } 234 235 /* XXX Further validation? */ 236 237 /* 238 * Depending on the value of "valid" and routing 239 * table size (mtudisc_{hi,lo}wat), we will: 240 * - recalculate the new MTU and create the 241 * corresponding routing entry, or 242 * - ignore the MTU change notification. 243 */ 244 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 245 } 246 247 /* we normally notify single pcb here */ 248 } else { 249 /* we normally notify any pcb here */ 250 } 251 return NULL; 252 } 253 254 void * 255 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d) 256 { 257 const struct newesp *espp; 258 struct newesp esp; 259 struct ip6ctlparam *ip6cp = NULL, ip6cp1; 260 struct secasvar *sav; 261 struct ip6_hdr *ip6; 262 struct mbuf *m; 263 int off; 264 265 if (sa->sa_family != AF_INET6 || 266 sa->sa_len != sizeof(struct sockaddr_in6)) 267 return NULL; 268 if ((unsigned)cmd >= PRC_NCMDS) 269 return NULL; 270 271 /* if the parameter is from icmp6, decode it. */ 272 if (d != NULL) { 273 ip6cp = (struct ip6ctlparam *)d; 274 m = ip6cp->ip6c_m; 275 ip6 = ip6cp->ip6c_ip6; 276 off = ip6cp->ip6c_off; 277 } else { 278 m = NULL; 279 ip6 = NULL; 280 off = 0; 281 } 282 283 if (ip6) { 284 /* 285 * Notify the error to all possible sockets via pfctlinput2. 286 * Since the upper layer information (such as protocol type, 287 * source and destination ports) is embedded in the encrypted 288 * data and might have been cut, we can't directly call 289 * an upper layer ctlinput function. However, the pcbnotify 290 * function will consider source and destination addresses 291 * as well as the flow info value, and may be able to find 292 * some PCB that should be notified. 293 * Although pfctlinput2 will call esp6_ctlinput(), there is 294 * no possibility of an infinite loop of function calls, 295 * because we don't pass the inner IPv6 header. 296 */ 297 memset(&ip6cp1, 0, sizeof(ip6cp1)); 298 ip6cp1.ip6c_src = ip6cp->ip6c_src; 299 pfctlinput2(cmd, sa, &ip6cp1); 300 301 /* 302 * Then go to special cases that need ESP header information. 303 * XXX: We assume that when ip6 is non NULL, 304 * M and OFF are valid. 305 */ 306 307 /* check if we can safely examine src and dst ports */ 308 if (m->m_pkthdr.len < off + sizeof(esp)) 309 return NULL; 310 311 if (m->m_len < off + sizeof(esp)) { 312 /* 313 * this should be rare case, 314 * so we compromise on this copy... 315 */ 316 m_copydata(m, off, sizeof(esp), &esp); 317 espp = &esp; 318 } else 319 espp = (struct newesp*)(mtod(m, char *) + off); 320 321 if (cmd == PRC_MSGSIZE) { 322 int valid = 0; 323 324 /* 325 * Check to see if we have a valid SA corresponding to 326 * the address in the ICMP message payload. 327 */ 328 329 sav = KEY_LOOKUP_SA((const union sockaddr_union*)sa, 330 IPPROTO_ESP, espp->esp_spi, 0, 0); 331 332 if (sav) { 333 if (SADB_SASTATE_USABLE_P(sav)) 334 valid++; 335 KEY_SA_UNREF(&sav); 336 } 337 338 /* XXX Further validation? */ 339 340 /* 341 * Depending on the value of "valid" and routing table 342 * size (mtudisc_{hi,lo}wat), we will: 343 * - recalcurate the new MTU and create the 344 * corresponding routing entry, or 345 * - ignore the MTU change notification. 346 */ 347 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid); 348 } 349 } else { 350 /* we normally notify any pcb here */ 351 } 352 return NULL; 353 } 354 #endif /* INET6 */ 355 356 static int 357 sysctl_ipsec(SYSCTLFN_ARGS) 358 { 359 int error, t; 360 struct sysctlnode node; 361 362 node = *rnode; 363 t = *(int*)rnode->sysctl_data; 364 node.sysctl_data = &t; 365 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 366 if (error || newp == NULL) 367 return (error); 368 369 switch (rnode->sysctl_num) { 370 case IPSECCTL_DEF_ESP_TRANSLEV: 371 case IPSECCTL_DEF_ESP_NETLEV: 372 case IPSECCTL_DEF_AH_TRANSLEV: 373 case IPSECCTL_DEF_AH_NETLEV: 374 if (t != IPSEC_LEVEL_USE && 375 t != IPSEC_LEVEL_REQUIRE) 376 return (EINVAL); 377 ipsec_invalpcbcacheall(); 378 break; 379 case IPSECCTL_DEF_POLICY: 380 if (t != IPSEC_POLICY_DISCARD && 381 t != IPSEC_POLICY_NONE) 382 return (EINVAL); 383 ipsec_invalpcbcacheall(); 384 break; 385 default: 386 return (EINVAL); 387 } 388 389 *(int*)rnode->sysctl_data = t; 390 391 return (0); 392 } 393 394 #ifdef IPSEC_DEBUG 395 static int 396 sysctl_ipsec_test(SYSCTLFN_ARGS) 397 { 398 int t, error; 399 struct sysctlnode node; 400 401 node = *rnode; 402 t = *(int*)rnode->sysctl_data; 403 node.sysctl_data = &t; 404 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 405 if (error || newp == NULL) 406 return (error); 407 408 if (t < 0 || t > 1) 409 return EINVAL; 410 411 if (rnode->sysctl_data == &ipsec_replay) 412 printf("ipsec: Anti-Replay service %s\n", 413 (t == 1) ? "deactivated" : "activated"); 414 else if (rnode->sysctl_data == &ipsec_integrity) 415 printf("ipsec: HMAC corruption %s\n", 416 (t == 0) ? "deactivated" : "activated"); 417 418 *(int*)rnode->sysctl_data = t; 419 420 return 0; 421 } 422 #endif 423 424 static int 425 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS) 426 { 427 428 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS)); 429 } 430 431 static int 432 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS) 433 { 434 435 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS)); 436 } 437 438 static int 439 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS) 440 { 441 442 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS)); 443 } 444 445 static int 446 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS) 447 { 448 449 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS)); 450 } 451 452 static int 453 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS) 454 { 455 456 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS)); 457 } 458 459 static int 460 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS) 461 { 462 int newenabled, error; 463 struct sysctlnode node; 464 node = *rnode; 465 node.sysctl_data = &newenabled; 466 467 newenabled = ipsec_enabled; 468 error = sysctl_lookup(SYSCTLFN_CALL(&node)); 469 if (error || newp == NULL) 470 return error; 471 472 switch (newenabled) { 473 case 0: 474 if (key_get_used()) 475 return EBUSY; 476 /*FALLTHROUGH*/ 477 case 1: 478 case 2: 479 ipsec_enabled = newenabled; 480 key_update_used(); 481 return 0; 482 default: 483 return EINVAL; 484 } 485 } 486 487 /* XXX will need a different oid at parent */ 488 void 489 sysctl_net_inet_ipsec_setup(struct sysctllog **clog) 490 { 491 const struct sysctlnode *_ipsec; 492 int ipproto_ipsec; 493 494 sysctl_createv(clog, 0, NULL, NULL, 495 CTLFLAG_PERMANENT, 496 CTLTYPE_NODE, "inet", NULL, 497 NULL, 0, NULL, 0, 498 CTL_NET, PF_INET, CTL_EOL); 499 500 /* 501 * in numerical order: 502 * 503 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP 504 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP 505 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH 506 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP 507 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE 508 * 509 * this creates separate trees by name, but maintains that the 510 * ipsec name leads to all the old leaves. 511 */ 512 513 /* create net.inet.ipip */ 514 sysctl_createv(clog, 0, NULL, NULL, 515 CTLFLAG_PERMANENT, 516 CTLTYPE_NODE, "ipip", NULL, 517 NULL, 0, NULL, 0, 518 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); 519 sysctl_createv(clog, 0, NULL, NULL, 520 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 521 CTLTYPE_STRUCT, "ipip_stats", NULL, 522 sysctl_net_inet_ipip_stats, 0, NULL, 0, 523 CTL_NET, PF_INET, IPPROTO_IPIP, 524 CTL_CREATE, CTL_EOL); 525 526 /* create net.inet.esp subtree under IPPROTO_ESP */ 527 sysctl_createv(clog, 0, NULL, NULL, 528 CTLFLAG_PERMANENT, 529 CTLTYPE_NODE, "esp", NULL, 530 NULL, 0, NULL, 0, 531 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); 532 sysctl_createv(clog, 0, NULL, NULL, 533 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 534 CTLTYPE_STRUCT, "esp_stats", NULL, 535 sysctl_net_inet_esp_stats, 0, NULL, 0, 536 CTL_NET, PF_INET, IPPROTO_ESP, 537 CTL_CREATE, CTL_EOL); 538 539 /* create net.inet.ah subtree under IPPROTO_AH */ 540 sysctl_createv(clog, 0, NULL, NULL, 541 CTLFLAG_PERMANENT, 542 CTLTYPE_NODE, "ah", NULL, 543 NULL, 0, NULL, 0, 544 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL); 545 sysctl_createv(clog, 0, NULL, NULL, 546 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 547 CTLTYPE_STRUCT, "ah_stats", NULL, 548 sysctl_net_inet_ah_stats, 0, NULL, 0, 549 CTL_NET, PF_INET, IPPROTO_AH, 550 CTL_CREATE, CTL_EOL); 551 552 /* create net.inet.ipcomp */ 553 sysctl_createv(clog, 0, NULL, NULL, 554 CTLFLAG_PERMANENT, 555 CTLTYPE_NODE, "ipcomp", NULL, 556 NULL, 0, NULL, 0, 557 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); 558 sysctl_createv(clog, 0, NULL, NULL, 559 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 560 CTLTYPE_STRUCT, "ipcomp_stats", NULL, 561 sysctl_net_inet_ipcomp_stats, 0, NULL, 0, 562 CTL_NET, PF_INET, IPPROTO_IPCOMP, 563 CTL_CREATE, CTL_EOL); 564 565 /* create net.inet.ipsec subtree under dynamic oid */ 566 sysctl_createv(clog, 0, NULL, &_ipsec, 567 CTLFLAG_PERMANENT, 568 CTLTYPE_NODE, "ipsec", NULL, 569 NULL, 0, NULL, 0, 570 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); 571 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0; 572 573 sysctl_createv(clog, 0, NULL, NULL, 574 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 575 CTLTYPE_INT, "def_policy", NULL, 576 sysctl_ipsec, 0, &ip4_def_policy.policy, 0, 577 CTL_NET, PF_INET, ipproto_ipsec, 578 IPSECCTL_DEF_POLICY, CTL_EOL); 579 sysctl_createv(clog, 0, NULL, NULL, 580 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 581 CTLTYPE_INT, "esp_trans_deflev", NULL, 582 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0, 583 CTL_NET, PF_INET, ipproto_ipsec, 584 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 585 sysctl_createv(clog, 0, NULL, NULL, 586 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 587 CTLTYPE_INT, "esp_net_deflev", NULL, 588 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0, 589 CTL_NET, PF_INET, ipproto_ipsec, 590 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 591 sysctl_createv(clog, 0, NULL, NULL, 592 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 593 CTLTYPE_INT, "ah_trans_deflev", NULL, 594 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0, 595 CTL_NET, PF_INET, ipproto_ipsec, 596 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 597 sysctl_createv(clog, 0, NULL, NULL, 598 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 599 CTLTYPE_INT, "ah_net_deflev", NULL, 600 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0, 601 CTL_NET, PF_INET, ipproto_ipsec, 602 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 603 sysctl_createv(clog, 0, NULL, NULL, 604 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 605 CTLTYPE_INT, "ah_cleartos", NULL, 606 NULL, 0, &ip4_ah_cleartos, 0, 607 CTL_NET, PF_INET, ipproto_ipsec, 608 IPSECCTL_AH_CLEARTOS, CTL_EOL); 609 sysctl_createv(clog, 0, NULL, NULL, 610 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 611 CTLTYPE_INT, "ah_offsetmask", NULL, 612 NULL, 0, &ip4_ah_offsetmask, 0, 613 CTL_NET, PF_INET, ipproto_ipsec, 614 IPSECCTL_AH_OFFSETMASK, CTL_EOL); 615 sysctl_createv(clog, 0, NULL, NULL, 616 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 617 CTLTYPE_INT, "dfbit", NULL, 618 NULL, 0, &ip4_ipsec_dfbit, 0, 619 CTL_NET, PF_INET, ipproto_ipsec, 620 IPSECCTL_DFBIT, CTL_EOL); 621 sysctl_createv(clog, 0, NULL, NULL, 622 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 623 CTLTYPE_INT, "ecn", NULL, 624 NULL, 0, &ip4_ipsec_ecn, 0, 625 CTL_NET, PF_INET, ipproto_ipsec, 626 IPSECCTL_ECN, CTL_EOL); 627 sysctl_createv(clog, 0, NULL, NULL, 628 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 629 CTLTYPE_INT, "debug", NULL, 630 NULL, 0, &ipsec_debug, 0, 631 CTL_NET, PF_INET, ipproto_ipsec, 632 IPSECCTL_DEBUG, CTL_EOL); 633 sysctl_createv(clog, 0, NULL, NULL, 634 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 635 CTLTYPE_STRUCT, "ipsecstats", NULL, 636 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 637 CTL_NET, PF_INET, ipproto_ipsec, 638 CTL_CREATE, CTL_EOL); 639 sysctl_createv(clog, 0, NULL, NULL, 640 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 641 CTLTYPE_INT, "enabled", 642 SYSCTL_DESCR("Enable IPSec processing"), 643 sysctl_net_ipsec_enabled, 0, NULL, 0, 644 CTL_NET, PF_INET, ipproto_ipsec, 645 CTL_CREATE, CTL_EOL); 646 sysctl_createv(clog, 0, NULL, NULL, 647 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 648 CTLTYPE_INT, "used", 649 SYSCTL_DESCR("Is IPSec active?"), 650 NULL, 0, &ipsec_used, 0, 651 CTL_NET, PF_INET, ipproto_ipsec, 652 CTL_CREATE, CTL_EOL); 653 sysctl_createv(clog, 0, NULL, NULL, 654 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 655 CTLTYPE_INT, "ah_enable", NULL, 656 NULL, 0, &ah_enable, 0, 657 CTL_NET, PF_INET, ipproto_ipsec, 658 CTL_CREATE, CTL_EOL); 659 sysctl_createv(clog, 0, NULL, NULL, 660 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 661 CTLTYPE_INT, "esp_enable", NULL, 662 NULL, 0, &esp_enable, 0, 663 CTL_NET, PF_INET, ipproto_ipsec, 664 CTL_CREATE, CTL_EOL); 665 sysctl_createv(clog, 0, NULL, NULL, 666 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 667 CTLTYPE_INT, "ipcomp_enable", NULL, 668 NULL, 0, &ipcomp_enable, 0, 669 CTL_NET, PF_INET, ipproto_ipsec, 670 CTL_CREATE, CTL_EOL); 671 sysctl_createv(clog, 0, NULL, NULL, 672 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 673 CTLTYPE_INT, "crypto_support", NULL, 674 NULL, 0, &crypto_support, 0, 675 CTL_NET, PF_INET, ipproto_ipsec, 676 CTL_CREATE, CTL_EOL); 677 678 #ifdef IPSEC_DEBUG 679 sysctl_createv(clog, 0, NULL, NULL, 680 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 681 CTLTYPE_INT, "test_replay", 682 SYSCTL_DESCR("Emulate replay attack"), 683 sysctl_ipsec_test, 0, &ipsec_replay, 0, 684 CTL_NET, PF_INET, ipproto_ipsec, 685 CTL_CREATE, CTL_EOL); 686 sysctl_createv(clog, 0, NULL, NULL, 687 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 688 CTLTYPE_INT, "test_integrity", 689 SYSCTL_DESCR("Emulate man-in-the-middle attack"), 690 sysctl_ipsec_test, 0, &ipsec_integrity, 0, 691 CTL_NET, PF_INET, ipproto_ipsec, 692 CTL_CREATE, CTL_EOL); 693 #endif 694 } 695 696 #ifdef INET6 697 void 698 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog) 699 { 700 701 sysctl_createv(clog, 0, NULL, NULL, 702 CTLFLAG_PERMANENT, 703 CTLTYPE_NODE, "inet6", NULL, 704 NULL, 0, NULL, 0, 705 CTL_NET, PF_INET6, CTL_EOL); 706 sysctl_createv(clog, 0, NULL, NULL, 707 CTLFLAG_PERMANENT, 708 CTLTYPE_NODE, "ipsec6", 709 SYSCTL_DESCR("IPv6 related IPSec settings"), 710 NULL, 0, NULL, 0, 711 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL); 712 713 sysctl_createv(clog, 0, NULL, NULL, 714 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 715 CTLTYPE_STRUCT, "stats", 716 SYSCTL_DESCR("IPSec statistics and counters"), 717 sysctl_net_inet_ipsec_stats, 0, NULL, 0, 718 CTL_NET, PF_INET6, IPPROTO_AH, 719 IPSECCTL_STATS, CTL_EOL); 720 sysctl_createv(clog, 0, NULL, NULL, 721 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 722 CTLTYPE_INT, "def_policy", 723 SYSCTL_DESCR("Default action for non-IPSec packets"), 724 sysctl_ipsec, 0, (void *)&ip6_def_policy, 0, 725 CTL_NET, PF_INET6, IPPROTO_AH, 726 IPSECCTL_DEF_POLICY, CTL_EOL); 727 sysctl_createv(clog, 0, NULL, NULL, 728 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 729 CTLTYPE_INT, "esp_trans_deflev", 730 SYSCTL_DESCR("Default required security level for " 731 "transport mode traffic"), 732 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0, 733 CTL_NET, PF_INET6, IPPROTO_AH, 734 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); 735 sysctl_createv(clog, 0, NULL, NULL, 736 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 737 CTLTYPE_INT, "esp_net_deflev", 738 SYSCTL_DESCR("Default required security level for " 739 "tunneled traffic"), 740 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0, 741 CTL_NET, PF_INET6, IPPROTO_AH, 742 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); 743 sysctl_createv(clog, 0, NULL, NULL, 744 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 745 CTLTYPE_INT, "ah_trans_deflev", 746 SYSCTL_DESCR("Default required security level for " 747 "transport mode headers"), 748 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0, 749 CTL_NET, PF_INET6, IPPROTO_AH, 750 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); 751 sysctl_createv(clog, 0, NULL, NULL, 752 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 753 CTLTYPE_INT, "ah_net_deflev", 754 SYSCTL_DESCR("Default required security level for " 755 "tunneled headers"), 756 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0, 757 CTL_NET, PF_INET6, IPPROTO_AH, 758 IPSECCTL_DEF_AH_NETLEV, CTL_EOL); 759 sysctl_createv(clog, 0, NULL, NULL, 760 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 761 CTLTYPE_INT, "ecn", 762 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"), 763 NULL, 0, &ip6_ipsec_ecn, 0, 764 CTL_NET, PF_INET6, IPPROTO_AH, 765 IPSECCTL_ECN, CTL_EOL); 766 sysctl_createv(clog, 0, NULL, NULL, 767 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 768 CTLTYPE_INT, "debug", 769 SYSCTL_DESCR("Enable IPSec debugging output"), 770 NULL, 0, &ipsec_debug, 0, 771 CTL_NET, PF_INET6, IPPROTO_AH, 772 IPSECCTL_DEBUG, CTL_EOL); 773 sysctl_createv(clog, 0, NULL, NULL, 774 CTLFLAG_PERMANENT|CTLFLAG_READWRITE, 775 CTLTYPE_INT, "enabled", 776 SYSCTL_DESCR("Enable IPSec processing"), 777 sysctl_net_ipsec_enabled, 0, NULL, 0, 778 CTL_NET, PF_INET6, IPPROTO_AH, 779 CTL_CREATE, CTL_EOL); 780 sysctl_createv(clog, 0, NULL, NULL, 781 CTLFLAG_PERMANENT|CTLFLAG_READONLY, 782 CTLTYPE_INT, "used", 783 SYSCTL_DESCR("Is IPSec active?"), 784 NULL, 0, &ipsec_used, 0, 785 CTL_NET, PF_INET6, IPPROTO_AH, 786 CTL_CREATE, CTL_EOL); 787 } 788 #endif /* INET6 */ 789
Indexes created Fri Sep 26 08:10:20 GMT 2025