ipsecif.c revision 1.10.2.2
1 1.10.2.2 martin /* $NetBSD: ipsecif.c,v 1.10.2.2 2020/04/08 14:08:58 martin Exp $ */ 2 1.1 knakahar 3 1.1 knakahar /* 4 1.1 knakahar * Copyright (c) 2017 Internet Initiative Japan Inc. 5 1.1 knakahar * All rights reserved. 6 1.1 knakahar * 7 1.1 knakahar * Redistribution and use in source and binary forms, with or without 8 1.1 knakahar * modification, are permitted provided that the following conditions 9 1.1 knakahar * are met: 10 1.1 knakahar * 1. Redistributions of source code must retain the above copyright 11 1.1 knakahar * notice, this list of conditions and the following disclaimer. 12 1.1 knakahar * 2. Redistributions in binary form must reproduce the above copyright 13 1.1 knakahar * notice, this list of conditions and the following disclaimer in the 14 1.1 knakahar * documentation and/or other materials provided with the distribution. 15 1.1 knakahar * 16 1.1 knakahar * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 17 1.1 knakahar * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 18 1.1 knakahar * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 19 1.1 knakahar * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 20 1.1 knakahar * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 21 1.1 knakahar * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 22 1.1 knakahar * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 23 1.1 knakahar * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 24 1.1 knakahar * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 25 1.1 knakahar * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 1.1 knakahar * POSSIBILITY OF SUCH DAMAGE. 27 1.1 knakahar */ 28 1.1 knakahar 29 1.1 knakahar #include <sys/cdefs.h> 30 1.10.2.2 martin __KERNEL_RCSID(0, "$NetBSD: ipsecif.c,v 1.10.2.2 2020/04/08 14:08:58 martin Exp $"); 31 1.1 knakahar 32 1.1 knakahar #ifdef _KERNEL_OPT 33 1.1 knakahar #include "opt_inet.h" 34 1.1 knakahar #include "opt_ipsec.h" 35 1.1 knakahar #endif 36 1.1 knakahar 37 1.1 knakahar #include <sys/param.h> 38 1.1 knakahar #include <sys/systm.h> 39 1.1 knakahar #include <sys/socket.h> 40 1.1 knakahar #include <sys/sockio.h> 41 1.1 knakahar #include <sys/mbuf.h> 42 1.1 knakahar #include <sys/errno.h> 43 1.1 knakahar #include <sys/ioctl.h> 44 1.1 knakahar #include <sys/syslog.h> 45 1.1 knakahar #include <sys/kernel.h> 46 1.1 knakahar 47 1.1 knakahar #include <net/if.h> 48 1.1 knakahar #include <net/route.h> 49 1.1 knakahar 50 1.1 knakahar #include <netinet/in.h> 51 1.1 knakahar #include <netinet/in_systm.h> 52 1.1 knakahar #include <netinet/ip.h> 53 1.1 knakahar #include <netinet/ip_var.h> 54 1.1 knakahar #include <netinet/in_var.h> 55 1.1 knakahar #include <netinet/ip_encap.h> 56 1.1 knakahar #include <netinet/ip_ecn.h> 57 1.1 knakahar #include <netinet/ip_private.h> 58 1.1 knakahar #include <netinet/udp.h> 59 1.1 knakahar 60 1.1 knakahar #ifdef INET6 61 1.1 knakahar #include <netinet/ip6.h> 62 1.1 knakahar #include <netinet6/ip6_var.h> 63 1.1 knakahar #include <netinet6/ip6_private.h> 64 1.1 knakahar #include <netinet6/in6_var.h> 65 1.1 knakahar #include <netinet6/ip6protosw.h> /* for struct ip6ctlparam */ 66 1.1 knakahar #include <netinet/ip_ecn.h> 67 1.1 knakahar #endif 68 1.1 knakahar 69 1.1 knakahar #include <netipsec/key.h> 70 1.1 knakahar #include <netipsec/ipsecif.h> 71 1.1 knakahar 72 1.1 knakahar #include <net/if_ipsec.h> 73 1.1 knakahar 74 1.10.2.1 christos static int ipsecif_set_natt_ports(struct ipsec_variant *, struct mbuf *); 75 1.1 knakahar static void ipsecif4_input(struct mbuf *, int, int, void *); 76 1.1 knakahar static int ipsecif4_output(struct ipsec_variant *, int, struct mbuf *); 77 1.1 knakahar static int ipsecif4_filter4(const struct ip *, struct ipsec_variant *, 78 1.1 knakahar struct ifnet *); 79 1.1 knakahar 80 1.1 knakahar #ifdef INET6 81 1.1 knakahar static int ipsecif6_input(struct mbuf **, int *, int, void *); 82 1.1 knakahar static int ipsecif6_output(struct ipsec_variant *, int, struct mbuf *); 83 1.1 knakahar static int ipsecif6_filter6(const struct ip6_hdr *, struct ipsec_variant *, 84 1.1 knakahar struct ifnet *); 85 1.1 knakahar #endif 86 1.1 knakahar 87 1.1 knakahar static int ip_ipsec_ttl = IPSEC_TTL; 88 1.1 knakahar static int ip_ipsec_copy_tos = 0; 89 1.1 knakahar #ifdef INET6 90 1.1 knakahar static int ip6_ipsec_hlim = IPSEC_HLIM; 91 1.1 knakahar static int ip6_ipsec_pmtu = 0; /* XXX: per interface configuration?? */ 92 1.1 knakahar static int ip6_ipsec_copy_tos = 0; 93 1.1 knakahar #endif 94 1.1 knakahar 95 1.9 maxv static const struct encapsw ipsecif4_encapsw = { 96 1.1 knakahar .encapsw4 = { 97 1.1 knakahar .pr_input = ipsecif4_input, 98 1.1 knakahar .pr_ctlinput = NULL, 99 1.1 knakahar } 100 1.1 knakahar }; 101 1.1 knakahar 102 1.1 knakahar #ifdef INET6 103 1.1 knakahar static const struct encapsw ipsecif6_encapsw; 104 1.1 knakahar #endif 105 1.1 knakahar 106 1.10.2.1 christos static int 107 1.10.2.1 christos ipsecif_set_natt_ports(struct ipsec_variant *var, struct mbuf *m) 108 1.10.2.1 christos { 109 1.10.2.1 christos 110 1.10.2.1 christos KASSERT(if_ipsec_heldref_variant(var)); 111 1.10.2.1 christos 112 1.10.2.1 christos if (var->iv_sport || var->iv_dport) { 113 1.10.2.1 christos struct m_tag *mtag; 114 1.10.2.1 christos 115 1.10.2.1 christos mtag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS, 116 1.10.2.1 christos sizeof(uint16_t) + sizeof(uint16_t), M_DONTWAIT); 117 1.10.2.1 christos if (mtag) { 118 1.10.2.1 christos uint16_t *natt_port; 119 1.10.2.1 christos 120 1.10.2.1 christos natt_port = (uint16_t *)(mtag + 1); 121 1.10.2.1 christos natt_port[0] = var->iv_dport; 122 1.10.2.1 christos natt_port[1] = var->iv_sport; 123 1.10.2.1 christos m_tag_prepend(m, mtag); 124 1.10.2.1 christos } else { 125 1.10.2.1 christos return ENOBUFS; 126 1.10.2.1 christos } 127 1.10.2.1 christos } 128 1.10.2.1 christos 129 1.10.2.1 christos return 0; 130 1.10.2.1 christos } 131 1.10.2.1 christos 132 1.1 knakahar static struct mbuf * 133 1.1 knakahar ipsecif4_prepend_hdr(struct ipsec_variant *var, struct mbuf *m, 134 1.1 knakahar uint8_t proto, uint8_t tos) 135 1.1 knakahar { 136 1.1 knakahar struct ip *ip; 137 1.1 knakahar struct sockaddr_in *src, *dst; 138 1.1 knakahar 139 1.1 knakahar src = satosin(var->iv_psrc); 140 1.1 knakahar dst = satosin(var->iv_pdst); 141 1.1 knakahar 142 1.1 knakahar if (in_nullhost(src->sin_addr) || in_nullhost(src->sin_addr) || 143 1.1 knakahar src->sin_addr.s_addr == INADDR_BROADCAST || 144 1.1 knakahar dst->sin_addr.s_addr == INADDR_BROADCAST) { 145 1.1 knakahar m_freem(m); 146 1.1 knakahar return NULL; 147 1.1 knakahar } 148 1.1 knakahar m->m_flags &= ~M_BCAST; 149 1.1 knakahar 150 1.1 knakahar if (IN_MULTICAST(src->sin_addr.s_addr) || 151 1.2 maxv IN_MULTICAST(dst->sin_addr.s_addr)) { 152 1.1 knakahar m_freem(m); 153 1.1 knakahar return NULL; 154 1.1 knakahar } 155 1.1 knakahar 156 1.1 knakahar M_PREPEND(m, sizeof(struct ip), M_DONTWAIT); 157 1.1 knakahar if (m && M_UNWRITABLE(m, sizeof(struct ip))) 158 1.1 knakahar m = m_pullup(m, sizeof(struct ip)); 159 1.1 knakahar if (m == NULL) 160 1.1 knakahar return NULL; 161 1.1 knakahar 162 1.1 knakahar ip = mtod(m, struct ip *); 163 1.1 knakahar ip->ip_v = IPVERSION; 164 1.1 knakahar ip->ip_off = htons(0); 165 1.6 knakahar if (m->m_pkthdr.len < IP_MINFRAGSIZE) 166 1.6 knakahar ip->ip_id = 0; 167 1.6 knakahar else 168 1.6 knakahar ip->ip_id = ip_newid(NULL); 169 1.1 knakahar ip->ip_hl = sizeof(*ip) >> 2; 170 1.1 knakahar if (ip_ipsec_copy_tos) 171 1.1 knakahar ip->ip_tos = tos; 172 1.1 knakahar else 173 1.1 knakahar ip->ip_tos = 0; 174 1.1 knakahar ip->ip_sum = 0; 175 1.1 knakahar ip->ip_src = src->sin_addr; 176 1.1 knakahar ip->ip_dst = dst->sin_addr; 177 1.1 knakahar ip->ip_p = proto; 178 1.1 knakahar ip->ip_ttl = ip_ipsec_ttl; 179 1.1 knakahar ip->ip_len = htons(m->m_pkthdr.len); 180 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 181 1.1 knakahar struct ifnet *ifp = &var->iv_softc->ipsec_if; 182 1.1 knakahar if (ifp->if_flags & IFF_ECN) 183 1.1 knakahar ip_ecn_ingress(ECN_ALLOWED, &ip->ip_tos, &tos); 184 1.1 knakahar else 185 1.1 knakahar ip_ecn_ingress(ECN_NOCARE, &ip->ip_tos, &tos); 186 1.1 knakahar #endif 187 1.1 knakahar 188 1.1 knakahar return m; 189 1.1 knakahar } 190 1.1 knakahar 191 1.1 knakahar static int 192 1.1 knakahar ipsecif4_needfrag(struct mbuf *m, struct ipsecrequest *isr) 193 1.1 knakahar { 194 1.1 knakahar struct ip ip0; 195 1.1 knakahar struct ip *ip; 196 1.1 knakahar int mtu; 197 1.1 knakahar struct secasvar *sav; 198 1.1 knakahar 199 1.1 knakahar sav = key_lookup_sa_bysaidx(&isr->saidx); 200 1.1 knakahar if (sav == NULL) 201 1.1 knakahar return 0; 202 1.1 knakahar 203 1.10 maxv if (!(sav->natt_type & UDP_ENCAP_ESPINUDP)) { 204 1.1 knakahar mtu = 0; 205 1.1 knakahar goto out; 206 1.1 knakahar } 207 1.1 knakahar 208 1.1 knakahar if (m->m_len < sizeof(struct ip)) { 209 1.1 knakahar m_copydata(m, 0, sizeof(ip0), &ip0); 210 1.1 knakahar ip = &ip0; 211 1.1 knakahar } else { 212 1.1 knakahar ip = mtod(m, struct ip *); 213 1.1 knakahar } 214 1.1 knakahar mtu = sav->esp_frag; 215 1.1 knakahar if (ntohs(ip->ip_len) <= mtu) 216 1.1 knakahar mtu = 0; 217 1.1 knakahar 218 1.1 knakahar out: 219 1.1 knakahar KEY_SA_UNREF(&sav); 220 1.1 knakahar return mtu; 221 1.1 knakahar } 222 1.1 knakahar 223 1.1 knakahar static struct mbuf * 224 1.1 knakahar ipsecif4_flowinfo(struct mbuf *m, int family, int *proto0, u_int8_t *tos0) 225 1.1 knakahar { 226 1.1 knakahar const struct ip *ip; 227 1.1 knakahar int proto; 228 1.1 knakahar int tos; 229 1.1 knakahar 230 1.1 knakahar KASSERT(proto0 != NULL); 231 1.1 knakahar KASSERT(tos0 != NULL); 232 1.1 knakahar 233 1.1 knakahar switch (family) { 234 1.1 knakahar case AF_INET: 235 1.1 knakahar proto = IPPROTO_IPV4; 236 1.1 knakahar if (m->m_len < sizeof(*ip)) { 237 1.1 knakahar m = m_pullup(m, sizeof(*ip)); 238 1.2 maxv if (m == NULL) { 239 1.1 knakahar *tos0 = 0; 240 1.1 knakahar *proto0 = 0; 241 1.2 maxv return NULL; 242 1.1 knakahar } 243 1.1 knakahar } 244 1.1 knakahar ip = mtod(m, const struct ip *); 245 1.1 knakahar tos = ip->ip_tos; 246 1.1 knakahar /* TODO: support ALTQ for innner packet */ 247 1.1 knakahar break; 248 1.1 knakahar #ifdef INET6 249 1.1 knakahar case AF_INET6: { 250 1.1 knakahar const struct ip6_hdr *ip6; 251 1.1 knakahar proto = IPPROTO_IPV6; 252 1.1 knakahar if (m->m_len < sizeof(*ip6)) { 253 1.1 knakahar m = m_pullup(m, sizeof(*ip6)); 254 1.2 maxv if (m == NULL) { 255 1.1 knakahar *tos0 = 0; 256 1.1 knakahar *proto0 = 0; 257 1.1 knakahar return NULL; 258 1.1 knakahar } 259 1.1 knakahar } 260 1.1 knakahar ip6 = mtod(m, const struct ip6_hdr *); 261 1.1 knakahar tos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 262 1.1 knakahar /* TODO: support ALTQ for innner packet */ 263 1.1 knakahar break; 264 1.1 knakahar } 265 1.1 knakahar #endif /* INET6 */ 266 1.1 knakahar default: 267 1.1 knakahar *tos0 = 0; 268 1.1 knakahar *proto0 = 0; 269 1.1 knakahar return NULL; 270 1.1 knakahar } 271 1.1 knakahar 272 1.1 knakahar *proto0 = proto; 273 1.1 knakahar *tos0 = tos; 274 1.1 knakahar return m; 275 1.1 knakahar } 276 1.1 knakahar 277 1.1 knakahar static int 278 1.1 knakahar ipsecif4_fragout(struct ipsec_variant *var, int family, struct mbuf *m, int mtu) 279 1.1 knakahar { 280 1.1 knakahar struct ifnet *ifp = &var->iv_softc->ipsec_if; 281 1.1 knakahar struct mbuf *next; 282 1.1 knakahar struct m_tag *mtag; 283 1.1 knakahar int error; 284 1.1 knakahar 285 1.1 knakahar KASSERT(if_ipsec_heldref_variant(var)); 286 1.1 knakahar 287 1.10.2.1 christos mtag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS); 288 1.1 knakahar if (mtag) 289 1.1 knakahar m_tag_delete(m, mtag); 290 1.1 knakahar 291 1.4 knakahar /* consider new IP header prepended in ipsecif4_output() */ 292 1.4 knakahar if (mtu <= sizeof(struct ip)) { 293 1.4 knakahar m_freem(m); 294 1.4 knakahar return ENETUNREACH; 295 1.4 knakahar } 296 1.4 knakahar m->m_pkthdr.csum_flags |= M_CSUM_IPv4; 297 1.4 knakahar error = ip_fragment(m, ifp, mtu - sizeof(struct ip)); 298 1.1 knakahar if (error) 299 1.1 knakahar return error; 300 1.1 knakahar 301 1.1 knakahar for (error = 0; m; m = next) { 302 1.1 knakahar next = m->m_nextpkt; 303 1.3 knakahar m->m_nextpkt = NULL; 304 1.1 knakahar if (error) { 305 1.1 knakahar m_freem(m); 306 1.1 knakahar continue; 307 1.1 knakahar } 308 1.1 knakahar 309 1.1 knakahar error = ipsecif4_output(var, family, m); 310 1.1 knakahar } 311 1.1 knakahar if (error == 0) 312 1.1 knakahar IP_STATINC(IP_STAT_FRAGMENTED); 313 1.1 knakahar 314 1.1 knakahar return error; 315 1.1 knakahar } 316 1.1 knakahar 317 1.1 knakahar int 318 1.1 knakahar ipsecif4_encap_func(struct mbuf *m, struct ip *ip, struct ipsec_variant *var) 319 1.1 knakahar { 320 1.1 knakahar struct m_tag *mtag; 321 1.1 knakahar struct sockaddr_in *src, *dst; 322 1.1 knakahar u_int16_t src_port = 0; 323 1.1 knakahar u_int16_t dst_port = 0; 324 1.1 knakahar 325 1.1 knakahar KASSERT(var != NULL); 326 1.1 knakahar 327 1.1 knakahar src = satosin(var->iv_psrc); 328 1.1 knakahar dst = satosin(var->iv_pdst); 329 1.10.2.1 christos mtag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS); 330 1.1 knakahar if (mtag) { 331 1.1 knakahar u_int16_t *ports; 332 1.1 knakahar 333 1.1 knakahar ports = (u_int16_t *)(mtag + 1); 334 1.1 knakahar src_port = ports[0]; 335 1.1 knakahar dst_port = ports[1]; 336 1.1 knakahar } 337 1.1 knakahar 338 1.1 knakahar /* address match */ 339 1.1 knakahar if (src->sin_addr.s_addr != ip->ip_dst.s_addr || 340 1.1 knakahar dst->sin_addr.s_addr != ip->ip_src.s_addr) 341 1.1 knakahar return 0; 342 1.1 knakahar 343 1.1 knakahar /* UDP encap? */ 344 1.1 knakahar if (mtag == NULL && var->iv_sport == 0 && var->iv_dport == 0) 345 1.1 knakahar goto match; 346 1.1 knakahar 347 1.1 knakahar /* port match */ 348 1.1 knakahar if (src_port != var->iv_dport || 349 1.1 knakahar dst_port != var->iv_sport) { 350 1.1 knakahar #ifdef DEBUG 351 1.1 knakahar printf("%s: port mismatch: pkt(%u, %u), if(%u, %u)\n", 352 1.1 knakahar __func__, ntohs(src_port), ntohs(dst_port), 353 1.1 knakahar ntohs(var->iv_sport), ntohs(var->iv_dport)); 354 1.1 knakahar #endif 355 1.1 knakahar return 0; 356 1.1 knakahar } 357 1.1 knakahar 358 1.1 knakahar match: 359 1.1 knakahar /* 360 1.1 knakahar * hide NAT-T information from encapsulated traffics. 361 1.1 knakahar * they don't know about IPsec. 362 1.1 knakahar */ 363 1.1 knakahar if (mtag) 364 1.1 knakahar m_tag_delete(m, mtag); 365 1.1 knakahar return sizeof(src->sin_addr) + sizeof(dst->sin_addr); 366 1.1 knakahar } 367 1.1 knakahar 368 1.1 knakahar static int 369 1.1 knakahar ipsecif4_output(struct ipsec_variant *var, int family, struct mbuf *m) 370 1.1 knakahar { 371 1.1 knakahar struct secpolicy *sp = NULL; 372 1.1 knakahar u_int8_t tos; 373 1.1 knakahar int proto; 374 1.1 knakahar int error; 375 1.1 knakahar int mtu; 376 1.1 knakahar u_long sa_mtu = 0; 377 1.1 knakahar 378 1.1 knakahar KASSERT(if_ipsec_heldref_variant(var)); 379 1.1 knakahar KASSERT(if_ipsec_variant_is_configured(var)); 380 1.1 knakahar KASSERT(var->iv_psrc->sa_family == AF_INET); 381 1.1 knakahar KASSERT(var->iv_pdst->sa_family == AF_INET); 382 1.1 knakahar 383 1.10.2.2 martin switch (family) { 384 1.10.2.2 martin case AF_INET: 385 1.10.2.2 martin sp = IV_SP_OUT(var); 386 1.10.2.2 martin break; 387 1.10.2.2 martin case AF_INET6: 388 1.10.2.2 martin sp = IV_SP_OUT6(var); 389 1.10.2.2 martin break; 390 1.10.2.2 martin default: 391 1.10.2.2 martin m_freem(m); 392 1.10.2.2 martin return EAFNOSUPPORT; 393 1.10.2.2 martin } 394 1.1 knakahar KASSERT(sp != NULL); 395 1.1 knakahar /* 396 1.1 knakahar * The SPs in ipsec_variant are prevented from freed by 397 1.1 knakahar * ipsec_variant->iv_psref. So, KEY_SP_REF() is unnecessary here. 398 1.1 knakahar */ 399 1.1 knakahar 400 1.1 knakahar KASSERT(sp->policy != IPSEC_POLICY_NONE); 401 1.1 knakahar KASSERT(sp->policy != IPSEC_POLICY_ENTRUST); 402 1.1 knakahar KASSERT(sp->policy != IPSEC_POLICY_BYPASS); 403 1.2 maxv if (sp->policy != IPSEC_POLICY_IPSEC) { 404 1.1 knakahar m_freem(m); 405 1.10.2.1 christos error = ENETUNREACH; 406 1.10.2.1 christos goto done; 407 1.1 knakahar } 408 1.1 knakahar 409 1.1 knakahar /* get flowinfo */ 410 1.1 knakahar m = ipsecif4_flowinfo(m, family, &proto, &tos); 411 1.1 knakahar if (m == NULL) { 412 1.1 knakahar error = ENETUNREACH; 413 1.1 knakahar goto done; 414 1.1 knakahar } 415 1.1 knakahar 416 1.1 knakahar /* prepend new IP header */ 417 1.1 knakahar m = ipsecif4_prepend_hdr(var, m, proto, tos); 418 1.1 knakahar if (m == NULL) { 419 1.1 knakahar error = ENETUNREACH; 420 1.1 knakahar goto done; 421 1.1 knakahar } 422 1.1 knakahar 423 1.1 knakahar /* 424 1.1 knakahar * Normal netipsec's NAT-T fragmentation is done in ip_output(). 425 1.1 knakahar * See "natt_frag" processing. 426 1.1 knakahar * However, ipsec(4) interface's one is not done in the same way, 427 1.1 knakahar * so we must do NAT-T fragmentation by own code. 428 1.1 knakahar */ 429 1.1 knakahar /* NAT-T ESP fragmentation */ 430 1.1 knakahar mtu = ipsecif4_needfrag(m, sp->req); 431 1.1 knakahar if (mtu > 0) 432 1.1 knakahar return ipsecif4_fragout(var, family, m, mtu); 433 1.1 knakahar 434 1.10.2.1 christos /* set NAT-T ports */ 435 1.10.2.1 christos error = ipsecif_set_natt_ports(var, m); 436 1.10.2.1 christos if (error) { 437 1.10.2.1 christos m_freem(m); 438 1.10.2.1 christos goto done; 439 1.10.2.1 christos } 440 1.10.2.1 christos 441 1.1 knakahar /* IPsec output */ 442 1.1 knakahar IP_STATINC(IP_STAT_LOCALOUT); 443 1.1 knakahar error = ipsec4_process_packet(m, sp->req, &sa_mtu); 444 1.1 knakahar if (error == ENOENT) 445 1.1 knakahar error = 0; 446 1.1 knakahar /* 447 1.1 knakahar * frangmentation is already done in ipsecif4_fragout(), 448 1.1 knakahar * so ipsec4_process_packet() must not do fragmentation here. 449 1.1 knakahar */ 450 1.4 knakahar KASSERT(sa_mtu == 0); 451 1.1 knakahar 452 1.1 knakahar done: 453 1.1 knakahar return error; 454 1.1 knakahar } 455 1.1 knakahar 456 1.1 knakahar #ifdef INET6 457 1.7 knakahar int 458 1.7 knakahar ipsecif6_encap_func(struct mbuf *m, struct ip6_hdr *ip6, struct ipsec_variant *var) 459 1.7 knakahar { 460 1.7 knakahar struct m_tag *mtag; 461 1.7 knakahar struct sockaddr_in6 *src, *dst; 462 1.7 knakahar u_int16_t src_port = 0; 463 1.7 knakahar u_int16_t dst_port = 0; 464 1.7 knakahar 465 1.7 knakahar KASSERT(var != NULL); 466 1.7 knakahar 467 1.7 knakahar src = satosin6(var->iv_psrc); 468 1.7 knakahar dst = satosin6(var->iv_pdst); 469 1.10.2.1 christos mtag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS); 470 1.7 knakahar if (mtag) { 471 1.7 knakahar u_int16_t *ports; 472 1.7 knakahar 473 1.7 knakahar ports = (u_int16_t *)(mtag + 1); 474 1.7 knakahar src_port = ports[0]; 475 1.7 knakahar dst_port = ports[1]; 476 1.7 knakahar } 477 1.7 knakahar 478 1.7 knakahar /* address match */ 479 1.7 knakahar if (!IN6_ARE_ADDR_EQUAL(&src->sin6_addr, &ip6->ip6_dst) || 480 1.7 knakahar !IN6_ARE_ADDR_EQUAL(&dst->sin6_addr, &ip6->ip6_src)) 481 1.7 knakahar return 0; 482 1.7 knakahar 483 1.7 knakahar /* UDP encap? */ 484 1.7 knakahar if (mtag == NULL && var->iv_sport == 0 && var->iv_dport == 0) 485 1.7 knakahar goto match; 486 1.7 knakahar 487 1.7 knakahar /* port match */ 488 1.7 knakahar if (src_port != var->iv_dport || 489 1.7 knakahar dst_port != var->iv_sport) { 490 1.7 knakahar #ifdef DEBUG 491 1.7 knakahar printf("%s: port mismatch: pkt(%u, %u), if(%u, %u)\n", 492 1.7 knakahar __func__, ntohs(src_port), ntohs(dst_port), 493 1.7 knakahar ntohs(var->iv_sport), ntohs(var->iv_dport)); 494 1.7 knakahar #endif 495 1.7 knakahar return 0; 496 1.7 knakahar } 497 1.7 knakahar 498 1.7 knakahar match: 499 1.7 knakahar /* 500 1.7 knakahar * hide NAT-T information from encapsulated traffics. 501 1.7 knakahar * they don't know about IPsec. 502 1.7 knakahar */ 503 1.7 knakahar if (mtag) 504 1.7 knakahar m_tag_delete(m, mtag); 505 1.7 knakahar return sizeof(src->sin6_addr) + sizeof(dst->sin6_addr); 506 1.7 knakahar } 507 1.7 knakahar 508 1.1 knakahar static int 509 1.1 knakahar ipsecif6_output(struct ipsec_variant *var, int family, struct mbuf *m) 510 1.1 knakahar { 511 1.1 knakahar struct ifnet *ifp = &var->iv_softc->ipsec_if; 512 1.1 knakahar struct ipsec_softc *sc = ifp->if_softc; 513 1.1 knakahar struct ipsec_ro *iro; 514 1.1 knakahar struct rtentry *rt; 515 1.1 knakahar struct sockaddr_in6 *sin6_src; 516 1.1 knakahar struct sockaddr_in6 *sin6_dst; 517 1.1 knakahar struct ip6_hdr *ip6; 518 1.1 knakahar int proto, error; 519 1.1 knakahar u_int8_t itos, otos; 520 1.1 knakahar union { 521 1.1 knakahar struct sockaddr dst; 522 1.1 knakahar struct sockaddr_in6 dst6; 523 1.1 knakahar } u; 524 1.1 knakahar 525 1.1 knakahar KASSERT(if_ipsec_heldref_variant(var)); 526 1.1 knakahar KASSERT(if_ipsec_variant_is_configured(var)); 527 1.1 knakahar 528 1.1 knakahar sin6_src = satosin6(var->iv_psrc); 529 1.1 knakahar sin6_dst = satosin6(var->iv_pdst); 530 1.1 knakahar 531 1.1 knakahar KASSERT(sin6_src->sin6_family == AF_INET6); 532 1.1 knakahar KASSERT(sin6_dst->sin6_family == AF_INET6); 533 1.1 knakahar 534 1.1 knakahar switch (family) { 535 1.1 knakahar #ifdef INET 536 1.1 knakahar case AF_INET: 537 1.1 knakahar { 538 1.1 knakahar struct ip *ip; 539 1.1 knakahar 540 1.1 knakahar proto = IPPROTO_IPV4; 541 1.1 knakahar if (m->m_len < sizeof(*ip)) { 542 1.1 knakahar m = m_pullup(m, sizeof(*ip)); 543 1.2 maxv if (m == NULL) 544 1.1 knakahar return ENOBUFS; 545 1.1 knakahar } 546 1.1 knakahar ip = mtod(m, struct ip *); 547 1.1 knakahar itos = ip->ip_tos; 548 1.2 maxv /* TODO: support ALTQ for innner packet */ 549 1.1 knakahar break; 550 1.1 knakahar } 551 1.1 knakahar #endif /* INET */ 552 1.1 knakahar case AF_INET6: 553 1.1 knakahar { 554 1.1 knakahar struct ip6_hdr *xip6; 555 1.1 knakahar proto = IPPROTO_IPV6; 556 1.1 knakahar if (m->m_len < sizeof(*xip6)) { 557 1.1 knakahar m = m_pullup(m, sizeof(*xip6)); 558 1.2 maxv if (m == NULL) 559 1.1 knakahar return ENOBUFS; 560 1.1 knakahar } 561 1.1 knakahar xip6 = mtod(m, struct ip6_hdr *); 562 1.1 knakahar itos = (ntohl(xip6->ip6_flow) >> 20) & 0xff; 563 1.2 maxv /* TODO: support ALTQ for innner packet */ 564 1.1 knakahar break; 565 1.1 knakahar } 566 1.1 knakahar default: 567 1.1 knakahar m_freem(m); 568 1.1 knakahar return EAFNOSUPPORT; 569 1.1 knakahar } 570 1.1 knakahar 571 1.1 knakahar /* prepend new IP header */ 572 1.1 knakahar M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT); 573 1.1 knakahar if (m && M_UNWRITABLE(m, sizeof(struct ip6_hdr))) 574 1.1 knakahar m = m_pullup(m, sizeof(struct ip6_hdr)); 575 1.1 knakahar if (m == NULL) 576 1.1 knakahar return ENOBUFS; 577 1.1 knakahar 578 1.1 knakahar ip6 = mtod(m, struct ip6_hdr *); 579 1.1 knakahar ip6->ip6_flow = 0; 580 1.1 knakahar ip6->ip6_vfc &= ~IPV6_VERSION_MASK; 581 1.1 knakahar ip6->ip6_vfc |= IPV6_VERSION; 582 1.5 knakahar #if 0 /* ip6->ip6_plen will be filled by ip6_output */ 583 1.5 knakahar ip6->ip6_plen = htons((u_short)m->m_pkthdr.len - sizeof(*ip6)); 584 1.5 knakahar #endif 585 1.1 knakahar ip6->ip6_nxt = proto; 586 1.1 knakahar ip6->ip6_hlim = ip6_ipsec_hlim; 587 1.1 knakahar ip6->ip6_src = sin6_src->sin6_addr; 588 1.1 knakahar /* bidirectional configured tunnel mode */ 589 1.1 knakahar if (!IN6_IS_ADDR_UNSPECIFIED(&sin6_dst->sin6_addr)) { 590 1.1 knakahar ip6->ip6_dst = sin6_dst->sin6_addr; 591 1.1 knakahar } else { 592 1.1 knakahar m_freem(m); 593 1.1 knakahar return ENETUNREACH; 594 1.1 knakahar } 595 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 596 1.10.2.1 christos if (!ip6_ipsec_copy_tos) 597 1.10.2.1 christos otos = 0; 598 1.10.2.1 christos 599 1.1 knakahar if (ifp->if_flags & IFF_ECN) 600 1.1 knakahar ip_ecn_ingress(ECN_ALLOWED, &otos, &itos); 601 1.1 knakahar else 602 1.1 knakahar ip_ecn_ingress(ECN_NOCARE, &otos, &itos); 603 1.1 knakahar #else 604 1.1 knakahar if (ip6_ipsec_copy_tos) 605 1.1 knakahar otos = itos; 606 1.1 knakahar else 607 1.1 knakahar otos = 0; 608 1.1 knakahar #endif 609 1.1 knakahar ip6->ip6_flow &= ~ntohl(0xff00000); 610 1.1 knakahar ip6->ip6_flow |= htonl((u_int32_t)otos << 20); 611 1.1 knakahar 612 1.1 knakahar sockaddr_in6_init(&u.dst6, &sin6_dst->sin6_addr, 0, 0, 0); 613 1.1 knakahar 614 1.1 knakahar iro = percpu_getref(sc->ipsec_ro_percpu); 615 1.8 knakahar mutex_enter(iro->ir_lock); 616 1.1 knakahar if ((rt = rtcache_lookup(&iro->ir_ro, &u.dst)) == NULL) { 617 1.8 knakahar mutex_exit(iro->ir_lock); 618 1.1 knakahar percpu_putref(sc->ipsec_ro_percpu); 619 1.1 knakahar m_freem(m); 620 1.1 knakahar return ENETUNREACH; 621 1.1 knakahar } 622 1.1 knakahar 623 1.1 knakahar if (rt->rt_ifp == ifp) { 624 1.1 knakahar rtcache_unref(rt, &iro->ir_ro); 625 1.1 knakahar rtcache_free(&iro->ir_ro); 626 1.8 knakahar mutex_exit(iro->ir_lock); 627 1.1 knakahar percpu_putref(sc->ipsec_ro_percpu); 628 1.1 knakahar m_freem(m); 629 1.1 knakahar return ENETUNREACH; 630 1.1 knakahar } 631 1.1 knakahar rtcache_unref(rt, &iro->ir_ro); 632 1.1 knakahar 633 1.10.2.1 christos /* set NAT-T ports */ 634 1.10.2.1 christos error = ipsecif_set_natt_ports(var, m); 635 1.10.2.1 christos if (error) { 636 1.10.2.1 christos m_freem(m); 637 1.10.2.1 christos goto out; 638 1.10.2.1 christos } 639 1.10.2.1 christos 640 1.1 knakahar /* 641 1.1 knakahar * force fragmentation to minimum MTU, to avoid path MTU discovery. 642 1.1 knakahar * it is too painful to ask for resend of inner packet, to achieve 643 1.1 knakahar * path MTU discovery for encapsulated packets. 644 1.1 knakahar */ 645 1.1 knakahar error = ip6_output(m, 0, &iro->ir_ro, 646 1.1 knakahar ip6_ipsec_pmtu ? 0 : IPV6_MINMTU, 0, NULL, NULL); 647 1.10.2.1 christos 648 1.10.2.1 christos out: 649 1.1 knakahar if (error) 650 1.1 knakahar rtcache_free(&iro->ir_ro); 651 1.8 knakahar mutex_exit(iro->ir_lock); 652 1.1 knakahar percpu_putref(sc->ipsec_ro_percpu); 653 1.1 knakahar 654 1.1 knakahar return error; 655 1.1 knakahar } 656 1.1 knakahar #endif /* INET6 */ 657 1.1 knakahar 658 1.1 knakahar static void 659 1.1 knakahar ipsecif4_input(struct mbuf *m, int off, int proto, void *eparg) 660 1.1 knakahar { 661 1.1 knakahar struct ifnet *ipsecp; 662 1.1 knakahar struct ipsec_softc *sc = eparg; 663 1.1 knakahar struct ipsec_variant *var; 664 1.1 knakahar const struct ip *ip; 665 1.1 knakahar int af; 666 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 667 1.1 knakahar u_int8_t otos; 668 1.1 knakahar #endif 669 1.1 knakahar struct psref psref_rcvif; 670 1.1 knakahar struct psref psref_var; 671 1.1 knakahar struct ifnet *rcvif; 672 1.1 knakahar 673 1.1 knakahar KASSERT(sc != NULL); 674 1.1 knakahar 675 1.1 knakahar ipsecp = &sc->ipsec_if; 676 1.1 knakahar if ((ipsecp->if_flags & IFF_UP) == 0) { 677 1.1 knakahar m_freem(m); 678 1.1 knakahar ip_statinc(IP_STAT_NOIPSEC); 679 1.1 knakahar return; 680 1.1 knakahar } 681 1.1 knakahar 682 1.1 knakahar var = if_ipsec_getref_variant(sc, &psref_var); 683 1.1 knakahar if (if_ipsec_variant_is_unconfigured(var)) { 684 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 685 1.1 knakahar m_freem(m); 686 1.1 knakahar ip_statinc(IP_STAT_NOIPSEC); 687 1.1 knakahar return; 688 1.1 knakahar } 689 1.1 knakahar 690 1.1 knakahar ip = mtod(m, const struct ip *); 691 1.1 knakahar 692 1.1 knakahar rcvif = m_get_rcvif_psref(m, &psref_rcvif); 693 1.1 knakahar if (rcvif == NULL || !ipsecif4_filter4(ip, var, rcvif)) { 694 1.1 knakahar m_put_rcvif_psref(rcvif, &psref_rcvif); 695 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 696 1.1 knakahar m_freem(m); 697 1.1 knakahar ip_statinc(IP_STAT_NOIPSEC); 698 1.1 knakahar return; 699 1.1 knakahar } 700 1.1 knakahar m_put_rcvif_psref(rcvif, &psref_rcvif); 701 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 702 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 703 1.1 knakahar otos = ip->ip_tos; 704 1.1 knakahar #endif 705 1.1 knakahar m_adj(m, off); 706 1.1 knakahar 707 1.1 knakahar switch (proto) { 708 1.1 knakahar case IPPROTO_IPV4: 709 1.1 knakahar { 710 1.1 knakahar struct ip *xip; 711 1.1 knakahar af = AF_INET; 712 1.1 knakahar if (M_UNWRITABLE(m, sizeof(*xip))) { 713 1.1 knakahar m = m_pullup(m, sizeof(*xip)); 714 1.2 maxv if (m == NULL) 715 1.1 knakahar return; 716 1.1 knakahar } 717 1.1 knakahar xip = mtod(m, struct ip *); 718 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 719 1.1 knakahar if (ipsecp->if_flags & IFF_ECN) 720 1.1 knakahar ip_ecn_egress(ECN_ALLOWED, &otos, &xip->ip_tos); 721 1.1 knakahar else 722 1.1 knakahar ip_ecn_egress(ECN_NOCARE, &otos, &xip->ip_tos); 723 1.1 knakahar #endif 724 1.1 knakahar break; 725 1.1 knakahar } 726 1.1 knakahar #ifdef INET6 727 1.1 knakahar case IPPROTO_IPV6: 728 1.1 knakahar { 729 1.1 knakahar struct ip6_hdr *ip6; 730 1.1 knakahar u_int8_t itos; 731 1.1 knakahar af = AF_INET6; 732 1.1 knakahar if (M_UNWRITABLE(m, sizeof(*ip6))) { 733 1.1 knakahar m = m_pullup(m, sizeof(*ip6)); 734 1.2 maxv if (m == NULL) 735 1.1 knakahar return; 736 1.1 knakahar } 737 1.1 knakahar ip6 = mtod(m, struct ip6_hdr *); 738 1.1 knakahar itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff; 739 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 740 1.1 knakahar if (ipsecp->if_flags & IFF_ECN) 741 1.1 knakahar ip_ecn_egress(ECN_ALLOWED, &otos, &itos); 742 1.1 knakahar else 743 1.1 knakahar ip_ecn_egress(ECN_NOCARE, &otos, &itos); 744 1.1 knakahar #endif 745 1.1 knakahar ip6->ip6_flow &= ~htonl(0xff << 20); 746 1.1 knakahar ip6->ip6_flow |= htonl((u_int32_t)itos << 20); 747 1.1 knakahar break; 748 1.1 knakahar } 749 1.1 knakahar #endif /* INET6 */ 750 1.1 knakahar default: 751 1.1 knakahar ip_statinc(IP_STAT_NOIPSEC); 752 1.1 knakahar m_freem(m); 753 1.1 knakahar return; 754 1.1 knakahar } 755 1.1 knakahar if_ipsec_input(m, af, ipsecp); 756 1.1 knakahar 757 1.1 knakahar return; 758 1.1 knakahar } 759 1.1 knakahar 760 1.1 knakahar /* 761 1.10.2.1 christos * validate and filter the packet 762 1.1 knakahar */ 763 1.1 knakahar static int 764 1.1 knakahar ipsecif4_filter4(const struct ip *ip, struct ipsec_variant *var, 765 1.1 knakahar struct ifnet *ifp) 766 1.1 knakahar { 767 1.1 knakahar struct sockaddr_in *src, *dst; 768 1.1 knakahar 769 1.1 knakahar src = satosin(var->iv_psrc); 770 1.1 knakahar dst = satosin(var->iv_pdst); 771 1.1 knakahar 772 1.1 knakahar return in_tunnel_validate(ip, src->sin_addr, dst->sin_addr); 773 1.1 knakahar } 774 1.1 knakahar 775 1.1 knakahar #ifdef INET6 776 1.1 knakahar static int 777 1.1 knakahar ipsecif6_input(struct mbuf **mp, int *offp, int proto, void *eparg) 778 1.1 knakahar { 779 1.1 knakahar struct mbuf *m = *mp; 780 1.1 knakahar struct ifnet *ipsecp; 781 1.1 knakahar struct ipsec_softc *sc = eparg; 782 1.1 knakahar struct ipsec_variant *var; 783 1.1 knakahar struct ip6_hdr *ip6; 784 1.1 knakahar int af = 0; 785 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 786 1.1 knakahar u_int32_t otos; 787 1.1 knakahar #endif 788 1.1 knakahar struct psref psref_rcvif; 789 1.1 knakahar struct psref psref_var; 790 1.1 knakahar struct ifnet *rcvif; 791 1.1 knakahar 792 1.1 knakahar KASSERT(eparg != NULL); 793 1.1 knakahar 794 1.1 knakahar ipsecp = &sc->ipsec_if; 795 1.1 knakahar if ((ipsecp->if_flags & IFF_UP) == 0) { 796 1.1 knakahar m_freem(m); 797 1.1 knakahar IP6_STATINC(IP6_STAT_NOIPSEC); 798 1.1 knakahar return IPPROTO_DONE; 799 1.1 knakahar } 800 1.1 knakahar 801 1.1 knakahar var = if_ipsec_getref_variant(sc, &psref_var); 802 1.1 knakahar if (if_ipsec_variant_is_unconfigured(var)) { 803 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 804 1.1 knakahar m_freem(m); 805 1.1 knakahar IP6_STATINC(IP6_STAT_NOIPSEC); 806 1.1 knakahar return IPPROTO_DONE; 807 1.1 knakahar } 808 1.1 knakahar 809 1.1 knakahar ip6 = mtod(m, struct ip6_hdr *); 810 1.1 knakahar 811 1.1 knakahar rcvif = m_get_rcvif_psref(m, &psref_rcvif); 812 1.1 knakahar if (rcvif == NULL || !ipsecif6_filter6(ip6, var, rcvif)) { 813 1.1 knakahar m_put_rcvif_psref(rcvif, &psref_rcvif); 814 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 815 1.1 knakahar m_freem(m); 816 1.1 knakahar IP6_STATINC(IP6_STAT_NOIPSEC); 817 1.1 knakahar return IPPROTO_DONE; 818 1.1 knakahar } 819 1.1 knakahar m_put_rcvif_psref(rcvif, &psref_rcvif); 820 1.1 knakahar if_ipsec_putref_variant(var, &psref_var); 821 1.1 knakahar 822 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 823 1.1 knakahar otos = ip6->ip6_flow; 824 1.1 knakahar #endif 825 1.1 knakahar m_adj(m, *offp); 826 1.1 knakahar 827 1.1 knakahar switch (proto) { 828 1.1 knakahar #ifdef INET 829 1.1 knakahar case IPPROTO_IPV4: 830 1.1 knakahar { 831 1.1 knakahar af = AF_INET; 832 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 833 1.1 knakahar struct ip *ip; 834 1.1 knakahar u_int8_t otos8; 835 1.1 knakahar otos8 = (ntohl(otos) >> 20) & 0xff; 836 1.1 knakahar 837 1.1 knakahar if (M_UNWRITABLE(m, sizeof(*ip))) { 838 1.1 knakahar m = m_pullup(m, sizeof(*ip)); 839 1.2 maxv if (m == NULL) 840 1.1 knakahar return IPPROTO_DONE; 841 1.1 knakahar } 842 1.1 knakahar ip = mtod(m, struct ip *); 843 1.1 knakahar if (ipsecp->if_flags & IFF_ECN) 844 1.1 knakahar ip_ecn_egress(ECN_ALLOWED, &otos8, &ip->ip_tos); 845 1.1 knakahar else 846 1.1 knakahar ip_ecn_egress(ECN_NOCARE, &otos8, &ip->ip_tos); 847 1.1 knakahar #endif 848 1.1 knakahar break; 849 1.1 knakahar } 850 1.1 knakahar #endif /* INET */ 851 1.1 knakahar case IPPROTO_IPV6: 852 1.1 knakahar { 853 1.1 knakahar af = AF_INET6; 854 1.1 knakahar #ifndef IPSEC_TX_TOS_CLEAR 855 1.1 knakahar struct ip6_hdr *xip6; 856 1.1 knakahar 857 1.1 knakahar if (M_UNWRITABLE(m, sizeof(*xip6))) { 858 1.1 knakahar m = m_pullup(m, sizeof(*xip6)); 859 1.2 maxv if (m == NULL) 860 1.1 knakahar return IPPROTO_DONE; 861 1.1 knakahar } 862 1.1 knakahar xip6 = mtod(m, struct ip6_hdr *); 863 1.1 knakahar if (ipsecp->if_flags & IFF_ECN) 864 1.1 knakahar ip6_ecn_egress(ECN_ALLOWED, &otos, &xip6->ip6_flow); 865 1.1 knakahar else 866 1.1 knakahar ip6_ecn_egress(ECN_NOCARE, &otos, &xip6->ip6_flow); 867 1.1 knakahar break; 868 1.1 knakahar #endif 869 1.1 knakahar } 870 1.1 knakahar default: 871 1.1 knakahar IP6_STATINC(IP6_STAT_NOIPSEC); 872 1.1 knakahar m_freem(m); 873 1.1 knakahar return IPPROTO_DONE; 874 1.1 knakahar } 875 1.1 knakahar 876 1.1 knakahar if_ipsec_input(m, af, ipsecp); 877 1.1 knakahar return IPPROTO_DONE; 878 1.1 knakahar } 879 1.1 knakahar 880 1.1 knakahar /* 881 1.1 knakahar * validate and filter the packet. 882 1.1 knakahar */ 883 1.1 knakahar static int 884 1.1 knakahar ipsecif6_filter6(const struct ip6_hdr *ip6, struct ipsec_variant *var, 885 1.1 knakahar struct ifnet *ifp) 886 1.1 knakahar { 887 1.1 knakahar struct sockaddr_in6 *src, *dst; 888 1.1 knakahar 889 1.1 knakahar src = satosin6(var->iv_psrc); 890 1.1 knakahar dst = satosin6(var->iv_pdst); 891 1.1 knakahar 892 1.1 knakahar return in6_tunnel_validate(ip6, &src->sin6_addr, &dst->sin6_addr); 893 1.1 knakahar } 894 1.1 knakahar #endif /* INET6 */ 895 1.1 knakahar 896 1.1 knakahar int 897 1.1 knakahar ipsecif4_attach(struct ipsec_variant *var) 898 1.1 knakahar { 899 1.1 knakahar struct ipsec_softc *sc = var->iv_softc; 900 1.1 knakahar 901 1.1 knakahar KASSERT(if_ipsec_variant_is_configured(var)); 902 1.1 knakahar 903 1.1 knakahar if (var->iv_encap_cookie4 != NULL) 904 1.1 knakahar return EALREADY; 905 1.1 knakahar var->iv_encap_cookie4 = encap_attach_func(AF_INET, -1, if_ipsec_encap_func, 906 1.1 knakahar &ipsecif4_encapsw, sc); 907 1.1 knakahar if (var->iv_encap_cookie4 == NULL) 908 1.1 knakahar return EEXIST; 909 1.1 knakahar 910 1.1 knakahar var->iv_output = ipsecif4_output; 911 1.1 knakahar return 0; 912 1.1 knakahar } 913 1.1 knakahar 914 1.1 knakahar int 915 1.1 knakahar ipsecif4_detach(struct ipsec_variant *var) 916 1.1 knakahar { 917 1.1 knakahar int error; 918 1.1 knakahar 919 1.1 knakahar if (var->iv_encap_cookie4 == NULL) 920 1.1 knakahar return 0; 921 1.1 knakahar 922 1.1 knakahar var->iv_output = NULL; 923 1.1 knakahar error = encap_detach(var->iv_encap_cookie4); 924 1.1 knakahar if (error == 0) 925 1.1 knakahar var->iv_encap_cookie4 = NULL; 926 1.1 knakahar 927 1.1 knakahar return error; 928 1.1 knakahar } 929 1.1 knakahar 930 1.1 knakahar #ifdef INET6 931 1.1 knakahar int 932 1.1 knakahar ipsecif6_attach(struct ipsec_variant *var) 933 1.1 knakahar { 934 1.1 knakahar struct ipsec_softc *sc = var->iv_softc; 935 1.1 knakahar 936 1.1 knakahar KASSERT(if_ipsec_variant_is_configured(var)); 937 1.1 knakahar KASSERT(var->iv_encap_cookie6 == NULL); 938 1.1 knakahar 939 1.7 knakahar var->iv_encap_cookie6 = encap_attach_func(AF_INET6, -1, if_ipsec_encap_func, 940 1.1 knakahar &ipsecif6_encapsw, sc); 941 1.1 knakahar if (var->iv_encap_cookie6 == NULL) 942 1.1 knakahar return EEXIST; 943 1.1 knakahar 944 1.1 knakahar var->iv_output = ipsecif6_output; 945 1.1 knakahar return 0; 946 1.1 knakahar } 947 1.1 knakahar 948 1.1 knakahar static void 949 1.1 knakahar ipsecif6_rtcache_free_pc(void *p, void *arg __unused, struct cpu_info *ci __unused) 950 1.1 knakahar { 951 1.1 knakahar struct ipsec_ro *iro = p; 952 1.1 knakahar 953 1.8 knakahar mutex_enter(iro->ir_lock); 954 1.1 knakahar rtcache_free(&iro->ir_ro); 955 1.8 knakahar mutex_exit(iro->ir_lock); 956 1.1 knakahar } 957 1.1 knakahar 958 1.1 knakahar int 959 1.1 knakahar ipsecif6_detach(struct ipsec_variant *var) 960 1.1 knakahar { 961 1.1 knakahar struct ipsec_softc *sc = var->iv_softc; 962 1.1 knakahar int error; 963 1.1 knakahar 964 1.1 knakahar KASSERT(var->iv_encap_cookie6 != NULL); 965 1.1 knakahar 966 1.1 knakahar percpu_foreach(sc->ipsec_ro_percpu, ipsecif6_rtcache_free_pc, NULL); 967 1.1 knakahar 968 1.1 knakahar var->iv_output = NULL; 969 1.1 knakahar error = encap_detach(var->iv_encap_cookie6); 970 1.1 knakahar if (error == 0) 971 1.1 knakahar var->iv_encap_cookie6 = NULL; 972 1.1 knakahar return error; 973 1.1 knakahar } 974 1.1 knakahar 975 1.1 knakahar void * 976 1.1 knakahar ipsecif6_ctlinput(int cmd, const struct sockaddr *sa, void *d, void *eparg) 977 1.1 knakahar { 978 1.1 knakahar struct ipsec_softc *sc = eparg; 979 1.1 knakahar struct ip6ctlparam *ip6cp = NULL; 980 1.1 knakahar struct ip6_hdr *ip6; 981 1.1 knakahar const struct sockaddr_in6 *dst6; 982 1.1 knakahar struct ipsec_ro *iro; 983 1.1 knakahar 984 1.1 knakahar if (sa->sa_family != AF_INET6 || 985 1.1 knakahar sa->sa_len != sizeof(struct sockaddr_in6)) 986 1.1 knakahar return NULL; 987 1.1 knakahar 988 1.1 knakahar if ((unsigned)cmd >= PRC_NCMDS) 989 1.1 knakahar return NULL; 990 1.1 knakahar if (cmd == PRC_HOSTDEAD) 991 1.1 knakahar d = NULL; 992 1.1 knakahar else if (inet6ctlerrmap[cmd] == 0) 993 1.1 knakahar return NULL; 994 1.1 knakahar 995 1.1 knakahar /* if the parameter is from icmp6, decode it. */ 996 1.1 knakahar if (d != NULL) { 997 1.1 knakahar ip6cp = (struct ip6ctlparam *)d; 998 1.1 knakahar ip6 = ip6cp->ip6c_ip6; 999 1.1 knakahar } else { 1000 1.1 knakahar ip6 = NULL; 1001 1.1 knakahar } 1002 1.1 knakahar 1003 1.1 knakahar if (!ip6) 1004 1.1 knakahar return NULL; 1005 1.1 knakahar 1006 1.1 knakahar iro = percpu_getref(sc->ipsec_ro_percpu); 1007 1.8 knakahar mutex_enter(iro->ir_lock); 1008 1.1 knakahar dst6 = satocsin6(rtcache_getdst(&iro->ir_ro)); 1009 1.1 knakahar /* XXX scope */ 1010 1.1 knakahar if (dst6 == NULL) 1011 1.1 knakahar ; 1012 1.1 knakahar else if (IN6_ARE_ADDR_EQUAL(&ip6->ip6_dst, &dst6->sin6_addr)) 1013 1.1 knakahar /* flush route cache */ 1014 1.1 knakahar rtcache_free(&iro->ir_ro); 1015 1.1 knakahar 1016 1.8 knakahar mutex_exit(iro->ir_lock); 1017 1.1 knakahar percpu_putref(sc->ipsec_ro_percpu); 1018 1.1 knakahar 1019 1.1 knakahar return NULL; 1020 1.1 knakahar } 1021 1.1 knakahar 1022 1.1 knakahar ENCAP_PR_WRAP_CTLINPUT(ipsecif6_ctlinput) 1023 1.1 knakahar #define ipsecif6_ctlinput ipsecif6_ctlinput_wrapper 1024 1.1 knakahar 1025 1.1 knakahar static const struct encapsw ipsecif6_encapsw = { 1026 1.1 knakahar .encapsw6 = { 1027 1.1 knakahar .pr_input = ipsecif6_input, 1028 1.1 knakahar .pr_ctlinput = ipsecif6_ctlinput, 1029 1.1 knakahar } 1030 1.1 knakahar }; 1031 1.1 knakahar #endif /* INET6 */ 1032
Indexes created Thu Oct 02 14:10:14 GMT 2025