1/* $NetBSD: ipsec_netbsd.c,v 1.38 2016/07/07 06:55:43 msaitoh Exp $ */
2/* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
3/* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#include <sys/cdefs.h>
35__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.38 2016/07/07 06:55:43 msaitoh Exp $");
36
37#include "opt_inet.h"
38#include "opt_ipsec.h"
39
40#include <sys/param.h>
41#include <sys/systm.h>
42#include <sys/malloc.h>
43#include <sys/mbuf.h>
44#include <sys/domain.h>
45#include <sys/protosw.h>
46#include <sys/socket.h>
47#include <sys/errno.h>
48#include <sys/time.h>
49#include <sys/kernel.h>
50#include <sys/sysctl.h>
51
52#include <net/if.h>
53#include <net/route.h>
54#include <net/netisr.h>
55#include <sys/cpu.h>
56
57#include <netinet/in.h>
58#include <netinet/in_systm.h>
59#include <netinet/in_var.h>
60#include <netinet/ip.h>
61#include <netinet/ip_var.h>
62#include <netinet/ip_ecn.h>
63#include <netinet/ip_icmp.h>
64
65
66#include <netipsec/ipsec.h>
67#include <netipsec/ipsec_var.h>
68#include <netipsec/ipsec_private.h>
69#include <netipsec/key.h>
70#include <netipsec/keydb.h>
71#include <netipsec/key_debug.h>
72#include <netipsec/ah.h>
73#include <netipsec/ah_var.h>
74#include <netipsec/esp.h>
75#include <netipsec/esp_var.h>
76#include <netipsec/ipip_var.h>
77#include <netipsec/ipcomp_var.h>
78
79#ifdef INET6
80#include <netipsec/ipsec6.h>
81#include <netinet6/ip6protosw.h>
82#include <netinet/icmp6.h>
83#endif
84
85#include <netipsec/key.h>
86
87/* assumes that ip header and ah header are contiguous on mbuf */
88void*
89ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
90{
91 struct ip *ip = v;
92 struct ah *ah;
93 struct icmp *icp;
94 struct secasvar *sav;
95
96 if (sa->sa_family != AF_INET ||
97 sa->sa_len != sizeof(struct sockaddr_in))
98 return NULL;
99 if ((unsigned)cmd >= PRC_NCMDS)
100 return NULL;
101
102 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
103 /*
104 * Check to see if we have a valid SA corresponding to
105 * the address in the ICMP message payload.
106 */
107 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
108 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
109 IPPROTO_AH, ah->ah_spi, 0, 0);
110
111 if (sav) {
112 if (sav->state == SADB_SASTATE_MATURE ||
113 sav->state == SADB_SASTATE_DYING) {
114
115 /*
116 * Now that we've validated that we are actually
117 * communicating with the host indicated in the
118 * ICMP message, locate the ICMP header,
119 * recalculate the new MTU, and create the
120 * corresponding routing entry.
121 */
122 icp = (struct icmp *)((char *)ip -
123 offsetof(struct icmp, icmp_ip));
124 icmp_mtudisc(icp, ip->ip_dst);
125
126 }
127 KEY_FREESAV(&sav);
128 }
129 }
130 return NULL;
131}
132
133
134
135/* assumes that ip header and esp header are contiguous on mbuf */
136void*
137esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
138{
139 struct ip *ip = v;
140 struct esp *esp;
141 struct icmp *icp;
142 struct secasvar *sav;
143
144 if (sa->sa_family != AF_INET ||
145 sa->sa_len != sizeof(struct sockaddr_in))
146 return NULL;
147 if ((unsigned)cmd >= PRC_NCMDS)
148 return NULL;
149
150 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
151 /*
152 * Check to see if we have a valid SA corresponding to
153 * the address in the ICMP message payload.
154 */
155 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
156 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
157 IPPROTO_ESP, esp->esp_spi, 0, 0);
158
159 if (sav) {
160 if (sav->state == SADB_SASTATE_MATURE ||
161 sav->state == SADB_SASTATE_DYING) {
162
163 /*
164 * Now that we've validated that we are actually
165 * communicating with the host indicated in the
166 * ICMP message, locate the ICMP header,
167 * recalculate the new MTU, and create the
168 * corresponding routing entry.
169 */
170
171 icp = (struct icmp *)((char *)ip -
172 offsetof(struct icmp, icmp_ip));
173 icmp_mtudisc(icp, ip->ip_dst);
174
175 }
176 KEY_FREESAV(&sav);
177 }
178 }
179 return NULL;
180}
181
182#ifdef INET6
183void *
184ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
185{
186 const struct newah *ahp;
187 struct newah ah;
188 struct secasvar *sav;
189 struct ip6_hdr *ip6;
190 struct mbuf *m;
191 struct ip6ctlparam *ip6cp = NULL;
192 int off;
193
194 if (sa->sa_family != AF_INET6 ||
195 sa->sa_len != sizeof(struct sockaddr_in6))
196 return NULL;
197 if ((unsigned)cmd >= PRC_NCMDS)
198 return NULL;
199
200 /* if the parameter is from icmp6, decode it. */
201 if (d != NULL) {
202 ip6cp = (struct ip6ctlparam *)d;
203 m = ip6cp->ip6c_m;
204 ip6 = ip6cp->ip6c_ip6;
205 off = ip6cp->ip6c_off;
206 } else {
207 m = NULL;
208 ip6 = NULL;
209 off = 0;
210 }
211
212 if (ip6) {
213 /*
214 * XXX: We assume that when ip6 is non NULL,
215 * M and OFF are valid.
216 */
217
218 /* check if we can safely examine src and dst ports */
219 if (m->m_pkthdr.len < off + sizeof(ah))
220 return NULL;
221
222 if (m->m_len < off + sizeof(ah)) {
223 /*
224 * this should be rare case,
225 * so we compromise on this copy...
226 */
227 m_copydata(m, off, sizeof(ah), &ah);
228 ahp = &ah;
229 } else
230 ahp = (struct newah *)(mtod(m, char *) + off);
231
232 if (cmd == PRC_MSGSIZE) {
233 int valid = 0;
234
235 /*
236 * Check to see if we have a valid SA corresponding
237 * to the address in the ICMP message payload.
238 */
239 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
240 IPPROTO_AH, ahp->ah_spi, 0, 0);
241
242 if (sav) {
243 if (sav->state == SADB_SASTATE_MATURE ||
244 sav->state == SADB_SASTATE_DYING)
245 valid++;
246 KEY_FREESAV(&sav);
247 }
248
249 /* XXX Further validation? */
250
251 /*
252 * Depending on the value of "valid" and routing
253 * table size (mtudisc_{hi,lo}wat), we will:
254 * - recalcurate the new MTU and create the
255 * corresponding routing entry, or
256 * - ignore the MTU change notification.
257 */
258 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
259 }
260
261 /* we normally notify single pcb here */
262 } else {
263 /* we normally notify any pcb here */
264 }
265 return NULL;
266}
267
268
269
270void *
271esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
272{
273 const struct newesp *espp;
274 struct newesp esp;
275 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
276 struct secasvar *sav;
277 struct ip6_hdr *ip6;
278 struct mbuf *m;
279 int off;
280
281 if (sa->sa_family != AF_INET6 ||
282 sa->sa_len != sizeof(struct sockaddr_in6))
283 return NULL;
284 if ((unsigned)cmd >= PRC_NCMDS)
285 return NULL;
286
287 /* if the parameter is from icmp6, decode it. */
288 if (d != NULL) {
289 ip6cp = (struct ip6ctlparam *)d;
290 m = ip6cp->ip6c_m;
291 ip6 = ip6cp->ip6c_ip6;
292 off = ip6cp->ip6c_off;
293 } else {
294 m = NULL;
295 ip6 = NULL;
296 off = 0;
297 }
298
299 if (ip6) {
300 /*
301 * Notify the error to all possible sockets via pfctlinput2.
302 * Since the upper layer information (such as protocol type,
303 * source and destination ports) is embedded in the encrypted
304 * data and might have been cut, we can't directly call
305 * an upper layer ctlinput function. However, the pcbnotify
306 * function will consider source and destination addresses
307 * as well as the flow info value, and may be able to find
308 * some PCB that should be notified.
309 * Although pfctlinput2 will call esp6_ctlinput(), there is
310 * no possibility of an infinite loop of function calls,
311 * because we don't pass the inner IPv6 header.
312 */
313 memset(&ip6cp1, 0, sizeof(ip6cp1));
314 ip6cp1.ip6c_src = ip6cp->ip6c_src;
315 pfctlinput2(cmd, sa, &ip6cp1);
316
317 /*
318 * Then go to special cases that need ESP header information.
319 * XXX: We assume that when ip6 is non NULL,
320 * M and OFF are valid.
321 */
322
323 /* check if we can safely examine src and dst ports */
324 if (m->m_pkthdr.len < off + sizeof(esp))
325 return NULL;
326
327 if (m->m_len < off + sizeof(esp)) {
328 /*
329 * this should be rare case,
330 * so we compromise on this copy...
331 */
332 m_copydata(m, off, sizeof(esp), &esp);
333 espp = &esp;
334 } else
335 espp = (struct newesp*)(mtod(m, char *) + off);
336
337 if (cmd == PRC_MSGSIZE) {
338 int valid = 0;
339
340 /*
341 * Check to see if we have a valid SA corresponding to
342 * the address in the ICMP message payload.
343 */
344
345 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
346 IPPROTO_ESP, espp->esp_spi, 0, 0);
347
348 if (sav) {
349 if (sav->state == SADB_SASTATE_MATURE ||
350 sav->state == SADB_SASTATE_DYING)
351 valid++;
352 KEY_FREESAV(&sav);
353 }
354
355 /* XXX Further validation? */
356
357 /*
358 * Depending on the value of "valid" and routing table
359 * size (mtudisc_{hi,lo}wat), we will:
360 * - recalcurate the new MTU and create the
361 * corresponding routing entry, or
362 * - ignore the MTU change notification.
363 */
364 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
365 }
366 } else {
367 /* we normally notify any pcb here */
368 }
369 return NULL;
370}
371#endif /* INET6 */
372
373static int
374sysctl_ipsec(SYSCTLFN_ARGS)
375{
376 int error, t;
377 struct sysctlnode node;
378
379 node = *rnode;
380 t = *(int*)rnode->sysctl_data;
381 node.sysctl_data = &t;
382 error = sysctl_lookup(SYSCTLFN_CALL(&node));
383 if (error || newp == NULL)
384 return (error);
385
386 switch (rnode->sysctl_num) {
387 case IPSECCTL_DEF_ESP_TRANSLEV:
388 case IPSECCTL_DEF_ESP_NETLEV:
389 case IPSECCTL_DEF_AH_TRANSLEV:
390 case IPSECCTL_DEF_AH_NETLEV:
391 if (t != IPSEC_LEVEL_USE &&
392 t != IPSEC_LEVEL_REQUIRE)
393 return (EINVAL);
394 ipsec_invalpcbcacheall();
395 break;
396 case IPSECCTL_DEF_POLICY:
397 if (t != IPSEC_POLICY_DISCARD &&
398 t != IPSEC_POLICY_NONE)
399 return (EINVAL);
400 ipsec_invalpcbcacheall();
401 break;
402 default:
403 return (EINVAL);
404 }
405
406 *(int*)rnode->sysctl_data = t;
407
408 return (0);
409}
410
411#ifdef IPSEC_DEBUG
412static int
413sysctl_ipsec_test(SYSCTLFN_ARGS)
414{
415 int t, error;
416 struct sysctlnode node;
417
418 node = *rnode;
419 t = *(int*)rnode->sysctl_data;
420 node.sysctl_data = &t;
421 error = sysctl_lookup(SYSCTLFN_CALL(&node));
422 if (error || newp == NULL)
423 return (error);
424
425 if (t < 0 || t > 1)
426 return EINVAL;
427
428 if (rnode->sysctl_data == &ipsec_replay)
429 printf("ipsec: Anti-Replay service %s\n",
430 (t == 1) ? "deactivated" : "activated");
431 else if (rnode->sysctl_data == &ipsec_integrity)
432 printf("ipsec: HMAC corruption %s\n",
433 (t == 0) ? "deactivated" : "activated");
434
435 *(int*)rnode->sysctl_data = t;
436
437 return 0;
438}
439#endif
440
441static int
442sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS)
443{
444
445 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
446}
447
448static int
449sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
450{
451
452 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
453}
454
455static int
456sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
457{
458
459 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
460}
461
462static int
463sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
464{
465
466 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
467}
468
469static int
470sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
471{
472
473 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
474}
475
476static int
477sysctl_net_ipsec_enabled(SYSCTLFN_ARGS)
478{
479 int newenabled, error;
480 struct sysctlnode node;
481 node = *rnode;
482 node.sysctl_data = &newenabled;
483
484 newenabled = ipsec_enabled;
485 error = sysctl_lookup(SYSCTLFN_CALL(&node));
486 if (error || newp == NULL)
487 return error;
488
489 switch (newenabled) {
490 case 0:
491 if (key_get_used())
492 return EBUSY;
493 /*FALLTHROUGH*/
494 case 1:
495 case 2:
496 ipsec_enabled = newenabled;
497 key_update_used();
498 return 0;
499 default:
500 return EINVAL;
501 }
502}
503
504/* XXX will need a different oid at parent */
505SYSCTL_SETUP(sysctl_net_inet_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
506{
507 const struct sysctlnode *_ipsec;
508 int ipproto_ipsec;
509
510 sysctl_createv(clog, 0, NULL, NULL,
511 CTLFLAG_PERMANENT,
512 CTLTYPE_NODE, "inet", NULL,
513 NULL, 0, NULL, 0,
514 CTL_NET, PF_INET, CTL_EOL);
515
516 /*
517 * in numerical order:
518 *
519 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
520 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
521 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
522 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
523 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
524 *
525 * this creates separate trees by name, but maintains that the
526 * ipsec name leads to all the old leaves.
527 */
528
529 /* create net.inet.ipip */
530 sysctl_createv(clog, 0, NULL, NULL,
531 CTLFLAG_PERMANENT,
532 CTLTYPE_NODE, "ipip", NULL,
533 NULL, 0, NULL, 0,
534 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
535 sysctl_createv(clog, 0, NULL, NULL,
536 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
537 CTLTYPE_STRUCT, "ipip_stats", NULL,
538 sysctl_net_inet_ipip_stats, 0, NULL, 0,
539 CTL_NET, PF_INET, IPPROTO_IPIP,
540 CTL_CREATE, CTL_EOL);
541
542 /* create net.inet.esp subtree under IPPROTO_ESP */
543 sysctl_createv(clog, 0, NULL, NULL,
544 CTLFLAG_PERMANENT,
545 CTLTYPE_NODE, "esp", NULL,
546 NULL, 0, NULL, 0,
547 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
548 sysctl_createv(clog, 0, NULL, NULL,
549 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
550 CTLTYPE_INT, "trans_deflev", NULL,
551 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
552 CTL_NET, PF_INET, IPPROTO_ESP,
553 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
554 sysctl_createv(clog, 0, NULL, NULL,
555 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
556 CTLTYPE_INT, "net_deflev", NULL,
557 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
558 CTL_NET, PF_INET, IPPROTO_ESP,
559 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
560 sysctl_createv(clog, 0, NULL, NULL,
561 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
562 CTLTYPE_STRUCT, "esp_stats", NULL,
563 sysctl_net_inet_esp_stats, 0, NULL, 0,
564 CTL_NET, PF_INET, IPPROTO_ESP,
565 CTL_CREATE, CTL_EOL);
566
567 /* create net.inet.ah subtree under IPPROTO_AH */
568 sysctl_createv(clog, 0, NULL, NULL,
569 CTLFLAG_PERMANENT,
570 CTLTYPE_NODE, "ah", NULL,
571 NULL, 0, NULL, 0,
572 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
573 sysctl_createv(clog, 0, NULL, NULL,
574 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
575 CTLTYPE_INT, "cleartos", NULL,
576 NULL, 0, &ip4_ah_cleartos, 0,
577 CTL_NET, PF_INET, IPPROTO_AH,
578 IPSECCTL_AH_CLEARTOS, CTL_EOL);
579 sysctl_createv(clog, 0, NULL, NULL,
580 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
581 CTLTYPE_INT, "offsetmask", NULL,
582 NULL, 0, &ip4_ah_offsetmask, 0,
583 CTL_NET, PF_INET, IPPROTO_AH,
584 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
585 sysctl_createv(clog, 0, NULL, NULL,
586 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
587 CTLTYPE_INT, "trans_deflev", NULL,
588 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
589 CTL_NET, PF_INET, IPPROTO_AH,
590 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
591 sysctl_createv(clog, 0, NULL, NULL,
592 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
593 CTLTYPE_INT, "net_deflev", NULL,
594 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
595 CTL_NET, PF_INET, IPPROTO_AH,
596 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
597 sysctl_createv(clog, 0, NULL, NULL,
598 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
599 CTLTYPE_STRUCT, "ah_stats", NULL,
600 sysctl_net_inet_ah_stats, 0, NULL, 0,
601 CTL_NET, PF_INET, IPPROTO_AH,
602 CTL_CREATE, CTL_EOL);
603
604 /* create net.inet.ipcomp */
605 sysctl_createv(clog, 0, NULL, NULL,
606 CTLFLAG_PERMANENT,
607 CTLTYPE_NODE, "ipcomp", NULL,
608 NULL, 0, NULL, 0,
609 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
610 sysctl_createv(clog, 0, NULL, NULL,
611 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
612 CTLTYPE_STRUCT, "ipcomp_stats", NULL,
613 sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
614 CTL_NET, PF_INET, IPPROTO_IPCOMP,
615 CTL_CREATE, CTL_EOL);
616
617 /* create net.inet.ipsec subtree under dynamic oid */
618 sysctl_createv(clog, 0, NULL, &_ipsec,
619 CTLFLAG_PERMANENT,
620 CTLTYPE_NODE, "ipsec", NULL,
621 NULL, 0, NULL, 0,
622 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
623 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
624
625 sysctl_createv(clog, 0, NULL, NULL,
626 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
627 CTLTYPE_INT, "def_policy", NULL,
628 sysctl_ipsec, 0, &ip4_def_policy.policy, 0,
629 CTL_NET, PF_INET, ipproto_ipsec,
630 IPSECCTL_DEF_POLICY, CTL_EOL);
631 sysctl_createv(clog, 0, NULL, NULL,
632 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
633 CTLTYPE_INT, "esp_trans_deflev", NULL,
634 sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
635 CTL_NET, PF_INET, ipproto_ipsec,
636 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
637 sysctl_createv(clog, 0, NULL, NULL,
638 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
639 CTLTYPE_INT, "esp_net_deflev", NULL,
640 sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
641 CTL_NET, PF_INET, ipproto_ipsec,
642 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
643 sysctl_createv(clog, 0, NULL, NULL,
644 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
645 CTLTYPE_INT, "ah_trans_deflev", NULL,
646 sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
647 CTL_NET, PF_INET, ipproto_ipsec,
648 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
649 sysctl_createv(clog, 0, NULL, NULL,
650 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
651 CTLTYPE_INT, "ah_net_deflev", NULL,
652 sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
653 CTL_NET, PF_INET, ipproto_ipsec,
654 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
655 sysctl_createv(clog, 0, NULL, NULL,
656 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
657 CTLTYPE_INT, "ah_cleartos", NULL,
658 NULL, 0, &ip4_ah_cleartos, 0,
659 CTL_NET, PF_INET, ipproto_ipsec,
660 IPSECCTL_AH_CLEARTOS, CTL_EOL);
661 sysctl_createv(clog, 0, NULL, NULL,
662 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
663 CTLTYPE_INT, "ah_offsetmask", NULL,
664 NULL, 0, &ip4_ah_offsetmask, 0,
665 CTL_NET, PF_INET, ipproto_ipsec,
666 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
667 sysctl_createv(clog, 0, NULL, NULL,
668 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
669 CTLTYPE_INT, "dfbit", NULL,
670 NULL, 0, &ip4_ipsec_dfbit, 0,
671 CTL_NET, PF_INET, ipproto_ipsec,
672 IPSECCTL_DFBIT, CTL_EOL);
673 sysctl_createv(clog, 0, NULL, NULL,
674 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
675 CTLTYPE_INT, "ecn", NULL,
676 NULL, 0, &ip4_ipsec_ecn, 0,
677 CTL_NET, PF_INET, ipproto_ipsec,
678 IPSECCTL_ECN, CTL_EOL);
679 sysctl_createv(clog, 0, NULL, NULL,
680 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
681 CTLTYPE_INT, "debug", NULL,
682 NULL, 0, &ipsec_debug, 0,
683 CTL_NET, PF_INET, ipproto_ipsec,
684 IPSECCTL_DEBUG, CTL_EOL);
685 sysctl_createv(clog, 0, NULL, NULL,
686 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
687 CTLTYPE_STRUCT, "ipsecstats", NULL,
688 sysctl_net_inet_ipsec_stats, 0, NULL, 0,
689 CTL_NET, PF_INET, ipproto_ipsec,
690 CTL_CREATE, CTL_EOL);
691 sysctl_createv(clog, 0, NULL, NULL,
692 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
693 CTLTYPE_INT, "enabled",
694 SYSCTL_DESCR("Enable IPSec processing"),
695 sysctl_net_ipsec_enabled, 0, NULL, 0,
696 CTL_NET, PF_INET, ipproto_ipsec,
697 CTL_CREATE, CTL_EOL);
698 sysctl_createv(clog, 0, NULL, NULL,
699 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
700 CTLTYPE_INT, "used",
701 SYSCTL_DESCR("Is IPSec active?"),
702 NULL, 0, &ipsec_used, 0,
703 CTL_NET, PF_INET, ipproto_ipsec,
704 CTL_CREATE, CTL_EOL);
705#ifdef IPSEC_DEBUG
706 sysctl_createv(clog, 0, NULL, NULL,
707 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
708 CTLTYPE_INT, "test_replay",
709 SYSCTL_DESCR("Emulate replay attack"),
710 sysctl_ipsec_test, 0, &ipsec_replay, 0,
711 CTL_NET, PF_INET, ipproto_ipsec,
712 CTL_CREATE, CTL_EOL);
713 sysctl_createv(clog, 0, NULL, NULL,
714 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
715 CTLTYPE_INT, "test_integrity",
716 SYSCTL_DESCR("Emulate man-in-the-middle attack"),
717 sysctl_ipsec_test, 0, &ipsec_integrity, 0,
718 CTL_NET, PF_INET, ipproto_ipsec,
719 CTL_CREATE, CTL_EOL);
720#endif
721}
722
723#ifdef INET6
724SYSCTL_SETUP(sysctl_net_inet6_ipsec6_setup,
725 "sysctl net.inet6.ipsec6 subtree setup")
726{
727
728 sysctl_createv(clog, 0, NULL, NULL,
729 CTLFLAG_PERMANENT,
730 CTLTYPE_NODE, "inet6", NULL,
731 NULL, 0, NULL, 0,
732 CTL_NET, PF_INET6, CTL_EOL);
733 sysctl_createv(clog, 0, NULL, NULL,
734 CTLFLAG_PERMANENT,
735 CTLTYPE_NODE, "ipsec6",
736 SYSCTL_DESCR("IPv6 related IPSec settings"),
737 NULL, 0, NULL, 0,
738 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
739
740 sysctl_createv(clog, 0, NULL, NULL,
741 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
742 CTLTYPE_STRUCT, "stats",
743 SYSCTL_DESCR("IPSec statistics and counters"),
744 sysctl_net_inet_ipsec_stats, 0, NULL, 0,
745 CTL_NET, PF_INET6, IPPROTO_AH,
746 IPSECCTL_STATS, CTL_EOL);
747 sysctl_createv(clog, 0, NULL, NULL,
748 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
749 CTLTYPE_INT, "def_policy",
750 SYSCTL_DESCR("Default action for non-IPSec packets"),
751 sysctl_ipsec, 0, (void *)&ip6_def_policy, 0,
752 CTL_NET, PF_INET6, IPPROTO_AH,
753 IPSECCTL_DEF_POLICY, CTL_EOL);
754 sysctl_createv(clog, 0, NULL, NULL,
755 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
756 CTLTYPE_INT, "esp_trans_deflev",
757 SYSCTL_DESCR("Default required security level for "
758 "transport mode traffic"),
759 sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
760 CTL_NET, PF_INET6, IPPROTO_AH,
761 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
762 sysctl_createv(clog, 0, NULL, NULL,
763 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
764 CTLTYPE_INT, "esp_net_deflev",
765 SYSCTL_DESCR("Default required security level for "
766 "tunneled traffic"),
767 sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
768 CTL_NET, PF_INET6, IPPROTO_AH,
769 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
770 sysctl_createv(clog, 0, NULL, NULL,
771 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
772 CTLTYPE_INT, "ah_trans_deflev",
773 SYSCTL_DESCR("Default required security level for "
774 "transport mode headers"),
775 sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
776 CTL_NET, PF_INET6, IPPROTO_AH,
777 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
778 sysctl_createv(clog, 0, NULL, NULL,
779 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
780 CTLTYPE_INT, "ah_net_deflev",
781 SYSCTL_DESCR("Default required security level for "
782 "tunneled headers"),
783 sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
784 CTL_NET, PF_INET6, IPPROTO_AH,
785 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
786 sysctl_createv(clog, 0, NULL, NULL,
787 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
788 CTLTYPE_INT, "ecn",
789 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
790 NULL, 0, &ip6_ipsec_ecn, 0,
791 CTL_NET, PF_INET6, IPPROTO_AH,
792 IPSECCTL_ECN, CTL_EOL);
793 sysctl_createv(clog, 0, NULL, NULL,
794 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
795 CTLTYPE_INT, "debug",
796 SYSCTL_DESCR("Enable IPSec debugging output"),
797 NULL, 0, &ipsec_debug, 0,
798 CTL_NET, PF_INET6, IPPROTO_AH,
799 IPSECCTL_DEBUG, CTL_EOL);
800 sysctl_createv(clog, 0, NULL, NULL,
801 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
802 CTLTYPE_INT, "enabled",
803 SYSCTL_DESCR("Enable IPSec processing"),
804 sysctl_net_ipsec_enabled, 0, NULL, 0,
805 CTL_NET, PF_INET6, IPPROTO_AH,
806 CTL_CREATE, CTL_EOL);
807 sysctl_createv(clog, 0, NULL, NULL,
808 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
809 CTLTYPE_INT, "used",
810 SYSCTL_DESCR("Is IPSec active?"),
811 NULL, 0, &ipsec_used, 0,
812 CTL_NET, PF_INET6, IPPROTO_AH,
813 CTL_CREATE, CTL_EOL);
814 /*
815 * "aliases" for the ipsec6 subtree
816 */
817 sysctl_createv(clog, 0, NULL, NULL,
818 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
819 CTLTYPE_NODE, "esp6", NULL,
820 NULL, IPPROTO_AH, NULL, 0,
821 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
822 sysctl_createv(clog, 0, NULL, NULL,
823 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
824 CTLTYPE_NODE, "ipcomp6", NULL,
825 NULL, IPPROTO_AH, NULL, 0,
826 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
827 sysctl_createv(clog, 0, NULL, NULL,
828 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
829 CTLTYPE_NODE, "ah6", NULL,
830 NULL, IPPROTO_AH, NULL, 0,
831 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
832}
833#endif /* INET6 */
834