search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Expand PMF_FN_* macros.
[netbsd-mini2440.git] / sys / netipsec / xform_ipip.c
blob38fbfb2aaf5233b84f9f31601bddb50beb9c305b
1 /* $NetBSD: xform_ipip.c,v 1.23 2008/04/24 11:38:38 ad Exp $ */
2 /* $FreeBSD: src/sys/netipsec/xform_ipip.c,v 1.3.2.1 2003/01/24 05:11:36 sam Exp $ */
3 /* $OpenBSD: ip_ipip.c,v 1.25 2002/06/10 18:04:55 itojun Exp $ */
4
5 /*
6 * The authors of this code are John Ioannidis (ji@tla.org),
7 * Angelos D. Keromytis (kermit@csd.uch.gr) and
8 * Niels Provos (provos@physnet.uni-hamburg.de).
9 *
10 * The original version of this code was written by John Ioannidis
11 * for BSD/OS in Athens, Greece, in November 1995.
12 *
13 * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
14 * by Angelos D. Keromytis.
15 *
16 * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
17 * and Niels Provos.
18 *
19 * Additional features in 1999 by Angelos D. Keromytis.
20 *
21 * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
22 * Angelos D. Keromytis and Niels Provos.
23 * Copyright (c) 2001, Angelos D. Keromytis.
24 *
25 * Permission to use, copy, and modify this software with or without fee
26 * is hereby granted, provided that this entire notice is included in
27 * all copies of any software which is or includes a copy or
28 * modification of this software.
29 * You may use this code under the GNU public license if you so wish. Please
30 * contribute changes back to the authors under this freer than GPL license
31 * so that we may further the use of strong encryption without limitations to
32 * all.
33 *
34 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
35 * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
36 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
37 * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
38 * PURPOSE.
39 */
40
41 #include <sys/cdefs.h>
42 __KERNEL_RCSID(0, "$NetBSD: xform_ipip.c,v 1.23 2008/04/24 11:38:38 ad Exp $");
43
44 /*
45 * IP-inside-IP processing
46 */
47 #include "opt_inet.h"
48 #ifdef __FreeBSD__
49 #include "opt_inet6.h"
50 #include "opt_random_ip_id.h"
51 #endif /* __FreeBSD__ */
52
53
54 #include <sys/param.h>
55 #include <sys/systm.h>
56 #include <sys/mbuf.h>
57 #include <sys/socket.h>
58 #include <sys/kernel.h>
59 #include <sys/protosw.h>
60 #include <sys/sysctl.h>
61
62 #include <net/if.h>
63 #include <net/route.h>
64 #include <net/netisr.h>
65
66 #include <netinet/in.h>
67 #include <netinet/in_systm.h>
68 #include <netinet/in_var.h>
69 #include <netinet/ip.h>
70 #include <netinet/ip_ecn.h>
71 #include <netinet/ip_var.h>
72 #include <netinet/ip_encap.h>
73 #ifdef __FreeBSD__
74 #include <netinet/ipprotosw.h>
75 #endif
76
77 #include <netipsec/ipsec.h>
78 #include <netipsec/ipsec_private.h>
79 #include <netipsec/xform.h>
80
81 #include <netipsec/ipip_var.h>
82
83 #ifdef MROUTING
84 #include <netinet/ip_mroute.h>
85 #endif
86
87 #ifdef INET6
88 #include <netinet/ip6.h>
89 #include <netipsec/ipsec6.h>
90 # ifdef __FreeBSD__
91 # include <netinet6/ip6_ecn.h>
92 # endif
93 #include <netinet6/in6_var.h>
94 #include <netinet6/ip6protosw.h>
95 #endif
96
97 #include <netipsec/key.h>
98 #include <netipsec/key_debug.h>
99 #include <netipsec/ipsec_osdep.h>
100
101 #include <machine/stdarg.h>
102
103 #ifdef __FreeBSD__
104 typedef void pr_in_input_t (struct mbuf *, int, int); /* XXX FIX THIS */
105 #else
106 typedef void pr_in_input_t (struct mbuf *m, ...);
107 #endif
108
109 /*
110 * We can control the acceptance of IP4 packets by altering the sysctl
111 * net.inet.ipip.allow value. Zero means drop them, all else is acceptance.
112 */
113 int ipip_allow = 0;
114
115 percpu_t *ipipstat_percpu;
116
117 #ifdef SYSCTL_DECL
118 SYSCTL_DECL(_net_inet_ipip);
119
120 SYSCTL_INT(_net_inet_ipip, OID_AUTO,
121 ipip_allow, CTLFLAG_RW, &ipip_allow, 0, "");
122 SYSCTL_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
123 stats, CTLFLAG_RD, &ipipstat, ipipstat, "");
124
125 #endif
126
127 #ifdef __FreeBSD__
128 static
129 #endif
130 void ipe4_attach(void);
131
132
133 /* XXX IPCOMP */
134 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
135
136 static void _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp);
137
138 #ifdef INET6
139 /*
140 * Really only a wrapper for ipip_input(), for use with IPv6.
141 */
142 int
143 ip4_input6(struct mbuf **m, int *offp, int proto)
144 {
145 #if 0
146 /* If we do not accept IP-in-IP explicitly, drop. */
147 if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
148 DPRINTF(("ip4_input6: dropped due to policy\n"));
149 IPIP_STATINC(IPIP_STAT_PDROPS);
150 m_freem(*m);
151 return IPPROTO_DONE;
152 }
153 #endif
154 _ipip_input(*m, *offp, NULL);
155 return IPPROTO_DONE;
156 }
157 #endif /* INET6 */
158
159 #ifdef INET
160 /*
161 * Really only a wrapper for ipip_input(), for use with IPv4.
162 */
163 void
164 ip4_input(struct mbuf *m, ...)
165 {
166 va_list ap;
167 int iphlen;
168
169 #if 0
170 /* If we do not accept IP-in-IP explicitly, drop. */
171 if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
172 DPRINTF(("ip4_input: dropped due to policy\n"));
173 IPIP_STATINC(IPIP_STAT_PDROPS);
174 m_freem(m);
175 return;
176 }
177 #endif
178 va_start(ap, m);
179 iphlen = va_arg(ap, int);
180 va_end(ap);
181
182 _ipip_input(m, iphlen, NULL);
183 }
184 #endif /* INET */
185
186 /*
187 * ipip_input gets called when we receive an IP{46} encapsulated packet,
188 * either because we got it at a real interface, or because AH or ESP
189 * were being used in tunnel mode (in which case the rcvif element will
190 * contain the address of the encX interface associated with the tunnel.
191 */
192
193 static void
194 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
195 {
196 register struct sockaddr_in *sin;
197 register struct ifnet *ifp;
198 register struct ifaddr *ifa;
199 struct ifqueue *ifq = NULL;
200 struct ip *ipo;
201 #ifdef INET6
202 register struct sockaddr_in6 *sin6;
203 struct ip6_hdr *ip6 = NULL;
204 u_int8_t itos;
205 #endif
206 u_int8_t nxt;
207 int isr;
208 u_int8_t otos;
209 u_int8_t v;
210 int hlen;
211
212 IPIP_STATINC(IPIP_STAT_IPACKETS);
213
214 m_copydata(m, 0, 1, &v);
215
216 switch (v >> 4) {
217 #ifdef INET
218 case 4:
219 hlen = sizeof(struct ip);
220 break;
221 #endif /* INET */
222 #ifdef INET6
223 case 6:
224 hlen = sizeof(struct ip6_hdr);
225 break;
226 #endif
227 default:
228 DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) "
229 "for outer header\n", v, v>>4));
230 IPIP_STATINC(IPIP_STAT_FAMILY);
231 m_freem(m);
232 return /* EAFNOSUPPORT */;
233 }
234
235 /* Bring the IP header in the first mbuf, if not there already */
236 if (m->m_len < hlen) {
237 if ((m = m_pullup(m, hlen)) == NULL) {
238 DPRINTF(("ipip_input: m_pullup (1) failed\n"));
239 IPIP_STATINC(IPIP_STAT_HDROPS);
240 return;
241 }
242 }
243
244 ipo = mtod(m, struct ip *);
245
246 #ifdef MROUTING
247 if (ipo->ip_v == IPVERSION && ipo->ip_p == IPPROTO_IPV4) {
248 if (IN_MULTICAST(((struct ip *)((char *) ipo + iphlen))->ip_dst.s_addr)) {
249 ipip_mroute_input (m, iphlen);
250 return;
251 }
252 }
253 #endif /* MROUTING */
254
255 /* Keep outer ecn field. */
256 switch (v >> 4) {
257 #ifdef INET
258 case 4:
259 otos = ipo->ip_tos;
260 break;
261 #endif /* INET */
262 #ifdef INET6
263 case 6:
264 otos = (ntohl(mtod(m, struct ip6_hdr *)->ip6_flow) >> 20) & 0xff;
265 break;
266 #endif
267 default:
268 panic("ipip_input: unknown ip version %u (outer)", v>>4);
269 }
270
271 /* Remove outer IP header */
272 m_adj(m, iphlen);
273
274 /* Sanity check */
275 if (m->m_pkthdr.len < sizeof(struct ip)) {
276 IPIP_STATINC(IPIP_STAT_HDROPS);
277 m_freem(m);
278 return;
279 }
280
281 m_copydata(m, 0, 1, &v);
282
283 switch (v >> 4) {
284 #ifdef INET
285 case 4:
286 hlen = sizeof(struct ip);
287 break;
288 #endif /* INET */
289
290 #ifdef INET6
291 case 6:
292 hlen = sizeof(struct ip6_hdr);
293 break;
294 #endif
295 default:
296 DPRINTF(("_ipip_input: bad protocol version 0x%x (%u) "
297 "for inner header\n", v, v>>4));
298 IPIP_STATINC(IPIP_STAT_FAMILY);
299 m_freem(m);
300 return; /* EAFNOSUPPORT */
301 }
302
303 /*
304 * Bring the inner IP header in the first mbuf, if not there already.
305 */
306 if (m->m_len < hlen) {
307 if ((m = m_pullup(m, hlen)) == NULL) {
308 DPRINTF(("ipip_input: m_pullup (2) failed\n"));
309 IPIP_STATINC(IPIP_STAT_HDROPS);
310 return;
311 }
312 }
313
314 /*
315 * RFC 1853 specifies that the inner TTL should not be touched on
316 * decapsulation. There's no reason this comment should be here, but
317 * this is as good as any a position.
318 */
319
320 /* Some sanity checks in the inner IP header */
321 switch (v >> 4) {
322 #ifdef INET
323 case 4:
324 ipo = mtod(m, struct ip *);
325 nxt = ipo->ip_p;
326 ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos);
327 break;
328 #endif /* INET */
329 #ifdef INET6
330 case 6:
331 ip6 = (struct ip6_hdr *) ipo;
332 nxt = ip6->ip6_nxt;
333 itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
334 ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos);
335 ip6->ip6_flow &= ~htonl(0xff << 20);
336 ip6->ip6_flow |= htonl((u_int32_t) itos << 20);
337 break;
338 #endif
339 default:
340 panic("ipip_input: unknown ip version %u (inner)", v>>4);
341 }
342
343 /* Check for local address spoofing. */
344 if ((m->m_pkthdr.rcvif == NULL ||
345 !(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
346 ipip_allow != 2) {
347 IFNET_FOREACH(ifp) {
348 IFADDR_FOREACH(ifa, ifp) {
349 #ifdef INET
350 if (ipo) {
351 if (ifa->ifa_addr->sa_family !=
352 AF_INET)
353 continue;
354
355 sin = (struct sockaddr_in *) ifa->ifa_addr;
356
357 if (sin->sin_addr.s_addr ==
358 ipo->ip_src.s_addr) {
359 IPIP_STATINC(IPIP_STAT_SPOOF);
360 m_freem(m);
361 return;
362 }
363 }
364 #endif /* INET */
365
366 #ifdef INET6
367 if (ip6) {
368 if (ifa->ifa_addr->sa_family !=
369 AF_INET6)
370 continue;
371
372 sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
373
374 if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
375 IPIP_STATINC(IPIP_STAT_SPOOF);
376 m_freem(m);
377 return;
378 }
379
380 }
381 #endif /* INET6 */
382 }
383 }
384 }
385
386 /* Statistics */
387 IPIP_STATADD(IPIP_STAT_IBYTES, m->m_pkthdr.len - iphlen);
388
389 /*
390 * Interface pointer stays the same; if no IPsec processing has
391 * been done (or will be done), this will point to a normal
392 * interface. Otherwise, it'll point to an enc interface, which
393 * will allow a packet filter to distinguish between secure and
394 * untrusted packets.
395 */
396
397 switch (v >> 4) {
398 #ifdef INET
399 case 4:
400 ifq = &ipintrq;
401 isr = NETISR_IP;
402 break;
403 #endif
404 #ifdef INET6
405 case 6:
406 ifq = &ip6intrq;
407 isr = NETISR_IPV6;
408 break;
409 #endif
410 default:
411 panic("ipip_input: should never reach here");
412 }
413
414 if (!IF_HANDOFF(ifq, m, NULL)) {
415 IPIP_STATINC(IPIP_STAT_QFULL);
416
417 DPRINTF(("ipip_input: packet dropped because of full queue\n"));
418 } else {
419 schednetisr(isr);
420 }
421 }
422
423 int
424 ipip_output(
425 struct mbuf *m,
426 struct ipsecrequest *isr,
427 struct mbuf **mp,
428 int skip,
429 int protoff
430 )
431 {
432 struct secasvar *sav;
433 u_int8_t tp, otos;
434 struct secasindex *saidx;
435 int error;
436 #ifdef INET
437 u_int8_t itos;
438 struct ip *ipo;
439 #endif /* INET */
440 #ifdef INET6
441 struct ip6_hdr *ip6, *ip6o;
442 #endif /* INET6 */
443
444 IPSEC_SPLASSERT_SOFTNET("ipip_output");
445
446 sav = isr->sav;
447 IPSEC_ASSERT(sav != NULL, ("ipip_output: null SA"));
448 IPSEC_ASSERT(sav->sah != NULL, ("ipip_output: null SAH"));
449
450 /* XXX Deal with empty TDB source/destination addresses. */
451
452 m_copydata(m, 0, 1, &tp);
453 tp = (tp >> 4) & 0xff; /* Get the IP version number. */
454
455 saidx = &sav->sah->saidx;
456 switch (saidx->dst.sa.sa_family) {
457 #ifdef INET
458 case AF_INET:
459 if (saidx->src.sa.sa_family != AF_INET ||
460 saidx->src.sin.sin_addr.s_addr == INADDR_ANY ||
461 saidx->dst.sin.sin_addr.s_addr == INADDR_ANY) {
462 DPRINTF(("ipip_output: unspecified tunnel endpoint "
463 "address in SA %s/%08lx\n",
464 ipsec_address(&saidx->dst),
465 (u_long) ntohl(sav->spi)));
466 IPIP_STATINC(IPIP_STAT_UNSPEC);
467 error = EINVAL;
468 goto bad;
469 }
470
471 M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
472 if (m == 0) {
473 DPRINTF(("ipip_output: M_PREPEND failed\n"));
474 IPIP_STATINC(IPIP_STAT_HDROPS);
475 error = ENOBUFS;
476 goto bad;
477 }
478
479 ipo = mtod(m, struct ip *);
480
481 ipo->ip_v = IPVERSION;
482 ipo->ip_hl = 5;
483 ipo->ip_len = htons(m->m_pkthdr.len);
484 ipo->ip_ttl = ip_defttl;
485 ipo->ip_sum = 0;
486 ipo->ip_src = saidx->src.sin.sin_addr;
487 ipo->ip_dst = saidx->dst.sin.sin_addr;
488
489 #if defined(__NetBSD__)
490 ipo->ip_id = ip_newid(NULL);
491 #elif defined(RANDOM_IP_ID)
492 ipo->ip_id = ip_randomid();
493 #else
494 ipo->ip_id = htons(ip_id++);
495 #endif
496
497 /* If the inner protocol is IP... */
498 if (tp == IPVERSION) {
499 /* Save ECN notification */
500 m_copydata(m, sizeof(struct ip) +
501 offsetof(struct ip, ip_tos),
502 sizeof(u_int8_t), &itos);
503
504 ipo->ip_p = IPPROTO_IPIP;
505
506 /*
507 * We should be keeping tunnel soft-state and
508 * send back ICMPs if needed.
509 */
510 m_copydata(m, sizeof(struct ip) +
511 offsetof(struct ip, ip_off),
512 sizeof(u_int16_t), &ipo->ip_off);
513 ipo->ip_off &= ~ IP_OFF_CONVERT(IP_DF | IP_MF | IP_OFFMASK);
514 }
515 #ifdef INET6
516 else if (tp == (IPV6_VERSION >> 4)) {
517 u_int32_t itos32;
518
519 /* Save ECN notification. */
520 m_copydata(m, sizeof(struct ip) +
521 offsetof(struct ip6_hdr, ip6_flow),
522 sizeof(u_int32_t), &itos32);
523 itos = ntohl(itos32) >> 20;
524 ipo->ip_p = IPPROTO_IPV6;
525 ipo->ip_off = 0;
526 }
527 #endif /* INET6 */
528 else {
529 goto nofamily;
530 }
531
532 otos = 0;
533 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
534 ipo->ip_tos = otos;
535 break;
536 #endif /* INET */
537
538 #ifdef INET6
539 case AF_INET6:
540 if (IN6_IS_ADDR_UNSPECIFIED(&saidx->dst.sin6.sin6_addr) ||
541 saidx->src.sa.sa_family != AF_INET6 ||
542 IN6_IS_ADDR_UNSPECIFIED(&saidx->src.sin6.sin6_addr)) {
543 DPRINTF(("ipip_output: unspecified tunnel endpoint "
544 "address in SA %s/%08lx\n",
545 ipsec_address(&saidx->dst),
546 (u_long) ntohl(sav->spi)));
547 IPIP_STATINC(IPIP_STAT_UNSPEC);
548 error = ENOBUFS;
549 goto bad;
550 }
551
552 /* scoped address handling */
553 ip6 = mtod(m, struct ip6_hdr *);
554 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_src))
555 ip6->ip6_src.s6_addr16[1] = 0;
556 if (IN6_IS_SCOPE_LINKLOCAL(&ip6->ip6_dst))
557 ip6->ip6_dst.s6_addr16[1] = 0;
558
559 M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT);
560 if (m == 0) {
561 DPRINTF(("ipip_output: M_PREPEND failed\n"));
562 IPIP_STATINC(IPIP_STAT_HDROPS);
563 error = ENOBUFS;
564 goto bad;
565 }
566
567 /* Initialize IPv6 header */
568 ip6o = mtod(m, struct ip6_hdr *);
569 ip6o->ip6_flow = 0;
570 ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
571 ip6o->ip6_vfc |= IPV6_VERSION;
572 ip6o->ip6_plen = htons(m->m_pkthdr.len);
573 ip6o->ip6_hlim = ip_defttl;
574 ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
575 ip6o->ip6_src = saidx->src.sin6.sin6_addr;
576
577 #ifdef INET
578 if (tp == IPVERSION) {
579 /* Save ECN notification */
580 m_copydata(m, sizeof(struct ip6_hdr) +
581 offsetof(struct ip, ip_tos), sizeof(u_int8_t),
582 &itos);
583
584 /* This is really IPVERSION. */
585 ip6o->ip6_nxt = IPPROTO_IPIP;
586 } else
587 #endif /* INET */
588 if (tp == (IPV6_VERSION >> 4)) {
589 u_int32_t itos32;
590
591 /* Save ECN notification. */
592 m_copydata(m, sizeof(struct ip6_hdr) +
593 offsetof(struct ip6_hdr, ip6_flow),
594 sizeof(u_int32_t), &itos32);
595 itos = ntohl(itos32) >> 20;
596
597 ip6o->ip6_nxt = IPPROTO_IPV6;
598 } else {
599 goto nofamily;
600 }
601
602 otos = 0;
603 ip_ecn_ingress(ECN_ALLOWED, &otos, &itos);
604 ip6o->ip6_flow |= htonl((u_int32_t) otos << 20);
605 break;
606 #endif /* INET6 */
607
608 default:
609 nofamily:
610 DPRINTF(("ipip_output: unsupported protocol family %u\n",
611 saidx->dst.sa.sa_family));
612 IPIP_STATINC(IPIP_STAT_FAMILY);
613 error = EAFNOSUPPORT; /* XXX diffs from openbsd */
614 goto bad;
615 }
616
617 IPIP_STATINC(IPIP_STAT_OPACKETS);
618 *mp = m;
619
620 #ifdef INET
621 if (saidx->dst.sa.sa_family == AF_INET) {
622 #if 0
623 if (sav->tdb_xform->xf_type == XF_IP4)
624 tdb->tdb_cur_bytes +=
625 m->m_pkthdr.len - sizeof(struct ip);
626 #endif
627 IPIP_STATADD(IPIP_STAT_OBYTES,
628 m->m_pkthdr.len - sizeof(struct ip));
629 }
630 #endif /* INET */
631
632 #ifdef INET6
633 if (saidx->dst.sa.sa_family == AF_INET6) {
634 #if 0
635 if (sav->tdb_xform->xf_type == XF_IP4)
636 tdb->tdb_cur_bytes +=
637 m->m_pkthdr.len - sizeof(struct ip6_hdr);
638 #endif
639 IPIP_STATADD(IPIP_STAT_IBYTES,
640 m->m_pkthdr.len - sizeof(struct ip6_hdr));
641 }
642 #endif /* INET6 */
643
644 return 0;
645 bad:
646 if (m)
647 m_freem(m);
648 *mp = NULL;
649 return (error);
650 }
651
652 #ifdef FAST_IPSEC
653 static int
654 ipe4_init(struct secasvar *sav, struct xformsw *xsp)
655 {
656 sav->tdb_xform = xsp;
657 return 0;
658 }
659
660 static int
661 ipe4_zeroize(struct secasvar *sav)
662 {
663 sav->tdb_xform = NULL;
664 return 0;
665 }
666
667 static int
668 ipe4_input(
669 struct mbuf *m,
670 struct secasvar *sav,
671 int skip,
672 int protoff
673 )
674 {
675 /* This is a rather serious mistake, so no conditional printing. */
676 printf("ipe4_input: should never be called\n");
677 if (m)
678 m_freem(m);
679 return EOPNOTSUPP;
680 }
681
682 static struct xformsw ipe4_xformsw = {
683 XF_IP4, 0, "IPv4 Simple Encapsulation",
684 ipe4_init, ipe4_zeroize, ipe4_input, ipip_output,
685 NULL,
686 };
687
688 #ifdef INET
689 PR_WRAP_CTLOUTPUT(rip_ctloutput)
690 PR_WRAP_USRREQ(rip_usrreq)
691 #define rip_ctloutput rip_ctloutput_wrapper
692 #define rip_usrreq rip_usrreq_wrapper
693
694 extern struct domain inetdomain;
695 static struct ipprotosw ipe4_protosw = {
696 .pr_type = SOCK_RAW,
697 .pr_domain = &inetdomain,
698 .pr_protocol = IPPROTO_IPV4,
699 .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
700 .pr_input = ip4_input,
701 .pr_output = 0,
702 .pr_ctlinput = 0,
703 .pr_ctloutput = rip_ctloutput,
704 .pr_usrreq = rip_usrreq,
705 .pr_init = 0,
706 .pr_fasttimo = 0,
707 .pr_slowtimo = 0,
708 .pr_drain = 0,
709 };
710 #endif
711 #ifdef INET6
712 PR_WRAP_CTLOUTPUT(rip6_ctloutput)
713 PR_WRAP_USRREQ(rip6_usrreq)
714 #define rip6_ctloutput rip6_ctloutput_wrapper
715 #define rip6_usrreq rip6_usrreq_wrapper
716
717 extern struct domain inet6domain;
718 static struct ip6protosw ipe4_protosw6 = {
719 .pr_type = SOCK_RAW,
720 .pr_domain = &inet6domain,
721 .pr_protocol = IPPROTO_IPV6,
722 .pr_flags = PR_ATOMIC|PR_ADDR|PR_LASTHDR,
723 .pr_input = ip4_input6,
724 .pr_output = 0,
725 .pr_ctlinput = 0,
726 .pr_ctloutput = rip6_ctloutput,
727 .pr_usrreq = rip6_usrreq,
728 .pr_init = 0,
729 .pr_fasttimo = 0,
730 .pr_slowtimo = 0,
731 .pr_drain = 0,
732 };
733 #endif
734
735 #endif /* FAST_IPSEC */
736
737 /*
738 * Check the encapsulated packet to see if we want it
739 */
740 static int
741 ipe4_encapcheck(struct mbuf *m,
742 int off,
743 int proto,
744 void *arg
745 )
746 {
747 /*
748 * Only take packets coming from IPSEC tunnels; the rest
749 * must be handled by the gif tunnel code. Note that we
750 * also return a minimum priority when we want the packet
751 * so any explicit gif tunnels take precedence.
752 */
753 return ((m->m_flags & M_IPSEC) != 0 ? 1 : 0);
754 }
755
756 INITFN void
757 ipe4_attach(void)
758 {
759
760 ipipstat_percpu = percpu_alloc(sizeof(uint64_t) * IPIP_NSTATS);
761
762 xform_register(&ipe4_xformsw);
763 /* attach to encapsulation framework */
764 /* XXX save return cookie for detach on module remove */
765 #ifdef INET
766 (void) encap_attach_func(AF_INET, -1,
767 ipe4_encapcheck, (struct protosw*) &ipe4_protosw, NULL);
768 #endif
769 #ifdef INET6
770 (void) encap_attach_func(AF_INET6, -1,
771 ipe4_encapcheck, (struct protosw*) &ipe4_protosw6, NULL);
772 #endif
773 }
774
775 #ifdef SYSINIT
776 SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
777 #endif
778
NetBSD on the FriendlyARM MINI2440