4 * Copyright (C) 2001-2003 by Darren Reed
6 * See the IPFILTER.LICENCE file for details on licencing.
8 * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
11 * Id: ip_ipsec_pxy.c,v 2.20.2.11 2008/11/06 21:18:34 darrenr Exp
15 #include <sys/cdefs.h>
16 __KERNEL_RCSID(1, "$NetBSD$");
18 #define IPF_IPSEC_PROXY
21 int ippr_ipsec_init
__P((void));
22 void ippr_ipsec_fini
__P((void));
23 int ippr_ipsec_new
__P((fr_info_t
*, ap_session_t
*, nat_t
*));
24 void ippr_ipsec_del
__P((ap_session_t
*));
25 int ippr_ipsec_inout
__P((fr_info_t
*, ap_session_t
*, nat_t
*));
26 int ippr_ipsec_match
__P((fr_info_t
*, ap_session_t
*, nat_t
*));
28 static frentry_t ipsecfr
;
29 static ipftq_t
*ipsecnattqe
;
30 static ipftq_t
*ipsecstatetqe
;
31 static char ipsec_buffer
[1500];
33 int ipsec_proxy_init
= 0;
34 int ipsec_proxy_ttl
= 60;
37 * IPSec application proxy initialization.
41 bzero((char *)&ipsecfr
, sizeof(ipsecfr
));
43 ipsecfr
.fr_flags
= FR_OUTQUE
|FR_PASS
|FR_QUICK
|FR_KEEPSTATE
;
44 MUTEX_INIT(&ipsecfr
.fr_lock
, "IPsec proxy rule lock");
47 ipsecnattqe
= fr_addtimeoutqueue(&nat_utqe
, ipsec_proxy_ttl
);
48 if (ipsecnattqe
== NULL
)
50 ipsecstatetqe
= fr_addtimeoutqueue(&ips_utqe
, ipsec_proxy_ttl
);
51 if (ipsecstatetqe
== NULL
) {
52 if (fr_deletetimeoutqueue(ipsecnattqe
) == 0)
53 fr_freetimeoutqueue(ipsecnattqe
);
58 ipsecnattqe
->ifq_flags
|= IFQF_PROXY
;
59 ipsecstatetqe
->ifq_flags
|= IFQF_PROXY
;
61 ipsecfr
.fr_age
[0] = ipsec_proxy_ttl
;
62 ipsecfr
.fr_age
[1] = ipsec_proxy_ttl
;
67 void ippr_ipsec_fini()
69 if (ipsecnattqe
!= NULL
) {
70 if (fr_deletetimeoutqueue(ipsecnattqe
) == 0)
71 fr_freetimeoutqueue(ipsecnattqe
);
74 if (ipsecstatetqe
!= NULL
) {
75 if (fr_deletetimeoutqueue(ipsecstatetqe
) == 0)
76 fr_freetimeoutqueue(ipsecstatetqe
);
80 if (ipsec_proxy_init
== 1) {
81 MUTEX_DESTROY(&ipsecfr
.fr_lock
);
88 * Setup for a new IPSEC proxy.
90 int ippr_ipsec_new(fin
, aps
, nat
)
99 int p
, off
, dlen
, ttl
;
103 off
= fin
->fin_plen
- fin
->fin_dlen
+ fin
->fin_ipoff
;
104 bzero(ipsec_buffer
, sizeof(ipsec_buffer
));
108 dlen
= M_LEN(m
) - off
;
111 COPYDATA(m
, off
, MIN(sizeof(ipsec_buffer
), dlen
), ipsec_buffer
);
113 if (nat_outlookup(fin
, 0, IPPROTO_ESP
, nat
->nat_inip
,
117 aps
->aps_psiz
= sizeof(*ipsec
);
118 KMALLOCS(aps
->aps_data
, ipsec_pxy_t
*, sizeof(*ipsec
));
119 if (aps
->aps_data
== NULL
)
122 ipsec
= aps
->aps_data
;
123 bzero((char *)ipsec
, sizeof(*ipsec
));
126 * Create NAT rule against which the tunnel/transport mapping is
127 * created. This is required because the current NAT rule does not
128 * describe ESP but UDP instead.
130 ipn
= &ipsec
->ipsc_rule
;
131 ttl
= IPF_TTLVAL(ipsecnattqe
->ifq_ttl
);
132 ipn
->in_tqehead
[0] = fr_addtimeoutqueue(&nat_utqe
, ttl
);
133 ipn
->in_tqehead
[1] = fr_addtimeoutqueue(&nat_utqe
, ttl
);
134 ipn
->in_ifps
[0] = fin
->fin_ifp
;
138 ipn
->in_nip
= ntohl(nat
->nat_outip
.s_addr
);
140 ipn
->in_inip
= nat
->nat_inip
.s_addr
;
141 ipn
->in_inmsk
= 0xffffffff;
142 ipn
->in_outip
= fin
->fin_saddr
;
143 ipn
->in_outmsk
= nat
->nat_outip
.s_addr
;
144 ipn
->in_srcip
= fin
->fin_saddr
;
145 ipn
->in_srcmsk
= 0xffffffff;
146 ipn
->in_redir
= NAT_MAP
;
147 bcopy(nat
->nat_ptr
->in_ifnames
[0], ipn
->in_ifnames
[0],
148 sizeof(ipn
->in_ifnames
[0]));
149 ipn
->in_p
= IPPROTO_ESP
;
151 bcopy((char *)fin
, (char *)&fi
, sizeof(fi
));
152 fi
.fin_fi
.fi_p
= IPPROTO_ESP
;
153 fi
.fin_fr
= &ipsecfr
;
157 ip
->ip_p
= IPPROTO_ESP
;
158 fi
.fin_flx
&= ~(FI_TCPUDP
|FI_STATE
|FI_FRAG
);
159 fi
.fin_flx
|= FI_IGNORE
;
162 bcopy(ptr
, (char *)ipsec
->ipsc_icookie
, sizeof(ipsec_cookie_t
));
163 ptr
+= sizeof(ipsec_cookie_t
);
164 bcopy(ptr
, (char *)ipsec
->ipsc_rcookie
, sizeof(ipsec_cookie_t
));
166 * The responder cookie should only be non-zero if the initiator
167 * cookie is non-zero. Therefore, it is safe to assume(!) that the
168 * cookies are both set after copying if the responder is non-zero.
170 if ((ipsec
->ipsc_rcookie
[0]|ipsec
->ipsc_rcookie
[1]) != 0)
171 ipsec
->ipsc_rckset
= 1;
173 MUTEX_ENTER(&ipf_nat_new
);
174 ipsec
->ipsc_nat
= nat_new(&fi
, ipn
, &ipsec
->ipsc_nat
,
175 NAT_SLAVE
|SI_WILDP
, NAT_OUTBOUND
);
176 MUTEX_EXIT(&ipf_nat_new
);
177 if (ipsec
->ipsc_nat
!= NULL
) {
178 (void) nat_proto(&fi
, ipsec
->ipsc_nat
, 0);
179 MUTEX_ENTER(&ipsec
->ipsc_nat
->nat_lock
);
180 nat_update(&fi
, ipsec
->ipsc_nat
);
181 MUTEX_EXIT(&ipsec
->ipsc_nat
->nat_lock
);
185 ipsec
->ipsc_state
= fr_addstate(&fi
, &ipsec
->ipsc_state
,
194 * For outgoing IKE packets. refresh timeouts for NAT & state entries, if
195 * we can. If they have disappeared, recreate them.
197 int ippr_ipsec_inout(fin
, aps
, nat
)
207 if ((fin
->fin_out
== 1) && (nat
->nat_dir
== NAT_INBOUND
))
210 if ((fin
->fin_out
== 0) && (nat
->nat_dir
== NAT_OUTBOUND
))
213 ipsec
= aps
->aps_data
;
219 if ((ipsec
->ipsc_nat
== NULL
) || (ipsec
->ipsc_state
== NULL
)) {
220 bcopy((char *)fin
, (char *)&fi
, sizeof(fi
));
221 fi
.fin_fi
.fi_p
= IPPROTO_ESP
;
222 fi
.fin_fr
= &ipsecfr
;
225 ip
->ip_p
= IPPROTO_ESP
;
226 fi
.fin_flx
&= ~(FI_TCPUDP
|FI_STATE
|FI_FRAG
);
227 fi
.fin_flx
|= FI_IGNORE
;
231 * Update NAT timeout/create NAT if missing.
233 if (ipsec
->ipsc_nat
!= NULL
)
234 fr_queueback(&ipsec
->ipsc_nat
->nat_tqe
);
236 MUTEX_ENTER(&ipf_nat_new
);
237 ipsec
->ipsc_nat
= nat_new(&fi
, &ipsec
->ipsc_rule
,
241 MUTEX_EXIT(&ipf_nat_new
);
242 if (ipsec
->ipsc_nat
!= NULL
) {
243 (void) nat_proto(&fi
, ipsec
->ipsc_nat
, 0);
244 MUTEX_ENTER(&ipsec
->ipsc_nat
->nat_lock
);
245 nat_update(&fi
, ipsec
->ipsc_nat
);
246 MUTEX_EXIT(&ipsec
->ipsc_nat
->nat_lock
);
251 * Update state timeout/create state if missing.
253 READ_ENTER(&ipf_state
);
254 if (ipsec
->ipsc_state
!= NULL
) {
255 fr_queueback(&ipsec
->ipsc_state
->is_sti
);
256 ipsec
->ipsc_state
->is_die
= nat
->nat_age
;
257 RWLOCK_EXIT(&ipf_state
);
259 RWLOCK_EXIT(&ipf_state
);
262 ipsec
->ipsc_state
= fr_addstate(&fi
,
273 * This extends the NAT matching to be based on the cookies associated with
274 * a session and found at the front of IKE packets. The cookies are always
275 * in the same order (not reversed depending on packet flow direction as with
276 * UDP/TCP port numbers).
278 int ippr_ipsec_match(fin
, aps
, nat
)
288 nat
= nat
; /* LINT */
290 if ((fin
->fin_dlen
< sizeof(cookies
)) || (fin
->fin_flx
& FI_FRAG
))
293 off
= fin
->fin_plen
- fin
->fin_dlen
+ fin
->fin_ipoff
;
294 ipsec
= aps
->aps_data
;
296 COPYDATA(m
, off
, sizeof(cookies
), (char *)cookies
);
298 if ((cookies
[0] != ipsec
->ipsc_icookie
[0]) ||
299 (cookies
[1] != ipsec
->ipsc_icookie
[1]))
302 if (ipsec
->ipsc_rckset
== 0) {
303 if ((cookies
[2]|cookies
[3]) == 0) {
306 ipsec
->ipsc_rckset
= 1;
307 ipsec
->ipsc_rcookie
[0] = cookies
[2];
308 ipsec
->ipsc_rcookie
[1] = cookies
[3];
312 if ((cookies
[2] != ipsec
->ipsc_rcookie
[0]) ||
313 (cookies
[3] != ipsec
->ipsc_rcookie
[1]))
320 * clean up after ourselves.
322 void ippr_ipsec_del(aps
)
327 ipsec
= aps
->aps_data
;
331 * Don't bother changing any of the NAT structure details,
332 * *_del() is on a callback from aps_free(), from nat_delete()
335 READ_ENTER(&ipf_state
);
336 if (ipsec
->ipsc_state
!= NULL
) {
337 ipsec
->ipsc_state
->is_die
= fr_ticks
+ 1;
338 ipsec
->ipsc_state
->is_me
= NULL
;
339 fr_queuefront(&ipsec
->ipsc_state
->is_sti
);
341 RWLOCK_EXIT(&ipf_state
);
343 ipsec
->ipsc_state
= NULL
;
344 ipsec
->ipsc_nat
= NULL
;
