No empty .Rs/.Re
[netbsd-mini2440.git] / sys / netipsec / ipsec_netbsd.c
blobf54e18e8ca98bca592ac5fb42413dc75d8320552
1 /* $NetBSD: ipsec_netbsd.c,v 1.31 2008/04/27 12:58:48 degroote Exp $ */
2 /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
3 /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.31 2008/04/27 12:58:48 degroote Exp $");
37 #include "opt_inet.h"
38 #include "opt_ipsec.h"
40 #include <sys/param.h>
41 #include <sys/systm.h>
42 #include <sys/malloc.h>
43 #include <sys/mbuf.h>
44 #include <sys/domain.h>
45 #include <sys/protosw.h>
46 #include <sys/socket.h>
47 #include <sys/errno.h>
48 #include <sys/time.h>
49 #include <sys/kernel.h>
50 #include <sys/sysctl.h>
52 #include <net/if.h>
53 #include <net/route.h>
54 #include <net/netisr.h>
55 #include <sys/cpu.h>
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
66 #include <netipsec/ipsec.h>
67 #include <netipsec/ipsec_var.h>
68 #include <netipsec/ipsec_private.h>
69 #include <netipsec/key.h>
70 #include <netipsec/keydb.h>
71 #include <netipsec/key_debug.h>
72 #include <netipsec/ah.h>
73 #include <netipsec/ah_var.h>
74 #include <netipsec/esp.h>
75 #include <netipsec/esp_var.h>
76 #include <netipsec/ipip_var.h>
77 #include <netipsec/ipcomp_var.h>
79 #ifdef INET6
80 #include <netipsec/ipsec6.h>
81 #include <netinet6/ip6protosw.h>
82 #include <netinet/icmp6.h>
83 #endif
85 #include <machine/stdarg.h>
89 #include <netipsec/key.h>
91 /* assumes that ip header and ah header are contiguous on mbuf */
92 void*
93 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
95 struct ip *ip = v;
96 struct ah *ah;
97 struct icmp *icp;
98 struct secasvar *sav;
100 if (sa->sa_family != AF_INET ||
101 sa->sa_len != sizeof(struct sockaddr_in))
102 return NULL;
103 if ((unsigned)cmd >= PRC_NCMDS)
104 return NULL;
106 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
108 * Check to see if we have a valid SA corresponding to
109 * the address in the ICMP message payload.
111 ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
112 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
113 IPPROTO_AH, ah->ah_spi, 0, 0);
115 if (sav) {
116 if (sav->state == SADB_SASTATE_MATURE ||
117 sav->state == SADB_SASTATE_DYING) {
120 * Now that we've validated that we are actually
121 * communicating with the host indicated in the
122 * ICMP message, locate the ICMP header,
123 * recalculate the new MTU, and create the
124 * corresponding routing entry.
126 icp = (struct icmp *)((char *)ip -
127 offsetof(struct icmp, icmp_ip));
128 icmp_mtudisc(icp, ip->ip_dst);
131 KEY_FREESAV(&sav);
134 return NULL;
139 /* assumes that ip header and esp header are contiguous on mbuf */
140 void*
141 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
143 struct ip *ip = v;
144 struct esp *esp;
145 struct icmp *icp;
146 struct secasvar *sav;
148 if (sa->sa_family != AF_INET ||
149 sa->sa_len != sizeof(struct sockaddr_in))
150 return NULL;
151 if ((unsigned)cmd >= PRC_NCMDS)
152 return NULL;
154 if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
156 * Check to see if we have a valid SA corresponding to
157 * the address in the ICMP message payload.
159 esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
160 sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
161 IPPROTO_ESP, esp->esp_spi, 0, 0);
163 if (sav) {
164 if (sav->state == SADB_SASTATE_MATURE ||
165 sav->state == SADB_SASTATE_DYING) {
168 * Now that we've validated that we are actually
169 * communicating with the host indicated in the
170 * ICMP message, locate the ICMP header,
171 * recalculate the new MTU, and create the
172 * corresponding routing entry.
175 icp = (struct icmp *)((char *)ip -
176 offsetof(struct icmp, icmp_ip));
177 icmp_mtudisc(icp, ip->ip_dst);
180 KEY_FREESAV(&sav);
183 return NULL;
186 #ifdef INET6
187 void *
188 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
190 const struct newah *ahp;
191 struct newah ah;
192 struct secasvar *sav;
193 struct ip6_hdr *ip6;
194 struct mbuf *m;
195 struct ip6ctlparam *ip6cp = NULL;
196 int off;
198 if (sa->sa_family != AF_INET6 ||
199 sa->sa_len != sizeof(struct sockaddr_in6))
200 return NULL;
201 if ((unsigned)cmd >= PRC_NCMDS)
202 return NULL;
204 /* if the parameter is from icmp6, decode it. */
205 if (d != NULL) {
206 ip6cp = (struct ip6ctlparam *)d;
207 m = ip6cp->ip6c_m;
208 ip6 = ip6cp->ip6c_ip6;
209 off = ip6cp->ip6c_off;
210 } else {
211 m = NULL;
212 ip6 = NULL;
213 off = 0;
216 if (ip6) {
218 * XXX: We assume that when ip6 is non NULL,
219 * M and OFF are valid.
222 /* check if we can safely examine src and dst ports */
223 if (m->m_pkthdr.len < off + sizeof(ah))
224 return NULL;
226 if (m->m_len < off + sizeof(ah)) {
228 * this should be rare case,
229 * so we compromise on this copy...
231 m_copydata(m, off, sizeof(ah), &ah);
232 ahp = &ah;
233 } else
234 ahp = (struct newah *)(mtod(m, char *) + off);
236 if (cmd == PRC_MSGSIZE) {
237 int valid = 0;
240 * Check to see if we have a valid SA corresponding
241 * to the address in the ICMP message payload.
243 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
244 IPPROTO_AH, ahp->ah_spi, 0, 0);
246 if (sav) {
247 if (sav->state == SADB_SASTATE_MATURE ||
248 sav->state == SADB_SASTATE_DYING)
249 valid++;
250 KEY_FREESAV(&sav);
253 /* XXX Further validation? */
256 * Depending on the value of "valid" and routing
257 * table size (mtudisc_{hi,lo}wat), we will:
258 * - recalcurate the new MTU and create the
259 * corresponding routing entry, or
260 * - ignore the MTU change notification.
262 icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
265 /* we normally notify single pcb here */
266 } else {
267 /* we normally notify any pcb here */
269 return NULL;
274 void *
275 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
277 const struct newesp *espp;
278 struct newesp esp;
279 struct ip6ctlparam *ip6cp = NULL, ip6cp1;
280 struct secasvar *sav;
281 struct ip6_hdr *ip6;
282 struct mbuf *m;
283 int off;
285 if (sa->sa_family != AF_INET6 ||
286 sa->sa_len != sizeof(struct sockaddr_in6))
287 return NULL;
288 if ((unsigned)cmd >= PRC_NCMDS)
289 return NULL;
291 /* if the parameter is from icmp6, decode it. */
292 if (d != NULL) {
293 ip6cp = (struct ip6ctlparam *)d;
294 m = ip6cp->ip6c_m;
295 ip6 = ip6cp->ip6c_ip6;
296 off = ip6cp->ip6c_off;
297 } else {
298 m = NULL;
299 ip6 = NULL;
300 off = 0;
303 if (ip6) {
305 * Notify the error to all possible sockets via pfctlinput2.
306 * Since the upper layer information (such as protocol type,
307 * source and destination ports) is embedded in the encrypted
308 * data and might have been cut, we can't directly call
309 * an upper layer ctlinput function. However, the pcbnotify
310 * function will consider source and destination addresses
311 * as well as the flow info value, and may be able to find
312 * some PCB that should be notified.
313 * Although pfctlinput2 will call esp6_ctlinput(), there is
314 * no possibility of an infinite loop of function calls,
315 * because we don't pass the inner IPv6 header.
317 memset(&ip6cp1, 0, sizeof(ip6cp1));
318 ip6cp1.ip6c_src = ip6cp->ip6c_src;
319 pfctlinput2(cmd, sa, &ip6cp1);
322 * Then go to special cases that need ESP header information.
323 * XXX: We assume that when ip6 is non NULL,
324 * M and OFF are valid.
327 /* check if we can safely examine src and dst ports */
328 if (m->m_pkthdr.len < off + sizeof(esp))
329 return NULL;
331 if (m->m_len < off + sizeof(esp)) {
333 * this should be rare case,
334 * so we compromise on this copy...
336 m_copydata(m, off, sizeof(esp), &esp);
337 espp = &esp;
338 } else
339 espp = (struct newesp*)(mtod(m, char *) + off);
341 if (cmd == PRC_MSGSIZE) {
342 int valid = 0;
345 * Check to see if we have a valid SA corresponding to
346 * the address in the ICMP message payload.
349 sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
350 IPPROTO_ESP, espp->esp_spi, 0, 0);
352 if (sav) {
353 if (sav->state == SADB_SASTATE_MATURE ||
354 sav->state == SADB_SASTATE_DYING)
355 valid++;
356 KEY_FREESAV(&sav);
359 /* XXX Further validation? */
362 * Depending on the value of "valid" and routing table
363 * size (mtudisc_{hi,lo}wat), we will:
364 * - recalcurate the new MTU and create the
365 * corresponding routing entry, or
366 * - ignore the MTU change notification.
368 icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
370 } else {
371 /* we normally notify any pcb here */
373 return NULL;
375 #endif /* INET6 */
377 static int
378 sysctl_fast_ipsec(SYSCTLFN_ARGS)
380 int error, t;
381 struct sysctlnode node;
383 node = *rnode;
384 t = *(int*)rnode->sysctl_data;
385 node.sysctl_data = &t;
386 error = sysctl_lookup(SYSCTLFN_CALL(&node));
387 if (error || newp == NULL)
388 return (error);
390 switch (rnode->sysctl_num) {
391 case IPSECCTL_DEF_ESP_TRANSLEV:
392 case IPSECCTL_DEF_ESP_NETLEV:
393 case IPSECCTL_DEF_AH_TRANSLEV:
394 case IPSECCTL_DEF_AH_NETLEV:
395 if (t != IPSEC_LEVEL_USE &&
396 t != IPSEC_LEVEL_REQUIRE)
397 return (EINVAL);
398 ipsec_invalpcbcacheall();
399 break;
400 case IPSECCTL_DEF_POLICY:
401 if (t != IPSEC_POLICY_DISCARD &&
402 t != IPSEC_POLICY_NONE)
403 return (EINVAL);
404 ipsec_invalpcbcacheall();
405 break;
406 default:
407 return (EINVAL);
410 *(int*)rnode->sysctl_data = t;
412 return (0);
415 #ifdef IPSEC_DEBUG
416 static int
417 sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
419 int t, error;
420 struct sysctlnode node;
422 node = *rnode;
423 t = *(int*)rnode->sysctl_data;
424 node.sysctl_data = &t;
425 error = sysctl_lookup(SYSCTLFN_CALL(&node));
426 if (error || newp == NULL)
427 return (error);
429 if (t < 0 || t > 1)
430 return EINVAL;
432 if (rnode->sysctl_data == &ipsec_replay)
433 printf("fast_ipsec: Anti-Replay service %s\n",
434 (t == 1) ? "deactivated" : "activated");
435 else if (rnode->sysctl_data == &ipsec_integrity)
436 printf("fast_ipsec: HMAC corruption %s\n",
437 (t == 0) ? "deactivated" : "activated");
439 *(int*)rnode->sysctl_data = t;
441 return 0;
443 #endif
445 static int
446 sysctl_net_inet_fast_ipsec_stats(SYSCTLFN_ARGS)
449 return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
452 static int
453 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
456 return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
459 static int
460 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
463 return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
466 static int
467 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
470 return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
473 static int
474 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
477 return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
480 /* XXX will need a different oid at parent */
481 SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
483 const struct sysctlnode *_ipsec;
484 int ipproto_ipsec;
486 sysctl_createv(clog, 0, NULL, NULL,
487 CTLFLAG_PERMANENT,
488 CTLTYPE_NODE, "net", NULL,
489 NULL, 0, NULL, 0,
490 CTL_NET, CTL_EOL);
491 sysctl_createv(clog, 0, NULL, NULL,
492 CTLFLAG_PERMANENT,
493 CTLTYPE_NODE, "inet", NULL,
494 NULL, 0, NULL, 0,
495 CTL_NET, PF_INET, CTL_EOL);
498 * in numerical order:
500 * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
501 * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
502 * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
503 * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
504 * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
506 * this creates separate trees by name, but maintains that the
507 * ipsec name leads to all the old leaves.
510 /* create net.inet.ipip */
511 sysctl_createv(clog, 0, NULL, NULL,
512 CTLFLAG_PERMANENT,
513 CTLTYPE_NODE, "ipip", NULL,
514 NULL, 0, NULL, 0,
515 CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
516 sysctl_createv(clog, 0, NULL, NULL,
517 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
518 CTLTYPE_STRUCT, "ipip_stats", NULL,
519 sysctl_net_inet_ipip_stats, 0, NULL, 0,
520 CTL_NET, PF_INET, IPPROTO_IPIP,
521 CTL_CREATE, CTL_EOL);
523 /* create net.inet.esp subtree under IPPROTO_ESP */
524 sysctl_createv(clog, 0, NULL, NULL,
525 CTLFLAG_PERMANENT,
526 CTLTYPE_NODE, "esp", NULL,
527 NULL, 0, NULL, 0,
528 CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
529 sysctl_createv(clog, 0, NULL, NULL,
530 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
531 CTLTYPE_INT, "trans_deflev", NULL,
532 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
533 CTL_NET, PF_INET, IPPROTO_ESP,
534 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
535 sysctl_createv(clog, 0, NULL, NULL,
536 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
537 CTLTYPE_INT, "net_deflev", NULL,
538 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
539 CTL_NET, PF_INET, IPPROTO_ESP,
540 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
541 sysctl_createv(clog, 0, NULL, NULL,
542 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
543 CTLTYPE_STRUCT, "esp_stats", NULL,
544 sysctl_net_inet_esp_stats, 0, NULL, 0,
545 CTL_NET, PF_INET, IPPROTO_ESP,
546 CTL_CREATE, CTL_EOL);
548 /* create net.inet.ah subtree under IPPROTO_AH */
549 sysctl_createv(clog, 0, NULL, NULL,
550 CTLFLAG_PERMANENT,
551 CTLTYPE_NODE, "ah", NULL,
552 NULL, 0, NULL, 0,
553 CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
554 sysctl_createv(clog, 0, NULL, NULL,
555 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
556 CTLTYPE_INT, "cleartos", NULL,
557 NULL, 0, &ip4_ah_cleartos, 0,
558 CTL_NET, PF_INET, IPPROTO_AH,
559 IPSECCTL_AH_CLEARTOS, CTL_EOL);
560 sysctl_createv(clog, 0, NULL, NULL,
561 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
562 CTLTYPE_INT, "offsetmask", NULL,
563 NULL, 0, &ip4_ah_offsetmask, 0,
564 CTL_NET, PF_INET, IPPROTO_AH,
565 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
566 sysctl_createv(clog, 0, NULL, NULL,
567 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
568 CTLTYPE_INT, "trans_deflev", NULL,
569 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
570 CTL_NET, PF_INET, IPPROTO_AH,
571 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
572 sysctl_createv(clog, 0, NULL, NULL,
573 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
574 CTLTYPE_INT, "net_deflev", NULL,
575 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
576 CTL_NET, PF_INET, IPPROTO_AH,
577 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
578 sysctl_createv(clog, 0, NULL, NULL,
579 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
580 CTLTYPE_STRUCT, "ah_stats", NULL,
581 sysctl_net_inet_ah_stats, 0, NULL, 0,
582 CTL_NET, PF_INET, IPPROTO_AH,
583 CTL_CREATE, CTL_EOL);
585 /* create net.inet.ipcomp */
586 sysctl_createv(clog, 0, NULL, NULL,
587 CTLFLAG_PERMANENT,
588 CTLTYPE_NODE, "ipcomp", NULL,
589 NULL, 0, NULL, 0,
590 CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
591 sysctl_createv(clog, 0, NULL, NULL,
592 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
593 CTLTYPE_STRUCT, "ipcomp_stats", NULL,
594 sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
595 CTL_NET, PF_INET, IPPROTO_IPCOMP,
596 CTL_CREATE, CTL_EOL);
598 /* create net.inet.ipsec subtree under dynamic oid */
599 sysctl_createv(clog, 0, NULL, &_ipsec,
600 CTLFLAG_PERMANENT,
601 CTLTYPE_NODE, "ipsec", NULL,
602 NULL, 0, NULL, 0,
603 CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
604 ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
606 sysctl_createv(clog, 0, NULL, NULL,
607 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
608 CTLTYPE_INT, "def_policy", NULL,
609 sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
610 CTL_NET, PF_INET, ipproto_ipsec,
611 IPSECCTL_DEF_POLICY, CTL_EOL);
612 sysctl_createv(clog, 0, NULL, NULL,
613 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
614 CTLTYPE_INT, "esp_trans_deflev", NULL,
615 sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
616 CTL_NET, PF_INET, ipproto_ipsec,
617 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
618 sysctl_createv(clog, 0, NULL, NULL,
619 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
620 CTLTYPE_INT, "esp_net_deflev", NULL,
621 sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
622 CTL_NET, PF_INET, ipproto_ipsec,
623 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
624 sysctl_createv(clog, 0, NULL, NULL,
625 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
626 CTLTYPE_INT, "ah_trans_deflev", NULL,
627 sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
628 CTL_NET, PF_INET, ipproto_ipsec,
629 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
630 sysctl_createv(clog, 0, NULL, NULL,
631 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
632 CTLTYPE_INT, "ah_net_deflev", NULL,
633 sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
634 CTL_NET, PF_INET, ipproto_ipsec,
635 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
636 sysctl_createv(clog, 0, NULL, NULL,
637 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
638 CTLTYPE_INT, "ah_cleartos", NULL,
639 NULL, 0, &ip4_ah_cleartos, 0,
640 CTL_NET, PF_INET, ipproto_ipsec,
641 IPSECCTL_AH_CLEARTOS, CTL_EOL);
642 sysctl_createv(clog, 0, NULL, NULL,
643 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
644 CTLTYPE_INT, "ah_offsetmask", NULL,
645 NULL, 0, &ip4_ah_offsetmask, 0,
646 CTL_NET, PF_INET, ipproto_ipsec,
647 IPSECCTL_AH_OFFSETMASK, CTL_EOL);
648 sysctl_createv(clog, 0, NULL, NULL,
649 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
650 CTLTYPE_INT, "dfbit", NULL,
651 NULL, 0, &ip4_ipsec_dfbit, 0,
652 CTL_NET, PF_INET, ipproto_ipsec,
653 IPSECCTL_DFBIT, CTL_EOL);
654 sysctl_createv(clog, 0, NULL, NULL,
655 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
656 CTLTYPE_INT, "ecn", NULL,
657 NULL, 0, &ip4_ipsec_ecn, 0,
658 CTL_NET, PF_INET, ipproto_ipsec,
659 IPSECCTL_ECN, CTL_EOL);
660 sysctl_createv(clog, 0, NULL, NULL,
661 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
662 CTLTYPE_INT, "debug", NULL,
663 NULL, 0, &ipsec_debug, 0,
664 CTL_NET, PF_INET, ipproto_ipsec,
665 IPSECCTL_DEBUG, CTL_EOL);
666 sysctl_createv(clog, 0, NULL, NULL,
667 CTLFLAG_PERMANENT|CTLFLAG_READONLY,
668 CTLTYPE_STRUCT, "ipsecstats", NULL,
669 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
670 CTL_NET, PF_INET, ipproto_ipsec,
671 CTL_CREATE, CTL_EOL);
672 #ifdef IPSEC_DEBUG
673 sysctl_createv(clog, 0, NULL, NULL,
674 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
675 CTLTYPE_INT, "test_replay",
676 SYSCTL_DESCR("Emulate replay attack"),
677 sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
678 CTL_NET, PF_INET, ipproto_ipsec,
679 CTL_CREATE, CTL_EOL);
680 sysctl_createv(clog, 0, NULL, NULL,
681 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
682 CTLTYPE_INT, "test_integrity",
683 SYSCTL_DESCR("Emulate man-in-the-middle attack"),
684 sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
685 CTL_NET, PF_INET, ipproto_ipsec,
686 CTL_CREATE, CTL_EOL);
687 #endif
690 #ifdef INET6
691 SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup,
692 "sysctl net.inet6.ipsec6 subtree setup")
695 sysctl_createv(clog, 0, NULL, NULL,
696 CTLFLAG_PERMANENT,
697 CTLTYPE_NODE, "net", NULL,
698 NULL, 0, NULL, 0,
699 CTL_NET, CTL_EOL);
700 sysctl_createv(clog, 0, NULL, NULL,
701 CTLFLAG_PERMANENT,
702 CTLTYPE_NODE, "inet6", NULL,
703 NULL, 0, NULL, 0,
704 CTL_NET, PF_INET6, CTL_EOL);
705 sysctl_createv(clog, 0, NULL, NULL,
706 CTLFLAG_PERMANENT,
707 CTLTYPE_NODE, "ipsec6",
708 SYSCTL_DESCR("IPv6 related IPSec settings"),
709 NULL, 0, NULL, 0,
710 CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
712 sysctl_createv(clog, 0, NULL, NULL,
713 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
714 CTLTYPE_STRUCT, "stats",
715 SYSCTL_DESCR("IPSec statistics and counters"),
716 sysctl_net_inet_fast_ipsec_stats, 0, NULL, 0,
717 CTL_NET, PF_INET6, IPPROTO_AH,
718 IPSECCTL_STATS, CTL_EOL);
719 sysctl_createv(clog, 0, NULL, NULL,
720 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
721 CTLTYPE_INT, "def_policy",
722 SYSCTL_DESCR("Default action for non-IPSec packets"),
723 sysctl_fast_ipsec, 0, &ip6_def_policy, 0,
724 CTL_NET, PF_INET6, IPPROTO_AH,
725 IPSECCTL_DEF_POLICY, CTL_EOL);
726 sysctl_createv(clog, 0, NULL, NULL,
727 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
728 CTLTYPE_INT, "esp_trans_deflev",
729 SYSCTL_DESCR("Default required security level for "
730 "transport mode traffic"),
731 sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0,
732 CTL_NET, PF_INET6, IPPROTO_AH,
733 IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
734 sysctl_createv(clog, 0, NULL, NULL,
735 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
736 CTLTYPE_INT, "esp_net_deflev",
737 SYSCTL_DESCR("Default required security level for "
738 "tunneled traffic"),
739 sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0,
740 CTL_NET, PF_INET6, IPPROTO_AH,
741 IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
742 sysctl_createv(clog, 0, NULL, NULL,
743 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
744 CTLTYPE_INT, "ah_trans_deflev",
745 SYSCTL_DESCR("Default required security level for "
746 "transport mode headers"),
747 sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0,
748 CTL_NET, PF_INET6, IPPROTO_AH,
749 IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
750 sysctl_createv(clog, 0, NULL, NULL,
751 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
752 CTLTYPE_INT, "ah_net_deflev",
753 SYSCTL_DESCR("Default required security level for "
754 "tunneled headers"),
755 sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0,
756 CTL_NET, PF_INET6, IPPROTO_AH,
757 IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
758 sysctl_createv(clog, 0, NULL, NULL,
759 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
760 CTLTYPE_INT, "ecn",
761 SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
762 NULL, 0, &ip6_ipsec_ecn, 0,
763 CTL_NET, PF_INET6, IPPROTO_AH,
764 IPSECCTL_ECN, CTL_EOL);
765 sysctl_createv(clog, 0, NULL, NULL,
766 CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
767 CTLTYPE_INT, "debug",
768 SYSCTL_DESCR("Enable IPSec debugging output"),
769 NULL, 0, &ipsec_debug, 0,
770 CTL_NET, PF_INET6, IPPROTO_AH,
771 IPSECCTL_DEBUG, CTL_EOL);
774 * "aliases" for the ipsec6 subtree
776 sysctl_createv(clog, 0, NULL, NULL,
777 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
778 CTLTYPE_NODE, "esp6", NULL,
779 NULL, IPPROTO_AH, NULL, 0,
780 CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
781 sysctl_createv(clog, 0, NULL, NULL,
782 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
783 CTLTYPE_NODE, "ipcomp6", NULL,
784 NULL, IPPROTO_AH, NULL, 0,
785 CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
786 sysctl_createv(clog, 0, NULL, NULL,
787 CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
788 CTLTYPE_NODE, "ah6", NULL,
789 NULL, IPPROTO_AH, NULL, 0,
790 CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
792 #endif /* INET6 */