2 * Copyright (c) 2006 The FreeBSD Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 #include "opt_inet6.h"
34 #include <sys/param.h>
35 #include <sys/systm.h>
36 #include <sys/kernel.h>
37 #include <sys/malloc.h>
39 #include <sys/module.h>
40 #include <machine/bus.h>
42 #include <sys/socket.h>
43 #include <sys/sockio.h>
44 #include <sys/sysctl.h>
47 #include <net/if_clone.h>
48 #include <net/if_types.h>
50 #include <net/route.h>
51 #include <net/netisr.h>
55 #include <netinet/in.h>
56 #include <netinet/in_systm.h>
57 #include <netinet/ip.h>
58 #include <netinet/ip_var.h>
59 #include <netinet/in_var.h>
62 #include <netinet/ip6.h>
63 #include <netinet6/ip6_var.h>
66 #include <netipsec/ipsec.h>
67 #include <netipsec/xform.h>
69 #define ENCMTU (1024+512)
71 /* XXX this define must have the same value as in OpenBSD */
72 #define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */
73 #define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
74 #define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
83 static struct mtx enc_mtx;
89 static int enc_ioctl(struct ifnet *, u_long, caddr_t);
90 static int enc_output(struct ifnet *ifp, struct mbuf *m,
91 const struct sockaddr *dst, struct route *ro);
92 static int enc_clone_create(struct if_clone *, int, caddr_t);
93 static void enc_clone_destroy(struct ifnet *);
94 static struct if_clone *enc_cloner;
95 static const char encname[] = "enc";
102 * Before and after are relative to when we are stripping the
105 static SYSCTL_NODE(_net, OID_AUTO, enc, CTLFLAG_RW, 0, "enc sysctl");
107 static SYSCTL_NODE(_net_enc, OID_AUTO, in, CTLFLAG_RW, 0, "enc input sysctl");
108 static int ipsec_filter_mask_in = ENC_BEFORE;
109 SYSCTL_INT(_net_enc_in, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
110 &ipsec_filter_mask_in, 0, "IPsec input firewall filter mask");
111 static int ipsec_bpf_mask_in = ENC_BEFORE;
112 SYSCTL_INT(_net_enc_in, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
113 &ipsec_bpf_mask_in, 0, "IPsec input bpf mask");
115 static SYSCTL_NODE(_net_enc, OID_AUTO, out, CTLFLAG_RW, 0, "enc output sysctl");
116 static int ipsec_filter_mask_out = ENC_BEFORE;
117 SYSCTL_INT(_net_enc_out, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
118 &ipsec_filter_mask_out, 0, "IPsec output firewall filter mask");
119 static int ipsec_bpf_mask_out = ENC_BEFORE|ENC_AFTER;
120 SYSCTL_INT(_net_enc_out, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
121 &ipsec_bpf_mask_out, 0, "IPsec output bpf mask");
124 enc_clone_destroy(struct ifnet *ifp)
126 KASSERT(ifp != encif, ("%s: destroying encif", __func__));
134 enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
137 struct enc_softc *sc;
139 sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
140 ifp = sc->sc_ifp = if_alloc(IFT_ENC);
146 if_initname(ifp, encname, unit);
147 ifp->if_mtu = ENCMTU;
148 ifp->if_ioctl = enc_ioctl;
149 ifp->if_output = enc_output;
150 ifp->if_snd.ifq_maxlen = ifqmaxlen;
153 bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
156 /* grab a pointer to enc0, ignore the rest */
159 mtx_unlock(&enc_mtx);
165 enc_modevent(module_t mod, int type, void *data)
169 mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
170 enc_cloner = if_clone_simple(encname, enc_clone_create,
171 enc_clone_destroy, 1);
174 printf("enc module unload - not possible for this module\n");
182 static moduledata_t enc_mod = {
188 DECLARE_MODULE(if_enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
191 enc_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
199 * Process an ioctl request.
203 enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
212 if (ifp->if_flags & IFF_UP)
213 ifp->if_drv_flags |= IFF_DRV_RUNNING;
215 ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
223 mtx_unlock(&enc_mtx);
228 ipsec_filter(struct mbuf **mp, int dir, int flags)
233 KASSERT(encif != NULL, ("%s: encif is null", __func__));
234 KASSERT(flags & (ENC_IN|ENC_OUT),
235 ("%s: invalid flags: %04x", __func__, flags));
237 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
240 if (flags & ENC_IN) {
241 if ((flags & ipsec_filter_mask_in) == 0)
244 if ((flags & ipsec_filter_mask_out) == 0)
248 /* Skip pfil(9) if no filters are loaded */
251 && !PFIL_HOOKED(&V_inet_pfil_hook)
254 && !PFIL_HOOKED(&V_inet6_pfil_hook)
260 i = min((*mp)->m_pkthdr.len, max_protohdr);
261 if ((*mp)->m_len < i) {
262 *mp = m_pullup(*mp, i);
264 printf("%s: m_pullup failed\n", __func__);
270 ip = mtod(*mp, struct ip *);
274 error = pfil_run_hooks(&V_inet_pfil_hook, mp,
280 error = pfil_run_hooks(&V_inet6_pfil_hook, mp,
285 printf("%s: unknown IP version\n", __func__);
289 * If the mbuf was consumed by the filter for requeueing (dummynet, etc)
290 * then error will be zero but we still want to return an error to our
291 * caller so the null mbuf isn't forwarded further.
293 if (*mp == NULL && error == 0)
294 return (-1); /* Consumed by the filter */
309 ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af, int flags)
314 KASSERT(encif != NULL, ("%s: encif is null", __func__));
315 KASSERT(flags & (ENC_IN|ENC_OUT),
316 ("%s: invalid flags: %04x", __func__, flags));
318 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
321 if (flags & ENC_IN) {
322 if ((flags & ipsec_bpf_mask_in) == 0)
325 if ((flags & ipsec_bpf_mask_out) == 0)
329 if (bpf_peers_present(encif->if_bpf)) {
334 mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
336 struct tdb_ident *tdbi;
337 tdbi = (struct tdb_ident *) (mtag + 1);
338 if (tdbi->alg_enc != SADB_EALG_NONE)
340 if (tdbi->alg_auth != SADB_AALG_NONE)
345 if (sav->alg_enc != SADB_EALG_NONE)
347 if (sav->alg_auth != SADB_AALG_NONE)
353 * We need to prepend the address family as a four byte
354 * field. Cons up a dummy header to pacify bpf. This
355 * is safe because bpf will only read from the mbuf
356 * (i.e., it won't try to free it or keep a pointer a
360 /* hdr.spi already set above */
363 bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m);