2 * Copyright (c) 2006 The FreeBSD Project.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30 #include <sys/param.h>
31 #include <sys/systm.h>
32 #include <sys/kernel.h>
33 #include <sys/malloc.h>
35 #include <sys/module.h>
36 #include <machine/bus.h>
38 #include <sys/socket.h>
39 #include <sys/sockio.h>
40 #include <sys/sysctl.h>
43 #include <net/if_clone.h>
44 #include <net/if_types.h>
46 #include <net/route.h>
47 #include <net/netisr.h>
49 #include <net/bpfdesc.h>
51 #include <netinet/in.h>
52 #include <netinet/in_systm.h>
53 #include <netinet/ip.h>
54 #include <netinet/ip_var.h>
55 #include <netinet/in_var.h>
56 #include "opt_inet6.h"
59 #include <netinet/ip6.h>
60 #include <netinet6/ip6_var.h>
63 #include <netipsec/ipsec.h>
65 #define ENCMTU (1024+512)
67 /* XXX this define must have the same value as in OpenBSD */
68 #define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */
69 #define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
70 #define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
78 static struct ifnet *encif;
79 static struct mtx enc_mtx;
85 static int enc_ioctl(struct ifnet *, u_long, caddr_t);
86 static int enc_output(struct ifnet *ifp, struct mbuf *m,
87 struct sockaddr *dst, struct rtentry *rt);
88 static int enc_clone_create(struct if_clone *, int, caddr_t);
89 static void enc_clone_destroy(struct ifnet *);
91 IFC_SIMPLE_DECLARE(enc, 1);
94 enc_clone_destroy(struct ifnet *ifp)
96 KASSERT(ifp != encif, ("%s: destroying encif", __func__));
104 enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
107 struct enc_softc *sc;
109 sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
110 ifp = sc->sc_ifp = if_alloc(IFT_ENC);
116 if_initname(ifp, ifc->ifc_name, unit);
117 ifp->if_mtu = ENCMTU;
118 ifp->if_ioctl = enc_ioctl;
119 ifp->if_output = enc_output;
120 ifp->if_snd.ifq_maxlen = ifqmaxlen;
123 bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
126 /* grab a pointer to enc0, ignore the rest */
129 mtx_unlock(&enc_mtx);
135 enc_modevent(module_t mod, int type, void *data)
139 mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
140 if_clone_attach(&enc_cloner);
143 printf("enc module unload - not possible for this module\n");
151 static moduledata_t enc_mod = {
157 DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
160 enc_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
168 * Process an ioctl request.
172 enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
181 if (ifp->if_flags & IFF_UP)
182 ifp->if_drv_flags |= IFF_DRV_RUNNING;
184 ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
192 mtx_unlock(&enc_mtx);
197 ipsec_filter(struct mbuf **mp, int dir)
202 KASSERT(encif != NULL, ("%s: encif is null", __func__));
204 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
207 /* Skip pfil(9) if no filters are loaded */
208 if (!(PFIL_HOOKED(&inet_pfil_hook)
210 || PFIL_HOOKED(&inet6_pfil_hook)
216 i = min((*mp)->m_pkthdr.len, max_protohdr);
217 if ((*mp)->m_len < i) {
218 *mp = m_pullup(*mp, i);
220 printf("%s: m_pullup failed\n", __func__);
226 ip = mtod(*mp, struct ip *);
230 * before calling the firewall, swap fields the same as
231 * IP does. here we assume the header is contiguous
233 ip->ip_len = ntohs(ip->ip_len);
234 ip->ip_off = ntohs(ip->ip_off);
236 error = pfil_run_hooks(&inet_pfil_hook, mp,
239 if (*mp == NULL || error != 0)
242 /* restore byte ordering */
243 ip = mtod(*mp, struct ip *);
244 ip->ip_len = htons(ip->ip_len);
245 ip->ip_off = htons(ip->ip_off);
250 error = pfil_run_hooks(&inet6_pfil_hook, mp,
255 printf("%s: unknown IP version\n", __func__);
272 ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af)
277 KASSERT(encif != NULL, ("%s: encif is null", __func__));
278 KASSERT(sav != NULL, ("%s: sav is null", __func__));
280 if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
283 if (bpf_peers_present(encif->if_bpf)) {
285 if (sav->alg_enc != SADB_EALG_NONE)
287 if (sav->alg_auth != SADB_AALG_NONE)
291 * We need to prepend the address family as a four byte
292 * field. Cons up a dummy header to pacify bpf. This
293 * is safe because bpf will only read from the mbuf
294 * (i.e., it won't try to free it or keep a pointer a
301 bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m);