2 * Copyright (c) 2016-2018 Yandex LLC
3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
30 #include "opt_inet6.h"
31 #include "opt_ipsec.h"
33 #include <sys/param.h>
34 #include <sys/systm.h>
35 #include <sys/kernel.h>
36 #include <sys/fnv_hash.h>
39 #include <sys/malloc.h>
41 #include <sys/module.h>
42 #include <sys/socket.h>
43 #include <sys/sockio.h>
45 #include <sys/errno.h>
46 #include <sys/sysctl.h>
52 #include <net/if_var.h>
53 #include <net/if_clone.h>
54 #include <net/if_types.h>
56 #include <net/route.h>
59 #include <netinet/in.h>
60 #include <netinet/in_var.h>
61 #include <netinet/ip.h>
62 #include <netinet/ip_encap.h>
64 #include <netinet/ip6.h>
65 #include <netinet6/in6_var.h>
66 #include <netinet6/scope6_var.h>
68 #include <netipsec/ipsec.h>
70 #include <netipsec/ipsec6.h>
73 #include <net/if_ipsec.h>
74 #include <netipsec/key.h>
76 #include <security/mac/mac_framework.h>
78 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
79 static const char ipsecname[] = "ipsec";
81 #if defined(INET) && defined(INET6)
82 #define IPSEC_SPCOUNT 4
84 #define IPSEC_SPCOUNT 2
89 struct secpolicy *sp[IPSEC_SPCOUNT];
94 CK_LIST_ENTRY(ipsec_softc) idhash;
95 CK_LIST_ENTRY(ipsec_softc) srchash;
98 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et
99 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et)
100 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et)
101 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt)
103 #ifndef IPSEC_HASH_SIZE
104 #define IPSEC_HASH_SIZE (1 << 5)
107 CK_LIST_HEAD(ipsec_iflist, ipsec_softc);
108 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL;
109 #define V_ipsec_idhtbl VNET(ipsec_idhtbl)
112 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL;
113 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl)
114 static const struct srcaddrtab *ipsec4_srctab = NULL;
118 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL;
119 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl)
120 static const struct srcaddrtab *ipsec6_srctab = NULL;
123 static struct ipsec_iflist *
124 ipsec_idhash(uint32_t id)
127 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id),
128 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]);
131 static struct ipsec_iflist *
132 ipsec_srchash(const struct sockaddr *sa)
136 switch (sa->sa_family) {
140 &((const struct sockaddr_in *)sa)->sin_addr.s_addr,
141 sizeof(in_addr_t), FNV1_32_INIT);
142 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
147 &((const struct sockaddr_in6 *)sa)->sin6_addr,
148 sizeof(struct in6_addr), FNV1_32_INIT);
149 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
156 * ipsec_ioctl_sx protects from concurrent ioctls.
158 static struct sx ipsec_ioctl_sx;
159 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
161 static int ipsec_init_reqid(struct ipsec_softc *);
162 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
163 struct sockaddr *, uint32_t);
164 static void ipsec_delete_tunnel(struct ipsec_softc *);
166 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *,
168 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t);
169 static void ipsec_set_running(struct ipsec_softc *);
172 static void ipsec_reassign(struct ifnet *, struct vnet *, char *);
174 static void ipsec_srcaddr(void *, const struct sockaddr *, int);
175 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t);
176 static int ipsec_transmit(struct ifnet *, struct mbuf *);
177 static int ipsec_output(struct ifnet *, struct mbuf *,
178 const struct sockaddr *, struct route *);
179 static void ipsec_qflush(struct ifnet *);
180 static int ipsec_clone_create(struct if_clone *, int, caddr_t);
181 static void ipsec_clone_destroy(struct ifnet *);
183 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner);
184 #define V_ipsec_cloner VNET(ipsec_cloner)
187 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
189 struct ipsec_softc *sc;
192 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
193 sc->fibnum = curthread->td_proc->p_fibnum;
194 sc->ifp = ifp = if_alloc(IFT_TUNNEL);
196 if_initname(ifp, ipsecname, unit);
199 ifp->if_mtu = IPSEC_MTU;
200 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
201 ifp->if_ioctl = ipsec_ioctl;
202 ifp->if_transmit = ipsec_transmit;
203 ifp->if_qflush = ipsec_qflush;
204 ifp->if_output = ipsec_output;
206 ifp->if_reassign = ipsec_reassign;
209 bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
216 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
217 char *unused __unused)
219 struct ipsec_softc *sc;
221 sx_xlock(&ipsec_ioctl_sx);
224 ipsec_delete_tunnel(sc);
225 sx_xunlock(&ipsec_ioctl_sx);
230 ipsec_clone_destroy(struct ifnet *ifp)
232 struct ipsec_softc *sc;
234 sx_xlock(&ipsec_ioctl_sx);
236 ipsec_delete_tunnel(sc);
238 * Delete softc from idhash on interface destroy, since
239 * ipsec_delete_tunnel() keeps reqid unchanged.
242 CK_LIST_REMOVE(sc, idhash);
245 ifp->if_softc = NULL;
246 sx_xunlock(&ipsec_ioctl_sx);
253 static struct ipsec_iflist *
256 struct ipsec_iflist *hash;
259 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE,
261 for (i = 0; i < IPSEC_HASH_SIZE; i++)
262 CK_LIST_INIT(&hash[i]);
268 vnet_ipsec_init(const void *unused __unused)
271 V_ipsec_idhtbl = ipsec_hashinit();
273 V_ipsec4_srchtbl = ipsec_hashinit();
274 if (IS_DEFAULT_VNET(curvnet))
275 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr,
279 V_ipsec6_srchtbl = ipsec_hashinit();
280 if (IS_DEFAULT_VNET(curvnet))
281 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr,
284 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
285 ipsec_clone_destroy, 0);
287 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
288 vnet_ipsec_init, NULL);
291 vnet_ipsec_uninit(const void *unused __unused)
294 if_clone_detach(V_ipsec_cloner);
295 free(V_ipsec_idhtbl, M_IPSEC);
297 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be
298 * destroyed, it is used by ipsec_srcaddr() callback.
300 V_ipsec_idhtbl = NULL;
304 if (IS_DEFAULT_VNET(curvnet))
305 ip_encap_unregister_srcaddr(ipsec4_srctab);
306 free(V_ipsec4_srchtbl, M_IPSEC);
309 if (IS_DEFAULT_VNET(curvnet))
310 ip6_encap_unregister_srcaddr(ipsec6_srctab);
311 free(V_ipsec6_srchtbl, M_IPSEC);
314 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
315 vnet_ipsec_uninit, NULL);
317 static struct secpolicy *
318 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
324 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
328 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
338 static struct secasindex *
339 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
341 struct secpolicy *sp;
343 sp = ipsec_getpolicy(sc, dir, af);
346 return (&sp->req[0]->saidx);
350 ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
353 struct ipsec_softc *sc;
354 struct secpolicy *sp;
361 error = mac_ifnet_check_transmit(ifp, m);
369 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
370 (ifp->if_flags & IFF_MONITOR) != 0 ||
371 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) {
376 /* Determine address family to correctly handle packet in BPF */
377 ip = mtod(m, struct ip *);
385 case (IPV6_VERSION >> 4):
390 error = EAFNOSUPPORT;
397 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
398 * We can read full chain and compare destination address,
399 * proto and mode from xform_history with values from softc.
401 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
406 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
408 M_SETFIB(m, sc->fibnum);
410 BPF_MTAP2(ifp, &af, sizeof(af), m);
411 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
412 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
417 error = ipsec4_process_packet(m, sp, NULL);
422 error = ipsec6_process_packet(m, sp, NULL);
426 panic("%s: unknown address family\n", __func__);
430 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
436 ipsec_qflush(struct ifnet *ifp __unused)
442 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
446 return (ifp->if_transmit(ifp, m));
450 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af)
453 struct secasindex *saidx;
454 struct ipsec_softc *sc;
457 if (sav->state != SADB_SASTATE_MATURE &&
458 sav->state != SADB_SASTATE_DYING) {
463 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
464 sav->sah->saidx.proto != IPPROTO_ESP)
468 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) {
471 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
472 sav->sah->saidx.src.sa.sa_family);
473 /* SA's reqid should match reqid in SP */
475 sav->sah->saidx.reqid != saidx->reqid)
477 /* SAH's addresses should match tunnel endpoints. */
478 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
479 &saidx->dst.sa, 0) != 0)
481 if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
482 &saidx->src.sa, 0) == 0)
487 /* Tunnel was not found. Nothing to do. */
491 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
492 (ifp->if_flags & IFF_UP) == 0) {
498 * We found matching and working tunnel.
499 * Set its ifnet as receiving interface.
501 m->m_pkthdr.rcvif = ifp;
504 M_SETFIB(m, ifp->if_fib);
505 BPF_MTAP2(ifp, &af, sizeof(af), m);
506 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
507 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
508 if ((ifp->if_flags & IFF_MONITOR) != 0) {
518 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
520 struct ifreq *ifr = (struct ifreq*)data;
521 struct sockaddr *dst, *src;
522 struct ipsec_softc *sc;
523 struct secasindex *saidx;
525 struct sockaddr_in *sin = NULL;
528 struct sockaddr_in6 *sin6 = NULL;
535 ifp->if_flags |= IFF_UP;
542 if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
543 ifr->ifr_mtu > IPSEC_MTU_MAX)
546 ifp->if_mtu = ifr->ifr_mtu;
549 sx_xlock(&ipsec_ioctl_sx);
551 /* Check that softc is still here */
560 case SIOCSIFPHYADDR_IN6:
566 src = (struct sockaddr *)
567 &(((struct in_aliasreq *)data)->ifra_addr);
568 dst = (struct sockaddr *)
569 &(((struct in_aliasreq *)data)->ifra_dstaddr);
573 case SIOCSIFPHYADDR_IN6:
574 src = (struct sockaddr *)
575 &(((struct in6_aliasreq *)data)->ifra_addr);
576 dst = (struct sockaddr *)
577 &(((struct in6_aliasreq *)data)->ifra_dstaddr);
583 /* sa_family must be equal */
584 if (src->sa_family != dst->sa_family ||
585 src->sa_len != dst->sa_len)
588 /* validate sa_len */
589 switch (src->sa_family) {
592 if (src->sa_len != sizeof(struct sockaddr_in))
598 if (src->sa_len != sizeof(struct sockaddr_in6))
603 error = EAFNOSUPPORT;
606 /* check sa_family looks sane for the cmd */
607 error = EAFNOSUPPORT;
611 if (src->sa_family == AF_INET)
616 case SIOCSIFPHYADDR_IN6:
617 if (src->sa_family == AF_INET6)
622 error = EADDRNOTAVAIL;
623 switch (src->sa_family) {
626 if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
627 satosin(dst)->sin_addr.s_addr == INADDR_ANY)
633 if (IN6_IS_ADDR_UNSPECIFIED(
634 &satosin6(src)->sin6_addr) ||
635 IN6_IS_ADDR_UNSPECIFIED(
636 &satosin6(dst)->sin6_addr))
639 * Check validity of the scope zone ID of the
640 * addresses, and convert it into the kernel
641 * internal form if necessary.
643 error = sa6_embedscope(satosin6(src), 0);
646 error = sa6_embedscope(satosin6(dst), 0);
651 error = ipsec_set_addresses(ifp, src, dst);
654 ipsec_delete_tunnel(sc);
656 case SIOCGIFPSRCADDR:
657 case SIOCGIFPDSTADDR:
659 case SIOCGIFPSRCADDR_IN6:
660 case SIOCGIFPDSTADDR_IN6:
662 if (sc->family == 0) {
663 error = EADDRNOTAVAIL;
666 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
673 case SIOCGIFPSRCADDR:
674 case SIOCGIFPDSTADDR:
675 if (saidx->src.sa.sa_family != AF_INET) {
676 error = EADDRNOTAVAIL;
679 sin = (struct sockaddr_in *)&ifr->ifr_addr;
680 memset(sin, 0, sizeof(*sin));
681 sin->sin_family = AF_INET;
682 sin->sin_len = sizeof(*sin);
686 case SIOCGIFPSRCADDR_IN6:
687 case SIOCGIFPDSTADDR_IN6:
688 if (saidx->src.sa.sa_family != AF_INET6) {
689 error = EADDRNOTAVAIL;
692 sin6 = (struct sockaddr_in6 *)
693 &(((struct in6_ifreq *)data)->ifr_addr);
694 memset(sin6, 0, sizeof(*sin6));
695 sin6->sin6_family = AF_INET6;
696 sin6->sin6_len = sizeof(*sin6);
700 error = EAFNOSUPPORT;
705 case SIOCGIFPSRCADDR:
706 sin->sin_addr = saidx->src.sin.sin_addr;
708 case SIOCGIFPDSTADDR:
709 sin->sin_addr = saidx->dst.sin.sin_addr;
713 case SIOCGIFPSRCADDR_IN6:
714 sin6->sin6_addr = saidx->src.sin6.sin6_addr;
716 case SIOCGIFPDSTADDR_IN6:
717 sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
726 case SIOCGIFPSRCADDR:
727 case SIOCGIFPDSTADDR:
728 error = prison_if(curthread->td_ucred,
729 (struct sockaddr *)sin);
731 memset(sin, 0, sizeof(*sin));
735 case SIOCGIFPSRCADDR_IN6:
736 case SIOCGIFPDSTADDR_IN6:
737 error = prison_if(curthread->td_ucred,
738 (struct sockaddr *)sin6);
740 error = sa6_recoverscope(sin6);
742 memset(sin6, 0, sizeof(*sin6));
747 ifr->ifr_fib = sc->fibnum;
750 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
752 if (ifr->ifr_fib >= rt_numfibs)
755 sc->fibnum = ifr->ifr_fib;
759 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid));
762 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
764 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid));
767 error = ipsec_set_reqid(sc, reqid);
774 sx_xunlock(&ipsec_ioctl_sx);
779 * Check that ingress address belongs to local host.
782 ipsec_set_running(struct ipsec_softc *sc)
784 struct secasindex *saidx;
787 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
791 switch (sc->family) {
794 localip = in_localip(saidx->src.sin.sin_addr);
799 localip = in6_localip(&saidx->src.sin6.sin6_addr);
804 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
806 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
810 * ifaddr_event handler.
811 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent
812 * source address spoofing.
815 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa,
818 struct ipsec_softc *sc;
819 struct secasindex *saidx;
820 struct ipsec_iflist *iflist;
822 /* Check that VNET is ready */
823 if (V_ipsec_idhtbl == NULL)
827 iflist = ipsec_srchash(sa);
830 CK_LIST_FOREACH(sc, iflist, srchash) {
833 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
835 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0)
837 ipsec_set_running(sc);
842 * Allocate new private security policies for tunneling interface.
843 * Each tunneling interface has following security policies for
845 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
846 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
847 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
848 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
851 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
852 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
854 struct ipsecrequest *isr;
857 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
858 for (i = 0; i < IPSEC_SPCOUNT; i++) {
859 if ((sp[i] = key_newsp()) == NULL)
861 if ((isr = ipsec_newisr()) == NULL)
864 sp[i]->policy = IPSEC_POLICY_IPSEC;
865 sp[i]->state = IPSEC_SPSTATE_DEAD;
866 sp[i]->req[sp[i]->tcount++] = isr;
867 sp[i]->created = time_second;
868 /* Use priority field to store if_index */
869 sp[i]->priority = sc->ifp->if_index;
870 isr->level = IPSEC_LEVEL_UNIQUE;
871 isr->saidx.proto = IPPROTO_ESP;
872 isr->saidx.mode = IPSEC_MODE_TUNNEL;
873 isr->saidx.reqid = reqid;
875 sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
876 bcopy(src, &isr->saidx.dst, src->sa_len);
877 bcopy(dst, &isr->saidx.src, dst->sa_len);
879 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
880 bcopy(src, &isr->saidx.src, src->sa_len);
881 bcopy(dst, &isr->saidx.dst, dst->sa_len);
883 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
886 sp[i]->spidx.src.sa.sa_family =
887 sp[i]->spidx.dst.sa.sa_family = AF_INET;
888 sp[i]->spidx.src.sa.sa_len =
889 sp[i]->spidx.dst.sa.sa_len =
890 sizeof(struct sockaddr_in);
895 sp[i]->spidx.src.sa.sa_family =
896 sp[i]->spidx.dst.sa.sa_family = AF_INET6;
897 sp[i]->spidx.src.sa.sa_len =
898 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
903 for (i = 0; i < IPSEC_SPCOUNT; i++)
909 ipsec_check_reqid(uint32_t reqid)
911 struct ipsec_softc *sc;
913 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
914 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) {
915 if (sc->reqid == reqid)
922 * We use key_newreqid() to automatically obtain unique reqid.
923 * Then we check that given id is unique, i.e. it is not used by
924 * another if_ipsec(4) interface. This macro limits the number of
925 * tries to get unique id.
927 #define IPSEC_REQID_TRYCNT 64
929 ipsec_init_reqid(struct ipsec_softc *sc)
934 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
935 if (sc->reqid != 0) /* already initialized */
938 trycount = IPSEC_REQID_TRYCNT;
939 while (--trycount > 0) {
940 reqid = key_newreqid();
941 if (ipsec_check_reqid(reqid) == 0)
947 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
952 * Set or update reqid for given tunneling interface.
953 * When specified reqid is zero, generate new one.
954 * We are protected by ioctl_sx lock from concurrent id generation.
955 * Also softc would not disappear while we hold ioctl_sx lock.
958 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid)
960 struct secasindex *saidx;
962 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
964 if (sc->reqid == reqid && reqid != 0)
968 /* Check that specified reqid doesn't exist */
969 if (ipsec_check_reqid(reqid) != 0)
971 if (sc->reqid != 0) {
972 CK_LIST_REMOVE(sc, idhash);
976 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
978 /* Generate new reqid */
979 if (ipsec_init_reqid(sc) != 0)
983 /* Tunnel isn't fully configured, just return. */
987 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
988 KASSERT(saidx != NULL,
989 ("saidx is NULL, but family is %d", sc->family));
990 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
995 * Set tunnel endpoints addresses.
998 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
999 struct sockaddr *dst)
1001 struct ipsec_softc *sc;
1002 struct secasindex *saidx;
1004 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1007 if (sc->family != 0) {
1008 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
1010 if (saidx != NULL && saidx->reqid == sc->reqid &&
1011 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
1012 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
1013 return (0); /* Nothing has been changed. */
1015 /* If reqid is not set, generate new one. */
1016 if (ipsec_init_reqid(sc) != 0)
1018 return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
1022 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
1023 struct sockaddr *dst, uint32_t reqid)
1025 struct ipsec_iflist *iflist;
1026 struct secpolicy *sp[IPSEC_SPCOUNT];
1029 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1031 /* Allocate SP with new addresses. */
1032 iflist = ipsec_srchash(src);
1033 if (iflist == NULL) {
1034 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1035 return (EAFNOSUPPORT);
1037 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
1038 /* Add new policies to SPDB */
1039 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
1040 for (i = 0; i < IPSEC_SPCOUNT; i++)
1044 if (sc->family != 0)
1045 ipsec_delete_tunnel(sc);
1046 for (i = 0; i < IPSEC_SPCOUNT; i++)
1048 sc->family = src->sa_family;
1049 CK_LIST_INSERT_HEAD(iflist, sc, srchash);
1051 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1054 ipsec_set_running(sc);
1059 ipsec_delete_tunnel(struct ipsec_softc *sc)
1063 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1065 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1066 if (sc->family != 0) {
1067 CK_LIST_REMOVE(sc, srchash);
1070 * Make sure that ipsec_if_input() will not do access
1071 * to softc's policies.
1075 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT);
1076 for (i = 0; i < IPSEC_SPCOUNT; i++)
1077 key_freesp(&sc->sp[i]);