2 * Copyright (c) 2016-2018 Yandex LLC
3 * Copyright (c) 2016-2018 Andrey V. Elsukov <ae@FreeBSD.org>
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
17 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
18 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
19 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
20 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
21 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
22 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
23 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
24 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
25 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 #include <sys/cdefs.h>
29 __FBSDID("$FreeBSD$");
32 #include "opt_inet6.h"
33 #include "opt_ipsec.h"
35 #include <sys/param.h>
36 #include <sys/systm.h>
37 #include <sys/kernel.h>
38 #include <sys/fnv_hash.h>
41 #include <sys/malloc.h>
43 #include <sys/module.h>
44 #include <sys/socket.h>
45 #include <sys/sockio.h>
47 #include <sys/errno.h>
48 #include <sys/sysctl.h>
54 #include <net/if_var.h>
55 #include <net/if_clone.h>
56 #include <net/if_types.h>
58 #include <net/route.h>
61 #include <netinet/in.h>
62 #include <netinet/in_var.h>
63 #include <netinet/ip.h>
64 #include <netinet/ip_encap.h>
66 #include <netinet/ip6.h>
67 #include <netinet6/in6_var.h>
68 #include <netinet6/scope6_var.h>
70 #include <netipsec/ipsec.h>
72 #include <netipsec/ipsec6.h>
75 #include <net/if_ipsec.h>
76 #include <netipsec/key.h>
78 #include <security/mac/mac_framework.h>
80 static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
81 static const char ipsecname[] = "ipsec";
83 #if defined(INET) && defined(INET6)
84 #define IPSEC_SPCOUNT 4
86 #define IPSEC_SPCOUNT 2
91 struct secpolicy *sp[IPSEC_SPCOUNT];
96 CK_LIST_ENTRY(ipsec_softc) idhash;
97 CK_LIST_ENTRY(ipsec_softc) srchash;
100 #define IPSEC_RLOCK_TRACKER struct epoch_tracker ipsec_et
101 #define IPSEC_RLOCK() epoch_enter_preempt(net_epoch_preempt, &ipsec_et)
102 #define IPSEC_RUNLOCK() epoch_exit_preempt(net_epoch_preempt, &ipsec_et)
103 #define IPSEC_WAIT() epoch_wait_preempt(net_epoch_preempt)
105 #ifndef IPSEC_HASH_SIZE
106 #define IPSEC_HASH_SIZE (1 << 5)
109 CK_LIST_HEAD(ipsec_iflist, ipsec_softc);
110 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec_idhtbl) = NULL;
111 #define V_ipsec_idhtbl VNET(ipsec_idhtbl)
114 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec4_srchtbl) = NULL;
115 #define V_ipsec4_srchtbl VNET(ipsec4_srchtbl)
116 static const struct srcaddrtab *ipsec4_srctab = NULL;
120 VNET_DEFINE_STATIC(struct ipsec_iflist *, ipsec6_srchtbl) = NULL;
121 #define V_ipsec6_srchtbl VNET(ipsec6_srchtbl)
122 static const struct srcaddrtab *ipsec6_srctab = NULL;
125 static struct ipsec_iflist *
126 ipsec_idhash(uint32_t id)
129 return (&V_ipsec_idhtbl[fnv_32_buf(&id, sizeof(id),
130 FNV1_32_INIT) & (IPSEC_HASH_SIZE - 1)]);
133 static struct ipsec_iflist *
134 ipsec_srchash(const struct sockaddr *sa)
138 switch (sa->sa_family) {
142 &((const struct sockaddr_in *)sa)->sin_addr.s_addr,
143 sizeof(in_addr_t), FNV1_32_INIT);
144 return (&V_ipsec4_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
149 &((const struct sockaddr_in6 *)sa)->sin6_addr,
150 sizeof(struct in6_addr), FNV1_32_INIT);
151 return (&V_ipsec6_srchtbl[hval & (IPSEC_HASH_SIZE - 1)]);
158 * ipsec_ioctl_sx protects from concurrent ioctls.
160 static struct sx ipsec_ioctl_sx;
161 SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
163 static int ipsec_init_reqid(struct ipsec_softc *);
164 static int ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
165 struct sockaddr *, uint32_t);
166 static void ipsec_delete_tunnel(struct ipsec_softc *);
168 static int ipsec_set_addresses(struct ifnet *, struct sockaddr *,
170 static int ipsec_set_reqid(struct ipsec_softc *, uint32_t);
171 static void ipsec_set_running(struct ipsec_softc *);
174 static void ipsec_reassign(struct ifnet *, struct vnet *, char *);
176 static void ipsec_srcaddr(void *, const struct sockaddr *, int);
177 static int ipsec_ioctl(struct ifnet *, u_long, caddr_t);
178 static int ipsec_transmit(struct ifnet *, struct mbuf *);
179 static int ipsec_output(struct ifnet *, struct mbuf *,
180 const struct sockaddr *, struct route *);
181 static void ipsec_qflush(struct ifnet *);
182 static int ipsec_clone_create(struct if_clone *, int, caddr_t);
183 static void ipsec_clone_destroy(struct ifnet *);
185 VNET_DEFINE_STATIC(struct if_clone *, ipsec_cloner);
186 #define V_ipsec_cloner VNET(ipsec_cloner)
189 ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
191 struct ipsec_softc *sc;
194 sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
195 sc->fibnum = curthread->td_proc->p_fibnum;
196 sc->ifp = ifp = if_alloc(IFT_TUNNEL);
198 if_initname(ifp, ipsecname, unit);
201 ifp->if_mtu = IPSEC_MTU;
202 ifp->if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
203 ifp->if_ioctl = ipsec_ioctl;
204 ifp->if_transmit = ipsec_transmit;
205 ifp->if_qflush = ipsec_qflush;
206 ifp->if_output = ipsec_output;
208 ifp->if_reassign = ipsec_reassign;
211 bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
218 ipsec_reassign(struct ifnet *ifp, struct vnet *new_vnet __unused,
219 char *unused __unused)
221 struct ipsec_softc *sc;
223 sx_xlock(&ipsec_ioctl_sx);
226 ipsec_delete_tunnel(sc);
227 sx_xunlock(&ipsec_ioctl_sx);
232 ipsec_clone_destroy(struct ifnet *ifp)
234 struct ipsec_softc *sc;
236 sx_xlock(&ipsec_ioctl_sx);
238 ipsec_delete_tunnel(sc);
240 * Delete softc from idhash on interface destroy, since
241 * ipsec_delete_tunnel() keeps reqid unchanged.
244 CK_LIST_REMOVE(sc, idhash);
247 ifp->if_softc = NULL;
248 sx_xunlock(&ipsec_ioctl_sx);
255 static struct ipsec_iflist *
258 struct ipsec_iflist *hash;
261 hash = malloc(sizeof(struct ipsec_iflist) * IPSEC_HASH_SIZE,
263 for (i = 0; i < IPSEC_HASH_SIZE; i++)
264 CK_LIST_INIT(&hash[i]);
270 vnet_ipsec_init(const void *unused __unused)
273 V_ipsec_idhtbl = ipsec_hashinit();
275 V_ipsec4_srchtbl = ipsec_hashinit();
276 if (IS_DEFAULT_VNET(curvnet))
277 ipsec4_srctab = ip_encap_register_srcaddr(ipsec_srcaddr,
281 V_ipsec6_srchtbl = ipsec_hashinit();
282 if (IS_DEFAULT_VNET(curvnet))
283 ipsec6_srctab = ip6_encap_register_srcaddr(ipsec_srcaddr,
286 V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
287 ipsec_clone_destroy, 0);
289 VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
290 vnet_ipsec_init, NULL);
293 vnet_ipsec_uninit(const void *unused __unused)
296 if_clone_detach(V_ipsec_cloner);
297 free(V_ipsec_idhtbl, M_IPSEC);
299 * Use V_ipsec_idhtbl pointer as indicator that VNET is going to be
300 * destroyed, it is used by ipsec_srcaddr() callback.
302 V_ipsec_idhtbl = NULL;
306 if (IS_DEFAULT_VNET(curvnet))
307 ip_encap_unregister_srcaddr(ipsec4_srctab);
308 free(V_ipsec4_srchtbl, M_IPSEC);
311 if (IS_DEFAULT_VNET(curvnet))
312 ip6_encap_unregister_srcaddr(ipsec6_srctab);
313 free(V_ipsec6_srchtbl, M_IPSEC);
316 VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
317 vnet_ipsec_uninit, NULL);
319 static struct secpolicy *
320 ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
326 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
330 return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
340 static struct secasindex *
341 ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
343 struct secpolicy *sp;
345 sp = ipsec_getpolicy(sc, dir, af);
348 return (&sp->req[0]->saidx);
352 ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
355 struct ipsec_softc *sc;
356 struct secpolicy *sp;
363 error = mac_ifnet_check_transmit(ifp, m);
371 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
372 (ifp->if_flags & IFF_MONITOR) != 0 ||
373 (ifp->if_flags & IFF_UP) == 0 || sc->family == 0) {
378 /* Determine address family to correctly handle packet in BPF */
379 ip = mtod(m, struct ip *);
387 case (IPV6_VERSION >> 4):
392 error = EAFNOSUPPORT;
399 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
400 * We can read full chain and compare destination address,
401 * proto and mode from xform_history with values from softc.
403 if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
408 sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
410 M_SETFIB(m, sc->fibnum);
412 BPF_MTAP2(ifp, &af, sizeof(af), m);
413 if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
414 if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
419 error = ipsec4_process_packet(m, sp, NULL);
424 error = ipsec6_process_packet(m, sp, NULL);
428 panic("%s: unknown address family\n", __func__);
432 if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
438 ipsec_qflush(struct ifnet *ifp __unused)
444 ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
448 return (ifp->if_transmit(ifp, m));
452 ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af)
455 struct secasindex *saidx;
456 struct ipsec_softc *sc;
459 if (sav->state != SADB_SASTATE_MATURE &&
460 sav->state != SADB_SASTATE_DYING) {
465 if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
466 sav->sah->saidx.proto != IPPROTO_ESP)
470 CK_LIST_FOREACH(sc, ipsec_idhash(sav->sah->saidx.reqid), idhash) {
473 saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
474 sav->sah->saidx.src.sa.sa_family);
475 /* SA's reqid should match reqid in SP */
477 sav->sah->saidx.reqid != saidx->reqid)
479 /* SAH's addresses should match tunnel endpoints. */
480 if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
481 &saidx->dst.sa, 0) != 0)
483 if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
484 &saidx->src.sa, 0) == 0)
489 /* Tunnel was not found. Nothing to do. */
493 if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
494 (ifp->if_flags & IFF_UP) == 0) {
500 * We found matching and working tunnel.
501 * Set its ifnet as receiving interface.
503 m->m_pkthdr.rcvif = ifp;
506 M_SETFIB(m, ifp->if_fib);
507 BPF_MTAP2(ifp, &af, sizeof(af), m);
508 if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
509 if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
510 if ((ifp->if_flags & IFF_MONITOR) != 0) {
520 ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
522 struct ifreq *ifr = (struct ifreq*)data;
523 struct sockaddr *dst, *src;
524 struct ipsec_softc *sc;
525 struct secasindex *saidx;
527 struct sockaddr_in *sin = NULL;
530 struct sockaddr_in6 *sin6 = NULL;
537 ifp->if_flags |= IFF_UP;
544 if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
545 ifr->ifr_mtu > IPSEC_MTU_MAX)
548 ifp->if_mtu = ifr->ifr_mtu;
551 sx_xlock(&ipsec_ioctl_sx);
553 /* Check that softc is still here */
562 case SIOCSIFPHYADDR_IN6:
568 src = (struct sockaddr *)
569 &(((struct in_aliasreq *)data)->ifra_addr);
570 dst = (struct sockaddr *)
571 &(((struct in_aliasreq *)data)->ifra_dstaddr);
575 case SIOCSIFPHYADDR_IN6:
576 src = (struct sockaddr *)
577 &(((struct in6_aliasreq *)data)->ifra_addr);
578 dst = (struct sockaddr *)
579 &(((struct in6_aliasreq *)data)->ifra_dstaddr);
585 /* sa_family must be equal */
586 if (src->sa_family != dst->sa_family ||
587 src->sa_len != dst->sa_len)
590 /* validate sa_len */
591 switch (src->sa_family) {
594 if (src->sa_len != sizeof(struct sockaddr_in))
600 if (src->sa_len != sizeof(struct sockaddr_in6))
605 error = EAFNOSUPPORT;
608 /* check sa_family looks sane for the cmd */
609 error = EAFNOSUPPORT;
613 if (src->sa_family == AF_INET)
618 case SIOCSIFPHYADDR_IN6:
619 if (src->sa_family == AF_INET6)
624 error = EADDRNOTAVAIL;
625 switch (src->sa_family) {
628 if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
629 satosin(dst)->sin_addr.s_addr == INADDR_ANY)
635 if (IN6_IS_ADDR_UNSPECIFIED(
636 &satosin6(src)->sin6_addr) ||
637 IN6_IS_ADDR_UNSPECIFIED(
638 &satosin6(dst)->sin6_addr))
641 * Check validity of the scope zone ID of the
642 * addresses, and convert it into the kernel
643 * internal form if necessary.
645 error = sa6_embedscope(satosin6(src), 0);
648 error = sa6_embedscope(satosin6(dst), 0);
653 error = ipsec_set_addresses(ifp, src, dst);
656 ipsec_delete_tunnel(sc);
658 case SIOCGIFPSRCADDR:
659 case SIOCGIFPDSTADDR:
661 case SIOCGIFPSRCADDR_IN6:
662 case SIOCGIFPDSTADDR_IN6:
664 if (sc->family == 0) {
665 error = EADDRNOTAVAIL;
668 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
671 case SIOCGIFPSRCADDR:
672 case SIOCGIFPDSTADDR:
673 if (saidx->src.sa.sa_family != AF_INET) {
674 error = EADDRNOTAVAIL;
677 sin = (struct sockaddr_in *)&ifr->ifr_addr;
678 memset(sin, 0, sizeof(*sin));
679 sin->sin_family = AF_INET;
680 sin->sin_len = sizeof(*sin);
684 case SIOCGIFPSRCADDR_IN6:
685 case SIOCGIFPDSTADDR_IN6:
686 if (saidx->src.sa.sa_family != AF_INET6) {
687 error = EADDRNOTAVAIL;
690 sin6 = (struct sockaddr_in6 *)
691 &(((struct in6_ifreq *)data)->ifr_addr);
692 memset(sin6, 0, sizeof(*sin6));
693 sin6->sin6_family = AF_INET6;
694 sin6->sin6_len = sizeof(*sin6);
698 error = EAFNOSUPPORT;
703 case SIOCGIFPSRCADDR:
704 sin->sin_addr = saidx->src.sin.sin_addr;
706 case SIOCGIFPDSTADDR:
707 sin->sin_addr = saidx->dst.sin.sin_addr;
711 case SIOCGIFPSRCADDR_IN6:
712 sin6->sin6_addr = saidx->src.sin6.sin6_addr;
714 case SIOCGIFPDSTADDR_IN6:
715 sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
724 case SIOCGIFPSRCADDR:
725 case SIOCGIFPDSTADDR:
726 error = prison_if(curthread->td_ucred,
727 (struct sockaddr *)sin);
729 memset(sin, 0, sizeof(*sin));
733 case SIOCGIFPSRCADDR_IN6:
734 case SIOCGIFPDSTADDR_IN6:
735 error = prison_if(curthread->td_ucred,
736 (struct sockaddr *)sin6);
738 error = sa6_recoverscope(sin6);
740 memset(sin6, 0, sizeof(*sin6));
745 ifr->ifr_fib = sc->fibnum;
748 if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
750 if (ifr->ifr_fib >= rt_numfibs)
753 sc->fibnum = ifr->ifr_fib;
757 error = copyout(&reqid, ifr_data_get_ptr(ifr), sizeof(reqid));
760 if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
762 error = copyin(ifr_data_get_ptr(ifr), &reqid, sizeof(reqid));
765 error = ipsec_set_reqid(sc, reqid);
772 sx_xunlock(&ipsec_ioctl_sx);
777 * Check that ingress address belongs to local host.
780 ipsec_set_running(struct ipsec_softc *sc)
782 struct secasindex *saidx;
785 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
787 switch (sc->family) {
790 localip = in_localip(saidx->src.sin.sin_addr);
795 localip = in6_localip(&saidx->src.sin6.sin6_addr);
800 sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
802 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
806 * ifaddr_event handler.
807 * Clear IFF_DRV_RUNNING flag when ingress address disappears to prevent
808 * source address spoofing.
811 ipsec_srcaddr(void *arg __unused, const struct sockaddr *sa,
814 struct ipsec_softc *sc;
815 struct secasindex *saidx;
817 /* Check that VNET is ready */
818 if (V_ipsec_idhtbl == NULL)
822 CK_LIST_FOREACH(sc, ipsec_srchash(sa), srchash) {
825 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sa->sa_family);
827 key_sockaddrcmp(&saidx->src.sa, sa, 0) != 0)
829 ipsec_set_running(sc);
834 * Allocate new private security policies for tunneling interface.
835 * Each tunneling interface has following security policies for
837 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
838 * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
839 * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
840 * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
843 ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
844 const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
846 struct ipsecrequest *isr;
849 memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
850 for (i = 0; i < IPSEC_SPCOUNT; i++) {
851 if ((sp[i] = key_newsp()) == NULL)
853 if ((isr = ipsec_newisr()) == NULL)
856 sp[i]->policy = IPSEC_POLICY_IPSEC;
857 sp[i]->state = IPSEC_SPSTATE_DEAD;
858 sp[i]->req[sp[i]->tcount++] = isr;
859 sp[i]->created = time_second;
860 /* Use priority field to store if_index */
861 sp[i]->priority = sc->ifp->if_index;
862 isr->level = IPSEC_LEVEL_UNIQUE;
863 isr->saidx.proto = IPPROTO_ESP;
864 isr->saidx.mode = IPSEC_MODE_TUNNEL;
865 isr->saidx.reqid = reqid;
867 sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
868 bcopy(src, &isr->saidx.dst, src->sa_len);
869 bcopy(dst, &isr->saidx.src, dst->sa_len);
871 sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
872 bcopy(src, &isr->saidx.src, src->sa_len);
873 bcopy(dst, &isr->saidx.dst, dst->sa_len);
875 sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
878 sp[i]->spidx.src.sa.sa_family =
879 sp[i]->spidx.dst.sa.sa_family = AF_INET;
880 sp[i]->spidx.src.sa.sa_len =
881 sp[i]->spidx.dst.sa.sa_len =
882 sizeof(struct sockaddr_in);
887 sp[i]->spidx.src.sa.sa_family =
888 sp[i]->spidx.dst.sa.sa_family = AF_INET6;
889 sp[i]->spidx.src.sa.sa_len =
890 sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
895 for (i = 0; i < IPSEC_SPCOUNT; i++)
901 ipsec_check_reqid(uint32_t reqid)
903 struct ipsec_softc *sc;
905 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
906 CK_LIST_FOREACH(sc, ipsec_idhash(reqid), idhash) {
907 if (sc->reqid == reqid)
914 * We use key_newreqid() to automatically obtain unique reqid.
915 * Then we check that given id is unique, i.e. it is not used by
916 * another if_ipsec(4) interface. This macro limits the number of
917 * tries to get unique id.
919 #define IPSEC_REQID_TRYCNT 64
921 ipsec_init_reqid(struct ipsec_softc *sc)
926 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
927 if (sc->reqid != 0) /* already initialized */
930 trycount = IPSEC_REQID_TRYCNT;
931 while (--trycount > 0) {
932 reqid = key_newreqid();
933 if (ipsec_check_reqid(reqid) == 0)
939 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
944 * Set or update reqid for given tunneling interface.
945 * When specified reqid is zero, generate new one.
946 * We are protected by ioctl_sx lock from concurrent id generation.
947 * Also softc would not disappear while we hold ioctl_sx lock.
950 ipsec_set_reqid(struct ipsec_softc *sc, uint32_t reqid)
952 struct secasindex *saidx;
954 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
956 if (sc->reqid == reqid && reqid != 0)
960 /* Check that specified reqid doesn't exist */
961 if (ipsec_check_reqid(reqid) != 0)
963 if (sc->reqid != 0) {
964 CK_LIST_REMOVE(sc, idhash);
968 CK_LIST_INSERT_HEAD(ipsec_idhash(reqid), sc, idhash);
970 /* Generate new reqid */
971 if (ipsec_init_reqid(sc) != 0)
975 /* Tunnel isn't fully configured, just return. */
979 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
980 KASSERT(saidx != NULL,
981 ("saidx is NULL, but family is %d", sc->family));
982 return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
987 * Set tunnel endpoints addresses.
990 ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
991 struct sockaddr *dst)
993 struct ipsec_softc *sc;
994 struct secasindex *saidx;
996 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
999 if (sc->family != 0) {
1000 saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
1002 if (saidx != NULL && saidx->reqid == sc->reqid &&
1003 key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
1004 key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
1005 return (0); /* Nothing has been changed. */
1007 /* If reqid is not set, generate new one. */
1008 if (ipsec_init_reqid(sc) != 0)
1010 return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
1014 ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
1015 struct sockaddr *dst, uint32_t reqid)
1017 struct secpolicy *sp[IPSEC_SPCOUNT];
1020 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1022 /* Allocate SP with new addresses. */
1023 if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
1024 /* Add new policies to SPDB */
1025 if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
1026 for (i = 0; i < IPSEC_SPCOUNT; i++)
1030 if (sc->family != 0)
1031 ipsec_delete_tunnel(sc);
1032 for (i = 0; i < IPSEC_SPCOUNT; i++)
1034 sc->family = src->sa_family;
1035 CK_LIST_INSERT_HEAD(ipsec_srchash(src), sc, srchash);
1037 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1040 ipsec_set_running(sc);
1045 ipsec_delete_tunnel(struct ipsec_softc *sc)
1049 sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
1051 sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
1052 if (sc->family != 0) {
1053 CK_LIST_REMOVE(sc, srchash);
1056 * Make sure that ipsec_if_input() will not do access
1057 * to softc's policies.
1061 key_unregister_ifnet(sc->sp, IPSEC_SPCOUNT);
1062 for (i = 0; i < IPSEC_SPCOUNT; i++)
1063 key_freesp(&sc->sp[i]);
projects / FreeBSD / FreeBSD.git / blob