2007-04-12 02:21:41 +04:00
|
|
|
/* $NetBSD: ipsec_netbsd.c,v 1.26 2007/04/11 22:21:41 degroote Exp $ */
|
2003-08-14 00:06:49 +04:00
|
|
|
/* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */
|
|
|
|
/* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. Neither the name of the project nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <sys/cdefs.h>
|
2007-04-12 02:21:41 +04:00
|
|
|
__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.26 2007/04/11 22:21:41 degroote Exp $");
|
2003-08-14 00:06:49 +04:00
|
|
|
|
|
|
|
#include "opt_inet.h"
|
|
|
|
#include "opt_ipsec.h"
|
|
|
|
|
|
|
|
#include <sys/param.h>
|
|
|
|
#include <sys/systm.h>
|
|
|
|
#include <sys/malloc.h>
|
|
|
|
#include <sys/mbuf.h>
|
|
|
|
#include <sys/domain.h>
|
|
|
|
#include <sys/protosw.h>
|
|
|
|
#include <sys/socket.h>
|
|
|
|
#include <sys/errno.h>
|
|
|
|
#include <sys/time.h>
|
|
|
|
#include <sys/kernel.h>
|
|
|
|
#include <sys/sysctl.h>
|
|
|
|
|
|
|
|
#include <net/if.h>
|
|
|
|
#include <net/route.h>
|
|
|
|
#include <net/netisr.h>
|
|
|
|
#include <machine/cpu.h>
|
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
#include <netinet/in_var.h>
|
|
|
|
#include <netinet/ip.h>
|
|
|
|
#include <netinet/ip_var.h>
|
|
|
|
#include <netinet/ip_ecn.h>
|
|
|
|
#include <netinet/ip_icmp.h>
|
|
|
|
|
|
|
|
|
|
|
|
#include <netipsec/ipsec.h>
|
2004-05-07 04:55:14 +04:00
|
|
|
#include <netipsec/ipsec_var.h>
|
2003-10-07 02:05:15 +04:00
|
|
|
#include <netipsec/key.h>
|
|
|
|
#include <netipsec/keydb.h>
|
|
|
|
#include <netipsec/key_debug.h>
|
2007-02-10 12:43:05 +03:00
|
|
|
#include <netipsec/ah.h>
|
2003-08-14 00:06:49 +04:00
|
|
|
#include <netipsec/ah_var.h>
|
2004-01-23 05:39:49 +03:00
|
|
|
#include <netipsec/esp.h>
|
2004-05-07 04:55:14 +04:00
|
|
|
#include <netipsec/esp_var.h>
|
|
|
|
#include <netipsec/ipip_var.h>
|
|
|
|
#include <netipsec/ipcomp_var.h>
|
2003-08-14 00:06:49 +04:00
|
|
|
|
2004-01-23 05:39:49 +03:00
|
|
|
#ifdef INET6
|
|
|
|
#include <netipsec/ipsec6.h>
|
|
|
|
#include <netinet6/ip6protosw.h>
|
|
|
|
#include <netinet/icmp6.h>
|
|
|
|
#endif
|
2003-08-14 00:06:49 +04:00
|
|
|
|
|
|
|
#include <machine/stdarg.h>
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-10-07 02:05:15 +04:00
|
|
|
#include <netipsec/key.h>
|
2003-08-14 00:06:49 +04:00
|
|
|
|
|
|
|
/* assumes that ip header and ah header are contiguous on mbuf */
|
2007-02-18 17:28:25 +03:00
|
|
|
void*
|
2003-08-14 00:06:49 +04:00
|
|
|
ah4_ctlinput(cmd, sa, v)
|
|
|
|
int cmd;
|
2007-02-18 16:55:25 +03:00
|
|
|
const struct sockaddr *sa;
|
2003-08-14 00:06:49 +04:00
|
|
|
void *v;
|
|
|
|
{
|
|
|
|
struct ip *ip = v;
|
|
|
|
struct ah *ah;
|
|
|
|
struct icmp *icp;
|
|
|
|
struct secasvar *sav;
|
|
|
|
|
|
|
|
if (sa->sa_family != AF_INET ||
|
2007-02-10 12:43:05 +03:00
|
|
|
sa->sa_len != sizeof(struct sockaddr_in))
|
2007-02-18 17:28:25 +03:00
|
|
|
return NULL;
|
2003-08-14 00:06:49 +04:00
|
|
|
if ((unsigned)cmd >= PRC_NCMDS)
|
|
|
|
return NULL;
|
2007-02-18 17:28:25 +03:00
|
|
|
|
2003-08-14 00:06:49 +04:00
|
|
|
if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
|
|
|
|
/*
|
|
|
|
* Check to see if we have a valid SA corresponding to
|
|
|
|
* the address in the ICMP message payload.
|
|
|
|
*/
|
2007-03-04 22:54:48 +03:00
|
|
|
ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
|
2007-02-18 17:28:25 +03:00
|
|
|
sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
|
|
|
|
IPPROTO_AH, ah->ah_spi);
|
|
|
|
|
|
|
|
if (sav) {
|
|
|
|
if (sav->state == SADB_SASTATE_MATURE ||
|
|
|
|
sav->state == SADB_SASTATE_DYING) {
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now that we've validated that we are actually
|
|
|
|
* communicating with the host indicated in the
|
|
|
|
* ICMP message, locate the ICMP header,
|
|
|
|
* recalculate the new MTU, and create the
|
|
|
|
* corresponding routing entry.
|
|
|
|
*/
|
2007-03-04 22:54:48 +03:00
|
|
|
icp = (struct icmp *)((char *)ip -
|
2007-02-18 17:28:25 +03:00
|
|
|
offsetof(struct icmp, icmp_ip));
|
|
|
|
icmp_mtudisc(icp, ip->ip_dst);
|
|
|
|
|
|
|
|
}
|
2007-02-18 21:58:17 +03:00
|
|
|
KEY_FREESAV(&sav);
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2007-02-18 17:28:25 +03:00
|
|
|
|
|
|
|
|
2003-08-14 00:06:49 +04:00
|
|
|
/* assumes that ip header and esp header are contiguous on mbuf */
|
2007-02-18 17:28:25 +03:00
|
|
|
void*
|
2003-08-14 00:06:49 +04:00
|
|
|
esp4_ctlinput(cmd, sa, v)
|
|
|
|
int cmd;
|
2007-02-18 16:55:25 +03:00
|
|
|
const struct sockaddr *sa;
|
2003-08-14 00:06:49 +04:00
|
|
|
void *v;
|
|
|
|
{
|
|
|
|
struct ip *ip = v;
|
|
|
|
struct esp *esp;
|
|
|
|
struct icmp *icp;
|
|
|
|
struct secasvar *sav;
|
|
|
|
|
|
|
|
if (sa->sa_family != AF_INET ||
|
|
|
|
sa->sa_len != sizeof(struct sockaddr_in))
|
|
|
|
return NULL;
|
|
|
|
if ((unsigned)cmd >= PRC_NCMDS)
|
|
|
|
return NULL;
|
2007-02-18 17:28:25 +03:00
|
|
|
|
2003-08-14 00:06:49 +04:00
|
|
|
if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
|
|
|
|
/*
|
|
|
|
* Check to see if we have a valid SA corresponding to
|
|
|
|
* the address in the ICMP message payload.
|
|
|
|
*/
|
2007-03-04 22:54:48 +03:00
|
|
|
esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
|
2007-02-18 17:28:25 +03:00
|
|
|
sav = KEY_ALLOCSA((const union sockaddr_union *)sa,
|
|
|
|
IPPROTO_ESP, esp->esp_spi);
|
|
|
|
|
|
|
|
if (sav) {
|
|
|
|
if (sav->state == SADB_SASTATE_MATURE ||
|
|
|
|
sav->state == SADB_SASTATE_DYING) {
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Now that we've validated that we are actually
|
|
|
|
* communicating with the host indicated in the
|
|
|
|
* ICMP message, locate the ICMP header,
|
|
|
|
* recalculate the new MTU, and create the
|
|
|
|
* corresponding routing entry.
|
|
|
|
*/
|
|
|
|
|
2007-03-04 22:54:48 +03:00
|
|
|
icp = (struct icmp *)((char *)ip -
|
2007-02-18 17:28:25 +03:00
|
|
|
offsetof(struct icmp, icmp_ip));
|
|
|
|
icmp_mtudisc(icp, ip->ip_dst);
|
|
|
|
|
|
|
|
}
|
2007-02-18 21:58:17 +03:00
|
|
|
KEY_FREESAV(&sav);
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef INET6
|
2007-02-10 12:43:05 +03:00
|
|
|
void
|
|
|
|
ah6_ctlinput(cmd, sa, d)
|
|
|
|
int cmd;
|
2007-02-18 16:55:25 +03:00
|
|
|
const struct sockaddr *sa;
|
2007-02-10 12:43:05 +03:00
|
|
|
void *d;
|
|
|
|
{
|
|
|
|
const struct newah *ahp;
|
|
|
|
struct newah ah;
|
|
|
|
struct secasvar *sav;
|
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
struct mbuf *m;
|
|
|
|
struct ip6ctlparam *ip6cp = NULL;
|
|
|
|
int off;
|
|
|
|
|
|
|
|
if (sa->sa_family != AF_INET6 ||
|
|
|
|
sa->sa_len != sizeof(struct sockaddr_in6))
|
|
|
|
return;
|
|
|
|
if ((unsigned)cmd >= PRC_NCMDS)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* if the parameter is from icmp6, decode it. */
|
|
|
|
if (d != NULL) {
|
|
|
|
ip6cp = (struct ip6ctlparam *)d;
|
|
|
|
m = ip6cp->ip6c_m;
|
|
|
|
ip6 = ip6cp->ip6c_ip6;
|
|
|
|
off = ip6cp->ip6c_off;
|
|
|
|
} else {
|
|
|
|
m = NULL;
|
|
|
|
ip6 = NULL;
|
|
|
|
off = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ip6) {
|
|
|
|
/*
|
|
|
|
* XXX: We assume that when ip6 is non NULL,
|
|
|
|
* M and OFF are valid.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* check if we can safely examine src and dst ports */
|
|
|
|
if (m->m_pkthdr.len < off + sizeof(ah))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (m->m_len < off + sizeof(ah)) {
|
|
|
|
/*
|
|
|
|
* this should be rare case,
|
|
|
|
* so we compromise on this copy...
|
|
|
|
*/
|
2007-03-05 00:17:54 +03:00
|
|
|
m_copydata(m, off, sizeof(ah), &ah);
|
2007-02-10 12:43:05 +03:00
|
|
|
ahp = &ah;
|
|
|
|
} else
|
2007-03-04 22:54:48 +03:00
|
|
|
ahp = (struct newah *)(mtod(m, char *) + off);
|
2007-02-10 12:43:05 +03:00
|
|
|
|
|
|
|
if (cmd == PRC_MSGSIZE) {
|
|
|
|
int valid = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check to see if we have a valid SA corresponding
|
|
|
|
* to the address in the ICMP message payload.
|
|
|
|
*/
|
2007-02-18 16:55:25 +03:00
|
|
|
sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
|
2007-02-10 12:43:05 +03:00
|
|
|
IPPROTO_AH, ahp->ah_spi);
|
|
|
|
|
|
|
|
if (sav) {
|
|
|
|
if (sav->state == SADB_SASTATE_MATURE ||
|
|
|
|
sav->state == SADB_SASTATE_DYING)
|
|
|
|
valid++;
|
|
|
|
KEY_FREESAV(&sav);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* XXX Further validation? */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Depending on the value of "valid" and routing
|
|
|
|
* table size (mtudisc_{hi,lo}wat), we will:
|
|
|
|
* - recalcurate the new MTU and create the
|
|
|
|
* corresponding routing entry, or
|
|
|
|
* - ignore the MTU change notification.
|
|
|
|
*/
|
|
|
|
icmp6_mtudisc_update((struct ip6ctlparam *)d,valid);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* we normally notify single pcb here */
|
|
|
|
} else {
|
|
|
|
/* we normally notify any pcb here */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
2003-08-14 00:06:49 +04:00
|
|
|
void
|
|
|
|
esp6_ctlinput(cmd, sa, d)
|
|
|
|
int cmd;
|
2007-02-18 16:55:25 +03:00
|
|
|
const struct sockaddr *sa;
|
2003-08-14 00:06:49 +04:00
|
|
|
void *d;
|
|
|
|
{
|
|
|
|
const struct newesp *espp;
|
|
|
|
struct newesp esp;
|
|
|
|
struct ip6ctlparam *ip6cp = NULL, ip6cp1;
|
|
|
|
struct secasvar *sav;
|
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
struct mbuf *m;
|
|
|
|
int off;
|
|
|
|
|
|
|
|
if (sa->sa_family != AF_INET6 ||
|
|
|
|
sa->sa_len != sizeof(struct sockaddr_in6))
|
|
|
|
return;
|
|
|
|
if ((unsigned)cmd >= PRC_NCMDS)
|
|
|
|
return;
|
|
|
|
|
|
|
|
/* if the parameter is from icmp6, decode it. */
|
|
|
|
if (d != NULL) {
|
|
|
|
ip6cp = (struct ip6ctlparam *)d;
|
|
|
|
m = ip6cp->ip6c_m;
|
|
|
|
ip6 = ip6cp->ip6c_ip6;
|
|
|
|
off = ip6cp->ip6c_off;
|
|
|
|
} else {
|
|
|
|
m = NULL;
|
|
|
|
ip6 = NULL;
|
2004-03-20 06:08:55 +03:00
|
|
|
off = 0;
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
if (ip6) {
|
|
|
|
/*
|
|
|
|
* Notify the error to all possible sockets via pfctlinput2.
|
|
|
|
* Since the upper layer information (such as protocol type,
|
|
|
|
* source and destination ports) is embedded in the encrypted
|
|
|
|
* data and might have been cut, we can't directly call
|
|
|
|
* an upper layer ctlinput function. However, the pcbnotify
|
|
|
|
* function will consider source and destination addresses
|
|
|
|
* as well as the flow info value, and may be able to find
|
|
|
|
* some PCB that should be notified.
|
|
|
|
* Although pfctlinput2 will call esp6_ctlinput(), there is
|
|
|
|
* no possibility of an infinite loop of function calls,
|
|
|
|
* because we don't pass the inner IPv6 header.
|
|
|
|
*/
|
2007-02-18 17:28:25 +03:00
|
|
|
memset(&ip6cp1, 0, sizeof(ip6cp1));
|
2003-08-14 00:06:49 +04:00
|
|
|
ip6cp1.ip6c_src = ip6cp->ip6c_src;
|
2007-03-05 00:17:54 +03:00
|
|
|
pfctlinput2(cmd, sa, &ip6cp1);
|
2003-08-14 00:06:49 +04:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Then go to special cases that need ESP header information.
|
|
|
|
* XXX: We assume that when ip6 is non NULL,
|
|
|
|
* M and OFF are valid.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* check if we can safely examine src and dst ports */
|
|
|
|
if (m->m_pkthdr.len < off + sizeof(esp))
|
|
|
|
return;
|
|
|
|
|
|
|
|
if (m->m_len < off + sizeof(esp)) {
|
|
|
|
/*
|
|
|
|
* this should be rare case,
|
|
|
|
* so we compromise on this copy...
|
|
|
|
*/
|
2007-03-05 00:17:54 +03:00
|
|
|
m_copydata(m, off, sizeof(esp), &esp);
|
2003-08-14 00:06:49 +04:00
|
|
|
espp = &esp;
|
|
|
|
} else
|
2007-03-04 22:54:48 +03:00
|
|
|
espp = (struct newesp*)(mtod(m, char *) + off);
|
2003-08-14 00:06:49 +04:00
|
|
|
|
|
|
|
if (cmd == PRC_MSGSIZE) {
|
|
|
|
int valid = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check to see if we have a valid SA corresponding to
|
|
|
|
* the address in the ICMP message payload.
|
|
|
|
*/
|
2007-02-18 16:55:25 +03:00
|
|
|
|
|
|
|
sav = KEY_ALLOCSA((const union sockaddr_union*)sa,
|
2004-03-20 06:08:55 +03:00
|
|
|
IPPROTO_ESP, espp->esp_spi);
|
|
|
|
|
2003-08-14 00:06:49 +04:00
|
|
|
if (sav) {
|
|
|
|
if (sav->state == SADB_SASTATE_MATURE ||
|
|
|
|
sav->state == SADB_SASTATE_DYING)
|
|
|
|
valid++;
|
2004-03-20 06:08:55 +03:00
|
|
|
KEY_FREESAV(&sav);
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* XXX Further validation? */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Depending on the value of "valid" and routing table
|
|
|
|
* size (mtudisc_{hi,lo}wat), we will:
|
|
|
|
* - recalcurate the new MTU and create the
|
|
|
|
* corresponding routing entry, or
|
|
|
|
* - ignore the MTU change notification.
|
|
|
|
*/
|
|
|
|
icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* we normally notify any pcb here */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
static int
|
|
|
|
sysctl_fast_ipsec(SYSCTLFN_ARGS)
|
2003-08-14 00:06:49 +04:00
|
|
|
{
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
int error, t;
|
|
|
|
struct sysctlnode node;
|
|
|
|
|
|
|
|
node = *rnode;
|
|
|
|
t = *(int*)rnode->sysctl_data;
|
|
|
|
node.sysctl_data = &t;
|
|
|
|
error = sysctl_lookup(SYSCTLFN_CALL(&node));
|
|
|
|
if (error || newp == NULL)
|
|
|
|
return (error);
|
2003-08-14 00:06:49 +04:00
|
|
|
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
switch (rnode->sysctl_num) {
|
2003-08-14 00:06:49 +04:00
|
|
|
case IPSECCTL_DEF_ESP_TRANSLEV:
|
|
|
|
case IPSECCTL_DEF_ESP_NETLEV:
|
|
|
|
case IPSECCTL_DEF_AH_TRANSLEV:
|
|
|
|
case IPSECCTL_DEF_AH_NETLEV:
|
2005-02-27 01:45:09 +03:00
|
|
|
if (t != IPSEC_LEVEL_USE &&
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
t != IPSEC_LEVEL_REQUIRE)
|
|
|
|
return (EINVAL);
|
|
|
|
ipsec_invalpcbcacheall();
|
2003-08-14 00:06:49 +04:00
|
|
|
break;
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
case IPSECCTL_DEF_POLICY:
|
|
|
|
if (t != IPSEC_POLICY_DISCARD &&
|
|
|
|
t != IPSEC_POLICY_NONE)
|
|
|
|
return (EINVAL);
|
|
|
|
ipsec_invalpcbcacheall();
|
2003-08-14 00:06:49 +04:00
|
|
|
break;
|
|
|
|
default:
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
return (EINVAL);
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
|
|
|
|
*(int*)rnode->sysctl_data = t;
|
|
|
|
|
|
|
|
return (0);
|
|
|
|
}
|
|
|
|
|
2006-04-12 00:21:28 +04:00
|
|
|
#ifdef IPSEC_DEBUG
|
|
|
|
static int
|
|
|
|
sysctl_fast_ipsec_test(SYSCTLFN_ARGS)
|
|
|
|
{
|
|
|
|
int t, error;
|
|
|
|
struct sysctlnode node;
|
|
|
|
|
|
|
|
node = *rnode;
|
|
|
|
t = *(int*)rnode->sysctl_data;
|
|
|
|
node.sysctl_data = &t;
|
|
|
|
error = sysctl_lookup(SYSCTLFN_CALL(&node));
|
|
|
|
if (error || newp == NULL)
|
|
|
|
return (error);
|
|
|
|
|
|
|
|
if (t < 0 || t > 1)
|
|
|
|
return EINVAL;
|
|
|
|
|
|
|
|
if (rnode->sysctl_data == &ipsec_replay)
|
|
|
|
printf("fast_ipsec: Anti-Replay service %s\n",
|
|
|
|
(t == 1) ? "deactivated" : "activated");
|
|
|
|
else if (rnode->sysctl_data == &ipsec_integrity)
|
|
|
|
printf("fast_ipsec: HMAC corruption %s\n",
|
|
|
|
(t == 0) ? "deactivated" : "activated");
|
|
|
|
|
|
|
|
*(int*)rnode->sysctl_data = t;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
/* XXX will need a different oid at parent */
|
2004-05-07 04:55:14 +04:00
|
|
|
SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup")
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
{
|
2005-06-20 06:49:18 +04:00
|
|
|
const struct sysctlnode *_ipsec;
|
2004-07-17 20:36:39 +04:00
|
|
|
int ipproto_ipsec;
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTLTYPE_NODE, "net", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTLTYPE_NODE, "inet", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET, CTL_EOL);
|
2004-05-07 04:55:14 +04:00
|
|
|
|
2004-07-17 20:36:39 +04:00
|
|
|
/*
|
|
|
|
* in numerical order:
|
|
|
|
*
|
|
|
|
* net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP
|
|
|
|
* net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP
|
|
|
|
* net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH
|
|
|
|
* net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
|
|
|
|
* net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE
|
|
|
|
*
|
|
|
|
* this creates separate trees by name, but maintains that the
|
|
|
|
* ipsec name leads to all the old leaves.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* create net.inet.ipip */
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTLTYPE_NODE, "ipip", NULL,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
NULL, 0, NULL, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
|
|
|
|
CTLTYPE_STRUCT, "ipip_stats", NULL,
|
|
|
|
NULL, 0, &ipipstat, sizeof(ipipstat),
|
|
|
|
CTL_NET, PF_INET, IPPROTO_IPIP,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
|
2004-07-17 20:36:39 +04:00
|
|
|
/* create net.inet.esp subtree under IPPROTO_ESP */
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "esp", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "trans_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, IPPROTO_ESP,
|
|
|
|
IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "net_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, IPPROTO_ESP,
|
|
|
|
IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTLTYPE_STRUCT, "esp_stats", NULL,
|
|
|
|
NULL, 0, &espstat, sizeof(espstat),
|
|
|
|
CTL_NET, PF_INET, IPPROTO_ESP,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
2004-05-07 04:55:14 +04:00
|
|
|
|
2004-07-17 20:36:39 +04:00
|
|
|
/* create net.inet.ah subtree under IPPROTO_AH */
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "ah", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLTYPE_INT, "cleartos", NULL,
|
2007-03-26 02:06:33 +04:00
|
|
|
NULL, 0, &ip4_ah_cleartos, 0,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTL_NET, PF_INET, IPPROTO_AH,
|
2004-05-07 04:55:14 +04:00
|
|
|
IPSECCTL_AH_CLEARTOS, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLTYPE_INT, "offsetmask", NULL,
|
|
|
|
NULL, 0, &ip4_ah_offsetmask, 0,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTL_NET, PF_INET, IPPROTO_AH,
|
2004-05-07 04:55:14 +04:00
|
|
|
IPSECCTL_AH_OFFSETMASK, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLTYPE_INT, "trans_deflev", NULL,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, IPPROTO_AH,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLTYPE_INT, "net_deflev", NULL,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, IPPROTO_AH,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
|
2004-05-07 04:55:14 +04:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTLTYPE_STRUCT, "ah_stats", NULL,
|
|
|
|
NULL, 0, &ahstat, sizeof(ahstat),
|
|
|
|
CTL_NET, PF_INET, IPPROTO_AH,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
2004-05-07 04:55:14 +04:00
|
|
|
|
|
|
|
/* create net.inet.ipcomp */
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "ipcomp", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTLTYPE_STRUCT, "ipcomp_stats", NULL,
|
2004-05-07 04:55:14 +04:00
|
|
|
NULL, 0, &ipcompstat, sizeof(ipcompstat),
|
|
|
|
CTL_NET, PF_INET, IPPROTO_IPCOMP,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_CREATE, CTL_EOL);
|
2004-05-07 04:55:14 +04:00
|
|
|
|
2004-07-17 20:36:39 +04:00
|
|
|
/* create net.inet.ipsec subtree under dynamic oid */
|
|
|
|
sysctl_createv(clog, 0, NULL, &_ipsec,
|
2004-05-07 04:55:14 +04:00
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "ipsec", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
|
|
|
|
ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
|
2004-05-07 04:55:14 +04:00
|
|
|
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "def_policy", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
2004-05-07 04:55:14 +04:00
|
|
|
IPSECCTL_DEF_POLICY, CTL_EOL);
|
2004-07-17 20:36:39 +04:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "esp_trans_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "esp_net_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_trans_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_net_deflev", NULL,
|
|
|
|
sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_cleartos", NULL,
|
2007-03-26 02:06:33 +04:00
|
|
|
NULL, 0, &ip4_ah_cleartos, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_AH_CLEARTOS, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_offsetmask", NULL,
|
|
|
|
NULL, 0, &ip4_ah_offsetmask, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
IPSECCTL_AH_OFFSETMASK, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTLTYPE_INT, "dfbit", NULL,
|
|
|
|
NULL, 0, &ip4_ipsec_dfbit, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
IPSECCTL_DFBIT, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTLTYPE_INT, "ecn", NULL,
|
|
|
|
NULL, 0, &ip4_ipsec_ecn, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
IPSECCTL_ECN, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
CTLTYPE_INT, "debug", NULL,
|
|
|
|
NULL, 0, &ipsec_debug, 0,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 22:38:21 +03:00
|
|
|
IPSECCTL_DEBUG, CTL_EOL);
|
2004-03-24 18:34:46 +03:00
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
2004-07-17 20:36:39 +04:00
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READONLY,
|
|
|
|
CTLTYPE_STRUCT, "ipsecstats", NULL,
|
|
|
|
NULL, 0, &ipsecstat, sizeof(ipsecstat),
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
2006-04-12 00:21:28 +04:00
|
|
|
#ifdef IPSEC_DEBUG
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "test_replay",
|
|
|
|
SYSCTL_DESCR("Emulate replay attack"),
|
|
|
|
sysctl_fast_ipsec_test, 0, &ipsec_replay, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "test_integrity",
|
|
|
|
SYSCTL_DESCR("Emulate man-in-the-middle attack"),
|
|
|
|
sysctl_fast_ipsec_test, 0, &ipsec_integrity, 0,
|
|
|
|
CTL_NET, PF_INET, ipproto_ipsec,
|
|
|
|
CTL_CREATE, CTL_EOL);
|
|
|
|
#endif
|
2003-08-14 00:06:49 +04:00
|
|
|
}
|
2007-04-12 02:21:41 +04:00
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
SYSCTL_SETUP(sysctl_net_inet6_fast_ipsec6_setup,
|
|
|
|
"sysctl net.inet6.ipsec6 subtree setup")
|
|
|
|
{
|
|
|
|
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "net", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "inet6", NULL,
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET6, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT,
|
|
|
|
CTLTYPE_NODE, "ipsec6",
|
|
|
|
SYSCTL_DESCR("IPv6 related IPSec settings"),
|
|
|
|
NULL, 0, NULL, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
|
|
|
|
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_STRUCT, "stats",
|
|
|
|
SYSCTL_DESCR("IPSec statistics and counters"),
|
|
|
|
NULL, 0, &ipsec6stat, sizeof(ipsec6stat),
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_STATS, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "def_policy",
|
|
|
|
SYSCTL_DESCR("Default action for non-IPSec packets"),
|
|
|
|
sysctl_fast_ipsec, 0, &ip6_def_policy, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEF_POLICY, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "esp_trans_deflev",
|
|
|
|
SYSCTL_DESCR("Default required security level for "
|
|
|
|
"transport mode traffic"),
|
|
|
|
sysctl_fast_ipsec, 0, &ip6_esp_trans_deflev, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "esp_net_deflev",
|
|
|
|
SYSCTL_DESCR("Default required security level for "
|
|
|
|
"tunneled traffic"),
|
|
|
|
sysctl_fast_ipsec, 0, &ip6_esp_net_deflev, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_trans_deflev",
|
|
|
|
SYSCTL_DESCR("Default required security level for "
|
|
|
|
"transport mode headers"),
|
|
|
|
sysctl_fast_ipsec, 0, &ip6_ah_trans_deflev, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ah_net_deflev",
|
|
|
|
SYSCTL_DESCR("Default required security level for "
|
|
|
|
"tunneled headers"),
|
|
|
|
sysctl_fast_ipsec, 0, &ip6_ah_net_deflev, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "ecn",
|
|
|
|
SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
|
|
|
|
NULL, 0, &ip6_ipsec_ecn, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_ECN, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
|
|
|
|
CTLTYPE_INT, "debug",
|
|
|
|
SYSCTL_DESCR("Enable IPSec debugging output"),
|
|
|
|
NULL, 0, &ipsec_debug, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_AH,
|
|
|
|
IPSECCTL_DEBUG, CTL_EOL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* "aliases" for the ipsec6 subtree
|
|
|
|
*/
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
|
|
|
|
CTLTYPE_NODE, "esp6", NULL,
|
|
|
|
NULL, IPPROTO_AH, NULL, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_ESP, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
|
|
|
|
CTLTYPE_NODE, "ipcomp6", NULL,
|
|
|
|
NULL, IPPROTO_AH, NULL, 0,
|
|
|
|
CTL_NET, PF_INET6, IPPROTO_IPCOMP, CTL_EOL);
|
|
|
|
sysctl_createv(clog, 0, NULL, NULL,
|
|
|
|
CTLFLAG_PERMANENT|CTLFLAG_ALIAS,
|
|
|
|
CTLTYPE_NODE, "ah6", NULL,
|
|
|
|
NULL, IPPROTO_AH, NULL, 0,
|
|
|
|
CTL_NET, PF_INET6, CTL_CREATE, CTL_EOL);
|
|
|
|
}
|
|
|
|
#endif /* INET6 */
|