1810 lines
43 KiB
C
1810 lines
43 KiB
C
/* $NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $ */
|
|
|
|
/*
|
|
* Copyright (c) 2017 Internet Initiative Japan Inc.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include <sys/cdefs.h>
|
|
__KERNEL_RCSID(0, "$NetBSD: if_ipsec.c,v 1.19 2018/12/07 05:09:39 knakahara Exp $");
|
|
|
|
#ifdef _KERNEL_OPT
|
|
#include "opt_inet.h"
|
|
#endif
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/mbuf.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/sockio.h>
|
|
#include <sys/errno.h>
|
|
#include <sys/ioctl.h>
|
|
#include <sys/time.h>
|
|
#include <sys/syslog.h>
|
|
#include <sys/cpu.h>
|
|
#include <sys/kmem.h>
|
|
#include <sys/mutex.h>
|
|
#include <sys/pserialize.h>
|
|
#include <sys/psref.h>
|
|
|
|
#include <net/if.h>
|
|
#include <net/if_types.h>
|
|
#include <net/route.h>
|
|
#include <net/bpf.h>
|
|
#include <net/pfkeyv2.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#ifdef INET
|
|
#include <netinet/in_var.h>
|
|
#endif /* INET */
|
|
|
|
#ifdef INET6
|
|
#include <netinet6/in6_var.h>
|
|
#include <netinet/ip6.h>
|
|
#include <netinet6/ip6_var.h>
|
|
#endif /* INET6 */
|
|
|
|
#include <netinet/ip_encap.h>
|
|
|
|
#include <net/if_ipsec.h>
|
|
|
|
#include <net/raw_cb.h>
|
|
#include <net/pfkeyv2.h>
|
|
|
|
#include <netipsec/key.h>
|
|
#include <netipsec/keydb.h> /* for union sockaddr_union */
|
|
#include <netipsec/ipsec.h>
|
|
#include <netipsec/ipsecif.h>
|
|
|
|
static void if_ipsec_ro_init_pc(void *, void *, struct cpu_info *);
|
|
static void if_ipsec_ro_fini_pc(void *, void *, struct cpu_info *);
|
|
|
|
static int if_ipsec_clone_create(struct if_clone *, int);
|
|
static int if_ipsec_clone_destroy(struct ifnet *);
|
|
|
|
static inline int if_ipsec_out_direct(struct ipsec_variant *, struct mbuf *, int);
|
|
static inline void if_ipsec_in_enqueue(struct mbuf *, int, struct ifnet *);
|
|
|
|
static int if_ipsec_encap_attach(struct ipsec_variant *);
|
|
static int if_ipsec_encap_detach(struct ipsec_variant *);
|
|
static int if_ipsec_set_tunnel(struct ifnet *,
|
|
struct sockaddr *, struct sockaddr *);
|
|
static void if_ipsec_delete_tunnel(struct ifnet *);
|
|
static int if_ipsec_ensure_flags(struct ifnet *, short);
|
|
static void if_ipsec_attach0(struct ipsec_softc *);
|
|
|
|
static int if_ipsec_update_variant(struct ipsec_softc *,
|
|
struct ipsec_variant *, struct ipsec_variant *);
|
|
|
|
/* sadb_msg */
|
|
static inline void if_ipsec_add_mbuf(struct mbuf *, void *, size_t);
|
|
static inline void if_ipsec_add_pad(struct mbuf *, size_t);
|
|
static inline size_t if_ipsec_set_sadb_addr(struct sadb_address *,
|
|
struct sockaddr *, int, uint16_t);
|
|
static inline size_t if_ipsec_set_sadb_src(struct sadb_address *,
|
|
struct sockaddr *, int);
|
|
static inline size_t if_ipsec_set_sadb_dst(struct sadb_address *,
|
|
struct sockaddr *, int);
|
|
static inline size_t if_ipsec_set_sadb_x_policy(struct sadb_x_policy *,
|
|
struct sadb_x_ipsecrequest *, uint16_t, uint8_t, uint32_t, uint8_t,
|
|
struct sockaddr *, struct sockaddr *);
|
|
static inline void if_ipsec_set_sadb_msg(struct sadb_msg *, uint16_t, uint8_t);
|
|
static inline void if_ipsec_set_sadb_msg_add(struct sadb_msg *, uint16_t);
|
|
static inline void if_ipsec_set_sadb_msg_del(struct sadb_msg *, uint16_t);
|
|
/* SPD */
|
|
static int if_ipsec_share_sp(struct ipsec_variant *);
|
|
static int if_ipsec_unshare_sp(struct ipsec_variant *);
|
|
static inline struct secpolicy *if_ipsec_add_sp0(struct sockaddr *,
|
|
in_port_t, struct sockaddr *, in_port_t, int, int, int, u_int);
|
|
static inline int if_ipsec_del_sp0(struct secpolicy *);
|
|
static int if_ipsec_add_sp(struct ipsec_variant *,
|
|
struct sockaddr *, in_port_t, struct sockaddr *, in_port_t);
|
|
static void if_ipsec_del_sp(struct ipsec_variant *);
|
|
static int if_ipsec_replace_sp(struct ipsec_softc *, struct ipsec_variant *,
|
|
struct ipsec_variant *);
|
|
|
|
static int if_ipsec_set_addr_port(struct sockaddr *, struct sockaddr *,
|
|
in_port_t);
|
|
#define IF_IPSEC_GATHER_PSRC_ADDR_PORT(var, target) \
|
|
if_ipsec_set_addr_port(target, (var)->iv_psrc, (var)->iv_sport)
|
|
#define IF_IPSEC_GATHER_PDST_ADDR_PORT(var, target) \
|
|
if_ipsec_set_addr_port(target, (var)->iv_pdst, (var)->iv_dport)
|
|
|
|
/*
|
|
* ipsec global variable definitions
|
|
*/
|
|
|
|
/* This list is used in ioctl context only. */
|
|
LIST_HEAD(ipsec_sclist, ipsec_softc);
|
|
static struct {
|
|
struct ipsec_sclist list;
|
|
kmutex_t lock;
|
|
} ipsec_softcs __cacheline_aligned;
|
|
|
|
struct psref_class *iv_psref_class __read_mostly;
|
|
|
|
struct if_clone ipsec_cloner =
|
|
IF_CLONE_INITIALIZER("ipsec", if_ipsec_clone_create, if_ipsec_clone_destroy);
|
|
static int max_ipsec_nesting = MAX_IPSEC_NEST;
|
|
|
|
/* ARGSUSED */
|
|
void
|
|
ipsecifattach(int count)
|
|
{
|
|
|
|
mutex_init(&ipsec_softcs.lock, MUTEX_DEFAULT, IPL_NONE);
|
|
LIST_INIT(&ipsec_softcs.list);
|
|
|
|
iv_psref_class = psref_class_create("ipsecvar", IPL_SOFTNET);
|
|
|
|
if_clone_attach(&ipsec_cloner);
|
|
}
|
|
|
|
static int
|
|
if_ipsec_clone_create(struct if_clone *ifc, int unit)
|
|
{
|
|
struct ipsec_softc *sc;
|
|
struct ipsec_variant *var;
|
|
|
|
sc = kmem_zalloc(sizeof(*sc), KM_SLEEP);
|
|
|
|
if_initname(&sc->ipsec_if, ifc->ifc_name, unit);
|
|
|
|
if_ipsec_attach0(sc);
|
|
|
|
var = kmem_zalloc(sizeof(*var), KM_SLEEP);
|
|
var->iv_softc = sc;
|
|
psref_target_init(&var->iv_psref, iv_psref_class);
|
|
|
|
sc->ipsec_var = var;
|
|
mutex_init(&sc->ipsec_lock, MUTEX_DEFAULT, IPL_NONE);
|
|
sc->ipsec_psz = pserialize_create();
|
|
sc->ipsec_ro_percpu = percpu_alloc(sizeof(struct ipsec_ro));
|
|
percpu_foreach(sc->ipsec_ro_percpu, if_ipsec_ro_init_pc, NULL);
|
|
|
|
mutex_enter(&ipsec_softcs.lock);
|
|
LIST_INSERT_HEAD(&ipsec_softcs.list, sc, ipsec_list);
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
return 0;
|
|
}
|
|
|
|
static void
|
|
if_ipsec_attach0(struct ipsec_softc *sc)
|
|
{
|
|
|
|
sc->ipsec_if.if_addrlen = 0;
|
|
sc->ipsec_if.if_mtu = IPSEC_MTU;
|
|
sc->ipsec_if.if_flags = IFF_POINTOPOINT | IFF_MULTICAST;
|
|
/* set ipsec(4) specific default flags. */
|
|
sc->ipsec_if.if_flags |= IFF_FWD_IPV6;
|
|
sc->ipsec_if.if_extflags = IFEF_NO_LINK_STATE_CHANGE | IFEF_MPSAFE;
|
|
sc->ipsec_if.if_ioctl = if_ipsec_ioctl;
|
|
sc->ipsec_if.if_output = if_ipsec_output;
|
|
sc->ipsec_if.if_type = IFT_IPSEC;
|
|
sc->ipsec_if.if_dlt = DLT_NULL;
|
|
sc->ipsec_if.if_softc = sc;
|
|
IFQ_SET_READY(&sc->ipsec_if.if_snd);
|
|
if_initialize(&sc->ipsec_if);
|
|
if_alloc_sadl(&sc->ipsec_if);
|
|
bpf_attach(&sc->ipsec_if, DLT_NULL, sizeof(u_int));
|
|
if_register(&sc->ipsec_if);
|
|
}
|
|
|
|
static void
|
|
if_ipsec_ro_init_pc(void *p, void *arg __unused, struct cpu_info *ci __unused)
|
|
{
|
|
struct ipsec_ro *iro = p;
|
|
|
|
iro->ir_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE);
|
|
}
|
|
|
|
static void
|
|
if_ipsec_ro_fini_pc(void *p, void *arg __unused, struct cpu_info *ci __unused)
|
|
{
|
|
struct ipsec_ro *iro = p;
|
|
|
|
rtcache_free(&iro->ir_ro);
|
|
|
|
mutex_obj_free(iro->ir_lock);
|
|
}
|
|
|
|
static int
|
|
if_ipsec_clone_destroy(struct ifnet *ifp)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_variant *var;
|
|
int bound;
|
|
|
|
mutex_enter(&ipsec_softcs.lock);
|
|
LIST_REMOVE(sc, ipsec_list);
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
|
|
bound = curlwp_bind();
|
|
if_ipsec_delete_tunnel(&sc->ipsec_if);
|
|
curlwp_bindx(bound);
|
|
|
|
bpf_detach(ifp);
|
|
if_detach(ifp);
|
|
|
|
percpu_foreach(sc->ipsec_ro_percpu, if_ipsec_ro_fini_pc, NULL);
|
|
percpu_free(sc->ipsec_ro_percpu, sizeof(struct ipsec_ro));
|
|
|
|
pserialize_destroy(sc->ipsec_psz);
|
|
mutex_destroy(&sc->ipsec_lock);
|
|
|
|
var = sc->ipsec_var;
|
|
kmem_free(var, sizeof(*var));
|
|
kmem_free(sc, sizeof(*sc));
|
|
|
|
return 0;
|
|
}
|
|
|
|
static inline bool
|
|
if_ipsec_nat_t(struct ipsec_softc *sc)
|
|
{
|
|
|
|
return (sc->ipsec_if.if_flags & IFF_NAT_T) != 0;
|
|
}
|
|
|
|
static inline bool
|
|
if_ipsec_fwd_ipv6(struct ipsec_softc *sc)
|
|
{
|
|
|
|
return (sc->ipsec_if.if_flags & IFF_FWD_IPV6) != 0;
|
|
}
|
|
|
|
int
|
|
if_ipsec_encap_func(struct mbuf *m, int off, int proto, void *arg)
|
|
{
|
|
uint8_t v;
|
|
struct ipsec_softc *sc;
|
|
struct ipsec_variant *var = NULL;
|
|
struct psref psref;
|
|
int ret = 0;
|
|
|
|
sc = arg;
|
|
KASSERT(sc != NULL);
|
|
|
|
if ((sc->ipsec_if.if_flags & IFF_UP) == 0)
|
|
goto out;
|
|
|
|
var = if_ipsec_getref_variant(sc, &psref);
|
|
if (if_ipsec_variant_is_unconfigured(var))
|
|
goto out;
|
|
|
|
switch (proto) {
|
|
case IPPROTO_IPV4:
|
|
case IPPROTO_IPV6:
|
|
break;
|
|
default:
|
|
goto out;
|
|
}
|
|
|
|
m_copydata(m, 0, sizeof(v), &v);
|
|
v = (v >> 4) & 0xff; /* Get the IP version number. */
|
|
|
|
switch (v) {
|
|
#ifdef INET
|
|
case IPVERSION: {
|
|
struct ip ip;
|
|
|
|
if (m->m_pkthdr.len < sizeof(ip))
|
|
goto out;
|
|
|
|
m_copydata(m, 0, sizeof(ip), &ip);
|
|
if (var->iv_psrc->sa_family != AF_INET ||
|
|
var->iv_pdst->sa_family != AF_INET)
|
|
goto out;
|
|
ret = ipsecif4_encap_func(m, &ip, var);
|
|
break;
|
|
}
|
|
#endif
|
|
#ifdef INET6
|
|
case (IPV6_VERSION >> 4): {
|
|
struct ip6_hdr ip6;
|
|
|
|
if (m->m_pkthdr.len < sizeof(ip6))
|
|
goto out;
|
|
|
|
m_copydata(m, 0, sizeof(ip6), &ip6);
|
|
if (var->iv_psrc->sa_family != AF_INET6 ||
|
|
var->iv_pdst->sa_family != AF_INET6)
|
|
goto out;
|
|
ret = ipsecif6_encap_func(m, &ip6, var);
|
|
break;
|
|
}
|
|
#endif
|
|
default:
|
|
goto out;
|
|
}
|
|
|
|
out:
|
|
if (var != NULL)
|
|
if_ipsec_putref_variant(var, &psref);
|
|
return ret;
|
|
}
|
|
|
|
/*
|
|
* ipsec(4) I/F may cause infinite recursion calls when misconfigured.
|
|
* We'll prevent this by introducing upper limit.
|
|
*/
|
|
static int
|
|
if_ipsec_check_nesting(struct ifnet *ifp, struct mbuf *m)
|
|
{
|
|
|
|
return if_tunnel_check_nesting(ifp, m, max_ipsec_nesting);
|
|
}
|
|
|
|
int
|
|
if_ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
|
|
const struct rtentry *rt)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_variant *var;
|
|
struct psref psref;
|
|
int error;
|
|
int bound;
|
|
|
|
IFQ_CLASSIFY(&ifp->if_snd, m, dst->sa_family);
|
|
|
|
error = if_ipsec_check_nesting(ifp, m);
|
|
if (error) {
|
|
m_freem(m);
|
|
goto noref_end;
|
|
}
|
|
|
|
if ((ifp->if_flags & IFF_UP) == 0) {
|
|
m_freem(m);
|
|
error = ENETDOWN;
|
|
goto noref_end;
|
|
}
|
|
|
|
|
|
bound = curlwp_bind();
|
|
var = if_ipsec_getref_variant(sc, &psref);
|
|
if (if_ipsec_variant_is_unconfigured(var)) {
|
|
m_freem(m);
|
|
error = ENETDOWN;
|
|
goto end;
|
|
}
|
|
|
|
m->m_flags &= ~(M_BCAST|M_MCAST);
|
|
|
|
/* use DLT_NULL encapsulation here to pass inner af type */
|
|
M_PREPEND(m, sizeof(int), M_DONTWAIT);
|
|
if (!m) {
|
|
error = ENOBUFS;
|
|
goto end;
|
|
}
|
|
*mtod(m, int *) = dst->sa_family;
|
|
|
|
#if INET6
|
|
/* drop IPv6 packet if IFF_FWD_IPV6 is not set */
|
|
if (dst->sa_family == AF_INET6 &&
|
|
!if_ipsec_fwd_ipv6(sc)) {
|
|
/*
|
|
* IPv6 packet is not allowed to forward,that is not error.
|
|
*/
|
|
error = 0;
|
|
IF_DROP(&ifp->if_snd);
|
|
m_freem(m);
|
|
goto end;
|
|
}
|
|
#endif
|
|
|
|
error = if_ipsec_out_direct(var, m, dst->sa_family);
|
|
|
|
end:
|
|
if_ipsec_putref_variant(var, &psref);
|
|
curlwp_bindx(bound);
|
|
noref_end:
|
|
if (error)
|
|
ifp->if_oerrors++;
|
|
|
|
return error;
|
|
}
|
|
|
|
static inline int
|
|
if_ipsec_out_direct(struct ipsec_variant *var, struct mbuf *m, int family)
|
|
{
|
|
struct ifnet *ifp = &var->iv_softc->ipsec_if;
|
|
int error;
|
|
int len;
|
|
|
|
KASSERT(if_ipsec_heldref_variant(var));
|
|
KASSERT(var->iv_output != NULL);
|
|
|
|
len = m->m_pkthdr.len;
|
|
|
|
/* input DLT_NULL frame to BPF */
|
|
bpf_mtap(ifp, m, BPF_D_OUT);
|
|
|
|
/* grab and chop off inner af type */
|
|
/* XXX need pullup? */
|
|
m_adj(m, sizeof(int));
|
|
|
|
error = var->iv_output(var, family, m);
|
|
if (error)
|
|
return error;
|
|
|
|
ifp->if_opackets++;
|
|
ifp->if_obytes += len;
|
|
|
|
return 0;
|
|
}
|
|
|
|
void
|
|
if_ipsec_input(struct mbuf *m, int af, struct ifnet *ifp)
|
|
{
|
|
|
|
KASSERT(ifp != NULL);
|
|
|
|
m_set_rcvif(m, ifp);
|
|
|
|
bpf_mtap_af(ifp, af, m, BPF_D_IN);
|
|
|
|
if_ipsec_in_enqueue(m, af, ifp);
|
|
|
|
return;
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_in_enqueue(struct mbuf *m, int af, struct ifnet *ifp)
|
|
{
|
|
pktqueue_t *pktq;
|
|
int pktlen;
|
|
|
|
/*
|
|
* Put the packet to the network layer input queue according to the
|
|
* specified address family.
|
|
*/
|
|
switch (af) {
|
|
#ifdef INET
|
|
case AF_INET:
|
|
pktq = ip_pktq;
|
|
break;
|
|
#endif
|
|
#ifdef INET6
|
|
case AF_INET6:
|
|
pktq = ip6_pktq;
|
|
break;
|
|
#endif
|
|
default:
|
|
ifp->if_ierrors++;
|
|
m_freem(m);
|
|
return;
|
|
}
|
|
|
|
#if 1
|
|
const u_int h = curcpu()->ci_index;
|
|
#else
|
|
const uint32_t h = pktq_rps_hash(m);
|
|
#endif
|
|
pktlen = m->m_pkthdr.len;
|
|
if (__predict_true(pktq_enqueue(pktq, m, h))) {
|
|
ifp->if_ibytes += pktlen;
|
|
ifp->if_ipackets++;
|
|
} else {
|
|
ifp->if_iqdrops++;
|
|
m_freem(m);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
static inline int
|
|
if_ipsec_check_salen(struct sockaddr *addr)
|
|
{
|
|
|
|
switch (addr->sa_family) {
|
|
#ifdef INET
|
|
case AF_INET:
|
|
if (addr->sa_len != sizeof(struct sockaddr_in))
|
|
return EINVAL;
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6:
|
|
if (addr->sa_len != sizeof(struct sockaddr_in6))
|
|
return EINVAL;
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
return EAFNOSUPPORT;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
/* XXX how should we handle IPv6 scope on SIOC[GS]IFPHYADDR? */
|
|
int
|
|
if_ipsec_ioctl(struct ifnet *ifp, u_long cmd, void *data)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_variant *var = NULL;
|
|
struct ifreq *ifr = (struct ifreq*)data;
|
|
struct ifaddr *ifa = (struct ifaddr*)data;
|
|
int error = 0, size;
|
|
struct sockaddr *dst, *src;
|
|
u_long mtu;
|
|
short oflags = ifp->if_flags;
|
|
int bound;
|
|
struct psref psref;
|
|
|
|
switch (cmd) {
|
|
case SIOCINITIFADDR:
|
|
ifp->if_flags |= IFF_UP;
|
|
ifa->ifa_rtrequest = p2p_rtrequest;
|
|
break;
|
|
|
|
case SIOCSIFDSTADDR:
|
|
break;
|
|
|
|
case SIOCADDMULTI:
|
|
case SIOCDELMULTI:
|
|
switch (ifr->ifr_addr.sa_family) {
|
|
#ifdef INET
|
|
case AF_INET: /* IP supports Multicast */
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6: /* IP6 supports Multicast */
|
|
break;
|
|
#endif /* INET6 */
|
|
default: /* Other protocols doesn't support Multicast */
|
|
error = EAFNOSUPPORT;
|
|
break;
|
|
}
|
|
break;
|
|
|
|
case SIOCSIFMTU:
|
|
mtu = ifr->ifr_mtu;
|
|
if (mtu < IPSEC_MTU_MIN || mtu > IPSEC_MTU_MAX)
|
|
return EINVAL;
|
|
else if ((error = ifioctl_common(ifp, cmd, data)) == ENETRESET)
|
|
error = 0;
|
|
break;
|
|
|
|
#ifdef INET
|
|
case SIOCSIFPHYADDR:
|
|
#endif
|
|
#ifdef INET6
|
|
case SIOCSIFPHYADDR_IN6:
|
|
#endif /* INET6 */
|
|
case SIOCSLIFPHYADDR:
|
|
switch (cmd) {
|
|
#ifdef INET
|
|
case SIOCSIFPHYADDR:
|
|
src = (struct sockaddr *)
|
|
&(((struct in_aliasreq *)data)->ifra_addr);
|
|
dst = (struct sockaddr *)
|
|
&(((struct in_aliasreq *)data)->ifra_dstaddr);
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case SIOCSIFPHYADDR_IN6:
|
|
src = (struct sockaddr *)
|
|
&(((struct in6_aliasreq *)data)->ifra_addr);
|
|
dst = (struct sockaddr *)
|
|
&(((struct in6_aliasreq *)data)->ifra_dstaddr);
|
|
break;
|
|
#endif /* INET6 */
|
|
case SIOCSLIFPHYADDR:
|
|
src = (struct sockaddr *)
|
|
&(((struct if_laddrreq *)data)->addr);
|
|
dst = (struct sockaddr *)
|
|
&(((struct if_laddrreq *)data)->dstaddr);
|
|
break;
|
|
default:
|
|
return EINVAL;
|
|
}
|
|
|
|
/* sa_family must be equal */
|
|
if (src->sa_family != dst->sa_family)
|
|
return EINVAL;
|
|
|
|
error = if_ipsec_check_salen(src);
|
|
if (error)
|
|
return error;
|
|
error = if_ipsec_check_salen(dst);
|
|
if (error)
|
|
return error;
|
|
|
|
/* check sa_family looks sane for the cmd */
|
|
switch (cmd) {
|
|
#ifdef INET
|
|
case SIOCSIFPHYADDR:
|
|
if (src->sa_family == AF_INET)
|
|
break;
|
|
return EAFNOSUPPORT;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case SIOCSIFPHYADDR_IN6:
|
|
if (src->sa_family == AF_INET6)
|
|
break;
|
|
return EAFNOSUPPORT;
|
|
#endif /* INET6 */
|
|
case SIOCSLIFPHYADDR:
|
|
/* checks done in the above */
|
|
break;
|
|
}
|
|
/*
|
|
* calls if_ipsec_getref_variant() for other softcs to check
|
|
* address pair duplicattion
|
|
*/
|
|
bound = curlwp_bind();
|
|
error = if_ipsec_set_tunnel(&sc->ipsec_if, src, dst);
|
|
if (error)
|
|
goto bad;
|
|
curlwp_bindx(bound);
|
|
break;
|
|
|
|
case SIOCDIFPHYADDR:
|
|
bound = curlwp_bind();
|
|
if_ipsec_delete_tunnel(&sc->ipsec_if);
|
|
curlwp_bindx(bound);
|
|
break;
|
|
|
|
case SIOCGIFPSRCADDR:
|
|
#ifdef INET6
|
|
case SIOCGIFPSRCADDR_IN6:
|
|
#endif /* INET6 */
|
|
bound = curlwp_bind();
|
|
var = if_ipsec_getref_variant(sc, &psref);
|
|
if (var->iv_psrc == NULL) {
|
|
error = EADDRNOTAVAIL;
|
|
goto bad;
|
|
}
|
|
src = var->iv_psrc;
|
|
switch (cmd) {
|
|
#ifdef INET
|
|
case SIOCGIFPSRCADDR:
|
|
dst = &ifr->ifr_addr;
|
|
size = sizeof(ifr->ifr_addr);
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case SIOCGIFPSRCADDR_IN6:
|
|
dst = (struct sockaddr *)
|
|
&(((struct in6_ifreq *)data)->ifr_addr);
|
|
size = sizeof(((struct in6_ifreq *)data)->ifr_addr);
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
error = EADDRNOTAVAIL;
|
|
goto bad;
|
|
}
|
|
if (src->sa_len > size) {
|
|
error = EINVAL;
|
|
goto bad;
|
|
}
|
|
error = IF_IPSEC_GATHER_PSRC_ADDR_PORT(var, dst);
|
|
if (error)
|
|
goto bad;
|
|
if_ipsec_putref_variant(var, &psref);
|
|
curlwp_bindx(bound);
|
|
break;
|
|
|
|
case SIOCGIFPDSTADDR:
|
|
#ifdef INET6
|
|
case SIOCGIFPDSTADDR_IN6:
|
|
#endif /* INET6 */
|
|
bound = curlwp_bind();
|
|
var = if_ipsec_getref_variant(sc, &psref);
|
|
if (var->iv_pdst == NULL) {
|
|
error = EADDRNOTAVAIL;
|
|
goto bad;
|
|
}
|
|
src = var->iv_pdst;
|
|
switch (cmd) {
|
|
#ifdef INET
|
|
case SIOCGIFPDSTADDR:
|
|
dst = &ifr->ifr_addr;
|
|
size = sizeof(ifr->ifr_addr);
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case SIOCGIFPDSTADDR_IN6:
|
|
dst = (struct sockaddr *)
|
|
&(((struct in6_ifreq *)data)->ifr_addr);
|
|
size = sizeof(((struct in6_ifreq *)data)->ifr_addr);
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
error = EADDRNOTAVAIL;
|
|
goto bad;
|
|
}
|
|
if (src->sa_len > size) {
|
|
error = EINVAL;
|
|
goto bad;
|
|
}
|
|
error = IF_IPSEC_GATHER_PDST_ADDR_PORT(var, dst);
|
|
if (error)
|
|
goto bad;
|
|
if_ipsec_putref_variant(var, &psref);
|
|
curlwp_bindx(bound);
|
|
break;
|
|
|
|
case SIOCGLIFPHYADDR:
|
|
bound = curlwp_bind();
|
|
var = if_ipsec_getref_variant(sc, &psref);
|
|
if (if_ipsec_variant_is_unconfigured(var)) {
|
|
error = EADDRNOTAVAIL;
|
|
goto bad;
|
|
}
|
|
|
|
/* copy src */
|
|
src = var->iv_psrc;
|
|
dst = (struct sockaddr *)
|
|
&(((struct if_laddrreq *)data)->addr);
|
|
size = sizeof(((struct if_laddrreq *)data)->addr);
|
|
if (src->sa_len > size) {
|
|
error = EINVAL;
|
|
goto bad;
|
|
}
|
|
error = IF_IPSEC_GATHER_PSRC_ADDR_PORT(var, dst);
|
|
if (error)
|
|
goto bad;
|
|
|
|
/* copy dst */
|
|
src = var->iv_pdst;
|
|
dst = (struct sockaddr *)
|
|
&(((struct if_laddrreq *)data)->dstaddr);
|
|
size = sizeof(((struct if_laddrreq *)data)->dstaddr);
|
|
if (src->sa_len > size) {
|
|
error = EINVAL;
|
|
goto bad;
|
|
}
|
|
error = IF_IPSEC_GATHER_PDST_ADDR_PORT(var, dst);
|
|
if (error)
|
|
goto bad;
|
|
if_ipsec_putref_variant(var, &psref);
|
|
curlwp_bindx(bound);
|
|
break;
|
|
|
|
default:
|
|
error = ifioctl_common(ifp, cmd, data);
|
|
if (!error) {
|
|
bound = curlwp_bind();
|
|
error = if_ipsec_ensure_flags(&sc->ipsec_if, oflags);
|
|
if (error)
|
|
goto bad;
|
|
curlwp_bindx(bound);
|
|
}
|
|
break;
|
|
}
|
|
return error;
|
|
|
|
bad:
|
|
if (var != NULL)
|
|
if_ipsec_putref_variant(var, &psref);
|
|
curlwp_bindx(bound);
|
|
|
|
return error;
|
|
}
|
|
|
|
struct encap_funcs {
|
|
#ifdef INET
|
|
int (*ef_inet)(struct ipsec_variant *);
|
|
#endif
|
|
#ifdef INET6
|
|
int (*ef_inet6)(struct ipsec_variant *);
|
|
#endif
|
|
};
|
|
|
|
static struct encap_funcs ipsec_encap_attach = {
|
|
#ifdef INET
|
|
.ef_inet = ipsecif4_attach,
|
|
#endif
|
|
#ifdef INET6
|
|
.ef_inet6 = &ipsecif6_attach,
|
|
#endif
|
|
};
|
|
|
|
static struct encap_funcs ipsec_encap_detach = {
|
|
#ifdef INET
|
|
.ef_inet = ipsecif4_detach,
|
|
#endif
|
|
#ifdef INET6
|
|
.ef_inet6 = &ipsecif6_detach,
|
|
#endif
|
|
};
|
|
|
|
static int
|
|
if_ipsec_encap_common(struct ipsec_variant *var, struct encap_funcs *funcs)
|
|
{
|
|
int error;
|
|
|
|
KASSERT(var != NULL);
|
|
KASSERT(if_ipsec_variant_is_configured(var));
|
|
|
|
switch (var->iv_psrc->sa_family) {
|
|
#ifdef INET
|
|
case AF_INET:
|
|
error = (funcs->ef_inet)(var);
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6:
|
|
error = (funcs->ef_inet6)(var);
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
error = EINVAL;
|
|
break;
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
static int
|
|
if_ipsec_encap_attach(struct ipsec_variant *var)
|
|
{
|
|
|
|
return if_ipsec_encap_common(var, &ipsec_encap_attach);
|
|
}
|
|
|
|
static int
|
|
if_ipsec_encap_detach(struct ipsec_variant *var)
|
|
{
|
|
|
|
return if_ipsec_encap_common(var, &ipsec_encap_detach);
|
|
}
|
|
|
|
/*
|
|
* Validate and set ipsec(4) I/F configurations.
|
|
* (1) validate
|
|
* (1-1) Check the argument src and dst address pair will change
|
|
* configuration from current src and dst address pair.
|
|
* (1-2) Check any ipsec(4) I/F uses duplicated src and dst address pair
|
|
* with argument src and dst address pair, except for NAT-T shared
|
|
* tunnels.
|
|
* (2) set
|
|
* (2-1) Create variant for new configuration.
|
|
* (2-2) Create temporary "null" variant used to avoid to access
|
|
* dangling variant while SPs are deleted and added.
|
|
* (2-3) Swap variant include its SPs.
|
|
* (2-4) Cleanup last configurations.
|
|
*/
|
|
static int
|
|
if_ipsec_set_tunnel(struct ifnet *ifp,
|
|
struct sockaddr *src, struct sockaddr *dst)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_softc *sc2;
|
|
struct ipsec_variant *ovar, *nvar, *nullvar;
|
|
struct sockaddr *osrc, *odst;
|
|
struct sockaddr *nsrc, *ndst;
|
|
in_port_t nsport = 0, ndport = 0;
|
|
int error;
|
|
|
|
error = encap_lock_enter();
|
|
if (error)
|
|
return error;
|
|
|
|
nsrc = sockaddr_dup(src, M_WAITOK);
|
|
ndst = sockaddr_dup(dst, M_WAITOK);
|
|
nvar = kmem_zalloc(sizeof(*nvar), KM_SLEEP);
|
|
nullvar = kmem_zalloc(sizeof(*nullvar), KM_SLEEP);
|
|
|
|
mutex_enter(&sc->ipsec_lock);
|
|
|
|
ovar = sc->ipsec_var;
|
|
|
|
switch(nsrc->sa_family) {
|
|
#ifdef INET
|
|
case AF_INET:
|
|
nsport = satosin(src)->sin_port;
|
|
/*
|
|
* avoid confuse SP when NAT-T disabled,
|
|
* e.g.
|
|
* expected: 10.0.1.2[any] 10.0.1.1[any] 4(ipv4)
|
|
* confuse : 10.0.1.2[600] 10.0.1.1[600] 4(ipv4)
|
|
*/
|
|
satosin(nsrc)->sin_port = 0;
|
|
ndport = satosin(dst)->sin_port;
|
|
satosin(ndst)->sin_port = 0;
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6:
|
|
nsport = satosin6(src)->sin6_port;
|
|
satosin6(nsrc)->sin6_port = 0;
|
|
ndport = satosin6(dst)->sin6_port;
|
|
satosin6(ndst)->sin6_port = 0;
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
log(LOG_DEBUG,
|
|
"%s: Invalid address family: %d.\n",
|
|
__func__, src->sa_family);
|
|
error = EINVAL;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* (1-1) Check the argument src and dst address pair will change
|
|
* configuration from current src and dst address pair.
|
|
*/
|
|
if ((ovar->iv_pdst && sockaddr_cmp(ovar->iv_pdst, dst) == 0) &&
|
|
(ovar->iv_psrc && sockaddr_cmp(ovar->iv_psrc, src) == 0) &&
|
|
(ovar->iv_sport == nsport && ovar->iv_dport == ndport)) {
|
|
/* address and port pair not changed. */
|
|
error = 0;
|
|
goto out;
|
|
}
|
|
|
|
/*
|
|
* (1-2) Check any ipsec(4) I/F uses duplicated src and dst address pair
|
|
* with argument src and dst address pair, except for NAT-T shared
|
|
* tunnels.
|
|
*/
|
|
mutex_enter(&ipsec_softcs.lock);
|
|
LIST_FOREACH(sc2, &ipsec_softcs.list, ipsec_list) {
|
|
struct ipsec_variant *var2;
|
|
struct psref psref;
|
|
|
|
if (sc2 == sc)
|
|
continue;
|
|
var2 = if_ipsec_getref_variant(sc2, &psref);
|
|
if (if_ipsec_variant_is_unconfigured(var2)) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue;
|
|
}
|
|
if (if_ipsec_nat_t(sc) || if_ipsec_nat_t(sc2)) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue; /* NAT-T shared tunnel */
|
|
}
|
|
if (sockaddr_cmp(var2->iv_pdst, dst) == 0 &&
|
|
sockaddr_cmp(var2->iv_psrc, src) == 0) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
error = EADDRNOTAVAIL;
|
|
goto out;
|
|
}
|
|
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
/* XXX both end must be valid? (I mean, not 0.0.0.0) */
|
|
}
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
|
|
|
|
osrc = ovar->iv_psrc;
|
|
odst = ovar->iv_pdst;
|
|
|
|
/*
|
|
* (2-1) Create ipsec_variant for new configuration.
|
|
*/
|
|
if_ipsec_copy_variant(nvar, ovar);
|
|
nvar->iv_psrc = nsrc;
|
|
nvar->iv_pdst = ndst;
|
|
nvar->iv_sport = nsport;
|
|
nvar->iv_dport = ndport;
|
|
nvar->iv_encap_cookie4 = NULL;
|
|
nvar->iv_encap_cookie6 = NULL;
|
|
psref_target_init(&nvar->iv_psref, iv_psref_class);
|
|
error = if_ipsec_encap_attach(nvar);
|
|
if (error)
|
|
goto out;
|
|
|
|
/*
|
|
* (2-2) Create temporary "null" variant.
|
|
*/
|
|
if_ipsec_copy_variant(nullvar, ovar);
|
|
if_ipsec_clear_config(nullvar);
|
|
psref_target_init(&nullvar->iv_psref, iv_psref_class);
|
|
membar_producer();
|
|
/*
|
|
* (2-3) Swap variant include its SPs.
|
|
*/
|
|
error = if_ipsec_update_variant(sc, nvar, nullvar);
|
|
if (error) {
|
|
if_ipsec_encap_detach(nvar);
|
|
goto out;
|
|
}
|
|
|
|
mutex_exit(&sc->ipsec_lock);
|
|
|
|
/*
|
|
* (2-4) Cleanup last configurations.
|
|
*/
|
|
if (if_ipsec_variant_is_configured(ovar))
|
|
if_ipsec_encap_detach(ovar);
|
|
encap_lock_exit();
|
|
|
|
if (osrc != NULL)
|
|
sockaddr_free(osrc);
|
|
if (odst != NULL)
|
|
sockaddr_free(odst);
|
|
kmem_free(ovar, sizeof(*ovar));
|
|
kmem_free(nullvar, sizeof(*nullvar));
|
|
|
|
return 0;
|
|
|
|
out:
|
|
mutex_exit(&sc->ipsec_lock);
|
|
encap_lock_exit();
|
|
|
|
sockaddr_free(nsrc);
|
|
sockaddr_free(ndst);
|
|
kmem_free(nvar, sizeof(*nvar));
|
|
kmem_free(nullvar, sizeof(*nullvar));
|
|
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* Validate and delete ipsec(4) I/F configurations.
|
|
* (1) validate
|
|
* (1-1) Check current src and dst address pair are null,
|
|
* which means the ipsec(4) I/F is already done deletetunnel.
|
|
* (2) delete
|
|
* (2-1) Create variant for deleted status.
|
|
* (2-2) Create temporary "null" variant used to avoid to access
|
|
* dangling variant while SPs are deleted and added.
|
|
* NOTE:
|
|
* The contents of temporary "null" variant equal to the variant
|
|
* of (2-1), however two psref_target_destroy() synchronization
|
|
* points are necessary to avoid to access dangling variant
|
|
* while SPs are deleted and added. To implement that simply,
|
|
* we use the same manner as if_ipsec_set_tunnel(), that is,
|
|
* create extra "null" variant and use it temporarily.
|
|
* (2-3) Swap variant include its SPs.
|
|
* (2-4) Cleanup last configurations.
|
|
*/
|
|
static void
|
|
if_ipsec_delete_tunnel(struct ifnet *ifp)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_variant *ovar, *nvar, *nullvar;
|
|
struct sockaddr *osrc, *odst;
|
|
int error;
|
|
|
|
error = encap_lock_enter();
|
|
if (error)
|
|
return;
|
|
|
|
nvar = kmem_zalloc(sizeof(*nvar), KM_SLEEP);
|
|
nullvar = kmem_zalloc(sizeof(*nullvar), KM_SLEEP);
|
|
|
|
mutex_enter(&sc->ipsec_lock);
|
|
|
|
ovar = sc->ipsec_var;
|
|
osrc = ovar->iv_psrc;
|
|
odst = ovar->iv_pdst;
|
|
/*
|
|
* (1-1) Check current src and dst address pair are null,
|
|
* which means the ipsec(4) I/F is already done deletetunnel.
|
|
*/
|
|
if (osrc == NULL || odst == NULL) {
|
|
/* address pair not changed. */
|
|
mutex_exit(&sc->ipsec_lock);
|
|
encap_lock_exit();
|
|
kmem_free(nvar, sizeof(*nvar));
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* (2-1) Create variant for deleted status.
|
|
*/
|
|
if_ipsec_copy_variant(nvar, ovar);
|
|
if_ipsec_clear_config(nvar);
|
|
psref_target_init(&nvar->iv_psref, iv_psref_class);
|
|
|
|
/*
|
|
* (2-2) Create temporary "null" variant used to avoid to access
|
|
* dangling variant while SPs are deleted and added.
|
|
*/
|
|
if_ipsec_copy_variant(nullvar, ovar);
|
|
if_ipsec_clear_config(nullvar);
|
|
psref_target_init(&nullvar->iv_psref, iv_psref_class);
|
|
membar_producer();
|
|
/*
|
|
* (2-3) Swap variant include its SPs.
|
|
*/
|
|
/* if_ipsec_update_variant() does not fail when delete SP only. */
|
|
(void)if_ipsec_update_variant(sc, nvar, nullvar);
|
|
|
|
mutex_exit(&sc->ipsec_lock);
|
|
|
|
/*
|
|
* (2-4) Cleanup last configurations.
|
|
*/
|
|
if (if_ipsec_variant_is_configured(ovar))
|
|
if_ipsec_encap_detach(ovar);
|
|
encap_lock_exit();
|
|
|
|
sockaddr_free(osrc);
|
|
sockaddr_free(odst);
|
|
kmem_free(ovar, sizeof(*ovar));
|
|
kmem_free(nullvar, sizeof(*nullvar));
|
|
}
|
|
|
|
/*
|
|
* Check IFF_NAT_T and IFF_FWD_IPV6 flags, therefore update SPs if needed.
|
|
* (1) check
|
|
* (1-1) Check flags are changed.
|
|
* (1-2) Check current src and dst address pair. If they are null,
|
|
* that means the ipsec(4) I/F is deletetunnel'ed, so it is
|
|
* not needed to update.
|
|
* (2) update
|
|
* (2-1) Create variant for new SPs.
|
|
* (2-2) Create temporary "null" variant used to avoid to access
|
|
* dangling variant while SPs are deleted and added.
|
|
* NOTE:
|
|
* There is the same problem as if_ipsec_delete_tunnel().
|
|
* (2-3) Swap variant include its SPs.
|
|
* (2-4) Cleanup unused configurations.
|
|
* NOTE: use the same encap_cookies.
|
|
*/
|
|
static int
|
|
if_ipsec_ensure_flags(struct ifnet *ifp, short oflags)
|
|
{
|
|
struct ipsec_softc *sc = ifp->if_softc;
|
|
struct ipsec_variant *ovar, *nvar, *nullvar;
|
|
int error;
|
|
|
|
/*
|
|
* (1) Check flags are changed.
|
|
*/
|
|
if ((oflags & (IFF_NAT_T|IFF_FWD_IPV6)) ==
|
|
(ifp->if_flags & (IFF_NAT_T|IFF_FWD_IPV6)))
|
|
return 0; /* flags not changed. */
|
|
|
|
error = encap_lock_enter();
|
|
if (error)
|
|
return error;
|
|
|
|
nvar = kmem_zalloc(sizeof(*nvar), KM_SLEEP);
|
|
nullvar = kmem_zalloc(sizeof(*nullvar), KM_SLEEP);
|
|
|
|
mutex_enter(&sc->ipsec_lock);
|
|
|
|
ovar = sc->ipsec_var;
|
|
/*
|
|
* (1-2) Check current src and dst address pair.
|
|
*/
|
|
if (if_ipsec_variant_is_unconfigured(ovar)) {
|
|
/* nothing to do */
|
|
mutex_exit(&sc->ipsec_lock);
|
|
encap_lock_exit();
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* (2-1) Create variant for new SPs.
|
|
*/
|
|
if_ipsec_copy_variant(nvar, ovar);
|
|
psref_target_init(&nvar->iv_psref, iv_psref_class);
|
|
/*
|
|
* (2-2) Create temporary "null" variant used to avoid to access
|
|
* dangling variant while SPs are deleted and added.
|
|
*/
|
|
if_ipsec_copy_variant(nullvar, ovar);
|
|
if_ipsec_clear_config(nullvar);
|
|
psref_target_init(&nullvar->iv_psref, iv_psref_class);
|
|
membar_producer();
|
|
/*
|
|
* (2-3) Swap variant include its SPs.
|
|
*/
|
|
error = if_ipsec_update_variant(sc, nvar, nullvar);
|
|
|
|
mutex_exit(&sc->ipsec_lock);
|
|
encap_lock_exit();
|
|
|
|
/*
|
|
* (2-4) Cleanup unused configurations.
|
|
*/
|
|
if (!error)
|
|
kmem_free(ovar, sizeof(*ovar));
|
|
else
|
|
kmem_free(nvar, sizeof(*ovar));
|
|
kmem_free(nullvar, sizeof(*nullvar));
|
|
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* SPD management
|
|
*/
|
|
|
|
/*
|
|
* Share SP set with other NAT-T ipsec(4) I/F(s).
|
|
* Return 1, when "var" shares SP set.
|
|
* Return 0, when "var" cannot share SP set.
|
|
*
|
|
* NOTE:
|
|
* if_ipsec_share_sp() and if_ipsec_unshare_sp() would require global lock
|
|
* to exclude other ipsec(4) I/Fs set_tunnel/delete_tunnel. E.g. when ipsec0
|
|
* and ipsec1 can share SP set, running ipsec0's set_tunnel and ipsec1's
|
|
* set_tunnel causes race.
|
|
* Currently, (fortunately) encap_lock works as this global lock.
|
|
*/
|
|
static int
|
|
if_ipsec_share_sp(struct ipsec_variant *var)
|
|
{
|
|
struct ipsec_softc *sc = var->iv_softc;
|
|
struct ipsec_softc *sc2;
|
|
struct ipsec_variant *var2;
|
|
struct psref psref;
|
|
|
|
KASSERT(encap_lock_held());
|
|
KASSERT(var->iv_psrc != NULL && var->iv_pdst != NULL);
|
|
|
|
mutex_enter(&ipsec_softcs.lock);
|
|
LIST_FOREACH(sc2, &ipsec_softcs.list, ipsec_list) {
|
|
if (sc2 == sc)
|
|
continue;
|
|
var2 = if_ipsec_getref_variant(sc2, &psref);
|
|
if (if_ipsec_variant_is_unconfigured(var2)) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue;
|
|
}
|
|
if (sockaddr_cmp(var2->iv_pdst, var->iv_pdst) != 0 ||
|
|
sockaddr_cmp(var2->iv_psrc, var->iv_psrc) != 0) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue;
|
|
}
|
|
|
|
break;
|
|
}
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
if (sc2 == NULL)
|
|
return 0; /* not shared */
|
|
|
|
IV_SP_IN(var) = IV_SP_IN(var2);
|
|
IV_SP_IN6(var) = IV_SP_IN6(var2);
|
|
IV_SP_OUT(var) = IV_SP_OUT(var2);
|
|
IV_SP_OUT6(var) = IV_SP_OUT6(var2);
|
|
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
return 1; /* shared */
|
|
}
|
|
|
|
/*
|
|
* Unshare SP set with other NAT-T ipsec(4) I/F(s).
|
|
* Return 1, when "var" shared SP set, and then unshare them.
|
|
* Return 0, when "var" did not share SP set.
|
|
*
|
|
* NOTE:
|
|
* See if_ipsec_share_sp()'s note.
|
|
*/
|
|
static int
|
|
if_ipsec_unshare_sp(struct ipsec_variant *var)
|
|
{
|
|
struct ipsec_softc *sc = var->iv_softc;
|
|
struct ipsec_softc *sc2;
|
|
struct ipsec_variant *var2;
|
|
struct psref psref;
|
|
|
|
KASSERT(encap_lock_held());
|
|
|
|
if (!var->iv_pdst || !var->iv_psrc)
|
|
return 0;
|
|
|
|
mutex_enter(&ipsec_softcs.lock);
|
|
LIST_FOREACH(sc2, &ipsec_softcs.list, ipsec_list) {
|
|
if (sc2 == sc)
|
|
continue;
|
|
var2 = if_ipsec_getref_variant(sc2, &psref);
|
|
if (!var2->iv_pdst || !var2->iv_psrc) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue;
|
|
}
|
|
if (sockaddr_cmp(var2->iv_pdst, var->iv_pdst) != 0 ||
|
|
sockaddr_cmp(var2->iv_psrc, var->iv_psrc) != 0) {
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
continue;
|
|
}
|
|
|
|
break;
|
|
}
|
|
mutex_exit(&ipsec_softcs.lock);
|
|
if (sc2 == NULL)
|
|
return 0; /* not shared */
|
|
|
|
IV_SP_IN(var) = NULL;
|
|
IV_SP_IN6(var) = NULL;
|
|
IV_SP_OUT(var) = NULL;
|
|
IV_SP_OUT6(var) = NULL;
|
|
if_ipsec_putref_variant(var2, &psref);
|
|
return 1; /* shared */
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_add_mbuf_optalign(struct mbuf *m0, void *data, size_t len, bool align)
|
|
{
|
|
struct mbuf *m;
|
|
|
|
MGET(m, M_WAIT, MT_DATA);
|
|
if (align) {
|
|
m->m_len = PFKEY_ALIGN8(len);
|
|
memset(mtod(m, void *), 0, m->m_len);
|
|
} else
|
|
m->m_len = len;
|
|
m_copyback(m, 0, len, data);
|
|
m_cat(m0, m);
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_add_mbuf(struct mbuf *m0, void *data, size_t len)
|
|
{
|
|
|
|
if_ipsec_add_mbuf_optalign(m0, data, len, true);
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_add_mbuf_addr_port(struct mbuf *m0, struct sockaddr *addr, in_port_t port, bool align)
|
|
{
|
|
|
|
if (port == 0) {
|
|
if_ipsec_add_mbuf_optalign(m0, addr, addr->sa_len, align);
|
|
} else {
|
|
union sockaddr_union addrport_u;
|
|
struct sockaddr *addrport = &addrport_u.sa;
|
|
|
|
if_ipsec_set_addr_port(addrport, addr, port);
|
|
if_ipsec_add_mbuf_optalign(m0, addrport, addrport->sa_len, align);
|
|
}
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_add_pad(struct mbuf *m0, size_t len)
|
|
{
|
|
struct mbuf *m;
|
|
|
|
if (len == 0)
|
|
return;
|
|
|
|
MGET(m, M_WAIT, MT_DATA);
|
|
m->m_len = len;
|
|
memset(mtod(m, void *), 0, m->m_len);
|
|
m_cat(m0, m);
|
|
}
|
|
|
|
static inline size_t
|
|
if_ipsec_set_sadb_addr(struct sadb_address *saaddr, struct sockaddr *addr,
|
|
int proto, uint16_t exttype)
|
|
{
|
|
size_t size;
|
|
|
|
KASSERT(saaddr != NULL);
|
|
KASSERT(addr != NULL);
|
|
|
|
size = sizeof(*saaddr) + PFKEY_ALIGN8(addr->sa_len);
|
|
saaddr->sadb_address_len = PFKEY_UNIT64(size);
|
|
saaddr->sadb_address_exttype = exttype;
|
|
saaddr->sadb_address_proto = proto;
|
|
switch (addr->sa_family) {
|
|
#ifdef INET
|
|
case AF_INET:
|
|
saaddr->sadb_address_prefixlen = sizeof(struct in_addr) << 3;
|
|
break;
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6:
|
|
saaddr->sadb_address_prefixlen = sizeof(struct in6_addr) << 3;
|
|
break;
|
|
#endif /* INET6 */
|
|
default:
|
|
log(LOG_DEBUG,
|
|
"%s: Invalid address family: %d.\n",
|
|
__func__, addr->sa_family);
|
|
break;
|
|
}
|
|
saaddr->sadb_address_reserved = 0;
|
|
|
|
return size;
|
|
}
|
|
|
|
static inline size_t
|
|
if_ipsec_set_sadb_src(struct sadb_address *sasrc, struct sockaddr *src,
|
|
int proto)
|
|
{
|
|
|
|
return if_ipsec_set_sadb_addr(sasrc, src, proto,
|
|
SADB_EXT_ADDRESS_SRC);
|
|
}
|
|
|
|
static inline size_t
|
|
if_ipsec_set_sadb_dst(struct sadb_address *sadst, struct sockaddr *dst,
|
|
int proto)
|
|
{
|
|
|
|
return if_ipsec_set_sadb_addr(sadst, dst, proto,
|
|
SADB_EXT_ADDRESS_DST);
|
|
}
|
|
|
|
static inline size_t
|
|
if_ipsec_set_sadb_x_policy(struct sadb_x_policy *xpl,
|
|
struct sadb_x_ipsecrequest *xisr, uint16_t policy, uint8_t dir, uint32_t id,
|
|
uint8_t level, struct sockaddr *src, struct sockaddr *dst)
|
|
{
|
|
size_t size;
|
|
|
|
KASSERT(policy != IPSEC_POLICY_IPSEC || xisr != NULL);
|
|
|
|
size = sizeof(*xpl);
|
|
if (policy == IPSEC_POLICY_IPSEC) {
|
|
size += PFKEY_ALIGN8(sizeof(*xisr));
|
|
if (src != NULL && dst != NULL)
|
|
size += PFKEY_ALIGN8(src->sa_len + dst->sa_len);
|
|
}
|
|
xpl->sadb_x_policy_len = PFKEY_UNIT64(size);
|
|
xpl->sadb_x_policy_exttype = SADB_X_EXT_POLICY;
|
|
xpl->sadb_x_policy_type = policy;
|
|
xpl->sadb_x_policy_dir = dir;
|
|
xpl->sadb_x_policy_reserved = 0;
|
|
xpl->sadb_x_policy_id = id;
|
|
xpl->sadb_x_policy_reserved2 = 0;
|
|
|
|
if (policy == IPSEC_POLICY_IPSEC) {
|
|
xisr->sadb_x_ipsecrequest_len = PFKEY_ALIGN8(sizeof(*xisr));
|
|
if (src != NULL && dst != NULL)
|
|
xisr->sadb_x_ipsecrequest_len +=
|
|
PFKEY_ALIGN8(src->sa_len + dst->sa_len);
|
|
xisr->sadb_x_ipsecrequest_proto = IPPROTO_ESP;
|
|
xisr->sadb_x_ipsecrequest_mode = IPSEC_MODE_TRANSPORT;
|
|
xisr->sadb_x_ipsecrequest_level = level;
|
|
xisr->sadb_x_ipsecrequest_reqid = key_newreqid();
|
|
}
|
|
|
|
return size;
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_set_sadb_msg(struct sadb_msg *msg, uint16_t extlen, uint8_t msgtype)
|
|
{
|
|
|
|
KASSERT(msg != NULL);
|
|
|
|
msg->sadb_msg_version = PF_KEY_V2;
|
|
msg->sadb_msg_type = msgtype;
|
|
msg->sadb_msg_errno = 0;
|
|
msg->sadb_msg_satype = SADB_SATYPE_UNSPEC;
|
|
msg->sadb_msg_len = PFKEY_UNIT64(sizeof(*msg)) + extlen;
|
|
msg->sadb_msg_reserved = 0;
|
|
msg->sadb_msg_seq = 0; /* XXXX */
|
|
msg->sadb_msg_pid = 0; /* XXXX */
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_set_sadb_msg_add(struct sadb_msg *msg, uint16_t extlen)
|
|
{
|
|
|
|
if_ipsec_set_sadb_msg(msg, extlen, SADB_X_SPDADD);
|
|
}
|
|
|
|
static inline void
|
|
if_ipsec_set_sadb_msg_del(struct sadb_msg *msg, uint16_t extlen)
|
|
{
|
|
|
|
if_ipsec_set_sadb_msg(msg, extlen, SADB_X_SPDDELETE2);
|
|
}
|
|
|
|
static int
|
|
if_ipsec_set_addr_port(struct sockaddr *addrport, struct sockaddr *addr,
|
|
in_port_t port)
|
|
{
|
|
int error = 0;
|
|
|
|
sockaddr_copy(addrport, addr->sa_len, addr);
|
|
|
|
switch (addr->sa_family) {
|
|
#ifdef INET
|
|
case AF_INET: {
|
|
struct sockaddr_in *sin = satosin(addrport);
|
|
sin->sin_port = port;
|
|
break;
|
|
}
|
|
#endif /* INET */
|
|
#ifdef INET6
|
|
case AF_INET6: {
|
|
struct sockaddr_in6 *sin6 = satosin6(addrport);
|
|
sin6->sin6_port = port;
|
|
break;
|
|
}
|
|
#endif /* INET6 */
|
|
default:
|
|
log(LOG_DEBUG,
|
|
"%s: Invalid address family: %d.\n",
|
|
__func__, addr->sa_family);
|
|
error = EINVAL;
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
static struct secpolicy *
|
|
if_ipsec_add_sp0(struct sockaddr *src, in_port_t sport,
|
|
struct sockaddr *dst, in_port_t dport,
|
|
int dir, int proto, int level, u_int policy)
|
|
{
|
|
struct sadb_msg msg;
|
|
struct sadb_address xsrc, xdst;
|
|
struct sadb_x_policy xpl;
|
|
struct sadb_x_ipsecrequest xisr;
|
|
size_t size;
|
|
size_t padlen;
|
|
uint16_t ext_msg_len = 0;
|
|
struct mbuf *m;
|
|
|
|
memset(&msg, 0, sizeof(msg));
|
|
memset(&xsrc, 0, sizeof(xsrc));
|
|
memset(&xdst, 0, sizeof(xdst));
|
|
memset(&xpl, 0, sizeof(xpl));
|
|
memset(&xisr, 0, sizeof(xisr));
|
|
|
|
MGETHDR(m, M_WAIT, MT_DATA);
|
|
|
|
size = if_ipsec_set_sadb_src(&xsrc, src, proto);
|
|
ext_msg_len += PFKEY_UNIT64(size);
|
|
size = if_ipsec_set_sadb_dst(&xdst, dst, proto);
|
|
ext_msg_len += PFKEY_UNIT64(size);
|
|
size = if_ipsec_set_sadb_x_policy(&xpl, &xisr, policy, dir, 0, level, src, dst);
|
|
ext_msg_len += PFKEY_UNIT64(size);
|
|
if_ipsec_set_sadb_msg_add(&msg, ext_msg_len);
|
|
|
|
/* build PF_KEY message */
|
|
|
|
m->m_len = sizeof(msg);
|
|
m_copyback(m, 0, sizeof(msg), &msg);
|
|
|
|
if_ipsec_add_mbuf(m, &xsrc, sizeof(xsrc));
|
|
/*
|
|
* secpolicy.spidx.{src, dst} must not be set port number,
|
|
* even if it is used for NAT-T.
|
|
*/
|
|
if_ipsec_add_mbuf_addr_port(m, src, 0, true);
|
|
padlen = PFKEY_UNUNIT64(xsrc.sadb_address_len)
|
|
- (sizeof(xsrc) + PFKEY_ALIGN8(src->sa_len));
|
|
if_ipsec_add_pad(m, padlen);
|
|
|
|
if_ipsec_add_mbuf(m, &xdst, sizeof(xdst));
|
|
/* ditto */
|
|
if_ipsec_add_mbuf_addr_port(m, dst, 0, true);
|
|
padlen = PFKEY_UNUNIT64(xdst.sadb_address_len)
|
|
- (sizeof(xdst) + PFKEY_ALIGN8(dst->sa_len));
|
|
if_ipsec_add_pad(m, padlen);
|
|
|
|
if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
|
|
padlen = PFKEY_UNUNIT64(xpl.sadb_x_policy_len) - sizeof(xpl);
|
|
if (policy == IPSEC_POLICY_IPSEC) {
|
|
if_ipsec_add_mbuf(m, &xisr, sizeof(xisr));
|
|
/*
|
|
* secpolicy.req->saidx.{src, dst} must be set port number,
|
|
* when it is used for NAT-T.
|
|
*/
|
|
if_ipsec_add_mbuf_addr_port(m, src, sport, false);
|
|
if_ipsec_add_mbuf_addr_port(m, dst, dport, false);
|
|
padlen -= PFKEY_ALIGN8(sizeof(xisr));
|
|
padlen -= PFKEY_ALIGN8(src->sa_len + dst->sa_len);
|
|
}
|
|
if_ipsec_add_pad(m, padlen);
|
|
|
|
/* key_kpi_spdadd() has already done KEY_SP_REF(). */
|
|
return key_kpi_spdadd(m);
|
|
}
|
|
|
|
static int
|
|
if_ipsec_add_sp(struct ipsec_variant *var,
|
|
struct sockaddr *src, in_port_t sport,
|
|
struct sockaddr *dst, in_port_t dport)
|
|
{
|
|
struct ipsec_softc *sc = var->iv_softc;
|
|
int level;
|
|
u_int v6policy;
|
|
|
|
/*
|
|
* must delete sp before add it.
|
|
*/
|
|
KASSERT(IV_SP_IN(var) == NULL);
|
|
KASSERT(IV_SP_OUT(var) == NULL);
|
|
KASSERT(IV_SP_IN6(var) == NULL);
|
|
KASSERT(IV_SP_OUT6(var) == NULL);
|
|
|
|
/*
|
|
* can be shared?
|
|
*/
|
|
if (if_ipsec_share_sp(var))
|
|
return 0;
|
|
|
|
if (if_ipsec_nat_t(sc))
|
|
level = IPSEC_LEVEL_REQUIRE;
|
|
else
|
|
level = IPSEC_LEVEL_UNIQUE;
|
|
|
|
if (if_ipsec_fwd_ipv6(sc))
|
|
v6policy = IPSEC_POLICY_IPSEC;
|
|
else
|
|
v6policy = IPSEC_POLICY_DISCARD;
|
|
|
|
IV_SP_IN(var) = if_ipsec_add_sp0(dst, dport, src, sport,
|
|
IPSEC_DIR_INBOUND, IPPROTO_IPIP, level, IPSEC_POLICY_IPSEC);
|
|
if (IV_SP_IN(var) == NULL)
|
|
goto fail;
|
|
IV_SP_OUT(var) = if_ipsec_add_sp0(src, sport, dst, dport,
|
|
IPSEC_DIR_OUTBOUND, IPPROTO_IPIP, level, IPSEC_POLICY_IPSEC);
|
|
if (IV_SP_OUT(var) == NULL)
|
|
goto fail;
|
|
IV_SP_IN6(var) = if_ipsec_add_sp0(dst, dport, src, sport,
|
|
IPSEC_DIR_INBOUND, IPPROTO_IPV6, level, v6policy);
|
|
if (IV_SP_IN6(var) == NULL)
|
|
goto fail;
|
|
IV_SP_OUT6(var) = if_ipsec_add_sp0(src, sport, dst, dport,
|
|
IPSEC_DIR_OUTBOUND, IPPROTO_IPV6, level, v6policy);
|
|
if (IV_SP_OUT6(var) == NULL)
|
|
goto fail;
|
|
|
|
return 0;
|
|
|
|
fail:
|
|
if (IV_SP_IN6(var) != NULL) {
|
|
if_ipsec_del_sp0(IV_SP_IN6(var));
|
|
IV_SP_IN6(var) = NULL;
|
|
}
|
|
if (IV_SP_OUT(var) != NULL) {
|
|
if_ipsec_del_sp0(IV_SP_OUT(var));
|
|
IV_SP_OUT(var) = NULL;
|
|
}
|
|
if (IV_SP_IN(var) != NULL) {
|
|
if_ipsec_del_sp0(IV_SP_IN(var));
|
|
IV_SP_IN(var) = NULL;
|
|
}
|
|
|
|
return EEXIST;
|
|
}
|
|
|
|
static int
|
|
if_ipsec_del_sp0(struct secpolicy *sp)
|
|
{
|
|
struct sadb_msg msg;
|
|
struct sadb_x_policy xpl;
|
|
size_t size;
|
|
uint16_t ext_msg_len = 0;
|
|
int error;
|
|
struct mbuf *m;
|
|
|
|
if (sp == NULL)
|
|
return 0;
|
|
|
|
memset(&msg, 0, sizeof(msg));
|
|
memset(&xpl, 0, sizeof(xpl));
|
|
|
|
MGETHDR(m, M_WAIT, MT_DATA);
|
|
|
|
size = if_ipsec_set_sadb_x_policy(&xpl, NULL, 0, 0, sp->id, 0, NULL, NULL);
|
|
ext_msg_len += PFKEY_UNIT64(size);
|
|
|
|
if_ipsec_set_sadb_msg_del(&msg, ext_msg_len);
|
|
|
|
m->m_len = sizeof(msg);
|
|
m_copyback(m, 0, sizeof(msg), &msg);
|
|
|
|
if_ipsec_add_mbuf(m, &xpl, sizeof(xpl));
|
|
|
|
/* unreference correspond to key_kpi_spdadd(). */
|
|
KEY_SP_UNREF(&sp);
|
|
error = key_kpi_spddelete2(m);
|
|
if (error != 0) {
|
|
log(LOG_ERR, "%s: cannot delete SP(ID=%u) (error=%d).\n",
|
|
__func__, sp->id, error);
|
|
}
|
|
return error;
|
|
}
|
|
|
|
static void
|
|
if_ipsec_del_sp(struct ipsec_variant *var)
|
|
{
|
|
|
|
/* are the SPs shared? */
|
|
if (if_ipsec_unshare_sp(var))
|
|
return;
|
|
|
|
(void)if_ipsec_del_sp0(IV_SP_OUT(var));
|
|
(void)if_ipsec_del_sp0(IV_SP_IN(var));
|
|
(void)if_ipsec_del_sp0(IV_SP_OUT6(var));
|
|
(void)if_ipsec_del_sp0(IV_SP_IN6(var));
|
|
IV_SP_IN(var) = NULL;
|
|
IV_SP_IN6(var) = NULL;
|
|
IV_SP_OUT(var) = NULL;
|
|
IV_SP_OUT6(var) = NULL;
|
|
}
|
|
|
|
static int
|
|
if_ipsec_replace_sp(struct ipsec_softc *sc, struct ipsec_variant *ovar,
|
|
struct ipsec_variant *nvar)
|
|
{
|
|
in_port_t src_port = 0;
|
|
in_port_t dst_port = 0;
|
|
struct sockaddr *src;
|
|
struct sockaddr *dst;
|
|
int error = 0;
|
|
|
|
KASSERT(mutex_owned(&sc->ipsec_lock));
|
|
|
|
if_ipsec_del_sp(ovar);
|
|
|
|
src = nvar->iv_psrc;
|
|
dst = nvar->iv_pdst;
|
|
if (if_ipsec_nat_t(sc)) {
|
|
/* NAT-T enabled */
|
|
src_port = nvar->iv_sport;
|
|
dst_port = nvar->iv_dport;
|
|
}
|
|
if (src && dst)
|
|
error = if_ipsec_add_sp(nvar, src, src_port, dst, dst_port);
|
|
|
|
return error;
|
|
}
|
|
|
|
/*
|
|
* ipsec_variant and its SPs update API.
|
|
*
|
|
* Assumption:
|
|
* reader side dereferences sc->ipsec_var in reader critical section only,
|
|
* that is, all of reader sides do not reader the sc->ipsec_var after
|
|
* pserialize_perform().
|
|
*/
|
|
static int
|
|
if_ipsec_update_variant(struct ipsec_softc *sc, struct ipsec_variant *nvar,
|
|
struct ipsec_variant *nullvar)
|
|
{
|
|
struct ifnet *ifp = &sc->ipsec_if;
|
|
struct ipsec_variant *ovar = sc->ipsec_var;
|
|
int error;
|
|
|
|
KASSERT(mutex_owned(&sc->ipsec_lock));
|
|
|
|
/*
|
|
* To keep consistency between ipsec(4) I/F settings and SPs,
|
|
* we stop packet processing while replacing SPs, that is, we set
|
|
* "null" config variant to sc->ipsec_var.
|
|
*/
|
|
sc->ipsec_var = nullvar;
|
|
pserialize_perform(sc->ipsec_psz);
|
|
psref_target_destroy(&ovar->iv_psref, iv_psref_class);
|
|
|
|
error = if_ipsec_replace_sp(sc, ovar, nvar);
|
|
if (!error)
|
|
sc->ipsec_var = nvar;
|
|
else {
|
|
sc->ipsec_var = ovar; /* rollback */
|
|
psref_target_init(&ovar->iv_psref, iv_psref_class);
|
|
}
|
|
|
|
pserialize_perform(sc->ipsec_psz);
|
|
psref_target_destroy(&nullvar->iv_psref, iv_psref_class);
|
|
|
|
if (if_ipsec_variant_is_configured(sc->ipsec_var))
|
|
ifp->if_flags |= IFF_RUNNING;
|
|
else
|
|
ifp->if_flags &= ~IFF_RUNNING;
|
|
|
|
return error;
|
|
}
|