1 /*        $NetBSD: ipsec_netbsd.c,v 1.56 2025/02/26 04:49:46 andvar Exp $       */
2 /*        $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $  */
3 /*        $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $   */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/cdefs.h>
35 __KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.56 2025/02/26 04:49:46 andvar Exp $");
36 
37 #if defined(_KERNEL_OPT)
38 #include "opt_inet.h"
39 #include "opt_ipsec.h"
40 #endif
41 
42 #include <sys/param.h>
43 #include <sys/systm.h>
44 #include <sys/mbuf.h>
45 #include <sys/domain.h>
46 #include <sys/protosw.h>
47 #include <sys/socket.h>
48 #include <sys/errno.h>
49 #include <sys/time.h>
50 #include <sys/kernel.h>
51 #include <sys/sysctl.h>
52 
53 #include <net/if.h>
54 #include <net/route.h>
55 #include <sys/cpu.h>
56 
57 #include <netinet/in.h>
58 #include <netinet/in_systm.h>
59 #include <netinet/in_var.h>
60 #include <netinet/ip.h>
61 #include <netinet/ip_var.h>
62 #include <netinet/ip_ecn.h>
63 #include <netinet/ip_icmp.h>
64 
65 #include <netipsec/ipsec.h>
66 #include <netipsec/ipsec_var.h>
67 #include <netipsec/ipsec_private.h>
68 #include <netipsec/key.h>
69 #include <netipsec/keydb.h>
70 #include <netipsec/key_debug.h>
71 #include <netipsec/ah.h>
72 #include <netipsec/ah_var.h>
73 #include <netipsec/esp.h>
74 #include <netipsec/esp_var.h>
75 #include <netipsec/ipip_var.h>
76 #include <netipsec/ipcomp_var.h>
77 
78 #ifdef INET6
79 #include <netipsec/ipsec6.h>
80 #include <netinet6/ip6protosw.h>
81 #include <netinet/icmp6.h>
82 #endif
83 
84 #include <netipsec/key.h>
85 
86 /* assumes that ip header and ah header are contiguous on mbuf */
87 void *
ah4_ctlinput(int cmd,const struct sockaddr * sa,void * v)88 ah4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
89 {
90           struct ip *ip = v;
91           struct ah *ah;
92           struct icmp *icp;
93           struct secasvar *sav;
94 
95           if (sa->sa_family != AF_INET ||
96               sa->sa_len != sizeof(struct sockaddr_in))
97                     return NULL;
98           if ((unsigned)cmd >= PRC_NCMDS)
99                     return NULL;
100 
101           if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
102                     /*
103                      * Check to see if we have a valid SA corresponding to
104                      * the address in the ICMP message payload.
105                      */
106                     ah = (struct ah *)((char *)ip + (ip->ip_hl << 2));
107                     sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
108                         IPPROTO_AH, ah->ah_spi, 0, 0);
109 
110                     if (sav) {
111                               if (SADB_SASTATE_USABLE_P(sav)) {
112                                         /*
113                                          * Now that we've validated that we are actually
114                                          * communicating with the host indicated in the
115                                          * ICMP message, locate the ICMP header,
116                                          * recalculate the new MTU, and create the
117                                          * corresponding routing entry.
118                                          */
119                                         icp = (struct icmp *)((char *)ip -
120                                             offsetof(struct icmp, icmp_ip));
121                                         icmp_mtudisc(icp, ip->ip_dst);
122                               }
123                               KEY_SA_UNREF(&sav);
124                     }
125           }
126           return NULL;
127 }
128 
129 /* assumes that ip header and esp header are contiguous on mbuf */
130 void *
esp4_ctlinput(int cmd,const struct sockaddr * sa,void * v)131 esp4_ctlinput(int cmd, const struct sockaddr *sa, void *v)
132 {
133           struct ip *ip = v;
134           struct esp *esp;
135           struct icmp *icp;
136           struct secasvar *sav;
137 
138           if (sa->sa_family != AF_INET ||
139               sa->sa_len != sizeof(struct sockaddr_in))
140                     return NULL;
141           if ((unsigned)cmd >= PRC_NCMDS)
142                     return NULL;
143 
144           if (cmd == PRC_MSGSIZE && ip_mtudisc && ip && ip->ip_v == 4) {
145                     /*
146                      * Check to see if we have a valid SA corresponding to
147                      * the address in the ICMP message payload.
148                      */
149                     esp = (struct esp *)((char *)ip + (ip->ip_hl << 2));
150                     sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
151                         IPPROTO_ESP, esp->esp_spi, 0, 0);
152 
153                     if (sav) {
154                               if (SADB_SASTATE_USABLE_P(sav)) {
155                                         /*
156                                          * Now that we've validated that we are actually
157                                          * communicating with the host indicated in the
158                                          * ICMP message, locate the ICMP header,
159                                          * recalculate the new MTU, and create the
160                                          * corresponding routing entry.
161                                          */
162                                         icp = (struct icmp *)((char *)ip -
163                                             offsetof(struct icmp, icmp_ip));
164                                         icmp_mtudisc(icp, ip->ip_dst);
165                               }
166                               KEY_SA_UNREF(&sav);
167                     }
168           }
169           return NULL;
170 }
171 
172 #ifdef INET6
173 void *
ah6_ctlinput(int cmd,const struct sockaddr * sa,void * d)174 ah6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
175 {
176           const struct newah *ahp;
177           struct newah ah;
178           struct secasvar *sav;
179           struct ip6_hdr *ip6;
180           struct mbuf *m;
181           struct ip6ctlparam *ip6cp = NULL;
182           int off;
183 
184           if (sa->sa_family != AF_INET6 ||
185               sa->sa_len != sizeof(struct sockaddr_in6))
186                     return NULL;
187           if ((unsigned)cmd >= PRC_NCMDS)
188                     return NULL;
189 
190           /* if the parameter is from icmp6, decode it. */
191           if (d != NULL) {
192                     ip6cp = (struct ip6ctlparam *)d;
193                     m = ip6cp->ip6c_m;
194                     ip6 = ip6cp->ip6c_ip6;
195                     off = ip6cp->ip6c_off;
196           } else {
197                     m = NULL;
198                     ip6 = NULL;
199                     off = 0;
200           }
201 
202           if (ip6) {
203                     /* check if we can safely examine src and dst ports */
204                     if (m->m_pkthdr.len < off + sizeof(ah))
205                               return NULL;
206 
207                     if (m->m_len < off + sizeof(ah)) {
208                               /*
209                                * this should be rare case,
210                                * so we compromise on this copy...
211                                */
212                               m_copydata(m, off, sizeof(ah), &ah);
213                               ahp = &ah;
214                     } else
215                               ahp = (struct newah *)(mtod(m, char *) + off);
216 
217                     if (cmd == PRC_MSGSIZE) {
218                               int valid = 0;
219 
220                               /*
221                                * Check to see if we have a valid SA corresponding
222                                * to the address in the ICMP message payload.
223                                */
224                               sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
225                                   IPPROTO_AH, ahp->ah_spi, 0, 0);
226 
227                               if (sav) {
228                                         if (SADB_SASTATE_USABLE_P(sav))
229                                                   valid++;
230                                         KEY_SA_UNREF(&sav);
231                               }
232 
233                               /* XXX Further validation? */
234 
235                               /*
236                                * Depending on the value of "valid" and routing
237                                * table size (mtudisc_{hi,lo}wat), we will:
238                                * - recalculate the new MTU and create the
239                                *   corresponding routing entry, or
240                                * - ignore the MTU change notification.
241                                */
242                               icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
243                     }
244 
245                     /* we normally notify single pcb here */
246           } else {
247                     /* we normally notify any pcb here */
248           }
249           return NULL;
250 }
251 
252 void *
esp6_ctlinput(int cmd,const struct sockaddr * sa,void * d)253 esp6_ctlinput(int cmd, const struct sockaddr *sa, void *d)
254 {
255           const struct newesp *espp;
256           struct newesp esp;
257           struct ip6ctlparam *ip6cp = NULL, ip6cp1;
258           struct secasvar *sav;
259           struct ip6_hdr *ip6;
260           struct mbuf *m;
261           int off;
262 
263           if (sa->sa_family != AF_INET6 ||
264               sa->sa_len != sizeof(struct sockaddr_in6))
265                     return NULL;
266           if ((unsigned)cmd >= PRC_NCMDS)
267                     return NULL;
268 
269           /* if the parameter is from icmp6, decode it. */
270           if (d != NULL) {
271                     ip6cp = (struct ip6ctlparam *)d;
272                     m = ip6cp->ip6c_m;
273                     ip6 = ip6cp->ip6c_ip6;
274                     off = ip6cp->ip6c_off;
275           } else {
276                     m = NULL;
277                     ip6 = NULL;
278                     off = 0;
279           }
280 
281           if (ip6) {
282                     /*
283                      * Notify the error to all possible sockets via pfctlinput2.
284                      * Since the upper layer information (such as protocol type,
285                      * source and destination ports) is embedded in the encrypted
286                      * data and might have been cut, we can't directly call
287                      * an upper layer ctlinput function. However, the pcbnotify
288                      * function will consider source and destination addresses
289                      * as well as the flow info value, and may be able to find
290                      * some PCB that should be notified.
291                      * Although pfctlinput2 will call esp6_ctlinput(), there is
292                      * no possibility of an infinite loop of function calls,
293                      * because we don't pass the inner IPv6 header.
294                      */
295                     memset(&ip6cp1, 0, sizeof(ip6cp1));
296                     ip6cp1.ip6c_src = ip6cp->ip6c_src;
297                     pfctlinput2(cmd, sa, &ip6cp1);
298 
299                     /* check if we can safely examine src and dst ports */
300                     if (m->m_pkthdr.len < off + sizeof(esp))
301                               return NULL;
302 
303                     if (m->m_len < off + sizeof(esp)) {
304                               /*
305                                * this should be rare case,
306                                * so we compromise on this copy...
307                                */
308                               m_copydata(m, off, sizeof(esp), &esp);
309                               espp = &esp;
310                     } else
311                               espp = (struct newesp *)(mtod(m, char *) + off);
312 
313                     if (cmd == PRC_MSGSIZE) {
314                               int valid = 0;
315 
316                               /*
317                                * Check to see if we have a valid SA corresponding to
318                                * the address in the ICMP message payload.
319                                */
320 
321                               sav = KEY_LOOKUP_SA((const union sockaddr_union *)sa,
322                                   IPPROTO_ESP, espp->esp_spi, 0, 0);
323 
324                               if (sav) {
325                                         if (SADB_SASTATE_USABLE_P(sav))
326                                                   valid++;
327                                         KEY_SA_UNREF(&sav);
328                               }
329 
330                               /* XXX Further validation? */
331 
332                               /*
333                                * Depending on the value of "valid" and routing table
334                                * size (mtudisc_{hi,lo}wat), we will:
335                                * - recalculate the new MTU and create the
336                                *   corresponding routing entry, or
337                                * - ignore the MTU change notification.
338                                */
339                               icmp6_mtudisc_update((struct ip6ctlparam *)d, valid);
340                     }
341           } else {
342                     /* we normally notify any pcb here */
343           }
344           return NULL;
345 }
346 #endif /* INET6 */
347 
348 static int
sysctl_ipsec(SYSCTLFN_ARGS)349 sysctl_ipsec(SYSCTLFN_ARGS)
350 {
351           int error, t;
352           struct sysctlnode node;
353 
354           node = *rnode;
355           t = *(int *)rnode->sysctl_data;
356           node.sysctl_data = &t;
357           error = sysctl_lookup(SYSCTLFN_CALL(&node));
358           if (error || newp == NULL)
359                     return error;
360 
361           switch (rnode->sysctl_num) {
362           case IPSECCTL_DEF_ESP_TRANSLEV:
363           case IPSECCTL_DEF_ESP_NETLEV:
364           case IPSECCTL_DEF_AH_TRANSLEV:
365           case IPSECCTL_DEF_AH_NETLEV:
366                     if (t != IPSEC_LEVEL_USE &&
367                         t != IPSEC_LEVEL_REQUIRE)
368                               return EINVAL;
369                     ipsec_invalpcbcacheall();
370                     break;
371           case IPSECCTL_DEF_POLICY:
372                     if (t != IPSEC_POLICY_DISCARD &&
373                         t != IPSEC_POLICY_NONE)
374                               return EINVAL;
375                     ipsec_invalpcbcacheall();
376                     break;
377           default:
378                     return EINVAL;
379           }
380 
381           *(int *)rnode->sysctl_data = t;
382 
383           return 0;
384 }
385 
386 #ifdef IPSEC_DEBUG
387 static int
sysctl_ipsec_test(SYSCTLFN_ARGS)388 sysctl_ipsec_test(SYSCTLFN_ARGS)
389 {
390           int t, error;
391           struct sysctlnode node;
392 
393           node = *rnode;
394           t = *(int *)rnode->sysctl_data;
395           node.sysctl_data = &t;
396           error = sysctl_lookup(SYSCTLFN_CALL(&node));
397           if (error || newp == NULL)
398                     return error;
399 
400           if (t < 0 || t > 1)
401                     return EINVAL;
402 
403           if (rnode->sysctl_data == &ipsec_replay)
404                     printf("ipsec: Anti-Replay service %s\n",
405                         (t == 1) ? "deactivated" : "activated");
406           else if (rnode->sysctl_data == &ipsec_integrity)
407                      printf("ipsec: HMAC corruption %s\n",
408                          (t == 0) ? "deactivated" : "activated");
409 
410           *(int *)rnode->sysctl_data = t;
411 
412           return 0;
413 }
414 #endif
415 
416 static int
sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS)417 sysctl_net_inet_ipsec_stats(SYSCTLFN_ARGS)
418 {
419 
420           return (NETSTAT_SYSCTL(ipsecstat_percpu, IPSEC_NSTATS));
421 }
422 
423 static int
sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)424 sysctl_net_inet_ah_stats(SYSCTLFN_ARGS)
425 {
426 
427           return (NETSTAT_SYSCTL(ahstat_percpu, AH_NSTATS));
428 }
429 
430 static int
sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)431 sysctl_net_inet_esp_stats(SYSCTLFN_ARGS)
432 {
433 
434           return (NETSTAT_SYSCTL(espstat_percpu, ESP_NSTATS));
435 }
436 
437 static int
sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)438 sysctl_net_inet_ipcomp_stats(SYSCTLFN_ARGS)
439 {
440 
441           return (NETSTAT_SYSCTL(ipcompstat_percpu, IPCOMP_NSTATS));
442 }
443 
444 static int
sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)445 sysctl_net_inet_ipip_stats(SYSCTLFN_ARGS)
446 {
447 
448           return (NETSTAT_SYSCTL(ipipstat_percpu, IPIP_NSTATS));
449 }
450 
451 static int
sysctl_net_ipsec_enabled(SYSCTLFN_ARGS)452 sysctl_net_ipsec_enabled(SYSCTLFN_ARGS)
453 {
454           int newenabled, error;
455           struct sysctlnode node;
456           node = *rnode;
457           node.sysctl_data = &newenabled;
458 
459           newenabled = ipsec_enabled;
460           error = sysctl_lookup(SYSCTLFN_CALL(&node));
461           if (error || newp == NULL)
462                     return error;
463 
464           switch (newenabled) {
465           case 0:
466                     if (key_get_used())
467                               return EBUSY;
468                     /*FALLTHROUGH*/
469           case 1:
470           case 2:
471                     ipsec_enabled = newenabled;
472                     key_update_used();
473                     return 0;
474           default:
475                     return EINVAL;
476           }
477 }
478 
479 /* XXX will need a different oid at parent */
480 void
sysctl_net_inet_ipsec_setup(struct sysctllog ** clog)481 sysctl_net_inet_ipsec_setup(struct sysctllog **clog)
482 {
483           const struct sysctlnode *_ipsec;
484           int ipproto_ipsec;
485 
486           sysctl_createv(clog, 0, NULL, NULL,
487                            CTLFLAG_PERMANENT,
488                            CTLTYPE_NODE, "inet", NULL,
489                            NULL, 0, NULL, 0,
490                            CTL_NET, PF_INET, CTL_EOL);
491 
492           /*
493            * in numerical order:
494            *
495            * net.inet.ipip:   CTL_NET.PF_INET.IPPROTO_IPIP
496            * net.inet.esp:    CTL_NET.PF_INET.IPPROTO_ESP
497            * net.inet.ah:               CTL_NET.PF_INET.IPPROTO_AH
498            * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP
499            * net.inet.ipsec:  CTL_NET.PF_INET.CTL_CREATE
500            *
501            * this creates separate trees by name, but maintains that the
502            * ipsec name leads to all the old leaves.
503            */
504 
505           /* create net.inet.ipip */
506           sysctl_createv(clog, 0, NULL, NULL,
507                            CTLFLAG_PERMANENT,
508                            CTLTYPE_NODE, "ipip", NULL,
509                            NULL, 0, NULL, 0,
510                            CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL);
511           sysctl_createv(clog, 0, NULL, NULL,
512                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
513                            CTLTYPE_STRUCT, "ipip_stats", NULL,
514                            sysctl_net_inet_ipip_stats, 0, NULL, 0,
515                            CTL_NET, PF_INET, IPPROTO_IPIP,
516                            CTL_CREATE, CTL_EOL);
517 
518           /* create net.inet.esp subtree under IPPROTO_ESP */
519           sysctl_createv(clog, 0, NULL, NULL,
520                            CTLFLAG_PERMANENT,
521                            CTLTYPE_NODE, "esp", NULL,
522                            NULL, 0, NULL, 0,
523                            CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL);
524           sysctl_createv(clog, 0, NULL, NULL,
525                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
526                            CTLTYPE_STRUCT, "esp_stats", NULL,
527                            sysctl_net_inet_esp_stats, 0, NULL, 0,
528                            CTL_NET, PF_INET, IPPROTO_ESP,
529                            CTL_CREATE, CTL_EOL);
530 
531           /* create net.inet.ah subtree under IPPROTO_AH */
532           sysctl_createv(clog, 0, NULL, NULL,
533                            CTLFLAG_PERMANENT,
534                            CTLTYPE_NODE, "ah", NULL,
535                            NULL, 0, NULL, 0,
536                            CTL_NET, PF_INET, IPPROTO_AH, CTL_EOL);
537           sysctl_createv(clog, 0, NULL, NULL,
538                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
539                            CTLTYPE_STRUCT, "ah_stats", NULL,
540                            sysctl_net_inet_ah_stats, 0, NULL, 0,
541                            CTL_NET, PF_INET, IPPROTO_AH,
542                            CTL_CREATE, CTL_EOL);
543 
544           /* create net.inet.ipcomp */
545           sysctl_createv(clog, 0, NULL, NULL,
546                            CTLFLAG_PERMANENT,
547                            CTLTYPE_NODE, "ipcomp", NULL,
548                            NULL, 0, NULL, 0,
549                            CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL);
550           sysctl_createv(clog, 0, NULL, NULL,
551                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
552                            CTLTYPE_STRUCT, "ipcomp_stats", NULL,
553                            sysctl_net_inet_ipcomp_stats, 0, NULL, 0,
554                            CTL_NET, PF_INET, IPPROTO_IPCOMP,
555                            CTL_CREATE, CTL_EOL);
556 
557           /* create net.inet.ipsec subtree under dynamic oid */
558           sysctl_createv(clog, 0, NULL, &_ipsec,
559                            CTLFLAG_PERMANENT,
560                            CTLTYPE_NODE, "ipsec", NULL,
561                            NULL, 0, NULL, 0,
562                            CTL_NET, PF_INET, CTL_CREATE, CTL_EOL);
563           ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0;
564 
565           sysctl_createv(clog, 0, NULL, NULL,
566                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
567                            CTLTYPE_INT, "def_policy", NULL,
568                            sysctl_ipsec, 0, &ip4_def_policy.policy, 0,
569                            CTL_NET, PF_INET, ipproto_ipsec,
570                            IPSECCTL_DEF_POLICY, CTL_EOL);
571           sysctl_createv(clog, 0, NULL, NULL,
572                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
573                            CTLTYPE_INT, "esp_trans_deflev", NULL,
574                            sysctl_ipsec, 0, &ip4_esp_trans_deflev, 0,
575                            CTL_NET, PF_INET, ipproto_ipsec,
576                            IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
577           sysctl_createv(clog, 0, NULL, NULL,
578                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
579                            CTLTYPE_INT, "esp_net_deflev", NULL,
580                            sysctl_ipsec, 0, &ip4_esp_net_deflev, 0,
581                            CTL_NET, PF_INET, ipproto_ipsec,
582                            IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
583           sysctl_createv(clog, 0, NULL, NULL,
584                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
585                            CTLTYPE_INT, "ah_trans_deflev", NULL,
586                            sysctl_ipsec, 0, &ip4_ah_trans_deflev, 0,
587                            CTL_NET, PF_INET, ipproto_ipsec,
588                            IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
589           sysctl_createv(clog, 0, NULL, NULL,
590                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
591                            CTLTYPE_INT, "ah_net_deflev", NULL,
592                            sysctl_ipsec, 0, &ip4_ah_net_deflev, 0,
593                            CTL_NET, PF_INET, ipproto_ipsec,
594                            IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
595           sysctl_createv(clog, 0, NULL, NULL,
596                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
597                            CTLTYPE_INT, "ah_cleartos", NULL,
598                            NULL, 0, &ip4_ah_cleartos, 0,
599                            CTL_NET, PF_INET, ipproto_ipsec,
600                            IPSECCTL_AH_CLEARTOS, CTL_EOL);
601           sysctl_createv(clog, 0, NULL, NULL,
602                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
603                            CTLTYPE_INT, "ah_offsetmask", NULL,
604                            NULL, 0, &ip4_ah_offsetmask, 0,
605                            CTL_NET, PF_INET, ipproto_ipsec,
606                            IPSECCTL_AH_OFFSETMASK, CTL_EOL);
607           sysctl_createv(clog, 0, NULL, NULL,
608                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
609                            CTLTYPE_INT, "dfbit", NULL,
610                            NULL, 0, &ip4_ipsec_dfbit, 0,
611                            CTL_NET, PF_INET, ipproto_ipsec,
612                            IPSECCTL_DFBIT, CTL_EOL);
613           sysctl_createv(clog, 0, NULL, NULL,
614                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
615                            CTLTYPE_INT, "ecn", NULL,
616                            NULL, 0, &ip4_ipsec_ecn, 0,
617                            CTL_NET, PF_INET, ipproto_ipsec,
618                            IPSECCTL_ECN, CTL_EOL);
619           sysctl_createv(clog, 0, NULL, NULL,
620                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
621                            CTLTYPE_INT, "debug", NULL,
622                            NULL, 0, &ipsec_debug, 0,
623                            CTL_NET, PF_INET, ipproto_ipsec,
624                            IPSECCTL_DEBUG, CTL_EOL);
625           sysctl_createv(clog, 0, NULL, NULL,
626                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
627                            CTLTYPE_INT, "ipip_spoofcheck", NULL,
628                            NULL, 0, &ipip_spoofcheck, 0,
629                            CTL_NET, PF_INET, ipproto_ipsec,
630                            CTL_CREATE, CTL_EOL);
631           sysctl_createv(clog, 0, NULL, NULL,
632                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
633                            CTLTYPE_STRUCT, "ipsecstats", NULL,
634                            sysctl_net_inet_ipsec_stats, 0, NULL, 0,
635                            CTL_NET, PF_INET, ipproto_ipsec,
636                            CTL_CREATE, CTL_EOL);
637           sysctl_createv(clog, 0, NULL, NULL,
638                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
639                            CTLTYPE_INT, "enabled",
640                            SYSCTL_DESCR("Enable IPSec processing"),
641                            sysctl_net_ipsec_enabled, 0, NULL, 0,
642                            CTL_NET, PF_INET, ipproto_ipsec,
643                            CTL_CREATE, CTL_EOL);
644           sysctl_createv(clog, 0, NULL, NULL,
645                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
646                            CTLTYPE_INT, "used",
647                            SYSCTL_DESCR("Is IPSec active?"),
648                            NULL, 0, &ipsec_used, 0,
649                            CTL_NET, PF_INET, ipproto_ipsec,
650                            CTL_CREATE, CTL_EOL);
651           sysctl_createv(clog, 0, NULL, NULL,
652                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
653                            CTLTYPE_INT, "ah_enable", NULL,
654                            NULL, 0, &ah_enable, 0,
655                            CTL_NET, PF_INET, ipproto_ipsec,
656                            CTL_CREATE, CTL_EOL);
657           sysctl_createv(clog, 0, NULL, NULL,
658                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
659                            CTLTYPE_INT, "esp_enable", NULL,
660                            NULL, 0, &esp_enable, 0,
661                            CTL_NET, PF_INET, ipproto_ipsec,
662                            CTL_CREATE, CTL_EOL);
663           sysctl_createv(clog, 0, NULL, NULL,
664                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
665                            CTLTYPE_INT, "ipcomp_enable", NULL,
666                            NULL, 0, &ipcomp_enable, 0,
667                            CTL_NET, PF_INET, ipproto_ipsec,
668                            CTL_CREATE, CTL_EOL);
669           sysctl_createv(clog, 0, NULL, NULL,
670                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
671                            CTLTYPE_INT, "crypto_support", NULL,
672                            NULL, 0, &crypto_support, 0,
673                            CTL_NET, PF_INET, ipproto_ipsec,
674                            CTL_CREATE, CTL_EOL);
675 
676 #ifdef IPSEC_DEBUG
677           sysctl_createv(clog, 0, NULL, NULL,
678                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
679                            CTLTYPE_INT, "test_replay",
680                            SYSCTL_DESCR("Emulate replay attack"),
681                            sysctl_ipsec_test, 0, &ipsec_replay, 0,
682                            CTL_NET, PF_INET, ipproto_ipsec,
683                            CTL_CREATE, CTL_EOL);
684           sysctl_createv(clog, 0, NULL, NULL,
685                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
686                            CTLTYPE_INT, "test_integrity",
687                            SYSCTL_DESCR("Emulate man-in-the-middle attack"),
688                            sysctl_ipsec_test, 0, &ipsec_integrity, 0,
689                            CTL_NET, PF_INET, ipproto_ipsec,
690                            CTL_CREATE, CTL_EOL);
691 #endif
692 }
693 
694 #ifdef INET6
695 void
sysctl_net_inet6_ipsec6_setup(struct sysctllog ** clog)696 sysctl_net_inet6_ipsec6_setup(struct sysctllog **clog)
697 {
698 
699           sysctl_createv(clog, 0, NULL, NULL,
700                            CTLFLAG_PERMANENT,
701                            CTLTYPE_NODE, "inet6", NULL,
702                            NULL, 0, NULL, 0,
703                            CTL_NET, PF_INET6, CTL_EOL);
704           sysctl_createv(clog, 0, NULL, NULL,
705                            CTLFLAG_PERMANENT,
706                            CTLTYPE_NODE, "ipsec6",
707                            SYSCTL_DESCR("IPv6 related IPSec settings"),
708                            NULL, 0, NULL, 0,
709                            CTL_NET, PF_INET6, IPPROTO_AH, CTL_EOL);
710 
711           sysctl_createv(clog, 0, NULL, NULL,
712                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
713                            CTLTYPE_STRUCT, "stats",
714                            SYSCTL_DESCR("IPSec statistics and counters"),
715                            sysctl_net_inet_ipsec_stats, 0, NULL, 0,
716                            CTL_NET, PF_INET6, IPPROTO_AH,
717                            IPSECCTL_STATS, CTL_EOL);
718           sysctl_createv(clog, 0, NULL, NULL,
719                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
720                            CTLTYPE_INT, "def_policy",
721                            SYSCTL_DESCR("Default action for non-IPSec packets"),
722                            sysctl_ipsec, 0, &ip6_def_policy.policy, 0,
723                            CTL_NET, PF_INET6, IPPROTO_AH,
724                            IPSECCTL_DEF_POLICY, CTL_EOL);
725           sysctl_createv(clog, 0, NULL, NULL,
726                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
727                            CTLTYPE_INT, "esp_trans_deflev",
728                            SYSCTL_DESCR("Default required security level for "
729                                             "transport mode traffic"),
730                            sysctl_ipsec, 0, &ip6_esp_trans_deflev, 0,
731                            CTL_NET, PF_INET6, IPPROTO_AH,
732                            IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL);
733           sysctl_createv(clog, 0, NULL, NULL,
734                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
735                            CTLTYPE_INT, "esp_net_deflev",
736                            SYSCTL_DESCR("Default required security level for "
737                                             "tunneled traffic"),
738                            sysctl_ipsec, 0, &ip6_esp_net_deflev, 0,
739                            CTL_NET, PF_INET6, IPPROTO_AH,
740                            IPSECCTL_DEF_ESP_NETLEV, CTL_EOL);
741           sysctl_createv(clog, 0, NULL, NULL,
742                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
743                            CTLTYPE_INT, "ah_trans_deflev",
744                            SYSCTL_DESCR("Default required security level for "
745                                             "transport mode headers"),
746                            sysctl_ipsec, 0, &ip6_ah_trans_deflev, 0,
747                            CTL_NET, PF_INET6, IPPROTO_AH,
748                            IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL);
749           sysctl_createv(clog, 0, NULL, NULL,
750                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
751                            CTLTYPE_INT, "ah_net_deflev",
752                            SYSCTL_DESCR("Default required security level for "
753                                             "tunneled headers"),
754                            sysctl_ipsec, 0, &ip6_ah_net_deflev, 0,
755                            CTL_NET, PF_INET6, IPPROTO_AH,
756                            IPSECCTL_DEF_AH_NETLEV, CTL_EOL);
757           sysctl_createv(clog, 0, NULL, NULL,
758                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
759                            CTLTYPE_INT, "ecn",
760                            SYSCTL_DESCR("Behavior of ECN for tunneled traffic"),
761                            NULL, 0, &ip6_ipsec_ecn, 0,
762                            CTL_NET, PF_INET6, IPPROTO_AH,
763                            IPSECCTL_ECN, CTL_EOL);
764           sysctl_createv(clog, 0, NULL, NULL,
765                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
766                            CTLTYPE_INT, "debug",
767                            SYSCTL_DESCR("Enable IPSec debugging output"),
768                            NULL, 0, &ipsec_debug, 0,
769                            CTL_NET, PF_INET6, IPPROTO_AH,
770                            IPSECCTL_DEBUG, CTL_EOL);
771           sysctl_createv(clog, 0, NULL, NULL,
772                            CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
773                            CTLTYPE_INT, "enabled",
774                            SYSCTL_DESCR("Enable IPSec processing"),
775                            sysctl_net_ipsec_enabled, 0, NULL, 0,
776                            CTL_NET, PF_INET6, IPPROTO_AH,
777                            CTL_CREATE, CTL_EOL);
778           sysctl_createv(clog, 0, NULL, NULL,
779                            CTLFLAG_PERMANENT|CTLFLAG_READONLY,
780                            CTLTYPE_INT, "used",
781                            SYSCTL_DESCR("Is IPSec active?"),
782                            NULL, 0, &ipsec_used, 0,
783                            CTL_NET, PF_INET6, IPPROTO_AH,
784                            CTL_CREATE, CTL_EOL);
785 }
786 #endif /* INET6 */
787