1 /*- 2 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 */ 26 27 #ifndef _NETIPSEC_IPSEC_SUPPORT_H_ 28 #define _NETIPSEC_IPSEC_SUPPORT_H_ 29 30 #ifdef _KERNEL 31 #if defined(IPSEC) || defined(IPSEC_SUPPORT) 32 struct mbuf; 33 struct inpcb; 34 struct tcphdr; 35 struct sockopt; 36 struct sockaddr; 37 struct ipsec_support; 38 struct tcpmd5_support; 39 40 size_t ipsec_hdrsiz_inpcb(struct inpcb *); 41 int ipsec_init_pcbpolicy(struct inpcb *); 42 int ipsec_delete_pcbpolicy(struct inpcb *); 43 int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); 44 45 struct ipsec_methods { 46 int (*input)(struct mbuf *, int, int); 47 int (*check_policy)(const struct mbuf *, struct inpcb *); 48 int (*forward)(struct mbuf *); 49 int (*output)(struct mbuf *, struct inpcb *); 50 int (*pcbctl)(struct inpcb *, struct sockopt *); 51 size_t (*hdrsize)(struct inpcb *); 52 int (*capability)(struct mbuf *, u_int); 53 int (*ctlinput)(int, struct sockaddr *, void *); 54 55 int (*udp_input)(struct mbuf *, int, int); 56 int (*udp_pcbctl)(struct inpcb *, struct sockopt *); 57 }; 58 #define IPSEC_CAP_OPERABLE 1 59 #define IPSEC_CAP_BYPASS_FILTER 2 60 61 struct tcpmd5_methods { 62 int (*input)(struct mbuf *, struct tcphdr *, u_char *); 63 int (*output)(struct mbuf *, struct tcphdr *, u_char *); 64 int (*pcbctl)(struct inpcb *, struct sockopt *); 65 }; 66 67 #define IPSEC_MODULE_ENABLED 0x0001 68 #define IPSEC_ENABLED(proto) \ 69 ((proto ## _ipsec_support)->enabled & IPSEC_MODULE_ENABLED) 70 #define TCPMD5_ENABLED() IPSEC_ENABLED(tcp) 71 72 #ifdef TCP_SIGNATURE 73 /* TCP-MD5 build in the kernel */ 74 struct tcpmd5_support { 75 const u_int enabled; 76 const struct tcpmd5_methods * const methods; 77 }; 78 extern const struct tcpmd5_support * const tcp_ipsec_support; 79 80 #define TCPMD5_INPUT(m, ...) \ 81 (*tcp_ipsec_support->methods->input)(m, __VA_ARGS__) 82 #define TCPMD5_OUTPUT(m, ...) \ 83 (*tcp_ipsec_support->methods->output)(m, __VA_ARGS__) 84 #define TCPMD5_PCBCTL(inp, sopt) \ 85 (*tcp_ipsec_support->methods->pcbctl)(inp, sopt) 86 #elif defined(IPSEC_SUPPORT) 87 /* TCP-MD5 build as module */ 88 struct tcpmd5_support { 89 volatile u_int enabled; 90 const struct tcpmd5_methods * volatile methods; 91 }; 92 extern struct tcpmd5_support * const tcp_ipsec_support; 93 94 void tcpmd5_support_enable(const struct tcpmd5_methods * const); 95 void tcpmd5_support_disable(void); 96 97 int tcpmd5_kmod_pcbctl(struct tcpmd5_support * const, struct inpcb *, 98 struct sockopt *); 99 int tcpmd5_kmod_input(struct tcpmd5_support * const, struct mbuf *, 100 struct tcphdr *, u_char *); 101 int tcpmd5_kmod_output(struct tcpmd5_support * const, struct mbuf *, 102 struct tcphdr *, u_char *); 103 #define TCPMD5_INPUT(m, ...) \ 104 tcpmd5_kmod_input(tcp_ipsec_support, m, __VA_ARGS__) 105 #define TCPMD5_OUTPUT(m, ...) \ 106 tcpmd5_kmod_output(tcp_ipsec_support, m, __VA_ARGS__) 107 #define TCPMD5_PCBCTL(inp, sopt) \ 108 tcpmd5_kmod_pcbctl(tcp_ipsec_support, inp, sopt) 109 #endif 110 111 #endif /* IPSEC || IPSEC_SUPPORT */ 112 113 #if defined(IPSEC) 114 struct ipsec_support { 115 const u_int enabled; 116 const struct ipsec_methods * const methods; 117 }; 118 extern const struct ipsec_support * const ipv4_ipsec_support; 119 extern const struct ipsec_support * const ipv6_ipsec_support; 120 121 #define IPSEC_INPUT(proto, m, ...) \ 122 (*(proto ## _ipsec_support)->methods->input)(m, __VA_ARGS__) 123 #define IPSEC_CHECK_POLICY(proto, m, ...) \ 124 (*(proto ## _ipsec_support)->methods->check_policy)(m, __VA_ARGS__) 125 #define IPSEC_FORWARD(proto, m) \ 126 (*(proto ## _ipsec_support)->methods->forward)(m) 127 #define IPSEC_OUTPUT(proto, m, ...) \ 128 (*(proto ## _ipsec_support)->methods->output)(m, __VA_ARGS__) 129 #define IPSEC_PCBCTL(proto, inp, sopt) \ 130 (*(proto ## _ipsec_support)->methods->pcbctl)(inp, sopt) 131 #define IPSEC_CAPS(proto, m, ...) \ 132 (*(proto ## _ipsec_support)->methods->capability)(m, __VA_ARGS__) 133 #define IPSEC_HDRSIZE(proto, inp) \ 134 (*(proto ## _ipsec_support)->methods->hdrsize)(inp) 135 136 #define UDPENCAP_INPUT(m, ...) \ 137 (*ipv4_ipsec_support->methods->udp_input)(m, __VA_ARGS__) 138 #define UDPENCAP_PCBCTL(inp, sopt) \ 139 (*ipv4_ipsec_support->methods->udp_pcbctl)(inp, sopt) 140 141 #elif defined(IPSEC_SUPPORT) 142 struct ipsec_support { 143 volatile u_int enabled; 144 const struct ipsec_methods * volatile methods; 145 }; 146 extern struct ipsec_support * const ipv4_ipsec_support; 147 extern struct ipsec_support * const ipv6_ipsec_support; 148 149 void ipsec_support_enable(struct ipsec_support * const, 150 const struct ipsec_methods * const); 151 void ipsec_support_disable(struct ipsec_support * const); 152 153 int ipsec_kmod_input(struct ipsec_support * const, struct mbuf *, int, int); 154 int ipsec_kmod_check_policy(struct ipsec_support * const, struct mbuf *, 155 struct inpcb *); 156 int ipsec_kmod_forward(struct ipsec_support * const, struct mbuf *); 157 int ipsec_kmod_output(struct ipsec_support * const, struct mbuf *, 158 struct inpcb *); 159 int ipsec_kmod_pcbctl(struct ipsec_support * const, struct inpcb *, 160 struct sockopt *); 161 int ipsec_kmod_capability(struct ipsec_support * const, struct mbuf *, u_int); 162 size_t ipsec_kmod_hdrsize(struct ipsec_support * const, struct inpcb *); 163 int ipsec_kmod_udp_input(struct ipsec_support * const, struct mbuf *, int, int); 164 int ipsec_kmod_udp_pcbctl(struct ipsec_support * const, struct inpcb *, 165 struct sockopt *); 166 167 #define UDPENCAP_INPUT(m, ...) \ 168 ipsec_kmod_udp_input(ipv4_ipsec_support, m, __VA_ARGS__) 169 #define UDPENCAP_PCBCTL(inp, sopt) \ 170 ipsec_kmod_udp_pcbctl(ipv4_ipsec_support, inp, sopt) 171 172 #define IPSEC_INPUT(proto, ...) \ 173 ipsec_kmod_input(proto ## _ipsec_support, __VA_ARGS__) 174 #define IPSEC_CHECK_POLICY(proto, ...) \ 175 ipsec_kmod_check_policy(proto ## _ipsec_support, __VA_ARGS__) 176 #define IPSEC_FORWARD(proto, ...) \ 177 ipsec_kmod_forward(proto ## _ipsec_support, __VA_ARGS__) 178 #define IPSEC_OUTPUT(proto, ...) \ 179 ipsec_kmod_output(proto ## _ipsec_support, __VA_ARGS__) 180 #define IPSEC_PCBCTL(proto, ...) \ 181 ipsec_kmod_pcbctl(proto ## _ipsec_support, __VA_ARGS__) 182 #define IPSEC_CAPS(proto, ...) \ 183 ipsec_kmod_capability(proto ## _ipsec_support, __VA_ARGS__) 184 #define IPSEC_HDRSIZE(proto, ...) \ 185 ipsec_kmod_hdrsize(proto ## _ipsec_support, __VA_ARGS__) 186 #endif /* IPSEC_SUPPORT */ 187 #endif /* _KERNEL */ 188 #endif /* _NETIPSEC_IPSEC_SUPPORT_H_ */ 189