Date: Thu, 22 Dec 2016 14:15:28 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310409 - projects/ipsec/sys/netipsec Message-ID: <201612221415.uBMEFSKQ073350@repo.freebsd.org>
Author: ae Date: Thu Dec 22 14:15:27 2016 New Revision: 310409 URL: https://svnweb.freebsd.org/changeset/base/310409 Log: Add IPSEC_CAPS() method implementation. Currently there are two capabilities defined: o IPSEC_CAP_BYPASS_FILTER: checks that packet filter processing should be skipped for inbound packet. o IPSEC_CAP_OPERABLE: checks that there are some security policies configured.
Modified: projects/ipsec/sys/netipsec/ipsec.c
Modified: projects/ipsec/sys/netipsec/ipsec.c
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.c Thu Dec 22 14:11:39 2016 (r310408)
+++ projects/ipsec/sys/netipsec/ipsec.c Thu Dec 22 14:15:27 2016 (r310409)
@@ -88,6 +88,7 @@
 #include <netipsec/esp_var.h>
 #include <netipsec/ipcomp.h> /*XXX*/
 #include <netipsec/ipcomp_var.h>
+#include <netipsec/ipsec_support.h>
 #include <netipsec/key.h>
 #include <netipsec/keydb.h>
@@ -124,6 +125,8 @@ VNET_DEFINE(int, ip4_ah_net_deflev) = IP
 VNET_DEFINE(int, ip4_ipsec_ecn) = 0;
 VNET_DEFINE(int, ip4_esp_randpad) = -1;
+static VNET_DEFINE(int, ip4_filtertunnel) = 0;
+#define V_ip4_filtertunnel VNET(ip4_filtertunnel)
 static VNET_DEFINE(int, check_policy_history) = 0;
 #define V_check_policy_history VNET(check_policy_history)
 static VNET_DEFINE(struct secpolicy, def_policy);
@@ -190,6 +193,9 @@ SYSCTL_INT(_net_inet_ipsec, OID_AUTO, ch
 SYSCTL_INT(_net_inet_ipsec, OID_AUTO, natt_cksum_policy,
 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(natt_cksum_policy), 0,
 "Method to fix TCP/UDP checksum for transport mode IPsec after NAT.");
+SYSCTL_INT(_net_inet_ipsec, OID_AUTO, filtertunnel,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_filtertunnel), 0,
+ "If set filter packets from an IPsec tunnel.");
 SYSCTL_VNET_PCPUSTAT(_net_inet_ipsec, OID_AUTO, ipsecstats, struct ipsecstat,
 ipsec4stat, "IPsec IPv4 statistics.");
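Review bot: The description string of the new filtertunnel sysctl in the `@@ -190` hunk does not tell the operator what the default of 0 means: according to the log message and the `@@ -685` hunk, with the knob off any inbound packet carrying PACKET_TAG_IPSEC_IN_DONE is reported as IPSEC_CAP_BYPASS_FILTER, so decapsulated IPsec traffic presumably skips the packet filter entirely until the knob is enabled. A default that exempts a class of traffic from filtering should be spelled out where the operator reads it, e.g. `"If set filter packets from an IPsec tunnel (default 0: decapsulated packets bypass the packet filter)."`. The IPv6 sysctl added in the `@@ -250` hunk uses the same text and needs the same note.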
@@ -226,6 +232,9 @@ VNET_DEFINE(int, ip6_ah_trans_deflev) =
 VNET_DEFINE(int, ip6_ah_net_deflev) = IPSEC_LEVEL_USE;
 VNET_DEFINE(int, ip6_ipsec_ecn) = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+static VNET_DEFINE(int, ip6_filtertunnel) = 0;
+#define V_ip6_filtertunnel VNET(ip6_filtertunnel)
+
 SYSCTL_DECL(_net_inet6_ipsec6); /* net.inet6.ipsec6 */
@@ -250,6 +259,9 @@ SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_E
 SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, debug,
 CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ipsec_debug), 0,
 "Enable IPsec debugging output when set.");
+SYSCTL_INT(_net_inet6_ipsec6, OID_AUTO, filtertunnel,
+ CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip6_filtertunnel), 0,
+ "If set filter packets from an IPsec tunnel.");
 SYSCTL_VNET_PCPUSTAT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats,
 struct ipsecstat, ipsec6stat, "IPsec IPv6 statistics.");
 #endif /* INET6 */
@@ -272,8 +284,6 @@ static void
 ipsec6_setspidx_ipaddr(const struct secpolicyindex *);
 #endif
-MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy");
-
 /*
 * Return a held reference to the default SP.
 */
@@ -329,6 +339,7 @@ ipsec_checkpolicy(struct secpolicy *sp,
 sp = NULL; /* NB: force NULL result. */
 break;
 case IPSEC_POLICY_IPSEC:
+ /* XXXAE: handle LARVAL SP */
 break;
 }
 KEYDBG(IPSEC_DUMP,
@@ -685,6 +696,33 @@ ipsec4_in_reject(const struct mbuf *m, s
 return (result);
 }
+/*
+ * IPSEC_CAP() method implementation for IPv4.
+ */
+int
+ipsec4_capability(struct mbuf *m, u_int cap)
+{
+
+ switch (cap) {
+ case IPSEC_CAP_BYPASS_FILTER:
+ /*
+ * Bypass packet filtering for packets previously handled
+ * by IPsec.
+ */
+ if (!V_ip4_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ return (1);
+ return (0);
+ case IPSEC_CAP_OPERABLE:
+ /* Do we have active security policies? */
+ if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
+ key_havesp(IPSEC_DIR_OUTBOUND) != 0)
+ return (1);
+ return (0);
+ };
+ return (EOPNOTSUPP);
+}
+
 #endif /* INET */
 #ifdef INET6
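Review bot: ipsec4_capability in the `@@ -685` hunk mixes two result conventions: the handled capabilities answer 1 or 0, but an unknown `cap` returns `EOPNOTSUPP`, which is also nonzero, so a caller that tests the result as a boolean would treat an unsupported capability as granted, and for IPSEC_CAP_BYPASS_FILTER that means skipping the packet filter. The callers live in ipsec_support.h and are not in this diff, so if they compare against 1 this is only a documentation gap, but either way the contract belongs in the function comment, e.g. `/* Returns 1 if the capability applies, 0 if not, EOPNOTSUPP for an unknown capability; do not treat the result as a boolean. */`. The `switch` also has no `default:` case and the `};` after its closing brace is a stray empty statement; replacing `};` with `default: break; }` makes the unsupported path explicit and keeps the final `return (EOPNOTSUPP);`. ipsec6_capability in the `@@ -859` hunk has exactly the same shape and only differs in the filtertunnel flag it reads, so a shared static helper taking that flag would avoid maintaining the two bodies separately.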
@@ -859,7 +897,33 @@ ipsec6_in_reject(const struct mbuf *m, s
 return (result);
 }
-#endif
+/*
+ * IPSEC_CAP() method implementation for IPv6.
+ */
+int
+ipsec6_capability(struct mbuf *m, u_int cap)
+{
+
+ switch (cap) {
+ case IPSEC_CAP_BYPASS_FILTER:
+ /*
+ * Bypass packet filtering for packets previously handled
+ * by IPsec.
+ */
+ if (!V_ip6_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ return (1);
+ return (0);
+ case IPSEC_CAP_OPERABLE:
+ /* Do we have active security policies? */
+ if (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
+ key_havesp(IPSEC_DIR_OUTBOUND) != 0)
+ return (1);
+ return (0);
+ };
+ return (EOPNOTSUPP);
+}
+#endif /* INET6 */
 int
 ipsec_run_hhooks(struct ipsec_ctx_data *ctx, int type)