From: Ana Kukec To: Perforce Change Reviews Cc: Subject: PERFORCE change 123432 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jul 2007 11:17:43 -0000 http://perforce.freebsd.org/chv.cgi?CH=123432 Change 123432 by anchie@anchie_malimis on 2007/07/13 11:16:45 IPSec virtualization (ESP algorithm only). Affected files ... .. //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 edit .. //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 edit .. //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 edit .. //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 edit .. //depot/projects/vimage/src/sys/netipsec/key.c#5 edit .. //depot/projects/vimage/src/sys/netipsec/key_debug.h#2 edit .. //depot/projects/vimage/src/sys/netipsec/keysock.c#4 edit .. //depot/projects/vimage/src/sys/netipsec/vipsec.h#1 add .. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#3 edit .. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#3 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#2 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ipip.c#4 edit .. //depot/projects/vimage/src/sys/sys/vimage.h#19 edit Differences ... ==== //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 (text+ko) ==== @@ -62,6 +62,8 @@ #include #include #include +#include +#include #endif /*IPSEC*/ extern struct protosw inetsw[]; 
@@ -94,7 +96,9 @@ ip_ipsec_fwd(struct mbuf *m) { #ifdef IPSEC + INIT_VNET_IPSEC(curvnet); INIT_VNET_INET(curvnet); + INIT_VNET_IPSEC(curvnet); struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; @@ -138,8 +142,10 @@ * 1 = drop packet, 0 = continue processing packet. */ int + INIT_VNET_IPSEC(curvnet); ip_ipsec_input(struct mbuf *m) { + INIT_VNET_IPSEC(curvnet); struct ip *ip = mtod(m, struct ip *); #ifdef IPSEC struct m_tag *mtag; ==== //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 (text+ko) ==== @@ -90,6 +90,7 @@ #ifdef IPSEC #include #include +#include #endif /*IPSEC*/ #include @@ -236,6 +237,7 @@ #ifdef INET6 INIT_VNET_INET6(curvnet); #endif + INIT_VNET_IPSEC(curvnet); struct tcphdr *th; struct ip *ip = NULL; struct ipovly *ipov; @@ -468,7 +470,7 @@ } else #endif /* INET6 */ if (inp != NULL && ipsec4_in_reject(m, inp)) { - ipsec4stat.in_polvio++; + V_ipsec4stat.in_polvio++; goto dropunlock; } #endif /* IPSEC */ ==== //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 (text+ko) ==== @@ -84,6 +84,7 @@ #ifdef IPSEC #include +#include #endif #include @@ -508,6 +509,7 @@ struct sockaddr_in *udp_in) { INIT_VNET_INET(inp->inp_vnet); + INIT_VNET_IPSEC(inp->inp_vnet); struct sockaddr *append_sa; struct socket *so; struct mbuf *opts = 0; @@ -520,7 +522,7 @@ #ifdef IPSEC /* check AH/ESP integrity. */ if (ipsec4_in_reject(n, inp)) { - ipsec4stat.in_polvio++; + V_ipsec4stat.in_polvio++; m_freem(n); return; } ==== //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 (text+ko) ==== @@ -62,6 +62,7 @@ #include #include #include +#include #ifdef IPSEC_DEBUG #include #else @@ -103,6 +104,7 @@ { #ifdef IPSEC INIT_VNET_INET6(curvnet); + INIT_VNET_IPSEC(curvnet); struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; @@ -149,6 +151,7 @@ { #ifdef IPSEC + INIT_VNET_IPSEC(curvnet); struct m_tag *mtag; struct tdb_ident *tdbi; struct secpolicy *sp; ==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 (text+ko) ==== 
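Review bot: `INIT_VNET_IPSEC(curvnet);` is added twice in ip_ipsec_fwd, once before and once after `INIT_VNET_INET(curvnet);`. If the macro follows the INIT_VNET_INET pattern and declares a local `vnet_ipsec` pointer, the second occurrence is a redeclaration in the same scope and a VIMAGE build will not compile. Keep a single `INIT_VNET_IPSEC(curvnet);` next to the INET one. The body of ip_ipsec_fwd continues past the end of the hunk.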
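Review bot: The `INIT_VNET_IPSEC(curvnet);` inserted between `int` and `ip_ipsec_input(struct mbuf *m)` lands at file scope in the middle of the function's return type and cannot compile; it looks like a misplaced paste of the one inside the body. That in-body copy is itself placed above `#ifdef IPSEC`, while vipsec.h is included only under `#ifdef IPSEC` in this file, so a kernel built without IPSEC hits an undefined macro. Delete the stray line and move the remaining one below `#ifdef IPSEC`, next to `struct m_tag *mtag;`. The rest of ip_ipsec_input is outside the hunk.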
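Review bot: In tcp_input the new `INIT_VNET_IPSEC(curvnet);` is unconditional, sitting after the `#ifdef INET6` block, whereas this file includes vipsec.h only inside `#ifdef IPSEC`. A kernel without IPSEC will therefore fail on an undefined macro (or carry an unused local, if the header is pulled in elsewhere). Guard it the same way as the include: `#ifdef IPSEC` / `INIT_VNET_IPSEC(curvnet);` / `#endif`. tcp_input's body continues outside the hunk.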
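Review bot: `INIT_VNET_IPSEC(inp->inp_vnet);` in udp_usrreq.c is placed before the `#ifdef IPSEC` that guards the only consumer of the vnet (`V_ipsec4stat.in_polvio++` in the following hunk), and vipsec.h is included only under `#ifdef IPSEC` here too. Move the declaration inside that block, directly above the `ipsec4_in_reject(n, inp)` check, so non-IPSEC builds keep compiling. The function's signature starts outside the hunk.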
@@ -37,6 +37,7 @@ #include "opt_inet.h" #include "opt_inet6.h" #include "opt_ipsec.h" +#include "opt_vimage.h" #include #include @@ -53,6 +54,7 @@ #include #include #include +#include #include #include @@ -66,6 +68,7 @@ #include #include #include +#include #include #ifdef INET6 @@ -91,18 +94,27 @@ #include #include +#include #include #include +#ifndef VIMAGE #ifdef IPSEC_DEBUG int ipsec_debug = 1; #else int ipsec_debug = 0; #endif +#endif +static int vnet_ipsec_iattach(void *); +#ifdef VIMAGE +static int vnet_ipsec_idetach(void *); +#endif + /* NB: name changed so netstat doesn't use it */ +#ifndef VIMAGE struct ipsecstat ipsec4stat; int ip4_ah_offsetmask = 0; /* maybe IP_DF? */ int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ @@ -112,7 +124,7 @@ int ip4_ah_net_deflev = IPSEC_LEVEL_USE; struct secpolicy ip4_def_policy; int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ -int ip4_esp_randpad = -1; +int ip4_esp_randpad; /* * Crypto support requirements: * 
@@ -121,52 +133,57 @@ * 0 take anything */ int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; +#endif SYSCTL_DECL(_net_inet_ipsec); /* net.inet.ipsec */ -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, - CTLFLAG_RW, &ip4_esp_trans_deflev, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, - CTLFLAG_RW, &ip4_esp_net_deflev, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, - CTLFLAG_RW, &ip4_ah_trans_deflev, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, - CTLFLAG_RW, &ip4_ah_net_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY, + def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, ""); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, - ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, - dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, - ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, &ipsec_debug, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, - esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, ""); 
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, - crypto_support, CTLFLAG_RW, &crypto_support,0, ""); -SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, - ipsecstats, CTLFLAG_RD, &ipsec4stat, ipsecstat, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, + ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT, + dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ECN, + ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG, + debug, CTLFLAG_RW, ipsec_debug, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ESP_RANDPAD, + esp_randpad, CTLFLAG_RW, ip4_esp_randpad, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, + crypto_support, CTLFLAG_RW, crypto_support,0, ""); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, + ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, ""); #ifdef REGRESSION /* * When set to 1, IPsec will send packets with the same sequence number. * This allows to verify if the other side has proper replay attacks detection. */ +#ifndef VIMAGE int ipsec_replay = 0; -SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0, - "Emulate replay attack"); +#endif +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, + CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); /* * When set 1, IPsec will send packets with corrupted HMAC. * This allows to verify if the other side properly detects modified packets. */ +#ifndef VIMAGE int ipsec_integrity = 0; -SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, - &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); +#endif +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, + CTLFLAG_RW, &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); #endif #ifdef INET6 
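Review bot: The `test_integrity` sysctl keeps the `&` (`CTLFLAG_RW, &ipsec_integrity, 0, ...`) while every other `SYSCTL_V_INT` in this hunk, including `test_replay` directly above it, passes the bare member name. Depending on how `SYSCTL_V_INT` pastes its field argument this either fails to compile under VIMAGE (no global `ipsec_integrity` exists there) or registers an OID that does not point at the per-vnet field; change it to `CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");`. It is also worth a comment that these two knobs deliberately disable replay protection and corrupt the ICV, and that making them per-vnet lets each vnet's administrator weaken its own ESP traffic — acceptable only because they exist under `REGRESSION`.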
@@ -185,8 +202,12 @@ SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 0,0, compat_ipsecstats_sysctl, "S", ""); #endif /* COMPAT_KAME */ +/* XXX SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, ""); +*/ +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, + def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, ""); SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, @@ -197,14 +218,32 @@ CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, &ipsec_debug, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, + debug, CTLFLAG_RW, ipsec_debug, 0, ""); SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); #endif /* INET6 */ +#ifdef VIMAGE +struct vnet_ipsec vnet_ipsec_0; + +struct vnet_symmap vnet_ipsec_symmap[] = { + VNET_SYMMAP_END +}; + +static struct vnet_modinfo vnet_ipsec_modinfo = { + .id = VNET_MOD_IPSEC, + .name = "ipsec", + .symmap = NULL, + .i_attach = vnet_ipsec_iattach, + .i_detach = vnet_ipsec_idetach +}; + +MALLOC_DEFINE(M_IPSEC, "ipsec", "IPSEC instance"); +#endif + static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); #ifdef INET6 static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb)); 
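Review bot: The old `SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, ...)` is left in the tree wrapped in `/* XXX ... */` directly above its `SYSCTL_V_INT` replacement. Commented-out code should be removed rather than parked; if the intent is to record that the IPv6 default-policy OID aliases the IPv4 `ip4_def_policy.policy` (as it did before this change), say that in one line instead, e.g. `/* IPv6 shares the IPv4 per-vnet default policy. */`.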
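Review bot: `vnet_ipsec_symmap[]` is defined with only `VNET_SYMMAP_END` and then ignored, because `vnet_ipsec_modinfo` sets `.symmap = NULL`. Either point `.symmap = vnet_ipsec_symmap` at it (with entries for the virtualized globals, if the framework uses the map for debugger or sysctl access) or drop the array; as written it is dead data. Unless vipsec.h declares them for other files, `vnet_ipsec_0` and the symmap should also be `static`.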
@@ -232,12 +271,13 @@ static struct secpolicy * key_allocsp_default(const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; KEYDEBUG(KEYDEBUG_IPSEC_STAMP, printf("DP key_allocsp_default from %s:%u\n", where, tag)); - sp = &ip4_def_policy; + sp = &V_ip4_def_policy; if (sp->policy != IPSEC_POLICY_DISCARD && sp->policy != IPSEC_POLICY_NONE) { ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n", @@ -301,6 +341,7 @@ struct inpcb *inp; int *error; { + INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *pcbsp = NULL; struct secpolicy *currsp = NULL; /* policy on socket */ struct secpolicy *sp; @@ -411,6 +452,7 @@ int flag; int *error; { + INIT_VNET_IPSEC(curvnet); struct secpolicyindex spidx; struct secpolicy *sp; @@ -446,6 +488,7 @@ int *error; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; *error = 0; @@ -455,7 +498,7 @@ sp = ipsec_getpolicybysock(m, dir, inp, error); if (sp == NULL) { IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error")); - ipsec4stat.ips_out_inval++; + V_ipsec4stat.ips_out_inval++; return NULL; } IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error)); @@ -465,7 +508,7 @@ printf("%s: invalid policy %u\n", __func__, sp->policy); /* fall thru... */ case IPSEC_POLICY_DISCARD: - ipsec4stat.ips_out_polvio++; + V_ipsec4stat.ips_out_polvio++; *error = -EINVAL; /* packet is discarded by caller */ break; case IPSEC_POLICY_BYPASS: @@ -517,6 +560,7 @@ struct mbuf *m; struct in6pcb *pcb; { + //INIT_VNET_IPSEC(curvnet); struct secpolicyindex *spidx; int error; @@ -560,6 +604,7 @@ struct secpolicyindex *spidx; int needport; { + INIT_VNET_IPSEC(curvnet); struct ip *ip = NULL; struct ip ipbuf; u_int v; @@ -753,6 +798,7 @@ struct secpolicyindex *spidx; int needport; { + INIT_VNET_IPSEC(curvnet); int off, nxt; struct tcphdr th; struct udphdr uh; @@ -869,6 +915,7 @@ struct socket *so; struct inpcbpolicy **pcb_sp; { + INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *new; /* sanity check. */ 
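Review bot: `//INIT_VNET_IPSEC(curvnet);` in ipsec6_setspidx_in6pcb is commented-out code in a `//` comment, which style(9) does not allow in the kernel. Either the function references a `V_` symbol and the line must be live, or it does not and the line should be deleted; leaving it commented out hides whichever is true. The body of ipsec6_setspidx_in6pcb continues outside the hunk.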
@@ -1012,6 +1059,7 @@ size_t len; int priv; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *newsp = NULL; int error; @@ -1058,6 +1106,7 @@ struct secpolicy *pcb_sp; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); /* sanity check. */ if (pcb_sp == NULL || mp == NULL) @@ -1084,6 +1133,7 @@ size_t len; int priv; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; @@ -1118,6 +1168,7 @@ size_t len; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1177,6 +1228,7 @@ size_t len; int priv; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; @@ -1211,6 +1263,7 @@ size_t len; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1269,6 +1322,7 @@ ipsec_get_reqlevel(isr) struct ipsecrequest *isr; { + INIT_VNET_IPSEC(curvnet); u_int level = 0; u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; @@ -1283,7 +1337,7 @@ #define IPSEC_CHECK_DEFAULT(lev) \ (((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \ && (lev) != IPSEC_LEVEL_UNIQUE) \ - ? (ipsec_debug \ + ? (V_ipsec_debug \ ? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\ (lev), IPSEC_LEVEL_REQUIRE) \ : 0), \ @@ -1295,10 +1349,10 @@ switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) { #ifdef INET case AF_INET: - esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev); - esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev); - ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev); - ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev); + esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev); + esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev); + ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev); + ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev); break; #endif #ifdef INET6 
@@ -1373,6 +1427,7 @@ int ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) { + INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; int need_auth; @@ -1448,6 +1503,7 @@ struct mbuf *m; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; int result; @@ -1466,7 +1522,7 @@ if (sp != NULL) { result = ipsec_in_reject(sp, m); if (result) - ipsec4stat.ips_in_polvio++; + V_ipsec4stat.ips_in_polvio++; KEY_FREESP(&sp); } else { result = 0; /* XXX should be panic ? @@ -1523,6 +1579,7 @@ static size_t ipsec_hdrsiz(struct secpolicy *sp) { + INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; size_t siz; @@ -1585,6 +1642,7 @@ u_int dir; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1623,6 +1681,7 @@ u_int dir; struct in6pcb *in6p; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1724,6 +1783,7 @@ u_int32_t seq; struct secasvar *sav; { + INIT_VNET_IPSEC(curvnet); struct secreplay *replay; u_int32_t diff; int fr; 
@@ -1932,9 +1992,71 @@ static void ipsec_attach(void) { - SECPOLICY_LOCK_INIT(&ip4_def_policy); - ip4_def_policy.refcnt = 1; /* NB: disallow free */ +#ifdef VIMAGE + vnet_mod_register(&vnet_ipsec_modinfo); +#else + vnet_ipsec_iattach(NULL); +#endif +} + +static int +vnet_ipsec_iattach(unused) + void *unused; +{ +#ifdef VIMAGE + struct vnet_ipsec *vnet_ipsec; + + if (curvnet == &vnet_0) { + vnet_ipsec = &vnet_ipsec_0; + } else { + vnet_ipsec = malloc(sizeof(struct vnet_ipsec), + M_IPSEC, M_NOWAIT | M_ZERO); + if (vnet_ipsec == NULL) + panic("couldn't allocate memory for vnet_ipsec"); + } + curvnet->mod_data[vnet_ipsec_modinfo.id] = vnet_ipsec; + vnet_ipsec->parent_vnet = curvnet; +#endif + + #ifdef IPSEC_DEBUG + V_ipsec_debug = 1; + #else + V_ipsec_debug = 0; + #endif + + SECPOLICY_LOCK_INIT(&V_ip4_def_policy); + V_ip4_def_policy.refcnt = 1; /* NB: disallow free */ + + V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */ + V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */ + V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE; + V_ip4_esp_net_deflev = IPSEC_LEVEL_USE; + V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE; + V_ip4_ah_net_deflev = IPSEC_LEVEL_USE; + V_ip4_ipsec_ecn = 0; + + V_ip4_esp_randpad = -1; + V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; + V_ipsec_replay = 0; + V_ipsec_integrity = 0; + + return 0; +} + +/* XXX finish this! */ +#ifdef VIMAGE +static int +vnet_ipsec_idetach(unused) + void *unused; +{ + INIT_VNET_IPSEC(curvnet); + + curvnet->mod_data[vnet_ipsec_modinfo.id] = NULL; + free((caddr_t)vnet_ipsec, M_IPSEC); + + return 0; } +#endif SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL) ==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 (text+ko) ==== 
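Review bot: `vnet_ipsec_idetach` frees `vnet_ipsec` unconditionally, but `vnet_ipsec_iattach` points the base vnet at the static `vnet_ipsec_0` instead of allocating it, so detaching vnet_0 (if that can ever happen) would `free()` non-malloc memory; the detach needs the mirror-image check. `vnet_ipsec_iattach` also `panic()`s when the `M_NOWAIT` allocation fails, turning memory pressure at jail-creation time into a host crash — returning `ENOMEM` is the proportionate response, assuming the vnet module framework propagates `i_attach` failures. The `SECPOLICY_LOCK_INIT(&V_ip4_def_policy)` has no matching destroy on the detach path, and `V_ipsec_replay`/`V_ipsec_integrity` are assigned outside `#ifdef REGRESSION` although their non-VIMAGE definitions exist only under it (vipsec.h is not in view, so the VIMAGE struct may or may not guard them), which would break non-REGRESSION builds. The `/* XXX finish this! */` marker should say what is still missing — tearing down this vnet's SPD/SAD state before the instance is freed — rather than only that it is unfinished.
```c
	} else {
		vnet_ipsec = malloc(sizeof(struct vnet_ipsec),
		    M_IPSEC, M_NOWAIT | M_ZERO);
		if (vnet_ipsec == NULL)
			return (ENOMEM);	/* fail the new vnet, not the host */
	}
	/* … unchanged: mod_data/parent_vnet setup and per-vnet defaults … */
#ifdef REGRESSION
	V_ipsec_replay = 0;
	V_ipsec_integrity = 0;
#endif

/* XXX still missing: flush this vnet's SPD/SAD before freeing the instance. */
static int
vnet_ipsec_idetach(unused)
	void *unused;
{
	INIT_VNET_IPSEC(curvnet);

	SECPOLICY_LOCK_DESTROY(&V_ip4_def_policy);
	curvnet->mod_data[vnet_ipsec_modinfo.id] = NULL;
	if (vnet_ipsec != &vnet_ipsec_0)	/* vnet_0's instance is static */
		free(vnet_ipsec, M_IPSEC);

	return (0);
}
```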
@@ -345,9 +345,9 @@ extern int ip4_esp_randpad; extern int crypto_support; -#define ipseclog(x) do { if (ipsec_debug) log x; } while (0) +#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0) /* for openbsd compatibility */ -#define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0) +#define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0) extern struct ipsecrequest *ipsec_newisr(void); extern void ipsec_delisr(struct ipsecrequest *); ==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 (text+ko) ==== @@ -90,6 +90,7 @@ #include #include +#include #include #include @@ -109,12 +110,13 @@ static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { + INIT_VNET_IPSEC(curvnet); union sockaddr_union dst_address; struct secasvar *sav; u_int32_t spi; int error; - IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input, + IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input, ipcompstat.ipcomps_input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -123,18 +125,18 @@ sproto == IPPROTO_IPCOMP, ("unexpected security protocol %u", sproto)); - if ((sproto == IPPROTO_ESP && !esp_enable) || + if ((sproto == IPPROTO_ESP && !V_esp_enable) || (sproto == IPPROTO_AH && !ah_enable) || (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; 
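Review bot: `ipseclog()` and `DPRINTF()` now expand to `V_ipsec_debug`, which is resolved through the local set up by `INIT_VNET_IPSEC(curvnet)`; every function using either macro must now carry that declaration, and one that does not fails with an unresolved `vnet_ipsec` rather than a helpful message. A comment above the macros should state the contract, e.g. `/* Callers must have INIT_VNET_IPSEC(curvnet) in scope: ipsec_debug is per-vnet. */`. The `extern int ip4_esp_randpad;` and `extern int crypto_support;` shown as context are now defined only `#ifndef VIMAGE` in ipsec.c, so they (and the other virtualized externs above the hunk) should be guarded the same way to catch direct references early.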
@@ -180,7 +182,7 @@ default: DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf, + IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf, ipcompstat.ipcomps_nopf); return EPFNOSUPPORT; } @@ -191,7 +193,7 @@ DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb, + IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb, ipcompstat.ipcomps_notdb); m_freem(m); return ENOENT; @@ -201,7 +203,7 @@ DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform, + IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform, ipcompstat.ipcomps_noxform); KEY_FREESAV(&sav); m_freem(m); @@ -278,6 +280,7 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { + INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip *ip; struct m_tag *mtag; @@ -306,7 +309,7 @@ /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr, ipcompstat.ipcomps_badkcr); KEY_FREESAV(&sav); return EINVAL; @@ -318,7 +321,7 @@ DPRINTF(("%s: processing failed for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOBUFS; goto bad; @@ -340,7 +343,7 @@ struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; 
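Review bot: `INIT_VNET_IPSEC(curvnet);` at the top of ipsec4_common_input_cb assumes `curvnet` is valid in the context that calls it, which is the crypto completion path (`esp_input_cb`) rather than the netisr that set it on the way in; crypto worker threads have no vnet of their own. Unless the xform callbacks in this change (xform_esp.c is listed but not in view) do `CURVNET_SET` from the SA's vnet before calling in, the `V_espstat` counters and the policy decisions made here run against whichever vnet the crypto thread last had, or against a NULL `curvnet`. Worth stating the requirement next to the declaration, e.g. `/* curvnet must be set by the crypto callback (esp_input_cb) before we get here. */`, or deriving it from `m->m_pkthdr.rcvif` instead of trusting thread state. The body of ipsec4_common_input_cb continues outside the hunk.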
@@ -371,7 +374,7 @@ ipsp_address(saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; @@ -384,7 +387,7 @@ struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; @@ -413,7 +416,7 @@ ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; @@ -436,7 +439,7 @@ sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; @@ -471,7 +474,7 @@ * Re-dispatch via software interrupt. */ if ((error = netisr_queue(NETISR_IP, m))) { - IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull, + IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull, ipcompstat.ipcomps_qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", @@ -496,6 +499,7 @@ int ipsec6_common_input(struct mbuf **mp, int *offp, int proto) { + INIT_VNET_IPSEC(curvnet); int l = 0; int protoff; struct ip6_ext ip6e; @@ -525,7 +529,7 @@ if (protoff + l != *offp) { DPRINTF(("%s: bad packet header chain, protoff %u, " "l %u, off %u\n", __func__, protoff, l, *offp)); - IPSEC_ISTAT(proto, espstat.esps_hdrops, + IPSEC_ISTAT(proto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); m_freem(*mp); @@ -547,6 +551,7 @@ struct m_tag *mt) { INIT_VNET_INET6(curvnet); + INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip6_hdr *ip6; struct m_tag *mtag; 
@@ -573,7 +578,7 @@ /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr, + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr, ipcompstat.ipcomps_badkcr); error = EINVAL; goto bad; @@ -587,7 +592,7 @@ __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EACCES; goto bad; @@ -606,7 +611,7 @@ struct ip ipn; if (m->m_pkthdr.len - skip < sizeof(struct ip)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; @@ -633,7 +638,7 @@ ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTATsproto, (espstat.esps_pdrops, + IPSEC_ISTATsproto, (V_espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; @@ -646,7 +651,7 @@ struct ip6_hdr ip6n; if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; @@ -675,7 +680,7 @@ ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, espstat.esps_pdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; @@ -696,7 +701,7 @@ sizeof(struct tdb_ident), M_NOWAIT); if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); - IPSEC_ISTAT(sproto, espstat.esps_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; ==== //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 (text+ko) ==== 
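Review bot: The rewritten line `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` has the macro name fused with its first argument; it should read `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`. The typo is pre-existing, but since this commit touches the line it is the moment to fix it; that it has survived suggests the surrounding tunnel-mode check in ipsec6_common_input_cb is not compiled in current configurations, which is itself worth a note. The enclosing function continues outside the hunk.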
@@ -31,16 +31,19 @@ */ #include "opt_param.h" +#include "opt_vimage.h" #include #include #include #include +#include #include #include #include +#include /* * Make space for a new header of length hlen at skip bytes @@ -53,6 +56,7 @@ struct mbuf * m_makespace(struct mbuf *m0, int skip, int hlen, int *off) { + INIT_VNET_IPSEC(curvnet); struct mbuf *m; unsigned remain; @@ -88,7 +92,7 @@ return (NULL); n->m_next = m->m_next; /* splice new mbuf */ m->m_next = n; - ipsec4stat.ips_mbinserted++; + V_ipsec4stat.ips_mbinserted++; if (hlen <= M_TRAILINGSPACE(m) + remain) { /* * New header fits in the old mbuf if we copy @@ -122,7 +126,7 @@ /* splice in second mbuf */ n2->m_next = n->m_next; n->m_next = n2; - ipsec4stat.ips_mbinserted++; + V_ipsec4stat.ips_mbinserted++; } else { memcpy(mtod(n, caddr_t) + hlen, mtod(m, caddr_t) + skip, remain); @@ -155,6 +159,7 @@ caddr_t m_pad(struct mbuf *m, int n) { + INIT_VNET_IPSEC(curvnet); register struct mbuf *m0, *m1; register int len, pad; caddr_t retval; @@ -227,6 +232,7 @@ int m_striphdr(struct mbuf *m, int skip, int hlen) { + INIT_VNET_IPSEC(curvnet); struct mbuf *m1; int roff; @@ -238,7 +244,7 @@ /* Remove the header and associated data from the mbuf. */ if (roff == 0) { /* The header was at the beginning of the mbuf */ - ipsec4stat.ips_input_front++; + V_ipsec4stat.ips_input_front++; m_adj(m1, hlen); if ((m1->m_flags & M_PKTHDR) == 0) m->m_pkthdr.len -= hlen; @@ -250,7 +256,7 @@ * so first let's remove the remainder of the header from * the beginning of the remainder of the mbuf chain, if any. */ - ipsec4stat.ips_input_end++; + V_ipsec4stat.ips_input_end++; if (roff + hlen > m1->m_len) { /* Adjust the next mbuf by the remainder */ m_adj(m1->m_next, roff + hlen - m1->m_len); 
@@ -275,7 +281,7 @@ * The header lies in the "middle" of the mbuf; copy * the remainder of the mbuf down over the header. */ - ipsec4stat.ips_input_middle++; + V_ipsec4stat.ips_input_middle++; bcopy(mtod(m1, u_char *) + roff + hlen, mtod(m1, u_char *) + roff, m1->m_len - (roff + hlen)); ==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 (text+ko) ==== @@ -81,12 +81,14 @@ #include #include #include +#include #include >>> TRUNCATED FOR MAIL (1000 lines) <<<