Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 16 Jul 2007 16:42:27 GMT
From:      Ana Kukec <anchie@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 123596 for review
Message-ID:  <200707161642.l6GGgRaH011853@repoman.freebsd.org>

next in thread | raw e-mail | index | archive | help
http://perforce.freebsd.org/chv.cgi?CH=123596

Change 123596 by anchie@anchie_malimis on 2007/07/16 16:41:56

	Added support for AH crypto algorithm.	

Affected files ...

.. //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 edit
.. //depot/projects/vimage/src/sys/sys/vimage.h#20 edit

Differences ...

==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 (text+ko) ====

@@ -148,8 +148,8 @@
 	ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev,	0, "");
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
 	ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev,	0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
-	ah_cleartos, CTLFLAG_RW,	&ah_cleartos,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
+	ah_cleartos, CTLFLAG_RW,	ah_cleartos,	0, "");
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
 	ah_offsetmask, CTLFLAG_RW,	ip4_ah_offsetmask,	0, "");
 SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT,
@@ -187,6 +187,7 @@
 #endif
 
 #ifdef INET6 
+#ifndef VIMAGE
 struct ipsecstat ipsec6stat;
 int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
 int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
@@ -194,7 +195,7 @@
 int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
 int ip6_ipsec_ecn = 0;		/* ECN ignore(-1)/forbidden(0)/allowed(1) */
 int ip6_esp_randpad = -1;
-
+#endif
 SYSCTL_DECL(_net_inet6_ipsec6);
 
 /* net.inet6.ipsec6 */
@@ -202,28 +203,24 @@
 SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
 	0,0, compat_ipsecstats_sysctl, "S", "");
 #endif /* COMPAT_KAME */
-/* XXX
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
-	def_policy, CTLFLAG_RW,	&ip4_def_policy.policy,	0, "");
-*/
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
 	def_policy, CTLFLAG_RW,	ip4_def_policy.policy,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
-	CTLFLAG_RW, &ip6_esp_trans_deflev,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
-	CTLFLAG_RW, &ip6_esp_net_deflev,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
-	CTLFLAG_RW, &ip6_ah_trans_deflev,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
-	CTLFLAG_RW, &ip6_ah_net_deflev,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
-	ecn, CTLFLAG_RW,	&ip6_ipsec_ecn,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, 
+	esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, 
+	esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, 
+	ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, 
+	ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN,
+	ecn, CTLFLAG_RW, ip6_ipsec_ecn,	0, "");
 SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
 	debug, CTLFLAG_RW,	ipsec_debug,	0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
-	esp_randpad, CTLFLAG_RW,	&ip6_esp_randpad,	0, "");
-SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
-	ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
+	esp_randpad, CTLFLAG_RW, ip6_esp_randpad,	0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
+	ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, "");
 #endif /* INET6 */
 
 #ifdef VIMAGE
@@ -1357,10 +1354,10 @@
 #endif
 #ifdef INET6
 	case AF_INET6:
-		esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
-		esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
-		ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
-		ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
+		esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev);
+		esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev);
+		ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev);
+		ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev);
 		break;
 #endif /* INET6 */
 	default:
@@ -1542,6 +1539,7 @@
 	struct mbuf *m;
 	struct inpcb *inp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secpolicy *sp = NULL;
 	int error;
 	int result;
@@ -1562,7 +1560,7 @@
 	if (sp != NULL) {
 		result = ipsec_in_reject(sp, m);
 		if (result)
-			ipsec6stat.ips_in_polvio++;
+			V_ipsec6stat.ips_in_polvio++;
 		KEY_FREESP(&sp);
 	} else {
 		result = 0;
@@ -2042,6 +2040,13 @@
 	V_ipsec_integrity = 0;
 #endif
 
+	V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+	V_ip6_ipsec_ecn = 0;      /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+	V_ip6_esp_randpad = -1;
+
 	return 0;
 }
 

==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 (text+ko) ====


==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 (text+ko) ====

@@ -116,7 +116,7 @@
 	u_int32_t spi;
 	int error;
 
-	IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input,
+	IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
 		ipcompstat.ipcomps_input);
 
 	IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -126,17 +126,17 @@
 		("unexpected security protocol %u", sproto));
 
 	if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
-	    (sproto == IPPROTO_AH && !ah_enable) ||
+	    (sproto == IPPROTO_AH && !V_ah_enable) ||
 	    (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
 		    ipcompstat.ipcomps_pdrops);
 		return EOPNOTSUPP;
 	}
 
 	if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
 		    ipcompstat.ipcomps_hdrops);
 		DPRINTF(("%s: packet too small\n", __func__));
 		return EINVAL;
@@ -182,7 +182,7 @@
 	default:
 		DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
 		m_freem(m);
-		IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf,
+		IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
 		    ipcompstat.ipcomps_nopf);
 		return EPFNOSUPPORT;
 	}
@@ -193,7 +193,7 @@
 		DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
 			  __func__, ipsec_address(&dst_address),
 			  (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb,
+		IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
 		    ipcompstat.ipcomps_notdb);
 		m_freem(m);
 		return ENOENT;
@@ -203,7 +203,7 @@
 		DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
 			 __func__, ipsec_address(&dst_address),
 			 (u_long) ntohl(spi), sproto));
-		IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform,
+		IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
 		    ipcompstat.ipcomps_noxform);
 		KEY_FREESAV(&sav);
 		m_freem(m);
@@ -309,7 +309,7 @@
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
+		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
 		    ipcompstat.ipcomps_badkcr);
 		KEY_FREESAV(&sav);
 		return EINVAL;
@@ -321,7 +321,7 @@
 			DPRINTF(("%s: processing failed for SA %s/%08lx\n",
 			    __func__, ipsec_address(&sav->sah->saidx.dst),
 			    (u_long) ntohl(sav->spi)));
-			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = ENOBUFS;
 			goto bad;
@@ -344,7 +344,7 @@
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops,
+			    V_ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
 			goto bad;
@@ -375,7 +375,7 @@
 			    (u_long) ntohl(sav->spi)));
 
 			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    ahstat.ahs_pdrops,
+			    V_ahstat.ahs_pdrops,
 			    ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
@@ -388,7 +388,7 @@
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops,
+			    V_ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
 			goto bad;
@@ -417,7 +417,7 @@
 			    (u_long) ntohl(sav->spi)));
 
 			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    ahstat.ahs_pdrops,
+			    V_ahstat.ahs_pdrops,
 			    ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
@@ -440,7 +440,7 @@
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+			    V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
 			error = ENOMEM;
 			goto bad;
 		}
@@ -474,7 +474,7 @@
 	 * Re-dispatch via software interrupt.
 	 */
 	if ((error = netisr_queue(NETISR_IP, m))) {
-		IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull,
+		IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
 			    ipcompstat.ipcomps_qfull);
 
 		DPRINTF(("%s: queue full; proto %u packet dropped\n",
@@ -530,7 +530,7 @@
 			DPRINTF(("%s: bad packet header chain, protoff %u, "
 				"l %u, off %u\n", __func__, protoff, l, *offp));
 			IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
-				    ahstat.ahs_hdrops,
+				    V_ahstat.ahs_hdrops,
 				    ipcompstat.ipcomps_hdrops);
 			m_freem(*mp);
 			*mp = NULL;
@@ -578,7 +578,7 @@
 	/* Sanity check */
 	if (m == NULL) {
 		DPRINTF(("%s: null mbuf", __func__));
-		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
+		IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
 		    ipcompstat.ipcomps_badkcr);
 		error = EINVAL;
 		goto bad;
@@ -592,7 +592,7 @@
 		    __func__, ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
 
-		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+		IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
 		    ipcompstat.ipcomps_hdrops);
 		error = EACCES;
 		goto bad;
@@ -612,7 +612,7 @@
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops,
+			    V_ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
 			goto bad;
@@ -639,7 +639,7 @@
 			    (u_long) ntohl(sav->spi)));
 
 			IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
-			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+			    V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -652,7 +652,7 @@
 
 		if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops,
+			    V_ahstat.ahs_hdrops,
 			    ipcompstat.ipcomps_hdrops);
 			error = EINVAL;
 			goto bad;
@@ -681,7 +681,7 @@
 			    (u_long) ntohl(sav->spi)));
 
 			IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
-			    ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+			    V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
 			error = EACCES;
 			goto bad;
 		}
@@ -702,7 +702,7 @@
 		if (mtag == NULL) {
 			DPRINTF(("%s: failed to get tag\n", __func__));
 			IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
-			    ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+			    V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
 			error = ENOMEM;
 			goto bad;
 		}

==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 (text+ko) ====

@@ -310,11 +310,11 @@
 	 * Check system global policy controls.
 	 */
 	if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
-	    (isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
+	    (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
 	    (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
 		DPRINTF(("%s: IPsec outbound packet dropped due"
 			" to policy (check your sysctls)\n", __func__));
-		IPSEC_OSTAT(V_espstat.esps_pdrops, ahstat.ahs_pdrops,
+		IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
 		    ipcompstat.ipcomps_pdrops);
 		*error = EHOSTUNREACH;
 		goto bad;
@@ -326,7 +326,7 @@
 	 */
 	if (sav->tdb_xform == NULL) {
 		DPRINTF(("%s: no transform for SA\n", __func__));
-		IPSEC_OSTAT(V_espstat.esps_noxform, ahstat.ahs_noxform,
+		IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
 		    ipcompstat.ipcomps_noxform);
 		*error = EHOSTUNREACH;
 		goto bad;

==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 (text+ko) ====

@@ -41,6 +41,7 @@
 
 #include <netipsec/ipsec.h>
 #include <netipsec/esp_var.h>
+#include <netipsec/ah_var.h>
 #include <netipsec/ipip_var.h>
 
 #include <net/if.h>
@@ -90,6 +91,18 @@
 	int 			_ipsec_ah_keymin;
 	int 			_ipip_allow;
 	struct ipipstat 	_ipipstat;
+
+	struct ipsecstat 	_ipsec6stat;
+	int 			_ip6_esp_trans_deflev;
+	int 			_ip6_esp_net_deflev;
+	int 			_ip6_ah_trans_deflev;
+	int 			_ip6_ah_net_deflev;
+	int 			_ip6_ipsec_ecn;
+	int 			_ip6_esp_randpad;
+
+	int			_ah_enable;
+	int			_ah_cleartos;
+	struct  ahstat		_ahstat;
 };
 
 extern struct vnet_ipsec vnet_ipsec_0;
@@ -139,4 +152,14 @@
 #define V_ipsec_ah_keymin		VNET_IPSEC(ipsec_ah_keymin)
 #define V_ipip_allow			VNET_IPSEC(ipip_allow)
 #define V_ipipstat			VNET_IPSEC(ipipstat)
+#define V_ipsec6stat			VNET_IPSEC(ipsec6stat)
+#define V_ip6_esp_trans_deflev		VNET_IPSEC(ip6_esp_trans_deflev)
+#define V_ip6_esp_net_deflev		VNET_IPSEC(ip6_esp_net_deflev)
+#define V_ip6_ah_trans_deflev		VNET_IPSEC(ip6_ah_trans_deflev)
+#define	V_ip6_ah_net_deflev		VNET_IPSEC(ip6_ah_net_deflev)
+#define V_ip6_ipsec_ecn			VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ip6_esp_randpad		VNET_IPSEC(ip6_esp_randpad)
+#define V_ah_enable			VNET_IPSEC(ah_enable)
+#define V_ah_cleartos			VNET_IPSEC(ah_cleartos)
+#define V_ahstat			VNET_IPSEC(ahstat)
 #endif /* !_NETIPSEC_VIPSEC_H_ */

==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 (text+ko) ====

@@ -90,17 +90,31 @@
 #define	AUTHSIZE(sav) \
 	((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
 
+#ifndef VIMAGE
 int	ah_enable = 1;			/* control flow of packets with AH */
 int	ah_cleartos = 1;		/* clear ip_tos when doing AH calc */
 struct	ahstat ahstat;
+#endif
 
 SYSCTL_DECL(_net_inet_ah);
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
-	ah_enable,	CTLFLAG_RW,	&ah_enable,	0, "");
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
-	ah_cleartos,	CTLFLAG_RW,	&ah_cleartos,	0, "");
-SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
-	stats,		CTLFLAG_RD,	&ahstat,	ahstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+	ah_enable,	CTLFLAG_RW,	ah_enable,	0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+	ah_cleartos,	CTLFLAG_RW,	ah_cleartos,	0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
+	stats,		CTLFLAG_RD,	ahstat,	ahstat, "");
+
+static int ah_iattach(void *);
+
+#ifdef VIMAGE
+static struct vnet_modinfo vnet_ah_modinfo = {
+	.id             = VNET_MOD_AH,
+	.name           = "esp",
+	.symmap         = NULL,
+	.i_attach       = ah_iattach,
+	.i_detach       = NULL,
+};
+#endif
 
 static unsigned char ipseczeroes[256];	/* larger than an ip6 extension hdr */
 
@@ -283,7 +297,7 @@
 
 		/* Fix the IP header */
 		ip = mtod(m, struct ip *);
-		if (ah_cleartos)
+		if (V_ah_cleartos)
 			ip->ip_tos = 0;
 		ip->ip_ttl = 0;
 		ip->ip_sum = 0;
@@ -582,14 +596,14 @@
 	IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
 	if (ah == NULL) {
 		DPRINTF(("ah_input: cannot pullup header\n"));
-		ahstat.ahs_hdrops++;		/*XXX*/
+		V_ahstat.ahs_hdrops++;		/*XXX*/
 		m_freem(m);
 		return ENOBUFS;
 	}
 
 	/* Check replay window, if applicable. */
 	if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
-		ahstat.ahs_replay++;
+		V_ahstat.ahs_replay++;
 		DPRINTF(("%s: packet replay failure: %s\n", __func__,
 			  ipsec_logsastr(sav)));
 		m_freem(m);
@@ -606,17 +620,17 @@
 			hl, (u_long) (authsize + rplen - sizeof (struct ah)),
 			ipsec_address(&sav->sah->saidx.dst),
 			(u_long) ntohl(sav->spi)));
-		ahstat.ahs_badauthl++;
+		V_ahstat.ahs_badauthl++;
 		m_freem(m);
 		return EACCES;
 	}
-	ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+	V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
 
 	/* Get crypto descriptors. */
 	crp = crypto_getreq(1);
 	if (crp == NULL) {
 		DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		m_freem(m);
 		return ENOBUFS;
 	}
@@ -656,7 +670,7 @@
 	}
 	if (tc == NULL) {
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		crypto_freereq(crp);
 		m_freem(m);
 		return ENOBUFS;
@@ -680,7 +694,7 @@
 		    skip, ahx->type, 0);
 		if (error != 0) {
 			/* NB: mbuf is free'd by ah_massage_headers */
-			ahstat.ahs_hdrops++;
+			V_ahstat.ahs_hdrops++;
 			free(tc, M_XDATA);
 			crypto_freereq(crp);
 			return error;
@@ -757,7 +771,7 @@
 
 	sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
 	if (sav == NULL) {
-		ahstat.ahs_notdb++;
+		V_ahstat.ahs_notdb++;
 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
@@ -781,19 +795,19 @@
 			return error;
 		}
 
-		ahstat.ahs_noxform++;
+		V_ahstat.ahs_noxform++;
 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 		error = crp->crp_etype;
 		goto bad;
 	} else {
-		ahstat.ahs_hist[sav->alg_auth]++;
+		V_ahstat.ahs_hist[sav->alg_auth]++;
 		crypto_freereq(crp);		/* No longer needed. */
 		crp = NULL;
 	}
 
 	/* Shouldn't happen... */
 	if (m == NULL) {
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 		error = EINVAL;
 		goto bad;
@@ -819,7 +833,7 @@
 			    "in SA %s/%08lx\n", __func__,
 			    ipsec_address(&saidx->dst),
 			    (u_long) ntohl(sav->spi)));
-			ahstat.ahs_badauth++;
+			V_ahstat.ahs_badauth++;
 			error = EACCES;
 			goto bad;
 		}
@@ -850,7 +864,7 @@
 		m_copydata(m, skip + offsetof(struct newah, ah_seq),
 			   sizeof (seq), (caddr_t) &seq);
 		if (ipsec_updatereplay(ntohl(seq), sav)) {
-			ahstat.ahs_replay++;
+			V_ahstat.ahs_replay++;
 			error = ENOBUFS;			/*XXX as above*/
 			goto bad;
 		}
@@ -864,7 +878,7 @@
 		DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
 		    ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
 
-		ahstat.ahs_hdrops++;
+		V_ahstat.ahs_hdrops++;
 		goto bad;
 	}
 
@@ -916,7 +930,7 @@
 	ahx = sav->tdb_authalgxform;
 	IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
 
-	ahstat.ahs_output++;
+	V_ahstat.ahs_output++;
 
 	/* Figure out header size. */
 	rplen = HDRSIZE(sav);
@@ -939,7 +953,7 @@
 		    sav->sah->saidx.dst.sa.sa_family,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		ahstat.ahs_nopf++;
+		V_ahstat.ahs_nopf++;
 		error = EPFNOSUPPORT;
 		goto bad;
 	}
@@ -950,20 +964,20 @@
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi),
 		    rplen + authsize + m->m_pkthdr.len, maxpacketsize));
-		ahstat.ahs_toobig++;
+		V_ahstat.ahs_toobig++;
 		error = EMSGSIZE;
 		goto bad;
 	}
 
 	/* Update the counters. */
-	ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+	V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
 
 	m = m_unshare(m, M_NOWAIT);
 	if (m == NULL) {
 		DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		ahstat.ahs_hdrops++;
+		V_ahstat.ahs_hdrops++;
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -976,7 +990,7 @@
 		    rplen + authsize,
 		    ipsec_address(&sav->sah->saidx.dst),
 		    (u_long) ntohl(sav->spi)));
-		ahstat.ahs_hdrops++;		/*XXX differs from openbsd */
+		V_ahstat.ahs_hdrops++;		/*XXX differs from openbsd */
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -1004,7 +1018,7 @@
 				__func__,
 				ipsec_address(&sav->sah->saidx.dst),
 				(u_long) ntohl(sav->spi)));
-			ahstat.ahs_wrap++;
+			V_ahstat.ahs_wrap++;
 			error = EINVAL;
 			goto bad;
 		}
@@ -1021,7 +1035,7 @@
 	if (crp == NULL) {
 		DPRINTF(("%s: failed to acquire crypto descriptors\n",
 			__func__));
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -1043,7 +1057,7 @@
 	if (tc == NULL) {
 		crypto_freereq(crp);
 		DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		error = ENOBUFS;
 		goto bad;
 	}
@@ -1148,7 +1162,7 @@
 	IPSECREQUEST_LOCK(isr);
 	sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
 	if (sav == NULL) {
-		ahstat.ahs_notdb++;
+		V_ahstat.ahs_notdb++;
 		DPRINTF(("%s: SA expired while in crypto\n", __func__));
 		error = ENOBUFS;		/*XXX*/
 		goto bad;
@@ -1168,7 +1182,7 @@
 			return error;
 		}
 
-		ahstat.ahs_noxform++;
+		V_ahstat.ahs_noxform++;
 		DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
 		error = crp->crp_etype;
 		goto bad;
@@ -1176,12 +1190,12 @@
 
 	/* Shouldn't happen... */
 	if (m == NULL) {
-		ahstat.ahs_crypto++;
+		V_ahstat.ahs_crypto++;
 		DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
 		error = EINVAL;
 		goto bad;
 	}
-	ahstat.ahs_hist[sav->alg_auth]++;
+	V_ahstat.ahs_hist[sav->alg_auth]++;
 
 	/*
 	 * Copy original headers (with the new protocol number) back
@@ -1230,9 +1244,27 @@
 	ah_init,	ah_zeroize,	ah_input,	ah_output,
 };
 
+static int
+ah_iattach(unused)
+    void *unused;
+{
+    INIT_VNET_IPSEC(curvnet);
+
+	V_ah_enable = 1;          /* control flow of packets with AH */
+	V_ah_cleartos = 1;        /* clear ip_tos when doing AH calc */
+
+	xform_register(&ah_xformsw);
+
+	return 0;
+}
+
 static void
 ah_attach(void)
 {
-	xform_register(&ah_xformsw);
+#ifdef VIMAGE
+	vnet_mod_register(&vnet_ah_modinfo);
+#else
+	ah_iattach(NULL);
+#endif
 }
 SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);

==== //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 (text+ko) ====

@@ -548,7 +548,7 @@
 		 * the verification for us.  Otherwise we need to
 		 * check the authentication calculation.
 		 */
-		ahstat.ahs_hist[sav->alg_auth]++;
+		V_ahstat.ahs_hist[sav->alg_auth]++;
 		if (mtag == NULL) {
 			/* Copy the authenticator from the packet */
 			m_copydata(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
@@ -968,7 +968,7 @@
 	}
 	V_espstat.esps_hist[sav->alg_enc]++;
 	if (sav->tdb_authalgxform != NULL)
-		ahstat.ahs_hist[sav->alg_auth]++;
+		V_ahstat.ahs_hist[sav->alg_auth]++;
 
 	/* Release crypto descriptors. */
 	free(tc, M_XDATA);

==== //depot/projects/vimage/src/sys/sys/vimage.h#20 (text+ko) ====

@@ -75,9 +75,10 @@
 #define VNET_MOD_DUMMYNET	 9
 #define VNET_MOD_PF		10
 #define VNET_MOD_ALTQ		11
-#define VNET_MOD_IPSEC       12
-#define VNET_MOD_ESP         13
-#define VNET_MOD_IPIP        14
+#define VNET_MOD_IPSEC		12
+#define VNET_MOD_ESP		13
+#define VNET_MOD_IPIP		14
+#define VNET_MOD_AH		15
 #define VNET_MOD_GIF		16
 #define VNET_MOD_ARP		28
 #define VNET_MOD_RTABLE		29



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200707161642.l6GGgRaH011853>