From owner-p4-projects@FreeBSD.ORG Mon Jul 16 16:42:28 2007 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id 7D7E416A403; Mon, 16 Jul 2007 16:42:28 +0000 (UTC) X-Original-To: perforce@FreeBSD.org Delivered-To: perforce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 4A56B16A402 for ; Mon, 16 Jul 2007 16:42:28 +0000 (UTC) (envelope-from anchie@FreeBSD.org) Received: from repoman.freebsd.org (repoman.freebsd.org [69.147.83.41]) by mx1.freebsd.org (Postfix) with ESMTP id 388EE13C48E for ; Mon, 16 Jul 2007 16:42:28 +0000 (UTC) (envelope-from anchie@FreeBSD.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id l6GGgSeF011856 for ; Mon, 16 Jul 2007 16:42:28 GMT (envelope-from anchie@FreeBSD.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id l6GGgRaH011853 for perforce@freebsd.org; Mon, 16 Jul 2007 16:42:27 GMT (envelope-from anchie@FreeBSD.org) Date: Mon, 16 Jul 2007 16:42:27 GMT Message-Id: <200707161642.l6GGgRaH011853@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to anchie@FreeBSD.org using -f From: Ana Kukec To: Perforce Change Reviews Cc: Subject: PERFORCE change 123596 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jul 2007 16:42:28 -0000 http://perforce.freebsd.org/chv.cgi?CH=123596 Change 123596 by anchie@anchie_malimis on 2007/07/16 16:41:56 Added support for AH crypto algorithm. Affected files ... .. //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 edit .. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 edit .. //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 edit .. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 edit .. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 edit .. //depot/projects/vimage/src/sys/sys/vimage.h#20 edit Differences ... ==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 (text+ko) ==== @@ -148,8 +148,8 @@ ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, ""); SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, ""); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, - ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS, + ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, ""); SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, ""); SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT, @@ -187,6 +187,7 @@ #endif #ifdef INET6 +#ifndef VIMAGE struct ipsecstat ipsec6stat; int ip6_esp_trans_deflev = IPSEC_LEVEL_USE; int ip6_esp_net_deflev = IPSEC_LEVEL_USE; @@ -194,7 +195,7 @@ int ip6_ah_net_deflev = IPSEC_LEVEL_USE; int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ int ip6_esp_randpad = -1; - +#endif SYSCTL_DECL(_net_inet6_ipsec6); /* net.inet6.ipsec6 */ @@ -202,28 +203,24 @@ SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 0,0, compat_ipsecstats_sysctl, "S", ""); #endif /* COMPAT_KAME */ -/* XXX -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, ""); -*/ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, - CTLFLAG_RW, &ip6_esp_trans_deflev, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, - CTLFLAG_RW, &ip6_esp_net_deflev, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, - CTLFLAG_RW, &ip6_ah_trans_deflev, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, - CTLFLAG_RW, &ip6_ah_net_deflev, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, - ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN, + ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, ""); SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, debug, CTLFLAG_RW, ipsec_debug, 0, ""); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, - esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, ""); -SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, - ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD, + esp_randpad, CTLFLAG_RW, ip6_esp_randpad, 0, ""); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, + ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, ""); #endif /* INET6 */ #ifdef VIMAGE @@ -1357,10 +1354,10 @@ #endif #ifdef INET6 case AF_INET6: - esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev); - esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev); - ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev); - ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev); + esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev); + esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev); + ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev); + ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev); break; #endif /* INET6 */ default: @@ -1542,6 +1539,7 @@ struct mbuf *m; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp = NULL; int error; int result; @@ -1562,7 +1560,7 @@ if (sp != NULL) { result = ipsec_in_reject(sp, m); if (result) - ipsec6stat.ips_in_polvio++; + V_ipsec6stat.ips_in_polvio++; KEY_FREESP(&sp); } else { result = 0; @@ -2042,6 +2040,13 @@ V_ipsec_integrity = 0; #endif + V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE; + V_ip6_esp_net_deflev = IPSEC_LEVEL_USE; + V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE; + V_ip6_ah_net_deflev = IPSEC_LEVEL_USE; + V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ + V_ip6_esp_randpad = -1; + return 0; } ==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 (text+ko) ==== ==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 (text+ko) ==== @@ -116,7 +116,7 @@ u_int32_t spi; int error; - IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input, + IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input, ipcompstat.ipcomps_input); IPSEC_ASSERT(m != NULL, ("null packet")); @@ -126,17 +126,17 @@ ("unexpected security protocol %u", sproto)); if ((sproto == IPPROTO_ESP && !V_esp_enable) || - (sproto == IPPROTO_AH && !ah_enable) || + (sproto == IPPROTO_AH && !V_ah_enable) || (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); return EOPNOTSUPP; } if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) { m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); DPRINTF(("%s: packet too small\n", __func__)); return EINVAL; @@ -182,7 +182,7 @@ default: DPRINTF(("%s: unsupported protocol family %u\n", __func__, af)); m_freem(m); - IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf, + IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf, ipcompstat.ipcomps_nopf); return EPFNOSUPPORT; } @@ -193,7 +193,7 @@ DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb, + IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb, ipcompstat.ipcomps_notdb); m_freem(m); return ENOENT; @@ -203,7 +203,7 @@ DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), (u_long) ntohl(spi), sproto)); - IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform, + IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform, ipcompstat.ipcomps_noxform); KEY_FREESAV(&sav); m_freem(m); @@ -309,7 +309,7 @@ /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr, + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, ipcompstat.ipcomps_badkcr); KEY_FREESAV(&sav); return EINVAL; @@ -321,7 +321,7 @@ DPRINTF(("%s: processing failed for SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOBUFS; goto bad; @@ -344,7 +344,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; @@ -375,7 +375,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - ahstat.ahs_pdrops, + V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; @@ -388,7 +388,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; @@ -417,7 +417,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - ahstat.ahs_pdrops, + V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; @@ -440,7 +440,7 @@ if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } @@ -474,7 +474,7 @@ * Re-dispatch via software interrupt. */ if ((error = netisr_queue(NETISR_IP, m))) { - IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull, + IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull, ipcompstat.ipcomps_qfull); DPRINTF(("%s: queue full; proto %u packet dropped\n", @@ -530,7 +530,7 @@ DPRINTF(("%s: bad packet header chain, protoff %u, " "l %u, off %u\n", __func__, protoff, l, *offp)); IPSEC_ISTAT(proto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); m_freem(*mp); *mp = NULL; @@ -578,7 +578,7 @@ /* Sanity check */ if (m == NULL) { DPRINTF(("%s: null mbuf", __func__)); - IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr, + IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr, ipcompstat.ipcomps_badkcr); error = EINVAL; goto bad; @@ -592,7 +592,7 @@ __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops, + IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EACCES; goto bad; @@ -612,7 +612,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; @@ -639,7 +639,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTATsproto, (V_espstat.esps_pdrops, - ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -652,7 +652,7 @@ if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) { IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = EINVAL; goto bad; @@ -681,7 +681,7 @@ (u_long) ntohl(sav->spi))); IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, - ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); + V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); error = EACCES; goto bad; } @@ -702,7 +702,7 @@ if (mtag == NULL) { DPRINTF(("%s: failed to get tag\n", __func__)); IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, - ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); + V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops); error = ENOMEM; goto bad; } ==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 (text+ko) ==== @@ -310,11 +310,11 @@ * Check system global policy controls. */ if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) || - (isr->saidx.proto == IPPROTO_AH && !ah_enable) || + (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) || (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) { DPRINTF(("%s: IPsec outbound packet dropped due" " to policy (check your sysctls)\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_pdrops, ahstat.ahs_pdrops, + IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops); *error = EHOSTUNREACH; goto bad; @@ -326,7 +326,7 @@ */ if (sav->tdb_xform == NULL) { DPRINTF(("%s: no transform for SA\n", __func__)); - IPSEC_OSTAT(V_espstat.esps_noxform, ahstat.ahs_noxform, + IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform, ipcompstat.ipcomps_noxform); *error = EHOSTUNREACH; goto bad; ==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 (text+ko) ==== @@ -41,6 +41,7 @@ #include #include +#include #include #include @@ -90,6 +91,18 @@ int _ipsec_ah_keymin; int _ipip_allow; struct ipipstat _ipipstat; + + struct ipsecstat _ipsec6stat; + int _ip6_esp_trans_deflev; + int _ip6_esp_net_deflev; + int _ip6_ah_trans_deflev; + int _ip6_ah_net_deflev; + int _ip6_ipsec_ecn; + int _ip6_esp_randpad; + + int _ah_enable; + int _ah_cleartos; + struct ahstat _ahstat; }; extern struct vnet_ipsec vnet_ipsec_0; @@ -139,4 +152,14 @@ #define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin) #define V_ipip_allow VNET_IPSEC(ipip_allow) #define V_ipipstat VNET_IPSEC(ipipstat) +#define V_ipsec6stat VNET_IPSEC(ipsec6stat) +#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev) +#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev) +#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev) +#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev) +#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn) +#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad) +#define V_ah_enable VNET_IPSEC(ah_enable) +#define V_ah_cleartos VNET_IPSEC(ah_cleartos) +#define V_ahstat VNET_IPSEC(ahstat) #endif /* !_NETIPSEC_VIPSEC_H_ */ ==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 (text+ko) ==== @@ -90,17 +90,31 @@ #define AUTHSIZE(sav) \ ((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN) +#ifndef VIMAGE int ah_enable = 1; /* control flow of packets with AH */ int ah_cleartos = 1; /* clear ip_tos when doing AH calc */ struct ahstat ahstat; +#endif SYSCTL_DECL(_net_inet_ah); -SYSCTL_INT(_net_inet_ah, OID_AUTO, - ah_enable, CTLFLAG_RW, &ah_enable, 0, ""); -SYSCTL_INT(_net_inet_ah, OID_AUTO, - ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, ""); -SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS, - stats, CTLFLAG_RD, &ahstat, ahstat, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, + ah_enable, CTLFLAG_RW, ah_enable, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO, + ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, ""); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS, + stats, CTLFLAG_RD, ahstat, ahstat, ""); + +static int ah_iattach(void *); + +#ifdef VIMAGE +static struct vnet_modinfo vnet_ah_modinfo = { + .id = VNET_MOD_AH, + .name = "esp", + .symmap = NULL, + .i_attach = ah_iattach, + .i_detach = NULL, +}; +#endif static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */ @@ -283,7 +297,7 @@ /* Fix the IP header */ ip = mtod(m, struct ip *); - if (ah_cleartos) + if (V_ah_cleartos) ip->ip_tos = 0; ip->ip_ttl = 0; ip->ip_sum = 0; @@ -582,14 +596,14 @@ IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen); if (ah == NULL) { DPRINTF(("ah_input: cannot pullup header\n")); - ahstat.ahs_hdrops++; /*XXX*/ + V_ahstat.ahs_hdrops++; /*XXX*/ m_freem(m); return ENOBUFS; } /* Check replay window, if applicable. */ if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) { - ahstat.ahs_replay++; + V_ahstat.ahs_replay++; DPRINTF(("%s: packet replay failure: %s\n", __func__, ipsec_logsastr(sav))); m_freem(m); @@ -606,17 +620,17 @@ hl, (u_long) (authsize + rplen - sizeof (struct ah)), ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_badauthl++; + V_ahstat.ahs_badauthl++; m_freem(m); return EACCES; } - ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; + V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl; /* Get crypto descriptors. */ crp = crypto_getreq(1); if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; m_freem(m); return ENOBUFS; } @@ -656,7 +670,7 @@ } if (tc == NULL) { DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; crypto_freereq(crp); m_freem(m); return ENOBUFS; @@ -680,7 +694,7 @@ skip, ahx->type, 0); if (error != 0) { /* NB: mbuf is free'd by ah_massage_headers */ - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; free(tc, M_XDATA); crypto_freereq(crp); return error; @@ -757,7 +771,7 @@ sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ahstat.ahs_notdb++; + V_ahstat.ahs_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -781,19 +795,19 @@ return error; } - ahstat.ahs_noxform++; + V_ahstat.ahs_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; } else { - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; crypto_freereq(crp); /* No longer needed. */ crp = NULL; } /* Shouldn't happen... */ if (m == NULL) { - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; @@ -819,7 +833,7 @@ "in SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_badauth++; + V_ahstat.ahs_badauth++; error = EACCES; goto bad; } @@ -850,7 +864,7 @@ m_copydata(m, skip + offsetof(struct newah, ah_seq), sizeof (seq), (caddr_t) &seq); if (ipsec_updatereplay(ntohl(seq), sav)) { - ahstat.ahs_replay++; + V_ahstat.ahs_replay++; error = ENOBUFS; /*XXX as above*/ goto bad; } @@ -864,7 +878,7 @@ DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__, ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; goto bad; } @@ -916,7 +930,7 @@ ahx = sav->tdb_authalgxform; IPSEC_ASSERT(ahx != NULL, ("null authentication xform")); - ahstat.ahs_output++; + V_ahstat.ahs_output++; /* Figure out header size. */ rplen = HDRSIZE(sav); @@ -939,7 +953,7 @@ sav->sah->saidx.dst.sa.sa_family, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_nopf++; + V_ahstat.ahs_nopf++; error = EPFNOSUPPORT; goto bad; } @@ -950,20 +964,20 @@ ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi), rplen + authsize + m->m_pkthdr.len, maxpacketsize)); - ahstat.ahs_toobig++; + V_ahstat.ahs_toobig++; error = EMSGSIZE; goto bad; } /* Update the counters. */ - ahstat.ahs_obytes += m->m_pkthdr.len - skip; + V_ahstat.ahs_obytes += m->m_pkthdr.len - skip; m = m_unshare(m, M_NOWAIT); if (m == NULL) { DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; + V_ahstat.ahs_hdrops++; error = ENOBUFS; goto bad; } @@ -976,7 +990,7 @@ rplen + authsize, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_hdrops++; /*XXX differs from openbsd */ + V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */ error = ENOBUFS; goto bad; } @@ -1004,7 +1018,7 @@ __func__, ipsec_address(&sav->sah->saidx.dst), (u_long) ntohl(sav->spi))); - ahstat.ahs_wrap++; + V_ahstat.ahs_wrap++; error = EINVAL; goto bad; } @@ -1021,7 +1035,7 @@ if (crp == NULL) { DPRINTF(("%s: failed to acquire crypto descriptors\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; error = ENOBUFS; goto bad; } @@ -1043,7 +1057,7 @@ if (tc == NULL) { crypto_freereq(crp); DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__)); - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; error = ENOBUFS; goto bad; } @@ -1148,7 +1162,7 @@ IPSECREQUEST_LOCK(isr); sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi); if (sav == NULL) { - ahstat.ahs_notdb++; + V_ahstat.ahs_notdb++; DPRINTF(("%s: SA expired while in crypto\n", __func__)); error = ENOBUFS; /*XXX*/ goto bad; @@ -1168,7 +1182,7 @@ return error; } - ahstat.ahs_noxform++; + V_ahstat.ahs_noxform++; DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype)); error = crp->crp_etype; goto bad; @@ -1176,12 +1190,12 @@ /* Shouldn't happen... */ if (m == NULL) { - ahstat.ahs_crypto++; + V_ahstat.ahs_crypto++; DPRINTF(("%s: bogus returned buffer from crypto\n", __func__)); error = EINVAL; goto bad; } - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; /* * Copy original headers (with the new protocol number) back @@ -1230,9 +1244,27 @@ ah_init, ah_zeroize, ah_input, ah_output, }; +static int +ah_iattach(unused) + void *unused; +{ + INIT_VNET_IPSEC(curvnet); + + V_ah_enable = 1; /* control flow of packets with AH */ + V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */ + + xform_register(&ah_xformsw); + + return 0; +} + static void ah_attach(void) { - xform_register(&ah_xformsw); +#ifdef VIMAGE + vnet_mod_register(&vnet_ah_modinfo); +#else + ah_iattach(NULL); +#endif } SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL); ==== //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 (text+ko) ==== @@ -548,7 +548,7 @@ * the verification for us. Otherwise we need to * check the authentication calculation. */ - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; if (mtag == NULL) { /* Copy the authenticator from the packet */ m_copydata(m, m->m_pkthdr.len - AH_HMAC_HASHLEN, @@ -968,7 +968,7 @@ } V_espstat.esps_hist[sav->alg_enc]++; if (sav->tdb_authalgxform != NULL) - ahstat.ahs_hist[sav->alg_auth]++; + V_ahstat.ahs_hist[sav->alg_auth]++; /* Release crypto descriptors. */ free(tc, M_XDATA); ==== //depot/projects/vimage/src/sys/sys/vimage.h#20 (text+ko) ==== @@ -75,9 +75,10 @@ #define VNET_MOD_DUMMYNET 9 #define VNET_MOD_PF 10 #define VNET_MOD_ALTQ 11 -#define VNET_MOD_IPSEC 12 -#define VNET_MOD_ESP 13 -#define VNET_MOD_IPIP 14 +#define VNET_MOD_IPSEC 12 +#define VNET_MOD_ESP 13 +#define VNET_MOD_IPIP 14 +#define VNET_MOD_AH 15 #define VNET_MOD_GIF 16 #define VNET_MOD_ARP 28 #define VNET_MOD_RTABLE 29