mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-25 11:37:56 +00:00
530c006014
vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes. Reviewed by: bz Approved by: re (vimage blanket)
374 lines
8.9 KiB
C
374 lines
8.9 KiB
C
/*-
|
|
* Copyright (c) 2006 The FreeBSD Project.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
* SUCH DAMAGE.
|
|
*
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/systm.h>
|
|
#include <sys/kernel.h>
|
|
#include <sys/malloc.h>
|
|
#include <sys/mbuf.h>
|
|
#include <sys/module.h>
|
|
#include <machine/bus.h>
|
|
#include <sys/rman.h>
|
|
#include <sys/socket.h>
|
|
#include <sys/sockio.h>
|
|
#include <sys/sysctl.h>
|
|
|
|
#include <net/if.h>
|
|
#include <net/if_clone.h>
|
|
#include <net/if_types.h>
|
|
#include <net/pfil.h>
|
|
#include <net/route.h>
|
|
#include <net/netisr.h>
|
|
#include <net/bpf.h>
|
|
#include <net/vnet.h>
|
|
|
|
#include <netinet/in.h>
|
|
#include <netinet/in_systm.h>
|
|
#include <netinet/ip.h>
|
|
#include <netinet/ip_var.h>
|
|
#include <netinet/in_var.h>
|
|
#include "opt_inet6.h"
|
|
|
|
#ifdef INET6
|
|
#include <netinet/ip6.h>
|
|
#include <netinet6/ip6_var.h>
|
|
#endif
|
|
|
|
#include "opt_enc.h"
|
|
#include <netipsec/ipsec.h>
|
|
#include <netipsec/xform.h>
|
|
|
|
#define ENCMTU (1024+512)
|
|
|
|
/* XXX this define must have the same value as in OpenBSD */
|
|
#define M_CONF 0x0400 /* payload was encrypted (ESP-transport) */
|
|
#define M_AUTH 0x0800 /* payload was authenticated (AH or ESP auth) */
|
|
#define M_AUTH_AH 0x2000 /* header was authenticated (AH) */
|
|
|
|
struct enchdr {
|
|
u_int32_t af;
|
|
u_int32_t spi;
|
|
u_int32_t flags;
|
|
};
|
|
|
|
struct ifnet *encif;
|
|
static struct mtx enc_mtx;
|
|
|
|
struct enc_softc {
|
|
struct ifnet *sc_ifp;
|
|
};
|
|
|
|
static int enc_ioctl(struct ifnet *, u_long, caddr_t);
|
|
static int enc_output(struct ifnet *ifp, struct mbuf *m,
|
|
struct sockaddr *dst, struct route *ro);
|
|
static int enc_clone_create(struct if_clone *, int, caddr_t);
|
|
static void enc_clone_destroy(struct ifnet *);
|
|
|
|
IFC_SIMPLE_DECLARE(enc, 1);
|
|
|
|
/*
|
|
* Sysctls.
|
|
*/
|
|
|
|
/*
|
|
* Before and after are relative to when we are stripping the
|
|
* outer IP header.
|
|
*/
|
|
SYSCTL_NODE(_net, OID_AUTO, enc, CTLFLAG_RW, 0, "enc sysctl");
|
|
|
|
SYSCTL_NODE(_net_enc, OID_AUTO, in, CTLFLAG_RW, 0, "enc input sysctl");
|
|
static int ipsec_filter_mask_in = ENC_BEFORE;
|
|
SYSCTL_XINT(_net_enc_in, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
|
|
&ipsec_filter_mask_in, 0, "IPsec input firewall filter mask");
|
|
static int ipsec_bpf_mask_in = ENC_BEFORE;
|
|
SYSCTL_XINT(_net_enc_in, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
|
|
&ipsec_bpf_mask_in, 0, "IPsec input bpf mask");
|
|
|
|
SYSCTL_NODE(_net_enc, OID_AUTO, out, CTLFLAG_RW, 0, "enc output sysctl");
|
|
static int ipsec_filter_mask_out = ENC_BEFORE;
|
|
SYSCTL_XINT(_net_enc_out, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
|
|
&ipsec_filter_mask_out, 0, "IPsec output firewall filter mask");
|
|
static int ipsec_bpf_mask_out = ENC_BEFORE|ENC_AFTER;
|
|
SYSCTL_XINT(_net_enc_out, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
|
|
&ipsec_bpf_mask_out, 0, "IPsec output bpf mask");
|
|
|
|
static void
|
|
enc_clone_destroy(struct ifnet *ifp)
|
|
{
|
|
KASSERT(ifp != encif, ("%s: destroying encif", __func__));
|
|
|
|
bpfdetach(ifp);
|
|
if_detach(ifp);
|
|
if_free(ifp);
|
|
}
|
|
|
|
static int
|
|
enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
|
|
{
|
|
struct ifnet *ifp;
|
|
struct enc_softc *sc;
|
|
|
|
sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
|
|
ifp = sc->sc_ifp = if_alloc(IFT_ENC);
|
|
if (ifp == NULL) {
|
|
free(sc, M_DEVBUF);
|
|
return (ENOSPC);
|
|
}
|
|
|
|
if_initname(ifp, ifc->ifc_name, unit);
|
|
ifp->if_mtu = ENCMTU;
|
|
ifp->if_ioctl = enc_ioctl;
|
|
ifp->if_output = enc_output;
|
|
ifp->if_snd.ifq_maxlen = ifqmaxlen;
|
|
ifp->if_softc = sc;
|
|
if_attach(ifp);
|
|
bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
|
|
|
|
mtx_lock(&enc_mtx);
|
|
/* grab a pointer to enc0, ignore the rest */
|
|
if (encif == NULL)
|
|
encif = ifp;
|
|
mtx_unlock(&enc_mtx);
|
|
|
|
return (0);
|
|
}
|
|
|
|
static int
|
|
enc_modevent(module_t mod, int type, void *data)
|
|
{
|
|
switch (type) {
|
|
case MOD_LOAD:
|
|
mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
|
|
if_clone_attach(&enc_cloner);
|
|
break;
|
|
case MOD_UNLOAD:
|
|
printf("enc module unload - not possible for this module\n");
|
|
return (EINVAL);
|
|
default:
|
|
return (EOPNOTSUPP);
|
|
}
|
|
return (0);
|
|
}
|
|
|
|
static moduledata_t enc_mod = {
|
|
"enc",
|
|
enc_modevent,
|
|
0
|
|
};
|
|
|
|
DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
|
|
|
|
static int
|
|
enc_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
|
|
struct route *ro)
|
|
{
|
|
m_freem(m);
|
|
return (0);
|
|
}
|
|
|
|
/*
|
|
* Process an ioctl request.
|
|
*/
|
|
/* ARGSUSED */
|
|
static int
|
|
enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
|
{
|
|
int error = 0;
|
|
|
|
mtx_lock(&enc_mtx);
|
|
|
|
switch (cmd) {
|
|
|
|
case SIOCSIFFLAGS:
|
|
if (ifp->if_flags & IFF_UP)
|
|
ifp->if_drv_flags |= IFF_DRV_RUNNING;
|
|
else
|
|
ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
|
|
|
|
break;
|
|
|
|
default:
|
|
error = EINVAL;
|
|
}
|
|
|
|
mtx_unlock(&enc_mtx);
|
|
return (error);
|
|
}
|
|
|
|
int
|
|
ipsec_filter(struct mbuf **mp, int dir, int flags)
|
|
{
|
|
int error, i;
|
|
struct ip *ip;
|
|
|
|
KASSERT(encif != NULL, ("%s: encif is null", __func__));
|
|
KASSERT(flags & (ENC_IN|ENC_OUT),
|
|
("%s: invalid flags: %04x", __func__, flags));
|
|
|
|
if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
|
return (0);
|
|
|
|
if (flags & ENC_IN) {
|
|
if ((flags & ipsec_filter_mask_in) == 0)
|
|
return (0);
|
|
} else {
|
|
if ((flags & ipsec_filter_mask_out) == 0)
|
|
return (0);
|
|
}
|
|
|
|
/* Skip pfil(9) if no filters are loaded */
|
|
if (!(PFIL_HOOKED(&inet_pfil_hook)
|
|
#ifdef INET6
|
|
|| PFIL_HOOKED(&inet6_pfil_hook)
|
|
#endif
|
|
)) {
|
|
return (0);
|
|
}
|
|
|
|
i = min((*mp)->m_pkthdr.len, max_protohdr);
|
|
if ((*mp)->m_len < i) {
|
|
*mp = m_pullup(*mp, i);
|
|
if (*mp == NULL) {
|
|
printf("%s: m_pullup failed\n", __func__);
|
|
return (-1);
|
|
}
|
|
}
|
|
|
|
error = 0;
|
|
ip = mtod(*mp, struct ip *);
|
|
switch (ip->ip_v) {
|
|
case 4:
|
|
/*
|
|
* before calling the firewall, swap fields the same as
|
|
* IP does. here we assume the header is contiguous
|
|
*/
|
|
ip->ip_len = ntohs(ip->ip_len);
|
|
ip->ip_off = ntohs(ip->ip_off);
|
|
|
|
error = pfil_run_hooks(&inet_pfil_hook, mp,
|
|
encif, dir, NULL);
|
|
|
|
if (*mp == NULL || error != 0)
|
|
break;
|
|
|
|
/* restore byte ordering */
|
|
ip = mtod(*mp, struct ip *);
|
|
ip->ip_len = htons(ip->ip_len);
|
|
ip->ip_off = htons(ip->ip_off);
|
|
break;
|
|
|
|
#ifdef INET6
|
|
case 6:
|
|
error = pfil_run_hooks(&inet6_pfil_hook, mp,
|
|
encif, dir, NULL);
|
|
break;
|
|
#endif
|
|
default:
|
|
printf("%s: unknown IP version\n", __func__);
|
|
}
|
|
|
|
/*
|
|
* If the mbuf was consumed by the filter for requeueing (dummynet, etc)
|
|
* then error will be zero but we still want to return an error to our
|
|
* caller so the null mbuf isn't forwarded further.
|
|
*/
|
|
if (*mp == NULL && error == 0)
|
|
return (-1); /* Consumed by the filter */
|
|
if (*mp == NULL)
|
|
return (error);
|
|
if (error != 0)
|
|
goto bad;
|
|
|
|
return (error);
|
|
|
|
bad:
|
|
m_freem(*mp);
|
|
*mp = NULL;
|
|
return (error);
|
|
}
|
|
|
|
void
|
|
ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af, int flags)
|
|
{
|
|
int mflags;
|
|
struct enchdr hdr;
|
|
|
|
KASSERT(encif != NULL, ("%s: encif is null", __func__));
|
|
KASSERT(flags & (ENC_IN|ENC_OUT),
|
|
("%s: invalid flags: %04x", __func__, flags));
|
|
|
|
if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
|
|
return;
|
|
|
|
if (flags & ENC_IN) {
|
|
if ((flags & ipsec_bpf_mask_in) == 0)
|
|
return;
|
|
} else {
|
|
if ((flags & ipsec_bpf_mask_out) == 0)
|
|
return;
|
|
}
|
|
|
|
if (bpf_peers_present(encif->if_bpf)) {
|
|
mflags = 0;
|
|
hdr.spi = 0;
|
|
if (!sav) {
|
|
struct m_tag *mtag;
|
|
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
|
|
if (mtag != NULL) {
|
|
struct tdb_ident *tdbi;
|
|
tdbi = (struct tdb_ident *) (mtag + 1);
|
|
if (tdbi->alg_enc != SADB_EALG_NONE)
|
|
mflags |= M_CONF;
|
|
if (tdbi->alg_auth != SADB_AALG_NONE)
|
|
mflags |= M_AUTH;
|
|
hdr.spi = tdbi->spi;
|
|
}
|
|
} else {
|
|
if (sav->alg_enc != SADB_EALG_NONE)
|
|
mflags |= M_CONF;
|
|
if (sav->alg_auth != SADB_AALG_NONE)
|
|
mflags |= M_AUTH;
|
|
hdr.spi = sav->spi;
|
|
}
|
|
|
|
/*
|
|
* We need to prepend the address family as a four byte
|
|
* field. Cons up a dummy header to pacify bpf. This
|
|
* is safe because bpf will only read from the mbuf
|
|
* (i.e., it won't try to free it or keep a pointer a
|
|
* to it).
|
|
*/
|
|
hdr.af = af;
|
|
/* hdr.spi already set above */
|
|
hdr.flags = mflags;
|
|
|
|
bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m);
|
|
}
|
|
}
|