PERFORCE change 123596 for review
Ana Kukec
anchie at FreeBSD.org
Mon Jul 16 16:42:28 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=123596
Change 123596 by anchie at anchie_malimis on 2007/07/16 16:41:56
Added VIMAGE (per-vnet) support for the AH crypto algorithm.
Affected files ...
.. //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 edit
.. //depot/projects/vimage/src/sys/sys/vimage.h#20 edit
Differences ...
==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#8 (text+ko) ====
@@ -148,8 +148,8 @@
ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, "");
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
- ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
+ ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, "");
SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT,
@@ -187,6 +187,7 @@
#endif
#ifdef INET6
+#ifndef VIMAGE
struct ipsecstat ipsec6stat;
int ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
int ip6_esp_net_deflev = IPSEC_LEVEL_USE;
@@ -194,7 +195,7 @@
int ip6_ah_net_deflev = IPSEC_LEVEL_USE;
int ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
int ip6_esp_randpad = -1;
-
+#endif
SYSCTL_DECL(_net_inet6_ipsec6);
/* net.inet6.ipsec6 */
@@ -202,28 +203,24 @@
SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
0,0, compat_ipsecstats_sysctl, "S", "");
#endif /* COMPAT_KAME */
-/* XXX
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
-*/
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
- CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
- CTLFLAG_RW, &ip6_esp_net_deflev, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
- CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
- CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, "");
SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
debug, CTLFLAG_RW, ipsec_debug, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
- esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
-SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
- ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
+ esp_randpad, CTLFLAG_RW, ip6_esp_randpad, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
+ ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, "");
#endif /* INET6 */
#ifdef VIMAGE
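Review bot: Deleting the XXX block at the top of this hunk removes the only marker that net.inet6.ipsec6.def_policy writes `ip4_def_policy.policy`; the surviving SYSCTL_V_INT for IPSECCTL_DEF_POLICY still points at ip4_def_policy, which is presumably the same object the IPv4 knob exposes. Default policy decides whether unprotected traffic is accepted, so an administrator should be told the two knobs alias one another instead of discovering it by setting one and watching the other change. Suggest a one-line comment above that SYSCTL_V_INT: `/* NB: shares ip4_def_policy with net.inet.ipsec.def_policy; presumably one default serves both families */`.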
@@ -1357,10 +1354,10 @@
#endif
#ifdef INET6
case AF_INET6:
- esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
- esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
- ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
- ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
+ esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev);
+ esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev);
+ ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev);
+ ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev);
break;
#endif /* INET6 */
default:
@@ -1542,6 +1539,7 @@
struct mbuf *m;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp = NULL;
int error;
int result;
@@ -1562,7 +1560,7 @@
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
- ipsec6stat.ips_in_polvio++;
+ V_ipsec6stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0;
@@ -2042,6 +2040,13 @@
V_ipsec_integrity = 0;
#endif
+ V_ip6_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+ V_ip6_esp_randpad = -1;
+
return 0;
}
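Review bot: The IPv6 defaults assigned here duplicate the static initializers kept under `#ifndef VIMAGE` earlier in the file (ip6_*_deflev = IPSEC_LEVEL_USE, ip6_ipsec_ecn = 0, ip6_esp_randpad = -1), so a VIMAGE and a non-VIMAGE kernel can silently diverge in their default IPsec security level if one copy is edited. Consider naming each value once, e.g. `#define IP6_IPSEC_DEFLEV_DEFAULT IPSEC_LEVEL_USE`, and using it in both places. V_ipsec6stat gets no explicit zeroing in this attach path; that is fine only if the vnet_ipsec instance is allocated zeroed, which this change does not show. The enclosing attach function starts outside the hunk.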
==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#4 (text+ko) ====
==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#6 (text+ko) ====
@@ -116,7 +116,7 @@
u_int32_t spi;
int error;
- IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input,
+ IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
ipcompstat.ipcomps_input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -126,17 +126,17 @@
("unexpected security protocol %u", sproto));
if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
- (sproto == IPPROTO_AH && !ah_enable) ||
+ (sproto == IPPROTO_AH && !V_ah_enable) ||
(sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
return EOPNOTSUPP;
}
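Review bot: After this hunk `V_esp_enable` and `V_ah_enable` are per-vnet while `ipcomp_enable` on the same condition is still the global, so in a VIMAGE kernel the three protocol-enable knobs no longer have the same scope: a jail can disable AH/ESP for itself, but IPCOMP only system-wide. If IPCOMP virtualization is planned as a follow-up, a marker such as `/* XXX ipcomp_enable and ipcompstat are not yet virtualized */` on this line keeps the inconsistency visible; the same applies to the `ipcompstat` counters passed to IPSEC_ISTAT throughout this file. The enclosing function starts outside the hunk.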
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
@@ -182,7 +182,7 @@
default:
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
- IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf,
+ IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
ipcompstat.ipcomps_nopf);
return EPFNOSUPPORT;
}
@@ -193,7 +193,7 @@
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb,
+ IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
ipcompstat.ipcomps_notdb);
m_freem(m);
return ENOENT;
@@ -203,7 +203,7 @@
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform,
+ IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
KEY_FREESAV(&sav);
m_freem(m);
@@ -309,7 +309,7 @@
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
KEY_FREESAV(&sav);
return EINVAL;
@@ -321,7 +321,7 @@
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = ENOBUFS;
goto bad;
@@ -344,7 +344,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops,
+ V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
@@ -375,7 +375,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- ahstat.ahs_pdrops,
+ V_ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
@@ -388,7 +388,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops,
+ V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
@@ -417,7 +417,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- ahstat.ahs_pdrops,
+ V_ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
@@ -440,7 +440,7 @@
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
@@ -474,7 +474,7 @@
* Re-dispatch via software interrupt.
*/
if ((error = netisr_queue(NETISR_IP, m))) {
- IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull,
+ IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
ipcompstat.ipcomps_qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
@@ -530,7 +530,7 @@
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops,
+ V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
m_freem(*mp);
*mp = NULL;
@@ -578,7 +578,7 @@
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
@@ -592,7 +592,7 @@
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
@@ -612,7 +612,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops,
+ V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
@@ -639,7 +639,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
- ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
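Review bot: The context line this hunk continues reads `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` — the opening parenthesis appears displaced after `sproto`, so the statement whose second line is changed here would not compile if the block were built; it may also be a mail-wrapping artifact. Since the change edits that statement's continuation, it is worth checking whether the block sits under a preprocessor condition that is currently disabled and, if so, correcting it to `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,` while here. The enclosing function starts outside the hunk.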
@@ -652,7 +652,7 @@
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops,
+ V_ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
@@ -681,7 +681,7 @@
(u_long) ntohl(sav->spi)));
IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
- ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ V_ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -702,7 +702,7 @@
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
- ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ V_ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#6 (text+ko) ====
@@ -310,11 +310,11 @@
* Check system global policy controls.
*/
if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
- (isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
+ (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
(isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
- IPSEC_OSTAT(V_espstat.esps_pdrops, ahstat.ahs_pdrops,
+ IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
*error = EHOSTUNREACH;
goto bad;
@@ -326,7 +326,7 @@
*/
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: no transform for SA\n", __func__));
- IPSEC_OSTAT(V_espstat.esps_noxform, ahstat.ahs_noxform,
+ IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
*error = EHOSTUNREACH;
goto bad;
==== //depot/projects/vimage/src/sys/netipsec/vipsec.h#3 (text+ko) ====
@@ -41,6 +41,7 @@
#include <netipsec/ipsec.h>
#include <netipsec/esp_var.h>
+#include <netipsec/ah_var.h>
#include <netipsec/ipip_var.h>
#include <net/if.h>
@@ -90,6 +91,18 @@
int _ipsec_ah_keymin;
int _ipip_allow;
struct ipipstat _ipipstat;
+
+ struct ipsecstat _ipsec6stat;
+ int _ip6_esp_trans_deflev;
+ int _ip6_esp_net_deflev;
+ int _ip6_ah_trans_deflev;
+ int _ip6_ah_net_deflev;
+ int _ip6_ipsec_ecn;
+ int _ip6_esp_randpad;
+
+ int _ah_enable;
+ int _ah_cleartos;
+ struct ahstat _ahstat;
};
extern struct vnet_ipsec vnet_ipsec_0;
@@ -139,4 +152,14 @@
#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin)
#define V_ipip_allow VNET_IPSEC(ipip_allow)
#define V_ipipstat VNET_IPSEC(ipipstat)
+#define V_ipsec6stat VNET_IPSEC(ipsec6stat)
+#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
+#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
+#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
+#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
+#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
+#define V_ah_enable VNET_IPSEC(ah_enable)
+#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
+#define V_ahstat VNET_IPSEC(ahstat)
#endif /* !_NETIPSEC_VIPSEC_H_ */
==== //depot/projects/vimage/src/sys/netipsec/xform_ah.c#4 (text+ko) ====
@@ -90,17 +90,31 @@
#define AUTHSIZE(sav) \
((sav->flags & SADB_X_EXT_OLD) ? 16 : AH_HMAC_HASHLEN)
+#ifndef VIMAGE
int ah_enable = 1; /* control flow of packets with AH */
int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
struct ahstat ahstat;
+#endif
SYSCTL_DECL(_net_inet_ah);
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
- ah_enable, CTLFLAG_RW, &ah_enable, 0, "");
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
- ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, "");
-SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
- stats, CTLFLAG_RD, &ahstat, ahstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+ ah_enable, CTLFLAG_RW, ah_enable, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+ ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
+ stats, CTLFLAG_RD, ahstat, ahstat, "");
+
+static int ah_iattach(void *);
+
+#ifdef VIMAGE
+static struct vnet_modinfo vnet_ah_modinfo = {
+ .id = VNET_MOD_AH,
+ .name = "esp",
+ .symmap = NULL,
+ .i_attach = ah_iattach,
+ .i_detach = NULL,
+};
+#endif
static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
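Review bot: `vnet_ah_modinfo` is registered with `.name = "esp"`, a copy-paste from the ESP module; it should read `.name = "ah"`, otherwise two vnet modules carry the same name and anything that presumably looks modules up or reports them by name (symmaps, debugging output) will confuse AH with ESP. The `.id` is already VNET_MOD_AH, so only the string is wrong. The sysctl conversion in the same hunk looks consistent with the ESP counterpart.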
@@ -283,7 +297,7 @@
/* Fix the IP header */
ip = mtod(m, struct ip *);
- if (ah_cleartos)
+ if (V_ah_cleartos)
ip->ip_tos = 0;
ip->ip_ttl = 0;
ip->ip_sum = 0;
@@ -582,14 +596,14 @@
IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
- ahstat.ahs_hdrops++; /*XXX*/
+ V_ahstat.ahs_hdrops++; /*XXX*/
m_freem(m);
return ENOBUFS;
}
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
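Review bot: ah_input now references `V_ahstat`, but none of the xform_ah.c hunks add an `INIT_VNET_IPSEC(curvnet);` to ah_input, ah_input_cb, ah_output, ah_output_cb or ah_massage_headers, whereas the ipsec.c hunk for ipsec6_in_reject needed one before its first `V_ipsec6stat` use. If an earlier revision of this file did not already add them, these functions will fail to compile in a VIMAGE build. For the crypto callbacks (ah_input_cb / ah_output_cb), also confirm that curvnet is the packet's vnet in that context rather than that of whichever thread runs the crypto completion. ah_input starts outside the hunk.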
@@ -606,17 +620,17 @@
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauthl++;
+ V_ahstat.ahs_badauthl++;
m_freem(m);
return EACCES;
}
- ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+ V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
m_freem(m);
return ENOBUFS;
}
@@ -656,7 +670,7 @@
}
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
@@ -680,7 +694,7 @@
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
@@ -757,7 +771,7 @@
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -781,19 +795,19 @@
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
@@ -819,7 +833,7 @@
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauth++;
+ V_ahstat.ahs_badauth++;
error = EACCES;
goto bad;
}
@@ -850,7 +864,7 @@
m_copydata(m, skip + offsetof(struct newah, ah_seq),
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
error = ENOBUFS; /*XXX as above*/
goto bad;
}
@@ -864,7 +878,7 @@
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
goto bad;
}
@@ -916,7 +930,7 @@
ahx = sav->tdb_authalgxform;
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
- ahstat.ahs_output++;
+ V_ahstat.ahs_output++;
/* Figure out header size. */
rplen = HDRSIZE(sav);
@@ -939,7 +953,7 @@
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_nopf++;
+ V_ahstat.ahs_nopf++;
error = EPFNOSUPPORT;
goto bad;
}
@@ -950,20 +964,20 @@
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
- ahstat.ahs_toobig++;
+ V_ahstat.ahs_toobig++;
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+ V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -976,7 +990,7 @@
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++; /*XXX differs from openbsd */
+ V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -1004,7 +1018,7 @@
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_wrap++;
+ V_ahstat.ahs_wrap++;
error = EINVAL;
goto bad;
}
@@ -1021,7 +1035,7 @@
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1043,7 +1057,7 @@
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1148,7 +1162,7 @@
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -1168,7 +1182,7 @@
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -1176,12 +1190,12 @@
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
/*
* Copy original headers (with the new protocol number) back
@@ -1230,9 +1244,27 @@
ah_init, ah_zeroize, ah_input, ah_output,
};
+static int
+ah_iattach(unused)
+ void *unused;
+{
+ INIT_VNET_IPSEC(curvnet);
+
+ V_ah_enable = 1; /* control flow of packets with AH */
+ V_ah_cleartos = 1; /* clear ip_tos when doing AH calc */
+
+ xform_register(&ah_xformsw);
+
+ return 0;
+}
+
static void
ah_attach(void)
{
- xform_register(&ah_xformsw);
+#ifdef VIMAGE
+ vnet_mod_register(&vnet_ah_modinfo);
+#else
+ ah_iattach(NULL);
+#endif
}
SYSINIT(ah_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ah_attach, NULL);
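Review bot: ah_iattach calls `xform_register(&ah_xformsw)` once per vnet instance, while before this change it ran exactly once from ah_attach; if xform_register keeps a single global transform list (the diff does not show it), every additional vnet re-registers the AH transform, so that call may belong in ah_attach with only the V_ defaults left in ah_iattach. The definition also uses a K&R parameter list while the prototype above is ANSI; `static int ah_iattach(void *unused)` matches the file's prototype. In the non-VIMAGE build ah_iattach(NULL) re-assigns the already statically initialized `ah_enable`/`ah_cleartos`, which is harmless but leaves the defaults in two places.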
==== //depot/projects/vimage/src/sys/netipsec/xform_esp.c#4 (text+ko) ====
@@ -548,7 +548,7 @@
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
@@ -968,7 +968,7 @@
}
V_espstat.esps_hist[sav->alg_enc]++;
if (sav->tdb_authalgxform != NULL)
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
/* Release crypto descriptors. */
free(tc, M_XDATA);
==== //depot/projects/vimage/src/sys/sys/vimage.h#20 (text+ko) ====
@@ -75,9 +75,10 @@
#define VNET_MOD_DUMMYNET 9
#define VNET_MOD_PF 10
#define VNET_MOD_ALTQ 11
-#define VNET_MOD_IPSEC 12
-#define VNET_MOD_ESP 13
-#define VNET_MOD_IPIP 14
+#define VNET_MOD_IPSEC 12
+#define VNET_MOD_ESP 13
+#define VNET_MOD_IPIP 14
+#define VNET_MOD_AH 15
#define VNET_MOD_GIF 16
#define VNET_MOD_ARP 28
#define VNET_MOD_RTABLE 29