PERFORCE change 123432 for review
Ana Kukec
anchie at FreeBSD.org
Fri Jul 13 11:17:43 UTC 2007
http://perforce.freebsd.org/chv.cgi?CH=123432
Change 123432 by anchie at anchie_malimis on 2007/07/13 11:16:45
IPSec virtualization (ESP algorithm only).
Affected files ...
.. //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 edit
.. //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 edit
.. //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 edit
.. //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/key.c#5 edit
.. //depot/projects/vimage/src/sys/netipsec/key_debug.h#2 edit
.. //depot/projects/vimage/src/sys/netipsec/keysock.c#4 edit
.. //depot/projects/vimage/src/sys/netipsec/vipsec.h#1 add
.. //depot/projects/vimage/src/sys/netipsec/xform_ah.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_esp.c#3 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ipcomp.c#2 edit
.. //depot/projects/vimage/src/sys/netipsec/xform_ipip.c#4 edit
.. //depot/projects/vimage/src/sys/sys/vimage.h#19 edit
Differences ...
==== //depot/projects/vimage/src/sys/netinet/ip_ipsec.c#6 (text+ko) ====
@@ -62,6 +62,8 @@
#include <netipsec/ipsec.h>
#include <netipsec/xform.h>
#include <netipsec/key.h>
+#include <netipsec/vipsec.h>
+#include <netipsec/vipsec.h>
#endif /*IPSEC*/
extern struct protosw inetsw[];
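Review bot: `#include <netipsec/vipsec.h>` is added twice in a row after `key.h`; the second `+` line is redundant and should be dropped. The same doubled insertion appears in the next hunk of this file, where `INIT_VNET_IPSEC(curvnet);` is emitted both before and after `INIT_VNET_INET(curvnet);` in ip_ipsec_fwd — under VIMAGE that declares the same local twice and will not compile, so keep only one of them. ip_ipsec_fwd's body continues outside that hunk.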
@@ -94,7 +96,9 @@
ip_ipsec_fwd(struct mbuf *m)
{
#ifdef IPSEC
+ INIT_VNET_IPSEC(curvnet);
INIT_VNET_INET(curvnet);
+ INIT_VNET_IPSEC(curvnet);
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@@ -138,8 +142,10 @@
* 1 = drop packet, 0 = continue processing packet.
*/
int
+ INIT_VNET_IPSEC(curvnet);
ip_ipsec_input(struct mbuf *m)
{
+ INIT_VNET_IPSEC(curvnet);
struct ip *ip = mtod(m, struct ip *);
#ifdef IPSEC
struct m_tag *mtag;
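Review bot: The first added `INIT_VNET_IPSEC(curvnet);` lands at file scope between `int` and `ip_ipsec_input(struct mbuf *m)`, separating the return type from the function name; delete that line and keep only the one inside the body. The surviving one sits before the `#ifdef IPSEC` that guards the rest of the locals, while `<netipsec/vipsec.h>` is included only under `#ifdef IPSEC` in the first hunk of this file, so a kernel built without IPSEC would hit an undefined macro; move it under the guard as `#ifdef IPSEC` / `INIT_VNET_IPSEC(curvnet);` / `#endif`. The same unguarded placement recurs in tcp_input.c (the line added after `INIT_VNET_INET6(curvnet);`) and udp_usrreq.c (`INIT_VNET_IPSEC(inp->inp_vnet);`), whose vipsec.h includes are likewise inside `#ifdef IPSEC`. The body of ip_ipsec_input continues outside the hunk.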
==== //depot/projects/vimage/src/sys/netinet/tcp_input.c#16 (text+ko) ====
@@ -90,6 +90,7 @@
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ipsec6.h>
+#include <netipsec/vipsec.h>
#endif /*IPSEC*/
#include <machine/in_cksum.h>
@@ -236,6 +237,7 @@
#ifdef INET6
INIT_VNET_INET6(curvnet);
#endif
+ INIT_VNET_IPSEC(curvnet);
struct tcphdr *th;
struct ip *ip = NULL;
struct ipovly *ipov;
@@ -468,7 +470,7 @@
} else
#endif /* INET6 */
if (inp != NULL && ipsec4_in_reject(m, inp)) {
- ipsec4stat.in_polvio++;
+ V_ipsec4stat.in_polvio++;
goto dropunlock;
}
#endif /* IPSEC */
==== //depot/projects/vimage/src/sys/netinet/udp_usrreq.c#14 (text+ko) ====
@@ -84,6 +84,7 @@
#ifdef IPSEC
#include <netipsec/ipsec.h>
+#include <netipsec/vipsec.h>
#endif
#include <machine/in_cksum.h>
@@ -508,6 +509,7 @@
struct sockaddr_in *udp_in)
{
INIT_VNET_INET(inp->inp_vnet);
+ INIT_VNET_IPSEC(inp->inp_vnet);
struct sockaddr *append_sa;
struct socket *so;
struct mbuf *opts = 0;
@@ -520,7 +522,7 @@
#ifdef IPSEC
/* check AH/ESP integrity. */
if (ipsec4_in_reject(n, inp)) {
- ipsec4stat.in_polvio++;
+ V_ipsec4stat.in_polvio++;
m_freem(n);
return;
}
==== //depot/projects/vimage/src/sys/netinet6/ip6_ipsec.c#4 (text+ko) ====
@@ -62,6 +62,7 @@
#include <netipsec/ipsec6.h>
#include <netipsec/xform.h>
#include <netipsec/key.h>
+#include <netipsec/vipsec.h>
#ifdef IPSEC_DEBUG
#include <netipsec/key_debug.h>
#else
@@ -103,6 +104,7 @@
{
#ifdef IPSEC
INIT_VNET_INET6(curvnet);
+ INIT_VNET_IPSEC(curvnet);
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
@@ -149,6 +151,7 @@
{
#ifdef IPSEC
+ INIT_VNET_IPSEC(curvnet);
struct m_tag *mtag;
struct tdb_ident *tdbi;
struct secpolicy *sp;
==== //depot/projects/vimage/src/sys/netipsec/ipsec.c#6 (text+ko) ====
@@ -37,6 +37,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_vimage.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -53,6 +54,7 @@
#include <sys/syslog.h>
#include <sys/sysctl.h>
#include <sys/proc.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/route.h>
@@ -66,6 +68,7 @@
#include <netinet/udp_var.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
+#include <netinet/vinet.h>
#include <netinet/ip6.h>
#ifdef INET6
@@ -91,18 +94,27 @@
#include <netipsec/key_debug.h>
#include <netipsec/xform.h>
+#include <netipsec/vipsec.h>
#include <machine/in_cksum.h>
#include <opencrypto/cryptodev.h>
+#ifndef VIMAGE
#ifdef IPSEC_DEBUG
int ipsec_debug = 1;
#else
int ipsec_debug = 0;
#endif
+#endif
+static int vnet_ipsec_iattach(void *);
+#ifdef VIMAGE
+static int vnet_ipsec_idetach(void *);
+#endif
+
/* NB: name changed so netstat doesn't use it */
+#ifndef VIMAGE
struct ipsecstat ipsec4stat;
int ip4_ah_offsetmask = 0; /* maybe IP_DF? */
int ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
@@ -112,7 +124,7 @@
int ip4_ah_net_deflev = IPSEC_LEVEL_USE;
struct secpolicy ip4_def_policy;
int ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
-int ip4_esp_randpad = -1;
+int ip4_esp_randpad;
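Review bot: `int ip4_esp_randpad;` drops its `= -1` initializer while the neighbouring globals in the same `#ifndef VIMAGE` block opened in the previous hunk (`ip4_ipsec_ecn = 0`, the `IPSEC_LEVEL_USE` defaults) keep theirs, even though `vnet_ipsec_iattach` now assigns all of them. Either keep `int ip4_esp_randpad = -1;` for consistency, or drop every static initializer in the block and add `/* defaults are assigned in vnet_ipsec_iattach() */` so a reader knows the non-VIMAGE values are 0 until the SI_SUB_PROTO_DOMAIN SYSINIT has run.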
/*
* Crypto support requirements:
*
@@ -121,52 +133,57 @@
* 0 take anything
*/
int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+#endif
SYSCTL_DECL(_net_inet_ipsec);
/* net.inet.ipsec */
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY,
- def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
- CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
- CTLFLAG_RW, &ip4_esp_net_deflev, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev,
- CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev,
- CTLFLAG_RW, &ip4_ah_net_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY,
+ def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV,
+ esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV,
+ esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV,
+ ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV,
+ ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, "");
SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS,
ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
- ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT,
- dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN,
- ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, &ipsec_debug, 0, "");
-SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
- esp_randpad, CTLFLAG_RW, &ip4_esp_randpad, 0, "");
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO,
- crypto_support, CTLFLAG_RW, &crypto_support,0, "");
-SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO,
- ipsecstats, CTLFLAG_RD, &ipsec4stat, ipsecstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK,
+ ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_DFBIT,
+ dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ECN,
+ ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG,
+ debug, CTLFLAG_RW, ipsec_debug, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, IPSECCTL_ESP_RANDPAD,
+ esp_randpad, CTLFLAG_RW, ip4_esp_randpad, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO,
+ crypto_support, CTLFLAG_RW, crypto_support,0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, "");
#ifdef REGRESSION
/*
* When set to 1, IPsec will send packets with the same sequence number.
* This allows to verify if the other side has proper replay attacks detection.
*/
+#ifndef VIMAGE
int ipsec_replay = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0,
- "Emulate replay attack");
+#endif
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay,
+ CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack");
/*
* When set 1, IPsec will send packets with corrupted HMAC.
* This allows to verify if the other side properly detects modified packets.
*/
+#ifndef VIMAGE
int ipsec_integrity = 0;
-SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW,
- &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
+#endif
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity,
+ CTLFLAG_RW, &ipsec_integrity, 0, "Emulate man-in-the-middle attack");
#endif
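Review bot: The `test_integrity` entry passes `&ipsec_integrity` to `SYSCTL_V_INT`, while every other `SYSCTL_V_INT` in this hunk, including `test_replay` directly above it, passes the bare member name; if the macro resolves the name relative to the per-vnet struct, the `&` yields either a wrong type or a non-existent symbol under VIMAGE. Change it to `CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack");`. As a point of style, most entries are written `vnet_ipsec,_net_inet_ipsec` without the space after the comma that the `def_policy`, `ah_offsetmask` and `debug` entries use.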
#ifdef INET6
@@ -185,8 +202,12 @@
SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD,
0,0, compat_ipsecstats_sysctl, "S", "");
#endif /* COMPAT_KAME */
+/* XXX
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "");
+*/
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY,
+ def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev,
CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev,
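Review bot: The old `SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, ...)` is kept as dead code inside a `/* XXX ... */` comment above its `SYSCTL_V_INT` replacement; delete the commented-out copy rather than leaving two versions side by side. The same pattern recurs later in this file where `//INIT_VNET_IPSEC(curvnet);` is added, commented out, to the function taking `struct in6pcb *pcb` — either that function needs the line or it does not, and a one-line comment saying why (`/* no per-vnet state is touched here */`) is more useful than disabled code.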
@@ -197,14 +218,32 @@
CTLFLAG_RW, &ip6_ah_net_deflev, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN,
ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, "");
-SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG,
- debug, CTLFLAG_RW, &ipsec_debug, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
+ debug, CTLFLAG_RW, ipsec_debug, 0, "");
SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ESP_RANDPAD,
esp_randpad, CTLFLAG_RW, &ip6_esp_randpad, 0, "");
SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS,
ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "");
#endif /* INET6 */
+#ifdef VIMAGE
+struct vnet_ipsec vnet_ipsec_0;
+
+struct vnet_symmap vnet_ipsec_symmap[] = {
+ VNET_SYMMAP_END
+};
+
+static struct vnet_modinfo vnet_ipsec_modinfo = {
+ .id = VNET_MOD_IPSEC,
+ .name = "ipsec",
+ .symmap = NULL,
+ .i_attach = vnet_ipsec_iattach,
+ .i_detach = vnet_ipsec_idetach
+};
+
+MALLOC_DEFINE(M_IPSEC, "ipsec", "IPSEC instance");
+#endif
+
static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb));
#ifdef INET6
static int ipsec6_setspidx_in6pcb __P((struct mbuf *, struct in6pcb *pcb));
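Review bot: `vnet_ipsec_symmap[]` is defined (holding only `VNET_SYMMAP_END`) but `vnet_ipsec_modinfo.symmap` is set to `NULL`, so the array is never registered and is an unused, externally visible symbol. Either wire it in with `.symmap = vnet_ipsec_symmap,` if the symmap is meant to be consumed, or drop the array until it has entries. If it stays, it should be `static` like `vnet_ipsec_modinfo` below it, since nothing else in this change appears to reference it.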
@@ -232,12 +271,13 @@
static struct secpolicy *
key_allocsp_default(const char* where, int tag)
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP key_allocsp_default from %s:%u\n", where, tag));
- sp = &ip4_def_policy;
+ sp = &V_ip4_def_policy;
if (sp->policy != IPSEC_POLICY_DISCARD &&
sp->policy != IPSEC_POLICY_NONE) {
ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
@@ -301,6 +341,7 @@
struct inpcb *inp;
int *error;
{
+ INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *pcbsp = NULL;
struct secpolicy *currsp = NULL; /* policy on socket */
struct secpolicy *sp;
@@ -411,6 +452,7 @@
int flag;
int *error;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicyindex spidx;
struct secpolicy *sp;
@@ -446,6 +488,7 @@
int *error;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
*error = 0;
@@ -455,7 +498,7 @@
sp = ipsec_getpolicybysock(m, dir, inp, error);
if (sp == NULL) {
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
- ipsec4stat.ips_out_inval++;
+ V_ipsec4stat.ips_out_inval++;
return NULL;
}
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
@@ -465,7 +508,7 @@
printf("%s: invalid policy %u\n", __func__, sp->policy);
/* fall thru... */
case IPSEC_POLICY_DISCARD:
- ipsec4stat.ips_out_polvio++;
+ V_ipsec4stat.ips_out_polvio++;
*error = -EINVAL; /* packet is discarded by caller */
break;
case IPSEC_POLICY_BYPASS:
@@ -517,6 +560,7 @@
struct mbuf *m;
struct in6pcb *pcb;
{
+ //INIT_VNET_IPSEC(curvnet);
struct secpolicyindex *spidx;
int error;
@@ -560,6 +604,7 @@
struct secpolicyindex *spidx;
int needport;
{
+ INIT_VNET_IPSEC(curvnet);
struct ip *ip = NULL;
struct ip ipbuf;
u_int v;
@@ -753,6 +798,7 @@
struct secpolicyindex *spidx;
int needport;
{
+ INIT_VNET_IPSEC(curvnet);
int off, nxt;
struct tcphdr th;
struct udphdr uh;
@@ -869,6 +915,7 @@
struct socket *so;
struct inpcbpolicy **pcb_sp;
{
+ INIT_VNET_IPSEC(curvnet);
struct inpcbpolicy *new;
/* sanity check. */
@@ -1012,6 +1059,7 @@
size_t len;
int priv;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *newsp = NULL;
int error;
@@ -1058,6 +1106,7 @@
struct secpolicy *pcb_sp;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
/* sanity check. */
if (pcb_sp == NULL || mp == NULL)
@@ -1084,6 +1133,7 @@
size_t len;
int priv;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1118,6 +1168,7 @@
size_t len;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1177,6 +1228,7 @@
size_t len;
int priv;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy **pcb_sp;
@@ -1211,6 +1263,7 @@
size_t len;
struct mbuf **mp;
{
+ INIT_VNET_IPSEC(curvnet);
struct sadb_x_policy *xpl;
struct secpolicy *pcb_sp;
@@ -1269,6 +1322,7 @@
ipsec_get_reqlevel(isr)
struct ipsecrequest *isr;
{
+ INIT_VNET_IPSEC(curvnet);
u_int level = 0;
u_int esp_trans_deflev, esp_net_deflev;
u_int ah_trans_deflev, ah_net_deflev;
@@ -1283,7 +1337,7 @@
#define IPSEC_CHECK_DEFAULT(lev) \
(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
&& (lev) != IPSEC_LEVEL_UNIQUE) \
- ? (ipsec_debug \
+ ? (V_ipsec_debug \
? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
(lev), IPSEC_LEVEL_REQUIRE) \
: 0), \
@@ -1295,10 +1349,10 @@
switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
#ifdef INET
case AF_INET:
- esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
- esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
- ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
- ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
+ esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev);
+ esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev);
+ ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev);
+ ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev);
break;
#endif
#ifdef INET6
@@ -1373,6 +1427,7 @@
int
ipsec_in_reject(struct secpolicy *sp, struct mbuf *m)
{
+ INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
int need_auth;
@@ -1448,6 +1503,7 @@
struct mbuf *m;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
int result;
@@ -1466,7 +1522,7 @@
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
- ipsec4stat.ips_in_polvio++;
+ V_ipsec4stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0; /* XXX should be panic ?
@@ -1523,6 +1579,7 @@
static size_t
ipsec_hdrsiz(struct secpolicy *sp)
{
+ INIT_VNET_IPSEC(curvnet);
struct ipsecrequest *isr;
size_t siz;
@@ -1585,6 +1642,7 @@
u_int dir;
struct inpcb *inp;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1623,6 +1681,7 @@
u_int dir;
struct in6pcb *in6p;
{
+ INIT_VNET_IPSEC(curvnet);
struct secpolicy *sp;
int error;
size_t size;
@@ -1724,6 +1783,7 @@
u_int32_t seq;
struct secasvar *sav;
{
+ INIT_VNET_IPSEC(curvnet);
struct secreplay *replay;
u_int32_t diff;
int fr;
@@ -1932,9 +1992,71 @@
static void
ipsec_attach(void)
{
- SECPOLICY_LOCK_INIT(&ip4_def_policy);
- ip4_def_policy.refcnt = 1; /* NB: disallow free */
+#ifdef VIMAGE
+ vnet_mod_register(&vnet_ipsec_modinfo);
+#else
+ vnet_ipsec_iattach(NULL);
+#endif
+}
+
+static int
+vnet_ipsec_iattach(unused)
+ void *unused;
+{
+#ifdef VIMAGE
+ struct vnet_ipsec *vnet_ipsec;
+
+ if (curvnet == &vnet_0) {
+ vnet_ipsec = &vnet_ipsec_0;
+ } else {
+ vnet_ipsec = malloc(sizeof(struct vnet_ipsec),
+ M_IPSEC, M_NOWAIT | M_ZERO);
+ if (vnet_ipsec == NULL)
+ panic("couldn't allocate memory for vnet_ipsec");
+ }
+ curvnet->mod_data[vnet_ipsec_modinfo.id] = vnet_ipsec;
+ vnet_ipsec->parent_vnet = curvnet;
+#endif
+
+ #ifdef IPSEC_DEBUG
+ V_ipsec_debug = 1;
+ #else
+ V_ipsec_debug = 0;
+ #endif
+
+ SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
+ V_ip4_def_policy.refcnt = 1; /* NB: disallow free */
+
+ V_ip4_ah_offsetmask = 0; /* maybe IP_DF? */
+ V_ip4_ipsec_dfbit = 0; /* DF bit on encap. 0: clear 1: set 2: copy */
+ V_ip4_esp_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_esp_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_trans_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
+ V_ip4_ipsec_ecn = 0;
+
+ V_ip4_esp_randpad = -1;
+ V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
+ V_ipsec_replay = 0;
+ V_ipsec_integrity = 0;
+
+ return 0;
+}
+
+/* XXX finish this! */
+#ifdef VIMAGE
+static int
+vnet_ipsec_idetach(unused)
+ void *unused;
+{
+ INIT_VNET_IPSEC(curvnet);
+
+ curvnet->mod_data[vnet_ipsec_modinfo.id] = NULL;
+ free((caddr_t)vnet_ipsec, M_IPSEC);
+
+ return 0;
}
+#endif
SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL)
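Review bot: `vnet_ipsec_idetach` unconditionally calls `free((caddr_t)vnet_ipsec, M_IPSEC)`, but for the base vnet `vnet_ipsec_iattach` points `vnet_ipsec` at the static `vnet_ipsec_0` rather than a malloc'd object, so detaching that vnet would free static storage; guard it with `if (vnet_ipsec != &vnet_ipsec_0)` / `free(vnet_ipsec, M_IPSEC);`. The detach path also never tears down the lock that `SECPOLICY_LOCK_INIT(&V_ip4_def_policy)` set up in iattach; add `SECPOLICY_LOCK_DESTROY(&V_ip4_def_policy);` before the `mod_data` slot is cleared (the `/* XXX finish this! */` marker suggests this is known). In `vnet_ipsec_iattach` the function returns int yet panics when the `M_NOWAIT` allocation fails; returning `ENOMEM` would be the less drastic choice if the registration path checks i_attach's result, which is not visible here. The `#ifdef IPSEC_DEBUG` / `#else` / `#endif` directives inside iattach are indented with leading whitespace, unlike every other directive in the file.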
==== //depot/projects/vimage/src/sys/netipsec/ipsec.h#3 (text+ko) ====
@@ -345,9 +345,9 @@
extern int ip4_esp_randpad;
extern int crypto_support;
-#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
+#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0)
/* for openbsd compatibility */
-#define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0)
+#define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0)
extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);
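Review bot: `ipseclog()` and `DPRINTF()` now read `V_ipsec_debug`, which under VIMAGE presumably resolves through a local established by `INIT_VNET_IPSEC()`; every function that uses either macro therefore acquires a hidden requirement to declare it, and the xform_ah.c / xform_ipcomp.c files in this change's file list are the obvious places that could bite. Document the contract next to the macros, e.g. `/* NB: callers must have INIT_VNET_IPSEC() in scope for V_ipsec_debug. */`. The `extern int ip4_esp_randpad;` / `extern int crypto_support;` declarations above remain unconditional although their definitions in ipsec.c are now under `#ifndef VIMAGE`; wrapping them the same way makes a stray direct use fail at compile time rather than at link time.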
==== //depot/projects/vimage/src/sys/netipsec/ipsec_input.c#5 (text+ko) ====
@@ -90,6 +90,7 @@
#include <netipsec/keydb.h>
#include <netipsec/xform.h>
+#include <netipsec/vipsec.h>
#include <netinet6/ip6protosw.h>
#include <machine/in_cksum.h>
@@ -109,12 +110,13 @@
static int
ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
{
+ INIT_VNET_IPSEC(curvnet);
union sockaddr_union dst_address;
struct secasvar *sav;
u_int32_t spi;
int error;
- IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
+ IPSEC_ISTAT(sproto, V_espstat.esps_input, ahstat.ahs_input,
ipcompstat.ipcomps_input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -123,18 +125,18 @@
sproto == IPPROTO_IPCOMP,
("unexpected security protocol %u", sproto));
- if ((sproto == IPPROTO_ESP && !esp_enable) ||
+ if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
(sproto == IPPROTO_AH && !ah_enable) ||
(sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
return EOPNOTSUPP;
}
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
@@ -180,7 +182,7 @@
default:
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
+ IPSEC_ISTAT(sproto, V_espstat.esps_nopf, ahstat.ahs_nopf,
ipcompstat.ipcomps_nopf);
return EPFNOSUPPORT;
}
@@ -191,7 +193,7 @@
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
+ IPSEC_ISTAT(sproto, V_espstat.esps_notdb, ahstat.ahs_notdb,
ipcompstat.ipcomps_notdb);
m_freem(m);
return ENOENT;
@@ -201,7 +203,7 @@
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
+ IPSEC_ISTAT(sproto, V_espstat.esps_noxform, ahstat.ahs_noxform,
ipcompstat.ipcomps_noxform);
KEY_FREESAV(&sav);
m_freem(m);
@@ -278,6 +280,7 @@
ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
int skip, int protoff, struct m_tag *mt)
{
+ INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip *ip;
struct m_tag *mtag;
@@ -306,7 +309,7 @@
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
KEY_FREESAV(&sav);
return EINVAL;
@@ -318,7 +321,7 @@
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = ENOBUFS;
goto bad;
@@ -340,7 +343,7 @@
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
@@ -371,7 +374,7 @@
ipsp_address(saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
error = EACCES;
@@ -384,7 +387,7 @@
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
@@ -413,7 +416,7 @@
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
ahstat.ahs_pdrops,
ipcompstat.ipcomps_pdrops);
error = EACCES;
@@ -436,7 +439,7 @@
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
@@ -471,7 +474,7 @@
* Re-dispatch via software interrupt.
*/
if ((error = netisr_queue(NETISR_IP, m))) {
- IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
+ IPSEC_ISTAT(sproto, V_espstat.esps_qfull, ahstat.ahs_qfull,
ipcompstat.ipcomps_qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
@@ -496,6 +499,7 @@
int
ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
{
+ INIT_VNET_IPSEC(curvnet);
int l = 0;
int protoff;
struct ip6_ext ip6e;
@@ -525,7 +529,7 @@
if (protoff + l != *offp) {
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
- IPSEC_ISTAT(proto, espstat.esps_hdrops,
+ IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
m_freem(*mp);
@@ -547,6 +551,7 @@
struct m_tag *mt)
{
INIT_VNET_INET6(curvnet);
+ INIT_VNET_IPSEC(curvnet);
int prot, af, sproto;
struct ip6_hdr *ip6;
struct m_tag *mtag;
@@ -573,7 +578,7 @@
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, ahstat.ahs_badkcr,
ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
@@ -587,7 +592,7 @@
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
@@ -606,7 +611,7 @@
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
@@ -633,7 +638,7 @@
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTATsproto, (espstat.esps_pdrops,
+ IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
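Review bot: The rewritten line `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` carries forward a misplaced parenthesis from the old side: the macro name and its opening parenthesis are split by `sproto, `, which cannot compile if this block is ever built (it presumably sits under a preprocessor condition that is currently off, since the old code had the same text). While the line is being touched, fix it to `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`. The enclosing function starts and ends outside the hunk.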
@@ -646,7 +651,7 @@
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops,
ipcompstat.ipcomps_hdrops);
error = EINVAL;
@@ -675,7 +680,7 @@
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
@@ -696,7 +701,7 @@
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
==== //depot/projects/vimage/src/sys/netipsec/ipsec_mbuf.c#3 (text+ko) ====
@@ -31,16 +31,19 @@
*/
#include "opt_param.h"
+#include "opt_vimage.h"
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
+#include <sys/vimage.h>
#include <net/route.h>
#include <netinet/in.h>
#include <netipsec/ipsec.h>
+#include <netipsec/vipsec.h>
/*
* Make space for a new header of length hlen at skip bytes
@@ -53,6 +56,7 @@
struct mbuf *
m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m;
unsigned remain;
@@ -88,7 +92,7 @@
return (NULL);
n->m_next = m->m_next; /* splice new mbuf */
m->m_next = n;
- ipsec4stat.ips_mbinserted++;
+ V_ipsec4stat.ips_mbinserted++;
if (hlen <= M_TRAILINGSPACE(m) + remain) {
/*
* New header fits in the old mbuf if we copy
@@ -122,7 +126,7 @@
/* splice in second mbuf */
n2->m_next = n->m_next;
n->m_next = n2;
- ipsec4stat.ips_mbinserted++;
+ V_ipsec4stat.ips_mbinserted++;
} else {
memcpy(mtod(n, caddr_t) + hlen,
mtod(m, caddr_t) + skip, remain);
@@ -155,6 +159,7 @@
caddr_t
m_pad(struct mbuf *m, int n)
{
+ INIT_VNET_IPSEC(curvnet);
register struct mbuf *m0, *m1;
register int len, pad;
caddr_t retval;
@@ -227,6 +232,7 @@
int
m_striphdr(struct mbuf *m, int skip, int hlen)
{
+ INIT_VNET_IPSEC(curvnet);
struct mbuf *m1;
int roff;
@@ -238,7 +244,7 @@
/* Remove the header and associated data from the mbuf. */
if (roff == 0) {
/* The header was at the beginning of the mbuf */
- ipsec4stat.ips_input_front++;
+ V_ipsec4stat.ips_input_front++;
m_adj(m1, hlen);
if ((m1->m_flags & M_PKTHDR) == 0)
m->m_pkthdr.len -= hlen;
@@ -250,7 +256,7 @@
* so first let's remove the remainder of the header from
* the beginning of the remainder of the mbuf chain, if any.
*/
- ipsec4stat.ips_input_end++;
+ V_ipsec4stat.ips_input_end++;
if (roff + hlen > m1->m_len) {
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
@@ -275,7 +281,7 @@
* The header lies in the "middle" of the mbuf; copy
* the remainder of the mbuf down over the header.
*/
- ipsec4stat.ips_input_middle++;
+ V_ipsec4stat.ips_input_middle++;
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff,
m1->m_len - (roff + hlen));
==== //depot/projects/vimage/src/sys/netipsec/ipsec_output.c#5 (text+ko) ====
@@ -81,12 +81,14 @@
#include <netipsec/key.h>
#include <netipsec/keydb.h>
#include <netipsec/key_debug.h>
+#include <netipsec/vipsec.h>
#include <machine/in_cksum.h>
>>> TRUNCATED FOR MAIL (1000 lines) <<<