svn commit: r310413 - in projects/ipsec/sys: conf netipsec
Andrey V. Elsukov
ae at FreeBSD.org
Thu Dec 22 14:27:09 UTC 2016
Author: ae
Date: Thu Dec 22 14:27:07 2016
New Revision: 310413
URL: https://svnweb.freebsd.org/changeset/base/310413
Log:
Add netipsec/subr_ipsec.c file.
It is built into the kernel when the IPSEC or IPSEC_SUPPORT option is configured.
It contains the code that the IPsec methods macros expand to.
Also update sys/conf/files to reflect changes related to IPSEC_SUPPORT
option. And update functions declarations in ipsec[6].h.
Added:
projects/ipsec/sys/netipsec/subr_ipsec.c (contents, props changed)
Modified:
projects/ipsec/sys/conf/files
projects/ipsec/sys/netipsec/ipsec.h
projects/ipsec/sys/netipsec/ipsec6.h
projects/ipsec/sys/netipsec/udpencap.c
Modified: projects/ipsec/sys/conf/files
==============================================================================
--- projects/ipsec/sys/conf/files Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/conf/files Thu Dec 22 14:27:07 2016 (r310413)
@@ -4067,7 +4067,6 @@ netinet/ip_encap.c optional inet | inet
netinet/ip_fastfwd.c optional inet
netinet/ip_icmp.c optional inet | inet6
netinet/ip_input.c optional inet
-netinet/ip_ipsec.c optional inet ipsec
netinet/ip_mroute.c optional mrouting inet
netinet/ip_options.c optional inet
netinet/ip_output.c optional inet
@@ -4136,7 +4135,6 @@ netinet6/ip6_id.c optional inet6
netinet6/ip6_input.c optional inet6
netinet6/ip6_mroute.c optional mrouting inet6
netinet6/ip6_output.c optional inet6
-netinet6/ip6_ipsec.c optional inet6 ipsec
netinet6/mld6.c optional inet6
netinet6/nd6.c optional inet6
netinet6/nd6_nbr.c optional inet6
@@ -4150,16 +4148,22 @@ netipsec/ipsec.c optional ipsec inet |
netipsec/ipsec_input.c optional ipsec inet | ipsec inet6
netipsec/ipsec_mbuf.c optional ipsec inet | ipsec inet6
netipsec/ipsec_output.c optional ipsec inet | ipsec inet6
-netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6
-netipsec/key.c optional ipsec inet | ipsec inet6
-netipsec/key_debug.c optional ipsec inet | ipsec inet6
-netipsec/keysock.c optional ipsec inet | ipsec inet6
+netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key_debug.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/keysock.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/subr_ipsec.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
netipsec/udpencap.c optional ipsec inet
netipsec/xform_ah.c optional ipsec inet | ipsec inet6
netipsec/xform_esp.c optional ipsec inet | ipsec inet6
netipsec/xform_ipcomp.c optional ipsec inet | ipsec inet6
netipsec/xform_tcp.c optional ipsec inet tcp_signature | \
- ipsec inet6 tcp_signature
+ ipsec inet6 tcp_signature
netnatm/natm.c optional natm
netnatm/natm_pcb.c optional natm
netnatm/natm_proto.c optional natm
Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:27:07 2016 (r310413)
@@ -310,19 +310,7 @@ struct secpolicy *ipsec4_checkpolicy(con
int *);
u_int ipsec_get_reqlevel(struct secpolicy *, u_int);
-size_t ipsec_hdrsiz_inpcb(struct inpcb *);
-int ipsec_init_pcbpolicy(struct inpcb *);
-int ipsec_delete_pcbpolicy(struct inpcb *);
-int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *);
-int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *);
-
-int tcp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
-int tcp_ipsec_input(struct mbuf *, struct tcphdr *, u_char *);
-int tcp_ipsec_output(struct mbuf *, struct tcphdr *, u_char *);
-
-int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
-int udp_ipsec_input(struct mbuf *, int, int);
void udp_ipsec_adjust_cksum(struct mbuf *, struct secasvar *, int, int);
int udp_ipsec_output(struct mbuf *, struct secasvar *);
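Review bot: The removed prototypes for ipsec_hdrsiz_inpcb and the *_pcbctl functions are still referenced by the new subr_ipsec.c (the ipv4_ipsec and ipv6_ipsec initializers use `ipsec_hdrsiz_inpcb`, `ipsec4_pcbctl` and `ipsec6_pcbctl`), and neither the second hunk of this header nor the ipsec6.h hunk declares them — ipsec6.h declares `ip6_ipsec_pcbctl` instead. If these declarations moved to netipsec/ipsec_support.h, which is not part of this commit, that is fine; otherwise an IPSEC kernel build will hit implicit declarations or an unresolved symbol. Either way the name declared in ipsec6.h should match the one used in the ipv6_ipsec initializer, or the initializer should use `ip6_ipsec_pcbctl`.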
@@ -338,7 +326,10 @@ char *ipsec_logsastr(struct secasvar *,
extern void ipsec_dumpmbuf(const struct mbuf *);
int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
-int ipsec4_common_input(struct mbuf **, int *, int);
+int ipsec4_input(struct mbuf *, int, int);
+int ipsec4_forward(struct mbuf *);
+int ipsec4_output(struct mbuf *, struct inpcb *);
+int ipsec4_capability(struct mbuf *, u_int);
int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *,
Modified: projects/ipsec/sys/netipsec/ipsec6.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:27:07 2016 (r310413)
@@ -59,17 +59,19 @@ VNET_DECLARE(int, ip6_ipsec_ecn);
#define V_ip6_ipsec_ecn VNET(ip6_ipsec_ecn)
struct inpcb;
-extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
struct secpolicy *ipsec6_checkpolicy(const struct mbuf *,
struct inpcb *, int *);
-struct m_tag;
-extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
-extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav,
- int skip, int protoff);
-extern void esp6_ctlinput(int, struct sockaddr *, void *);
-int ipsec6_process_packet(struct mbuf *, struct secpolicy *,
- struct inpcb *);
+int ipsec6_input(struct mbuf *, int, int);
+int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
+int ipsec6_forward(struct mbuf *);
+int ipsec6_output(struct mbuf *, struct inpcb *);
+int ipsec6_capability(struct mbuf *, u_int);
+int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
+int ipsec6_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
+
+int ip6_ipsec_filtertunnel(struct mbuf *);
+int ip6_ipsec_pcbctl(struct inpcb *, struct sockopt *);
#endif /*_KERNEL*/
#endif /*_NETIPSEC_IPSEC6_H_*/
Added: projects/ipsec/sys/netipsec/subr_ipsec.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/ipsec/sys/netipsec/subr_ipsec.c Thu Dec 22 14:27:07 2016 (r310413)
@@ -0,0 +1,241 @@
+/*-
+ * Copyright (c) 2016 Andrey V. Elsukov <ae at FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "opt_inet.h"
+#include "opt_inet6.h"
+#include "opt_ipsec.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/rmlock.h>
+#include <sys/socket.h>
+#include <sys/sockopt.h>
+#include <sys/syslog.h>
+#include <sys/proc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
+#include <netipsec/ipsec_support.h>
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/key.h>
+#include <netipsec/key_debug.h>
+
+/*
+ * This file is build in the kernel only when 'options IPSEC' or
+ * 'options IPSEC_SUPPORT' is enabled.
+ */
+
+struct rmlock ipsec_kmod_lock;
+RM_SYSINIT(ipsec_kmod_lock, &ipsec_kmod_lock, "IPsec KLD lock");
+
+#define METHOD_DECL(...) __VA_ARGS__
+#define METHOD_ARGS(...) __VA_ARGS__
+#define IPSEC_KMOD_METHOD(name, sc, method, decl, args) \
+name (decl) \
+{ \
+ struct rm_priotracker tracker; \
+ int ret; \
+ IPSEC_ASSERT(sc != NULL, ("called with NULL methods")); \
+ rm_rlock(&ipsec_kmod_lock, &tracker); \
+ ret = (*sc->method)(args); \
+ rm_runlock(&ipsec_kmod_lock, &tracker); \
+ return (ret); \
+}
+
+static int
+ipsec_support_modevent(module_t mod, int type, void *data)
+{
+
+ switch (type) {
+ case MOD_LOAD:
+ return (0);
+ case MOD_UNLOAD:
+ return (EBUSY);
+ default:
+ return (EOPNOTSUPP);
+ }
+}
+
+static moduledata_t ipsec_support_mod = {
+ "ipsec_support",
+ ipsec_support_modevent,
+ 0
+};
+
+/*
+ * Declare IPSEC_SUPPORT as module to be able add dependency in
+ * ipsec.ko and tcpmd5.ko
+ */
+DECLARE_MODULE(ipsec_support, ipsec_support_mod,
+ SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
+MODULE_VERSION(ipsec_support, 1);
+
+#ifdef TCP_SIGNATURE
+const int tcp_ipsec_support = 1;
+#else
+#ifdef IPSEC_SUPPORT
+volatile int tcp_ipsec_support = 0;
+const struct tcpmd5_support * volatile tcp_ipsec_methods = NULL;
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_input,
+ tcp_ipsec_methods,
+ input, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf),
+ METHOD_ARGS(m, th, buf)
+)
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_output,
+ tcp_ipsec_methods,
+ output, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf),
+ METHOD_ARGS(m, th, buf)
+)
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_pcbctl,
+ tcp_ipsec_methods,
+ pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt),
+ METHOD_ARGS(inp, sopt)
+)
+#endif
+#endif
+
+#ifdef IPSEC
+/*
+ * IPsec support is build in the kernel. Additional locking isn't required.
+ */
+#ifdef INET
+static struct ipsec_support ipv4_ipsec = {
+ .input = ipsec4_input,
+ .forward = ipsec4_forward,
+ .output = ipsec4_output,
+ .pcbctl = ipsec4_pcbctl,
+ .capability = ipsec4_capability,
+ .check_policy = ipsec4_in_reject,
+ .hdrsize = ipsec_hdrsiz_inpcb
+};
+const int ipv4_ipsec_support = 1;
+const struct ipsec_support * const ipv4_ipsec_methods = &ipv4_ipsec;
+#endif
+
+#ifdef INET6
+static struct ipsec_support ipv6_ipsec = {
+ .input = ipsec6_input,
+ .forward = ipsec6_forward,
+ .output = ipsec6_output,
+ .pcbctl = ipsec6_pcbctl,
+ .capability = ipsec6_capability,
+ .check_policy = ipsec6_in_reject
+ .hdrsize = ipsec_hdrsiz_inpcb
+};
+const int ipv6_ipsec_support = 1;
+const struct ipsec_support * const ipv6_ipsec_methods = &ipv6_ipsec;
+#endif
+#else /* IPSEC_SUPPORT */
+/*
+ * IPsec support is build as kernel module.
+ */
+#ifdef INET
+volatile int ipv4_ipsec_support = 0;
+const struct ipsec_support * volatile ipv4_ipsec_methods = NULL;
+const struct udpencap_support * volatile udp_ipsec_methods = NULL;
+
+int IPSEC_KMOD_METHOD(udpencap_kmod_input,
+ udp_ipsec_methods,
+ input, METHOD_DECL(struct mbuf *m, int off, int af),
+ METHOD_ARGS(m, off, af)
+)
+
+int IPSEC_KMOD_METHOD(udpencap_kmod_pcbctl,
+ udp_ipsec_methods,
+ pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt),
+ METHOD_ARGS(inp, sopt)
+)
+#endif
+
+#ifdef INET6
+volatile int ipv6_ipsec_support = 0;
+const struct ipsec_support * volatile ipv6_ipsec_methods = NULL;
+#endif
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_input, sc,
+ input, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ int offset,int proto), METHOD_ARGS(m, offset, proto)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_check_policy, sc,
+ check_policy, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ struct inpcb *inp), METHOD_ARGS(m, inp)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_forward, sc,
+ forward, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m),
+ (m)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_output, sc,
+ output, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ struct inpcb *inp), METHOD_ARGS(m, inp)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_pcbctl, sc,
+ pcbctl, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp,
+ struct sockopt *sopt), METHOD_ARGS(inp, sopt)
+)
+
+size_t IPSEC_KMOD_METHOD(ipsec_kmod_hdrsize, sc,
+ hdrsize, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp),
+ (inp)
+)
+
+int static IPSEC_KMOD_METHOD(ipsec_kmod_caps, sc,
+ capability, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ u_int cap), METHOD_ARGS(m, cap)
+)
+
+int
+ipsec_kmod_capability(const struct ipsec_support *sc, struct mbuf *m,
+ u_int cap)
+{
+
+ /*
+ * Since PF_KEY is build in the kernel, we can use key_havesp()
+ * without taking the lock.
+ */
+ if (cap == IPSEC_CAP_OPERABLE)
+ return (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
+ key_havesp(IPSEC_DIR_OUTBOUND) != 0);
+ return (ipsec_kmod_caps(sc, m, cap));
+}
+#endif
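Review bot: The ipv6_ipsec initializer is missing the comma after `.check_policy = ipsec6_in_reject`, so an IPSEC+INET6 kernel will not compile this file; the line should read `.check_policy = ipsec6_in_reject,`. The IPSEC_KMOD_METHOD wrappers whose `sc` is a `volatile` methods pointer (tcpmd5_kmod_*, udpencap_kmod_*) evaluate IPSEC_ASSERT against that pointer before rm_rlock() and then re-read it inside the lock, so a module unload that clears the pointer between the two reads is caught only by the assert in a debug kernel and dereferences NULL in a production kernel, unless every caller already excludes unload by checking the matching *_support flag under the lock — worth confirming. The macro also fixes `ret` as `int`, which narrows the `size_t` result of the hdrsize method in ipsec_kmod_hdrsize before it is widened back on return. Passing the return type into the macro and reading the pointer only under the lock addresses both; separately, `int static` on ipsec_kmod_caps is legal but would normally be written `static int`, and the bare `(m)`/`(inp)` argument lists on ipsec_kmod_forward and ipsec_kmod_hdrsize should use METHOD_ARGS like their siblings.
```c
/*
 * Invocations pass the wrapper's return type first, e.g.
 * IPSEC_KMOD_METHOD(int, tcpmd5_kmod_input, tcp_ipsec_methods, input, ...)
 * and IPSEC_KMOD_METHOD(size_t, ipsec_kmod_hdrsize, sc, hdrsize, ...).
 */
#define IPSEC_KMOD_METHOD(type, name, sc, method, decl, args)	\
type name (decl)						\
{								\
	struct rm_priotracker tracker;				\
	type ret;						\
	rm_rlock(&ipsec_kmod_lock, &tracker);			\
	/* Inspect the methods pointer only while the lock excludes unload. */ \
	IPSEC_ASSERT((sc) != NULL, ("called with NULL methods"));	\
	ret = (*(sc)->method)(args);				\
	rm_runlock(&ipsec_kmod_lock, &tracker);			\
	return (ret);						\
}
/* … unchanged: modevent handler, module declaration, per-AF method tables … */
```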
Modified: projects/ipsec/sys/netipsec/udpencap.c
==============================================================================
--- projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:27:07 2016 (r310413)
@@ -28,6 +28,7 @@
__FBSDID("$FreeBSD$");
#include "opt_inet.h"
+#include "opt_ipsec.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -57,6 +58,7 @@ __FBSDID("$FreeBSD$");
#include <netipsec/key.h>
#include <netipsec/key_debug.h>
+#include <netipsec/ipsec_support.h>
#include <machine/in_cksum.h>
/*