version 1.169, 2003/06/30 07:54:28 |
version 1.180, 2003/11/10 20:03:29 |
|
|
* 2. Redistributions in binary form must reproduce the above copyright |
* 2. Redistributions in binary form must reproduce the above copyright |
* notice, this list of conditions and the following disclaimer in the |
* notice, this list of conditions and the following disclaimer in the |
* documentation and/or other materials provided with the distribution. |
* documentation and/or other materials provided with the distribution. |
* 3. All advertising materials mentioning features or use of this software |
* 3. Neither the name of the University nor the names of its contributors |
* must display the following acknowledgement: |
|
* This product includes software developed by the University of |
|
* California, Berkeley and its contributors. |
|
* 4. Neither the name of the University nor the names of its contributors |
|
* may be used to endorse or promote products derived from this software |
* may be used to endorse or promote products derived from this software |
* without specific prior written permission. |
* without specific prior written permission. |
* |
* |
Line 151 __KERNEL_RCSID(0, "$NetBSD$"); |
|
Line 147 __KERNEL_RCSID(0, "$NetBSD$"); |
|
#include <netinet6/ipsec.h> |
#include <netinet6/ipsec.h> |
#include <netkey/key.h> |
#include <netkey/key.h> |
#endif |
#endif |
|
#ifdef FAST_IPSEC |
|
#include <netipsec/ipsec.h> |
|
#include <netipsec/key.h> |
|
#endif /* FAST_IPSEC*/ |
|
|
#ifndef IPFORWARDING |
#ifndef IPFORWARDING |
#ifdef GATEWAY |
#ifdef GATEWAY |
Line 223 struct in_ifaddrhead in_ifaddr; |
|
Line 223 struct in_ifaddrhead in_ifaddr; |
|
struct in_ifaddrhashhead *in_ifaddrhashtbl; |
struct in_ifaddrhashhead *in_ifaddrhashtbl; |
u_long in_multihash; /* size of hash table - 1 */ |
u_long in_multihash; /* size of hash table - 1 */ |
int in_multientries; /* total number of addrs */ |
int in_multientries; /* total number of addrs */ |
struct in_multihead in_multi; |
|
struct in_multihashhead *in_multihashtbl; |
struct in_multihashhead *in_multihashtbl; |
struct ifqueue ipintrq; |
struct ifqueue ipintrq; |
struct ipstat ipstat; |
struct ipstat ipstat; |
u_int16_t ip_id; |
|
|
|
#ifdef PFIL_HOOKS |
#ifdef PFIL_HOOKS |
struct pfil_head inet_pfil_hook; |
struct pfil_head inet_pfil_hook; |
|
|
pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) |
pr->pr_protocol && pr->pr_protocol != IPPROTO_RAW) |
ip_protox[pr->pr_protocol] = pr - inetsw; |
ip_protox[pr->pr_protocol] = pr - inetsw; |
LIST_INIT(&ipq); |
LIST_INIT(&ipq); |
ip_id = time.tv_sec & 0xffff; |
|
ipintrq.ifq_maxlen = ipqmaxlen; |
ipintrq.ifq_maxlen = ipqmaxlen; |
TAILQ_INIT(&in_ifaddr); |
TAILQ_INIT(&in_ifaddr); |
in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, M_IFADDR, |
in_ifaddrhashtbl = hashinit(IN_IFADDR_HASH_SIZE, HASH_LIST, M_IFADDR, |
Line 434 ip_input(struct mbuf *m) |
|
Line 431 ip_input(struct mbuf *m) |
|
int downmatch; |
int downmatch; |
int checkif; |
int checkif; |
int srcrt = 0; |
int srcrt = 0; |
|
#ifdef FAST_IPSEC |
|
struct m_tag *mtag; |
|
struct tdb_ident *tdbi; |
|
struct secpolicy *sp; |
|
int s, error; |
|
#endif /* FAST_IPSEC */ |
|
|
MCLAIM(m, &ip_rx_mowner); |
MCLAIM(m, &ip_rx_mowner); |
#ifdef DIAGNOSTIC |
#ifdef DIAGNOSTIC |
if ((m->m_flags & M_PKTHDR) == 0) |
if ((m->m_flags & M_PKTHDR) == 0) |
panic("ipintr no HDR"); |
panic("ipintr no HDR"); |
#endif |
#endif |
#ifdef IPSEC |
|
/* |
|
* should the inner packet be considered authentic? |
|
* see comment in ah4_input(). |
|
*/ |
|
if (m) { |
|
m->m_flags &= ~M_AUTHIPHDR; |
|
m->m_flags &= ~M_AUTHIPDGM; |
|
} |
|
#endif |
|
|
|
/* |
/* |
* If no IP addresses have been set yet but the interfaces |
* If no IP addresses have been set yet but the interfaces |
Line 767 ip_input(struct mbuf *m) |
|
Line 760 ip_input(struct mbuf *m) |
|
goto bad; |
goto bad; |
} |
} |
#endif |
#endif |
|
#ifdef FAST_IPSEC |
|
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); |
|
s = splsoftnet(); |
|
if (mtag != NULL) { |
|
tdbi = (struct tdb_ident *)(mtag + 1); |
|
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); |
|
} else { |
|
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, |
|
IP_FORWARDING, &error); |
|
} |
|
if (sp == NULL) { /* NB: can happen if error */ |
|
splx(s); |
|
/*XXX error stat???*/ |
|
DPRINTF(("ip_input: no SP for forwarding\n")); /*XXX*/ |
|
goto bad; |
|
} |
|
|
|
/* |
|
* Check security policy against packet attributes. |
|
*/ |
|
error = ipsec_in_reject(sp, m); |
|
KEY_FREESP(&sp); |
|
splx(s); |
|
if (error) { |
|
ipstat.ips_cantforward++; |
|
goto bad; |
|
} |
|
#endif /* FAST_IPSEC */ |
|
|
ip_forward(m, srcrt); |
ip_forward(m, srcrt); |
} |
} |
|
|
IPQ_UNLOCK(); |
IPQ_UNLOCK(); |
} |
} |
|
|
#ifdef IPSEC |
#if defined(IPSEC) |
/* |
/* |
* enforce IPsec policy checking if we are seeing last header. |
* enforce IPsec policy checking if we are seeing last header. |
* note that we do not visit this with protocols with pcb layer |
* note that we do not visit this with protocols with pcb layer |
|
|
goto bad; |
goto bad; |
} |
} |
#endif |
#endif |
|
#if FAST_IPSEC |
|
/* |
|
* enforce IPsec policy checking if we are seeing last header. |
|
* note that we do not visit this with protocols with pcb layer |
|
* code - like udp/tcp/raw ip. |
|
*/ |
|
if ((inetsw[ip_protox[ip->ip_p]].pr_flags & PR_LASTHDR) != 0) { |
|
/* |
|
* Check if the packet has already had IPsec processing |
|
* done. If so, then just pass it along. This tag gets |
|
* set during AH, ESP, etc. input handling, before the |
|
* packet is returned to the ip input queue for delivery. |
|
*/ |
|
mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL); |
|
s = splsoftnet(); |
|
if (mtag != NULL) { |
|
tdbi = (struct tdb_ident *)(mtag + 1); |
|
sp = ipsec_getpolicy(tdbi, IPSEC_DIR_INBOUND); |
|
} else { |
|
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_INBOUND, |
|
IP_FORWARDING, &error); |
|
} |
|
if (sp != NULL) { |
|
/* |
|
* Check security policy against packet attributes. |
|
*/ |
|
error = ipsec_in_reject(sp, m); |
|
KEY_FREESP(&sp); |
|
} else { |
|
/* XXX error stat??? */ |
|
error = EINVAL; |
|
DPRINTF(("ip_input: no SP, packet discarded\n"));/*XXX*/ |
|
goto bad; |
|
} |
|
splx(s); |
|
if (error) |
|
goto bad; |
|
} |
|
#endif /* FAST_IPSEC */ |
|
|
/* |
/* |
* Switch out to protocol's input routine. |
* Switch out to protocol's input routine. |
Line 1571 ip_forward(m, srcrt) |
|
Line 1631 ip_forward(m, srcrt) |
|
struct mbuf *mcopy; |
struct mbuf *mcopy; |
n_long dest; |
n_long dest; |
struct ifnet *destifp; |
struct ifnet *destifp; |
#ifdef IPSEC |
#if defined(IPSEC) || defined(FAST_IPSEC) |
struct ifnet dummyifp; |
struct ifnet dummyifp; |
#endif |
#endif |
|
|
Line 1664 ip_forward(m, srcrt) |
|
Line 1724 ip_forward(m, srcrt) |
|
} |
} |
} |
} |
|
|
#ifdef IPSEC |
|
/* Don't lookup socket in forwarding case */ |
|
(void)ipsec_setsocket(m, NULL); |
|
#endif |
|
error = ip_output(m, (struct mbuf *)0, &ipforward_rt, |
error = ip_output(m, (struct mbuf *)0, &ipforward_rt, |
(IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), 0); |
(IP_FORWARDING | (ip_directedbcast ? IP_ALLOWBROADCAST : 0)), |
|
(struct ip_moptions *)NULL, (struct socket *)NULL); |
|
|
if (error) |
if (error) |
ipstat.ips_cantforward++; |
ipstat.ips_cantforward++; |
else { |
else { |
Line 1709 ip_forward(m, srcrt) |
|
Line 1767 ip_forward(m, srcrt) |
|
case EMSGSIZE: |
case EMSGSIZE: |
type = ICMP_UNREACH; |
type = ICMP_UNREACH; |
code = ICMP_UNREACH_NEEDFRAG; |
code = ICMP_UNREACH_NEEDFRAG; |
#ifndef IPSEC |
#if !defined(IPSEC) && !defined(FAST_IPSEC) |
if (ipforward_rt.ro_rt) |
if (ipforward_rt.ro_rt) |
destifp = ipforward_rt.ro_rt->rt_ifp; |
destifp = ipforward_rt.ro_rt->rt_ifp; |
#else |
#else |
Line 1726 ip_forward(m, srcrt) |
|
Line 1784 ip_forward(m, srcrt) |
|
struct route *ro; |
struct route *ro; |
|
|
sp = ipsec4_getpolicybyaddr(mcopy, |
sp = ipsec4_getpolicybyaddr(mcopy, |
IPSEC_DIR_OUTBOUND, |
IPSEC_DIR_OUTBOUND, IP_FORWARDING, |
IP_FORWARDING, |
&ipsecerror); |
&ipsecerror); |
|
|
|
if (sp == NULL) |
if (sp == NULL) |
destifp = ipforward_rt.ro_rt->rt_ifp; |
destifp = ipforward_rt.ro_rt->rt_ifp; |
else { |
else { |
/* count IPsec header size */ |
/* count IPsec header size */ |
ipsechdr = ipsec4_hdrsiz(mcopy, |
ipsechdr = ipsec4_hdrsiz(mcopy, |
IPSEC_DIR_OUTBOUND, |
IPSEC_DIR_OUTBOUND, NULL); |
NULL); |
|
|
|
/* |
/* |
* find the correct route for outer IPv4 |
* find the correct route for outer IPv4 |
Line 1762 ip_forward(m, srcrt) |
|
Line 1818 ip_forward(m, srcrt) |
|
} |
} |
} |
} |
|
|
|
#ifdef IPSEC |
key_freesp(sp); |
key_freesp(sp); |
|
#else |
|
KEY_FREESP(&sp); |
|
#endif |
} |
} |
} |
} |
#endif /*IPSEC*/ |
#endif /*IPSEC*/ |
Line 1862 ip_sysctl(name, namelen, oldp, oldlenp, |
|
Line 1922 ip_sysctl(name, namelen, oldp, oldlenp, |
|
|
|
int error, old; |
int error, old; |
|
|
/* All sysctl names at this level are terminal. */ |
/* All sysctl names (except ifq.*) at this level are terminal. */ |
if (namelen != 1) |
if ((namelen != 1) && !(namelen == 2 && name[0] == IPCTL_IFQ)) |
return (ENOTDIR); |
return (ENOTDIR); |
|
|
switch (name[0]) { |
switch (name[0]) { |
case IPCTL_FORWARDING: |
case IPCTL_FORWARDING: |
Line 1999 ip_sysctl(name, namelen, oldp, oldlenp, |
|
Line 2059 ip_sysctl(name, namelen, oldp, oldlenp, |
|
case IPCTL_CHECKINTERFACE: |
case IPCTL_CHECKINTERFACE: |
return (sysctl_int(oldp, oldlenp, newp, newlen, |
return (sysctl_int(oldp, oldlenp, newp, newlen, |
&ip_checkinterface)); |
&ip_checkinterface)); |
|
case IPCTL_IFQ: |
|
return (sysctl_ifq(name+1, namelen-1, |
|
oldp, oldlenp, newp, newlen, |
|
&ipintrq)); |
|
|
default: |
default: |
return (EOPNOTSUPP); |
return (EOPNOTSUPP); |
} |
} |