author | Marko Zec <zec@FreeBSD.org> | 2008-10-02 15:37:58 +0000 |
---|---|---|
committer | Marko Zec <zec@FreeBSD.org> | 2008-10-02 15:37:58 +0000 |
commit | 8b615593fc0d78ef8366c1328f5966256b82a9c0 (patch) | |
tree | 53fef93d1ff076abec439159e0a765427992dee1 /sys/netipsec | |
parent | 04ec403dd815bd3731dbf7da040759cd16271e3c (diff) | |
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparison between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
Notes:
svn path=/head/; revision=183550
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 138 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 5 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 5 | ||||
-rw-r--r-- | sys/netipsec/ipsec_mbuf.c | 3 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 7 | ||||
-rw-r--r-- | sys/netipsec/key.c | 129 | ||||
-rw-r--r-- | sys/netipsec/keysock.c | 12 | ||||
-rw-r--r-- | sys/netipsec/vipsec.h | 188 | ||||
-rw-r--r-- | sys/netipsec/xform_ah.c | 19 | ||||
-rw-r--r-- | sys/netipsec/xform_esp.c | 14 | ||||
-rw-r--r-- | sys/netipsec/xform_ipcomp.c | 13 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 14 |
12 files changed, 448 insertions, 99 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index f973688eef83..b752a67ee353 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -126,36 +126,42 @@ int crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE; SYSCTL_DECL(_net_inet_ipsec); /* net.inet.ipsec */ -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, - "IPsec default policy."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, - CTLFLAG_RW, &ip4_esp_trans_deflev, 0, "Default ESP transport mode level"); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, - CTLFLAG_RW, &ip4_esp_net_deflev, 0, "Default ESP tunnel mode level."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, - CTLFLAG_RW, &ip4_ah_trans_deflev, 0, "AH transfer mode default level."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, - CTLFLAG_RW, &ip4_ah_net_deflev, 0, "AH tunnel mode default level."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, - ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, - "If set clear type-of-service field when doing AH computation."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, - ah_offsetmask, CTLFLAG_RW, &ip4_ah_offsetmask, 0, - "If not set clear offset field mask when doing AH computation."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, - dfbit, CTLFLAG_RW, &ip4_ipsec_dfbit, 0, "Do not fragment bit on encap."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_ECN, - ecn, CTLFLAG_RW, &ip4_ipsec_ecn, 0, - "Explicit Congestion Notification handling."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, &ipsec_debug, 0, - "Enable IPsec debugging output when set."); -SYSCTL_INT(_net_inet_ipsec, OID_AUTO, - crypto_support, CTLFLAG_RW, &crypto_support, 0, - "Crypto driver selection."); -SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, - ipsecstats, CTLFLAG_RD, &ipsec4stat, ipsecstat, "IPsec IPv4 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_POLICY, + def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, + "IPsec default policy."); +SYSCTL_V_INT(V_NET, vnet_ipsec, 
_net_inet_ipsec, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, ip4_esp_trans_deflev, 0, + "Default ESP transport mode level"); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, ip4_esp_net_deflev, 0, + "Default ESP tunnel mode level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, ip4_ah_trans_deflev, 0, + "AH transfer mode default level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, ip4_ah_net_deflev, 0, + "AH tunnel mode default level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_CLEARTOS, + ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, + "If set clear type-of-service field when doing AH computation."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, + ah_offsetmask, CTLFLAG_RW, ip4_ah_offsetmask, 0, + "If not set clear offset field mask when doing AH computation."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DFBIT, + dfbit, CTLFLAG_RW, ip4_ipsec_dfbit, 0, + "Do not fragment bit on encap."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_ECN, + ecn, CTLFLAG_RW, ip4_ipsec_ecn, 0, + "Explicit Congestion Notification handling."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, IPSECCTL_DEBUG, + debug, CTLFLAG_RW, ipsec_debug, 0, + "Enable IPsec debugging output when set."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, + crypto_support, CTLFLAG_RW, crypto_support,0, + "Crypto driver selection."); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, + ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, + "IPsec IPv4 statistics."); #ifdef REGRESSION /* 
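Review bot: `crypto_support,0,` in the new SYSCTL_V_INT for crypto_support is missing the space after the comma that every other argument list in this hunk has; style(9) wants `crypto_support, 0,`. The conversion itself is mechanical and the commit message says the object files were MD5-verified as unchanged, so this is purely cosmetic, but it is the kind of thing that gets copied when the next sysctl is added.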
@@ -163,15 +169,15 @@ SYSCTL_STRUCT(_net_inet_ipsec, OID_AUTO, * This allows to verify if the other side has proper replay attacks detection. */ int ipsec_replay = 0; -SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_replay, CTLFLAG_RW, &ipsec_replay, 0, - "Emulate replay attack"); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_replay, + CTLFLAG_RW, ipsec_replay, 0, "Emulate replay attack"); /* * When set 1, IPsec will send packets with corrupted HMAC. * This allows to verify if the other side properly detects modified packets. */ int ipsec_integrity = 0; -SYSCTL_INT(_net_inet_ipsec, OID_AUTO, test_integrity, CTLFLAG_RW, - &ipsec_integrity, 0, "Emulate man-in-the-middle attack"); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_ipsec, OID_AUTO, test_integrity, + CTLFLAG_RW, ipsec_integrity, 0, "Emulate man-in-the-middle attack"); #endif #ifdef INET6 
@@ -189,24 +195,30 @@ SYSCTL_DECL(_net_inet6_ipsec6); SYSCTL_OID(_net_inet6_ipsec6, IPSECCTL_STATS, stats, CTLFLAG_RD, 0, 0, compat_ipsecstats_sysctl, "S", "IPsec IPv6 statistics."); #endif /* COMPAT_KAME */ -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_POLICY, - def_policy, CTLFLAG_RW, &ip4_def_policy.policy, 0, "IPsec default policy."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, esp_trans_deflev, - CTLFLAG_RW, &ip6_esp_trans_deflev, 0, "Default ESP transport mode level."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, esp_net_deflev, - CTLFLAG_RW, &ip6_esp_net_deflev, 0, "Default ESP tunnel mode level."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, ah_trans_deflev, - CTLFLAG_RW, &ip6_ah_trans_deflev, 0, "AH transfer mode default level."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, - CTLFLAG_RW, &ip6_ah_net_deflev, 0, "AH tunnel mode default level."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_ECN, - ecn, CTLFLAG_RW, &ip6_ipsec_ecn, 0, - "Explicit Congestion Notification handling."); -SYSCTL_INT(_net_inet6_ipsec6, IPSECCTL_DEBUG, - debug, CTLFLAG_RW, &ipsec_debug, 0, - "Enable IPsec debugging output when set."); -SYSCTL_STRUCT(_net_inet6_ipsec6, IPSECCTL_STATS, - ipsecstats, CTLFLAG_RD, &ipsec6stat, ipsecstat, "IPsec IPv6 statistics."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_POLICY, + def_policy, CTLFLAG_RW, ip4_def_policy.policy, 0, + "IPsec default policy."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_TRANSLEV, + esp_trans_deflev, CTLFLAG_RW, ip6_esp_trans_deflev, 0, + "Default ESP transport mode level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_ESP_NETLEV, + esp_net_deflev, CTLFLAG_RW, ip6_esp_net_deflev, 0, + "Default ESP tunnel mode level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_TRANSLEV, + ah_trans_deflev, CTLFLAG_RW, ip6_ah_trans_deflev, 0, + "AH transfer mode default level."); 
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEF_AH_NETLEV, + ah_net_deflev, CTLFLAG_RW, ip6_ah_net_deflev, 0, + "AH tunnel mode default level."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_ECN, + ecn, CTLFLAG_RW, ip6_ipsec_ecn, 0, + "Explicit Congestion Notification handling."); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG, + debug, CTLFLAG_RW, ipsec_debug, 0, + "Enable IPsec debugging output when set."); +SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, + ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, + "IPsec IPv6 statistics."); #endif /* INET6 */ static int ipsec4_setspidx_inpcb __P((struct mbuf *, struct inpcb *pcb)); @@ -236,6 +248,7 @@ MALLOC_DEFINE(M_IPSEC_INPCB, "inpcbpolicy", "inpcb-resident ipsec policy"); static struct secpolicy * key_allocsp_default(const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; KEYDEBUG(KEYDEBUG_IPSEC_STAMP, @@ -305,6 +318,7 @@ ipsec_getpolicybysock(m, dir, inp, error) struct inpcb *inp; int *error; { + INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *pcbsp = NULL; struct secpolicy *currsp = NULL; /* policy on socket */ struct secpolicy *sp; @@ -415,6 +429,7 @@ ipsec_getpolicybyaddr(m, dir, flag, error) int flag; int *error; { + INIT_VNET_IPSEC(curvnet); struct secpolicyindex spidx; struct secpolicy *sp; @@ -450,6 +465,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp) int *error; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; *error = 0; @@ -521,6 +537,7 @@ ipsec6_setspidx_in6pcb(m, pcb) struct mbuf *m; struct in6pcb *pcb; { + //INIT_VNET_IPSEC(curvnet); struct secpolicyindex *spidx; int error; @@ -564,6 +581,7 @@ ipsec_setspidx(m, spidx, needport) struct secpolicyindex *spidx; int needport; { + INIT_VNET_IPSEC(curvnet); struct ip *ip = NULL; struct ip ipbuf; u_int v; 
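Review bot: `//INIT_VNET_IPSEC(curvnet);` added at the top of ipsec6_setspidx_in6pcb is commented-out code written with a `//` comment, which style(9) does not permit in kernel sources, and it leaves no record of why this one function is exempt from the initializer every sibling in the hunk receives. Either drop the line or replace it with a real comment stating the reason, e.g. `/* No V_ variables referenced; INIT_VNET_IPSEC() not needed. */`, if that is indeed why. The body of ipsec6_setspidx_in6pcb continues outside the hunk, so I cannot confirm from here that no V_ symbol is used further down.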
@@ -757,6 +775,7 @@ ipsec6_get_ulp(m, spidx, needport) struct secpolicyindex *spidx; int needport; { + INIT_VNET_IPSEC(curvnet); int off, nxt; struct tcphdr th; struct udphdr uh; @@ -873,6 +892,7 @@ ipsec_init_policy(so, pcb_sp) struct socket *so; struct inpcbpolicy **pcb_sp; { + INIT_VNET_IPSEC(curvnet); struct inpcbpolicy *new; /* sanity check. */ @@ -1016,6 +1036,7 @@ ipsec_set_policy(pcb_sp, optname, request, len, cred) size_t len; struct ucred *cred; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *newsp = NULL; int error; @@ -1065,6 +1086,7 @@ ipsec_get_policy(pcb_sp, mp) struct secpolicy *pcb_sp; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); /* sanity check. */ if (pcb_sp == NULL || mp == NULL) @@ -1091,6 +1113,7 @@ ipsec4_set_policy(inp, optname, request, len, cred) size_t len; struct ucred *cred; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; @@ -1125,6 +1148,7 @@ ipsec4_get_policy(inp, request, len, mp) size_t len; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1184,6 +1208,7 @@ ipsec6_set_policy(in6p, optname, request, len, cred) size_t len; struct ucred *cred; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy **pcb_sp; @@ -1218,6 +1243,7 @@ ipsec6_get_policy(in6p, request, len, mp) size_t len; struct mbuf **mp; { + INIT_VNET_IPSEC(curvnet); struct sadb_x_policy *xpl; struct secpolicy *pcb_sp; @@ -1276,6 +1302,7 @@ u_int ipsec_get_reqlevel(isr) struct ipsecrequest *isr; { + INIT_VNET_IPSEC(curvnet); u_int level = 0; u_int esp_trans_deflev, esp_net_deflev; u_int ah_trans_deflev, ah_net_deflev; @@ -1380,6 +1407,7 @@ ipsec_get_reqlevel(isr) int ipsec_in_reject(struct secpolicy *sp, struct mbuf *m) { + INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; int need_auth; 
@@ -1455,6 +1483,7 @@ ipsec4_in_reject(m, inp) struct mbuf *m; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; int result; @@ -1493,6 +1522,7 @@ ipsec6_in_reject(m, inp) struct mbuf *m; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp = NULL; int error; int result; @@ -1530,6 +1560,7 @@ ipsec6_in_reject(m, inp) static size_t ipsec_hdrsiz(struct secpolicy *sp) { + INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; size_t siz; @@ -1592,6 +1623,7 @@ ipsec4_hdrsiz(m, dir, inp) u_int dir; struct inpcb *inp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1632,6 +1664,7 @@ ipsec6_hdrsiz(m, dir, in6p) u_int dir; struct in6pcb *in6p; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int error; size_t size; @@ -1731,6 +1764,7 @@ ipsec_updatereplay(seq, sav) u_int32_t seq; struct secasvar *sav; { + INIT_VNET_IPSEC(curvnet); struct secreplay *replay; u_int32_t diff; int fr; diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 6f04611eea47..f6346f897af3 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -433,6 +433,9 @@ extern int ipsec_get_policylen __P((caddr_t)); extern char *ipsec_dump_policy __P((caddr_t, char *)); extern const char *ipsec_strerror __P((void)); -#endif /* !_KERNEL */ + +#else +#include <netipsec/vipsec.h> +#endif /* ! KERNEL */ #endif /* _NETIPSEC_IPSEC_H_ */ diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c index 0041698c9cb0..0c37aef21955 100644 --- a/sys/netipsec/ipsec_input.c +++ b/sys/netipsec/ipsec_input.c @@ -113,6 +113,7 @@ static void ipsec4_common_ctlinput(int, struct sockaddr *, void *, int); static int ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto) { + INIT_VNET_IPSEC(curvnet); union sockaddr_union dst_address; struct secasvar *sav; u_int32_t spi; 
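Review bot: In the ipsec.h hunk the new closing comment `#endif /* ! KERNEL */` no longer names the macro that is actually tested; the removed line read `/* !_KERNEL */`. Now that an `#else` branch exists, `#endif /* _KERNEL */` is the conventional and unambiguous form. A one-line comment above `#include <netipsec/vipsec.h>` saying why it is pulled in at the tail of the header rather than with the other includes would also help; presumably vipsec.h depends on the struct and prototype declarations above it, but that is not visible from this hunk and should be confirmed against the new file.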
@@ -282,6 +283,7 @@ int ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { + INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip *ip; struct m_tag *mtag; @@ -504,6 +506,7 @@ ipsec4_common_ctlinput(int cmd, struct sockaddr *sa, void *v, int proto) int ipsec6_common_input(struct mbuf **mp, int *offp, int proto) { + INIT_VNET_IPSEC(curvnet); int l = 0; int protoff; struct ip6_ext ip6e; @@ -554,6 +557,8 @@ int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int protoff, struct m_tag *mt) { + INIT_VNET_INET6(curvnet); + INIT_VNET_IPSEC(curvnet); int prot, af, sproto; struct ip6_hdr *ip6; struct m_tag *mtag; diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c index 79c192814936..322df11a1efb 100644 --- a/sys/netipsec/ipsec_mbuf.c +++ b/sys/netipsec/ipsec_mbuf.c @@ -54,6 +54,7 @@ struct mbuf * m_makespace(struct mbuf *m0, int skip, int hlen, int *off) { + INIT_VNET_IPSEC(curvnet); struct mbuf *m; unsigned remain; @@ -156,6 +157,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off) caddr_t m_pad(struct mbuf *m, int n) { + INIT_VNET_IPSEC(curvnet); register struct mbuf *m0, *m1; register int len, pad; caddr_t retval; @@ -228,6 +230,7 @@ m_pad(struct mbuf *m, int n) int m_striphdr(struct mbuf *m, int skip, int hlen) { + INIT_VNET_IPSEC(curvnet); struct mbuf *m1; int roff; diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c index 88ff2f67947e..7b79294e4eeb 100644 --- a/sys/netipsec/ipsec_output.c +++ b/sys/netipsec/ipsec_output.c @@ -91,6 +91,7 @@ int ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) { + INIT_VNET_IPSEC(curvnet); struct tdb_ident *tdbi; struct m_tag *mtag; struct secasvar *sav; @@ -207,6 +208,7 @@ ipsec_nextisr( { #define IPSEC_OSTAT(x,y,z) (isr->saidx.proto == IPPROTO_ESP ? (x)++ : \ isr->saidx.proto == IPPROTO_AH ? (y)++ : (z)++) + INIT_VNET_IPSEC(curvnet); struct secasvar *sav; IPSECREQUEST_LOCK_ASSERT(isr); 
@@ -350,6 +352,7 @@ ipsec4_process_packet( int flags, int tunalready) { + INIT_VNET_IPSEC(curvnet); struct secasindex saidx; struct secasvar *sav; struct ip *ip; @@ -563,6 +566,7 @@ ipsec6_output_trans( int flags, int *tun) { + INIT_VNET_IPSEC(curvnet); struct ipsecrequest *isr; struct secasindex saidx; int error = 0; @@ -630,6 +634,7 @@ bad: static int ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) { + INIT_VNET_IPSEC(curvnet); struct ip6_hdr *oip6; struct ip6_hdr *ip6; size_t plen; @@ -699,6 +704,8 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav) int ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int flags) { + INIT_VNET_INET6(curvnet); + INIT_VNET_IPSEC(curvnet); struct ip6_hdr *ip6; struct ipsecrequest *isr; struct secasindex saidx; diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c index e575cdcddd70..c3cba604b8f9 100644 --- a/sys/netipsec/key.c +++ b/sys/netipsec/key.c @@ -56,6 +56,7 @@ #include <sys/queue.h> #include <sys/refcount.h> #include <sys/syslog.h> +#include <sys/vimage.h> #include <net/if.h> #include <net/route.h> 
@@ -243,52 +244,52 @@ static int ipsec_ah_keymin = 128; SYSCTL_DECL(_net_key); #endif -SYSCTL_INT(_net_key, KEYCTL_DEBUG_LEVEL, debug, CTLFLAG_RW, \ - &key_debug_level, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_DEBUG_LEVEL, debug, + CTLFLAG_RW, key_debug_level, 0, ""); /* max count of trial for the decision of spi value */ -SYSCTL_INT(_net_key, KEYCTL_SPI_TRY, spi_trycnt, CTLFLAG_RW, \ - &key_spi_trycnt, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec,_net_key, KEYCTL_SPI_TRY, spi_trycnt, + CTLFLAG_RW, key_spi_trycnt, 0, ""); /* minimum spi value to allocate automatically. */ -SYSCTL_INT(_net_key, KEYCTL_SPI_MIN_VALUE, spi_minval, CTLFLAG_RW, \ - &key_spi_minval, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MIN_VALUE, + spi_minval, CTLFLAG_RW, key_spi_minval, 0, ""); /* maximun spi value to allocate automatically. */ -SYSCTL_INT(_net_key, KEYCTL_SPI_MAX_VALUE, spi_maxval, CTLFLAG_RW, \ - &key_spi_maxval, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_SPI_MAX_VALUE, + spi_maxval, CTLFLAG_RW, key_spi_maxval, 0, ""); /* interval to initialize randseed */ -SYSCTL_INT(_net_key, KEYCTL_RANDOM_INT, int_random, CTLFLAG_RW, \ - &key_int_random, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_RANDOM_INT, + int_random, CTLFLAG_RW, key_int_random, 0, ""); /* lifetime for larval SA */ -SYSCTL_INT(_net_key, KEYCTL_LARVAL_LIFETIME, larval_lifetime, CTLFLAG_RW, \ - &key_larval_lifetime, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_LARVAL_LIFETIME, + larval_lifetime, CTLFLAG_RW, key_larval_lifetime, 0, ""); /* counter for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_COUNT, blockacq_count, CTLFLAG_RW, \ - &key_blockacq_count, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_COUNT, + blockacq_count, CTLFLAG_RW, key_blockacq_count, 0, ""); /* lifetime for blocking to send SADB_ACQUIRE to IKEd */ -SYSCTL_INT(_net_key, KEYCTL_BLOCKACQ_LIFETIME, blockacq_lifetime, CTLFLAG_RW, \ - 
&key_blockacq_lifetime, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_BLOCKACQ_LIFETIME, + blockacq_lifetime, CTLFLAG_RW, key_blockacq_lifetime, 0, ""); /* ESP auth */ -SYSCTL_INT(_net_key, KEYCTL_ESP_AUTH, esp_auth, CTLFLAG_RW, \ - &ipsec_esp_auth, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_AUTH, esp_auth, + CTLFLAG_RW, ipsec_esp_auth, 0, ""); /* minimum ESP key length */ -SYSCTL_INT(_net_key, KEYCTL_ESP_KEYMIN, esp_keymin, CTLFLAG_RW, \ - &ipsec_esp_keymin, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_ESP_KEYMIN, + esp_keymin, CTLFLAG_RW, ipsec_esp_keymin, 0, ""); /* minimum AH key length */ -SYSCTL_INT(_net_key, KEYCTL_AH_KEYMIN, ah_keymin, CTLFLAG_RW, \ - &ipsec_ah_keymin, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_AH_KEYMIN, ah_keymin, + CTLFLAG_RW, ipsec_ah_keymin, 0, ""); /* perfered old SA rather than new SA */ -SYSCTL_INT(_net_key, KEYCTL_PREFERED_OLDSA, preferred_oldsa, CTLFLAG_RW,\ - &key_preferred_oldsa, 0, ""); +SYSCTL_V_INT(V_NET, vnet_ipsec, _net_key, KEYCTL_PREFERED_OLDSA, + preferred_oldsa, CTLFLAG_RW, key_preferred_oldsa, 0, ""); #define __LIST_CHAINED(elm) \ (!((elm)->chain.le_next == NULL && (elm)->chain.le_prev == NULL)) @@ -554,6 +555,8 @@ key_addref(struct secpolicy *sp) int key_havesp(u_int dir) { + INIT_VNET_IPSEC(curvnet); + return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ? LIST_FIRST(&V_sptree[dir]) != NULL : 1); } @@ -568,6 +571,7 @@ key_havesp(u_int dir) struct secpolicy * key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); @@ -624,6 +628,7 @@ key_allocsp2(u_int32_t spi, u_int dir, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(dst != NULL, ("null dst")); 
@@ -685,6 +690,7 @@ key_gettunnel(const struct sockaddr *osrc, const struct sockaddr *idst, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; const int dir = IPSEC_DIR_INBOUND; struct ipsecrequest *r1, *r2, *p; @@ -759,6 +765,7 @@ done: int key_checkrequest(struct ipsecrequest *isr, const struct secasindex *saidx) { + INIT_VNET_IPSEC(curvnet); u_int level; int error; @@ -854,6 +861,7 @@ static struct secasvar * key_allocsa_policy(const struct secasindex *saidx) { #define N(a) _ARRAYLEN(a) + INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize; @@ -901,6 +909,7 @@ key_allocsa_policy(const struct secasindex *saidx) static struct secasvar * key_do_allocsa_policy(struct secashead *sah, u_int state) { + INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav, *candidate, *d; /* initilize */ @@ -1046,6 +1055,7 @@ key_allocsa( u_int32_t spi, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; u_int stateidx, arraysize, state; @@ -1115,6 +1125,7 @@ done: void _key_freesp(struct secpolicy **spp, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp = *spp; IPSEC_ASSERT(sp != NULL, ("null sp")); @@ -1140,6 +1151,7 @@ _key_freesp(struct secpolicy **spp, const char* where, int tag) void key_freeso(struct socket *so) { + INIT_VNET_IPSEC(curvnet); IPSEC_ASSERT(so != NULL, ("null so")); switch (so->so_proto->pr_domain->dom_family) { @@ -1208,6 +1220,7 @@ key_freesp_so(struct secpolicy **sp) void key_freesav(struct secasvar **psav, const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secasvar *sav = *psav; IPSEC_ASSERT(sav != NULL, ("null sav")); @@ -1266,6 +1279,7 @@ key_delsp(struct secpolicy *sp) static struct secpolicy * key_getsp(struct secpolicyindex *spidx) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; IPSEC_ASSERT(spidx != NULL, ("null spidx")); 
@@ -1292,6 +1306,7 @@ key_getsp(struct secpolicyindex *spidx) static struct secpolicy * key_getspbyid(u_int32_t id) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; SPTREE_LOCK(); @@ -1321,6 +1336,7 @@ done: struct secpolicy * key_newsp(const char* where, int tag) { + INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp = NULL; newsp = (struct secpolicy *) @@ -1355,6 +1371,7 @@ key_msg2sp(xpl0, len, error) size_t len; int *error; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *newsp; IPSEC_ASSERT(xpl0 != NULL, ("null xpl0")); @@ -1752,6 +1769,7 @@ key_spdadd(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0, *xpl; struct sadb_lifetime *lft = NULL; @@ -1974,6 +1992,7 @@ key_spdadd(so, m, mhp) static u_int32_t key_getnewspid() { + INIT_VNET_IPSEC(curvnet); u_int32_t newid = 0; int count = V_key_spi_trycnt; /* XXX */ struct secpolicy *sp; @@ -2015,6 +2034,7 @@ key_spddelete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct sadb_x_policy *xpl0; struct secpolicyindex spidx; @@ -2113,6 +2133,7 @@ key_spddelete2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; @@ -2205,6 +2226,7 @@ key_spdget(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); u_int32_t id; struct secpolicy *sp; struct mbuf *n; @@ -2256,6 +2278,7 @@ int key_spdacquire(sp) struct secpolicy *sp; { + INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secspacq *newspacq; @@ -2318,6 +2341,7 @@ key_spdflush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secpolicy *sp; u_int dir; 
@@ -2370,6 +2394,7 @@ key_spddump(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct secpolicy *sp; int cnt; u_int dir; @@ -2632,6 +2657,7 @@ static struct secashead * key_newsah(saidx) struct secasindex *saidx; { + INIT_VNET_IPSEC(curvnet); struct secashead *newsah; IPSEC_ASSERT(saidx != NULL, ("null saidx")); @@ -2660,6 +2686,7 @@ static void key_delsah(sah) struct secashead *sah; { + INIT_VNET_IPSEC(curvnet); struct secasvar *sav, *nextsav; u_int stateidx; int zombie = 0; @@ -2716,6 +2743,7 @@ key_newsav(m, mhp, sah, errp, where, tag) const char* where; int tag; { + INIT_VNET_IPSEC(curvnet); struct secasvar *newsav; const struct sadb_sa *xsa; @@ -2882,6 +2910,7 @@ static struct secashead * key_getsah(saidx) struct secasindex *saidx; { + INIT_VNET_IPSEC(curvnet); struct secashead *sah; SAHTREE_LOCK(); @@ -2908,6 +2937,7 @@ key_checkspidup(saidx, spi) struct secasindex *saidx; u_int32_t spi; { + INIT_VNET_IPSEC(curvnet); struct secashead *sah; struct secasvar *sav; @@ -2944,6 +2974,7 @@ key_getsavbyspi(sah, spi) struct secashead *sah; u_int32_t spi; { + INIT_VNET_IPSEC(curvnet); struct secasvar *sav; u_int stateidx, state; @@ -2987,6 +3018,7 @@ key_setsaval(sav, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); int error = 0; IPSEC_ASSERT(m != NULL, ("null mbuf")); @@ -3219,6 +3251,7 @@ key_setsaval(sav, m, mhp) static int key_mature(struct secasvar *sav) { + INIT_VNET_IPSEC(curvnet); int error; /* check SPI value */ @@ -3649,6 +3682,7 @@ struct seckey * key_dup_keymsg(const struct sadb_key *src, u_int len, struct malloc_type *type) { + INIT_VNET_IPSEC(curvnet); struct seckey *dst; dst = (struct seckey *)malloc(sizeof(struct seckey), type, M_NOWAIT); if (dst != NULL) { 
@@ -3682,6 +3716,7 @@ static struct seclifetime * key_dup_lifemsg(const struct sadb_lifetime *src, struct malloc_type *type) { + INIT_VNET_IPSEC(curvnet); struct seclifetime *dst = NULL; dst = (struct seclifetime *)malloc(sizeof(struct seclifetime), @@ -3707,6 +3742,7 @@ key_ismyaddr(sa) struct sockaddr *sa; { #ifdef INET + INIT_VNET_INET(curvnet); struct sockaddr_in *sin; struct in_ifaddr *ia; #endif @@ -3751,6 +3787,7 @@ static int key_ismyaddr6(sin6) struct sockaddr_in6 *sin6; { + INIT_VNET_INET6(curvnet); struct in6_ifaddr *ia; struct in6_multi *in6m; @@ -4072,6 +4109,7 @@ key_bbcmp(const void *a1, const void *a2, u_int bits) static void key_flush_spd(time_t now) { + INIT_VNET_IPSEC(curvnet); static u_int16_t sptree_scangen = 0; u_int16_t gen = sptree_scangen++; struct secpolicy *sp; @@ -4109,6 +4147,7 @@ restart: static void key_flush_sad(time_t now) { + INIT_VNET_IPSEC(curvnet); struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; @@ -4247,6 +4286,7 @@ key_flush_sad(time_t now) static void key_flush_acq(time_t now) { + INIT_VNET_IPSEC(curvnet); struct secacq *acq, *nextacq; /* ACQ tree */ @@ -4265,6 +4305,7 @@ key_flush_acq(time_t now) static void key_flush_spacq(time_t now) { + INIT_VNET_IPSEC(curvnet); struct secspacq *acq, *nextacq; /* SP ACQ tree */ @@ -4289,12 +4330,17 @@ key_flush_spacq(time_t now) void key_timehandler(void) { + VNET_ITERATOR_DECL(vnet_iter); time_t now = time_second; - key_flush_spd(now); - key_flush_sad(now); - key_flush_acq(now); - key_flush_spacq(now); + VNET_FOREACH(vnet_iter) { + CURVNET_SET(vnet_iter); + key_flush_spd(now); + key_flush_sad(now); + key_flush_acq(now); + key_flush_spacq(now); + CURVNET_RESTORE(); + } #ifndef IPSEC_DEBUG2 /* do exchange to tick time !! */ @@ -4407,6 +4453,7 @@ key_getspi(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *newsah; 
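Review bot: key_flush_spd now opens with `INIT_VNET_IPSEC(curvnet);` but keeps `static u_int16_t sptree_scangen` as a function-local static, so once the VNET_FOREACH loop added to key_timehandler walks real vnets this generation counter is shared across all of them while the policy tree it is presumably applied to (V_sptree, referenced in key_havesp elsewhere in this file; the loop body here is outside the hunk) is per-vnet. That still works as long as only per-call uniqueness of `gen` matters, but it is cross-vnet shared mutable state and the 16-bit wrap arrives proportionally sooner with more vnets. Suggest either a comment such as `/* Shared across vnets on purpose; only per-call uniqueness of gen matters. */` or moving the counter into the vnet_ipsec container along with the other virtualized key state.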
@@ -4601,6 +4648,7 @@ key_do_getnewspi(spirange, saidx) struct sadb_spirange *spirange; struct secasindex *saidx; { + INIT_VNET_IPSEC(curvnet); u_int32_t newspi; u_int32_t min, max; int count = V_key_spi_trycnt; @@ -4682,6 +4730,7 @@ key_update(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -4880,6 +4929,7 @@ key_add(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -5003,6 +5053,7 @@ key_setident(sah, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); const struct sadb_ident *idsrc, *iddst; int idsrclen, iddstlen; @@ -5125,6 +5176,7 @@ key_delete(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -5236,6 +5288,7 @@ key_delete_all(so, m, mhp, proto) const struct sadb_msghdr *mhp; u_int16_t proto; { + INIT_VNET_IPSEC(curvnet); struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -5321,6 +5374,7 @@ key_get(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_sa *sa0; struct sadb_address *src0, *dst0; struct secasindex saidx; @@ -5426,6 +5480,7 @@ key_getcomb_setlifetime(comb) static struct mbuf * key_getcomb_esp() { + INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct enc_xform *algo; struct mbuf *result = NULL, *m, *n; @@ -5504,6 +5559,8 @@ key_getsizes_ah( u_int16_t* min, u_int16_t* max) { + INIT_VNET_IPSEC(curvnet); + *min = *max = ah->keysize; if (ah->keysize == 0) { /* @@ -5528,6 +5585,7 @@ key_getsizes_ah( static struct mbuf * key_getcomb_ah() { + INIT_VNET_IPSEC(curvnet); struct sadb_comb *comb; struct auth_hash *algo; struct mbuf *m; 
@@ -5688,6 +5746,7 @@ key_getprop(saidx) static int key_acquire(const struct secasindex *saidx, struct secpolicy *sp) { + INIT_VNET_IPSEC(curvnet); struct mbuf *result = NULL, *m; struct secacq *newacq; u_int8_t satype; @@ -5853,6 +5912,7 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp) static struct secacq * key_newacq(const struct secasindex *saidx) { + INIT_VNET_IPSEC(curvnet); struct secacq *newacq; /* get new entry */ @@ -5879,6 +5939,7 @@ key_newacq(const struct secasindex *saidx) static struct secacq * key_getacq(const struct secasindex *saidx) { + INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -5895,6 +5956,7 @@ static struct secacq * key_getacqbyseq(seq) u_int32_t seq; { + INIT_VNET_IPSEC(curvnet); struct secacq *acq; ACQ_LOCK(); @@ -5911,6 +5973,7 @@ static struct secspacq * key_newspacq(spidx) struct secpolicyindex *spidx; { + INIT_VNET_IPSEC(curvnet); struct secspacq *acq; /* get new entry */ @@ -5937,6 +6000,7 @@ static struct secspacq * key_getspacq(spidx) struct secpolicyindex *spidx; { + INIT_VNET_IPSEC(curvnet); struct secspacq *acq; SPACQ_LOCK(); @@ -5971,6 +6035,7 @@ key_acquire2(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); const struct sadb_address *src0, *dst0; struct secasindex saidx; struct secashead *sah; @@ -6092,6 +6157,7 @@ key_register(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct secreg *reg, *newreg = 0; IPSEC_ASSERT(so != NULL, ("null socket")); @@ -6246,6 +6312,7 @@ key_register(so, m, mhp) void key_freereg(struct socket *so) { + INIT_VNET_IPSEC(curvnet); struct secreg *reg; int i; @@ -6417,6 +6484,7 @@ key_flush(so, m, mhp) struct mbuf *m; const struct sadb_msghdr *mhp; { + INIT_VNET_IPSEC(curvnet); struct sadb_msg *newmsg; struct secashead *sah, *nextsah; struct secasvar *sav, *nextsav; 
@@ -6500,6 +6568,7 @@ key_dump(so, m, mhp)
 	struct mbuf *m;
 	const struct sadb_msghdr *mhp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct secasvar *sav;
 	u_int16_t proto;
@@ -6680,6 +6749,7 @@ key_parse(m, so)
 	struct mbuf *m;
 	struct socket *so;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *msg;
 	struct sadb_msghdr mh;
 	u_int orglen;
@@ -6951,6 +7021,7 @@ key_align(m, mhp)
 	struct mbuf *m;
 	struct sadb_msghdr *mhp;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *n;
 	struct sadb_ext *ext;
 	size_t off, end;
@@ -7110,6 +7181,7 @@ key_validate_ext(ext, len)
 void
 key_init(void)
 {
+	INIT_VNET_IPSEC(curvnet);
 	int i;
 	SPTREE_LOCK_INIT();
@@ -7215,6 +7287,7 @@ void
 key_sa_routechange(dst)
 	struct sockaddr *dst;
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secashead *sah;
 	struct route *ro;
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index c86791e245d0..2f7426100bee 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -52,13 +52,17 @@
 #include <sys/systm.h>
 #include <sys/vimage.h>
+#include <net/if.h>
 #include <net/raw_cb.h>
 #include <net/route.h>
+#include <netinet/in.h>
+
 #include <net/pfkeyv2.h>
 #include <netipsec/key.h>
 #include <netipsec/keysock.h>
 #include <netipsec/key_debug.h>
+#include <netipsec/ipsec.h>
 #include <machine/stdarg.h>
@@ -80,6 +84,7 @@ struct pfkeystat pfkeystat;
 int
 key_output(struct mbuf *m, struct socket *so)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct sadb_msg *msg;
 	int len, error = 0;
@@ -133,6 +138,7 @@ key_sendup0(rp, m, promisc)
 	struct mbuf *m;
 	int promisc;
 {
+	INIT_VNET_IPSEC(curvnet);
 	int error;
 	if (promisc) {
@@ -177,6 +183,7 @@ key_sendup(so, msg, len, target)
 	u_int len;
 	int target; /*target of the resulting message*/
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *m, *n, *mprev;
 	int tlen;
@@ -265,6 +272,8 @@ key_sendup_mbuf(so, m, target)
 	struct mbuf *m;
 	int target;
 {
+	INIT_VNET_NET(curvnet);
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *n;
 	struct keycb *kp;
 	int sendup;
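Review bot: The new `#include <netipsec/ipsec.h>` in the keysock.c include hunk carries no comment saying what it is needed for, and it is the only netipsec header added while every function in the following hunks gains an `INIT_VNET_IPSEC(curvnet);` call; vipsec.h, which defines that macro, is not included by keysock.c directly. If the intent is to reach the INIT_VNET_IPSEC()/V_* translations through ipsec.h, record that at the include: `#include <netipsec/ipsec.h>	/* INIT_VNET_IPSEC(), V_* symbols */`. `<net/if.h>` and `<netinet/in.h>` likewise look like dependencies of what those macros expand to rather than of anything keysock.c itself uses, which is presumably why the commit could not validate this file by object comparison; a one-line comment on each would let a later cleanup separate required includes from incidental ones. The include block starts at line 52 of keysock.c, so the hunk is complete, but the function bodies in the later hunks continue outside them.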
@@ -382,6 +391,7 @@ key_abort(struct socket *so)
 static int
 key_attach(struct socket *so, int proto, struct thread *td)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct keycb *kp;
 	int error;
@@ -456,6 +466,7 @@ key_connect(struct socket *so, struct sockaddr *nam, struct thread *td)
 static void
 key_detach(struct socket *so)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct keycb *kp = (struct keycb *)sotorawcb(so);
 	KASSERT(kp != NULL, ("key_detach: kp == NULL"));
@@ -558,6 +569,7 @@ struct protosw keysw[] = {
 static void
 key_init0(void)
 {
+	INIT_VNET_IPSEC(curvnet);
 	bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
 	key_init();
 }
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
new file mode 100644
index 000000000000..5a007ce0dadd
--- /dev/null
+++ b/sys/netipsec/vipsec.h
@@ -0,0 +1,188 @@
+/*
+ * Copyright (c) 2007-2008 University of Zagreb
+ * Copyright (c) 2007-2008 FreeBSD Foundation
+ *
+ * This software was developed by the University of Zagreb and the
+ * FreeBSD Foundation under sponsorship by the Stichting NLnet and the
+ * FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _NETIPSEC_VIPSEC_H_
+#define _NETIPSEC_VIPSEC_H_
+
+#ifdef VIMAGE
+#include <sys/proc.h>
+#include <sys/protosw.h>
+#include <sys/socket.h>
+
+#include <netipsec/ipsec.h>
+#include <netipsec/esp_var.h>
+#include <netipsec/ah_var.h>
+#include <netipsec/ipcomp_var.h>
+#include <netipsec/ipip_var.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+#include <net/route.h>
+#include <net/raw_cb.h>
+
+#include <netipsec/keysock.h>
+
+struct vnet_ipsec {
+	int _ipsec_debug;
+	struct ipsecstat _ipsec4stat;
+	struct secpolicy _ip4_def_policy;
+
+	int _ip4_esp_trans_deflev;
+	int _ip4_esp_net_deflev;
+	int _ip4_ah_trans_deflev;
+	int _ip4_ah_net_deflev;
+	int _ip4_ah_offsetmask;
+	int _ip4_ipsec_dfbit;
+	int _ip4_ipsec_ecn;
+	int _ip4_esp_randpad;
+
+	int _ipsec_replay;
+	int _ipsec_integrity;
+	int _crypto_support;
+
+	u_int32_t _key_debug_level;
+	u_int _key_spi_trycnt;
+	u_int32_t _key_spi_minval;
+	u_int32_t _key_spi_maxval;
+	u_int32_t _policy_id;
+	u_int _key_int_random;
+	u_int _key_larval_lifetime;
+	int _key_blockacq_count;
+	int _key_blockacq_lifetime;
+	int _key_preferred_oldsa;
+	u_int32_t _acq_seq;
+
+	u_int _saorder_state_alive[3];
+	u_int _saorder_state_any[4];
+	int _esp_enable;
+	struct espstat _espstat;
+	int _esp_max_ivlen;
+	int _ipsec_esp_keymin;
+	int _ipsec_esp_auth;
+	int _ipsec_ah_keymin;
+	int _ipip_allow;
+	struct ipipstat _ipipstat;
+
+	struct ipsecstat _ipsec6stat;
+	int _ip6_esp_trans_deflev;
+	int _ip6_esp_net_deflev;
+	int _ip6_ah_trans_deflev;
+	int _ip6_ah_net_deflev;
+	int _ip6_ipsec_ecn;
+	int _ip6_esp_randpad;
+
+	int _ah_enable;
+	int _ah_cleartos;
+	struct ahstat _ahstat;
+
+	int _ipcomp_enable;
+	struct ipcompstat _ipcompstat;
+
+	struct pfkeystat _pfkeystat;
+	struct key_cb _key_cb;
+	struct sockaddr _key_dst;
+	struct sockaddr _key_src;
+
+	LIST_HEAD(, secpolicy) _sptree[IPSEC_DIR_MAX];
+	LIST_HEAD(, secashead) _sahtree;
+	LIST_HEAD(, secreg) _regtree[SADB_SATYPE_MAX + 1];
+	LIST_HEAD(, secacq) _acqtree;
+	LIST_HEAD(, secspacq) _spacqtree;
+};
+#endif
+
+/*
+ * Symbol translation macros
+ */
+#define INIT_VNET_IPSEC(vnet) \
+	INIT_FROM_VNET(vnet, VNET_MOD_IPSEC, struct vnet_ipsec, vnet_ipsec)
+
+#define VNET_IPSEC(sym) VSYM(vnet_ipsec, sym)
+
+#define V_acq_seq VNET_IPSEC(acq_seq)
+#define V_acqtree VNET_IPSEC(acqtree)
+#define V_ah_cleartos VNET_IPSEC(ah_cleartos)
+#define V_ah_enable VNET_IPSEC(ah_enable)
+#define V_ahstat VNET_IPSEC(ahstat)
+#define V_crypto_support VNET_IPSEC(crypto_support)
+#define V_esp_enable VNET_IPSEC(esp_enable)
+#define V_esp_max_ivlen VNET_IPSEC(esp_max_ivlen)
+#define V_espstat VNET_IPSEC(espstat)
+#define V_ip4_ah_net_deflev VNET_IPSEC(ip4_ah_net_deflev)
+#define V_ip4_ah_offsetmask VNET_IPSEC(ip4_ah_offsetmask)
+#define V_ip4_ah_trans_deflev VNET_IPSEC(ip4_ah_trans_deflev)
+#define V_ip4_def_policy VNET_IPSEC(ip4_def_policy)
+#define V_ip4_esp_net_deflev VNET_IPSEC(ip4_esp_net_deflev)
+#define V_ip4_esp_randpad VNET_IPSEC(ip4_esp_randpad)
+#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
+#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
+#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
+#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
+#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
+#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
+#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
+#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
+#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
+#define V_ipcompstat VNET_IPSEC(ipcompstat)
+#define V_ipip_allow VNET_IPSEC(ipip_allow)
+#define V_ipipstat VNET_IPSEC(ipipstat)
+#define V_ipsec4stat VNET_IPSEC(ipsec4stat)
+#define V_ipsec6stat VNET_IPSEC(ipsec6stat)
+#define V_ipsec_ah_keymin VNET_IPSEC(ipsec_ah_keymin)
+#define V_ipsec_debug VNET_IPSEC(ipsec_debug)
+#define V_ipsec_esp_auth VNET_IPSEC(ipsec_esp_auth)
+#define V_ipsec_esp_keymin VNET_IPSEC(ipsec_esp_keymin)
+#define V_ipsec_integrity VNET_IPSEC(ipsec_integrity)
+#define V_ipsec_replay VNET_IPSEC(ipsec_replay)
+#define V_key_blockacq_count VNET_IPSEC(key_blockacq_count)
+#define V_key_blockacq_lifetime VNET_IPSEC(key_blockacq_lifetime)
+#define V_key_cb VNET_IPSEC(key_cb)
+#define V_key_debug_level VNET_IPSEC(key_debug_level)
+#define V_key_dst VNET_IPSEC(key_dst)
+#define V_key_int_random VNET_IPSEC(key_int_random)
+#define V_key_larval_lifetime VNET_IPSEC(key_larval_lifetime)
+#define V_key_preferred_oldsa VNET_IPSEC(key_preferred_oldsa)
+#define V_key_spi_maxval VNET_IPSEC(key_spi_maxval)
+#define V_key_spi_minval VNET_IPSEC(key_spi_minval)
+#define V_key_spi_trycnt VNET_IPSEC(key_spi_trycnt)
+#define V_key_src VNET_IPSEC(key_src)
+#define V_pfkeystat VNET_IPSEC(pfkeystat)
+#define V_policy_id VNET_IPSEC(policy_id)
+#define V_regtree VNET_IPSEC(regtree)
+#define V_sahtree VNET_IPSEC(sahtree)
+#define V_saorder_state_alive VNET_IPSEC(saorder_state_alive)
+#define V_saorder_state_any VNET_IPSEC(saorder_state_any)
+#define V_spacqtree VNET_IPSEC(spacqtree)
+#define V_sptree VNET_IPSEC(sptree)
+
+#endif /* !_NETIPSEC_VIPSEC_H_ */
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 4f87db6f4679..76fecb1367f1 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
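Review bot: `struct vnet_ipsec` moves the SPD/SAD containers (`_sptree`, `_sahtree`, `_regtree`, `_acqtree`, `_spacqtree`) and the SPI/ACQ/policy-id counters (`_key_spi_minval`, `_key_spi_maxval`, `_acq_seq`, `_policy_id`) into per-vnet state, but the locks that guard those lists are not members of the struct, and the key_init hunk earlier in this diff still calls a global `SPTREE_LOCK_INIT()`. Whether the locks are meant to stay global across all vnets or are scheduled for a later step should be stated on the struct, e.g. `/* NOTE: the SPTREE/SAHTREE/ACQ/SPACQ locks are not virtualized and remain global. */`, so nobody assumes per-vnet locking once the lists become per-vnet. The struct definition is inside `#ifdef VIMAGE` while every `V_*` macro after it is unconditional; a comment at that `#endif` noting that INIT_FROM_VNET()/VSYM() are expected to resolve to the plain globals without VIMAGE would document why the header is valid in both configurations. The default policy (`_ip4_def_policy`) and the SPI-range and ACQ tunables also merit a line recording that they are intended to become per-vnet settable values, since that changes who can choose them once vnets are attached to jails — presumably intended, but worth recording rather than inferring.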
@@ -93,12 +93,12 @@ int ah_cleartos = 1; /* clear ip_tos when doing AH calc */
 struct ahstat ahstat;
 SYSCTL_DECL(_net_inet_ah);
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
-	ah_enable, CTLFLAG_RW, &ah_enable, 0, "");
-SYSCTL_INT(_net_inet_ah, OID_AUTO,
-	ah_cleartos, CTLFLAG_RW, &ah_cleartos, 0, "");
-SYSCTL_STRUCT(_net_inet_ah, IPSECCTL_STATS,
-	stats, CTLFLAG_RD, &ahstat, ahstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+	ah_enable, CTLFLAG_RW, ah_enable, 0, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ah, OID_AUTO,
+	ah_cleartos, CTLFLAG_RW, ah_cleartos, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ah, IPSECCTL_STATS,
+	stats, CTLFLAG_RD, ahstat, ahstat, "");
 static unsigned char ipseczeroes[256]; /* larger than an ip6 extension hdr */
@@ -160,6 +160,7 @@ ah_hdrsiz(struct secasvar *sav)
 int
 ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct auth_hash *thash;
 	int keylen;
@@ -214,6 +215,7 @@ ah_init0(struct secasvar *sav, struct xformsw *xsp, struct cryptoini *cria)
 static int
 ah_init(struct secasvar *sav, struct xformsw *xsp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct cryptoini cria;
 	int error;
@@ -248,6 +250,7 @@ ah_zeroize(struct secasvar *sav)
 static int
 ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct mbuf *m = *m0;
 	unsigned char *ptr;
 	int off, count;
@@ -552,6 +555,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
 static int
 ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct auth_hash *ahx;
 	struct tdb_ident *tdbi;
 	struct tdb_crypto *tc;
@@ -721,6 +725,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 ah_input_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	int rplen, error, skip, protoff;
 	unsigned char calc[AH_ALEN_MAX];
 	struct mbuf *m;
@@ -883,6 +888,7 @@ ah_output(
 	int skip,
 	int protoff)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav;
 	struct auth_hash *ahx;
 	struct cryptodesc *crda;
@@ -1109,6 +1115,7 @@ bad:
 static int
 ah_output_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	int skip, protoff, error;
 	struct tdb_crypto *tc;
 	struct ipsecrequest *isr;
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 3ac01c6cd5ff..21cc82f1ec26 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -80,10 +80,10 @@ int esp_enable = 1;
 struct espstat espstat;
 SYSCTL_DECL(_net_inet_esp);
-SYSCTL_INT(_net_inet_esp, OID_AUTO,
-	esp_enable, CTLFLAG_RW, &esp_enable, 0, "");
-SYSCTL_STRUCT(_net_inet_esp, IPSECCTL_STATS,
-	stats, CTLFLAG_RD, &espstat, espstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,
+	esp_enable, CTLFLAG_RW, esp_enable, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_esp, IPSECCTL_STATS,
+	stats, CTLFLAG_RD, espstat, espstat, "");
 static int esp_max_ivlen; /* max iv length over all algorithms */
@@ -123,6 +123,7 @@ esp_algorithm_lookup(int alg)
 size_t
 esp_hdrsiz(struct secasvar *sav)
 {
+	INIT_VNET_IPSEC(curvnet);
 	size_t size;
 	if (sav != NULL) {
@@ -157,6 +158,7 @@ esp_hdrsiz(struct secasvar *sav)
 static int
 esp_init(struct secasvar *sav, struct xformsw *xsp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct enc_xform *txform;
 	struct cryptoini cria, crie;
 	int keylen;
@@ -267,6 +269,7 @@ esp_zeroize(struct secasvar *sav)
 static int
 esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct auth_hash *esph;
 	struct enc_xform *espx;
 	struct tdb_ident *tdbi;
@@ -449,6 +452,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 esp_input_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	u_int8_t lastthree[3], aalg[AH_HMAC_HASHLEN];
 	int hlen, skip, protoff, error;
 	struct mbuf *m;
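Review bot: In the xform_esp.c sysctl hunk the argument list is missing a space, `SYSCTL_V_INT(V_NET, vnet_ipsec,_net_inet_esp, OID_AUTO,`, while the sibling hunks in xform_ah.c, xform_ipcomp.c and xform_ipip.c all write `vnet_ipsec, _net_inet_esp`-style spacing. Style only, but it is exactly the kind of inconsistency that makes a grep-based audit of every SYSCTL_V_* registration skip a line; change it to `SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_esp, OID_AUTO,`. Since these registration lines are being rewritten anyway, the empty `""` description strings, which the old lines also lacked, could be given a short text so the knobs are self-describing in sysctl -d output. The `esp_max_ivlen` line just below remains a file-local `static int` even though vipsec.h introduces `_esp_max_ivlen`; a note on which one is authoritative would help the next step.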
@@ -652,6 +656,7 @@ esp_output(
 	int protoff
 )
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct enc_xform *espx;
 	struct auth_hash *esph;
 	int hlen, rlen, plen, padding, blks, alen, i, roff;
@@ -882,6 +887,7 @@ bad:
 static int
 esp_output_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct tdb_crypto *tc;
 	struct ipsecrequest *isr;
 	struct secasvar *sav;
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 2882af83f014..34929246c54d 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -71,10 +71,10 @@ int ipcomp_enable = 0;
 struct ipcompstat ipcompstat;
 SYSCTL_DECL(_net_inet_ipcomp);
-SYSCTL_INT(_net_inet_ipcomp, OID_AUTO,
-	ipcomp_enable, CTLFLAG_RW, &ipcomp_enable, 0, "");
-SYSCTL_STRUCT(_net_inet_ipcomp, IPSECCTL_STATS,
-	stats, CTLFLAG_RD, &ipcompstat, ipcompstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipcomp, OID_AUTO,
+	ipcomp_enable, CTLFLAG_RW, ipcomp_enable, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipcomp, IPSECCTL_STATS,
+	stats, CTLFLAG_RD, ipcompstat, ipcompstat, "");
 static int ipcomp_input_cb(struct cryptop *crp);
 static int ipcomp_output_cb(struct cryptop *crp);
@@ -97,6 +97,7 @@ ipcomp_algorithm_lookup(int alg)
 static int
 ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct comp_algo *tcomp;
 	struct cryptoini cric;
@@ -137,6 +138,7 @@ ipcomp_zeroize(struct secasvar *sav)
 static int
 ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct tdb_crypto *tc;
 	struct cryptodesc *crdc;
 	struct cryptop *crp;
@@ -207,6 +209,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
 static int
 ipcomp_input_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct cryptodesc *crd;
 	struct tdb_crypto *tc;
 	int skip, protoff;
@@ -327,6 +330,7 @@ ipcomp_output(
 	int protoff
 )
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct secasvar *sav;
 	struct comp_algo *ipcompx;
 	int error, ralen, hlen, maxpacketsize, roff;
@@ -485,6 +489,7 @@ bad:
 static int
 ipcomp_output_cb(struct cryptop *crp)
 {
+	INIT_VNET_IPSEC(curvnet);
 	struct tdb_crypto *tc;
 	struct ipsecrequest *isr;
 	struct secasvar *sav;
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index cb9256d15953..568d42e92dc7 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -95,10 +95,10 @@ int ipip_allow = 0;
 struct ipipstat ipipstat;
 SYSCTL_DECL(_net_inet_ipip);
-SYSCTL_INT(_net_inet_ipip, OID_AUTO,
-	ipip_allow, CTLFLAG_RW, &ipip_allow, 0, "");
-SYSCTL_STRUCT(_net_inet_ipip, IPSECCTL_STATS,
-	stats, CTLFLAG_RD, &ipipstat, ipipstat, "");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipip, OID_AUTO,
+	ipip_allow, CTLFLAG_RW, ipip_allow, 0, "");
+SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipip, IPSECCTL_STATS,
+	stats, CTLFLAG_RD, ipipstat, ipipstat, "");
 /* XXX IPCOMP */
 #define M_IPSEC (M_AUTHIPHDR|M_AUTHIPDGM|M_DECRYPTED)
@@ -156,6 +156,8 @@ ip4_input(struct mbuf *m, int off)
 static void
 _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 {
+	INIT_VNET_NET(curvnet);
+	INIT_VNET_IPSEC(curvnet);
 	register struct sockaddr_in *sin;
 	register struct ifnet *ifp;
 	register struct ifaddr *ifa;
@@ -407,6 +409,10 @@ ipip_output(
 	int protoff
 )
 {
+	INIT_VNET_IPSEC(curvnet);
+#ifdef INET
+	INIT_VNET_INET(curvnet);
+#endif /* INET */
 	struct secasvar *sav;
 	u_int8_t tp, otos;
 	struct secasindex *saidx; |
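Review bot: In the ipip_output hunk the new `INIT_VNET_INET(curvnet);` is wrapped in `#ifdef INET` while the `INIT_VNET_IPSEC(curvnet);` beside it and the `INIT_VNET_NET(curvnet);` added to _ipip_input are unconditional, and nothing in the hunk says why only this one initializer needs the guard. If the reason is that ipip_output references INET-only V_ symbols further down (outside the hunk, so I cannot confirm), anchor that at the directive, e.g. `#ifdef INET	/* INET-only V_ symbols referenced below */`, so the asymmetry with _ipip_input is not mistaken for an oversight. The sysctl hunk shows `ipip_allow` defaulting to 0 and now registered through SYSCTL_V_INT as a prospective per-vnet tunable; since it appears to gate acceptance of IP-in-IP traffic, a short description in place of the empty `""` and a note that the value is intended to be chosen per vnet would document a security-relevant decision that is currently implicit. ipip_output's body continues outside the hunk.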