aboutsummaryrefslogtreecommitdiff
path: root/sys/netipsec
diff options
context:
space:
mode:
authorAndrew Thompson <thompsa@FreeBSD.org>2006-06-26 22:30:08 +0000
committerAndrew Thompson <thompsa@FreeBSD.org>2006-06-26 22:30:08 +0000
commitbdea400f3ba20dd0ffcaef20d68912f7041d9eeb (patch)
treead08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec
parentd81175c738fc9af95fe03734068b50159524e89f (diff)
downloadsrc-bdea400f3ba20dd0ffcaef20d68912f7041d9eeb.tar.gz
src-bdea400f3ba20dd0ffcaef20d68912f7041d9eeb.zip
Add a pseudo interface for packet filtering IPSec connections before or after
encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
Notes
Notes: svn path=/head/; revision=159965
Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.h2
-rw-r--r--sys/netipsec/ipsec_input.c13
-rw-r--r--sys/netipsec/ipsec_output.c13
-rw-r--r--sys/netipsec/xform_ipip.c7
4 files changed, 35 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 7dfe1ac8ab81..e514ce5d2eb3 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -417,6 +417,8 @@ extern void m_checkalignment(const char* where, struct mbuf *m0,
extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off);
extern caddr_t m_pad(struct mbuf *m, int n);
extern int m_striphdr(struct mbuf *m, int skip, int hlen);
+extern int ipsec_filter(struct mbuf **, int);
+extern void ipsec_bpf(struct mbuf *, struct secasvar *, int);
#endif /* _KERNEL */
#ifndef _KERNEL
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 753b78a5b15a..24bc1c3e9df0 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -43,6 +43,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
key_sa_recordxfer(sav, m); /* record data transfer */
+#ifdef DEV_ENC
+ /*
+ * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+ * packet later after it has been decapsulated.
+ */
+ ipsec_bpf(m, sav, AF_INET);
+
+ if (prot != IPPROTO_IPIP)
+ if ((error = ipsec_filter(&m, 1)) != 0)
+ return (error);
+#endif
+
/*
* Re-dispatch via software interrupt.
*/
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 788e07a739fc..51dce8267ef9 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -32,6 +32,7 @@
#include "opt_inet.h"
#include "opt_inet6.h"
#include "opt_ipsec.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -358,6 +359,13 @@ ipsec4_process_packet(
goto bad;
sav = isr->sav;
+
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for packet filtering */
+ if ((error = ipsec_filter(&m, 2)) != 0)
+ goto bad;
+#endif
+
if (!tunalready) {
union sockaddr_union *dst = &sav->sah->saidx.dst;
int setdf;
@@ -455,6 +463,11 @@ ipsec4_process_packet(
}
}
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for bpf processing */
+ ipsec_bpf(m, sav, AF_INET);
+#endif
+
/*
* Dispatch to the appropriate IPsec transform logic. The
* packet will be returned for transmission after crypto
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 4bb0b547903d..81910091e7ef 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -41,6 +41,7 @@
*/
#include "opt_inet.h"
#include "opt_inet6.h"
+#include "opt_enc.h"
#include <sys/param.h>
#include <sys/systm.h>
@@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Statistics */
ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
+#ifdef DEV_ENC
+ /* pass the mbuf to enc0 for packet filtering */
+ if (ipsec_filter(&m, 1) != 0)
+ return;
+#endif
+
/*
* Interface pointer stays the same; if no IPsec processing has
* been done (or will be done), this will point to a normal