author | Andrew Thompson <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
---|---|---|
committer | Andrew Thompson <thompsa@FreeBSD.org> | 2006-06-26 22:30:08 +0000 |
commit | bdea400f3ba20dd0ffcaef20d68912f7041d9eeb (patch) | |
tree | ad08e122ba3a5390ec867d258e80d618c4727731 /sys/netipsec | |
parent | d81175c738fc9af95fe03734068b50159524e89f (diff) | |
download | src-bdea400f3ba20dd0ffcaef20d68912f7041d9eeb.tar.gz src-bdea400f3ba20dd0ffcaef20d68912f7041d9eeb.zip |
Add a pseudo interface for packet filtering IPSec connections before or after
encryption. There are two functions, a bpf tap which has a basic header with
the SPI number which our current tcpdump knows how to display, and handoff to
pfil(9) for packet filtering.
Obtained from: OpenBSD
Based on: kern/94829
No objections: arch, net
MFC after: 1 month
Notes
Notes:
svn path=/head/; revision=159965
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.h | 2 | ||||
-rw-r--r-- | sys/netipsec/ipsec_input.c | 13 | ||||
-rw-r--r-- | sys/netipsec/ipsec_output.c | 13 | ||||
-rw-r--r-- | sys/netipsec/xform_ipip.c | 7 |
4 files changed, 35 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 7dfe1ac8ab81..e514ce5d2eb3 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -417,6 +417,8 @@ extern void m_checkalignment(const char* where, struct mbuf *m0,
 extern struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off);
 extern caddr_t m_pad(struct mbuf *m, int n);
 extern int m_striphdr(struct mbuf *m, int skip, int hlen);
+extern int ipsec_filter(struct mbuf **, int);
+extern void ipsec_bpf(struct mbuf *, struct secasvar *, int);
 #endif /* _KERNEL */
 
 #ifndef _KERNEL
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index 753b78a5b15a..24bc1c3e9df0 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -43,6 +43,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
 
 	key_sa_recordxfer(sav, m);		/* record data transfer */
 
+#ifdef DEV_ENC
+	/*
+	 * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+	 * packet later after it has been decapsulated.
+	 */
+	ipsec_bpf(m, sav, AF_INET);
+
+	if (prot != IPPROTO_IPIP)
+		if ((error = ipsec_filter(&m, 1)) != 0)
+			return (error);
+#endif
+
 	/*
 	 * Re-dispatch via software interrupt.
 	 */
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 788e07a739fc..51dce8267ef9 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -32,6 +32,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -358,6 +359,13 @@ ipsec4_process_packet(
 		goto bad;
 	sav = isr->sav;
+
+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for packet filtering */
+	if ((error = ipsec_filter(&m, 2)) != 0)
+		goto bad;
+#endif
+
 	if (!tunalready) {
 		union sockaddr_union *dst = &sav->sah->saidx.dst;
 		int setdf;
 
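Review bot: The two prototypes added to ipsec.h drop the parameter names that the neighbouring declarations keep (`m_striphdr(struct mbuf *m, int skip, int hlen)`), and the bare `int` of `ipsec_filter` says nothing about the literal 1 and 2 the callers in ipsec_input.c, ipsec_output.c and xform_ipip.c pass for it. Suggest `extern int ipsec_filter(struct mbuf **mp, int dir);` and `extern void ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af);`, with named constants for the inbound and outbound directions declared next to them, so a transposed literal cannot quietly attach a filter pass to the wrong side of the SA. The ownership of `*mp` after a non-zero return also belongs in a comment on this declaration, since every caller in this commit relies on it.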
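Review bot: After `ipsec_filter(&m, 1)` fails, ipsec4_common_input_cb returns `error` without touching `m`, so correctness depends on ipsec_filter freeing the chain and the caller never freeing it again — neither is visible in this hunk, and the same assumption is made by the `goto bad` in ipsec_output.c and the bare `return` in xform_ipip.c. If ipsec_filter frees the mbuf on failure it should also set `*mp = NULL` so that the `bad:` cleanup in ipsec_output.c (outside the hunk) cannot double-free; if it does not free, all three sites leak. The unbraced nested `if` also invites the dangling-else mistake; `if (prot != IPPROTO_IPIP && (error = ipsec_filter(&m, 1)) != 0) return (error);` is equivalent and flatter. ipsec4_common_input_cb continues outside the hunk.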
@@ -455,6 +463,11 @@ ipsec4_process_packet(
 		}
 	}
 
+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for bpf processing */
+	ipsec_bpf(m, sav, AF_INET);
+#endif
+
 	/*
 	 * Dispatch to the appropriate IPsec transform logic. The
 	 * packet will be returned for transmission after crypto
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 4bb0b547903d..81910091e7ef 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -41,6 +41,7 @@
  */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_enc.h"
 
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 	/* Statistics */
 	ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
 
+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for packet filtering */
+	if (ipsec_filter(&m, 1) != 0)
+		return;
+#endif
+
 	/*
 	 * Interface pointer stays the same; if no IPsec processing has
 	 * been done (or will be done), this will point to a normal |
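Review bot: When `ipsec_filter(&m, 1)` rejects the decapsulated packet, _ipip_input returns with no accounting: unlike ipsec4_common_input_cb, which propagates the error, this path has already counted the bytes in `ipips_ibytes` and then records nothing about the drop, so a filter rule discarding inner packets is invisible in the statistics. Consider incrementing whichever ipipstat drop counter the rest of the function uses before the `return;`, and extending the comment to say that the mbuf belongs to ipsec_filter after a non-zero return — if that is not its contract, this site leaks the chain. _ipip_input continues outside the hunk.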