Date: Thu, 22 Dec 2016 14:27:07 +0000 (UTC) From: "Andrey V. Elsukov" <ae@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r310413 - in projects/ipsec/sys: conf netipsec Message-ID: <201612221427.uBMER7ka077529@repo.freebsd.org>
Author: ae Date: Thu Dec 22 14:27:07 2016 New Revision: 310413 URL: https://svnweb.freebsd.org/changeset/base/310413 Log: Add netipsec/subr_ipsec.c file. It is build into kernel when IPSEC or IPSEC_SUPPORT options configured. It contains code that is expanded for IPsec methods macros. Also update sys/conf/files to reflect changes related to IPSEC_SUPPORT option. And update functions declarations in ipsec[6].h. Added: projects/ipsec/sys/netipsec/subr_ipsec.c (contents, props changed) Modified: projects/ipsec/sys/conf/files projects/ipsec/sys/netipsec/ipsec.h projects/ipsec/sys/netipsec/ipsec6.h projects/ipsec/sys/netipsec/udpencap.c
Modified: projects/ipsec/sys/conf/files
==============================================================================
--- projects/ipsec/sys/conf/files Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/conf/files Thu Dec 22 14:27:07 2016 (r310413)
@@ -4067,7 +4067,6 @@ netinet/ip_encap.c optional inet | inet
 netinet/ip_fastfwd.c optional inet
 netinet/ip_icmp.c optional inet | inet6
 netinet/ip_input.c optional inet
-netinet/ip_ipsec.c optional inet ipsec
 netinet/ip_mroute.c optional mrouting inet
 netinet/ip_options.c optional inet
 netinet/ip_output.c optional inet
@@ -4136,7 +4135,6 @@ netinet6/ip6_id.c optional inet6
 netinet6/ip6_input.c optional inet6
 netinet6/ip6_mroute.c optional mrouting inet6
 netinet6/ip6_output.c optional inet6
-netinet6/ip6_ipsec.c optional inet6 ipsec
 netinet6/mld6.c optional inet6
 netinet6/nd6.c optional inet6
 netinet6/nd6_nbr.c optional inet6
@@ -4150,16 +4148,22 @@ netipsec/ipsec.c optional ipsec inet |
 netipsec/ipsec_input.c optional ipsec inet | ipsec inet6
 netipsec/ipsec_mbuf.c optional ipsec inet | ipsec inet6
 netipsec/ipsec_output.c optional ipsec inet | ipsec inet6
-netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6
-netipsec/key.c optional ipsec inet | ipsec inet6
-netipsec/key_debug.c optional ipsec inet | ipsec inet6
-netipsec/keysock.c optional ipsec inet | ipsec inet6
+netipsec/ipsec_pcb.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/key_debug.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/keysock.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
+netipsec/subr_ipsec.c optional ipsec inet | ipsec inet6 | \
+ ipsec_support inet | ipsec_support inet6
 netipsec/udpencap.c optional ipsec inet
 netipsec/xform_ah.c optional ipsec inet | ipsec inet6
 netipsec/xform_esp.c optional ipsec inet | ipsec inet6
 netipsec/xform_ipcomp.c optional ipsec inet | ipsec inet6
 netipsec/xform_tcp.c optional ipsec inet tcp_signature | \
- ipsec inet6 tcp_signature
+ ipsec inet6 tcp_signature
 netnatm/natm.c optional natm
 netnatm/natm_pcb.c optional natm
 netnatm/natm_proto.c optional natm
Modified: projects/ipsec/sys/netipsec/ipsec.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/ipsec.h Thu Dec 22 14:27:07 2016 (r310413)
@@ -310,19 +310,7 @@ struct secpolicy *ipsec4_checkpolicy(con
 int *);
 u_int ipsec_get_reqlevel(struct secpolicy *, u_int);
-size_t ipsec_hdrsiz_inpcb(struct inpcb *);
-int ipsec_init_pcbpolicy(struct inpcb *);
-int ipsec_delete_pcbpolicy(struct inpcb *);
-int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *);
-int ipsec_control_pcbpolicy(struct inpcb *, struct sockopt *);
-
-int tcp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
-int tcp_ipsec_input(struct mbuf *, struct tcphdr *, u_char *);
-int tcp_ipsec_output(struct mbuf *, struct tcphdr *, u_char *);
-
-int udp_ipsec_pcbctl(struct inpcb *, struct sockopt *);
-int udp_ipsec_input(struct mbuf *, int, int);
 void udp_ipsec_adjust_cksum(struct mbuf *, struct secasvar *, int, int);
 int udp_ipsec_output(struct mbuf *, struct secasvar *);
@@ -338,7 +326,10 @@ char *ipsec_logsastr(struct secasvar *,
 extern void ipsec_dumpmbuf(const struct mbuf *);
 int ipsec4_in_reject(const struct mbuf *, struct inpcb *);
-int ipsec4_common_input(struct mbuf **, int *, int);
+int ipsec4_input(struct mbuf *, int, int);
+int ipsec4_forward(struct mbuf *);
+int ipsec4_output(struct mbuf *, struct inpcb *);
+int ipsec4_capability(struct mbuf *, u_int);
 int ipsec4_common_input_cb(struct mbuf *, struct secasvar *, int, int);
 int ipsec4_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
 int ipsec_process_done(struct mbuf *, struct secpolicy *, struct secasvar *,
Modified: projects/ipsec/sys/netipsec/ipsec6.h
==============================================================================
--- projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/ipsec6.h Thu Dec 22 14:27:07 2016 (r310413)
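Review bot: The first hunk drops the prototype of `ipsec_hdrsiz_inpcb` from ipsec.h, yet subr_ipsec.c added by this same commit still takes its address (`.hdrsize = ipsec_hdrsiz_inpcb`), and `ipsec4_pcbctl`, also used there, is not among the prototypes the second hunk adds. Unless both now come from netipsec/ipsec_support.h, which this diff does not show, the IPSEC build of subr_ipsec.c will fail with an implicit-declaration error. The ipsec6.h hunk has the matching inconsistency: it declares `ip6_ipsec_pcbctl` while subr_ipsec.c initializes `.pcbctl = ipsec6_pcbctl`, so one of the two names has to follow the other. The removed `tcp_ipsec_*` and `udp_ipsec_*` prototypes likewise have no replacement in this hunk; if they moved to ipsec_support.h, a one-line comment here such as `/* Per-protocol IPsec hooks are declared in ipsec_support.h. */` would spare the next reader the search.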
@@ -59,17 +59,19 @@ VNET_DECLARE(int, ip6_ipsec_ecn);
 #define V_ip6_ipsec_ecn VNET(ip6_ipsec_ecn)
 struct inpcb;
-extern int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
 struct secpolicy *ipsec6_checkpolicy(const struct mbuf *, struct inpcb *, int *);
-struct m_tag;
-extern int ipsec6_common_input(struct mbuf **mp, int *offp, int proto);
-extern int ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav,
- int skip, int protoff);
-extern void esp6_ctlinput(int, struct sockaddr *, void *);
-int ipsec6_process_packet(struct mbuf *, struct secpolicy *,
- struct inpcb *);
+int ipsec6_input(struct mbuf *, int, int);
+int ipsec6_in_reject(const struct mbuf *, struct inpcb *);
+int ipsec6_forward(struct mbuf *);
+int ipsec6_output(struct mbuf *, struct inpcb *);
+int ipsec6_capability(struct mbuf *, u_int);
+int ipsec6_common_input_cb(struct mbuf *, struct secasvar *, int, int);
+int ipsec6_process_packet(struct mbuf *, struct secpolicy *, struct inpcb *);
+
+int ip6_ipsec_filtertunnel(struct mbuf *);
+int ip6_ipsec_pcbctl(struct inpcb *, struct sockopt *);
 #endif /*_KERNEL*/
 #endif /*_NETIPSEC_IPSEC6_H_*/
Added: projects/ipsec/sys/netipsec/subr_ipsec.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/ipsec/sys/netipsec/subr_ipsec.c Thu Dec 22 14:27:07 2016 (r310413)
@@ -0,0 +1,241 @@
+/*-
+ * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "opt_inet.h"
+#include "opt_inet6.h"
+#include "opt_ipsec.h"
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/module.h>
+#include <sys/priv.h>
+#include <sys/rmlock.h>
+#include <sys/socket.h>
+#include <sys/sockopt.h>
+#include <sys/syslog.h>
+#include <sys/proc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_pcb.h>
+
+#include <netipsec/ipsec_support.h>
+#include <netipsec/ipsec.h>
+#include <netipsec/ipsec6.h>
+#include <netipsec/key.h>
+#include <netipsec/key_debug.h>
+
+/*
+ * This file is build in the kernel only when 'options IPSEC' or
+ * 'options IPSEC_SUPPORT' is enabled.
+ */
+
+struct rmlock ipsec_kmod_lock;
+RM_SYSINIT(ipsec_kmod_lock, &ipsec_kmod_lock, "IPsec KLD lock");
+
+#define METHOD_DECL(...) __VA_ARGS__
+#define METHOD_ARGS(...) __VA_ARGS__
+#define IPSEC_KMOD_METHOD(name, sc, method, decl, args) \
+name (decl) \
+{ \
+ struct rm_priotracker tracker; \
+ int ret; \
+ IPSEC_ASSERT(sc != NULL, ("called with NULL methods")); \
+ rm_rlock(&ipsec_kmod_lock, &tracker); \
+ ret = (*sc->method)(args); \
+ rm_runlock(&ipsec_kmod_lock, &tracker); \
+ return (ret); \
+}
+
+static int
+ipsec_support_modevent(module_t mod, int type, void *data)
+{
+
+ switch (type) {
+ case MOD_LOAD:
+ return (0);
+ case MOD_UNLOAD:
+ return (EBUSY);
+ default:
+ return (EOPNOTSUPP);
+ }
+}
+
+static moduledata_t ipsec_support_mod = {
+ "ipsec_support",
+ ipsec_support_modevent,
+ 0
+};
+
+/*
+ * Declare IPSEC_SUPPORT as module to be able add dependency in
+ * ipsec.ko and tcpmd5.ko
+ */
+DECLARE_MODULE(ipsec_support, ipsec_support_mod,
+ SI_SUB_PROTO_DOMAIN, SI_ORDER_ANY);
+MODULE_VERSION(ipsec_support, 1);
+
+#ifdef TCP_SIGNATURE
+const int tcp_ipsec_support = 1;
+#else
+#ifdef IPSEC_SUPPORT
+volatile int tcp_ipsec_support = 0;
+const struct tcpmd5_support * volatile tcp_ipsec_methods = NULL;
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_input,
+ tcp_ipsec_methods,
+ input, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf),
+ METHOD_ARGS(m, th, buf)
+)
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_output,
+ tcp_ipsec_methods,
+ output, METHOD_DECL(struct mbuf *m, struct tcphdr *th, u_char *buf),
+ METHOD_ARGS(m, th, buf)
+)
+
+int IPSEC_KMOD_METHOD(tcpmd5_kmod_pcbctl,
+ tcp_ipsec_methods,
+ pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt),
+ METHOD_ARGS(inp, sopt)
+)
+#endif
+#endif
+
+#ifdef IPSEC
+/*
+ * IPsec support is build in the kernel. Additional locking isn't required.
+ */
+#ifdef INET
+static struct ipsec_support ipv4_ipsec = {
+ .input = ipsec4_input,
+ .forward = ipsec4_forward,
+ .output = ipsec4_output,
+ .pcbctl = ipsec4_pcbctl,
+ .capability = ipsec4_capability,
+ .check_policy = ipsec4_in_reject,
+ .hdrsize = ipsec_hdrsiz_inpcb
+};
+const int ipv4_ipsec_support = 1;
+const struct ipsec_support * const ipv4_ipsec_methods = &ipv4_ipsec;
+#endif
+
+#ifdef INET6
+static struct ipsec_support ipv6_ipsec = {
+ .input = ipsec6_input,
+ .forward = ipsec6_forward,
+ .output = ipsec6_output,
+ .pcbctl = ipsec6_pcbctl,
+ .capability = ipsec6_capability,
+ .check_policy = ipsec6_in_reject
+ .hdrsize = ipsec_hdrsiz_inpcb
+};
+const int ipv6_ipsec_support = 1;
+const struct ipsec_support * const ipv6_ipsec_methods = &ipv6_ipsec;
+#endif
+#else /* IPSEC_SUPPORT */
+/*
+ * IPsec support is build as kernel module.
+ */
+#ifdef INET
+volatile int ipv4_ipsec_support = 0;
+const struct ipsec_support * volatile ipv4_ipsec_methods = NULL;
+const struct udpencap_support * volatile udp_ipsec_methods = NULL;
+
+int IPSEC_KMOD_METHOD(udpencap_kmod_input,
+ udp_ipsec_methods,
+ input, METHOD_DECL(struct mbuf *m, int off, int af),
+ METHOD_ARGS(m, off, af)
+)
+
+int IPSEC_KMOD_METHOD(udpencap_kmod_pcbctl,
+ udp_ipsec_methods,
+ pcbctl, METHOD_DECL(struct inpcb *inp, struct sockopt *sopt),
+ METHOD_ARGS(inp, sopt)
+)
+#endif
+
+#ifdef INET6
+volatile int ipv6_ipsec_support = 0;
+const struct ipsec_support * volatile ipv6_ipsec_methods = NULL;
+#endif
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_input, sc,
+ input, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ int offset,int proto), METHOD_ARGS(m, offset, proto)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_check_policy, sc,
+ check_policy, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ struct inpcb *inp), METHOD_ARGS(m, inp)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_forward, sc,
+ forward, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m),
+ (m)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_output, sc,
+ output, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ struct inpcb *inp), METHOD_ARGS(m, inp)
+)
+
+int IPSEC_KMOD_METHOD(ipsec_kmod_pcbctl, sc,
+ pcbctl, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp,
+ struct sockopt *sopt), METHOD_ARGS(inp, sopt)
+)
+
+size_t IPSEC_KMOD_METHOD(ipsec_kmod_hdrsize, sc,
+ hdrsize, METHOD_DECL(const struct ipsec_support *sc, struct inpcb *inp),
+ (inp)
+)
+
+int static IPSEC_KMOD_METHOD(ipsec_kmod_caps, sc,
+ capability, METHOD_DECL(const struct ipsec_support *sc, struct mbuf *m,
+ u_int cap), METHOD_ARGS(m, cap)
+)
+
+int
+ipsec_kmod_capability(const struct ipsec_support *sc, struct mbuf *m,
+ u_int cap)
+{
+
+ /*
+ * Since PF_KEY is build in the kernel, we can use key_havesp()
+ * without taking the lock.
+ */
+ if (cap == IPSEC_CAP_OPERABLE)
+ return (key_havesp(IPSEC_DIR_INBOUND) != 0 ||
+ key_havesp(IPSEC_DIR_OUTBOUND) != 0);
+ return (ipsec_kmod_caps(sc, m, cap));
+}
+#endif
Modified: projects/ipsec/sys/netipsec/udpencap.c
==============================================================================
--- projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:21:14 2016 (r310412)
+++ projects/ipsec/sys/netipsec/udpencap.c Thu Dec 22 14:27:07 2016 (r310413)
@@ -28,6 +28,7 @@ __FBSDID("$FreeBSD$");
 #include "opt_inet.h"
+#include "opt_ipsec.h"
 #include <sys/param.h>
 #include <sys/systm.h>
@@ -57,6 +58,7 @@ __FBSDID("$FreeBSD$");
 #include <netipsec/key.h>
 #include <netipsec/key_debug.h>
+#include <netipsec/ipsec_support.h>
 #include <machine/in_cksum.h>
 /*
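Review bot: The `ipv6_ipsec` initializer under `#ifdef IPSEC` / `#ifdef INET6` is missing the comma after `.check_policy = ipsec6_in_reject`, so a kernel configured with both options will not compile; the line should read `.check_policy = ipsec6_in_reject,` as the `ipv4_ipsec` block does. Separately, in the `ipsec_kmod_*` wrappers under IPSEC_SUPPORT the `sc` pointer is supplied by the caller, so `ipsec_kmod_lock` is only acquired after the caller has already read it from `ipv4_ipsec_methods`/`ipv6_ipsec_methods`; if the provider module resets those pointers (presumably under the write lock) between that read and `rm_rlock`, the wrapper still dereferences the stale methods table, and `IPSEC_ASSERT` (presumably a KASSERT-style check) only catches the NULL case on INVARIANTS kernels. Either the callers, which are outside this hunk, must fetch the methods pointer under the same read lock, or the wrappers should load the global themselves after `rm_rlock` the way `tcpmd5_kmod_*` and `udpencap_kmod_*` do with `tcp_ipsec_methods`/`udp_ipsec_methods`. Minor: `int static IPSEC_KMOD_METHOD(ipsec_kmod_caps, ...)` places the storage class after the type, which compilers warn about, and `static int IPSEC_KMOD_METHOD(...)` would match the rest of the file; likewise `ipsec_kmod_forward` and `ipsec_kmod_hdrsize` pass `(m)` and `(inp)` where every other instance uses `METHOD_ARGS(...)`.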