MFC

Add a pseudo interface for packet filtering IPSec connections before or after encryption. r1.2 src/share/man/man4/enc.4 r1.4 src/share/man/man4/fast_ipsec.4 r1.1126 src/sys/conf/files r1.549 src/sys/conf/options r1.4 src/sys/net/if_enc.c r1.22 src/sys/net/if_types.h r1.12 src/sys/netipsec/ipsec.h r1.12 src/sys/netipsec/ipsec_input.c r1.12 src/sys/netipsec/ipsec_output.c r1.13 src/sys/netipsec/xform_ipip.c
2006-07-24 23:20:59 +00:00 · 2006-07-24 23:20:59 +00:00 · 9733837fc0
commit 9733837fc0
parent 6f74591a87
10 changed files with 50 additions and 5 deletions
--- a/share/man/man4/Makefile
+++ b/share/man/man4/Makefile
@ -67,6 +67,7 @@ MAN=	aac.4 \
 	ehci.4 \
 	em.4 \
 	en.4 \
+	enc.4 \
 	esp.4 \
 	exca.4 \
 	faith.4 \
--- a/share/man/man4/fast_ipsec.4
+++ b/share/man/man4/fast_ipsec.4
@ -78,10 +78,16 @@ When the
 protocols are configured for use, all protocols are included in the system.
 To selectively enable/disable protocols, use
 .Xr sysctl 8 .
+.Pp
+The packets can be passed to a virtual interface,
+.Dq enc0 ,
+to perform packet filtering before outbound encryption and after decapsulation
+inbound.
 .Sh DIAGNOSTICS
 To be added.
 .Sh SEE ALSO
 .Xr crypto 4 ,
+.Xr enc 4 ,
 .Xr ipsec 4 ,
 .Xr setkey 8 ,
 .Xr sysctl 8
--- a/sys/conf/files
+++ b/sys/conf/files
@ -1416,6 +1416,7 @@ net/if_bridge.c			optional if_bridge
 net/if_clone.c			standard
 net/if_disc.c			optional disc
 net/if_ef.c			optional ef
+net/if_enc.c			optional enc
 net/if_ethersubr.c		optional ether
 net/if_faith.c			optional faith
 net/if_fddisubr.c		optional fddi
--- a/sys/conf/options
+++ b/sys/conf/options
@ -338,6 +338,7 @@ BOOTP_NFSV3		opt_bootp.h
 BOOTP_WIRED_TO		opt_bootp.h
 BRIDGE			opt_bdg.h
 DEVICE_POLLING
+DEV_ENC			opt_enc.h
 DEV_PF			opt_pf.h
 DEV_PFLOG		opt_pf.h
 DEV_PFSYNC		opt_pf.h
--- a/sys/net/if_enc.c
+++ b/sys/net/if_enc.c
@ -85,7 +85,7 @@ struct enc_softc {
 static int	enc_ioctl(struct ifnet *, u_long, caddr_t);
 static int	enc_output(struct ifnet *ifp, struct mbuf *m,
 		    struct sockaddr *dst, struct rtentry *rt);
-static int	enc_clone_create(struct if_clone *, int, caddr_t);
+static int	enc_clone_create(struct if_clone *, int);
 static void	enc_clone_destroy(struct ifnet *);

 IFC_SIMPLE_DECLARE(enc, 1);
@ -101,7 +101,7 @@ enc_clone_destroy(struct ifnet *ifp)
 }

 static int
-enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
+enc_clone_create(struct if_clone *ifc, int unit)
 {
 	struct ifnet *ifp;
 	struct enc_softc *sc;
@ -205,11 +205,11 @@ ipsec_filter(struct mbuf **mp, int dir)
 		return (0);

 	/* Skip pfil(9) if no filters are loaded */
-	if (!(PFIL_HOOKED(&inet_pfil_hook)
+	if (inet_pfil_hook.ph_busy_count < 0
 #ifdef INET6
-	    || PFIL_HOOKED(&inet6_pfil_hook)
+	    && inet6_pfil_hook.ph_busy_count < 0
 #endif
-	    )) {
+	    ) {
 		return (0);
 	}

--- a/sys/net/if_types.h
+++ b/sys/net/if_types.h
@ -246,6 +246,7 @@
 #define	IFT_GIF		0xf0
 #define	IFT_PVC		0xf1
 #define	IFT_FAITH	0xf2
+#define	IFT_ENC		0xf4
 #define	IFT_PFLOG	0xf6
 #define	IFT_PFSYNC	0xf7
 #define	IFT_CARP	0xf8	/* Common Address Redundancy Protocol */
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@ -413,6 +413,8 @@ extern	void m_checkalignment(const char* where, struct mbuf *m0,
 extern	struct mbuf *m_makespace(struct mbuf *m0, int skip, int hlen, int *off);
 extern	caddr_t m_pad(struct mbuf *m, int n);
 extern	int m_striphdr(struct mbuf *m, int skip, int hlen);
+extern	int ipsec_filter(struct mbuf **, int);
+extern	void ipsec_bpf(struct mbuf *, struct secasvar *, int);
 #endif /* _KERNEL */

 #ifndef _KERNEL
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@ -43,6 +43,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -442,6 +443,18 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,

 	key_sa_recordxfer(sav, m);		/* record data transfer */

+#ifdef DEV_ENC
+	/*
+	 * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+	 * packet later after it has been decapsulated.
+	 */
+	ipsec_bpf(m, sav, AF_INET);
+
+	if (prot != IPPROTO_IPIP)
+		if ((error = ipsec_filter(&m, 1)) != 0)
+			return (error);
+#endif
+
 	/*
 	 * Re-dispatch via software interrupt.
 	 */
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@ -32,6 +32,7 @@
 #include "opt_inet.h"
 #include "opt_inet6.h"
 #include "opt_ipsec.h"
+#include "opt_enc.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -358,6 +359,13 @@ ipsec4_process_packet(
 		goto bad;

 	sav = isr->sav;
+
+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for packet filtering */
+	if ((error = ipsec_filter(&m, 2)) != 0)
+		goto bad;
+#endif
+
 	if (!tunalready) {
 		union sockaddr_union *dst = &sav->sah->saidx.dst;
 		int setdf;
@ -455,6 +463,11 @@ ipsec4_process_packet(
 		}
 	}

+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for bpf processing */
+	ipsec_bpf(m, sav, AF_INET);
+#endif
+
 	/*
 	 * Dispatch to the appropriate IPsec transform logic.  The
 	 * packet will be returned for transmission after crypto
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@ -41,6 +41,7 @@
 */
 #include "opt_inet.h"
 #include "opt_inet6.h"
+#include "opt_enc.h"

 #include <sys/param.h>
 #include <sys/systm.h>
@ -345,6 +346,12 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
 	/* Statistics */
 	ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;

+#ifdef DEV_ENC
+	/* pass the mbuf to enc0 for packet filtering */
+	if (ipsec_filter(&m, 1) != 0)
+		return;
+#endif
+
 	/*
 	 * Interface pointer stays the same; if no IPsec processing has
 	 * been done (or will be done), this will point to a normal