Implement the 'ipsec' option to match packets coming out of an ipsec tunnel.

Should work with both regular and fast ipsec (mutually exclusive). See manpage for more details. Submitted by: Ari Suutari (ari.suutari@syncrontech.com) Revised by: sam MFC after: 1 week
2003-07-04 21:42:32 +00:00 · 2003-07-04 21:42:32 +00:00 · c530f5973f
commit c530f5973f
parent d9dfac9f45
3 changed files with 38 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -927,6 +927,18 @@ with a
 .It Cm ipprecedence Ar precedence
 Matches IP packets whose precedence field is equal to
 .Ar precedence .
+.It Cm ipsec
+Matches packets that have IPSEC history associated with them
+(i.e. the packet comes encapsulated in IPSEC, the kernel
+has IPSEC support and IPSEC_FILTERGIF option, and can correctly
+decapsulate it).
+.Pp
+Note that specifying
+.Cm ipsec
+is different from specifying
+.Cm proto Ar ipsec
+as the latter will only look at the specific IP protocol field,
+irrespective of IPSEC kernel support and the validity of the IPSEC data.
 .It Cm iptos Ar spec
 Matches IP packets whose
 .Cm tos
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@ -225,6 +225,7 @@ enum tokens {
 	TOK_MAC,
 	TOK_MACTYPE,
 	TOK_VERREVPATH,
+	TOK_IPSEC,

 	TOK_PLR,
 	TOK_NOERROR,
@ -335,6 +336,7 @@ struct _s_x rule_options[] = {
 	{ "mac",		TOK_MAC },
 	{ "mac-type",		TOK_MACTYPE },
 	{ "verrevpath",		TOK_VERREVPATH },
+	{ "ipsec",		TOK_IPSEC },

 	{ "not",		TOK_NOT },		/* pseudo option */
 	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
@ -1226,6 +1228,10 @@ show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
 				printf(" verrevpath");
 				break;

+			case O_IPSEC:
+				printf(" ipsec");
+				break;
+
 			case O_KEEP_STATE:
 				printf(" keep-state");
 				break;
@ -3270,6 +3276,10 @@ add(int ac, char *av[])
 			fill_cmd(cmd, O_VERREVPATH, 0, 0);
 			break;

+		case TOK_IPSEC:
+			fill_cmd(cmd, O_IPSEC, 0, 0);
+			break;
+
 		default:
 			errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
 		}
--- a/sys/netinet/ip_fw2.c
+++ b/sys/netinet/ip_fw2.c
@ -73,6 +73,10 @@
 #include <netinet/udp.h>
 #include <netinet/udp_var.h>

+#ifdef IPSEC
+#include <netinet6/ipsec.h>
+#endif
+
 #include <netinet/if_ether.h> /* XXX for ETHERTYPE_IP */

 #include <machine/in_cksum.h>	/* XXX for in_cksum */
@ -1820,6 +1824,17 @@ ipfw_chk(struct ip_fw_args *args)
 				    verify_rev_path(src_ip, m->m_pkthdr.rcvif));
 				break;

+			case O_IPSEC:
+#ifdef FAST_IPSEC
+				match = (m_tag_find(m,
+				    PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
+#endif
+#ifdef IPSEC
+				match = (ipsec_gethist(m, NULL) != NULL);
+#endif
+				/* otherwise no match */
+				break;
+
 			/*
 			 * The second set of opcodes represents 'actions',
 			 * i.e. the terminal part of a rule once the packet
@ -2392,6 +2407,7 @@ check_ipfw_struct(struct ip_fw *rule, int size)
 		case O_TCPOPTS:
 		case O_ESTAB:
 		case O_VERREVPATH:
+		case O_IPSEC:
 			if (cmdlen != F_INSN_SIZE(ipfw_insn))
 				goto bad_size;
 			break;