Changeset View
Changeset View
Standalone View
Standalone View
head/sys/net/if_ipsec.c
| Show First 20 Lines • Show All 711 Lines • ▼ Show 20 Lines | |||||
| * Each tunneling interface has following security policies for | * Each tunneling interface has following security policies for | ||||
| * both AF: | * both AF: | ||||
| * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ | * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ | ||||
| * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid | * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid | ||||
| * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ | * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ | ||||
| * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid | * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid | ||||
| */ | */ | ||||
| static int | static int | ||||
| ipsec_newpolicies(struct secpolicy *sp[IPSEC_SPCOUNT], | ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], | ||||
| const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) | const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) | ||||
| { | { | ||||
| struct ipsecrequest *isr; | struct ipsecrequest *isr; | ||||
| int i; | int i; | ||||
| memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); | memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); | ||||
| for (i = 0; i < IPSEC_SPCOUNT; i++) { | for (i = 0; i < IPSEC_SPCOUNT; i++) { | ||||
| if ((sp[i] = key_newsp()) == NULL) | if ((sp[i] = key_newsp()) == NULL) | ||||
| goto fail; | goto fail; | ||||
| if ((isr = ipsec_newisr()) == NULL) | if ((isr = ipsec_newisr()) == NULL) | ||||
| goto fail; | goto fail; | ||||
| sp[i]->policy = IPSEC_POLICY_IPSEC; | sp[i]->policy = IPSEC_POLICY_IPSEC; | ||||
| sp[i]->state = IPSEC_SPSTATE_DEAD; | sp[i]->state = IPSEC_SPSTATE_DEAD; | ||||
| sp[i]->req[sp[i]->tcount++] = isr; | sp[i]->req[sp[i]->tcount++] = isr; | ||||
| sp[i]->created = time_second; | sp[i]->created = time_second; | ||||
| /* Use priority field to store if_index */ | |||||
| sp[i]->priority = sc->ifp->if_index; | |||||
| isr->level = IPSEC_LEVEL_UNIQUE; | isr->level = IPSEC_LEVEL_UNIQUE; | ||||
| isr->saidx.proto = IPPROTO_ESP; | isr->saidx.proto = IPPROTO_ESP; | ||||
| isr->saidx.mode = IPSEC_MODE_TUNNEL; | isr->saidx.mode = IPSEC_MODE_TUNNEL; | ||||
| isr->saidx.reqid = reqid; | isr->saidx.reqid = reqid; | ||||
| if (i % 2 == 0) { | if (i % 2 == 0) { | ||||
| sp[i]->spidx.dir = IPSEC_DIR_INBOUND; | sp[i]->spidx.dir = IPSEC_DIR_INBOUND; | ||||
| bcopy(src, &isr->saidx.dst, src->sa_len); | bcopy(src, &isr->saidx.dst, src->sa_len); | ||||
| bcopy(dst, &isr->saidx.src, dst->sa_len); | bcopy(dst, &isr->saidx.src, dst->sa_len); | ||||
| ▲ Show 20 Lines • Show All 186 Lines • ▼ Show 20 Lines | |||||
| { | { | ||||
| struct secpolicy *sp[IPSEC_SPCOUNT]; | struct secpolicy *sp[IPSEC_SPCOUNT]; | ||||
| struct secpolicy *oldsp[IPSEC_SPCOUNT]; | struct secpolicy *oldsp[IPSEC_SPCOUNT]; | ||||
| int i, f; | int i, f; | ||||
| sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); | sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); | ||||
| /* Allocate SP with new addresses. */ | /* Allocate SP with new addresses. */ | ||||
| if (ipsec_newpolicies(sp, src, dst, reqid) == 0) { | if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { | ||||
| /* Add new policies to SPDB */ | /* Add new policies to SPDB */ | ||||
| if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { | if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { | ||||
| for (i = 0; i < IPSEC_SPCOUNT; i++) | for (i = 0; i < IPSEC_SPCOUNT; i++) | ||||
| key_freesp(&sp[i]); | key_freesp(&sp[i]); | ||||
| return (EAGAIN); | return (EAGAIN); | ||||
| } | } | ||||
| IPSEC_SC_WLOCK(); | IPSEC_SC_WLOCK(); | ||||
| if ((f = sc->family) != 0) | if ((f = sc->family) != 0) | ||||
| ▲ Show 20 Lines • Show All 53 Lines • Show Last 20 Lines | |||||