head/sys/net/if_ipsec.c
* Each tunneling interface has following security policies for | * Each tunneling interface has following security policies for | ||||
* both AF: | * both AF: | ||||
* 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ | * 0.0.0.0/0[any] 0.0.0.0/0[any] -P in \ | ||||
* ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid | * ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid | ||||
* 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ | * 0.0.0.0/0[any] 0.0.0.0/0[any] -P out \ | ||||
* ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid | * ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid | ||||
*/ | */ | ||||
static int | static int | ||||
ipsec_newpolicies(struct secpolicy *sp[IPSEC_SPCOUNT], | ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT], | ||||
const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) | const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid) | ||||
{ | { | ||||
struct ipsecrequest *isr; | struct ipsecrequest *isr; | ||||
int i; | int i; | ||||
memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); | memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT); | ||||
for (i = 0; i < IPSEC_SPCOUNT; i++) { | for (i = 0; i < IPSEC_SPCOUNT; i++) { | ||||
if ((sp[i] = key_newsp()) == NULL) | if ((sp[i] = key_newsp()) == NULL) | ||||
goto fail; | goto fail; | ||||
if ((isr = ipsec_newisr()) == NULL) | if ((isr = ipsec_newisr()) == NULL) | ||||
goto fail; | goto fail; | ||||
sp[i]->policy = IPSEC_POLICY_IPSEC; | sp[i]->policy = IPSEC_POLICY_IPSEC; | ||||
sp[i]->state = IPSEC_SPSTATE_DEAD; | sp[i]->state = IPSEC_SPSTATE_DEAD; | ||||
sp[i]->req[sp[i]->tcount++] = isr; | sp[i]->req[sp[i]->tcount++] = isr; | ||||
sp[i]->created = time_second; | sp[i]->created = time_second; | ||||
/* Use priority field to store if_index */ | |||||
sp[i]->priority = sc->ifp->if_index; | |||||
isr->level = IPSEC_LEVEL_UNIQUE; | isr->level = IPSEC_LEVEL_UNIQUE; | ||||
isr->saidx.proto = IPPROTO_ESP; | isr->saidx.proto = IPPROTO_ESP; | ||||
isr->saidx.mode = IPSEC_MODE_TUNNEL; | isr->saidx.mode = IPSEC_MODE_TUNNEL; | ||||
isr->saidx.reqid = reqid; | isr->saidx.reqid = reqid; | ||||
if (i % 2 == 0) { | if (i % 2 == 0) { | ||||
sp[i]->spidx.dir = IPSEC_DIR_INBOUND; | sp[i]->spidx.dir = IPSEC_DIR_INBOUND; | ||||
bcopy(src, &isr->saidx.dst, src->sa_len); | bcopy(src, &isr->saidx.dst, src->sa_len); | ||||
bcopy(dst, &isr->saidx.src, dst->sa_len); | bcopy(dst, &isr->saidx.src, dst->sa_len); | ||||
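Review bot: The new `sp[i]->priority = sc->ifp->if_index;` line repurposes a field whose name implies SP ordering, and the comment above it says only what is stored, not why or which code reads it back. I would expand it to `/* priority is otherwise unused for if_ipsec policies; keep the owning if_index here so an SP can be mapped back to its interface. */` and add a sentence to the function's header comment (the block ending at `*/` above `static int`), which still describes only the two policies per address family. If key_register_ifnet() or the SPD insertion path orders entries by priority, this change makes the match order depend on interface index — worth confirming and documenting. Whatever later resolves the stored index should re-look up the ifnet by index rather than trusting the value if a policy can outlive a detaching interface; that consumer is outside this hunk, as is the remainder of ipsec_newpolicies() including its fail: label.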
{ | { | ||||
struct secpolicy *sp[IPSEC_SPCOUNT]; | struct secpolicy *sp[IPSEC_SPCOUNT]; | ||||
struct secpolicy *oldsp[IPSEC_SPCOUNT]; | struct secpolicy *oldsp[IPSEC_SPCOUNT]; | ||||
int i, f; | int i, f; | ||||
sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); | sx_assert(&ipsec_ioctl_sx, SA_XLOCKED); | ||||
/* Allocate SP with new addresses. */ | /* Allocate SP with new addresses. */ | ||||
if (ipsec_newpolicies(sp, src, dst, reqid) == 0) { | if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) { | ||||
/* Add new policies to SPDB */ | /* Add new policies to SPDB */ | ||||
if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { | if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) { | ||||
for (i = 0; i < IPSEC_SPCOUNT; i++) | for (i = 0; i < IPSEC_SPCOUNT; i++) | ||||
key_freesp(&sp[i]); | key_freesp(&sp[i]); | ||||
return (EAGAIN); | return (EAGAIN); | ||||
} | } | ||||
IPSEC_SC_WLOCK(); | IPSEC_SC_WLOCK(); | ||||
if ((f = sc->family) != 0) | if ((f = sc->family) != 0) | ||||