authorbz <bz@FreeBSD.org>2009-05-23 16:42:38 +0000
committerbz <bz@FreeBSD.org>2009-05-23 16:42:38 +0000
commit9642ff6e283a56096187f128604a36cf5e445825 (patch)
treeaf224eeb2132573550696e499948967fb4a2e0d7
parentdc84aec17116643eb20765e9bb3f4818bd52e4f4 (diff)
downloadFreeBSD-src-9642ff6e283a56096187f128604a36cf5e445825.zip
FreeBSD-src-9642ff6e283a56096187f128604a36cf5e445825.tar.gz
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL
kernel option. This also permits tuning of the option per virtual network stack, as well as separately for inet and inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks
-rw-r--r--share/man/man4/ipsec.412
-rw-r--r--sys/conf/NOTES7
-rw-r--r--sys/netinet/ip_ipsec.c11
-rw-r--r--sys/netinet6/ip6_ipsec.c11
-rw-r--r--sys/netipsec/ipsec.c16
-rw-r--r--sys/netipsec/ipsec.h1
-rw-r--r--sys/netipsec/ipsec6.h1
-rw-r--r--sys/netipsec/vipsec.h4
8 files changed, 51 insertions, 12 deletions
diff --git a/share/man/man4/ipsec.4 b/share/man/man4/ipsec.4
index 4bc45d6..47ccdb1 100644
--- a/share/man/man4/ipsec.4
+++ b/share/man/man4/ipsec.4
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd August 5, 2007
+.Dd May 23, 2009
.Dt IPSEC 4
.Os
.Sh NAME
@@ -37,7 +37,6 @@
.Nd Internet Protocol Security protocol
.Sh SYNOPSIS
.Cd "options IPSEC"
-.Cd "options IPSEC_FILTERTUNNEL"
.Cd "device crypto"
.Pp
.In sys/types.h
@@ -88,9 +87,12 @@ inbound.
.Pp
To properly filter on the inner packets of an
.Nm
-tunnel with firewalls, add
-.Cd "options IPSEC_FILTERTUNNEL"
-to the kernel configuration file.
+tunnel with firewalls, you can change the values of the following sysctls
+.Bl -column net.inet6.ipsec6.filtertunnel default enable
+.It Sy "Name Default Enable"
+.It net.inet.ipsec.filtertunnel 0 1
+.It net.inet6.ipsec6.filtertunnel 0 1
+.El
.\"
.Ss Kernel interface
.Nm
diff --git a/sys/conf/NOTES b/sys/conf/NOTES
index 7ba6ac4..0e5bb44 100644
--- a/sys/conf/NOTES
+++ b/sys/conf/NOTES
@@ -524,9 +524,10 @@ options ROUTETABLES=2 # max 16. 1 is back compatible.
options IPSEC #IP security (requires device crypto)
#options IPSEC_DEBUG #debug for IP security
#
-# Set IPSEC_FILTERTUNNEL to force packets coming through a tunnel
-# to be processed by any configured packet filtering twice.
-# The default is that packets coming out of a tunnel are _not_ processed;
+# #DEPRECATED#
+# Set IPSEC_FILTERTUNNEL to change the default of the sysctl to force packets
+# coming through a tunnel to be processed by any configured packet filtering
+# twice. The default is that packets coming out of a tunnel are _not_ processed;
# they are assumed trusted.
#
# IPSEC history is preserved for such packets, and can be filtered
diff --git a/sys/netinet/ip_ipsec.c b/sys/netinet/ip_ipsec.c
index 45364a8..ab5d22d 100644
--- a/sys/netinet/ip_ipsec.c
+++ b/sys/netinet/ip_ipsec.c
@@ -71,6 +71,10 @@ __FBSDID("$FreeBSD$");
extern struct protosw inetsw[];
+#ifdef VIMAGE_GLOBALS
+int ip4_ipsec_filtertunnel;
+#endif
+
/*
* Check if we have to jump over firewall processing for this packet.
* Called from ip_input().
@@ -79,11 +83,14 @@ extern struct protosw inetsw[];
int
ip_ipsec_filtertunnel(struct mbuf *m)
{
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
/*
* Bypass packet filtering for packets from a tunnel.
*/
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip4_ipsec_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
return 1;
#endif
return 0;
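Review bot: The comment `/* Bypass packet filtering for packets from a tunnel. */` above the new `if` at L104-L105 is now incomplete: the bypass only happens while the sysctl is clear, so a reader skimming the function sees what looks like an unconditional exemption. Suggest `/* Bypass packet filtering for packets from a tunnel unless net.inet.ipsec.filtertunnel is set (default: bypass). */`, and the same for the IPv6 twin in ip6_ipsec.c (lines 123-138), naming net.inet6.ipsec6.filtertunnel there. Because 0 remains the default, decapsulated inner packets still skip the firewall unless an administrator opts in, which is worth stating next to the check so the filtering gap reads as deliberate. The "Called from ip_input()" header comment in the IPv6 copy presumably meant ip6_input, though that line predates this change. ip_ipsec_filtertunnel's closing brace lies outside the hunk.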
diff --git a/sys/netinet6/ip6_ipsec.c b/sys/netinet6/ip6_ipsec.c
index a0c1abc..57a5044 100644
--- a/sys/netinet6/ip6_ipsec.c
+++ b/sys/netinet6/ip6_ipsec.c
@@ -76,6 +76,10 @@ __FBSDID("$FreeBSD$");
extern struct protosw inet6sw[];
+#ifdef VIMAGE_GLOBALS
+int ip6_ipsec6_filtertunnel;
+#endif
+
/*
* Check if we have to jump over firewall processing for this packet.
* Called from ip_input().
@@ -84,11 +88,14 @@ extern struct protosw inet6sw[];
int
ip6_ipsec_filtertunnel(struct mbuf *m)
{
-#if defined(IPSEC) && !defined(IPSEC_FILTERTUNNEL)
+#if defined(IPSEC)
+ INIT_VNET_IPSEC(curvnet);
+
/*
* Bypass packet filtering for packets from a tunnel.
*/
- if (m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
+ if (!V_ip6_ipsec6_filtertunnel &&
+ m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL)
return 1;
#endif
return 0;
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 4124d9d..6c42e32 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -167,6 +167,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat,
"IPsec IPv4 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
#ifdef REGRESSION
#ifdef VIMAGE_GLOBALS
@@ -228,6 +231,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS,
ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat,
"IPsec IPv6 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
#endif /* INET6 */
static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@@ -273,6 +279,11 @@ ipsec_init(void)
V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
V_ip4_esp_randpad = -1;
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip4_ipsec_filtertunnel = 1;
+#else
+ V_ip4_ipsec_filtertunnel = 0;
+#endif
V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
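Review bot: The new `#ifdef IPSEC_FILTERTUNNEL` block at L165-L169 duplicates the IPv6 block at L175-L179 and hard-codes the policy in two places, while the SYSCTL_V_INT descriptors earlier in the file pass a literal `0` as their value, so descriptor and effective initial value disagree whenever the deprecated option is compiled in. A single conditional near the top of the file defining one constant (for example a new `IPSEC_FILTERTUNNEL_DEFAULT` set to 1 or 0), used for both assignments and both descriptors, would keep them consistent and make the announced removal of the option a one-site change. My understanding is that the descriptor's value argument is ignored when a variable pointer is supplied, so this is a style and maintainability point rather than a behavioural one. ipsec_init begins before this hunk and its closing brace is in the following hunk.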
@@ -287,6 +298,11 @@ ipsec_init(void)
V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip6_ipsec6_filtertunnel = 1;
+#else
+ V_ip6_ipsec6_filtertunnel = 0;
+#endif
#endif
}
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index d5e7c157..c869ec8 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -348,6 +348,7 @@ extern int ip4_ah_cleartos;
extern int ip4_ah_offsetmask;
extern int ip4_ipsec_dfbit;
extern int ip4_ipsec_ecn;
+extern int ip4_ipsec_filtertunnel;
extern int ip4_esp_randpad;
extern int crypto_support;
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 6612407..2f49463 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -47,6 +47,7 @@ extern int ip6_esp_net_deflev;
extern int ip6_ah_trans_deflev;
extern int ip6_ah_net_deflev;
extern int ip6_ipsec_ecn;
+extern int ip6_ipsec6_filtertunnel;
struct inpcb;
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
index 12b37c7..4a643e5 100644
--- a/sys/netipsec/vipsec.h
+++ b/sys/netipsec/vipsec.h
@@ -57,6 +57,7 @@ struct vnet_ipsec {
int _ip4_ah_offsetmask;
int _ip4_ipsec_dfbit;
int _ip4_ipsec_ecn;
+ int _ip4_ipsec_filtertunnel;
int _ip4_esp_randpad;
int _ipsec_replay;
@@ -90,6 +91,7 @@ struct vnet_ipsec {
int _ip6_ah_trans_deflev;
int _ip6_ah_net_deflev;
int _ip6_ipsec_ecn;
+ int _ip6_ipsec6_filtertunnel;
int _ah_enable;
int _ah_cleartos;
@@ -142,12 +144,14 @@ extern struct vnet_ipsec vnet_ipsec_0;
#define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
#define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
#define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
+#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel)
#define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
#define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
#define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
#define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
#define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
#define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel)
#define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
#define V_ipcompstat VNET_IPSEC(ipcompstat)
#define V_ipip_allow VNET_IPSEC(ipip_allow)