authorbz <bz@FreeBSD.org>2007-11-28 22:33:53 +0000
committerbz <bz@FreeBSD.org>2007-11-28 22:33:53 +0000
commit05fda2a0bf2b957c1175b607bf125c590f44a416 (patch)
treef1d778f747c5bf1497e0442e09b46a480cdc112d /sys/netipsec/ipsec_input.c
parent4a39f29f1b08c6b6d6b082dee8129524b1fda5e5 (diff)
Add sysctls to if_enc(4) to control whether the firewalls or
bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selecting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well. [ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ] Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
Diffstat (limited to 'sys/netipsec/ipsec_input.c')
-rw-r--r--sys/netipsec/ipsec_input.c23
1 files changed, 21 insertions, 2 deletions
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index cea8aff..63677ec 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -444,6 +444,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
bcopy(&saidx->dst, &tdbi->dst, saidx->dst.sa.sa_len);
tdbi->proto = sproto;
tdbi->spi = sav->spi;
+ /* Cache those two for enc(4) in xform_ipip. */
+ tdbi->alg_auth = sav->alg_auth;
+ tdbi->alg_enc = sav->alg_enc;
m_tag_prepend(m, mtag);
} else if (mt != NULL) {
@@ -458,10 +461,10 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
* Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
* packet later after it has been decapsulated.
*/
- ipsec_bpf(m, sav, AF_INET);
+ ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
if (prot != IPPROTO_IPIP)
- if ((error = ipsec_filter(&m, PFIL_IN)) != 0)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
return (error);
#endif
@@ -703,6 +706,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
bcopy(&saidx->dst, &tdbi->dst, sizeof(union sockaddr_union));
tdbi->proto = sproto;
tdbi->spi = sav->spi;
+ /* Cache those two for enc(4) in xform_ipip. */
+ tdbi->alg_auth = sav->alg_auth;
+ tdbi->alg_enc = sav->alg_enc;
m_tag_prepend(m, mtag);
} else {
@@ -713,6 +719,19 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
key_sa_recordxfer(sav, m);
+#ifdef DEV_ENC
+ /*
+ * Pass the mbuf to enc0 for bpf and pfil. We will filter the IPIP
+ * packet later after it has been decapsulated.
+ */
+ ipsec_bpf(m, sav, AF_INET6, ENC_IN|ENC_BEFORE);
+
+ /* XXX-BZ does not make sense. */
+ if (prot != IPPROTO_IPIP)
+ if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
+ return (error);
+#endif
+
/* Retrieve new protocol */
m_copydata(m, protoff, sizeof(u_int8_t), (caddr_t) &nxt8);
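Review bot: The added `/* XXX-BZ does not make sense. */` in the IPv6 hunk leaves a self-flagged gap in the new filtering path: when `prot == IPPROTO_IPIP` the pfil pass is skipped on the assumption stated two lines above that the decapsulated packet is filtered later, so if that later pass is not reached on some path, tunnel-mode traffic would never be seen by the firewall at all. The marker should state what is wrong or what must hold for the skip to be safe, e.g. `/* IPIP is filtered again after decapsulation; skipping here avoids a double pass — confirm that path is reached for IPv6. */`, rather than leaving the reader to guess. The nested unbraced `if`s at that spot, and the matching pair in the IPv4 hunk, would be safer braced: `if (prot != IPPROTO_IPIP) {` … `}`. The enclosing ipsec6_common_input_cb starts and continues outside the hunk, and the `error` and `prot` locals the new block relies on are not visible here, so whether they are declared in this function cannot be confirmed from the diff.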