author | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
committer | bz <bz@FreeBSD.org> | 2009-05-23 16:42:38 +0000 |
commit | 9642ff6e283a56096187f128604a36cf5e445825 (patch) | |
tree | af224eeb2132573550696e499948967fb4a2e0d7 /sys/netipsec | |
parent | dc84aec17116643eb20765e9bb3f4818bd52e4f4 (diff) | |
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL
kernel option.
This also permits tuning of the option per virtual network stack, as
well as separately for inet and inet6.
The kernel option is left for a transition period, marked deprecated,
and will be removed soon.
Initially requested by: phk (1 year 1 day ago)
MFC after: 4 weeks
Diffstat (limited to 'sys/netipsec')
-rw-r--r-- | sys/netipsec/ipsec.c | 16 | ||||
-rw-r--r-- | sys/netipsec/ipsec.h | 1 | ||||
-rw-r--r-- | sys/netipsec/ipsec6.h | 1 | ||||
-rw-r--r-- | sys/netipsec/vipsec.h | 4 |
4 files changed, 22 insertions, 0 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 4124d9d..6c42e32 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -167,6 +167,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO, ipsecstats, CTLFLAG_RD, ipsec4stat, ipsecstat, "IPsec IPv4 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet_ipsec, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip4_ipsec_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
 #ifdef REGRESSION
 #ifdef VIMAGE_GLOBALS
@@ -228,6 +231,9 @@ SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_DEBUG,
 SYSCTL_V_STRUCT(V_NET, vnet_ipsec, _net_inet6_ipsec6, IPSECCTL_STATS, ipsecstats, CTLFLAG_RD, ipsec6stat, ipsecstat, "IPsec IPv6 statistics.");
+SYSCTL_V_INT(V_NET, vnet_ipsec, _net_inet6_ipsec6, OID_AUTO,
+ filtertunnel, CTLFLAG_RW, ip6_ipsec6_filtertunnel, 0,
+ "If set filter packets from an IPsec tunnel.");
 #endif /* INET6 */
 static int ipsec_setspidx_inpcb __P((struct mbuf *, struct inpcb *));
@@ -273,6 +279,11 @@ ipsec_init(void)
 V_ip4_ah_net_deflev = IPSEC_LEVEL_USE;
 V_ip4_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
 V_ip4_esp_randpad = -1;
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip4_ipsec_filtertunnel = 1;
+#else
+ V_ip4_ipsec_filtertunnel = 0;
+#endif
 V_crypto_support = CRYPTOCAP_F_HARDWARE | CRYPTOCAP_F_SOFTWARE;
@@ -287,6 +298,11 @@ ipsec_init(void)
 V_ip6_ah_trans_deflev = IPSEC_LEVEL_USE;
 V_ip6_ah_net_deflev = IPSEC_LEVEL_USE;
 V_ip6_ipsec_ecn = 0; /* ECN ignore(-1)/forbidden(0)/allowed(1) */
+#ifdef IPSEC_FILTERTUNNEL
+ V_ip6_ipsec6_filtertunnel = 1;
+#else
+ V_ip6_ipsec6_filtertunnel = 0;
+#endif
 #endif
 }
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index d5e7c157..c869ec8 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
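Review bot: The help string on both new sysctls, `"If set filter packets from an IPsec tunnel."`, is the only runtime documentation of a CTLFLAG_RW knob whose clearing presumably lets traffic decapsulated from an IPsec tunnel skip the packet filter, and it does not say so; I would spell out the cost of turning it off, e.g. `"If set, pass packets decapsulated from an IPsec tunnel through the packet filter (clearing this exempts tunnelled traffic from filtering)."`. The code that reads V_ip4_ipsec_filtertunnel and V_ip6_ipsec6_filtertunnel is not in this diff (the diffstat is limited to sys/netipsec), so I cannot confirm here that the input paths now consult the variable rather than the compile-time IPSEC_FILTERTUNNEL option; if they still use #ifdef, the sysctl is a no-op until that is switched over. The IPv6 variable is spelled ip6_ipsec6_filtertunnel while its neighbours in the same hunks (ip6_ipsec_ecn, ip4_ipsec_filtertunnel) use a single ipsec infix, and that spelling is carried into ipsec6.h and vipsec.h, so a rename to ip6_ipsec_filtertunnel would need to cover all three files. The two #ifdef IPSEC_FILTERTUNNEL blocks in ipsec_init() could also collapse into one default constant, though that is a matter of taste.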
@@ -348,6 +348,7 @@ extern int ip4_ah_cleartos;
 extern int ip4_ah_offsetmask;
 extern int ip4_ipsec_dfbit;
 extern int ip4_ipsec_ecn;
+extern int ip4_ipsec_filtertunnel;
 extern int ip4_esp_randpad;
 extern int crypto_support;
diff --git a/sys/netipsec/ipsec6.h b/sys/netipsec/ipsec6.h
index 6612407..2f49463 100644
--- a/sys/netipsec/ipsec6.h
+++ b/sys/netipsec/ipsec6.h
@@ -47,6 +47,7 @@ extern int ip6_esp_net_deflev;
 extern int ip6_ah_trans_deflev;
 extern int ip6_ah_net_deflev;
 extern int ip6_ipsec_ecn;
+extern int ip6_ipsec6_filtertunnel;
 struct inpcb;
diff --git a/sys/netipsec/vipsec.h b/sys/netipsec/vipsec.h
index 12b37c7..4a643e5 100644
--- a/sys/netipsec/vipsec.h
+++ b/sys/netipsec/vipsec.h
@@ -57,6 +57,7 @@ struct vnet_ipsec {
 int _ip4_ah_offsetmask;
 int _ip4_ipsec_dfbit;
 int _ip4_ipsec_ecn;
+ int _ip4_ipsec_filtertunnel;
 int _ip4_esp_randpad;
 int _ipsec_replay;
@@ -90,6 +91,7 @@ struct vnet_ipsec {
 int _ip6_ah_trans_deflev;
 int _ip6_ah_net_deflev;
 int _ip6_ipsec_ecn;
+ int _ip6_ipsec6_filtertunnel;
 int _ah_enable;
 int _ah_cleartos;
@@ -142,12 +144,14 @@ extern struct vnet_ipsec vnet_ipsec_0;
 #define V_ip4_esp_trans_deflev VNET_IPSEC(ip4_esp_trans_deflev)
 #define V_ip4_ipsec_dfbit VNET_IPSEC(ip4_ipsec_dfbit)
 #define V_ip4_ipsec_ecn VNET_IPSEC(ip4_ipsec_ecn)
+#define V_ip4_ipsec_filtertunnel VNET_IPSEC(ip4_ipsec_filtertunnel)
 #define V_ip6_ah_net_deflev VNET_IPSEC(ip6_ah_net_deflev)
 #define V_ip6_ah_trans_deflev VNET_IPSEC(ip6_ah_trans_deflev)
 #define V_ip6_esp_net_deflev VNET_IPSEC(ip6_esp_net_deflev)
 #define V_ip6_esp_randpad VNET_IPSEC(ip6_esp_randpad)
 #define V_ip6_esp_trans_deflev VNET_IPSEC(ip6_esp_trans_deflev)
 #define V_ip6_ipsec_ecn VNET_IPSEC(ip6_ipsec_ecn)
+#define V_ip6_ipsec6_filtertunnel VNET_IPSEC(ip6_ipsec6_filtertunnel)
 #define V_ipcomp_enable VNET_IPSEC(ipcomp_enable)
 #define V_ipcompstat VNET_IPSEC(ipcompstat)
 #define V_ipip_allow VNET_IPSEC(ipip_allow)