-rw-r--r-- | sys/netinet/in.h | 3 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 14 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 24 | ||||
-rw-r--r-- | sys/netinet/ip_var.h | 2 | ||||
-rw-r--r-- | sys/netinet6/ip6_input.c | 3 | ||||
-rw-r--r-- | sys/netinet6/ip6_output.c | 101 |
6 files changed, 84 insertions, 63 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index fa4cebe..5ec7ed7 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -702,7 +702,8 @@ int getsourcefilter(int, uint32_t, struct sockaddr *, socklen_t,
 #define IPCTL_FASTFORWARDING 14 /* use fast IP forwarding code */
 #define IPCTL_KEEPFAITH 15 /* FAITH IPv4->IPv6 translater ctl */
 #define IPCTL_GIF_TTL 16 /* default TTL for gif encap packet */
-#define IPCTL_MAXID 17
+#define IPCTL_IPSEC_INUSE 17
+#define IPCTL_MAXID 18
 #endif /* __BSD_VISIBLE */
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 77e6a48..81974fd 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -97,6 +97,11 @@ SYSCTL_VNET_INT(_net_inet_ip, IPCTL_FORWARDING, forwarding, CTLFLAG_RW,
 &VNET_NAME(ipforwarding), 0, "Enable IP forwarding between interfaces");
+VNET_DEFINE(int, ipipsec_in_use);
+SYSCTL_VNET_INT(_net_inet_ip, IPCTL_IPSEC_INUSE, ipsec_in_use, CTLFLAG_RW,
+ &VNET_NAME(ipipsec_in_use), 0,
+ "Enable IPSec processing of packets");
+
 static VNET_DEFINE(int, ipsendredirects) = 1; /* XXX */
 #define V_ipsendredirects VNET(ipsendredirects)
 SYSCTL_VNET_INT(_net_inet_ip, IPCTL_SENDREDIRECTS, redirect, CTLFLAG_RW,
@@ -471,7 +476,7 @@ tooshort:
 /*
 * Bypass packet filtering for packets previously handled by IPsec.
 */
- if (ip_ipsec_filtertunnel(m))
+ if (V_ipipsec_in_use && ip_ipsec_filtertunnel(m))
 goto passin;
 #endif /* IPSEC */
@@ -678,7 +683,7 @@ passin:
 m_freem(m);
 } else {
 #ifdef IPSEC
- if (ip_ipsec_fwd(m))
+ if (V_ipipsec_in_use && ip_ipsec_fwd(m))
 goto bad;
 #endif /* IPSEC */
 ip_forward(m, dchg);
@@ -725,7 +730,7 @@ ours:
 * note that we do not visit this with protocols with pcb layer
 * code - like udp/tcp/raw ip.
 */
- if (ip_ipsec_input(m))
+ if (V_ipipsec_in_use && ip_ipsec_input(m))
 goto bad;
 #endif /* IPSEC */
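Review bot: In the first ip_input.c hunk, `VNET_DEFINE(int, ipipsec_in_use);` carries no initializer, so the new `net.inet.ip.ipsec_in_use` knob starts at 0 and every hook this commit gates on it is skipped until an administrator turns it on — including the inbound check `if (V_ipipsec_in_use && ip_ipsec_input(m))`, which the comment above it presents as the policy check that pcb-layer protocols do not otherwise visit. On an IPSEC kernel that makes configured SPD entries inert by default: traffic that a policy presumably requires to be protected is accepted and forwarded in the clear, and, per the ip_output.c hunk, nothing is consulted on the send side either. Because the sysctl is CTLFLAG_RW the same bypass can also be flipped at runtime, which is a security-relevant control and should at least be documented. If opt-out rather than opt-in is intended, initialize it `VNET_DEFINE(int, ipipsec_in_use) = 1;` and make the description explicit, e.g. `"Enable IPsec policy enforcement and processing (0 bypasses all IPsec checks)"`.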
@@ -1524,7 +1529,8 @@ ip_forward(struct mbuf *m, int srcrt)
 * If IPsec is configured for this path,
 * override any possibly mtu value set by ip_output.
 */
- mtu = ip_ipsec_mtu(mcopy, mtu);
+ if (V_ipipsec_in_use)
+ mtu = ip_ipsec_mtu(mcopy, mtu);
 #endif /* IPSEC */
 /*
 * If the MTU was set before make sure we are below the
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 2db4578..aee6834 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -482,18 +482,20 @@ again:
 sendit:
 #ifdef IPSEC
- switch(ip_ipsec_output(&m, inp, &flags, &error)) {
- case 1:
- goto bad;
- case -1:
- goto done;
- case 0:
- default:
- break; /* Continue with packet processing. */
+ if (V_ipipsec_in_use) {
+ switch(ip_ipsec_output(&m, inp, &flags, &error)) {
+ case 1:
+ goto bad;
+ case -1:
+ goto done;
+ case 0:
+ default:
+ break; /* Continue with packet processing. */
+ }
+ /* Update variables that are affected by ipsec4_output(). */
+ ip = mtod(m, struct ip *);
+ hlen = ip->ip_hl << 2;
 }
- /* Update variables that are affected by ipsec4_output(). */
- ip = mtod(m, struct ip *);
- hlen = ip->ip_hl << 2;
 #endif /* IPSEC */
 /* Jump over all PFIL processing if hooks are not active. */
diff --git a/sys/netinet/ip_var.h b/sys/netinet/ip_var.h
index b2251ac..de08849 100644
--- a/sys/netinet/ip_var.h
+++ b/sys/netinet/ip_var.h
@@ -176,6 +176,7 @@ struct sockopt;
 VNET_DECLARE(u_short, ip_id); /* ip packet ctr, for ids */
 VNET_DECLARE(int, ip_defttl); /* default IP ttl */
 VNET_DECLARE(int, ipforwarding); /* ip forwarding */
+VNET_DECLARE(int, ipipsec_in_use);
 #ifdef IPSTEALTH
 VNET_DECLARE(int, ipstealth); /* stealth forwarding */
 #endif
@@ -191,6 +192,7 @@ extern struct pr_usrreqs rip_usrreqs;
 #define V_ip_id VNET(ip_id)
 #define V_ip_defttl VNET(ip_defttl)
 #define V_ipforwarding VNET(ipforwarding)
+#define V_ipipsec_in_use VNET(ipipsec_in_use)
 #ifdef IPSTEALTH
 #define V_ipstealth VNET(ipstealth)
 #endif
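Review bot: `VNET_DECLARE(int, ipipsec_in_use);` in the ip_var.h hunk is the only declaration in that list without a trailing comment, while its neighbours (`ip_defttl`, `ipforwarding`, `ipstealth`) each say what the knob means. Since this one decides whether the IPsec hooks in ip_input.c and ip_output.c run at all, it deserves the same, e.g. `VNET_DECLARE(int, ipipsec_in_use); /* apply IPsec processing and policy checks */`. It is also worth saying there that the value is the runtime sysctl `net.inet.ip.ipsec_in_use`, because a reader of the header cannot see the SYSCTL_VNET_INT that lives in ip_input.c.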
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index b6602d3..08f29a0 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -133,6 +133,7 @@ static struct netisr_handler ip6_nh = {
 .nh_policy = NETISR_POLICY_FLOW,
 };
+#define V_ipipsec_in_use VNET(ipipsec_in_use)
 VNET_DECLARE(struct callout, in6_tmpaddrtimer_ch);
 #define V_in6_tmpaddrtimer_ch VNET(in6_tmpaddrtimer_ch)
@@ -1004,6 +1005,7 @@ passin:
 }
 #ifdef IPSEC
+ if (V_ipipsec_in_use) {
 /*
 * enforce IPsec policy checking if we are seeing last header.
 * note that we do not visit this with protocols with pcb layer
@@ -1011,6 +1013,7 @@ passin:
 */
 if (ip6_ipsec_input(m, nxt))
 goto bad;
+ }
 #endif /* IPSEC */
 /*
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index 4fbac61..43c86d9 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -147,6 +147,7 @@ static int ip6_getpmtu(struct route_in6 *, struct route_in6 *,
 struct ifnet *, struct in6_addr *, u_long *, int *, u_int);
 static int copypktopts(struct ip6_pktopts *, struct ip6_pktopts *, int);
+#define V_ipipsec_in_use VNET(ipipsec_in_use)
 /*
 * Make an extension header from option data. hp is the source, and
@@ -345,19 +346,21 @@ ip6_output(struct mbuf *m0, struct ip6_pktopts *opt,
 }
 #ifdef IPSEC
- /*
- * IPSec checking which handles several cases.
- * FAST IPSEC: We re-injected the packet.
- */
- switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp))
- {
- case 1: /* Bad packet */
- goto freehdrs;
- case -1: /* IPSec done */
- goto done;
- case 0: /* No IPSec */
- default:
- break;
+ if (V_ipipsec_in_use) {
+ /*
+ * IPSec checking which handles several cases.
+ * FAST IPSEC: We re-injected the packet.
+ */
+ switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp))
+ {
+ case 1: /* Bad packet */
+ goto freehdrs;
+ case -1: /* IPSec done */
+ goto done;
+ case 0: /* No IPSec */
+ default:
+ break;
+ }
 }
 #endif /* IPSEC */
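Review bot: The `#define V_ipipsec_in_use VNET(ipipsec_in_use)` added near the top of ip6_input.c and again in ip6_output.c duplicates the macro this same commit adds to sys/netinet/ip_var.h beside `V_ipforwarding`, and neither file gains a matching `VNET_DECLARE`. If both files already include netinet/ip_var.h the local copies are redundant and will silently diverge if the header's definition ever changes; if they do not, the `VNET()` accessor is applied to a vnet variable that was never declared in that translation unit and the header include is what is actually missing. Either way the cleaner shape is to drop the two local `#define` lines and rely on the `VNET_DECLARE`/`V_` pair in ip_var.h, adding `#include <netinet/ip_var.h>` to whichever file lacks it — the include lists are outside these hunks, so I could not confirm which case applies.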
@@ -1722,19 +1725,21 @@ do { \
 #ifdef IPSEC
 case IPV6_IPSEC_POLICY: {
- caddr_t req;
- struct mbuf *m;
+ if (V_ipipsec_in_use) {
+ caddr_t req;
+ struct mbuf *m;
- if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
- break;
- if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
+ if ((error = soopt_getm(sopt, &m)) != 0) /* XXX */
+ break;
+ if ((error = soopt_mcopyin(sopt, m)) != 0) /* XXX */
+ break;
+ req = mtod(m, caddr_t);
+ error = ipsec_set_policy(in6p, optname, req,
+ m->m_len, (sopt->sopt_td != NULL) ?
+ sopt->sopt_td->td_ucred : NULL);
+ m_freem(m);
 break;
- req = mtod(m, caddr_t);
- error = ipsec_set_policy(in6p, optname, req,
- m->m_len, (sopt->sopt_td != NULL) ?
- sopt->sopt_td->td_ucred : NULL);
- m_freem(m);
- break;
+ }
 }
 #endif /* IPSEC */
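Review bot: With `V_ipipsec_in_use` false, the new `if (V_ipipsec_in_use) {` in the IPV6_IPSEC_POLICY setsockopt case skips the whole body including its `break;`, so control runs off the end of the case's `{ ... }` block and into whatever label follows `#endif /* IPSEC */` — that label and the rest of the enclosing switch are outside this hunk. If the intent is to land on a `default:` error path this is an unmarked fallthrough that the next edit to the switch will break; if not, a policy setsockopt with the knob off is silently handled by an unrelated option and reports success. Make the outcome explicit, e.g. close the block with `} else { error = ENOPROTOOPT; break; }`, or, if fallthrough is really wanted, put a `/* FALLTHROUGH */` comment after the closing brace. The getsockopt hunk below has the same shape.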
@@ -1933,31 +1938,33 @@ do { \
 #ifdef IPSEC
 case IPV6_IPSEC_POLICY: {
- caddr_t req = NULL;
- size_t len = 0;
- struct mbuf *m = NULL;
- struct mbuf **mp = &m;
- size_t ovalsize = sopt->sopt_valsize;
- caddr_t oval = (caddr_t)sopt->sopt_val;
-
- error = soopt_getm(sopt, &m); /* XXX */
- if (error != 0)
- break;
- error = soopt_mcopyin(sopt, m); /* XXX */
- if (error != 0)
+ if (V_ipipsec_in_use) {
+ caddr_t req = NULL;
+ size_t len = 0;
+ struct mbuf *m = NULL;
+ struct mbuf **mp = &m;
+ size_t ovalsize = sopt->sopt_valsize;
+ caddr_t oval = (caddr_t)sopt->sopt_val;
+
+ error = soopt_getm(sopt, &m); /* XXX */
+ if (error != 0)
+ break;
+ error = soopt_mcopyin(sopt, m); /* XXX */
+ if (error != 0)
+ break;
+ sopt->sopt_valsize = ovalsize;
+ sopt->sopt_val = oval;
+ if (m) {
+ req = mtod(m, caddr_t);
+ len = m->m_len;
+ }
+ error = ipsec_get_policy(in6p, req, len, mp);
+ if (error == 0)
+ error = soopt_mcopyout(sopt, m); /* XXX */
+ if (error == 0 && m)
+ m_freem(m);
 break;
- sopt->sopt_valsize = ovalsize;
- sopt->sopt_val = oval;
- if (m) {
- req = mtod(m, caddr_t);
- len = m->m_len;
 }
- error = ipsec_get_policy(in6p, req, len, mp);
- if (error == 0)
- error = soopt_mcopyout(sopt, m); /* XXX */
- if (error == 0 && m)
- m_freem(m);
- break;
 }
 #endif /* IPSEC */
|
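Review bot: In the relocated IPV6_IPSEC_POLICY getsockopt body, `m` is released only by `if (error == 0 && m) m_freem(m);`, so when `ipsec_get_policy` or `soopt_mcopyout` fails the chain obtained from `soopt_getm` is abandoned unless those callees free it on their own error paths, which is not visible here and is worth confirming now that the code is being touched. `ipsec_get_policy` is also handed `mp = &m`, so whatever it stores there replaces the request mbuf; if it does not consume the original, that one is lost on every successful call as well. As in the setsockopt hunk, a false `V_ipipsec_in_use` leaves this case block with no `break`, falling into the case after `#endif /* IPSEC */`, which lies outside this hunk. Once the callees' ownership rules are checked, a clearer shape is to free the request chain unconditionally after the copyout (`if (m != NULL) m_freem(m);`) rather than only on the success path.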