Diffstat (limited to 'sys/netipsec')
-rw-r--r--sys/netipsec/ipsec.c31
-rw-r--r--sys/netipsec/ipsec.h4
-rw-r--r--sys/netipsec/ipsec_input.c115
-rw-r--r--sys/netipsec/ipsec_mbuf.c11
-rw-r--r--sys/netipsec/ipsec_output.c35
-rw-r--r--sys/netipsec/key.c197
-rw-r--r--sys/netipsec/key_debug.h2
-rw-r--r--sys/netipsec/keysock.c63
-rw-r--r--sys/netipsec/xform_ah.c63
-rw-r--r--sys/netipsec/xform_esp.c75
-rw-r--r--sys/netipsec/xform_ipcomp.c45
-rw-r--r--sys/netipsec/xform_ipip.c57
12 files changed, 354 insertions, 344 deletions
diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c
index 154694a..f973688 100644
--- a/sys/netipsec/ipsec.c
+++ b/sys/netipsec/ipsec.c
@@ -53,6 +53,7 @@
#include <sys/syslog.h>
#include <sys/sysctl.h>
#include <sys/proc.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/route.h>
@@ -240,7 +241,7 @@ key_allocsp_default(const char* where, int tag)
KEYDEBUG(KEYDEBUG_IPSEC_STAMP,
printf("DP key_allocsp_default from %s:%u\n", where, tag));
- sp = &ip4_def_policy;
+ sp = &V_ip4_def_policy;
if (sp->policy != IPSEC_POLICY_DISCARD &&
sp->policy != IPSEC_POLICY_NONE) {
ipseclog((LOG_INFO, "fixed system default policy: %d->%d\n",
@@ -458,7 +459,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
sp = ipsec_getpolicybysock(m, dir, inp, error);
if (sp == NULL) {
IPSEC_ASSERT(*error != 0, ("getpolicy failed w/o error"));
- ipsec4stat.ips_out_inval++;
+ V_ipsec4stat.ips_out_inval++;
return NULL;
}
IPSEC_ASSERT(*error == 0, ("sp w/ error set to %u", *error));
@@ -468,7 +469,7 @@ ipsec4_checkpolicy(m, dir, flag, error, inp)
printf("%s: invalid policy %u\n", __func__, sp->policy);
/* fall thru... */
case IPSEC_POLICY_DISCARD:
- ipsec4stat.ips_out_polvio++;
+ V_ipsec4stat.ips_out_polvio++;
*error = -EINVAL; /* packet is discarded by caller */
break;
case IPSEC_POLICY_BYPASS:
@@ -1289,7 +1290,7 @@ ipsec_get_reqlevel(isr)
#define IPSEC_CHECK_DEFAULT(lev) \
(((lev) != IPSEC_LEVEL_USE && (lev) != IPSEC_LEVEL_REQUIRE \
&& (lev) != IPSEC_LEVEL_UNIQUE) \
- ? (ipsec_debug \
+ ? (V_ipsec_debug \
? log(LOG_INFO, "fixed system default level " #lev ":%d->%d\n",\
(lev), IPSEC_LEVEL_REQUIRE) \
: 0), \
@@ -1301,18 +1302,18 @@ ipsec_get_reqlevel(isr)
switch (((struct sockaddr *)&isr->sp->spidx.src)->sa_family) {
#ifdef INET
case AF_INET:
- esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_trans_deflev);
- esp_net_deflev = IPSEC_CHECK_DEFAULT(ip4_esp_net_deflev);
- ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_trans_deflev);
- ah_net_deflev = IPSEC_CHECK_DEFAULT(ip4_ah_net_deflev);
+ esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_trans_deflev);
+ esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_esp_net_deflev);
+ ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_trans_deflev);
+ ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip4_ah_net_deflev);
break;
#endif
#ifdef INET6
case AF_INET6:
- esp_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_trans_deflev);
- esp_net_deflev = IPSEC_CHECK_DEFAULT(ip6_esp_net_deflev);
- ah_trans_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_trans_deflev);
- ah_net_deflev = IPSEC_CHECK_DEFAULT(ip6_ah_net_deflev);
+ esp_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_trans_deflev);
+ esp_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_esp_net_deflev);
+ ah_trans_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_trans_deflev);
+ ah_net_deflev = IPSEC_CHECK_DEFAULT(V_ip6_ah_net_deflev);
break;
#endif /* INET6 */
default:
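Review bot: The `#lev` stringification in IPSEC_CHECK_DEFAULT (shown in the preceding hunk) now receives `V_ip4_esp_trans_deflev` and its siblings, so the "fixed system default level" log line will print the `V_`-prefixed spelling instead of the name administrators know from the sysctl. Because `#` stringifies the argument as written, this holds however the V_ names are defined. If anything matches on that log text, pass the display name separately, or at least record the change with a comment above the macro such as `/* NB: #lev logs the V_-prefixed spelling */`. The switch statement continues outside the hunk.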
@@ -1472,7 +1473,7 @@ ipsec4_in_reject(m, inp)
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
- ipsec4stat.ips_in_polvio++;
+ V_ipsec4stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0; /* XXX should be panic ?
@@ -1512,7 +1513,7 @@ ipsec6_in_reject(m, inp)
if (sp != NULL) {
result = ipsec_in_reject(sp, m);
if (result)
- ipsec6stat.ips_in_polvio++;
+ V_ipsec6stat.ips_in_polvio++;
KEY_FREESP(&sp);
} else {
result = 0;
@@ -1936,7 +1937,7 @@ ipsec_dumpmbuf(m)
static void
ipsec_attach(void)
{
- SECPOLICY_LOCK_INIT(&ip4_def_policy);
+ SECPOLICY_LOCK_INIT(&V_ip4_def_policy);
ip4_def_policy.refcnt = 1; /* NB: disallow free */
}
SYSINIT(ipsec, SI_SUB_PROTO_DOMAIN, SI_ORDER_FIRST, ipsec_attach, NULL);
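Review bot: ipsec_attach() is only half converted: the lock is initialised on `V_ip4_def_policy`, but the next line still writes `ip4_def_policy.refcnt = 1;` through the unprefixed name. If the V_ name ever resolves to per-instance storage, the reference count that is meant to keep the default policy from being freed would be set on a different object from the one that is locked and returned by key_allocsp_default(). Change the line to `V_ip4_def_policy.refcnt = 1; /* NB: disallow free */`.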
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
index 6c7e4fb..6f04611 100644
--- a/sys/netipsec/ipsec.h
+++ b/sys/netipsec/ipsec.h
@@ -351,9 +351,9 @@ extern int ip4_ipsec_ecn;
extern int ip4_esp_randpad;
extern int crypto_support;
-#define ipseclog(x) do { if (ipsec_debug) log x; } while (0)
+#define ipseclog(x) do { if (V_ipsec_debug) log x; } while (0)
/* for openbsd compatibility */
-#define DPRINTF(x) do { if (ipsec_debug) printf x; } while (0)
+#define DPRINTF(x) do { if (V_ipsec_debug) printf x; } while (0)
extern struct ipsecrequest *ipsec_newisr(void);
extern void ipsec_delisr(struct ipsecrequest *);
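Review bot: `ipseclog()` and `DPRINTF()` now expand to a reference to `V_ipsec_debug`, but nothing in this hunk shows ipsec.h providing that name; the commit instead adds `#include <sys/vimage.h>` to each .c file, which is presumably where the V_ names come from. Any file that uses these macros and was not touched by this commit would then depend on include order. Either include the header from ipsec.h itself or document the requirement next to the macros, e.g. `/* users of ipseclog/DPRINTF must include <sys/vimage.h> for V_ipsec_debug */`.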
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
index edd2223..0041698 100644
--- a/sys/netipsec/ipsec_input.c
+++ b/sys/netipsec/ipsec_input.c
@@ -54,6 +54,7 @@
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/syslog.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/pfil.h>
@@ -117,8 +118,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
u_int32_t spi;
int error;
- IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input,
- ipcompstat.ipcomps_input);
+ IPSEC_ISTAT(sproto, V_espstat.esps_input, V_ahstat.ahs_input,
+ V_ipcompstat.ipcomps_input);
IPSEC_ASSERT(m != NULL, ("null packet"));
@@ -126,19 +127,19 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
sproto == IPPROTO_IPCOMP,
("unexpected security protocol %u", sproto));
- if ((sproto == IPPROTO_ESP && !esp_enable) ||
- (sproto == IPPROTO_AH && !ah_enable) ||
- (sproto == IPPROTO_IPCOMP && !ipcomp_enable)) {
+ if ((sproto == IPPROTO_ESP && !V_esp_enable) ||
+ (sproto == IPPROTO_AH && !V_ah_enable) ||
+ (sproto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_pdrops, ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
+ V_ipcompstat.ipcomps_pdrops);
return EOPNOTSUPP;
}
if (m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)) {
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
DPRINTF(("%s: packet too small\n", __func__));
return EINVAL;
}
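Review bot: The length guard `m->m_pkthdr.len - skip < 2 * sizeof (u_int32_t)` compares a signed difference against a `size_t`, so if `skip` (an `int` parameter) ever exceeds the packet length, the negative result converts to a large unsigned value and the check lets the packet through. Whether every caller guarantees `skip <= m->m_pkthdr.len` is not visible here, and this is the first check applied to received packet data. A form that does not depend on the callers is `if (skip < 0 || m->m_pkthdr.len < skip || (size_t)(m->m_pkthdr.len - skip) < 2 * sizeof (u_int32_t))`. The same pattern appears in the `sizeof(struct ip)` and `sizeof(struct ip6_hdr)` checks in ipsec4_common_input_cb() and ipsec6_common_input_cb() further down. The function body starts and ends outside the hunk.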
@@ -183,8 +184,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
default:
DPRINTF(("%s: unsupported protocol family %u\n", __func__, af));
m_freem(m);
- IPSEC_ISTAT(sproto, espstat.esps_nopf, ahstat.ahs_nopf,
- ipcompstat.ipcomps_nopf);
+ IPSEC_ISTAT(sproto, V_espstat.esps_nopf, V_ahstat.ahs_nopf,
+ V_ipcompstat.ipcomps_nopf);
return EPFNOSUPPORT;
}
@@ -194,8 +195,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, espstat.esps_notdb, ahstat.ahs_notdb,
- ipcompstat.ipcomps_notdb);
+ IPSEC_ISTAT(sproto, V_espstat.esps_notdb, V_ahstat.ahs_notdb,
+ V_ipcompstat.ipcomps_notdb);
m_freem(m);
return ENOENT;
}
@@ -204,8 +205,8 @@ ipsec_common_input(struct mbuf *m, int skip, int protoff, int af, int sproto)
DPRINTF(("%s: attempted to use uninitialized SA %s/%08lx/%u\n",
__func__, ipsec_address(&dst_address),
(u_long) ntohl(spi), sproto));
- IPSEC_ISTAT(sproto, espstat.esps_noxform, ahstat.ahs_noxform,
- ipcompstat.ipcomps_noxform);
+ IPSEC_ISTAT(sproto, V_espstat.esps_noxform, V_ahstat.ahs_noxform,
+ V_ipcompstat.ipcomps_noxform);
KEY_FREESAV(&sav);
m_freem(m);
return ENXIO;
@@ -307,8 +308,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
- ipcompstat.ipcomps_badkcr);
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
+ V_ipcompstat.ipcomps_badkcr);
KEY_FREESAV(&sav);
return EINVAL;
}
@@ -319,8 +320,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
DPRINTF(("%s: processing failed for SA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = ENOBUFS;
goto bad;
}
@@ -341,9 +342,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -372,9 +373,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsp_address(saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
+ V_ahstat.ahs_pdrops,
+ V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -385,9 +386,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -414,9 +415,9 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
- ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
+ V_ahstat.ahs_pdrops,
+ V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -437,8 +438,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
@@ -478,8 +479,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
* Re-dispatch via software interrupt.
*/
if ((error = netisr_queue(NETISR_IP, m))) {
- IPSEC_ISTAT(sproto, espstat.esps_qfull, ahstat.ahs_qfull,
- ipcompstat.ipcomps_qfull);
+ IPSEC_ISTAT(sproto, V_espstat.esps_qfull, V_ahstat.ahs_qfull,
+ V_ipcompstat.ipcomps_qfull);
DPRINTF(("%s: queue full; proto %u packet dropped\n",
__func__, sproto));
@@ -532,9 +533,9 @@ ipsec6_common_input(struct mbuf **mp, int *offp, int proto)
if (protoff + l != *offp) {
DPRINTF(("%s: bad packet header chain, protoff %u, "
"l %u, off %u\n", __func__, protoff, l, *offp));
- IPSEC_ISTAT(proto, espstat.esps_hdrops,
- ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(proto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
m_freem(*mp);
*mp = NULL;
return IPPROTO_DONE;
@@ -579,8 +580,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
/* Sanity check */
if (m == NULL) {
DPRINTF(("%s: null mbuf", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_badkcr, ahstat.ahs_badkcr,
- ipcompstat.ipcomps_badkcr);
+ IPSEC_ISTAT(sproto, V_espstat.esps_badkcr, V_ahstat.ahs_badkcr,
+ V_ipcompstat.ipcomps_badkcr);
error = EINVAL;
goto bad;
}
@@ -593,8 +594,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops, ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops, V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = EACCES;
goto bad;
}
@@ -612,9 +613,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip ipn;
if (m->m_pkthdr.len - skip < sizeof(struct ip)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -639,8 +640,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTATsproto, (espstat.esps_pdrops,
- ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTATsproto, (V_espstat.esps_pdrops,
+ V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
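Review bot: The added line `IPSEC_ISTATsproto, (V_espstat.esps_pdrops,` carries over a malformed macro call from the old code: the opening parenthesis sits after `sproto,` instead of before it. It presumably only survives because this region is not compiled in the default configuration, which also means the rename on these two lines is untested. Fix it while the line is being touched: `IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,`. The enclosing block begins outside the hunk.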
@@ -652,9 +653,9 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
struct ip6_hdr ip6n;
if (m->m_pkthdr.len - skip < sizeof(struct ip6_hdr)) {
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops,
- ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops,
+ V_ipcompstat.ipcomps_hdrops);
error = EINVAL;
goto bad;
}
@@ -681,8 +682,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- IPSEC_ISTAT(sproto, espstat.esps_pdrops,
- ahstat.ahs_pdrops, ipcompstat.ipcomps_pdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_pdrops,
+ V_ahstat.ahs_pdrops, V_ipcompstat.ipcomps_pdrops);
error = EACCES;
goto bad;
}
@@ -702,8 +703,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
sizeof(struct tdb_ident), M_NOWAIT);
if (mtag == NULL) {
DPRINTF(("%s: failed to get tag\n", __func__));
- IPSEC_ISTAT(sproto, espstat.esps_hdrops,
- ahstat.ahs_hdrops, ipcompstat.ipcomps_hdrops);
+ IPSEC_ISTAT(sproto, V_espstat.esps_hdrops,
+ V_ahstat.ahs_hdrops, V_ipcompstat.ipcomps_hdrops);
error = ENOMEM;
goto bad;
}
@@ -751,8 +752,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
nest = 0;
nxt = nxt8;
while (nxt != IPPROTO_DONE) {
- if (ip6_hdrnestlimit && (++nest > ip6_hdrnestlimit)) {
- ip6stat.ip6s_toomanyhdr++;
+ if (V_ip6_hdrnestlimit && (++nest > V_ip6_hdrnestlimit)) {
+ V_ip6stat.ip6s_toomanyhdr++;
error = EINVAL;
goto bad;
}
@@ -762,7 +763,7 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
* more sanity checks in header chain processing.
*/
if (m->m_pkthdr.len < skip) {
- ip6stat.ip6s_tooshort++;
+ V_ip6stat.ip6s_tooshort++;
in6_ifstat_inc(m->m_pkthdr.rcvif, ifs6_in_truncated);
error = EINVAL;
goto bad;
diff --git a/sys/netipsec/ipsec_mbuf.c b/sys/netipsec/ipsec_mbuf.c
index d4ec42a..79c1928 100644
--- a/sys/netipsec/ipsec_mbuf.c
+++ b/sys/netipsec/ipsec_mbuf.c
@@ -36,6 +36,7 @@
#include <sys/systm.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
+#include <sys/vimage.h>
#include <net/route.h>
#include <netinet/in.h>
@@ -88,7 +89,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
return (NULL);
n->m_next = m->m_next; /* splice new mbuf */
m->m_next = n;
- ipsec4stat.ips_mbinserted++;
+ V_ipsec4stat.ips_mbinserted++;
if (hlen <= M_TRAILINGSPACE(m) + remain) {
/*
* New header fits in the old mbuf if we copy
@@ -122,7 +123,7 @@ m_makespace(struct mbuf *m0, int skip, int hlen, int *off)
/* splice in second mbuf */
n2->m_next = n->m_next;
n->m_next = n2;
- ipsec4stat.ips_mbinserted++;
+ V_ipsec4stat.ips_mbinserted++;
} else {
memcpy(mtod(n, caddr_t) + hlen,
mtod(m, caddr_t) + skip, remain);
@@ -238,7 +239,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
/* Remove the header and associated data from the mbuf. */
if (roff == 0) {
/* The header was at the beginning of the mbuf */
- ipsec4stat.ips_input_front++;
+ V_ipsec4stat.ips_input_front++;
m_adj(m1, hlen);
if ((m1->m_flags & M_PKTHDR) == 0)
m->m_pkthdr.len -= hlen;
@@ -250,7 +251,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* so first let's remove the remainder of the header from
* the beginning of the remainder of the mbuf chain, if any.
*/
- ipsec4stat.ips_input_end++;
+ V_ipsec4stat.ips_input_end++;
if (roff + hlen > m1->m_len) {
/* Adjust the next mbuf by the remainder */
m_adj(m1->m_next, roff + hlen - m1->m_len);
@@ -275,7 +276,7 @@ m_striphdr(struct mbuf *m, int skip, int hlen)
* The header lies in the "middle" of the mbuf; copy
* the remainder of the mbuf down over the header.
*/
- ipsec4stat.ips_input_middle++;
+ V_ipsec4stat.ips_input_middle++;
bcopy(mtod(m1, u_char *) + roff + hlen,
mtod(m1, u_char *) + roff,
m1->m_len - (roff + hlen));
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
index 72840c2..88ff2f6 100644
--- a/sys/netipsec/ipsec_output.c
+++ b/sys/netipsec/ipsec_output.c
@@ -42,6 +42,7 @@
#include <sys/socket.h>
#include <sys/errno.h>
#include <sys/syslog.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/pfil.h>
@@ -159,7 +160,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
* doing further processing.
*/
if (isr->next) {
- ipsec4stat.ips_out_bundlesa++;
+ V_ipsec4stat.ips_out_bundlesa++;
return ipsec4_process_packet(m, isr->next, 0, 0);
}
key_sa_recordxfer(sav, m); /* record data transfer */
@@ -284,7 +285,7 @@ again:
* this packet because it is responsibility for
* upper layer to retransmit the packet.
*/
- ipsec4stat.ips_out_nosa++;
+ V_ipsec4stat.ips_out_nosa++;
goto bad;
}
sav = isr->sav;
@@ -308,13 +309,13 @@ again:
/*
* Check system global policy controls.
*/
- if ((isr->saidx.proto == IPPROTO_ESP && !esp_enable) ||
- (isr->saidx.proto == IPPROTO_AH && !ah_enable) ||
- (isr->saidx.proto == IPPROTO_IPCOMP && !ipcomp_enable)) {
+ if ((isr->saidx.proto == IPPROTO_ESP && !V_esp_enable) ||
+ (isr->saidx.proto == IPPROTO_AH && !V_ah_enable) ||
+ (isr->saidx.proto == IPPROTO_IPCOMP && !V_ipcomp_enable)) {
DPRINTF(("%s: IPsec outbound packet dropped due"
" to policy (check your sysctls)\n", __func__));
- IPSEC_OSTAT(espstat.esps_pdrops, ahstat.ahs_pdrops,
- ipcompstat.ipcomps_pdrops);
+ IPSEC_OSTAT(V_espstat.esps_pdrops, V_ahstat.ahs_pdrops,
+ V_ipcompstat.ipcomps_pdrops);
*error = EHOSTUNREACH;
goto bad;
}
@@ -325,8 +326,8 @@ again:
*/
if (sav->tdb_xform == NULL) {
DPRINTF(("%s: no transform for SA\n", __func__));
- IPSEC_OSTAT(espstat.esps_noxform, ahstat.ahs_noxform,
- ipcompstat.ipcomps_noxform);
+ IPSEC_OSTAT(V_espstat.esps_noxform, V_ahstat.ahs_noxform,
+ V_ipcompstat.ipcomps_noxform);
*error = EHOSTUNREACH;
goto bad;
}
@@ -394,10 +395,10 @@ ipsec4_process_packet(
}
ip = mtod(m, struct ip *);
/* Honor system-wide control of how to handle IP_DF */
- switch (ip4_ipsec_dfbit) {
+ switch (V_ip4_ipsec_dfbit) {
case 0: /* clear in outer header */
case 1: /* set in outer header */
- setdf = ip4_ipsec_dfbit;
+ setdf = V_ip4_ipsec_dfbit;
break;
default: /* propagate to outer header */
setdf = ntohs(ip->ip_off & IP_DF);
@@ -676,7 +677,7 @@ ipsec6_encapsulate(struct mbuf *m, struct secasvar *sav)
/* construct new IPv6 header. see RFC 2401 5.1.2.2 */
/* ECN consideration. */
- ip6_ecn_ingress(ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
+ ip6_ecn_ingress(V_ip6_ipsec_ecn, &ip6->ip6_flow, &oip6->ip6_flow);
if (plen < IPV6_MAXPACKET - sizeof(struct ip6_hdr))
ip6->ip6_plen = htons(plen);
else {
@@ -755,14 +756,14 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
ipseclog((LOG_ERR, "%s: family mismatched between "
"inner and outer, spi=%u\n", __func__,
ntohl(isr->sav->spi)));
- ipsec6stat.ips_out_inval++;
+ V_ipsec6stat.ips_out_inval++;
error = EAFNOSUPPORT;
goto bad;
}
m = ipsec6_splithdr(m);
if (!m) {
- ipsec6stat.ips_out_nomem++;
+ V_ipsec6stat.ips_out_nomem++;
error = ENOMEM;
goto bad;
}
@@ -790,8 +791,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
rtalloc(state->ro);
}
if (state->ro->ro_rt == 0) {
- ip6stat.ip6s_noroute++;
- ipsec6stat.ips_out_noroute++;
+ V_ip6stat.ip6s_noroute++;
+ V_ipsec6stat.ips_out_noroute++;
error = EHOSTUNREACH;
goto bad;
}
@@ -805,7 +806,7 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
m = ipsec6_splithdr(m);
if (!m) {
- ipsec6stat.ips_out_nomem++;
+ V_ipsec6stat.ips_out_nomem++;
error = ENOMEM;
goto bad;
}
diff --git a/sys/netipsec/key.c b/sys/netipsec/key.c
index dc66a39..e575cdc 100644
--- a/sys/netipsec/key.c
+++ b/sys/netipsec/key.c
@@ -96,6 +96,7 @@
/* randomness */
#include <sys/random.h>
+#include <sys/vimage.h>
#define FULLMASK 0xff
#define _BITS(bytes) ((bytes) << 3)
@@ -554,7 +555,7 @@ int
key_havesp(u_int dir)
{
return (dir == IPSEC_DIR_INBOUND || dir == IPSEC_DIR_OUTBOUND ?
- LIST_FIRST(&sptree[dir]) != NULL : 1);
+ LIST_FIRST(&V_sptree[dir]) != NULL : 1);
}
/* %%% IPsec policy management */
@@ -582,7 +583,7 @@ key_allocsp(struct secpolicyindex *spidx, u_int dir, const char* where, int tag)
kdebug_secpolicyindex(spidx));
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("*** in SPD\n");
kdebug_secpolicyindex(&sp->spidx));
@@ -639,7 +640,7 @@ key_allocsp2(u_int32_t spi,
kdebug_sockaddr(&dst->sa));
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
KEYDEBUG(KEYDEBUG_IPSEC_DATA,
printf("*** in SPD\n");
kdebug_secpolicyindex(&sp->spidx));
@@ -700,7 +701,7 @@ key_gettunnel(const struct sockaddr *osrc,
}
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)
continue;
@@ -859,11 +860,11 @@ key_allocsa_policy(const struct secasindex *saidx)
const u_int *state_valid;
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, saidx, CMP_MODE_REQID)) {
- if (key_preferred_oldsa) {
+ if (V_key_preferred_oldsa) {
state_valid = saorder_state_valid_prefer_old;
arraysize = N(saorder_state_valid_prefer_old);
} else {
@@ -928,7 +929,7 @@ key_do_allocsa_policy(struct secashead *sah, u_int state)
IPSEC_ASSERT(sav->lft_c != NULL, ("null sav lifetime"));
/* What the best method is to compare ? */
- if (key_preferred_oldsa) {
+ if (V_key_preferred_oldsa) {
if (candidate->lft_c->addtime >
sav->lft_c->addtime) {
candidate = sav;
@@ -1062,14 +1063,14 @@ key_allocsa(
* encrypted so we can't check internal IP header.
*/
SAHTREE_LOCK();
- if (key_preferred_oldsa) {
+ if (V_key_preferred_oldsa) {
saorder_state_valid = saorder_state_valid_prefer_old;
arraysize = _ARRAYLEN(saorder_state_valid_prefer_old);
} else {
saorder_state_valid = saorder_state_valid_prefer_new;
arraysize = _ARRAYLEN(saorder_state_valid_prefer_new);
}
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
/* search valid state */
for (stateidx = 0; stateidx < arraysize; stateidx++) {
state = saorder_state_valid[stateidx];
@@ -1270,7 +1271,7 @@ key_getsp(struct secpolicyindex *spidx)
IPSEC_ASSERT(spidx != NULL, ("null spidx"));
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[spidx->dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[spidx->dir], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)
continue;
if (key_cmpspidx_exactly(spidx, &sp->spidx)) {
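Review bot: `V_sptree[spidx->dir]` is indexed with a caller-supplied direction, and the only precondition visible in this hunk is the NULL assertion on `spidx`, whereas key_havesp() explicitly range-checks `dir` before touching the array. If the value is validated by the callers, it is still worth asserting here so an out-of-range direction cannot walk memory beyond the table, e.g. `IPSEC_ASSERT(spidx->dir == IPSEC_DIR_INBOUND || spidx->dir == IPSEC_DIR_OUTBOUND, ("invalid direction %u", spidx->dir));`. The function continues outside the hunk.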
@@ -1294,7 +1295,7 @@ key_getspbyid(u_int32_t id)
struct secpolicy *sp;
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[IPSEC_DIR_INBOUND], chain) {
+ LIST_FOREACH(sp, &V_sptree[IPSEC_DIR_INBOUND], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)
continue;
if (sp->id == id) {
@@ -1303,7 +1304,7 @@ key_getspbyid(u_int32_t id)
}
}
- LIST_FOREACH(sp, &sptree[IPSEC_DIR_OUTBOUND], chain) {
+ LIST_FOREACH(sp, &V_sptree[IPSEC_DIR_OUTBOUND], chain) {
if (sp->state == IPSEC_SPSTATE_DEAD)
continue;
if (sp->id == id) {
@@ -1905,7 +1906,7 @@ key_spdadd(so, m, mhp)
newsp->refcnt = 1; /* do not reclaim until I say I do */
newsp->state = IPSEC_SPSTATE_ALIVE;
- LIST_INSERT_TAIL(&sptree[newsp->spidx.dir], newsp, secpolicy, chain);
+ LIST_INSERT_TAIL(&V_sptree[newsp->spidx.dir], newsp, secpolicy, chain);
/* delete the entry in spacqtree */
if (mhp->msg->sadb_msg_type == SADB_X_SPDUPDATE) {
@@ -1974,12 +1975,12 @@ static u_int32_t
key_getnewspid()
{
u_int32_t newid = 0;
- int count = key_spi_trycnt; /* XXX */
+ int count = V_key_spi_trycnt; /* XXX */
struct secpolicy *sp;
/* when requesting to allocate spi ranged */
while (count--) {
- newid = (policy_id = (policy_id == ~0 ? 1 : policy_id + 1));
+ newid = (V_policy_id = (V_policy_id == ~0 ? 1 : V_policy_id + 1));
if ((sp = key_getspbyid(newid)) == NULL)
break;
@@ -2266,7 +2267,7 @@ key_spdacquire(sp)
/* Get an entry to check whether sent message or not. */
newspacq = key_getspacq(&sp->spidx);
if (newspacq != NULL) {
- if (key_blockacq_count < newspacq->count) {
+ if (V_key_blockacq_count < newspacq->count) {
/* reset counter and do send message. */
newspacq->count = 0;
} else {
@@ -2331,7 +2332,7 @@ key_spdflush(so, m, mhp)
for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[dir], chain)
+ LIST_FOREACH(sp, &V_sptree[dir], chain)
sp->state = IPSEC_SPSTATE_DEAD;
SPTREE_UNLOCK();
}
@@ -2382,7 +2383,7 @@ key_spddump(so, m, mhp)
/* search SPD entry and get buffer size. */
cnt = 0;
for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
cnt++;
}
}
@@ -2391,7 +2392,7 @@ key_spddump(so, m, mhp)
return key_senderror(so, m, ENOENT);
for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
--cnt;
n = key_setdumpsp(sp, SADB_X_SPDDUMP, cnt,
mhp->msg->sadb_msg_pid);
@@ -2646,7 +2647,7 @@ key_newsah(saidx)
newsah->state = SADB_SASTATE_MATURE;
SAHTREE_LOCK();
- LIST_INSERT_HEAD(&sahtree, newsah, chain);
+ LIST_INSERT_HEAD(&V_sahtree, newsah, chain);
SAHTREE_UNLOCK();
}
return(newsah);
@@ -2668,9 +2669,9 @@ key_delsah(sah)
/* searching all SA registerd in the secindex. */
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_any);
+ stateidx < _ARRAYLEN(V_saorder_state_any);
stateidx++) {
- u_int state = saorder_state_any[stateidx];
+ u_int state = V_saorder_state_any[stateidx];
LIST_FOREACH_SAFE(sav, &sah->savtree[state], chain, nextsav) {
if (sav->refcnt == 0) {
/* sanity check */
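Review bot: `saorder_state_any` gains a `V_` prefix here (as does `saorder_state_alive` in key_getsavbyspi() and key_delete_all()), while the sibling tables `saorder_state_valid_prefer_old` and `saorder_state_valid_prefer_new` used in key_allocsa_policy() and key_allocsa() stay unprefixed. These look like fixed state-ordering tables rather than per-instance tunables, so virtualising only some of them seems accidental. `_ARRAYLEN()` is presumably sizeof-based, in which case it only yields the element count while the V_ name still designates an array and not a pointer. Unless the tables really must differ per instance, keep `_ARRAYLEN(saorder_state_any)` and `saorder_state_any[stateidx]`.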
@@ -2738,7 +2739,7 @@ key_newsav(m, mhp, sah, errp, where, tag)
/* sync sequence number */
if (mhp->msg->sadb_msg_seq == 0)
newsav->seq =
- (acq_seq = (acq_seq == ~0 ? 1 : ++acq_seq));
+ (V_acq_seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq));
else
#endif
newsav->seq = mhp->msg->sadb_msg_seq;
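Review bot: `(V_acq_seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq))` both assigns to and pre-increments the same object within one expression, and C leaves those two side effects unsequenced (undefined behaviour). Write it without the embedded increment, `(V_acq_seq = (V_acq_seq == ~0 ? 1 : V_acq_seq + 1));`, which matches the form key_getnewspid() already uses for `V_policy_id`. The statement sits inside a preprocessor conditional whose opening is outside the hunk.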
@@ -2884,7 +2885,7 @@ key_getsah(saidx)
struct secashead *sah;
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID))
@@ -2920,7 +2921,7 @@ key_checkspidup(saidx, spi)
sav = NULL;
/* check all SAD */
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (!key_ismyaddr((struct sockaddr *)&sah->saidx.dst))
continue;
sav = key_getsavbyspi(sah, spi);
@@ -2950,10 +2951,10 @@ key_getsavbyspi(sah, spi)
SAHTREE_LOCK_ASSERT();
/* search all status */
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_alive);
+ stateidx < _ARRAYLEN(V_saorder_state_alive);
stateidx++) {
- state = saorder_state_alive[stateidx];
+ state = V_saorder_state_alive[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
/* sanity check */
@@ -3716,7 +3717,7 @@ key_ismyaddr(sa)
#ifdef INET
case AF_INET:
sin = (struct sockaddr_in *)sa;
- for (ia = in_ifaddrhead.tqh_first; ia;
+ for (ia = V_in_ifaddrhead.tqh_first; ia;
ia = ia->ia_link.tqe_next)
{
if (sin->sin_family == ia->ia_addr.sin_family &&
@@ -3753,7 +3754,7 @@ key_ismyaddr6(sin6)
struct in6_ifaddr *ia;
struct in6_multi *in6m;
- for (ia = in6_ifaddr; ia; ia = ia->ia_next) {
+ for (ia = V_in6_ifaddr; ia; ia = ia->ia_next) {
if (key_sockaddrcmp((struct sockaddr *)&sin6,
(struct sockaddr *)&ia->ia_addr, 0) == 0)
return 1;
@@ -4080,7 +4081,7 @@ key_flush_spd(time_t now)
for (dir = 0; dir < IPSEC_DIR_MAX; dir++) {
restart:
SPTREE_LOCK();
- LIST_FOREACH(sp, &sptree[dir], chain) {
+ LIST_FOREACH(sp, &V_sptree[dir], chain) {
if (sp->scangen == gen) /* previously handled */
continue;
sp->scangen = gen;
@@ -4113,7 +4114,7 @@ key_flush_sad(time_t now)
/* SAD */
SAHTREE_LOCK();
- LIST_FOREACH_SAFE(sah, &sahtree, chain, nextsah) {
+ LIST_FOREACH_SAFE(sah, &V_sahtree, chain, nextsah) {
/* if sah has been dead, then delete it and process next sah. */
if (sah->state == SADB_SASTATE_DEAD) {
key_delsah(sah);
@@ -4122,7 +4123,7 @@ key_flush_sad(time_t now)
/* if LARVAL entry doesn't become MATURE, delete it. */
LIST_FOREACH_SAFE(sav, &sah->savtree[SADB_SASTATE_LARVAL], chain, nextsav) {
- if (now - sav->created > key_larval_lifetime)
+ if (now - sav->created > V_key_larval_lifetime)
KEY_FREESAV(&sav);
}
@@ -4250,9 +4251,9 @@ key_flush_acq(time_t now)
/* ACQ tree */
ACQ_LOCK();
- for (acq = LIST_FIRST(&acqtree); acq != NULL; acq = nextacq) {
+ for (acq = LIST_FIRST(&V_acqtree); acq != NULL; acq = nextacq) {
nextacq = LIST_NEXT(acq, chain);
- if (now - acq->created > key_blockacq_lifetime
+ if (now - acq->created > V_key_blockacq_lifetime
&& __LIST_CHAINED(acq)) {
LIST_REMOVE(acq, chain);
free(acq, M_IPSEC_SAQ);
@@ -4268,9 +4269,9 @@ key_flush_spacq(time_t now)
/* SP ACQ tree */
SPACQ_LOCK();
- for (acq = LIST_FIRST(&spacqtree); acq != NULL; acq = nextacq) {
+ for (acq = LIST_FIRST(&V_spacqtree); acq != NULL; acq = nextacq) {
nextacq = LIST_NEXT(acq, chain);
- if (now - acq->created > key_blockacq_lifetime
+ if (now - acq->created > V_key_blockacq_lifetime
&& __LIST_CHAINED(acq)) {
LIST_REMOVE(acq, chain);
free(acq, M_IPSEC_SAQ);
@@ -4602,15 +4603,15 @@ key_do_getnewspi(spirange, saidx)
{
u_int32_t newspi;
u_int32_t min, max;
- int count = key_spi_trycnt;
+ int count = V_key_spi_trycnt;
/* set spi range to allocate */
if (spirange != NULL) {
min = spirange->sadb_spirange_min;
max = spirange->sadb_spirange_max;
} else {
- min = key_spi_minval;
- max = key_spi_maxval;
+ min = V_key_spi_minval;
+ max = V_key_spi_maxval;
}
/* IPCOMP needs 2-byte SPI */
if (saidx->proto == IPPROTO_IPCOMP) {
@@ -4657,7 +4658,7 @@ key_do_getnewspi(spirange, saidx)
/* statistics */
keystat.getspi_count =
- (keystat.getspi_count + key_spi_trycnt - count) / 2;
+ (keystat.getspi_count + V_key_spi_trycnt - count) / 2;
return newspi;
}
@@ -5180,7 +5181,7 @@ key_delete(so, m, mhp)
/* get a SA header */
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
@@ -5248,7 +5249,7 @@ key_delete_all(so, m, mhp, proto)
KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx);
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
@@ -5256,9 +5257,9 @@ key_delete_all(so, m, mhp, proto)
/* Delete all non-LARVAL SAs. */
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_alive);
+ stateidx < _ARRAYLEN(V_saorder_state_alive);
stateidx++) {
- state = saorder_state_alive[stateidx];
+ state = V_saorder_state_alive[stateidx];
if (state == SADB_SASTATE_LARVAL)
continue;
for (sav = LIST_FIRST(&sah->savtree[state]);
@@ -5363,7 +5364,7 @@ key_get(so, m, mhp)
/* get a SA header */
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, &saidx, CMP_HEAD) == 0)
@@ -5440,14 +5441,14 @@ key_getcomb_esp()
continue;
/* discard algorithms with key size smaller than system min */
- if (_BITS(algo->maxkey) < ipsec_esp_keymin)
+ if (_BITS(algo->maxkey) < V_ipsec_esp_keymin)
continue;
- if (_BITS(algo->minkey) < ipsec_esp_keymin)
- encmin = ipsec_esp_keymin;
+ if (_BITS(algo->minkey) < V_ipsec_esp_keymin)
+ encmin = V_ipsec_esp_keymin;
else
encmin = _BITS(algo->minkey);
- if (ipsec_esp_auth)
+ if (V_ipsec_esp_auth)
m = key_getcomb_ah();
else {
IPSEC_ASSERT(l <= MLEN,
@@ -5546,7 +5547,7 @@ key_getcomb_ah()
continue;
key_getsizes_ah(algo, i, &minkeysize, &maxkeysize);
/* discard algorithms with key size smaller than system min */
- if (_BITS(minkeysize) < ipsec_ah_keymin)
+ if (_BITS(minkeysize) < V_ipsec_ah_keymin)
continue;
if (!m) {
@@ -5705,7 +5706,7 @@ key_acquire(const struct secasindex *saidx, struct secpolicy *sp)
*/
/* Get an entry to check whether sending message or not. */
if ((newacq = key_getacq(saidx)) != NULL) {
- if (key_blockacq_count < newacq->count) {
+ if (V_key_blockacq_count < newacq->count) {
/* reset counter and do send message. */
newacq->count = 0;
} else {
@@ -5863,13 +5864,13 @@ key_newacq(const struct secasindex *saidx)
/* copy secindex */
bcopy(saidx, &newacq->saidx, sizeof(newacq->saidx));
- newacq->seq = (acq_seq == ~0 ? 1 : ++acq_seq);
+ newacq->seq = (V_acq_seq == ~0 ? 1 : ++V_acq_seq);
newacq->created = time_second;
newacq->count = 0;
/* add to acqtree */
ACQ_LOCK();
- LIST_INSERT_HEAD(&acqtree, newacq, chain);
+ LIST_INSERT_HEAD(&V_acqtree, newacq, chain);
ACQ_UNLOCK();
return newacq;
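Review bot: Once `V_acq_seq` reaches `~0`, the `newacq->seq` assignment yields 1 without storing anything back, so the counter stays at `~0` and every later entry gets sequence 1. key_getacqbyseq (a later hunk) looks entries up by `acq->seq`, so such entries could no longer be told apart there. The read-modify-write also runs before `ACQ_LOCK()` is taken in this hunk, so whether it is serialised depends on callers that are not visible here. Resetting on wrap, `if (V_acq_seq == ~0) V_acq_seq = 0;` followed by `newacq->seq = ++V_acq_seq;`, and doing it under the lock would address both. The function body starts outside the hunk.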
@@ -5881,7 +5882,7 @@ key_getacq(const struct secasindex *saidx)
struct secacq *acq;
ACQ_LOCK();
- LIST_FOREACH(acq, &acqtree, chain) {
+ LIST_FOREACH(acq, &V_acqtree, chain) {
if (key_cmpsaidx(saidx, &acq->saidx, CMP_EXACTLY))
break;
}
@@ -5897,7 +5898,7 @@ key_getacqbyseq(seq)
struct secacq *acq;
ACQ_LOCK();
- LIST_FOREACH(acq, &acqtree, chain) {
+ LIST_FOREACH(acq, &V_acqtree, chain) {
if (acq->seq == seq)
break;
}
@@ -5926,7 +5927,7 @@ key_newspacq(spidx)
/* add to spacqtree */
SPACQ_LOCK();
- LIST_INSERT_HEAD(&spacqtree, acq, chain);
+ LIST_INSERT_HEAD(&V_spacqtree, acq, chain);
SPACQ_UNLOCK();
return acq;
@@ -5939,7 +5940,7 @@ key_getspacq(spidx)
struct secspacq *acq;
SPACQ_LOCK();
- LIST_FOREACH(acq, &spacqtree, chain) {
+ LIST_FOREACH(acq, &V_spacqtree, chain) {
if (key_cmpspidx_exactly(spidx, &acq->spidx)) {
/* NB: return holding spacq_lock */
return acq;
@@ -6050,7 +6051,7 @@ key_acquire2(so, m, mhp)
/* get a SA index */
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (sah->state == SADB_SASTATE_DEAD)
continue;
if (key_cmpsaidx(&sah->saidx, &saidx, CMP_MODE_REQID))
@@ -6099,7 +6100,7 @@ key_register(so, m, mhp)
IPSEC_ASSERT(mhp->msg != NULL, ("null msg"));
/* check for invalid register message */
- if (mhp->msg->sadb_msg_satype >= sizeof(regtree)/sizeof(regtree[0]))
+ if (mhp->msg->sadb_msg_satype >= sizeof(V_regtree)/sizeof(V_regtree[0]))
return key_senderror(so, m, EINVAL);
/* When SATYPE_UNSPEC is specified, only return sabd_supported. */
@@ -6108,7 +6109,7 @@ key_register(so, m, mhp)
/* check whether existing or not */
REGTREE_LOCK();
- LIST_FOREACH(reg, &regtree[mhp->msg->sadb_msg_satype], chain) {
+ LIST_FOREACH(reg, &V_regtree[mhp->msg->sadb_msg_satype], chain) {
if (reg->so == so) {
REGTREE_UNLOCK();
ipseclog((LOG_DEBUG, "%s: socket exists already.\n",
@@ -6129,7 +6130,7 @@ key_register(so, m, mhp)
((struct keycb *)sotorawcb(so))->kp_registered++;
/* add regnode to regtree. */
- LIST_INSERT_HEAD(&regtree[mhp->msg->sadb_msg_satype], newreg, chain);
+ LIST_INSERT_HEAD(&V_regtree[mhp->msg->sadb_msg_satype], newreg, chain);
REGTREE_UNLOCK();
setmsg:
@@ -6257,7 +6258,7 @@ key_freereg(struct socket *so)
*/
REGTREE_LOCK();
for (i = 0; i <= SADB_SATYPE_MAX; i++) {
- LIST_FOREACH(reg, &regtree[i], chain) {
+ LIST_FOREACH(reg, &V_regtree[i], chain) {
if (reg->so == so && __LIST_CHAINED(reg)) {
LIST_REMOVE(reg, chain);
free(reg, M_IPSEC_SAR);
@@ -6436,7 +6437,7 @@ key_flush(so, m, mhp)
/* no SATYPE specified, i.e. flushing all SA. */
SAHTREE_LOCK();
- for (sah = LIST_FIRST(&sahtree);
+ for (sah = LIST_FIRST(&V_sahtree);
sah != NULL;
sah = nextsah) {
nextsah = LIST_NEXT(sah, chain);
@@ -6446,9 +6447,9 @@ key_flush(so, m, mhp)
continue;
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_alive);
+ stateidx < _ARRAYLEN(V_saorder_state_alive);
stateidx++) {
- state = saorder_state_any[stateidx];
+ state = V_saorder_state_any[stateidx];
for (sav = LIST_FIRST(&sah->savtree[state]);
sav != NULL;
sav = nextsav) {
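Review bot: The state loop takes its bound from `_ARRAYLEN(V_saorder_state_alive)` but indexes `V_saorder_state_any[stateidx]`, so the bound and the array being walked do not match. The array definitions are not on this page. If the `any` list is longer, the flush skips SAs in its trailing states; if it is shorter, the index runs past its end. key_delete_all pairs the alive bound with the alive array and key_dump pairs any with any, so use one name on both lines here, for example `stateidx < _ARRAYLEN(V_saorder_state_any);` if flush is meant to cover every state. The loop body continues outside the hunk.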
@@ -6524,15 +6525,15 @@ key_dump(so, m, mhp)
/* count sav entries to be sent to the userland. */
cnt = 0;
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC
&& proto != sah->saidx.proto)
continue;
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_any);
+ stateidx < _ARRAYLEN(V_saorder_state_any);
stateidx++) {
- state = saorder_state_any[stateidx];
+ state = V_saorder_state_any[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
cnt++;
}
@@ -6546,7 +6547,7 @@ key_dump(so, m, mhp)
/* send this to the userland, one at a time. */
newmsg = NULL;
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
if (mhp->msg->sadb_msg_satype != SADB_SATYPE_UNSPEC
&& proto != sah->saidx.proto)
continue;
@@ -6560,9 +6561,9 @@ key_dump(so, m, mhp)
}
for (stateidx = 0;
- stateidx < _ARRAYLEN(saorder_state_any);
+ stateidx < _ARRAYLEN(V_saorder_state_any);
stateidx++) {
- state = saorder_state_any[stateidx];
+ state = V_saorder_state_any[stateidx];
LIST_FOREACH(sav, &sah->savtree[state], chain) {
n = key_setdumpsa(sav, SADB_DUMP, satype,
--cnt, mhp->msg->sadb_msg_pid);
@@ -6706,7 +6707,7 @@ key_parse(m, so)
if ((m->m_flags & M_PKTHDR) == 0 ||
m->m_pkthdr.len != m->m_pkthdr.len) {
ipseclog((LOG_DEBUG, "%s: invalid message length.\n",__func__));
- pfkeystat.out_invlen++;
+ V_pfkeystat.out_invlen++;
error = EINVAL;
goto senderror;
}
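Review bot: The second operand of the length test, `m->m_pkthdr.len != m->m_pkthdr.len`, compares a field with itself and is always false, so only the `M_PKTHDR` flag test can reach the "invalid message length" branch. PF_KEY messages arrive from a user socket, so a length check that cannot fire should not be left looking like validation. Either compare against an independently derived length (the intended right-hand side cannot be recovered from this page) or drop the operand and add a comment naming the check that does validate the length. key_output's hunk in keysock.c, for instance, compares `len` with `PFKEY_UNUNIT64(msg->sadb_msg_len)`. key_parse continues outside the hunk.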
@@ -6714,7 +6715,7 @@ key_parse(m, so)
if (msg->sadb_msg_version != PF_KEY_V2) {
ipseclog((LOG_DEBUG, "%s: PF_KEY version %u is mismatched.\n",
__func__, msg->sadb_msg_version));
- pfkeystat.out_invver++;
+ V_pfkeystat.out_invver++;
error = EINVAL;
goto senderror;
}
@@ -6722,7 +6723,7 @@ key_parse(m, so)
if (msg->sadb_msg_type > SADB_MAX) {
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_type));
- pfkeystat.out_invmsgtype++;
+ V_pfkeystat.out_invmsgtype++;
error = EINVAL;
goto senderror;
}
@@ -6775,7 +6776,7 @@ key_parse(m, so)
ipseclog((LOG_DEBUG, "%s: must specify satype "
"when msg type=%u.\n", __func__,
msg->sadb_msg_type));
- pfkeystat.out_invsatype++;
+ V_pfkeystat.out_invsatype++;
error = EINVAL;
goto senderror;
}
@@ -6795,7 +6796,7 @@ key_parse(m, so)
case SADB_X_SPDDELETE2:
ipseclog((LOG_DEBUG, "%s: illegal satype=%u\n",
__func__, msg->sadb_msg_type));
- pfkeystat.out_invsatype++;
+ V_pfkeystat.out_invsatype++;
error = EINVAL;
goto senderror;
}
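Review bot: The "illegal satype=%u" message is passed `msg->sadb_msg_type`, so the debug log prints the message type under a label that says SA type. The `case SADB_X_SPDDELETE2:` context suggests this branch rejects a combination of message type and satype. Printing both would make the line unambiguous, for example `"%s: illegal satype=%u for msg type=%u\n"` with `msg->sadb_msg_satype, msg->sadb_msg_type`. The enclosing switch starts outside the hunk, so confirm which field is being rejected before changing the argument.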
@@ -6806,7 +6807,7 @@ key_parse(m, so)
case SADB_SATYPE_MIP:
ipseclog((LOG_DEBUG, "%s: type %u isn't supported.\n",
__func__, msg->sadb_msg_satype));
- pfkeystat.out_invsatype++;
+ V_pfkeystat.out_invsatype++;
error = EOPNOTSUPP;
goto senderror;
case 1: /* XXX: What does it do? */
@@ -6816,7 +6817,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: invalid type %u is passed.\n",
__func__, msg->sadb_msg_satype));
- pfkeystat.out_invsatype++;
+ V_pfkeystat.out_invsatype++;
error = EINVAL;
goto senderror;
}
@@ -6834,7 +6835,7 @@ key_parse(m, so)
if (src0->sadb_address_proto != dst0->sadb_address_proto) {
ipseclog((LOG_DEBUG, "%s: upper layer protocol "
"mismatched.\n", __func__));
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6844,7 +6845,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_family) {
ipseclog((LOG_DEBUG, "%s: address family mismatched.\n",
__func__));
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6852,7 +6853,7 @@ key_parse(m, so)
PFKEY_ADDR_SADDR(dst0)->sa_len) {
ipseclog((LOG_DEBUG, "%s: address struct size "
"mismatched.\n", __func__));
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6861,7 +6862,7 @@ key_parse(m, so)
case AF_INET:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in)) {
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6869,7 +6870,7 @@ key_parse(m, so)
case AF_INET6:
if (PFKEY_ADDR_SADDR(src0)->sa_len !=
sizeof(struct sockaddr_in6)) {
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6877,7 +6878,7 @@ key_parse(m, so)
default:
ipseclog((LOG_DEBUG, "%s: unsupported address family\n",
__func__));
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EAFNOSUPPORT;
goto senderror;
}
@@ -6899,7 +6900,7 @@ key_parse(m, so)
dst0->sadb_address_prefixlen > plen) {
ipseclog((LOG_DEBUG, "%s: illegal prefixlen.\n",
__func__));
- pfkeystat.out_invaddr++;
+ V_pfkeystat.out_invaddr++;
error = EINVAL;
goto senderror;
}
@@ -6912,7 +6913,7 @@ key_parse(m, so)
if (msg->sadb_msg_type >= sizeof(key_typesw)/sizeof(key_typesw[0]) ||
key_typesw[msg->sadb_msg_type] == NULL) {
- pfkeystat.out_invmsgtype++;
+ V_pfkeystat.out_invmsgtype++;
error = EINVAL;
goto senderror;
}
@@ -7006,7 +7007,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: duplicate ext_type "
"%u\n", __func__, ext->sadb_ext_type));
m_freem(m);
- pfkeystat.out_dupext++;
+ V_pfkeystat.out_dupext++;
return EINVAL;
}
break;
@@ -7014,7 +7015,7 @@ key_align(m, mhp)
ipseclog((LOG_DEBUG, "%s: invalid ext_type %u\n",
__func__, ext->sadb_ext_type));
m_freem(m);
- pfkeystat.out_invexttype++;
+ V_pfkeystat.out_invexttype++;
return EINVAL;
}
@@ -7022,7 +7023,7 @@ key_align(m, mhp)
if (key_validate_ext(ext, extlen)) {
m_freem(m);
- pfkeystat.out_invlen++;
+ V_pfkeystat.out_invlen++;
return EINVAL;
}
@@ -7040,7 +7041,7 @@ key_align(m, mhp)
if (off != end) {
m_freem(m);
- pfkeystat.out_invlen++;
+ V_pfkeystat.out_invlen++;
return EINVAL;
}
@@ -7118,19 +7119,19 @@ key_init(void)
SPACQ_LOCK_INIT();
for (i = 0; i < IPSEC_DIR_MAX; i++)
- LIST_INIT(&sptree[i]);
+ LIST_INIT(&V_sptree[i]);
- LIST_INIT(&sahtree);
+ LIST_INIT(&V_sahtree);
for (i = 0; i <= SADB_SATYPE_MAX; i++)
- LIST_INIT(&regtree[i]);
+ LIST_INIT(&V_regtree[i]);
- LIST_INIT(&acqtree);
- LIST_INIT(&spacqtree);
+ LIST_INIT(&V_acqtree);
+ LIST_INIT(&V_spacqtree);
/* system default */
- ip4_def_policy.policy = IPSEC_POLICY_NONE;
- ip4_def_policy.refcnt++; /*never reclaim this*/
+ V_ip4_def_policy.policy = IPSEC_POLICY_NONE;
+ V_ip4_def_policy.refcnt++; /*never reclaim this*/
#ifndef IPSEC_DEBUG2
timeout((void *)key_timehandler, (void *)0, hz);
@@ -7218,7 +7219,7 @@ key_sa_routechange(dst)
struct route *ro;
SAHTREE_LOCK();
- LIST_FOREACH(sah, &sahtree, chain) {
+ LIST_FOREACH(sah, &V_sahtree, chain) {
ro = &sah->sa_route;
if (ro->ro_rt && dst->sa_len == ro->ro_dst.sa_len
&& bcmp(dst, &ro->ro_dst, dst->sa_len) == 0) {
diff --git a/sys/netipsec/key_debug.h b/sys/netipsec/key_debug.h
index be53f7a..6ca0fe2 100644
--- a/sys/netipsec/key_debug.h
+++ b/sys/netipsec/key_debug.h
@@ -54,7 +54,7 @@
#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
#define KEYDEBUG(lev,arg) \
- do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (0)
+ do { if ((V_key_debug_level & (lev)) == (lev)) { arg; } } while (0)
extern u_int32_t key_debug_level;
#endif /*_KERNEL*/
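Review bot: `KEYDEBUG` now expands to `V_key_debug_level`, but this header still declares only `extern u_int32_t key_debug_level;` and includes nothing that defines the `V_` name. Every file that uses `KEYDEBUG` must therefore bring in the defining header itself. The .c files in this commit add `<sys/vimage.h>`, which is presumably where the name comes from. A comment above the macro, such as `/* KEYDEBUG expands to V_key_debug_level; include <sys/vimage.h> before using it */`, or an include in this header, would make the dependency explicit.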
diff --git a/sys/netipsec/keysock.c b/sys/netipsec/keysock.c
index 5b26b2e..c86791e 100644
--- a/sys/netipsec/keysock.c
+++ b/sys/netipsec/keysock.c
@@ -50,6 +50,7 @@
#include <sys/socketvar.h>
#include <sys/sysctl.h>
#include <sys/systm.h>
+#include <sys/vimage.h>
#include <net/raw_cb.h>
#include <net/route.h>
@@ -85,19 +86,19 @@ key_output(struct mbuf *m, struct socket *so)
if (m == 0)
panic("%s: NULL pointer was passed.\n", __func__);
- pfkeystat.out_total++;
- pfkeystat.out_bytes += m->m_pkthdr.len;
+ V_pfkeystat.out_total++;
+ V_pfkeystat.out_bytes += m->m_pkthdr.len;
len = m->m_pkthdr.len;
if (len < sizeof(struct sadb_msg)) {
- pfkeystat.out_tooshort++;
+ V_pfkeystat.out_tooshort++;
error = EINVAL;
goto end;
}
if (m->m_len < sizeof(struct sadb_msg)) {
if ((m = m_pullup(m, sizeof(struct sadb_msg))) == 0) {
- pfkeystat.out_nomem++;
+ V_pfkeystat.out_nomem++;
error = ENOBUFS;
goto end;
}
@@ -108,9 +109,9 @@ key_output(struct mbuf *m, struct socket *so)
KEYDEBUG(KEYDEBUG_KEY_DUMP, kdebug_mbuf(m));
msg = mtod(m, struct sadb_msg *);
- pfkeystat.out_msgtype[msg->sadb_msg_type]++;
+ V_pfkeystat.out_msgtype[msg->sadb_msg_type]++;
if (len != PFKEY_UNUNIT64(msg->sadb_msg_len)) {
- pfkeystat.out_invlen++;
+ V_pfkeystat.out_invlen++;
error = EINVAL;
goto end;
}
@@ -141,7 +142,7 @@ key_sendup0(rp, m, promisc)
if (m && m->m_len < sizeof(struct sadb_msg))
m = m_pullup(m, sizeof(struct sadb_msg));
if (!m) {
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
m_freem(m);
return ENOBUFS;
}
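Review bot: Inside the `if (!m)` branch `m` is known to be NULL, so the `m_freem(m);` call has nothing to free and only suggests that a chain is still owned here. When `m_pullup` fails it has already released the chain, so nothing leaks. Replace the call with a comment such as `/* m is NULL here: m_pullup() freed the chain on failure */`, so the ownership rule is stated rather than implied. The start of key_sendup0 is outside the hunk.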
@@ -154,12 +155,12 @@ key_sendup0(rp, m, promisc)
pmsg->sadb_msg_len = PFKEY_UNIT64(m->m_pkthdr.len);
/* pid and seq? */
- pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
+ V_pfkeystat.in_msgtype[pmsg->sadb_msg_type]++;
}
- if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&key_src,
+ if (!sbappendaddr(&rp->rcb_socket->so_rcv, (struct sockaddr *)&V_key_src,
m, NULL)) {
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
m_freem(m);
error = ENOBUFS;
} else
@@ -191,9 +192,9 @@ key_sendup(so, msg, len, target)
* we increment statistics here, just in case we have ENOBUFS
* in this function.
*/
- pfkeystat.in_total++;
- pfkeystat.in_bytes += len;
- pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+ V_pfkeystat.in_total++;
+ V_pfkeystat.in_bytes += len;
+ V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
/*
* Get mbuf chain whenever possible (not clusters),
@@ -210,14 +211,14 @@ key_sendup(so, msg, len, target)
if (tlen == len) {
MGETHDR(n, M_DONTWAIT, MT_DATA);
if (n == NULL) {
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MHLEN;
} else {
MGET(n, M_DONTWAIT, MT_DATA);
if (n == NULL) {
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MLEN;
@@ -227,7 +228,7 @@ key_sendup(so, msg, len, target)
if ((n->m_flags & M_EXT) == 0) {
m_free(n);
m_freem(m);
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
return ENOBUFS;
}
n->m_len = MCLBYTES;
@@ -250,9 +251,9 @@ key_sendup(so, msg, len, target)
m_copyback(m, 0, len, (caddr_t)msg);
/* avoid duplicated statistics */
- pfkeystat.in_total--;
- pfkeystat.in_bytes -= len;
- pfkeystat.in_msgtype[msg->sadb_msg_type]--;
+ V_pfkeystat.in_total--;
+ V_pfkeystat.in_bytes -= len;
+ V_pfkeystat.in_msgtype[msg->sadb_msg_type]--;
return key_sendup_mbuf(so, m, target);
}
@@ -275,22 +276,22 @@ key_sendup_mbuf(so, m, target)
if (so == NULL && target == KEY_SENDUP_ONE)
panic("%s: NULL pointer was passed.\n", __func__);
- pfkeystat.in_total++;
- pfkeystat.in_bytes += m->m_pkthdr.len;
+ V_pfkeystat.in_total++;
+ V_pfkeystat.in_bytes += m->m_pkthdr.len;
if (m->m_len < sizeof(struct sadb_msg)) {
m = m_pullup(m, sizeof(struct sadb_msg));
if (m == NULL) {
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
return ENOBUFS;
}
}
if (m->m_len >= sizeof(struct sadb_msg)) {
struct sadb_msg *msg;
msg = mtod(m, struct sadb_msg *);
- pfkeystat.in_msgtype[msg->sadb_msg_type]++;
+ V_pfkeystat.in_msgtype[msg->sadb_msg_type]++;
}
mtx_lock(&rawcb_mtx);
- LIST_FOREACH(rp, &rawcb_list, list)
+ LIST_FOREACH(rp, &V_rawcb_list, list)
{
if (rp->rcb_proto.sp_family != PF_KEY)
continue;
@@ -332,14 +333,14 @@ key_sendup_mbuf(so, m, target)
sendup++;
break;
}
- pfkeystat.in_msgtarget[target]++;
+ V_pfkeystat.in_msgtarget[target]++;
if (!sendup)
continue;
if ((n = m_copy(m, 0, (int)M_COPYALL)) == NULL) {
m_freem(m);
- pfkeystat.in_nomem++;
+ V_pfkeystat.in_nomem++;
mtx_unlock(&rawcb_mtx);
return ENOBUFS;
}
@@ -409,8 +410,8 @@ key_attach(struct socket *so, int proto, struct thread *td)
kp->kp_promisc = kp->kp_registered = 0;
if (kp->kp_raw.rcb_proto.sp_protocol == PF_KEY) /* XXX: AF_KEY */
- key_cb.key_count++;
- key_cb.any_count++;
+ V_key_cb.key_count++;
+ V_key_cb.any_count++;
soisconnected(so);
so->so_options |= SO_USELOOPBACK;
@@ -460,8 +461,8 @@ key_detach(struct socket *so)
KASSERT(kp != NULL, ("key_detach: kp == NULL"));
if (kp->kp_raw.rcb_proto.sp_protocol
== PF_KEY) /* XXX: AF_KEY */
- key_cb.key_count--;
- key_cb.any_count--;
+ V_key_cb.key_count--;
+ V_key_cb.any_count--;
key_freereg(so);
raw_usrreqs.pru_detach(so);
@@ -557,7 +558,7 @@ struct protosw keysw[] = {
static void
key_init0(void)
{
- bzero((caddr_t)&key_cb, sizeof(key_cb));
+ bzero((caddr_t)&V_key_cb, sizeof(V_key_cb));
key_init();
}
diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c
index 2424b4a..4f87db6f 100644
--- a/sys/netipsec/xform_ah.c
+++ b/sys/netipsec/xform_ah.c
@@ -46,6 +46,7 @@
#include <sys/syslog.h>
#include <sys/kernel.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <net/if.h>
@@ -218,7 +219,7 @@ ah_init(struct secasvar *sav, struct xformsw *xsp)
error = ah_init0(sav, xsp, &cria);
return error ? error :
- crypto_newsession(&sav->tdb_cryptoid, &cria, crypto_support);
+ crypto_newsession(&sav->tdb_cryptoid, &cria, V_crypto_support);
}
/*
@@ -277,7 +278,7 @@ ah_massage_headers(struct mbuf **m0, int proto, int skip, int alg, int out)
/* Fix the IP header */
ip = mtod(m, struct ip *);
- if (ah_cleartos)
+ if (V_ah_cleartos)
ip->ip_tos = 0;
ip->ip_ttl = 0;
ip->ip_sum = 0;
@@ -573,14 +574,14 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
IP6_EXTHDR_GET(ah, struct newah *, m, skip, rplen);
if (ah == NULL) {
DPRINTF(("ah_input: cannot pullup header\n"));
- ahstat.ahs_hdrops++; /*XXX*/
+ V_ahstat.ahs_hdrops++; /*XXX*/
m_freem(m);
return ENOBUFS;
}
/* Check replay window, if applicable. */
if (sav->replay && !ipsec_chkreplay(ntohl(ah->ah_seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
DPRINTF(("%s: packet replay failure: %s\n", __func__,
ipsec_logsastr(sav)));
m_freem(m);
@@ -597,17 +598,17 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
hl, (u_long) (authsize + rplen - sizeof (struct ah)),
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauthl++;
+ V_ahstat.ahs_badauthl++;
m_freem(m);
return EACCES;
}
- ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
+ V_ahstat.ahs_ibytes += m->m_pkthdr.len - skip - hl;
/* Get crypto descriptors. */
crp = crypto_getreq(1);
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
m_freem(m);
return ENOBUFS;
}
@@ -647,7 +648,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
}
if (tc == NULL) {
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
crypto_freereq(crp);
m_freem(m);
return ENOBUFS;
@@ -671,7 +672,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
skip, ahx->type, 0);
if (error != 0) {
/* NB: mbuf is free'd by ah_massage_headers */
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
free(tc, M_XDATA);
crypto_freereq(crp);
return error;
@@ -745,7 +746,7 @@ ah_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -768,19 +769,19 @@ ah_input_cb(struct cryptop *crp)
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
} else {
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
crypto_freereq(crp); /* No longer needed. */
crp = NULL;
}
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
@@ -806,7 +807,7 @@ ah_input_cb(struct cryptop *crp)
"in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_badauth++;
+ V_ahstat.ahs_badauth++;
error = EACCES;
goto bad;
}
@@ -837,7 +838,7 @@ ah_input_cb(struct cryptop *crp)
m_copydata(m, skip + offsetof(struct newah, ah_seq),
sizeof (seq), (caddr_t) &seq);
if (ipsec_updatereplay(ntohl(seq), sav)) {
- ahstat.ahs_replay++;
+ V_ahstat.ahs_replay++;
error = ENOBUFS; /*XXX as above*/
goto bad;
}
@@ -851,7 +852,7 @@ ah_input_cb(struct cryptop *crp)
DPRINTF(("%s: mangled mbuf chain for SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
goto bad;
}
@@ -898,7 +899,7 @@ ah_output(
ahx = sav->tdb_authalgxform;
IPSEC_ASSERT(ahx != NULL, ("null authentication xform"));
- ahstat.ahs_output++;
+ V_ahstat.ahs_output++;
/* Figure out header size. */
rplen = HDRSIZE(sav);
@@ -921,7 +922,7 @@ ah_output(
sav->sah->saidx.dst.sa.sa_family,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_nopf++;
+ V_ahstat.ahs_nopf++;
error = EPFNOSUPPORT;
goto bad;
}
@@ -932,20 +933,20 @@ ah_output(
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi),
rplen + authsize + m->m_pkthdr.len, maxpacketsize));
- ahstat.ahs_toobig++;
+ V_ahstat.ahs_toobig++;
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- ahstat.ahs_obytes += m->m_pkthdr.len - skip;
+ V_ahstat.ahs_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++;
+ V_ahstat.ahs_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -958,7 +959,7 @@ ah_output(
rplen + authsize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_hdrops++; /*XXX differs from openbsd */
+ V_ahstat.ahs_hdrops++; /*XXX differs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -986,13 +987,13 @@ ah_output(
__func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- ahstat.ahs_wrap++;
+ V_ahstat.ahs_wrap++;
error = EINVAL;
goto bad;
}
#ifdef REGRESSION
/* Emulate replay attack when ipsec_replay is TRUE. */
- if (!ipsec_replay)
+ if (!V_ipsec_replay)
#endif
sav->replay->count++;
ah->ah_seq = htonl(sav->replay->count);
@@ -1003,7 +1004,7 @@ ah_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1025,7 +1026,7 @@ ah_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -1127,7 +1128,7 @@ ah_output_cb(struct cryptop *crp)
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ahstat.ahs_notdb++;
+ V_ahstat.ahs_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -1146,7 +1147,7 @@ ah_output_cb(struct cryptop *crp)
return error;
}
- ahstat.ahs_noxform++;
+ V_ahstat.ahs_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -1154,12 +1155,12 @@ ah_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- ahstat.ahs_crypto++;
+ V_ahstat.ahs_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
/*
* Copy original headers (with the new protocol number) back
@@ -1173,7 +1174,7 @@ ah_output_cb(struct cryptop *crp)
#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
- if (ipsec_integrity) {
+ if (V_ipsec_integrity) {
int alen;
/*
diff --git a/sys/netipsec/xform_esp.c b/sys/netipsec/xform_esp.c
index 7e25da0..3ac01c6 100644
--- a/sys/netipsec/xform_esp.c
+++ b/sys/netipsec/xform_esp.c
@@ -46,6 +46,7 @@
#include <sys/kernel.h>
#include <sys/random.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <net/if.h>
@@ -145,7 +146,7 @@ esp_hdrsiz(struct secasvar *sav)
* + sizeof (next header field)
* + max icv supported.
*/
- size = sizeof (struct newesp) + esp_max_ivlen + 9 + 16;
+ size = sizeof (struct newesp) + V_esp_max_ivlen + 9 + 16;
}
return size;
}
@@ -224,13 +225,13 @@ esp_init(struct secasvar *sav, struct xformsw *xsp)
/* init both auth & enc */
crie.cri_next = &cria;
error = crypto_newsession(&sav->tdb_cryptoid,
- &crie, crypto_support);
+ &crie, V_crypto_support);
} else if (sav->tdb_encalgxform) {
error = crypto_newsession(&sav->tdb_cryptoid,
- &crie, crypto_support);
+ &crie, V_crypto_support);
} else if (sav->tdb_authalgxform) {
error = crypto_newsession(&sav->tdb_cryptoid,
- &cria, crypto_support);
+ &cria, V_crypto_support);
} else {
/* XXX cannot happen? */
DPRINTF(("%s: no encoding OR authentication xform!\n",
@@ -312,7 +313,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
plen, espx->blocksize,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
- espstat.esps_badilen++;
+ V_espstat.esps_badilen++;
m_freem(m);
return EINVAL;
}
@@ -323,13 +324,13 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (esph && sav->replay && !ipsec_chkreplay(ntohl(esp->esp_seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav))); /*XXX*/
- espstat.esps_replay++;
+ V_espstat.esps_replay++;
m_freem(m);
return ENOBUFS; /*XXX*/
}
/* Update the counters */
- espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
+ V_espstat.esps_ibytes += m->m_pkthdr.len - (skip + hlen + alen);
/* Find out if we've already done crypto */
for (mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_CRYPTO_DONE, NULL);
@@ -348,7 +349,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
m_freem(m);
return ENOBUFS;
}
@@ -363,7 +364,7 @@ esp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
m_freem(m);
return ENOBUFS;
}
@@ -472,7 +473,7 @@ esp_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- espstat.esps_notdb++;
+ V_espstat.esps_notdb++;
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
@@ -500,7 +501,7 @@ esp_input_cb(struct cryptop *crp)
return error;
}
- espstat.esps_noxform++;
+ V_espstat.esps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -508,12 +509,12 @@ esp_input_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- espstat.esps_hist[sav->alg_enc]++;
+ V_espstat.esps_hist[sav->alg_enc]++;
/* If authentication was performed, check now. */
if (esph != NULL) {
@@ -522,7 +523,7 @@ esp_input_cb(struct cryptop *crp)
* the verification for us. Otherwise we need to
* check the authentication calculation.
*/
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
if (mtag == NULL) {
/* Copy the authenticator from the packet */
m_copydata(m, m->m_pkthdr.len - AH_HMAC_HASHLEN,
@@ -537,7 +538,7 @@ esp_input_cb(struct cryptop *crp)
__func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- espstat.esps_badauth++;
+ V_espstat.esps_badauth++;
error = EACCES;
goto bad;
}
@@ -567,7 +568,7 @@ esp_input_cb(struct cryptop *crp)
if (ipsec_updatereplay(ntohl(seq), sav)) {
DPRINTF(("%s: packet replay check for %s\n", __func__,
ipsec_logsastr(sav)));
- espstat.esps_replay++;
+ V_espstat.esps_replay++;
error = ENOBUFS;
goto bad;
}
@@ -582,7 +583,7 @@ esp_input_cb(struct cryptop *crp)
/* Remove the ESP header and IV from the mbuf. */
error = m_striphdr(m, skip, hlen);
if (error) {
- espstat.esps_hdrops++;
+ V_espstat.esps_hdrops++;
DPRINTF(("%s: bad mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -594,7 +595,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify pad length */
if (lastthree[1] + 2 > m->m_pkthdr.len - skip) {
- espstat.esps_badilen++;
+ V_espstat.esps_badilen++;
DPRINTF(("%s: invalid padding length %d for %u byte packet "
"in SA %s/%08lx\n", __func__,
lastthree[1], m->m_pkthdr.len - skip,
@@ -607,7 +608,7 @@ esp_input_cb(struct cryptop *crp)
/* Verify correct decryption by checking the last padding bytes */
if ((sav->flags & SADB_X_EXT_PMASK) != SADB_X_EXT_PRAND) {
if (lastthree[1] != lastthree[0] && lastthree[1] != 0) {
- espstat.esps_badenc++;
+ V_espstat.esps_badenc++;
DPRINTF(("%s: decryption failed for packet in "
"SA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -692,7 +693,7 @@ esp_output(
else
alen = 0;
- espstat.esps_output++;
+ V_espstat.esps_output++;
saidx = &sav->sah->saidx;
/* Check for maximum packet size violations. */
@@ -712,7 +713,7 @@ esp_output(
"family %d, SA %s/%08lx\n", __func__,
saidx->dst.sa.sa_family, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- espstat.esps_nopf++;
+ V_espstat.esps_nopf++;
error = EPFNOSUPPORT;
goto bad;
}
@@ -721,19 +722,19 @@ esp_output(
"(len %u, max len %u)\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi),
skip + hlen + rlen + padding + alen, maxpacketsize));
- espstat.esps_toobig++;
+ V_espstat.esps_toobig++;
error = EMSGSIZE;
goto bad;
}
/* Update the counters. */
- espstat.esps_obytes += m->m_pkthdr.len - skip;
+ V_espstat.esps_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
DPRINTF(("%s: cannot clone mbuf chain, SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst), (u_long) ntohl(sav->spi)));
- espstat.esps_hdrops++;
+ V_espstat.esps_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -744,7 +745,7 @@ esp_output(
DPRINTF(("%s: %u byte ESP hdr inject failed for SA %s/%08lx\n",
__func__, hlen, ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- espstat.esps_hdrops++; /* XXX diffs from openbsd */
+ V_espstat.esps_hdrops++; /* XXX diffs from openbsd */
error = ENOBUFS;
goto bad;
}
@@ -756,7 +757,7 @@ esp_output(
#ifdef REGRESSION
/* Emulate replay attack when ipsec_replay is TRUE. */
- if (!ipsec_replay)
+ if (!V_ipsec_replay)
#endif
sav->replay->count++;
replay = htonl(sav->replay->count);
@@ -808,7 +809,7 @@ esp_output(
if (crp == NULL) {
DPRINTF(("%s: failed to acquire crypto descriptors\n",
__func__));
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -837,7 +838,7 @@ esp_output(
if (tc == NULL) {
crypto_freereq(crp);
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
error = ENOBUFS;
goto bad;
}
@@ -895,7 +896,7 @@ esp_output_cb(struct cryptop *crp)
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- espstat.esps_notdb++;
+ V_espstat.esps_notdb++;
DPRINTF(("%s: SA gone during crypto (SA %s/%08lx proto %u)\n",
__func__, ipsec_address(&tc->tc_dst),
(u_long) ntohl(tc->tc_spi), tc->tc_proto));
@@ -918,7 +919,7 @@ esp_output_cb(struct cryptop *crp)
return error;
}
- espstat.esps_noxform++;
+ V_espstat.esps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
@@ -926,14 +927,14 @@ esp_output_cb(struct cryptop *crp)
/* Shouldn't happen... */
if (m == NULL) {
- espstat.esps_crypto++;
+ V_espstat.esps_crypto++;
DPRINTF(("%s: bogus returned buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- espstat.esps_hist[sav->alg_enc]++;
+ V_espstat.esps_hist[sav->alg_enc]++;
if (sav->tdb_authalgxform != NULL)
- ahstat.ahs_hist[sav->alg_auth]++;
+ V_ahstat.ahs_hist[sav->alg_auth]++;
/* Release crypto descriptors. */
free(tc, M_XDATA);
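Review bot: `V_espstat.esps_hist[sav->alg_enc]++` and `V_ahstat.ahs_hist[sav->alg_auth]++` index counter arrays with algorithm ids read from the SA, and no range check is visible in this hunk. If those ids are not bounded against the array length when the SA is installed (that code is not shown here), an out-of-range id would write outside the statistics structure. A local guard such as `if (sav->alg_enc < sizeof(V_espstat.esps_hist) / sizeof(V_espstat.esps_hist[0]))` would make the bound explicit. The same pattern occurs with `V_ipcompstat.ipcomps_hist[sav->alg_comp]++` in the ipcomp_input_cb and ipcomp_output_cb hunks. esp_output_cb starts and ends outside this hunk.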
@@ -941,7 +942,7 @@ esp_output_cb(struct cryptop *crp)
#ifdef REGRESSION
/* Emulate man-in-the-middle attack when ipsec_integrity is TRUE. */
- if (ipsec_integrity) {
+ if (V_ipsec_integrity) {
static unsigned char ipseczeroes[AH_HMAC_HASHLEN];
struct auth_hash *esph;
@@ -983,10 +984,10 @@ static void
esp_attach(void)
{
#define MAXIV(xform) \
- if (xform.blocksize > esp_max_ivlen) \
- esp_max_ivlen = xform.blocksize \
+ if (xform.blocksize > V_esp_max_ivlen) \
+ V_esp_max_ivlen = xform.blocksize \
- esp_max_ivlen = 0;
+ V_esp_max_ivlen = 0;
MAXIV(enc_xform_des); /* SADB_EALG_DESCBC */
MAXIV(enc_xform_3des); /* SADB_EALG_3DESCBC */
MAXIV(enc_xform_rijndael128); /* SADB_X_EALG_AES */
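Review bot: MAXIV is a bare, unbraced `if` with an unparenthesized `xform` argument, and as shown here its last line still ends in a continuation backslash, so it depends on the line that follows and on each call site's semicolon. Wrapping it keeps it a single statement: `do { if ((xform).blocksize > V_esp_max_ivlen) V_esp_max_ivlen = (xform).blocksize; } while (0)`. esp_attach continues past the end of this hunk.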
diff --git a/sys/netipsec/xform_ipcomp.c b/sys/netipsec/xform_ipcomp.c
index 97f4827..2882af8 100644
--- a/sys/netipsec/xform_ipcomp.c
+++ b/sys/netipsec/xform_ipcomp.c
@@ -41,6 +41,7 @@
#include <sys/kernel.h>
#include <sys/protosw.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -114,7 +115,7 @@ ipcomp_init(struct secasvar *sav, struct xformsw *xsp)
bzero(&cric, sizeof (cric));
cric.cri_alg = sav->tdb_compalgxform->type;
- return crypto_newsession(&sav->tdb_cryptoid, &cric, crypto_support);
+ return crypto_newsession(&sav->tdb_cryptoid, &cric, V_crypto_support);
}
/*
@@ -146,7 +147,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
if (crp == NULL) {
m_freem(m);
DPRINTF(("%s: no crypto descriptors\n", __func__));
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
/* Get IPsec-specific opaque pointer */
@@ -155,7 +156,7 @@ ipcomp_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff)
m_freem(m);
crypto_freereq(crp);
DPRINTF(("%s: cannot allocate tdb_crypto\n", __func__));
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
return ENOBUFS;
}
crdc = crp->crp_desc;
@@ -228,7 +229,7 @@ ipcomp_input_cb(struct cryptop *crp)
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ipcompstat.ipcomps_notdb++;
+ V_ipcompstat.ipcomps_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -251,19 +252,19 @@ ipcomp_input_cb(struct cryptop *crp)
return error;
}
- ipcompstat.ipcomps_noxform++;
+ V_ipcompstat.ipcomps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: null mbuf returned from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
clen = crp->crp_olen; /* Length of data after processing */
@@ -275,7 +276,7 @@ ipcomp_input_cb(struct cryptop *crp)
m->m_pkthdr.len = clen + hlen + skip;
if (m->m_len < skip + hlen && (m = m_pullup(m, skip + hlen)) == 0) {
- ipcompstat.ipcomps_hdrops++; /*XXX*/
+ V_ipcompstat.ipcomps_hdrops++; /*XXX*/
DPRINTF(("%s: m_pullup failed\n", __func__));
error = EINVAL; /*XXX*/
goto bad;
@@ -288,7 +289,7 @@ ipcomp_input_cb(struct cryptop *crp)
/* Remove the IPCOMP header */
error = m_striphdr(m, skip, hlen);
if (error) {
- ipcompstat.ipcomps_hdrops++;
+ V_ipcompstat.ipcomps_hdrops++;
DPRINTF(("%s: bad mbuf chain, IPCA %s/%08lx\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -344,7 +345,7 @@ ipcomp_output(
ralen = m->m_pkthdr.len - skip; /* Raw payload length before comp. */
hlen = IPCOMP_HLENGTH;
- ipcompstat.ipcomps_output++;
+ V_ipcompstat.ipcomps_output++;
/* Check for maximum packet size violations. */
switch (sav->sah->saidx.dst.sa.sa_family) {
@@ -359,7 +360,7 @@ ipcomp_output(
break;
#endif /* INET6 */
default:
- ipcompstat.ipcomps_nopf++;
+ V_ipcompstat.ipcomps_nopf++;
DPRINTF(("%s: unknown/unsupported protocol family %d, "
"IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
@@ -369,7 +370,7 @@ ipcomp_output(
goto bad;
}
if (skip + hlen + ralen > maxpacketsize) {
- ipcompstat.ipcomps_toobig++;
+ V_ipcompstat.ipcomps_toobig++;
DPRINTF(("%s: packet in IPCA %s/%08lx got too big "
"(len %u, max len %u)\n", __func__,
ipsec_address(&sav->sah->saidx.dst),
@@ -380,11 +381,11 @@ ipcomp_output(
}
/* Update the counters */
- ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
+ V_ipcompstat.ipcomps_obytes += m->m_pkthdr.len - skip;
m = m_unshare(m, M_NOWAIT);
if (m == NULL) {
- ipcompstat.ipcomps_hdrops++;
+ V_ipcompstat.ipcomps_hdrops++;
DPRINTF(("%s: cannot clone mbuf chain, IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -395,7 +396,7 @@ ipcomp_output(
/* Inject IPCOMP header */
mo = m_makespace(m, skip, hlen, &roff);
if (mo == NULL) {
- ipcompstat.ipcomps_wrap++;
+ V_ipcompstat.ipcomps_wrap++;
DPRINTF(("%s: IPCOMP header inject failed for IPCA %s/%08lx\n",
__func__, ipsec_address(&sav->sah->saidx.dst),
(u_long) ntohl(sav->spi)));
@@ -430,7 +431,7 @@ ipcomp_output(
/* Get crypto descriptors */
crp = crypto_getreq(1);
if (crp == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: failed to acquire crypto descriptor\n",__func__));
error = ENOBUFS;
goto bad;
@@ -450,7 +451,7 @@ ipcomp_output(
tc = (struct tdb_crypto *) malloc(sizeof(struct tdb_crypto),
M_XDATA, M_NOWAIT|M_ZERO);
if (tc == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: failed to allocate tdb_crypto\n", __func__));
crypto_freereq(crp);
error = ENOBUFS;
@@ -500,7 +501,7 @@ ipcomp_output_cb(struct cryptop *crp)
IPSECREQUEST_LOCK(isr);
sav = KEY_ALLOCSA(&tc->tc_dst, tc->tc_proto, tc->tc_spi);
if (sav == NULL) {
- ipcompstat.ipcomps_notdb++;
+ V_ipcompstat.ipcomps_notdb++;
DPRINTF(("%s: SA expired while in crypto\n", __func__));
error = ENOBUFS; /*XXX*/
goto bad;
@@ -519,19 +520,19 @@ ipcomp_output_cb(struct cryptop *crp)
error = crypto_dispatch(crp);
return error;
}
- ipcompstat.ipcomps_noxform++;
+ V_ipcompstat.ipcomps_noxform++;
DPRINTF(("%s: crypto error %d\n", __func__, crp->crp_etype));
error = crp->crp_etype;
goto bad;
}
/* Shouldn't happen... */
if (m == NULL) {
- ipcompstat.ipcomps_crypto++;
+ V_ipcompstat.ipcomps_crypto++;
DPRINTF(("%s: bogus return buffer from crypto\n", __func__));
error = EINVAL;
goto bad;
}
- ipcompstat.ipcomps_hist[sav->alg_comp]++;
+ V_ipcompstat.ipcomps_hist[sav->alg_comp]++;
if (rlen > crp->crp_olen) {
/* Adjust the length in the IP header */
@@ -548,7 +549,7 @@ ipcomp_output_cb(struct cryptop *crp)
break;
#endif /* INET6 */
default:
- ipcompstat.ipcomps_nopf++;
+ V_ipcompstat.ipcomps_nopf++;
DPRINTF(("%s: unknown/unsupported protocol "
"family %d, IPCA %s/%08lx\n", __func__,
sav->sah->saidx.dst.sa.sa_family,
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
index 4e8495b..cb9256d 100644
--- a/sys/netipsec/xform_ipip.c
+++ b/sys/netipsec/xform_ipip.c
@@ -50,6 +50,7 @@
#include <sys/kernel.h>
#include <sys/protosw.h>
#include <sys/sysctl.h>
+#include <sys/vimage.h>
#include <net/if.h>
#include <net/pfil.h>
@@ -113,9 +114,9 @@ ip4_input6(struct mbuf **m, int *offp, int proto)
{
#if 0
/* If we do not accept IP-in-IP explicitly, drop. */
- if (!ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
+ if (!V_ipip_allow && ((*m)->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
- ipipstat.ipips_pdrops++;
+ V_ipipstat.ipips_pdrops++;
m_freem(*m);
return IPPROTO_DONE;
}
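Review bot: The `!V_ipip_allow` drop check edited here sits under `#if 0` (the matching `#endif` is outside the hunk), so the "drop unless IP-in-IP is explicitly accepted" policy is not compiled into ip4_input6. The same applies to the identical block in the ip4_input hunk that follows. The code should say where that policy is enforced instead, or why it is disabled, with a comment such as `/* disabled: ipip_allow is enforced in <location>, see <reference> */`. Without that, a reader may assume this check still gates unprotected IP-in-IP input.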
@@ -134,9 +135,9 @@ ip4_input(struct mbuf *m, int off)
{
#if 0
/* If we do not accept IP-in-IP explicitly, drop. */
- if (!ipip_allow && (m->m_flags & M_IPSEC) == 0) {
+ if (!V_ipip_allow && (m->m_flags & M_IPSEC) == 0) {
DPRINTF(("%s: dropped due to policy\n", __func__));
- ipipstat.ipips_pdrops++;
+ V_ipipstat.ipips_pdrops++;
m_freem(m);
return;
}
@@ -170,7 +171,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
u_int8_t v;
int hlen;
- ipipstat.ipips_ipackets++;
+ V_ipipstat.ipips_ipackets++;
m_copydata(m, 0, 1, &v);
@@ -186,7 +187,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
- ipipstat.ipips_family++;
+ V_ipipstat.ipips_family++;
m_freem(m);
return /* EAFNOSUPPORT */;
}
@@ -195,7 +196,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (1) failed\n", __func__));
- ipipstat.ipips_hdrops++;
+ V_ipipstat.ipips_hdrops++;
return;
}
}
@@ -232,7 +233,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Sanity check */
if (m->m_pkthdr.len < sizeof(struct ip)) {
- ipipstat.ipips_hdrops++;
+ V_ipipstat.ipips_hdrops++;
m_freem(m);
return;
}
@@ -252,7 +253,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
break;
#endif
default:
- ipipstat.ipips_family++;
+ V_ipipstat.ipips_family++;
m_freem(m);
return; /* EAFNOSUPPORT */
}
@@ -263,7 +264,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (m->m_len < hlen) {
if ((m = m_pullup(m, hlen)) == NULL) {
DPRINTF(("%s: m_pullup (2) failed\n", __func__));
- ipipstat.ipips_hdrops++;
+ V_ipipstat.ipips_hdrops++;
return;
}
}
@@ -280,7 +281,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
case 4:
ipo = mtod(m, struct ip *);
nxt = ipo->ip_p;
- ip_ecn_egress(ip4_ipsec_ecn, &otos, &ipo->ip_tos);
+ ip_ecn_egress(V_ip4_ipsec_ecn, &otos, &ipo->ip_tos);
break;
#endif /* INET */
#ifdef INET6
@@ -288,7 +289,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
ip6 = (struct ip6_hdr *) ipo;
nxt = ip6->ip6_nxt;
itos = (ntohl(ip6->ip6_flow) >> 20) & 0xff;
- ip_ecn_egress(ip6_ipsec_ecn, &otos, &itos);
+ ip_ecn_egress(V_ip6_ipsec_ecn, &otos, &itos);
ip6->ip6_flow &= ~htonl(0xff << 20);
ip6->ip6_flow |= htonl((u_int32_t) itos << 20);
break;
@@ -300,9 +301,9 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
/* Check for local address spoofing. */
if ((m->m_pkthdr.rcvif == NULL ||
!(m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK)) &&
- ipip_allow != 2) {
+ V_ipip_allow != 2) {
IFNET_RLOCK();
- TAILQ_FOREACH(ifp, &ifnet, if_link) {
+ TAILQ_FOREACH(ifp, &V_ifnet, if_link) {
TAILQ_FOREACH(ifa, &ifp->if_addrhead, ifa_link) {
#ifdef INET
if (ipo) {
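Review bot: `V_ipip_allow != 2` turns off the entire local-address spoofing check, and the meaning of the value 2 is not documented at this site. Because the knob is now read per instance through the `V_` prefix, it is worth stating the contract next to the test, for example `/* ipip_allow == 2 skips the local-address spoof check */`, or replacing the literal with a named constant. The loop body and the rest of _ipip_input lie outside this hunk.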
@@ -314,7 +315,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
if (sin->sin_addr.s_addr ==
ipo->ip_src.s_addr) {
- ipipstat.ipips_spoof++;
+ V_ipipstat.ipips_spoof++;
m_freem(m);
IFNET_RUNLOCK();
return;
@@ -331,7 +332,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
sin6 = (struct sockaddr_in6 *) ifa->ifa_addr;
if (IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr, &ip6->ip6_src)) {
- ipipstat.ipips_spoof++;
+ V_ipipstat.ipips_spoof++;
m_freem(m);
IFNET_RUNLOCK();
return;
@@ -345,7 +346,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
/* Statistics */
- ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
+ V_ipipstat.ipips_ibytes += m->m_pkthdr.len - iphlen;
#ifdef DEV_ENC
switch (v >> 4) {
@@ -391,7 +392,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
}
if (netisr_queue(isr, m)) { /* (0) on success. */
- ipipstat.ipips_qfull++;
+ V_ipipstat.ipips_qfull++;
DPRINTF(("%s: packet dropped because of full queue\n",
__func__));
}
@@ -438,7 +439,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- ipipstat.ipips_unspec++;
+ V_ipipstat.ipips_unspec++;
error = EINVAL;
goto bad;
}
@@ -446,7 +447,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip), M_DONTWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
- ipipstat.ipips_hdrops++;
+ V_ipipstat.ipips_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -456,7 +457,7 @@ ipip_output(
ipo->ip_v = IPVERSION;
ipo->ip_hl = 5;
ipo->ip_len = htons(m->m_pkthdr.len);
- ipo->ip_ttl = ip_defttl;
+ ipo->ip_ttl = V_ip_defttl;
ipo->ip_sum = 0;
ipo->ip_src = saidx->src.sin.sin_addr;
ipo->ip_dst = saidx->dst.sin.sin_addr;
@@ -515,7 +516,7 @@ ipip_output(
"address in SA %s/%08lx\n", __func__,
ipsec_address(&saidx->dst),
(u_long) ntohl(sav->spi)));
- ipipstat.ipips_unspec++;
+ V_ipipstat.ipips_unspec++;
error = ENOBUFS;
goto bad;
}
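Review bot: This unspecified-tunnel-endpoint path sets `error = ENOBUFS`, while the otherwise identical path in the earlier ipip_output hunk (same log text, same `ipips_unspec` counter) sets `error = EINVAL`. Judging by the `struct ip6_hdr` prepend in the next hunk this looks like the IPv6 branch, and a malformed SA address is not a buffer shortage, so `error = EINVAL;` would be consistent and would not make a configuration error look like transient memory pressure to callers. The start of the condition and of ipip_output is outside this hunk.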
@@ -530,7 +531,7 @@ ipip_output(
M_PREPEND(m, sizeof(struct ip6_hdr), M_DONTWAIT);
if (m == 0) {
DPRINTF(("%s: M_PREPEND failed\n", __func__));
- ipipstat.ipips_hdrops++;
+ V_ipipstat.ipips_hdrops++;
error = ENOBUFS;
goto bad;
}
@@ -541,7 +542,7 @@ ipip_output(
ip6o->ip6_vfc &= ~IPV6_VERSION_MASK;
ip6o->ip6_vfc |= IPV6_VERSION;
ip6o->ip6_plen = htons(m->m_pkthdr.len);
- ip6o->ip6_hlim = ip_defttl;
+ ip6o->ip6_hlim = V_ip_defttl;
ip6o->ip6_dst = saidx->dst.sin6.sin6_addr;
ip6o->ip6_src = saidx->src.sin6.sin6_addr;
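Review bot: `ip6o->ip6_hlim = V_ip_defttl;` fills the outer IPv6 hop limit from the IPv4 default TTL, so tunnelled IPv6 packets do not follow the IPv6 hop-limit setting of the instance. If the IPv6 default is in scope in this file (not visible in this hunk), `ip6o->ip6_hlim = V_ip6_defhlim;` would be the matching value. Otherwise a comment saying the IPv4 value is used on purpose would avoid confusion. ipip_output continues outside this hunk.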
@@ -580,12 +581,12 @@ ipip_output(
nofamily:
DPRINTF(("%s: unsupported protocol family %u\n", __func__,
saidx->dst.sa.sa_family));
- ipipstat.ipips_family++;
+ V_ipipstat.ipips_family++;
error = EAFNOSUPPORT; /* XXX diffs from openbsd */
goto bad;
}
- ipipstat.ipips_opackets++;
+ V_ipipstat.ipips_opackets++;
*mp = m;
#ifdef INET
@@ -595,7 +596,7 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip);
#endif
- ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip);
+ V_ipipstat.ipips_obytes += m->m_pkthdr.len - sizeof(struct ip);
}
#endif /* INET */
@@ -606,7 +607,7 @@ nofamily:
tdb->tdb_cur_bytes +=
m->m_pkthdr.len - sizeof(struct ip6_hdr);
#endif
- ipipstat.ipips_obytes +=
+ V_ipipstat.ipips_obytes +=
m->m_pkthdr.len - sizeof(struct ip6_hdr);
}
#endif /* INET6 */