summaryrefslogtreecommitdiffstats
path: root/sys/netipsec/ipsec_input.c
Commit message (Collapse)AuthorAgeFilesLines
* Overhaul if_enc(4) and make it loadable in run-time.ae2015-11-251-52/+22
| | | | | | | | Use hhook(9) framework to achieve ability of loading and unloading if_enc(4) kernel module. INET and INET6 code on initialization registers two helper hooks points in the kernel. if_enc(4) module uses these helper hook points and registers its hooks. IPSEC code uses these hhook points to call helper hooks implemented in if_enc(4).
* IPSEC, remove variable argument function its already due.eri2015-07-211-22/+7
| | | | | | Differential Revision: https://reviews.freebsd.org/D3080 Reviewed by: gnn, ae Approved by: gnn(mentor)
* Since PFIL can change mbuf pointer, we should update pointers afterae2015-04-281-0/+1
| | | | | | calling ipsec_filter(). Sponsored by: Yandex LLC
* Change ipsec_address() and ipsec_logsastr() functions to take twoae2015-04-181-8/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | additional arguments - buffer and size of this buffer. ipsec_address() is used to convert sockaddr structure to presentation format. The IPv6 part of this function returns pointer to the on-stack buffer and at the moment when it will be used by caller, it becames invalid. IPv4 version uses 4 static buffers and returns pointer to new buffer each time when it called. But anyway it is still possible to get corrupted data when several threads will use this function. ipsec_logsastr() is used to format string about SA entry. It also uses static buffer and has the same problem with concurrent threads. To fix these problems add the buffer pointer and size of this buffer to arguments. Now each caller will pass buffer and its size to these functions. Also convert all places where these functions are used (except disabled code). And now ipsec_address() uses inet_ntop() function from libkern. PR: 185996 Differential Revision: https://reviews.freebsd.org/D2321 Reviewed by: gnn Sponsored by: Yandex LLC
* Requeue mbuf via netisr when we use IPSec tunnel mode and IPv6.ae2015-04-181-1/+30
| | | | | | | | | | | | | | | | | | | ipsec6_common_input_cb() uses partial copy of ip6_input() to parse headers. But this isn't correct, when we use tunnel mode IPSec. When we stripped outer IPv6 header from the decrypted packet, it can become IPv4 packet and should be handled by ip_input. Also when we use tunnel mode IPSec with IPv6 traffic, we should pass decrypted packet with inner IPv6 header to ip6_input, it will correctly handle it and also can decide to forward it. The "skip" variable points to offset where payload starts. In tunnel mode we reset it to zero after stripping the outer header. So, when it is zero, we should requeue mbuf via netisr. Differential Revision: https://reviews.freebsd.org/D2306 Reviewed by: adrian, gnn Sponsored by: Yandex LLC
* Fix handling of scoped IPv6 addresses in IPSec code.ae2015-04-181-0/+7
| | | | | | | | | | | | | | | | | | | | | * in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope; * teach key_ismyaddr6() use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(). It doesn't compare all fileds of struct sockaddr_in6, but it is faster and it should be safe, because all SA's data was checked for correctness. Also, since IPv6 link-local addresses in the &V_in6_ifaddrhead are stored in kernel-internal form, we need to embed scope zone id from SA into the address before calling in6_localip. * in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA, because we keep addresses in the SADB without embedded scope zone id. Differential Revision: https://reviews.freebsd.org/D2304 Reviewed by: gnn Sponsored by: Yandex LLC
* Remove now unused mtag argument from ipsec*_common_input_cb.ae2014-12-111-23/+8
| | | | | Obtained from: Yandex LLC Sponsored by: Yandex LLC
* Remove route chaching support from ipsec code. It isn't used for some time.ae2014-12-021-1/+0
| | | | | | | | | * remove sa_route_union declaration and route_cache member from struct secashead; * remove key_sa_routechange() call from ICMP and ICMPv6 code; * simplify ip_ipsec_mtu(); * remove #include <net/route.h>; Sponsored by: Yandex LLC
* Strip IP header only when we act in tunnel mode.ae2014-11-131-29/+30
| | | | | MFC after: 1 week Sponsored by: Yandex LLC
* Pass mbuf to pfil processing before stripping outer IP header as itae2014-11-071-17/+6
| | | | | | | is described in if_enc(4). MFC after: 2 week Sponsored by: Yandex LLC
* When mode isn't explicitly specified (wildcard) and inner protocol isn'tae2014-11-061-1/+10
| | | | | | | | IPv4 or IPv6, assume it is the transport mode. Reported by: jmg MFC after: 1 week Sponsored by: Yandex LLC
* Do not strip outer header when operating in transport mode.ae2014-10-021-2/+10
| | | | | | | | | Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP encapsulation, it will be handled with tunneling interface. And thus proper interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling interface will see packets in both directions. Sponsored by: Yandex LLC
* Mechanically convert to if_inc_counter().glebius2014-09-191-4/+4
|
* Merge 'struct ip6protosw' and 'struct protosw' into one. Now we havekevlo2014-08-081-6/+31
| | | | | | | only one protocol switch structure that is shared between ipv4 and ipv6. Phabric: D476 Reviewed by: jhb
* Fixed IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.vanhu2014-05-281-47/+89
| | | | | | | | | | | | | For IPv6-in-IPv4, you may need to do the following command on the tunnel interface if it is configured as IPv4 only: ifconfig <interface> inet6 -ifdisabled Code logic inspired from NetBSD. PR: kern/169438 Submitted by: emeric.poupon@netasq.com Reviewed by: fabient, ae Obtained from: NETASQ
* Initialize prot variable.ae2013-11-111-0/+1
| | | | | PR: 177417 MFC after: 1 week
* The r48589 promised to remove implicit inclusion of if_var.h soon. Prepareglebius2013-10-261-0/+1
| | | | | | | | to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h Sponsored by: Netflix Sponsored by: Nginx, Inc.
* Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,ae2013-06-201-54/+30
| | | | | | PFKEY. MFC after: 2 weeks
* Use IP6STAT_INC/IP6STAT_DEC macros to update ip6 stats.ae2013-04-091-2/+2
| | | | MFC after: 1 week
* - Fix one more miss from r241913.glebius2012-10-231-2/+4
| | | | | - Add XXX comment about necessity of the entire block, that "fixes up" the IP header.
* Merge the projects/pf/head branch, that was worked on for last six months,glebius2012-09-081-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | into head. The most significant achievements in the new code: o Fine grained locking, thus much better performance. o Fixes to many problems in pf, that were specific to FreeBSD port. New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers. Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged: r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212. I'd like to thank people who participated in early testing: Tested by: Florian Smeets <flo freebsd.org> Tested by: Chekaluk Vitaly <artemrts ukr.net> Tested by: Ben Wilber <ben desync.com> Tested by: Ian FREISLICH <ianf cloudseed.co.za>
* Update packet filter (pf) code to OpenBSD 4.5.bz2011-06-281-0/+2
| | | | | | | | You need to update userland (world and ports) tools to be in sync with the kernel. Submitted by: mlaier Submitted by: eri
* Make IPsec compile without INET adding appropriate #ifdef checks.bz2011-04-271-0/+2
| | | | | | | | | | | | Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
* Fix typo in comment.thomas2010-10-251-1/+1
|
* MFp4 @178283:bz2010-05-241-1/+1
| | | | | | | | | Improve IPsec flow distribution for better netisr parallelism. Instead of using the pointer that would have the last bits masked in a % statement in netisr_select_cpuid() to select the queue, use the SPI. Reviewed by: rwatson MFC after: 4 weeks
* Merge the remainder of kern_vimage.c and vimage.h into vnet.c andrwatson2009-08-011-1/+0
| | | | | | | | | | vnet.h, we now use jails (rather than vimages) as the abstraction for virtualization management, and what remained was specific to virtual network stacks. Minor cleanups are done in the process, and comments updated to reflect these changes. Reviewed by: bz Approved by: re (vimage blanket)
* Build on Jeff Roberson's linker-set based dynamic per-CPU allocatorrwatson2009-07-141-6/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing the in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of a the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING. Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
* Added support for NAT-Traversal (RFC 3948) in IPsec stack.vanhu2009-06-121-0/+9
| | | | | | | | | | | | | | Thanks to (no special order) Emmanuel Dreyfus (manu@netbsd.org), Larry Baird (lab@gta.com), gnn, bz, and other FreeBSD devs, Julien Vanherzeele (julien.vanherzeele@netasq.com, for years of bug reporting), the PFSense team, and all people who used / tried the NAT-T patch for years and reported bugs, patches, etc... X-MFC: never Reviewed by: bz Approved by: gnn(mentor) Obtained from: NETASQ
* Properly hide IPv4 only variables and functions under #ifdef INET.bz2009-06-101-0/+2
|
* Reimplement the netisr framework in order to support parallel netisrrwatson2009-06-011-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | threads: - Support up to one netisr thread per CPU, each processings its own workstream, or set of per-protocol queues. Threads may be bound to specific CPUs, or allowed to migrate, based on a global policy. In the future it would be desirable to support topology-centric policies, such as "one netisr per package". - Allow each protocol to advertise an ordering policy, which can currently be one of: NETISR_POLICY_SOURCE: packets must maintain ordering with respect to an implicit or explicit source (such as an interface or socket). NETISR_POLICY_FLOW: make use of mbuf flow identifiers to place work, as well as allowing protocols to provide a flow generation function for mbufs without flow identifers (m2flow). Falls back on NETISR_POLICY_SOURCE if now flow ID is available. NETISR_POLICY_CPU: allow protocols to inspect and assign a CPU for each packet handled by netisr (m2cpuid). - Provide utility functions for querying the number of workstreams being used, as well as a mapping function from workstream to CPU ID, which protocols may use in work placement decisions. - Add explicit interfaces to get and set per-protocol queue limits, and get and clear drop counters, which query data or apply changes across all workstreams. - Add a more extensible netisr registration interface, in which protocols declare 'struct netisr_handler' structures for each registered NETISR_ type. These include name, handler function, optional mbuf to flow ID function, optional mbuf to CPU ID function, queue limit, and ordering policy. Padding is present to allow these to be expanded in the future. If no queue limit is declared, then a default is used. - Queue limits are now per-workstream, and raised from the previous IFQ_MAXLEN default of 50 to 256. - All protocols are updated to use the new registration interface, and with the exception of netnatm, default queue limits. Most protocols register as NETISR_POLICY_SOURCE, except IPv4 and IPv6, which use NETISR_POLICY_FLOW, and will therefore take advantage of driver- generated flow IDs if present. - Formalize a non-packet based interface between interface polling and the netisr, rather than having polling pretend to be two protocols. Provide two explicit hooks in the netisr worker for start and end events for runs: netisr_poll() and netisr_pollmore(), as well as a function, netisr_sched_poll(), to allow the polling code to schedule netisr execution. DEVICE_POLLING still embeds single-netisr assumptions in its implementation, so for now if it is compiled into the kernel, a single and un-bound netisr thread is enforced regardless of tunable configuration. In the default configuration, the new netisr implementation maintains the same basic assumptions as the previous implementation: a single, un-bound worker thread processes all deferred work, and direct dispatch is enabled by default wherever possible. Performance measurement shows a marginal performance improvement over the old implementation due to the use of batched dequeue. An rmlock is used to synchronize use and registration/unregistration using the framework; currently, synchronized use is disabled (replicating current netisr policy) due to a measurable 3%-6% hit in ping-pong micro-benchmarking. It will be enabled once further rmlock optimization has taken place. However, in practice, netisrs are rarely registered or unregistered at runtime. A new man page for netisr will follow, but since one doesn't currently exist, it hasn't been updated. This change is not appropriate for MFC, although the polling shutdown handler should be merged to 7-STABLE. Bump __FreeBSD_version. Reviewed by: bz
* Rather than using hidden includes (with cicular dependencies),bz2008-12-021-0/+1
| | | | | | | | | | | directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files. For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h. Reviewed by: brooks, gnn, des, zec, imp Sponsored by: The FreeBSD Foundation
* Step 1.5 of importing the network stack virtualization infrastructurezec2008-10-021-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
* Commit step 1 of the vimage project, (network stack)bz2008-08-171-57/+58
| | | | | | | | | | | | | | | | | | | | | | | | virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
* Increase statistic counters for enc0 interface when enabledvanhu2008-08-121-0/+11
| | | | | | | and processing IPSec traffic. Approved by: gnn (mentor) MFC after: 1 week
* In addition to the ipsec_osdep.h removal a week ago, now also eliminatebz2008-05-241-2/+0
| | | | IPSEC_SPLASSERT_SOFTNET which has been 'unused' since FreeBSD 5.0.
* Add sysctls to if_enc(4) to control whether the firewalls orbz2007-11-281-2/+21
| | | | | | | | | | | | | | | | | | | bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selcting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well. [ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ] Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
* Fix for an infinite loop in processing ESP, IPv6 packets.gnn2007-09-121-4/+17
| | | | | | | | The control input routine passes a NULL as its void argument when it has reached the innermost header, which terminates the loop. Reported by: Pawel Worach <pawel.worach@gmail.com> Approved by: re
* Replace hard coded options by their defined PFIL_{IN,OUT} names.bz2007-07-191-1/+2
| | | | Approved by: re (hrs)
* Looking at {ah,esp}_input_cb it seems we might be able to end upbz2007-06-151-1/+1
| | | | | | | | | without an mtag in ipsec4_common_input_cb. So in case of !IPCOMP (AH,ESP) only change the m_tag_id if an mtag was passed to ipsec4_common_input_cb. Found with: Coverity Prevent(tm) CID: 2523
* s,#,*, in a multi-line comment. This is C.bz2007-06-151-1/+1
| | | | No functional change.
* Though we are only called for the three security protocols we canbz2007-06-151-0/+4
| | | | | | | | handle, document those sprotos using an IPSEC_ASSERT so that it will be clear that 'spi' will always be initialized when used the first time. Found with: Coverity Prevent(tm) CID: 2533
* s,#if INET6,#ifdef INET6,bz2006-12-141-1/+1
| | | | | | This unbreaks the build for FAST_IPSEC && !INET6 and was wrong anyway. Reported by: Dmitry Pryanishnikov <dmitry atlantis.dp.ua>
* MFp4: 92972, 98913 + one more changebz2006-12-121-2/+10
| | | | | | | In ip6_sprintf no longer use and return one of eight static buffers for printing/logging ipv6 addresses. The caller now has to hand in a sufficiently large buffer as first argument.
* Add a pseudo interface for packet filtering IPSec connections before or afterthompsa2006-06-261-0/+13
| | | | | | | | | | | encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
* Change '#if INET' and '#if INET6' to '#ifdef INET' and '#ifdef INET6'.pjd2006-06-041-1/+1
| | | | This unbreaks compiling a kernel with FAST_IPSEC and no INET6.
* Extend the notdef #ifdef to cover the packet copy as there is no point in ↵gnn2006-06-041-8/+4
| | | | | | | doing that if we're not doing the rest of the work. Submitted by: thompsa MFC after: 1 week
* /* -> /*- for license, minor formatting changesimp2005-01-071-1/+1
|
* Apply error and success logic consistently to the function netisr_queue() andandre2004-08-271-2/+2
| | | | | | | | | | | | | | | | | | its users. netisr_queue() now returns (0) on success and ERRNO on failure. At the moment ENXIO (netisr queue not functional) and ENOBUFS (netisr queue full) are supported. Previously it would return (1) on success but the return value of IF_HANDOFF() was interpreted wrongly and (0) was actually returned on success. Due to this schednetisr() was never called to kick the scheduling of the isr. However this was masked by other normal packets coming through netisr_dispatch() causing the dequeueing of waiting packets. PR: kern/70988 Found by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp> MFC after: 3 days
* MFp4: portability work, general cleanup, locking fixessam2003-09-291-135/+146
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPSEC_SPLASSERT/ for portability o remove function names from ASSERT strings since line#+file pinpints the location o use __func__ uniformly to reduce string storage o convert some random #ifdef DIAGNOSTIC code to assertions o remove some debuggging assertions no longer needed change 38498 o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system change 38502 + 38530 o change explicit mtx operations to #defines to simplify future changes to a different lock type change 38531 o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least o correct potential null pointer deref in ipsec4_common_input_cb chnage 38685 o fix locking for bundled SA's and for when key exchange is required change 38770 o eliminate recursion on the SAHTREE lock change 38804 o cleanup some types: long -> time_t o remove refrence to dead #define change 38805 o correct some types: long -> time_t o add scan generation # to secpolicy to deal with locking issues change 38806 o use LIST_FOREACH_SAFE instead of handrolled code o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation o misc cleanups of tangled and twisty code There is still much to do here but for now things look to be working again. Supported by: FreeBSD Foundation
* Locking and misc cleanups; most of which I've been running for >4 months:sam2003-09-011-6/+1
| | | | | | | | | | o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_ACQUIRE code o remove dead code Sponsored by: FreeBSD Foundation
OpenPOWER on IntegriCloud