if_ipsec: Import from FreeBSD.

2 files changed, 1043 insertions, 0 deletions

diff --git a/freebsd/sys/net/if_ipsec.c b/freebsd/sys/net/if_ipsec.c
new file mode 100644
index 00000000..76eb07d9
--- /dev/null
+++ b/freebsd/sys/net/if_ipsec.c
@@ -0,0 +1,1004 @@
+#include <machine/rtems-bsd-kernel-space.h>
+
+/*-
+ * Copyright (c) 2016 Yandex LLC
+ * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <rtems/bsd/local/opt_inet.h>
+#include <rtems/bsd/local/opt_inet6.h>
+
+#include <sys/param.h>
+#include <sys/systm.h>
+#include <sys/kernel.h>
+#include <sys/fnv_hash.h>
+#include <sys/jail.h>
+#include <sys/lock.h>
+#include <sys/malloc.h>
+#include <sys/mbuf.h>
+#include <sys/module.h>
+#include <sys/rmlock.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/sx.h>
+#include <sys/errno.h>
+#include <sys/sysctl.h>
+#include <sys/priv.h>
+#include <sys/proc.h>
+#include <sys/conf.h>
+
+#include <net/if.h>
+#include <net/if_var.h>
+#include <net/if_clone.h>
+#include <net/if_types.h>
+#include <net/bpf.h>
+#include <net/route.h>
+#include <net/vnet.h>
+
+#include <netinet/in.h>
+#include <netinet/in_var.h>
+#include <netinet/ip.h>
+
+#include <netinet/ip6.h>
+#include <netinet6/in6_var.h>
+#include <netinet6/scope6_var.h>
+
+#include <netipsec/ipsec.h>
+#ifdef INET6
+#include <netipsec/ipsec6.h>
+#endif
+
+#include <net/if_ipsec.h>
+#include <netipsec/key.h>
+
+#include <security/mac/mac_framework.h>
+
+static MALLOC_DEFINE(M_IPSEC, "ipsec", "IPsec Virtual Tunnel Interface");
+static const char ipsecname[] = "ipsec";
+
+#if defined(INET) && defined(INET6)
+#define	IPSEC_SPCOUNT		4
+#else
+#define	IPSEC_SPCOUNT		2
+#endif
+
+struct ipsec_softc {
+	struct ifnet		*ifp;
+
+	struct rmlock		lock;
+	struct secpolicy	*sp[IPSEC_SPCOUNT];
+
+	uint32_t		reqid;
+	u_int			family;
+	u_int			fibnum;
+	LIST_ENTRY(ipsec_softc)	chain;
+	LIST_ENTRY(ipsec_softc) hash;
+};
+
+#define	IPSEC_LOCK_INIT(sc)	rm_init(&(sc)->lock, "if_ipsec softc")
+#define	IPSEC_LOCK_DESTROY(sc)	rm_destroy(&(sc)->lock)
+#define	IPSEC_RLOCK_TRACKER	struct rm_priotracker ipsec_tracker
+#define	IPSEC_RLOCK(sc)		rm_rlock(&(sc)->lock, &ipsec_tracker)
+#define	IPSEC_RUNLOCK(sc)	rm_runlock(&(sc)->lock, &ipsec_tracker)
+#define	IPSEC_RLOCK_ASSERT(sc)	rm_assert(&(sc)->lock, RA_RLOCKED)
+#define	IPSEC_WLOCK(sc)		rm_wlock(&(sc)->lock)
+#define	IPSEC_WUNLOCK(sc)	rm_wunlock(&(sc)->lock)
+#define	IPSEC_WLOCK_ASSERT(sc)	rm_assert(&(sc)->lock, RA_WLOCKED)
+
+static struct rmlock ipsec_sc_lock;
+RM_SYSINIT(ipsec_sc_lock, &ipsec_sc_lock, "if_ipsec softc list");
+
+#define	IPSEC_SC_RLOCK_TRACKER	struct rm_priotracker ipsec_sc_tracker
+#define	IPSEC_SC_RLOCK()	rm_rlock(&ipsec_sc_lock, &ipsec_sc_tracker)
+#define	IPSEC_SC_RUNLOCK()	rm_runlock(&ipsec_sc_lock, &ipsec_sc_tracker)
+#define	IPSEC_SC_RLOCK_ASSERT()	rm_assert(&ipsec_sc_lock, RA_RLOCKED)
+#define	IPSEC_SC_WLOCK()	rm_wlock(&ipsec_sc_lock)
+#define	IPSEC_SC_WUNLOCK()	rm_wunlock(&ipsec_sc_lock)
+#define	IPSEC_SC_WLOCK_ASSERT()	rm_assert(&ipsec_sc_lock, RA_WLOCKED)
+
+LIST_HEAD(ipsec_iflist, ipsec_softc);
+static VNET_DEFINE(struct ipsec_iflist, ipsec_sc_list);
+static VNET_DEFINE(struct ipsec_iflist *, ipsec_sc_htbl);
+static VNET_DEFINE(u_long, ipsec_sc_hmask);
+#define	V_ipsec_sc_list		VNET(ipsec_sc_list)
+#define	V_ipsec_sc_htbl		VNET(ipsec_sc_htbl)
+#define	V_ipsec_sc_hmask	VNET(ipsec_sc_hmask)
+
+static uint32_t
+ipsec_hash(uint32_t id)
+{
+
+	return (fnv_32_buf(&id, sizeof(id), FNV1_32_INIT));
+}
+
+#define	SCHASH_NHASH_LOG2	5
+#define	SCHASH_NHASH		(1 << SCHASH_NHASH_LOG2)
+#define	SCHASH_HASHVAL(id)	(ipsec_hash((id)) & V_ipsec_sc_hmask)
+#define	SCHASH_HASH(id)		&V_ipsec_sc_htbl[SCHASH_HASHVAL(id)]
+
+/*
+ * ipsec_ioctl_sx protects from concurrent ioctls.
+ */
+static struct sx ipsec_ioctl_sx;
+SX_SYSINIT(ipsec_ioctl_sx, &ipsec_ioctl_sx, "ipsec_ioctl");
+
+static int	ipsec_init_reqid(struct ipsec_softc *);
+static int	ipsec_set_tunnel(struct ipsec_softc *, struct sockaddr *,
+    struct sockaddr *, uint32_t);
+static void	ipsec_delete_tunnel(struct ifnet *, int);
+
+static int	ipsec_set_addresses(struct ifnet *, struct sockaddr *,
+    struct sockaddr *);
+static int	ipsec_set_reqid(struct ifnet *, uint32_t);
+
+static int	ipsec_ioctl(struct ifnet *, u_long, caddr_t);
+static int	ipsec_transmit(struct ifnet *, struct mbuf *);
+static int	ipsec_output(struct ifnet *, struct mbuf *,
+    const struct sockaddr *, struct route *);
+static void	ipsec_qflush(struct ifnet *);
+static int	ipsec_clone_create(struct if_clone *, int, caddr_t);
+static void	ipsec_clone_destroy(struct ifnet *);
+
+static VNET_DEFINE(struct if_clone *, ipsec_cloner);
+#define	V_ipsec_cloner		VNET(ipsec_cloner)
+
+static int
+ipsec_clone_create(struct if_clone *ifc, int unit, caddr_t params)
+{
+	struct ipsec_softc *sc;
+	struct ifnet *ifp;
+
+	sc = malloc(sizeof(*sc), M_IPSEC, M_WAITOK | M_ZERO);
+	sc->fibnum = curthread->td_proc->p_fibnum;
+	sc->ifp = ifp = if_alloc(IFT_TUNNEL);
+	IPSEC_LOCK_INIT(sc);
+	ifp->if_softc = sc;
+	if_initname(ifp, ipsecname, unit);
+
+	ifp->if_addrlen = 0;
+	ifp->if_mtu = IPSEC_MTU;
+	ifp->if_flags  = IFF_POINTOPOINT | IFF_MULTICAST;
+	ifp->if_ioctl  = ipsec_ioctl;
+	ifp->if_transmit  = ipsec_transmit;
+	ifp->if_qflush  = ipsec_qflush;
+	ifp->if_output = ipsec_output;
+	if_attach(ifp);
+	bpfattach(ifp, DLT_NULL, sizeof(uint32_t));
+
+	IPSEC_SC_WLOCK();
+	LIST_INSERT_HEAD(&V_ipsec_sc_list, sc, chain);
+	IPSEC_SC_WUNLOCK();
+	return (0);
+}
+
+static void
+ipsec_clone_destroy(struct ifnet *ifp)
+{
+	struct ipsec_softc *sc;
+
+	sx_xlock(&ipsec_ioctl_sx);
+	sc = ifp->if_softc;
+
+	IPSEC_SC_WLOCK();
+	ipsec_delete_tunnel(ifp, 1);
+	LIST_REMOVE(sc, chain);
+	IPSEC_SC_WUNLOCK();
+
+	bpfdetach(ifp);
+	if_detach(ifp);
+	ifp->if_softc = NULL;
+	sx_xunlock(&ipsec_ioctl_sx);
+
+	if_free(ifp);
+	IPSEC_LOCK_DESTROY(sc);
+	free(sc, M_IPSEC);
+}
+
+static void
+vnet_ipsec_init(const void *unused __unused)
+{
+
+	LIST_INIT(&V_ipsec_sc_list);
+	V_ipsec_sc_htbl = hashinit(SCHASH_NHASH, M_IPSEC, &V_ipsec_sc_hmask);
+	V_ipsec_cloner = if_clone_simple(ipsecname, ipsec_clone_create,
+	    ipsec_clone_destroy, 0);
+}
+VNET_SYSINIT(vnet_ipsec_init, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
+    vnet_ipsec_init, NULL);
+
+static void
+vnet_ipsec_uninit(const void *unused __unused)
+{
+
+	if_clone_detach(V_ipsec_cloner);
+	hashdestroy(V_ipsec_sc_htbl, M_IPSEC, V_ipsec_sc_hmask);
+}
+VNET_SYSUNINIT(vnet_ipsec_uninit, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY,
+    vnet_ipsec_uninit, NULL);
+
+static struct secpolicy *
+ipsec_getpolicy(struct ipsec_softc *sc, int dir, sa_family_t af)
+{
+
+	switch (af) {
+#ifdef INET
+	case AF_INET:
+		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)]);
+#endif
+#ifdef INET6
+	case AF_INET6:
+		return (sc->sp[(dir == IPSEC_DIR_INBOUND ? 0: 1)
+#ifdef INET
+			+ 2
+#endif
+		]);
+#endif
+	}
+	return (NULL);
+}
+
+static struct secasindex *
+ipsec_getsaidx(struct ipsec_softc *sc, int dir, sa_family_t af)
+{
+	struct secpolicy *sp;
+
+	sp = ipsec_getpolicy(sc, dir, af);
+	if (sp == NULL)
+		return (NULL);
+	return (&sp->req[0]->saidx);
+}
+
+static int
+ipsec_transmit(struct ifnet *ifp, struct mbuf *m)
+{
+	IPSEC_RLOCK_TRACKER;
+	struct ipsec_softc *sc;
+	struct secpolicy *sp;
+	struct ip *ip;
+	uint32_t af;
+	int error;
+
+#ifdef MAC
+	error = mac_ifnet_check_transmit(ifp, m);
+	if (error) {
+		m_freem(m);
+		goto err;
+	}
+#endif
+	error = ENETDOWN;
+	sc = ifp->if_softc;
+	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
+	    (ifp->if_flags & IFF_MONITOR) != 0 ||
+	    (ifp->if_flags & IFF_UP) == 0) {
+		m_freem(m);
+		goto err;
+	}
+
+	/* Determine address family to correctly handle packet in BPF */
+	ip = mtod(m, struct ip *);
+	switch (ip->ip_v) {
+#ifdef INET
+	case IPVERSION:
+		af = AF_INET;
+		break;
+#endif
+#ifdef INET6
+	case (IPV6_VERSION >> 4):
+		af = AF_INET6;
+		break;
+#endif
+	default:
+		error = EAFNOSUPPORT;
+		m_freem(m);
+		goto err;
+	}
+
+	/*
+	 * Loop prevention.
+	 * XXX: for now just check presence of IPSEC_OUT_DONE mbuf tag.
+	 *      We can read full chain and compare destination address,
+	 *      proto and mode from xform_history with values from softc.
+	 */
+	if (m_tag_find(m, PACKET_TAG_IPSEC_OUT_DONE, NULL) != NULL) {
+		m_freem(m);
+		goto err;
+	}
+
+	IPSEC_RLOCK(sc);
+	if (sc->family == 0) {
+		IPSEC_RUNLOCK(sc);
+		m_freem(m);
+		goto err;
+	}
+	sp = ipsec_getpolicy(sc, IPSEC_DIR_OUTBOUND, af);
+	key_addref(sp);
+	M_SETFIB(m, sc->fibnum);
+	IPSEC_RUNLOCK(sc);
+
+	BPF_MTAP2(ifp, &af, sizeof(af), m);
+	if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1);
+	if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len);
+
+	switch (af) {
+#ifdef INET
+	case AF_INET:
+		error = ipsec4_process_packet(m, sp, NULL);
+		break;
+#endif
+#ifdef INET6
+	case AF_INET6:
+		error = ipsec6_process_packet(m, sp, NULL);
+		break;
+#endif
+	default:
+		panic("%s: unknown address family\n", __func__);
+	}
+err:
+	if (error != 0)
+		if_inc_counter(ifp, IFCOUNTER_OERRORS, 1);
+	return (error);
+}
+
+static void
+ipsec_qflush(struct ifnet *ifp __unused)
+{
+
+}
+
+static int
+ipsec_output(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst,
+	struct route *ro)
+{
+
+	return (ifp->if_transmit(ifp, m));
+}
+
+int
+ipsec_if_input(struct mbuf *m, struct secasvar *sav, uint32_t af)
+{
+	IPSEC_SC_RLOCK_TRACKER;
+	struct secasindex *saidx;
+	struct ipsec_softc *sc;
+	struct ifnet *ifp;
+
+	if (sav->state != SADB_SASTATE_MATURE &&
+	    sav->state != SADB_SASTATE_DYING) {
+		m_freem(m);
+		return (ENETDOWN);
+	}
+
+	if (sav->sah->saidx.mode != IPSEC_MODE_TUNNEL ||
+	    sav->sah->saidx.proto != IPPROTO_ESP)
+		return (0);
+
+	IPSEC_SC_RLOCK();
+	/*
+	 * We only acquire SC_RLOCK() while we are doing search in
+	 * ipsec_sc_htbl. It is safe, because removing softc or changing
+	 * of reqid/addresses requires removing from hash table.
+	 */
+	LIST_FOREACH(sc, SCHASH_HASH(sav->sah->saidx.reqid), hash) {
+		saidx = ipsec_getsaidx(sc, IPSEC_DIR_INBOUND,
+		    sav->sah->saidx.src.sa.sa_family);
+		/* SA's reqid should match reqid in SP */
+		if (saidx == NULL ||
+		    sav->sah->saidx.reqid != saidx->reqid)
+			continue;
+		/* SAH's addresses should match tunnel endpoints. */
+		if (key_sockaddrcmp(&sav->sah->saidx.dst.sa,
+		    &saidx->dst.sa, 0) != 0)
+			continue;
+		if (key_sockaddrcmp(&sav->sah->saidx.src.sa,
+		    &saidx->src.sa, 0) == 0)
+			break;
+	}
+	if (sc == NULL) {
+		IPSEC_SC_RUNLOCK();
+		/* Tunnel was not found. Nothing to do. */
+		return (0);
+	}
+	ifp = sc->ifp;
+	if ((ifp->if_drv_flags & IFF_DRV_RUNNING) == 0 ||
+	    (ifp->if_flags & IFF_UP) == 0) {
+		IPSEC_SC_RUNLOCK();
+		m_freem(m);
+		return (ENETDOWN);
+	}
+	/*
+	 * We found matching and working tunnel.
+	 * Set its ifnet as receiving interface.
+	 */
+	m->m_pkthdr.rcvif = ifp;
+	IPSEC_SC_RUNLOCK();
+
+	/* m_clrprotoflags(m); */
+	M_SETFIB(m, ifp->if_fib);
+	BPF_MTAP2(ifp, &af, sizeof(af), m);
+	if_inc_counter(ifp, IFCOUNTER_IPACKETS, 1);
+	if_inc_counter(ifp, IFCOUNTER_IBYTES, m->m_pkthdr.len);
+	if ((ifp->if_flags & IFF_MONITOR) != 0) {
+		m_freem(m);
+		return (ENETDOWN);
+	}
+	return (0);
+}
+
+/* XXX how should we handle IPv6 scope on SIOC[GS]IFPHYADDR? */
+int
+ipsec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+	IPSEC_RLOCK_TRACKER;
+	struct ifreq *ifr = (struct ifreq*)data;
+	struct sockaddr *dst, *src;
+	struct ipsec_softc *sc;
+	struct secasindex *saidx;
+#ifdef INET
+	struct sockaddr_in *sin = NULL;
+#endif
+#ifdef INET6
+	struct sockaddr_in6 *sin6 = NULL;
+#endif
+	uint32_t reqid;
+	int error;
+
+	switch (cmd) {
+	case SIOCSIFADDR:
+		ifp->if_flags |= IFF_UP;
+	case SIOCADDMULTI:
+	case SIOCDELMULTI:
+	case SIOCGIFMTU:
+	case SIOCSIFFLAGS:
+		return (0);
+	case SIOCSIFMTU:
+		if (ifr->ifr_mtu < IPSEC_MTU_MIN ||
+		    ifr->ifr_mtu > IPSEC_MTU_MAX)
+			return (EINVAL);
+		else
+			ifp->if_mtu = ifr->ifr_mtu;
+		return (0);
+	}
+	sx_xlock(&ipsec_ioctl_sx);
+	sc = ifp->if_softc;
+	/* Check that softc is still here */
+	if (sc == NULL) {
+		error = ENXIO;
+		goto bad;
+	}
+	error = 0;
+	switch (cmd) {
+	case SIOCSIFPHYADDR:
+#ifdef INET6
+	case SIOCSIFPHYADDR_IN6:
+#endif
+		error = EINVAL;
+		switch (cmd) {
+#ifdef INET
+		case SIOCSIFPHYADDR:
+			src = (struct sockaddr *)
+				&(((struct in_aliasreq *)data)->ifra_addr);
+			dst = (struct sockaddr *)
+				&(((struct in_aliasreq *)data)->ifra_dstaddr);
+			break;
+#endif
+#ifdef INET6
+		case SIOCSIFPHYADDR_IN6:
+			src = (struct sockaddr *)
+				&(((struct in6_aliasreq *)data)->ifra_addr);
+			dst = (struct sockaddr *)
+				&(((struct in6_aliasreq *)data)->ifra_dstaddr);
+			break;
+#endif
+		default:
+			goto bad;
+		}
+		/* sa_family must be equal */
+		if (src->sa_family != dst->sa_family ||
+		    src->sa_len != dst->sa_len)
+			goto bad;
+
+		/* validate sa_len */
+		switch (src->sa_family) {
+#ifdef INET
+		case AF_INET:
+			if (src->sa_len != sizeof(struct sockaddr_in))
+				goto bad;
+			break;
+#endif
+#ifdef INET6
+		case AF_INET6:
+			if (src->sa_len != sizeof(struct sockaddr_in6))
+				goto bad;
+			break;
+#endif
+		default:
+			error = EAFNOSUPPORT;
+			goto bad;
+		}
+		/* check sa_family looks sane for the cmd */
+		error = EAFNOSUPPORT;
+		switch (cmd) {
+#ifdef INET
+		case SIOCSIFPHYADDR:
+			if (src->sa_family == AF_INET)
+				break;
+			goto bad;
+#endif
+#ifdef INET6
+		case SIOCSIFPHYADDR_IN6:
+			if (src->sa_family == AF_INET6)
+				break;
+			goto bad;
+#endif
+		}
+		error = EADDRNOTAVAIL;
+		switch (src->sa_family) {
+#ifdef INET
+		case AF_INET:
+			if (satosin(src)->sin_addr.s_addr == INADDR_ANY ||
+			    satosin(dst)->sin_addr.s_addr == INADDR_ANY)
+				goto bad;
+			break;
+#endif
+#ifdef INET6
+		case AF_INET6:
+			if (IN6_IS_ADDR_UNSPECIFIED(&satosin6(src)->sin6_addr)
+			    ||
+			    IN6_IS_ADDR_UNSPECIFIED(&satosin6(dst)->sin6_addr))
+				goto bad;
+			/*
+			 * Check validity of the scope zone ID of the
+			 * addresses, and convert it into the kernel
+			 * internal form if necessary.
+			 */
+			error = sa6_embedscope(satosin6(src), 0);
+			if (error != 0)
+				goto bad;
+			error = sa6_embedscope(satosin6(dst), 0);
+			if (error != 0)
+				goto bad;
+#endif
+		};
+		error = ipsec_set_addresses(ifp, src, dst);
+		break;
+	case SIOCDIFPHYADDR:
+		ipsec_delete_tunnel(ifp, 0);
+		break;
+	case SIOCGIFPSRCADDR:
+	case SIOCGIFPDSTADDR:
+#ifdef INET6
+	case SIOCGIFPSRCADDR_IN6:
+	case SIOCGIFPDSTADDR_IN6:
+#endif
+		IPSEC_RLOCK(sc);
+		if (sc->family == 0) {
+			IPSEC_RUNLOCK(sc);
+			error = EADDRNOTAVAIL;
+			break;
+		}
+		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
+		switch (cmd) {
+#ifdef INET
+		case SIOCGIFPSRCADDR:
+		case SIOCGIFPDSTADDR:
+			if (saidx->src.sa.sa_family != AF_INET) {
+				error = EADDRNOTAVAIL;
+				break;
+			}
+			sin = (struct sockaddr_in *)&ifr->ifr_addr;
+			memset(sin, 0, sizeof(*sin));
+			sin->sin_family = AF_INET;
+			sin->sin_len = sizeof(*sin);
+			break;
+#endif
+#ifdef INET6
+		case SIOCGIFPSRCADDR_IN6:
+		case SIOCGIFPDSTADDR_IN6:
+			if (saidx->src.sa.sa_family != AF_INET6) {
+				error = EADDRNOTAVAIL;
+				break;
+			}
+			sin6 = (struct sockaddr_in6 *)
+				&(((struct in6_ifreq *)data)->ifr_addr);
+			memset(sin6, 0, sizeof(*sin6));
+			sin6->sin6_family = AF_INET6;
+			sin6->sin6_len = sizeof(*sin6);
+			break;
+#endif
+		default:
+			error = EAFNOSUPPORT;
+		}
+		if (error == 0) {
+			switch (cmd) {
+#ifdef INET
+			case SIOCGIFPSRCADDR:
+				sin->sin_addr = saidx->src.sin.sin_addr;
+				break;
+			case SIOCGIFPDSTADDR:
+				sin->sin_addr = saidx->dst.sin.sin_addr;
+				break;
+#endif
+#ifdef INET6
+			case SIOCGIFPSRCADDR_IN6:
+				sin6->sin6_addr = saidx->src.sin6.sin6_addr;
+				break;
+			case SIOCGIFPDSTADDR_IN6:
+				sin6->sin6_addr = saidx->dst.sin6.sin6_addr;
+				break;
+#endif
+			}
+		}
+		IPSEC_RUNLOCK(sc);
+		if (error != 0)
+			break;
+		switch (cmd) {
+#ifdef INET
+		case SIOCGIFPSRCADDR:
+		case SIOCGIFPDSTADDR:
+			error = prison_if(curthread->td_ucred,
+			    (struct sockaddr *)sin);
+			if (error != 0)
+				memset(sin, 0, sizeof(*sin));
+			break;
+#endif
+#ifdef INET6
+		case SIOCGIFPSRCADDR_IN6:
+		case SIOCGIFPDSTADDR_IN6:
+			error = prison_if(curthread->td_ucred,
+			    (struct sockaddr *)sin6);
+			if (error == 0)
+				error = sa6_recoverscope(sin6);
+			if (error != 0)
+				memset(sin6, 0, sizeof(*sin6));
+#endif
+		}
+		break;
+	case SIOCGTUNFIB:
+		ifr->ifr_fib = sc->fibnum;
+		break;
+	case SIOCSTUNFIB:
+		if ((error = priv_check(curthread, PRIV_NET_SETIFFIB)) != 0)
+			break;
+		if (ifr->ifr_fib >= rt_numfibs)
+			error = EINVAL;
+		else
+			sc->fibnum = ifr->ifr_fib;
+		break;
+	case IPSECGREQID:
+		reqid = sc->reqid;
+		error = copyout(&reqid, ifr->ifr_data, sizeof(reqid));
+		break;
+	case IPSECSREQID:
+		if ((error = priv_check(curthread, PRIV_NET_SETIFCAP)) != 0)
+			break;
+		error = copyin(ifr->ifr_data, &reqid, sizeof(reqid));
+		if (error != 0)
+			break;
+		error = ipsec_set_reqid(ifp, reqid);
+		break;
+	default:
+		error = EINVAL;
+		break;
+	}
+bad:
+	sx_xunlock(&ipsec_ioctl_sx);
+	return (error);
+}
+
+/*
+ * Allocate new private security policies for tunneling interface.
+ * Each tunneling interface has following security policies for
+ * both AF:
+ *   0.0.0.0/0[any] 0.0.0.0/0[any] -P in \
+ *	ipsec esp/tunnel/RemoteIP-LocalIP/unique:reqid
+ *   0.0.0.0/0[any] 0.0.0.0/0[any] -P out \
+ *	ipsec esp/tunnel/LocalIP-RemoteIP/unique:reqid
+ */
+static int
+ipsec_newpolicies(struct ipsec_softc *sc, struct secpolicy *sp[IPSEC_SPCOUNT],
+    const struct sockaddr *src, const struct sockaddr *dst, uint32_t reqid)
+{
+	struct ipsecrequest *isr;
+	int i;
+
+	memset(sp, 0, sizeof(struct secpolicy *) * IPSEC_SPCOUNT);
+	for (i = 0; i < IPSEC_SPCOUNT; i++) {
+		if ((sp[i] = key_newsp()) == NULL)
+			goto fail;
+		if ((isr = ipsec_newisr()) == NULL)
+			goto fail;
+
+		sp[i]->policy = IPSEC_POLICY_IPSEC;
+		sp[i]->state = IPSEC_SPSTATE_DEAD;
+		sp[i]->req[sp[i]->tcount++] = isr;
+		sp[i]->created = time_second;
+		/* Use priority field to store if_index */
+		sp[i]->priority = sc->ifp->if_index;
+		isr->level = IPSEC_LEVEL_UNIQUE;
+		isr->saidx.proto = IPPROTO_ESP;
+		isr->saidx.mode = IPSEC_MODE_TUNNEL;
+		isr->saidx.reqid = reqid;
+		if (i % 2 == 0) {
+			sp[i]->spidx.dir = IPSEC_DIR_INBOUND;
+			bcopy(src, &isr->saidx.dst, src->sa_len);
+			bcopy(dst, &isr->saidx.src, dst->sa_len);
+		} else {
+			sp[i]->spidx.dir = IPSEC_DIR_OUTBOUND;
+			bcopy(src, &isr->saidx.src, src->sa_len);
+			bcopy(dst, &isr->saidx.dst, dst->sa_len);
+		}
+		sp[i]->spidx.ul_proto = IPSEC_ULPROTO_ANY;
+#ifdef INET
+		if (i < 2) {
+			sp[i]->spidx.src.sa.sa_family =
+			    sp[i]->spidx.dst.sa.sa_family = AF_INET;
+			sp[i]->spidx.src.sa.sa_len =
+			    sp[i]->spidx.dst.sa.sa_len =
+			    sizeof(struct sockaddr_in);
+			continue;
+		}
+#endif
+#ifdef INET6
+		sp[i]->spidx.src.sa.sa_family =
+		    sp[i]->spidx.dst.sa.sa_family = AF_INET6;
+		sp[i]->spidx.src.sa.sa_len =
+		    sp[i]->spidx.dst.sa.sa_len = sizeof(struct sockaddr_in6);
+#endif
+	}
+	return (0);
+fail:
+	for (i = 0; i < IPSEC_SPCOUNT; i++)
+		key_freesp(&sp[i]);
+	return (ENOMEM);
+}
+
+static int
+ipsec_check_reqid(uint32_t reqid)
+{
+	struct ipsec_softc *sc;
+
+	IPSEC_SC_RLOCK_ASSERT();
+	LIST_FOREACH(sc, &V_ipsec_sc_list, chain) {
+		if (sc->reqid == reqid)
+			return (EEXIST);
+	}
+	return (0);
+}
+
+/*
+ * We use key_newreqid() to automatically obtain unique reqid.
+ * Then we check that given id is unique, i.e. it is not used by
+ * another if_ipsec(4) interface. This macro limits the number of
+ * tries to get unique id.
+ */
+#define	IPSEC_REQID_TRYCNT	64
+static int
+ipsec_init_reqid(struct ipsec_softc *sc)
+{
+	uint32_t reqid;
+	int trycount;
+
+	IPSEC_SC_RLOCK_ASSERT();
+
+	if (sc->reqid != 0) /* already initialized */
+		return (0);
+
+	trycount = IPSEC_REQID_TRYCNT;
+	while (--trycount > 0) {
+		reqid = key_newreqid();
+		if (ipsec_check_reqid(reqid) == 0)
+			break;
+	}
+	if (trycount == 0)
+		return (EEXIST);
+	sc->reqid = reqid;
+	return (0);
+}
+
+/*
+ * Set or update reqid for given tunneling interface.
+ * When specified reqid is zero, generate new one.
+ * We are protected by ioctl_sx lock from concurrent id generation.
+ * Also softc would not disappear while we hold ioctl_sx lock.
+ */
+static int
+ipsec_set_reqid(struct ifnet *ifp, uint32_t reqid)
+{
+	IPSEC_SC_RLOCK_TRACKER;
+	struct ipsec_softc *sc;
+	struct secasindex *saidx;
+
+	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
+
+	sc = ifp->if_softc;
+	if (sc->reqid == reqid && reqid != 0)
+		return (0);
+
+	IPSEC_SC_RLOCK();
+	if (reqid != 0) {
+		/* Check that specified reqid doesn't exist */
+		if (ipsec_check_reqid(reqid) != 0) {
+			IPSEC_SC_RUNLOCK();
+			return (EEXIST);
+		}
+		sc->reqid = reqid;
+	} else {
+		/* Generate new reqid */
+		if (ipsec_init_reqid(sc) != 0) {
+			IPSEC_SC_RUNLOCK();
+			return (EEXIST);
+		}
+	}
+	IPSEC_SC_RUNLOCK();
+
+	/* Tunnel isn't fully configured, just return. */
+	if (sc->family == 0)
+		return (0);
+
+	saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND, sc->family);
+	KASSERT(saidx != NULL,
+	    ("saidx is NULL, but family is %d", sc->family));
+	return (ipsec_set_tunnel(sc, &saidx->src.sa, &saidx->dst.sa,
+	    sc->reqid));
+}
+
+/*
+ * Set tunnel endpoints addresses.
+ */
+static int
+ipsec_set_addresses(struct ifnet *ifp, struct sockaddr *src,
+    struct sockaddr *dst)
+{
+	IPSEC_SC_RLOCK_TRACKER;
+	struct ipsec_softc *sc, *tsc;
+	struct secasindex *saidx;
+
+	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
+
+	sc = ifp->if_softc;
+	if (sc->family != 0) {
+		saidx = ipsec_getsaidx(sc, IPSEC_DIR_OUTBOUND,
+		    src->sa_family);
+		if (saidx != NULL && saidx->reqid == sc->reqid &&
+		    key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
+		    key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0)
+			return (0); /* Nothing has been changed. */
+
+	}
+	/*
+	 * We cannot service IPsec tunnel when source address is
+	 * not our own.
+	 */
+#ifdef INET
+	if (src->sa_family == AF_INET &&
+	    in_localip(satosin(src)->sin_addr) == 0)
+		return (EADDRNOTAVAIL);
+#endif
+#ifdef INET6
+	/*
+	 * NOTE: IPv6 addresses are in kernel internal form with
+	 * embedded scope zone id.
+	 */
+	if (src->sa_family == AF_INET6 &&
+	    in6_localip(&satosin6(src)->sin6_addr) == 0)
+		return (EADDRNOTAVAIL);
+#endif
+	/* Check that given addresses aren't already configured */
+	IPSEC_SC_RLOCK();
+	LIST_FOREACH(tsc, &V_ipsec_sc_list, chain) {
+		if (tsc == sc || tsc->family != src->sa_family)
+			continue;
+		saidx = ipsec_getsaidx(tsc, IPSEC_DIR_OUTBOUND, tsc->family);
+		if (key_sockaddrcmp(&saidx->src.sa, src, 0) == 0 &&
+		    key_sockaddrcmp(&saidx->dst.sa, dst, 0) == 0) {
+			/* We already have tunnel with such addresses */
+			IPSEC_SC_RUNLOCK();
+			return (EADDRNOTAVAIL);
+		}
+	}
+	/* If reqid is not set, generate new one. */
+	if (ipsec_init_reqid(sc) != 0) {
+		IPSEC_SC_RUNLOCK();
+		return (EEXIST);
+	}
+	IPSEC_SC_RUNLOCK();
+	return (ipsec_set_tunnel(sc, src, dst, sc->reqid));
+}
+
+static int
+ipsec_set_tunnel(struct ipsec_softc *sc, struct sockaddr *src,
+    struct sockaddr *dst, uint32_t reqid)
+{
+	struct secpolicy *sp[IPSEC_SPCOUNT];
+	struct secpolicy *oldsp[IPSEC_SPCOUNT];
+	int i, f;
+
+	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
+
+	/* Allocate SP with new addresses. */
+	if (ipsec_newpolicies(sc, sp, src, dst, reqid) == 0) {
+		/* Add new policies to SPDB */
+		if (key_register_ifnet(sp, IPSEC_SPCOUNT) != 0) {
+			for (i = 0; i < IPSEC_SPCOUNT; i++)
+				key_freesp(&sp[i]);
+			return (EAGAIN);
+		}
+		IPSEC_SC_WLOCK();
+		if ((f = sc->family) != 0)
+			LIST_REMOVE(sc, hash);
+		IPSEC_WLOCK(sc);
+		for (i = 0; i < IPSEC_SPCOUNT; i++) {
+			oldsp[i] = sc->sp[i];
+			sc->sp[i] = sp[i];
+		}
+		sc->family = src->sa_family;
+		IPSEC_WUNLOCK(sc);
+		LIST_INSERT_HEAD(SCHASH_HASH(sc->reqid), sc, hash);
+		IPSEC_SC_WUNLOCK();
+	} else {
+		sc->ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+		return (ENOMEM);
+	}
+
+	sc->ifp->if_drv_flags |= IFF_DRV_RUNNING;
+	if (f != 0) {
+		key_unregister_ifnet(oldsp, IPSEC_SPCOUNT);
+		for (i = 0; i < IPSEC_SPCOUNT; i++)
+			key_freesp(&oldsp[i]);
+	}
+	return (0);
+}
+
+static void
+ipsec_delete_tunnel(struct ifnet *ifp, int locked)
+{
+	struct ipsec_softc *sc = ifp->if_softc;
+	struct secpolicy *oldsp[IPSEC_SPCOUNT];
+	int i;
+
+	sx_assert(&ipsec_ioctl_sx, SA_XLOCKED);
+
+	ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+	if (sc->family != 0) {
+		if (!locked)
+			IPSEC_SC_WLOCK();
+		/* Remove from hash table */
+		LIST_REMOVE(sc, hash);
+		IPSEC_WLOCK(sc);
+		for (i = 0; i < IPSEC_SPCOUNT; i++) {
+			oldsp[i] = sc->sp[i];
+			sc->sp[i] = NULL;
+		}
+		sc->family = 0;
+		IPSEC_WUNLOCK(sc);
+		if (!locked)
+			IPSEC_SC_WUNLOCK();
+		key_unregister_ifnet(oldsp, IPSEC_SPCOUNT);
+		for (i = 0; i < IPSEC_SPCOUNT; i++)
+			key_freesp(&oldsp[i]);
+	}
+}
diff --git a/freebsd/sys/net/if_ipsec.h b/freebsd/sys/net/if_ipsec.h
new file mode 100644
index 00000000..e7c8e7b8
--- /dev/null
+++ b/freebsd/sys/net/if_ipsec.h
@@ -0,0 +1,39 @@
+/*-
+ * Copyright (c) 2016 Yandex LLC
+ * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#ifndef _NET_IF_IPSEC_H_
+#define _NET_IF_IPSEC_H_
+
+#define	IPSEC_MTU		1400
+#define	IPSEC_MTU_MIN		1280
+#define	IPSEC_MTU_MAX		8192
+#define	IPSECGREQID		_IOWR('i', 160, struct ifreq)
+#define	IPSECSREQID		_IOW('i', 161, struct ifreq)
+
+#endif /* _NET_IF_IPSEC_H_ */