1 files changed, 375 insertions, 0 deletions
diff --git a/freebsd/sys/net/if_enc.c b/freebsd/sys/net/if_enc.c
new file mode 100644
index 00000000..6bbb6ceb
--- /dev/null
+++ b/freebsd/sys/net/if_enc.c
@@ -0,0 +1,375 @@
+#include <freebsd/machine/rtems-bsd-config.h>
+
+/*-
+ * Copyright (c) 2006 The FreeBSD Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#include <freebsd/sys/param.h>
+#include <freebsd/sys/systm.h>
+#include <freebsd/sys/kernel.h>
+#include <freebsd/sys/malloc.h>
+#include <freebsd/sys/mbuf.h>
+#include <freebsd/sys/module.h>
+#include <freebsd/machine/bus.h>
+#include <freebsd/sys/rman.h>
+#include <freebsd/sys/socket.h>
+#include <freebsd/sys/sockio.h>
+#include <freebsd/sys/sysctl.h>
+
+#include <freebsd/net/if.h>
+#include <freebsd/net/if_clone.h>
+#include <freebsd/net/if_types.h>
+#include <freebsd/net/pfil.h>
+#include <freebsd/net/route.h>
+#include <freebsd/net/netisr.h>
+#include <freebsd/net/bpf.h>
+#include <freebsd/net/vnet.h>
+
+#include <freebsd/netinet/in.h>
+#include <freebsd/netinet/in_systm.h>
+#include <freebsd/netinet/ip.h>
+#include <freebsd/netinet/ip_var.h>
+#include <freebsd/netinet/in_var.h>
+#include <freebsd/local/opt_inet6.h>
+
+#ifdef INET6
+#include <freebsd/netinet/ip6.h>
+#include <freebsd/netinet6/ip6_var.h>
+#endif
+
+#include <freebsd/local/opt_enc.h>
+#include <freebsd/netipsec/ipsec.h>
+#include <freebsd/netipsec/xform.h>
+
+#define ENCMTU		(1024+512)
+
+/* XXX this define must have the same value as in OpenBSD */
+#define M_CONF		0x0400	/* payload was encrypted (ESP-transport) */
+#define M_AUTH		0x0800	/* payload was authenticated (AH or ESP auth) */
+#define M_AUTH_AH	0x2000	/* header was authenticated (AH) */
+
+struct enchdr {
+	u_int32_t af;
+	u_int32_t spi;
+	u_int32_t flags;
+};
+
+struct ifnet	*encif;
+static struct mtx	enc_mtx;
+
+struct enc_softc {
+	struct	ifnet *sc_ifp;
+};
+
+static int	enc_ioctl(struct ifnet *, u_long, caddr_t);
+static int	enc_output(struct ifnet *ifp, struct mbuf *m,
+		    struct sockaddr *dst, struct route *ro);
+static int	enc_clone_create(struct if_clone *, int, caddr_t);
+static void	enc_clone_destroy(struct ifnet *);
+
+IFC_SIMPLE_DECLARE(enc, 1);
+
+/*
+ * Sysctls.
+ */
+
+/*
+ * Before and after are relative to when we are stripping the
+ * outer IP header.
+ */
+SYSCTL_NODE(_net, OID_AUTO, enc, CTLFLAG_RW, 0, "enc sysctl");
+
+SYSCTL_NODE(_net_enc, OID_AUTO, in, CTLFLAG_RW, 0, "enc input sysctl");
+static int ipsec_filter_mask_in = ENC_BEFORE;
+SYSCTL_XINT(_net_enc_in, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
+	&ipsec_filter_mask_in, 0, "IPsec input firewall filter mask");
+static int ipsec_bpf_mask_in = ENC_BEFORE;
+SYSCTL_XINT(_net_enc_in, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
+	&ipsec_bpf_mask_in, 0, "IPsec input bpf mask");
+
+SYSCTL_NODE(_net_enc, OID_AUTO, out, CTLFLAG_RW, 0, "enc output sysctl");
+static int ipsec_filter_mask_out = ENC_BEFORE;
+SYSCTL_XINT(_net_enc_out, OID_AUTO, ipsec_filter_mask, CTLFLAG_RW,
+	&ipsec_filter_mask_out, 0, "IPsec output firewall filter mask");
+static int ipsec_bpf_mask_out = ENC_BEFORE|ENC_AFTER;
+SYSCTL_XINT(_net_enc_out, OID_AUTO, ipsec_bpf_mask, CTLFLAG_RW,
+	&ipsec_bpf_mask_out, 0, "IPsec output bpf mask");
+
+static void
+enc_clone_destroy(struct ifnet *ifp)
+{
+	KASSERT(ifp != encif, ("%s: destroying encif", __func__));
+
+	bpfdetach(ifp);
+	if_detach(ifp);
+	if_free(ifp);
+}
+
+static int
+enc_clone_create(struct if_clone *ifc, int unit, caddr_t params)
+{
+	struct ifnet *ifp;
+	struct enc_softc *sc;
+
+	sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO);
+	ifp = sc->sc_ifp = if_alloc(IFT_ENC);
+	if (ifp == NULL) {
+		free(sc, M_DEVBUF);
+		return (ENOSPC);
+	}
+
+	if_initname(ifp, ifc->ifc_name, unit);
+	ifp->if_mtu = ENCMTU;
+	ifp->if_ioctl = enc_ioctl;
+	ifp->if_output = enc_output;
+	ifp->if_snd.ifq_maxlen = ifqmaxlen;
+	ifp->if_softc = sc;
+	if_attach(ifp);
+	bpfattach(ifp, DLT_ENC, sizeof(struct enchdr));
+
+	mtx_lock(&enc_mtx);
+	/* grab a pointer to enc0, ignore the rest */
+	if (encif == NULL)
+		encif = ifp;
+	mtx_unlock(&enc_mtx);
+
+	return (0);
+}
+
+static int
+enc_modevent(module_t mod, int type, void *data)
+{
+	switch (type) {
+	case MOD_LOAD:
+		mtx_init(&enc_mtx, "enc mtx", NULL, MTX_DEF);
+		if_clone_attach(&enc_cloner);
+		break;
+	case MOD_UNLOAD:
+		printf("enc module unload - not possible for this module\n");
+		return (EINVAL);
+	default:
+		return (EOPNOTSUPP);
+	}
+	return (0);
+}
+
+static moduledata_t enc_mod = {
+	"enc",
+	enc_modevent,
+	0
+};
+
+DECLARE_MODULE(enc, enc_mod, SI_SUB_PROTO_IFATTACHDOMAIN, SI_ORDER_ANY);
+
+static int
+enc_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst,
+    struct route *ro)
+{
+	m_freem(m);
+	return (0);
+}
+
+/*
+ * Process an ioctl request.
+ */
+/* ARGSUSED */
+static int
+enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
+{
+	int error = 0;
+
+	mtx_lock(&enc_mtx);
+
+	switch (cmd) {
+
+	case SIOCSIFFLAGS:
+		if (ifp->if_flags & IFF_UP)
+			ifp->if_drv_flags |= IFF_DRV_RUNNING;
+		else
+			ifp->if_drv_flags &= ~IFF_DRV_RUNNING;
+
+		break;
+
+	default:
+		error = EINVAL;
+	}
+
+	mtx_unlock(&enc_mtx);
+	return (error);
+}
+
+int
+ipsec_filter(struct mbuf **mp, int dir, int flags)
+{
+	int error, i;
+	struct ip *ip;
+
+	KASSERT(encif != NULL, ("%s: encif is null", __func__));
+	KASSERT(flags & (ENC_IN|ENC_OUT),
+		("%s: invalid flags: %04x", __func__, flags));
+
+	if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
+		return (0);
+
+	if (flags & ENC_IN) {
+		if ((flags & ipsec_filter_mask_in) == 0)
+			return (0);
+	} else {
+		if ((flags & ipsec_filter_mask_out) == 0)
+			return (0);
+	}
+
+	/* Skip pfil(9) if no filters are loaded */
+	if (!(PFIL_HOOKED(&V_inet_pfil_hook)
+#ifdef INET6
+	    || PFIL_HOOKED(&V_inet6_pfil_hook)
+#endif
+	    )) {
+		return (0);
+	}
+
+	i = min((*mp)->m_pkthdr.len, max_protohdr);
+	if ((*mp)->m_len < i) {
+		*mp = m_pullup(*mp, i);
+		if (*mp == NULL) {
+			printf("%s: m_pullup failed\n", __func__);
+			return (-1);
+		}
+	}
+
+	error = 0;
+	ip = mtod(*mp, struct ip *);
+	switch (ip->ip_v) {
+		case 4:
+			/*
+			 * before calling the firewall, swap fields the same as
+			 * IP does. here we assume the header is contiguous
+			 */
+			ip->ip_len = ntohs(ip->ip_len);
+			ip->ip_off = ntohs(ip->ip_off);
+
+			error = pfil_run_hooks(&V_inet_pfil_hook, mp,
+			    encif, dir, NULL);
+
+			if (*mp == NULL || error != 0)
+				break;
+
+			/* restore byte ordering */
+			ip = mtod(*mp, struct ip *);
+			ip->ip_len = htons(ip->ip_len);
+			ip->ip_off = htons(ip->ip_off);
+			break;
+
+#ifdef INET6
+		case 6:
+			error = pfil_run_hooks(&V_inet6_pfil_hook, mp,
+			    encif, dir, NULL);
+			break;
+#endif
+		default:
+			printf("%s: unknown IP version\n", __func__);
+	}
+
+	/*
+	 * If the mbuf was consumed by the filter for requeueing (dummynet, etc)
+	 * then error will be zero but we still want to return an error to our
+	 * caller so the null mbuf isn't forwarded further.
+	 */
+	if (*mp == NULL && error == 0)
+		return (-1);	/* Consumed by the filter */
+	if (*mp == NULL)
+		return (error);
+	if (error != 0)
+		goto bad;
+
+	return (error);
+
+bad:
+	m_freem(*mp);
+	*mp = NULL;
+	return (error);
+}
+
+void
+ipsec_bpf(struct mbuf *m, struct secasvar *sav, int af, int flags)
+{
+	int mflags;
+	struct enchdr hdr;
+
+	KASSERT(encif != NULL, ("%s: encif is null", __func__));
+	KASSERT(flags & (ENC_IN|ENC_OUT),
+		("%s: invalid flags: %04x", __func__, flags));
+
+	if ((encif->if_drv_flags & IFF_DRV_RUNNING) == 0)
+		return;
+
+	if (flags & ENC_IN) {
+		if ((flags & ipsec_bpf_mask_in) == 0)
+			return;
+	} else {
+		if ((flags & ipsec_bpf_mask_out) == 0)
+			return;
+	}
+
+	if (bpf_peers_present(encif->if_bpf)) {
+		mflags = 0;
+		hdr.spi = 0;
+		if (!sav) {
+			struct m_tag *mtag;
+			mtag = m_tag_find(m, PACKET_TAG_IPSEC_IN_DONE, NULL);
+			if (mtag != NULL) {
+				struct tdb_ident *tdbi;
+				tdbi = (struct tdb_ident *) (mtag + 1);
+				if (tdbi->alg_enc != SADB_EALG_NONE)
+					mflags |= M_CONF;
+				if (tdbi->alg_auth != SADB_AALG_NONE)
+					mflags |= M_AUTH;
+				hdr.spi = tdbi->spi;
+			}
+		} else {
+			if (sav->alg_enc != SADB_EALG_NONE)
+				mflags |= M_CONF;
+			if (sav->alg_auth != SADB_AALG_NONE)
+				mflags |= M_AUTH;
+			hdr.spi = sav->spi;
+		}
+
+		/*
+		 * We need to prepend the address family as a four byte
+		 * field.  Cons up a dummy header to pacify bpf.  This
+		 * is safe because bpf will only read from the mbuf
+		 * (i.e., it won't try to free it or keep a pointer a
+		 * to it).
+		 */
+		hdr.af = af;
+		/* hdr.spi already set above */
+		hdr.flags = mflags;
+
+		bpf_mtap2(encif->if_bpf, &hdr, sizeof(hdr), m);
+	}
+}