author | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-02-24 22:36:22 +0000 |
---|---|---|
committer | Angelos D. Keromytis <angelos@cvs.openbsd.org> | 1999-02-24 22:36:22 +0000 |
commit | c03c21660ef1b0eb01d3d461f2b03ceaf3a65e75 (patch) | |
tree | 90fd594f11a312eeacd003cd477bf0c4832abe5f | |
parent | 0532902b4468dd0077e53b22b3ccbf2f409ca26e (diff) |
Not used anymore.
-rw-r--r-- | sys/net/encap.c | 1155 | ||||
-rw-r--r-- | sys/net/encap.h | 357 |
2 files changed, 0 insertions, 1512 deletions
diff --git a/sys/net/encap.c b/sys/net/encap.c
deleted file mode 100644
index de226379869..00000000000
--- a/sys/net/encap.c
+++ /dev/null
@@ -1,1155 +0,0 @@
-/* $OpenBSD: encap.c,v 1.26 1999/01/11 22:52:49 angelos Exp $ */
-
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/systm.h>
-#include <sys/proc.h>
-#include <sys/mbuf.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/domain.h>
-#include <sys/protosw.h>
-#include <sys/ioctl.h>
-#include <vm/vm.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/raw_cb.h>
-#include <machine/stdarg.h>
-
-#ifdef INET
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/in_pcb.h>
-#endif
-
-#include <net/encap.h>
-#include <netinet/ip_ipsp.h>
-#include <netinet/ip_ip4.h>
-
-#include <sys/syslog.h>
-
-void encap_init(void);
-void encap_sendnotify(int, struct tdb *, void *);
-int encap_notify_sa(u_int32_t, struct in_addr, struct in_addr,
- u_int16_t, u_int16_t, u_int16_t, u_int16_t);
-int encap_enable_spi(u_int32_t, struct in_addr, struct in_addr, struct in_addr,
- struct in_addr, struct in_addr, u_int16_t, u_int16_t,
- u_int16_t, u_int16_t, u_int16_t);
-int encap_output __P((struct mbuf *, ...));
-int encap_usrreq(struct socket *, int, struct mbuf *, struct mbuf *,
- struct mbuf *);
-int encap_sysctl(int *, u_int, void *, size_t *, void *, size_t);
-
-extern int tdb_init(struct tdb *, struct mbuf *);
-
-extern struct domain encapdomain;
-
-extern struct inpcbtable tcbtable; /* Notify - XXX */
-extern struct inpcbtable udbtable; /* Notify - XXX */
-extern struct inpcbtable rawcbtable; /* Notify - XXX */
-
-struct sockaddr encap_dst = { 2, PF_ENCAP, };
-struct sockaddr encap_src = { 2, PF_ENCAP, };
-struct sockproto encap_proto = { PF_ENCAP, };
-
-struct protosw encapsw[] = {
- { SOCK_RAW, &encapdomain, 0, PR_ATOMIC|PR_ADDR,
- raw_input, encap_output, raw_ctlinput, 0,
- encap_usrreq,
- encap_init, 0, 0, 0,
- encap_sysctl
- },
-};
-
-struct domain encapdomain =
-{ AF_ENCAP, "encapsulation", 0, 0, 0,
- encapsw, &encapsw[sizeof(encapsw) / sizeof(encapsw[0])], 0,
- rn_inithead, 16, sizeof(struct sockaddr_encap)};
-
-/*
- * Sysctl for encap variables
- */
-int
-encap_sysctl(int *name, u_int namelen, void *oldp, size_t *oldplenp,
- void *newp, size_t newlen)
-{
- /* All sysctl names at this level are terminal */
- if (namelen != 1)
- return ENOTDIR;
-
- switch (name[0])
- {
- case ENCAPCTL_ENCDEBUG:
- return (sysctl_int(oldp, oldplenp, newp, newlen, &encdebug));
-
- default:
- return ENOPROTOOPT;
- }
- /* Not reached */
-}
-
-void
-encap_init()
-{
- struct xformsw *xsp;
-
- for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++)
- {
- /*log(LOG_INFO, "encap_init(): attaching <%s>\n", xsp->xf_name);*/
- (*(xsp->xf_attach))();
- }
-}
-
-/*ARGSUSED*/
-int
-encap_usrreq(register struct socket *so, int req, struct mbuf *m,
- struct mbuf *nam, struct mbuf *control)
-{
- register struct rawcb *rp = sotorawcb(so);
- register int error = 0;
- int s;
-
- if (req == PRU_ATTACH)
- {
- MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK);
- if (rp == (struct rawcb *) NULL)
- return ENOBUFS;
-
- if ((so->so_pcb = (caddr_t) rp))
- bzero(so->so_pcb, sizeof(*rp));
- }
-
- s = splnet();
- error = raw_usrreq(so, req, m, nam, control);
- rp = sotorawcb(so);
- if ((req == PRU_ATTACH) && rp)
- {
- /* int af = rp->rcb_proto.sp_protocol; */
-
- if (error)
- {
- free((caddr_t) rp, M_PCB);
- splx(s);
- return error;
- }
- rp->rcb_faddr = &encap_src;
- soisconnected(so);
- so->so_options |= SO_USELOOPBACK;
- }
- splx(s);
- return error;
-}
-
-int
-encap_notify_sa(u_int32_t spi, struct in_addr dst, struct in_addr src,
- u_int16_t sport, u_int16_t dport, u_int16_t protocol,
- u_int16_t sproto)
-{
- struct inpcbtable *table = NULL;
- struct inpcb *inp = NULL;
- struct in_addr altm, zeroin_addr;
- struct tdb *tdbp;
- struct flow *flow;
- int error = 0;
- u_int8_t secrequire;
-
- altm.s_addr = INADDR_BROADCAST;
-
- switch (protocol) {
- case IPPROTO_TCP:
- table = &tcbtable;
- break;
- case IPPROTO_UDP:
- table = &udbtable;
- break;
- default:
- break;
- }
-
- if (table != NULL) {
- /* Protocols with own inpcb tables */
- bzero((caddr_t)&zeroin_addr, sizeof(zeroin_addr));
- inp = in_pcblookup(table, &dst, dport, &zeroin_addr, sport,
- INPLOOKUP_WILDCARD);
- } else {
- /* RAW protocol - taken from raw_ip.c */
- /* XXX - we can have more than one inp sleeping here */
- for (inp = rawcbtable.inpt_queue.cqh_first;
- inp != (struct inpcb *)&rawcbtable.inpt_queue;
- inp = inp->inp_queue.cqe_next) {
- if (!inp->inp_socket ||
- inp->inp_socket->so_proto->pr_protocol != protocol)
- continue;
- if (inp->inp_faddr.s_addr &&
- inp->inp_faddr.s_addr != dst.s_addr)
- continue;
- if (inp->inp_secrequire != 0 &&
- inp->inp_secresult == SR_WAIT)
- break;
- }
- if (inp == (struct inpcb *)&rawcbtable.inpt_queue)
- inp = NULL;
- }
-
-#ifdef ENCDEBUG
- if (encdebug && inp != NULL)
- printf("encap: found inp for protocol %d\n", protocol);
-#endif /* ENCDEBUG */
-
- if (inp && inp->inp_secresult == SR_WAIT && inp->inp_secrequire != 0) {
- secrequire = inp->inp_secrequire;
- } else {
- /*
- * XXX - is this the right thing to do ?? We need to know if
- * IPSec is already in use.
- * This does only work for host-to-host
- */
- flow = find_global_flow(src, altm, dst, altm, 0,0,0);
- if (flow == (struct flow *)NULL)
- return (ENOENT);
-
- SPI_CHAIN_ATTRIB(secrequire, tdb_onext, flow->flow_sa);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: Existing flow (%0x) requires: %d\n",
- flow, secrequire);
-#endif /* ENCDEBUG */
- }
-
- if (spi == 0) {
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: key management failed\n");
-#endif
- if (inp != NULL) {
- inp->inp_secresult = SR_FAILED;
- wakeup(inp);
- }
- return (0);
- } else {
- u_int8_t sa_have;
-
- tdbp = gettdb(spi, dst, sproto);
- if (tdbp == NULL)
- return (ENOENT);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: found tdb\n");
-#endif /* ENCDEBUG */
-
- SPI_CHAIN_ATTRIB(sa_have, tdb_onext, tdbp);
-
- /* Requirements not met */
- if (secrequire & ~sa_have)
- return (EINVAL);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: tdb meets requirements\n");
-#endif /* ENCDEBUG */
-
- /*
- * This is a stupid hack, we do not support socketwise
- * keying at the moment, so we do it for the whole host
- */
- error = encap_enable_spi(spi, dst, src, altm, dst, altm,
- 0, 0, 0, sproto,
- ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL);
-
- if (!error) {
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: key management succeeded\n");
-#endif /* ENCDEBUG */
- if (inp != NULL) {
- inp->inp_secresult = SR_SUCCESS;
- wakeup(inp);
- }
- }
- }
-
- return (error);
-}
-
-int
-encap_enable_spi(u_int32_t spi, struct in_addr dst,
- struct in_addr isrc, struct in_addr ismask,
- struct in_addr idst, struct in_addr idmask,
- u_int16_t sport, u_int16_t dport,
- u_int16_t protocol, u_int16_t sproto,
- u_int16_t flags)
-{
- struct sockaddr_encap encapdst, encapgw, encapnetmask;
- struct flow *flow, *flow2, *flow3, *flow4;
- struct in_addr alts, altm;
- struct tdb *tdbp;
- int error = 0;
-
- tdbp = gettdb(spi, dst, sproto);
- if (tdbp == NULL)
- return (ENOENT);
-
- bzero((caddr_t) &encapdst, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapnetmask, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapgw, sizeof(struct sockaddr_encap));
-
- flow = flow2 = flow3 = flow4 = (struct flow *) NULL;
-
- /* Retrieve source and destination masks from routing entry */
- if (flags & ENABLE_FLAG_MODIFY) {
- struct route_enc re0, *re = &re0;
- struct sockaddr_encap *dest, *mask;
-
- bzero((caddr_t) re, sizeof(*re));
- dest = (struct sockaddr_encap *) &re->re_dst;
- dest->sen_family = AF_ENCAP;
- dest->sen_len = SENT_IP4_LEN;
- dest->sen_type = SENT_IP4;
- dest->sen_ip_src = tdbp->tdb_src;
- dest->sen_ip_dst = dst;
- dest->sen_proto = protocol;
- dest->sen_sport = sport;
- dest->sen_dport = dport;
- rtalloc((struct route *) re);
- if (re->re_rt == NULL)
- return (ENOENT);
-
- mask = (struct sockaddr_encap *) (rt_mask(re->re_rt));
- if (mask == NULL)
- return (ENOENT);
-
- ismask.s_addr = mask->sen_ip_src.s_addr;
- idmask.s_addr = mask->sen_ip_dst.s_addr;
-
- RTFREE(re->re_rt);
- }
-
- isrc.s_addr &= ismask.s_addr;
- idst.s_addr &= idmask.s_addr;
-
- flow3 = find_global_flow(isrc, ismask, idst, idmask,
- protocol, sport, dport);
- if ((flow3 != (struct flow *) NULL) && !(flags & ENABLE_FLAG_REPLACE))
- return (EEXIST);
-
- /* Check for 0.0.0.0/255.255.255.255 if the flow is local */
- if (flags & ENABLE_FLAG_LOCAL) {
- alts.s_addr = INADDR_ANY;
- altm.s_addr = INADDR_BROADCAST;
- flow4 = find_global_flow(alts, altm, idst, idmask,
- protocol, sport, dport);
- if (flow4 != (struct flow *) NULL) {
- if (!(flags & ENABLE_FLAG_REPLACE))
- return (EEXIST);
- else if (flow3 == flow4)
- return (EINVAL);
- }
- }
-
- flow = get_flow();
- if (flow == (struct flow *) NULL)
- return (ENOBUFS);
-
- flow->flow_src.s_addr = isrc.s_addr;
- flow->flow_dst.s_addr = idst.s_addr;
- flow->flow_srcmask.s_addr = ismask.s_addr;
- flow->flow_dstmask.s_addr = idmask.s_addr;
- flow->flow_proto = protocol;
- flow->flow_sport = sport;
- flow->flow_dport = dport;
-
- if (flags & ENABLE_FLAG_LOCAL) {
- flow2 = get_flow();
- if (flow2 == (struct flow *) NULL) {
- FREE(flow, M_TDB);
- return (ENOBUFS);
- }
-
- flow2->flow_src.s_addr = INADDR_ANY;
- flow2->flow_dst.s_addr = idst.s_addr;
- flow2->flow_srcmask.s_addr = INADDR_BROADCAST;
- flow2->flow_dstmask.s_addr = idmask.s_addr;
- flow2->flow_proto = protocol;
- flow2->flow_sport = sport;
- flow2->flow_dport = dport;
-
- put_flow(flow2, tdbp);
- }
-
- put_flow(flow, tdbp);
-
- /* Setup the encap fields */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
- encapdst.sen_proto = flow->flow_proto;
- encapdst.sen_sport = flow->flow_sport;
- encapdst.sen_dport = flow->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = tdbp->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = tdbp->tdb_spi;
- encapgw.sen_ipsp_sproto = tdbp->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
-
- if (flow->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* If this is set, delete any old route for this flow */
- if (flags & ENABLE_FLAG_REPLACE)
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- /* Add the entry in the routing table */
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- if (error) {
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow3->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow3->flow_dst.s_addr;
- encapdst.sen_proto = flow3->flow_proto;
- encapdst.sen_sport = flow3->flow_sport;
- encapdst.sen_dport = flow3->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = flow3->flow_sa->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = flow3->flow_sa->tdb_spi;
- encapgw.sen_ipsp_sproto = flow3->flow_sa->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow3->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow3->flow_dstmask.s_addr;
-
- if (flow3->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow3->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* Try to add the old entry back in */
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- delete_flow(flow, tdbp);
- if (flow2)
- delete_flow(flow2, tdbp);
- return (error);
- }
-
- /* If this is a "local" packet flow */
- if (flags & ENABLE_FLAG_LOCAL) {
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- if (flags & ENABLE_FLAG_REPLACE)
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- if (error) {
- /* Delete the first entry inserted */
- encapdst.sen_ip_src.s_addr = isrc.s_addr;
- encapnetmask.sen_ip_src.s_addr = ismask.s_addr;
-
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- /* Setup the old entries */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow3->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow3->flow_dst.s_addr;
- encapdst.sen_proto = flow3->flow_proto;
- encapdst.sen_sport = flow3->flow_sport;
- encapdst.sen_dport = flow3->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = flow3->flow_sa->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = flow3->flow_sa->tdb_spi;
- encapgw.sen_ipsp_sproto = flow3->flow_sa->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow3->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow3->flow_dstmask.s_addr;
-
- if (flow3->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow3->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- delete_flow(flow, tdbp);
- delete_flow(flow2, tdbp);
- return (error);
- }
- }
-
- /*
- * If we're here, it means we've successfully added the new
- * entries, so free the old ones.
- */
- if (flow3)
- delete_flow(flow3, flow3->flow_sa);
-
- if (flow4)
- delete_flow(flow4, flow4->flow_sa);
-
- return 0;
-}
-
-int
-#ifdef __STDC__
-encap_output(struct mbuf *m, ...)
-#else
-encap_output(m, va_alist)
-register struct mbuf *m;
-va_dcl
-#endif
-{
-#define SENDERR(e) do { error = e; goto flush;} while (0)
- struct sockaddr_encap encapdst, encapgw, encapnetmask;
- struct flow *flow, *flow2;
- int len, emlen, error = 0;
- struct in_addr alts, altm;
- struct encap_msghdr *emp;
- struct tdb *tdbp, *tdbp2;
- struct expiration *exp;
- caddr_t buffer = 0;
- struct socket *so;
- u_int32_t spi;
- va_list ap;
-
- va_start(ap, m);
- so = va_arg(ap, struct socket *);
- va_end(ap);
-
- if ((m == 0) || ((m->m_len < sizeof(int32_t)) &&
- (m = m_pullup(m, sizeof(int32_t))) == 0))
- return ENOBUFS;
-
- if ((m->m_flags & M_PKTHDR) == 0)
- SENDERR(EINVAL);
-
- len = m->m_pkthdr.len;
-
- emp = mtod(m, struct encap_msghdr *);
-
- emlen = emp->em_msglen;
- if (len < emlen)
- SENDERR(EINVAL);
-
- if (m->m_len < emlen)
- {
- MALLOC(buffer, caddr_t, emlen, M_TEMP, M_WAITOK);
- if (buffer == 0)
- SENDERR(ENOBUFS);
-
- m_copydata(m, 0, emlen, buffer);
-
- emp = (struct encap_msghdr *) buffer;
- }
-
- if (emp->em_version != PFENCAP_VERSION_1)
- SENDERR(EINVAL);
-
- bzero((caddr_t) &encapdst, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapnetmask, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapgw, sizeof(struct sockaddr_encap));
-
- switch (emp->em_type)
- {
- case EMT_SETSPI:
- if (emlen <= EMT_SETSPI_FLEN)
- SENDERR(EINVAL);
-
- /*
- * If only one of the two outter addresses is set, return
- * error.
- */
- if ((emp->em_osrc.s_addr != 0) ^
- (emp->em_odst.s_addr != 0))
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_spi, emp->em_dst, emp->em_sproto);
- if (tdbp == NULL)
- {
- MALLOC(tdbp, struct tdb *, sizeof(*tdbp), M_TDB, M_WAITOK);
- if (tdbp == NULL)
- SENDERR(ENOBUFS);
-
- bzero((caddr_t) tdbp, sizeof(*tdbp));
-
- tdbp->tdb_spi = emp->em_spi;
- tdbp->tdb_dst = emp->em_dst;
- tdbp->tdb_sproto = emp->em_sproto;
- puttdb(tdbp);
- }
- else
- {
- if (tdbp->tdb_xform)
- (*tdbp->tdb_xform->xf_zeroize)(tdbp);
-
- cleanup_expirations(tdbp->tdb_dst, tdbp->tdb_spi,
- tdbp->tdb_sproto);
- }
-
- tdbp->tdb_src = emp->em_src;
- tdbp->tdb_satype = emp->em_satype;
-
- /* Check if this is an encapsulating SPI */
- if (emp->em_osrc.s_addr != 0)
- {
- tdbp->tdb_flags |= TDBF_TUNNELING;
- tdbp->tdb_osrc = emp->em_osrc;
- tdbp->tdb_odst = emp->em_odst;
-
- /* TTL */
- switch (emp->em_ttl)
- {
- case IP4_DEFAULT_TTL:
- tdbp->tdb_ttl = 0;
- break;
-
- case IP4_SAME_TTL:
- tdbp->tdb_flags |= TDBF_SAME_TTL;
- break;
-
- default:
- /* Get just the least significant bits */
- tdbp->tdb_ttl = emp->em_ttl % 256;
- break;
- }
- }
-
- /* Clear the INVALID flag */
- tdbp->tdb_flags &= (~TDBF_INVALID);
-
- /* Various timers/counters */
- if (emp->em_first_use_hard != 0)
- {
- tdbp->tdb_exp_first_use = emp->em_first_use_hard;
- tdbp->tdb_flags |= TDBF_FIRSTUSE;
- }
-
- if (emp->em_first_use_soft != 0)
- {
- tdbp->tdb_soft_first_use = emp->em_first_use_soft;
- tdbp->tdb_flags |= TDBF_SOFT_FIRSTUSE;
- }
-
- if (emp->em_expire_hard != 0)
- {
- tdbp->tdb_exp_timeout = emp->em_expire_hard;
- tdbp->tdb_flags |= TDBF_TIMER;
-
- exp = get_expiration();
- if (exp == (struct expiration *) NULL)
- {
- tdb_delete(tdbp, 0);
- SENDERR(ENOBUFS);
- }
-
- exp->exp_dst.s_addr = tdbp->tdb_dst.s_addr;
- exp->exp_spi = tdbp->tdb_spi;
- exp->exp_sproto = tdbp->tdb_sproto;
- exp->exp_timeout = emp->em_expire_hard;
- put_expiration(exp);
- }
-
- if (emp->em_expire_soft != 0)
- {
- tdbp->tdb_soft_timeout = emp->em_expire_soft;
- tdbp->tdb_flags |= TDBF_SOFT_TIMER;
-
- if (tdbp->tdb_soft_timeout <= tdbp->tdb_exp_timeout)
- {
- exp = get_expiration();
- if (exp == (struct expiration *) NULL)
- {
- tdb_delete(tdbp, 0);
- SENDERR(ENOBUFS);
- }
-
- exp->exp_dst.s_addr = tdbp->tdb_dst.s_addr;
- exp->exp_spi = tdbp->tdb_spi;
- exp->exp_sproto = tdbp->tdb_sproto;
- exp->exp_timeout = emp->em_expire_soft;
- put_expiration(exp);
- }
- }
-
- if (emp->em_bytes_hard != 0)
- {
- tdbp->tdb_exp_bytes = emp->em_bytes_hard;
- tdbp->tdb_flags |= TDBF_BYTES;
- }
-
- if (emp->em_bytes_soft != 0)
- {
- tdbp->tdb_soft_bytes = emp->em_bytes_soft;
- tdbp->tdb_flags |= TDBF_SOFT_BYTES;
- }
-
- if (emp->em_packets_hard != 0)
- {
- tdbp->tdb_exp_packets = emp->em_packets_hard;
- tdbp->tdb_flags |= TDBF_PACKETS;
- }
-
- if (emp->em_packets_soft != 0)
- {
- tdbp->tdb_soft_packets = emp->em_packets_soft;
- tdbp->tdb_flags |= TDBF_SOFT_PACKETS;
- }
-
- error = tdb_init(tdbp, m);
- if (error)
- {
- tdb_delete(tdbp, 0);
- SENDERR(EINVAL);
- }
-
- break;
-
- case EMT_DELSPI:
- if (emlen != EMT_DELSPI_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- error = tdb_delete(tdbp, 0);
- if (error)
- SENDERR(EINVAL);
-
- break;
-
- case EMT_DELSPICHAIN:
- if (emlen != EMT_DELSPICHAIN_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- error = tdb_delete(tdbp, 1);
- if (error)
- SENDERR(EINVAL);
-
- break;
-
- case EMT_GRPSPIS:
- if (emlen != EMT_GRPSPIS_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_rel_spi, emp->em_rel_dst,
- emp->em_rel_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- tdbp2 = gettdb(emp->em_rel_spi2, emp->em_rel_dst2,
- emp->em_rel_sproto2);
- if (tdbp2 == NULL)
- SENDERR(ENOENT);
-
- tdbp->tdb_onext = tdbp2;
- tdbp2->tdb_inext = tdbp;
-
- error = 0;
-
- break;
-
- case EMT_RESERVESPI:
- if (emlen != EMT_RESERVESPI_FLEN)
- SENDERR(EINVAL);
-
- spi = reserve_spi(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto, &error);
- if (spi == 0)
- SENDERR(error);
-
- emp->em_gen_spi = spi;
-
- /* If we're using a buffer, copy the data back to an mbuf. */
- if (buffer)
- m_copyback(m, 0, emlen, buffer);
-
- /* Send it back to us */
- if (sbappendaddr(&so->so_rcv, &encap_src, m,
- (struct mbuf *) 0) == 0)
- SENDERR(ENOBUFS);
- else
- sorwakeup(so); /* wakeup */
-
- m = NULL; /* So it's not free'd */
- error = 0;
-
- break;
-
- case EMT_ENABLESPI:
- if (emlen != EMT_ENABLESPI_FLEN)
- SENDERR(EINVAL);
-
- error = encap_enable_spi(emp->em_ena_spi, emp->em_ena_dst,
- emp->em_ena_isrc, emp->em_ena_ismask,
- emp->em_ena_idst, emp->em_ena_idmask,
- emp->em_ena_sport, emp->em_ena_dport,
- emp->em_ena_protocol, emp->em_ena_sproto,
- emp->em_ena_flags);
-
- break;
-
- case EMT_DISABLESPI:
- if (emlen != EMT_DISABLESPI_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_ena_spi, emp->em_ena_dst,
- emp->em_ena_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- /* Retrieve source and destination masks from routing entry */
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- struct route_enc re0, *re = &re0;
- struct sockaddr_encap *dest, *mask;
-
- bzero((caddr_t) re, sizeof(*re));
- dest = (struct sockaddr_encap *) &re->re_dst;
- dest->sen_family = AF_ENCAP;
- dest->sen_len = SENT_IP4_LEN;
- dest->sen_type = SENT_IP4;
- dest->sen_ip_src = tdbp->tdb_src;
- dest->sen_ip_dst = emp->em_ena_dst;
- dest->sen_proto = emp->em_ena_protocol;
- dest->sen_sport = emp->em_ena_sport;
- dest->sen_dport = emp->em_ena_dport;
- rtalloc((struct route *) re);
- if (re->re_rt == NULL)
- return (ENOENT);
-
- mask = (struct sockaddr_encap *) (rt_mask(re->re_rt));
- if (mask == NULL)
- return (ENOENT);
-
- emp->em_ena_ismask.s_addr = mask->sen_ip_src.s_addr;
- emp->em_ena_idmask.s_addr = mask->sen_ip_dst.s_addr;
-
- RTFREE(re->re_rt);
- }
-
- emp->em_ena_isrc.s_addr &= emp->em_ena_ismask.s_addr;
- emp->em_ena_idst.s_addr &= emp->em_ena_idmask.s_addr;
-
- flow = find_flow(emp->em_ena_isrc, emp->em_ena_ismask,
- emp->em_ena_idst, emp->em_ena_idmask,
- emp->em_ena_protocol, emp->em_ena_sport,
- emp->em_ena_dport, tdbp);
- if (flow == (struct flow *) NULL)
- SENDERR(ENOENT);
-
- if (emp->em_ena_flags & ENABLE_FLAG_LOCAL)
- {
- alts.s_addr = INADDR_ANY;
- altm.s_addr = INADDR_BROADCAST;
-
- flow2 = find_flow(alts, altm, emp->em_ena_idst,
- emp->em_ena_idmask, emp->em_ena_protocol,
- emp->em_ena_sport, emp->em_ena_dport, tdbp);
- if (flow2 == (struct flow *) NULL)
- SENDERR(ENOENT);
-
- if (flow == flow2)
- SENDERR(EINVAL);
- }
-
- /* Setup the encap fields */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
- encapdst.sen_proto = flow->flow_proto;
- encapdst.sen_sport = flow->flow_sport;
- encapdst.sen_dport = flow->flow_dport;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
-
- if (flow->flow_proto)
- {
- encapnetmask.sen_proto = 0xff;
-
- if (flow->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* Delete the entry */
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = emp->em_ena_dst.s_addr;
- encapgw.sen_ipsp_spi = htonl(1);
- encapgw.sen_ipsp_sproto = IPPROTO_ESP;
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
- }
-
- if (emp->em_ena_flags & ENABLE_FLAG_LOCAL)
- {
-
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = emp->em_ena_dst.s_addr;
- encapgw.sen_ipsp_spi = htonl(1);
- encapgw.sen_ipsp_sproto = IPPROTO_ESP;
- error = rtrequest(RTM_ADD,
- (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
- }
- delete_flow(flow2, tdbp);
- }
-
- delete_flow(flow, tdbp);
-
- break;
-
- case EMT_REPLACESPI:
- if (emlen <= EMT_REPLACESPI_FLEN)
- SENDERR(EINVAL);
-
- /* XXX Not yet finished */
-
- SENDERR(EINVAL);
-
- break;
-
- case EMT_NOTIFY:
- if (emlen < EMT_NOTIFY_FLEN)
- SENDERR(EINVAL);
-
- if (emp->em_not_type != NOTIFY_REQUEST_SA)
- SENDERR(EINVAL);
-
- error = encap_notify_sa(emp->em_not_spi,
- emp->em_not_dst, emp->em_not_src,
- emp->em_not_sport, emp->em_not_dport,
- emp->em_not_protocol, emp->em_not_sproto);
-
- break;
-
- default:
- SENDERR(EINVAL);
- }
-
-flush:
- if (m)
- m_freem(m);
-
- if (buffer)
- free(buffer, M_TEMP);
-
- return error;
-}
-
-void
-encap_sendnotify(int subtype, struct tdb *tdbp, void *data)
-{
- struct encap_msghdr em;
- struct mbuf *m;
-
- bzero(&em, sizeof(struct encap_msghdr));
-
- em.em_msglen = EMT_NOTIFY_FLEN;
- em.em_version = PFENCAP_VERSION_1;
- em.em_type = EMT_NOTIFY;
-
- notify_msgids++;
-
- switch (subtype)
- {
- case NOTIFY_SOFT_EXPIRE:
- case NOTIFY_HARD_EXPIRE:
- em.em_not_spi = tdbp->tdb_spi;
- em.em_not_sproto = tdbp->tdb_sproto;
- em.em_not_dst.s_addr = tdbp->tdb_dst.s_addr;
- em.em_not_type = subtype;
- em.em_not_satype = tdbp->tdb_satype;
- break;
-
- case NOTIFY_REQUEST_SA:
- em.em_not_dst.s_addr = tdbp->tdb_dst.s_addr;
-#ifdef INET
- if (data != NULL) {
- struct inpcb *inp = (struct inpcb *) data;
- struct socket *so = inp->inp_socket;
- em.em_not_dport = inp->inp_fport;
- em.em_not_sport = inp->inp_lport;
- if (so != 0)
- em.em_not_protocol = so->so_proto->pr_protocol;
- }
-#endif
- em.em_not_type = subtype;
- em.em_not_satype = tdbp->tdb_satype;
- break;
-
- default:
-#ifdef ENCDEBUG
- if (encdebug)
- log(LOG_WARNING, "encap_sendnotify(): unknown subtype %d\n", subtype);
-#endif /* ENCDEBUG */
- return;
- }
-
- m = m_gethdr(M_DONTWAIT, MT_DATA);
- if (m == NULL)
- {
- if (encdebug)
- log(LOG_ERR, "encap_sendnotify(): m_gethdr() returned NULL\n");
- return;
- }
-
- m->m_len = min(MHLEN, em.em_msglen);
- m_copyback(m, 0, em.em_msglen, (caddr_t) &em);
- raw_input(m, &encap_proto, &encap_src, &encap_dst);
-
- return;
-}
-
-struct ifaddr *
-encap_findgwifa(struct sockaddr *gw)
-{
- return enc_softc.if_addrlist.tqh_first;
-}
diff --git a/sys/net/encap.h b/sys/net/encap.h
deleted file mode 100644
index 23ac0370b7a..00000000000
--- a/sys/net/encap.h
+++ /dev/null
@@ -1,357 +0,0 @@ -/* $OpenBSD: encap.h,v 1.13 1998/05/24 14:13:59 provos Exp $ */ - -/* - * The authors of this code are John Ioannidis (ji@tla.org), - * Angelos D. Keromytis (kermit@csd.uch.gr) and - * Niels Provos (provos@physnet.uni-hamburg.de). - * - * This code was written by John Ioannidis for BSD/OS in Athens, Greece, - * in November 1995. - * - * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996, - * by Angelos D. Keromytis. - * - * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis - * and Niels Provos. - * - * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis - * and Niels Provos. - * - * Permission to use, copy, and modify this software without fee - * is hereby granted, provided that this entire notice is included in - * all copies of any software which is or includes a copy or - * modification of this software. - * You may use this code under the GNU public license if you so wish. Please - * contribute changes back to the authors under this freer than GPL license - * so that we may further the use of strong encryption without limitations to - * all. - * - * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY - * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE - * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR - * PURPOSE. - */ - -/* - * encap.h - * - * Declarations useful in the encapsulation code. - */ - -/* Sysctl definitions */ - -#define ENCAPCTL_ENCDEBUG 1 -#define ENCAPCTL_MAXID 2 - -#define ENCAPCTL_NAMES {\ - { 0, 0 }, \ - { "encdebug", CTLTYPE_INT }, \ -} - -/* - * Definitions for encapsulation-related phenomena. - * - * A lot of encapsulation protocols (ipip, swipe, ip_encap, ipsp, etc.) - * select their tunnel based on the destination (and sometimes the source) - * of the packet. 
The encap address/protocol family provides a generic - * mechanism for specifying tunnels. - */ - -/* - * A tunnel is characterized by which source/destination address pairs - * (with netmasks) it is valid for (the "destination" as far as the - * routing code is concerned), and what the source (local) and destination - * (remote) endpoints of the tunnel, and the SPI, should be (the "gateway" - * as far as the routing code is concerned. - */ - -struct sockaddr_encap -{ - u_int8_t sen_len; /* length */ - u_int8_t sen_family; /* AF_ENCAP */ - u_int16_t sen_type; /* see SENT_* */ - union - { - u_int8_t Data[16]; /* other stuff mapped here */ - - struct /* SENT_IP4 */ - { - struct in_addr Src; - struct in_addr Dst; - u_int16_t Sport; - u_int16_t Dport; - u_int8_t Proto; - u_int8_t Filler[3]; - } Sip4; - - struct /* SENT_IPSP */ - { - struct in_addr Dst; - u_int32_t Spi; - u_int8_t Sproto; - u_int8_t Filler[7]; - } Sipsp; - } Sen; -}; - -#define PFENCAP_VERSION_0 0 -#define PFENCAP_VERSION_1 1 - -#define sen_data Sen.Data -#define sen_ip_src Sen.Sip4.Src -#define sen_ip_dst Sen.Sip4.Dst -#define sen_proto Sen.Sip4.Proto -#define sen_sport Sen.Sip4.Sport -#define sen_dport Sen.Sip4.Dport -#define sen_ipsp_dst Sen.Sipsp.Dst -#define sen_ipsp_spi Sen.Sipsp.Spi -#define sen_ipsp_sproto Sen.Sipsp.Sproto - -/* - * The "type" is really part of the address as far as the routing - * system is concerned. By using only one bit in the type field - * for each type, we sort-of make sure that different types of - * encapsulation addresses won't be matched against the wrong type. 
- * - */ - -#define SENT_IP4 0x0001 /* data is two struct in_addr */ -#define SENT_IPSP 0x0002 /* data as in IP4 plus SPI */ - -/* - * SENT_HDRLEN is the length of the "header" - * SENT_*_LEN are the lengths of various forms of sen_data - * SENT_*_OFF are the offsets in the sen_data array of various fields - */ - -#define SENT_HDRLEN (2 * sizeof(u_int8_t) + sizeof(u_int16_t)) - -#define SENT_IP4_SRCOFF (0) -#define SENT_IP4_DSTOFF (sizeof (struct in_addr)) - -#define SENT_IP4_LEN 20 -#define SENT_IPSP_LEN 20 - -/* - * For encapsulation routes are possible not only for the destination - * address but also for the protocol, source and destination ports - * if available - */ - -struct route_enc { - struct rtentry *re_rt; - struct sockaddr_encap re_dst; -}; - -/* - * Tunnel descriptors are setup and torn down using a socket of the - * AF_ENCAP domain. The following defines the messages that can - * be sent down that socket. - */ -struct encap_msghdr -{ - u_int16_t em_msglen; /* message length */ - u_int8_t em_version; /* for future expansion */ - u_int8_t em_type; /* message type */ - u_int32_t foo; /* Alignment to 64 bit */ - union - { - /* - * This is used to set/change the attributes of an SPI. If oSrc and - * oDst are set to non-zero values, the SPI will also do IP-in-IP - * encapsulation (tunneling). If only one of them is set, an error - * is returned. Both zero implies transport mode. - */ - struct - { - u_int32_t Spi; /* SPI */ - int32_t Alg; /* Algorithm to use */ - struct in_addr Dst; /* Destination address */ - struct in_addr Src; /* This is used to set our source - * address when the outgoing packet - * does not have a source address - * (is zero). 
*/ - struct in_addr oSrc; /* Outter header source address */ - struct in_addr oDst; /* Same, for destination address */ - u_int64_t First_Use_Hard; /* Expire relative to first use */ - u_int64_t First_Use_Soft; - u_int64_t Expire_Hard; /* Expire at fixed point in time */ - u_int64_t Expire_Soft; - u_int64_t Bytes_Hard; /* Expire after bytes recved/sent */ - u_int64_t Bytes_Soft; - u_int64_t Packets_Hard; /* Expire after packets recved/sent */ - u_int64_t Packets_Soft; - int32_t TTL; /* When tunneling, what TTL to use. - * If set to IP4_SAME_TTL, the ttl - * from the encapsulated packet will - * be copied. If set to IP4_DEFAULT_TTL, - * the system default TTL will be used. - * If set to anything else, then the - * ttl used will be TTL % 256 */ - u_int16_t Satype; - u_int8_t Sproto; /* ESP or AH */ - u_int8_t Foo; /* Alignment */ - u_int8_t Dat[1]; /* Data */ - } Xfm; - - /* - * For expiration notifications, the kernel fills in - * Notification_Type, Spi, Dst and Sproto, Src and Satype. - * No direct response is expected. - * - * For SA Requests, the kernel fills in - * Notification_Type, MsgID, Dst, Satype, (and optionally - * Protocol, Src, Sport, Dport and UserID). 
- * - */ - struct /* kernel->userland notifications */ - { - u_int32_t Notification_Type; - u_int32_t MsgID; /* Request ID */ - u_int32_t Spi; - struct in_addr Dst; /* Peer */ - struct in_addr Src; /* Might have our local address */ - u_int16_t Sport; /* Source port */ - u_int16_t Dport; /* Destination port */ - u_int8_t Protocol; /* Transport protocol */ - u_int8_t Sproto; /* IPsec protocol */ - u_int16_t Satype; /* SA type */ - u_int32_t Foo; /* Alignment */ - u_int8_t UserID[1]; /* Might be used to indicate user */ - } Notify; - - /* Link two SPIs */ - struct - { - u_int32_t Spi; /* SPI */ - u_int32_t Spi2; - struct in_addr Dst; /* Dest */ - struct in_addr Dst2; - u_int8_t Sproto; /* IPsec protocol */ - u_int8_t Sproto2; - } Rel; - - /* Enable/disable an SA for a session */ - struct - { - u_int32_t Spi; - struct in_addr Dst; - struct in_addr iSrc; /* Source... */ - struct in_addr iDst; /* ...and destination in inner IP */ - struct in_addr iSmask; /* Source netmask */ - struct in_addr iDmask; /* Destination netmask */ - u_int16_t Sport; /* Source port, if applicable */ - u_int16_t Dport; /* Destination port, if applicable */ - u_int8_t Protocol; /* Transport mode for which protocol */ - u_int8_t Sproto; /* IPsec protocol */ - u_int16_t Flags; - u_int32_t Spi2; /* Used in REPLACESPI... */ - struct in_addr Dst2; /* ...to specify which SPI is... */ - u_int8_t Sproto2; /* ...replaced. 
*/ - } Ena; - - /* For general use: (in)validate, delete (chain), reserve */ - struct - { - u_int32_t Spi; - struct in_addr Dst; - u_int8_t Sproto; - } Gen; - } Eu; -}; - -#define ENABLE_FLAG_REPLACE 1 /* Replace existing flow with new */ -#define ENABLE_FLAG_LOCAL 2 /* Add routes for 0.0.0.0 */ -#define ENABLE_FLAG_MODIFY 4 /* Keep routing masks */ - -#define ENCAP_MSG_FIXED_LEN (2 * sizeof(u_int32_t)) - -#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */ -#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */ -#define NOTIFY_REQUEST_SA 2 /* Establish an SA */ - -#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */ -#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */ -#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */ - -#define em_ena_spi Eu.Ena.Spi -#define em_ena_dst Eu.Ena.Dst -#define em_ena_isrc Eu.Ena.iSrc -#define em_ena_idst Eu.Ena.iDst -#define em_ena_ismask Eu.Ena.iSmask -#define em_ena_idmask Eu.Ena.iDmask -#define em_ena_sport Eu.Ena.Sport -#define em_ena_dport Eu.Ena.Dport -#define em_ena_protocol Eu.Ena.Protocol -#define em_ena_sproto Eu.Ena.Sproto -#define em_ena_flags Eu.Ena.Flags - -#define em_gen_spi Eu.Gen.Spi -#define em_gen_dst Eu.Gen.Dst -#define em_gen_sproto Eu.Gen.Sproto - -#define em_not_type Eu.Notify.Notification_Type -#define em_not_spi Eu.Notify.Spi -#define em_not_dst Eu.Notify.Dst -#define em_not_src Eu.Notify.Src -#define em_not_satype Eu.Notify.Satype -#define em_not_userid Eu.Notify.UserID -#define em_not_msgid Eu.Notify.MsgID -#define em_not_sport Eu.Notify.Sport -#define em_not_dport Eu.Notify.Dport -#define em_not_protocol Eu.Notify.Protocol -#define em_not_sproto Eu.Notify.Sproto - -#define em_spi Eu.Xfm.Spi -#define em_dst Eu.Xfm.Dst -#define em_src Eu.Xfm.Src -#define em_osrc Eu.Xfm.oSrc -#define em_odst Eu.Xfm.oDst -#define em_alg Eu.Xfm.Alg -#define em_dat Eu.Xfm.Dat -#define em_first_use_hard Eu.Xfm.First_Use_Hard -#define em_first_use_soft Eu.Xfm.First_Use_Soft -#define em_expire_hard 
Eu.Xfm.Expire_Hard -#define em_expire_soft Eu.Xfm.Expire_Soft -#define em_bytes_hard Eu.Xfm.Bytes_Hard -#define em_bytes_soft Eu.Xfm.Bytes_Soft -#define em_packets_hard Eu.Xfm.Packets_Hard -#define em_packets_soft Eu.Xfm.Packets_Soft -#define em_ttl Eu.Xfm.TTL -#define em_sproto Eu.Xfm.Sproto -#define em_satype Eu.Xfm.Satype - -#define em_rel_spi Eu.Rel.Spi -#define em_rel_spi2 Eu.Rel.Spi2 -#define em_rel_dst Eu.Rel.Dst -#define em_rel_dst2 Eu.Rel.Dst2 -#define em_rel_sproto Eu.Rel.Sproto -#define em_rel_sproto2 Eu.Rel.Sproto2 - -#define EMT_SETSPI 1 /* Set SPI properties */ -#define EMT_GRPSPIS 2 /* Group SPIs */ -#define EMT_DELSPI 3 /* delete an SPI */ -#define EMT_DELSPICHAIN 4 /* delete an SPI chain starting from */ -#define EMT_RESERVESPI 5 /* Give us an SPI */ -#define EMT_ENABLESPI 6 /* Enable an SA */ -#define EMT_DISABLESPI 7 /* Disable an SA */ -#define EMT_NOTIFY 8 /* kernel->userland key mgmt not. */ -#define EMT_REPLACESPI 10 /* Replace all uses of an SA */ - -/* Total packet lengths */ -#define EMT_SETSPI_FLEN 104 -#define EMT_GRPSPIS_FLEN 26 -#define EMT_GENLEN 17 -#define EMT_DELSPI_FLEN EMT_GENLEN -#define EMT_DELSPICHAIN_FLEN EMT_GENLEN -#define EMT_RESERVESPI_FLEN EMT_GENLEN -#define EMT_NOTIFY_FLEN 40 -#define EMT_ENABLESPI_FLEN 49 -#define EMT_DISABLESPI_FLEN EMT_ENABLESPI_FLEN -#define EMT_REPLACESPI_FLEN EMT_ENABLESPI_FLEN - -#ifdef _KERNEL -extern struct ifaddr *encap_findgwifa(struct sockaddr *); -extern struct ifnet enc_softc; -#endif |