authorAngelos D. Keromytis <angelos@cvs.openbsd.org>1999-02-24 22:36:22 +0000
committerAngelos D. Keromytis <angelos@cvs.openbsd.org>1999-02-24 22:36:22 +0000
commitc03c21660ef1b0eb01d3d461f2b03ceaf3a65e75 (patch)
tree90fd594f11a312eeacd003cd477bf0c4832abe5f /sys/net
parent0532902b4468dd0077e53b22b3ccbf2f409ca26e (diff)
Not used anymore.
Diffstat (limited to 'sys/net')
-rw-r--r--sys/net/encap.c1155
-rw-r--r--sys/net/encap.h357
2 files changed, 0 insertions, 1512 deletions
diff --git a/sys/net/encap.c b/sys/net/encap.c
deleted file mode 100644
index de226379869..00000000000
--- a/sys/net/encap.c
+++ /dev/null
@@ -1,1155 +0,0 @@
-/* $OpenBSD: encap.c,v 1.26 1999/01/11 22:52:49 angelos Exp $ */
-
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/param.h>
-#include <sys/systm.h>
-#include <sys/proc.h>
-#include <sys/mbuf.h>
-#include <sys/socket.h>
-#include <sys/socketvar.h>
-#include <sys/domain.h>
-#include <sys/protosw.h>
-#include <sys/ioctl.h>
-#include <vm/vm.h>
-#include <sys/sysctl.h>
-
-#include <net/if.h>
-#include <net/route.h>
-#include <net/raw_cb.h>
-#include <machine/stdarg.h>
-
-#ifdef INET
-#include <netinet/in.h>
-#include <netinet/in_systm.h>
-#include <netinet/ip.h>
-#include <netinet/in_pcb.h>
-#endif
-
-#include <net/encap.h>
-#include <netinet/ip_ipsp.h>
-#include <netinet/ip_ip4.h>
-
-#include <sys/syslog.h>
-
-void encap_init(void);
-void encap_sendnotify(int, struct tdb *, void *);
-int encap_notify_sa(u_int32_t, struct in_addr, struct in_addr,
- u_int16_t, u_int16_t, u_int16_t, u_int16_t);
-int encap_enable_spi(u_int32_t, struct in_addr, struct in_addr, struct in_addr,
- struct in_addr, struct in_addr, u_int16_t, u_int16_t,
- u_int16_t, u_int16_t, u_int16_t);
-int encap_output __P((struct mbuf *, ...));
-int encap_usrreq(struct socket *, int, struct mbuf *, struct mbuf *,
- struct mbuf *);
-int encap_sysctl(int *, u_int, void *, size_t *, void *, size_t);
-
-extern int tdb_init(struct tdb *, struct mbuf *);
-
-extern struct domain encapdomain;
-
-extern struct inpcbtable tcbtable; /* Notify - XXX */
-extern struct inpcbtable udbtable; /* Notify - XXX */
-extern struct inpcbtable rawcbtable; /* Notify - XXX */
-
-struct sockaddr encap_dst = { 2, PF_ENCAP, };
-struct sockaddr encap_src = { 2, PF_ENCAP, };
-struct sockproto encap_proto = { PF_ENCAP, };
-
-struct protosw encapsw[] = {
- { SOCK_RAW, &encapdomain, 0, PR_ATOMIC|PR_ADDR,
- raw_input, encap_output, raw_ctlinput, 0,
- encap_usrreq,
- encap_init, 0, 0, 0,
- encap_sysctl
- },
-};
-
-struct domain encapdomain =
-{ AF_ENCAP, "encapsulation", 0, 0, 0,
- encapsw, &encapsw[sizeof(encapsw) / sizeof(encapsw[0])], 0,
- rn_inithead, 16, sizeof(struct sockaddr_encap)};
-
-/*
- * Sysctl for encap variables
- */
-int
-encap_sysctl(int *name, u_int namelen, void *oldp, size_t *oldplenp,
- void *newp, size_t newlen)
-{
- /* All sysctl names at this level are terminal */
- if (namelen != 1)
- return ENOTDIR;
-
- switch (name[0])
- {
- case ENCAPCTL_ENCDEBUG:
- return (sysctl_int(oldp, oldplenp, newp, newlen, &encdebug));
-
- default:
- return ENOPROTOOPT;
- }
- /* Not reached */
-}
-
-void
-encap_init()
-{
- struct xformsw *xsp;
-
- for (xsp = xformsw; xsp < xformswNXFORMSW; xsp++)
- {
- /*log(LOG_INFO, "encap_init(): attaching <%s>\n", xsp->xf_name);*/
- (*(xsp->xf_attach))();
- }
-}
-
-/*ARGSUSED*/
-int
-encap_usrreq(register struct socket *so, int req, struct mbuf *m,
- struct mbuf *nam, struct mbuf *control)
-{
- register struct rawcb *rp = sotorawcb(so);
- register int error = 0;
- int s;
-
- if (req == PRU_ATTACH)
- {
- MALLOC(rp, struct rawcb *, sizeof(*rp), M_PCB, M_WAITOK);
- if (rp == (struct rawcb *) NULL)
- return ENOBUFS;
-
- if ((so->so_pcb = (caddr_t) rp))
- bzero(so->so_pcb, sizeof(*rp));
- }
-
- s = splnet();
- error = raw_usrreq(so, req, m, nam, control);
- rp = sotorawcb(so);
- if ((req == PRU_ATTACH) && rp)
- {
- /* int af = rp->rcb_proto.sp_protocol; */
-
- if (error)
- {
- free((caddr_t) rp, M_PCB);
- splx(s);
- return error;
- }
- rp->rcb_faddr = &encap_src;
- soisconnected(so);
- so->so_options |= SO_USELOOPBACK;
- }
- splx(s);
- return error;
-}
-
-int
-encap_notify_sa(u_int32_t spi, struct in_addr dst, struct in_addr src,
- u_int16_t sport, u_int16_t dport, u_int16_t protocol,
- u_int16_t sproto)
-{
- struct inpcbtable *table = NULL;
- struct inpcb *inp = NULL;
- struct in_addr altm, zeroin_addr;
- struct tdb *tdbp;
- struct flow *flow;
- int error = 0;
- u_int8_t secrequire;
-
- altm.s_addr = INADDR_BROADCAST;
-
- switch (protocol) {
- case IPPROTO_TCP:
- table = &tcbtable;
- break;
- case IPPROTO_UDP:
- table = &udbtable;
- break;
- default:
- break;
- }
-
- if (table != NULL) {
- /* Protocols with own inpcb tables */
- bzero((caddr_t)&zeroin_addr, sizeof(zeroin_addr));
- inp = in_pcblookup(table, &dst, dport, &zeroin_addr, sport,
- INPLOOKUP_WILDCARD);
- } else {
- /* RAW protocol - taken from raw_ip.c */
- /* XXX - we can have more than one inp sleeping here */
- for (inp = rawcbtable.inpt_queue.cqh_first;
- inp != (struct inpcb *)&rawcbtable.inpt_queue;
- inp = inp->inp_queue.cqe_next) {
- if (!inp->inp_socket ||
- inp->inp_socket->so_proto->pr_protocol != protocol)
- continue;
- if (inp->inp_faddr.s_addr &&
- inp->inp_faddr.s_addr != dst.s_addr)
- continue;
- if (inp->inp_secrequire != 0 &&
- inp->inp_secresult == SR_WAIT)
- break;
- }
- if (inp == (struct inpcb *)&rawcbtable.inpt_queue)
- inp = NULL;
- }
-
-#ifdef ENCDEBUG
- if (encdebug && inp != NULL)
- printf("encap: found inp for protocol %d\n", protocol);
-#endif /* ENCDEBUG */
-
- if (inp && inp->inp_secresult == SR_WAIT && inp->inp_secrequire != 0) {
- secrequire = inp->inp_secrequire;
- } else {
- /*
- * XXX - is this the right thing to do ?? We need to know if
- * IPSec is already in use.
- * This does only work for host-to-host
- */
- flow = find_global_flow(src, altm, dst, altm, 0,0,0);
- if (flow == (struct flow *)NULL)
- return (ENOENT);
-
- SPI_CHAIN_ATTRIB(secrequire, tdb_onext, flow->flow_sa);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: Existing flow (%0x) requires: %d\n",
- flow, secrequire);
-#endif /* ENCDEBUG */
- }
-
- if (spi == 0) {
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: key management failed\n");
-#endif
- if (inp != NULL) {
- inp->inp_secresult = SR_FAILED;
- wakeup(inp);
- }
- return (0);
- } else {
- u_int8_t sa_have;
-
- tdbp = gettdb(spi, dst, sproto);
- if (tdbp == NULL)
- return (ENOENT);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: found tdb\n");
-#endif /* ENCDEBUG */
-
- SPI_CHAIN_ATTRIB(sa_have, tdb_onext, tdbp);
-
- /* Requirements not met */
- if (secrequire & ~sa_have)
- return (EINVAL);
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: tdb meets requirements\n");
-#endif /* ENCDEBUG */
-
- /*
- * This is a stupid hack, we do not support socketwise
- * keying at the moment, so we do it for the whole host
- */
- error = encap_enable_spi(spi, dst, src, altm, dst, altm,
- 0, 0, 0, sproto,
- ENABLE_FLAG_REPLACE|ENABLE_FLAG_LOCAL);
-
- if (!error) {
-#ifdef ENCDEBUG
- if (encdebug)
- printf("encap: key management succeeded\n");
-#endif /* ENCDEBUG */
- if (inp != NULL) {
- inp->inp_secresult = SR_SUCCESS;
- wakeup(inp);
- }
- }
- }
-
- return (error);
-}
-
-int
-encap_enable_spi(u_int32_t spi, struct in_addr dst,
- struct in_addr isrc, struct in_addr ismask,
- struct in_addr idst, struct in_addr idmask,
- u_int16_t sport, u_int16_t dport,
- u_int16_t protocol, u_int16_t sproto,
- u_int16_t flags)
-{
- struct sockaddr_encap encapdst, encapgw, encapnetmask;
- struct flow *flow, *flow2, *flow3, *flow4;
- struct in_addr alts, altm;
- struct tdb *tdbp;
- int error = 0;
-
- tdbp = gettdb(spi, dst, sproto);
- if (tdbp == NULL)
- return (ENOENT);
-
- bzero((caddr_t) &encapdst, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapnetmask, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapgw, sizeof(struct sockaddr_encap));
-
- flow = flow2 = flow3 = flow4 = (struct flow *) NULL;
-
- /* Retrieve source and destination masks from routing entry */
- if (flags & ENABLE_FLAG_MODIFY) {
- struct route_enc re0, *re = &re0;
- struct sockaddr_encap *dest, *mask;
-
- bzero((caddr_t) re, sizeof(*re));
- dest = (struct sockaddr_encap *) &re->re_dst;
- dest->sen_family = AF_ENCAP;
- dest->sen_len = SENT_IP4_LEN;
- dest->sen_type = SENT_IP4;
- dest->sen_ip_src = tdbp->tdb_src;
- dest->sen_ip_dst = dst;
- dest->sen_proto = protocol;
- dest->sen_sport = sport;
- dest->sen_dport = dport;
- rtalloc((struct route *) re);
- if (re->re_rt == NULL)
- return (ENOENT);
-
- mask = (struct sockaddr_encap *) (rt_mask(re->re_rt));
- if (mask == NULL)
- return (ENOENT);
-
- ismask.s_addr = mask->sen_ip_src.s_addr;
- idmask.s_addr = mask->sen_ip_dst.s_addr;
-
- RTFREE(re->re_rt);
- }
-
- isrc.s_addr &= ismask.s_addr;
- idst.s_addr &= idmask.s_addr;
-
- flow3 = find_global_flow(isrc, ismask, idst, idmask,
- protocol, sport, dport);
- if ((flow3 != (struct flow *) NULL) && !(flags & ENABLE_FLAG_REPLACE))
- return (EEXIST);
-
- /* Check for 0.0.0.0/255.255.255.255 if the flow is local */
- if (flags & ENABLE_FLAG_LOCAL) {
- alts.s_addr = INADDR_ANY;
- altm.s_addr = INADDR_BROADCAST;
- flow4 = find_global_flow(alts, altm, idst, idmask,
- protocol, sport, dport);
- if (flow4 != (struct flow *) NULL) {
- if (!(flags & ENABLE_FLAG_REPLACE))
- return (EEXIST);
- else if (flow3 == flow4)
- return (EINVAL);
- }
- }
-
- flow = get_flow();
- if (flow == (struct flow *) NULL)
- return (ENOBUFS);
-
- flow->flow_src.s_addr = isrc.s_addr;
- flow->flow_dst.s_addr = idst.s_addr;
- flow->flow_srcmask.s_addr = ismask.s_addr;
- flow->flow_dstmask.s_addr = idmask.s_addr;
- flow->flow_proto = protocol;
- flow->flow_sport = sport;
- flow->flow_dport = dport;
-
- if (flags & ENABLE_FLAG_LOCAL) {
- flow2 = get_flow();
- if (flow2 == (struct flow *) NULL) {
- FREE(flow, M_TDB);
- return (ENOBUFS);
- }
-
- flow2->flow_src.s_addr = INADDR_ANY;
- flow2->flow_dst.s_addr = idst.s_addr;
- flow2->flow_srcmask.s_addr = INADDR_BROADCAST;
- flow2->flow_dstmask.s_addr = idmask.s_addr;
- flow2->flow_proto = protocol;
- flow2->flow_sport = sport;
- flow2->flow_dport = dport;
-
- put_flow(flow2, tdbp);
- }
-
- put_flow(flow, tdbp);
-
- /* Setup the encap fields */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
- encapdst.sen_proto = flow->flow_proto;
- encapdst.sen_sport = flow->flow_sport;
- encapdst.sen_dport = flow->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = tdbp->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = tdbp->tdb_spi;
- encapgw.sen_ipsp_sproto = tdbp->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
-
- if (flow->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* If this is set, delete any old route for this flow */
- if (flags & ENABLE_FLAG_REPLACE)
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- /* Add the entry in the routing table */
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- if (error) {
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow3->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow3->flow_dst.s_addr;
- encapdst.sen_proto = flow3->flow_proto;
- encapdst.sen_sport = flow3->flow_sport;
- encapdst.sen_dport = flow3->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = flow3->flow_sa->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = flow3->flow_sa->tdb_spi;
- encapgw.sen_ipsp_sproto = flow3->flow_sa->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow3->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow3->flow_dstmask.s_addr;
-
- if (flow3->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow3->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* Try to add the old entry back in */
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- delete_flow(flow, tdbp);
- if (flow2)
- delete_flow(flow2, tdbp);
- return (error);
- }
-
- /* If this is a "local" packet flow */
- if (flags & ENABLE_FLAG_LOCAL) {
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- if (flags & ENABLE_FLAG_REPLACE)
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- if (error) {
- /* Delete the first entry inserted */
- encapdst.sen_ip_src.s_addr = isrc.s_addr;
- encapnetmask.sen_ip_src.s_addr = ismask.s_addr;
-
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- /* Setup the old entries */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow3->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow3->flow_dst.s_addr;
- encapdst.sen_proto = flow3->flow_proto;
- encapdst.sen_sport = flow3->flow_sport;
- encapdst.sen_dport = flow3->flow_dport;
-
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = flow3->flow_sa->tdb_dst.s_addr;
- encapgw.sen_ipsp_spi = flow3->flow_sa->tdb_spi;
- encapgw.sen_ipsp_sproto = flow3->flow_sa->tdb_sproto;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow3->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow3->flow_dstmask.s_addr;
-
- if (flow3->flow_proto) {
- encapnetmask.sen_proto = 0xff;
-
- if (flow3->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
-
- delete_flow(flow, tdbp);
- delete_flow(flow2, tdbp);
- return (error);
- }
- }
-
- /*
- * If we're here, it means we've successfully added the new
- * entries, so free the old ones.
- */
- if (flow3)
- delete_flow(flow3, flow3->flow_sa);
-
- if (flow4)
- delete_flow(flow4, flow4->flow_sa);
-
- return 0;
-}
-
-int
-#ifdef __STDC__
-encap_output(struct mbuf *m, ...)
-#else
-encap_output(m, va_alist)
-register struct mbuf *m;
-va_dcl
-#endif
-{
-#define SENDERR(e) do { error = e; goto flush;} while (0)
- struct sockaddr_encap encapdst, encapgw, encapnetmask;
- struct flow *flow, *flow2;
- int len, emlen, error = 0;
- struct in_addr alts, altm;
- struct encap_msghdr *emp;
- struct tdb *tdbp, *tdbp2;
- struct expiration *exp;
- caddr_t buffer = 0;
- struct socket *so;
- u_int32_t spi;
- va_list ap;
-
- va_start(ap, m);
- so = va_arg(ap, struct socket *);
- va_end(ap);
-
- if ((m == 0) || ((m->m_len < sizeof(int32_t)) &&
- (m = m_pullup(m, sizeof(int32_t))) == 0))
- return ENOBUFS;
-
- if ((m->m_flags & M_PKTHDR) == 0)
- SENDERR(EINVAL);
-
- len = m->m_pkthdr.len;
-
- emp = mtod(m, struct encap_msghdr *);
-
- emlen = emp->em_msglen;
- if (len < emlen)
- SENDERR(EINVAL);
-
- if (m->m_len < emlen)
- {
- MALLOC(buffer, caddr_t, emlen, M_TEMP, M_WAITOK);
- if (buffer == 0)
- SENDERR(ENOBUFS);
-
- m_copydata(m, 0, emlen, buffer);
-
- emp = (struct encap_msghdr *) buffer;
- }
-
- if (emp->em_version != PFENCAP_VERSION_1)
- SENDERR(EINVAL);
-
- bzero((caddr_t) &encapdst, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapnetmask, sizeof(struct sockaddr_encap));
- bzero((caddr_t) &encapgw, sizeof(struct sockaddr_encap));
-
- switch (emp->em_type)
- {
- case EMT_SETSPI:
- if (emlen <= EMT_SETSPI_FLEN)
- SENDERR(EINVAL);
-
- /*
- * If only one of the two outter addresses is set, return
- * error.
- */
- if ((emp->em_osrc.s_addr != 0) ^
- (emp->em_odst.s_addr != 0))
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_spi, emp->em_dst, emp->em_sproto);
- if (tdbp == NULL)
- {
- MALLOC(tdbp, struct tdb *, sizeof(*tdbp), M_TDB, M_WAITOK);
- if (tdbp == NULL)
- SENDERR(ENOBUFS);
-
- bzero((caddr_t) tdbp, sizeof(*tdbp));
-
- tdbp->tdb_spi = emp->em_spi;
- tdbp->tdb_dst = emp->em_dst;
- tdbp->tdb_sproto = emp->em_sproto;
- puttdb(tdbp);
- }
- else
- {
- if (tdbp->tdb_xform)
- (*tdbp->tdb_xform->xf_zeroize)(tdbp);
-
- cleanup_expirations(tdbp->tdb_dst, tdbp->tdb_spi,
- tdbp->tdb_sproto);
- }
-
- tdbp->tdb_src = emp->em_src;
- tdbp->tdb_satype = emp->em_satype;
-
- /* Check if this is an encapsulating SPI */
- if (emp->em_osrc.s_addr != 0)
- {
- tdbp->tdb_flags |= TDBF_TUNNELING;
- tdbp->tdb_osrc = emp->em_osrc;
- tdbp->tdb_odst = emp->em_odst;
-
- /* TTL */
- switch (emp->em_ttl)
- {
- case IP4_DEFAULT_TTL:
- tdbp->tdb_ttl = 0;
- break;
-
- case IP4_SAME_TTL:
- tdbp->tdb_flags |= TDBF_SAME_TTL;
- break;
-
- default:
- /* Get just the least significant bits */
- tdbp->tdb_ttl = emp->em_ttl % 256;
- break;
- }
- }
-
- /* Clear the INVALID flag */
- tdbp->tdb_flags &= (~TDBF_INVALID);
-
- /* Various timers/counters */
- if (emp->em_first_use_hard != 0)
- {
- tdbp->tdb_exp_first_use = emp->em_first_use_hard;
- tdbp->tdb_flags |= TDBF_FIRSTUSE;
- }
-
- if (emp->em_first_use_soft != 0)
- {
- tdbp->tdb_soft_first_use = emp->em_first_use_soft;
- tdbp->tdb_flags |= TDBF_SOFT_FIRSTUSE;
- }
-
- if (emp->em_expire_hard != 0)
- {
- tdbp->tdb_exp_timeout = emp->em_expire_hard;
- tdbp->tdb_flags |= TDBF_TIMER;
-
- exp = get_expiration();
- if (exp == (struct expiration *) NULL)
- {
- tdb_delete(tdbp, 0);
- SENDERR(ENOBUFS);
- }
-
- exp->exp_dst.s_addr = tdbp->tdb_dst.s_addr;
- exp->exp_spi = tdbp->tdb_spi;
- exp->exp_sproto = tdbp->tdb_sproto;
- exp->exp_timeout = emp->em_expire_hard;
- put_expiration(exp);
- }
-
- if (emp->em_expire_soft != 0)
- {
- tdbp->tdb_soft_timeout = emp->em_expire_soft;
- tdbp->tdb_flags |= TDBF_SOFT_TIMER;
-
- if (tdbp->tdb_soft_timeout <= tdbp->tdb_exp_timeout)
- {
- exp = get_expiration();
- if (exp == (struct expiration *) NULL)
- {
- tdb_delete(tdbp, 0);
- SENDERR(ENOBUFS);
- }
-
- exp->exp_dst.s_addr = tdbp->tdb_dst.s_addr;
- exp->exp_spi = tdbp->tdb_spi;
- exp->exp_sproto = tdbp->tdb_sproto;
- exp->exp_timeout = emp->em_expire_soft;
- put_expiration(exp);
- }
- }
-
- if (emp->em_bytes_hard != 0)
- {
- tdbp->tdb_exp_bytes = emp->em_bytes_hard;
- tdbp->tdb_flags |= TDBF_BYTES;
- }
-
- if (emp->em_bytes_soft != 0)
- {
- tdbp->tdb_soft_bytes = emp->em_bytes_soft;
- tdbp->tdb_flags |= TDBF_SOFT_BYTES;
- }
-
- if (emp->em_packets_hard != 0)
- {
- tdbp->tdb_exp_packets = emp->em_packets_hard;
- tdbp->tdb_flags |= TDBF_PACKETS;
- }
-
- if (emp->em_packets_soft != 0)
- {
- tdbp->tdb_soft_packets = emp->em_packets_soft;
- tdbp->tdb_flags |= TDBF_SOFT_PACKETS;
- }
-
- error = tdb_init(tdbp, m);
- if (error)
- {
- tdb_delete(tdbp, 0);
- SENDERR(EINVAL);
- }
-
- break;
-
- case EMT_DELSPI:
- if (emlen != EMT_DELSPI_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- error = tdb_delete(tdbp, 0);
- if (error)
- SENDERR(EINVAL);
-
- break;
-
- case EMT_DELSPICHAIN:
- if (emlen != EMT_DELSPICHAIN_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- error = tdb_delete(tdbp, 1);
- if (error)
- SENDERR(EINVAL);
-
- break;
-
- case EMT_GRPSPIS:
- if (emlen != EMT_GRPSPIS_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_rel_spi, emp->em_rel_dst,
- emp->em_rel_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- tdbp2 = gettdb(emp->em_rel_spi2, emp->em_rel_dst2,
- emp->em_rel_sproto2);
- if (tdbp2 == NULL)
- SENDERR(ENOENT);
-
- tdbp->tdb_onext = tdbp2;
- tdbp2->tdb_inext = tdbp;
-
- error = 0;
-
- break;
-
- case EMT_RESERVESPI:
- if (emlen != EMT_RESERVESPI_FLEN)
- SENDERR(EINVAL);
-
- spi = reserve_spi(emp->em_gen_spi, emp->em_gen_dst,
- emp->em_gen_sproto, &error);
- if (spi == 0)
- SENDERR(error);
-
- emp->em_gen_spi = spi;
-
- /* If we're using a buffer, copy the data back to an mbuf. */
- if (buffer)
- m_copyback(m, 0, emlen, buffer);
-
- /* Send it back to us */
- if (sbappendaddr(&so->so_rcv, &encap_src, m,
- (struct mbuf *) 0) == 0)
- SENDERR(ENOBUFS);
- else
- sorwakeup(so); /* wakeup */
-
- m = NULL; /* So it's not free'd */
- error = 0;
-
- break;
-
- case EMT_ENABLESPI:
- if (emlen != EMT_ENABLESPI_FLEN)
- SENDERR(EINVAL);
-
- error = encap_enable_spi(emp->em_ena_spi, emp->em_ena_dst,
- emp->em_ena_isrc, emp->em_ena_ismask,
- emp->em_ena_idst, emp->em_ena_idmask,
- emp->em_ena_sport, emp->em_ena_dport,
- emp->em_ena_protocol, emp->em_ena_sproto,
- emp->em_ena_flags);
-
- break;
-
- case EMT_DISABLESPI:
- if (emlen != EMT_DISABLESPI_FLEN)
- SENDERR(EINVAL);
-
- tdbp = gettdb(emp->em_ena_spi, emp->em_ena_dst,
- emp->em_ena_sproto);
- if (tdbp == NULL)
- SENDERR(ENOENT);
-
- /* Retrieve source and destination masks from routing entry */
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- struct route_enc re0, *re = &re0;
- struct sockaddr_encap *dest, *mask;
-
- bzero((caddr_t) re, sizeof(*re));
- dest = (struct sockaddr_encap *) &re->re_dst;
- dest->sen_family = AF_ENCAP;
- dest->sen_len = SENT_IP4_LEN;
- dest->sen_type = SENT_IP4;
- dest->sen_ip_src = tdbp->tdb_src;
- dest->sen_ip_dst = emp->em_ena_dst;
- dest->sen_proto = emp->em_ena_protocol;
- dest->sen_sport = emp->em_ena_sport;
- dest->sen_dport = emp->em_ena_dport;
- rtalloc((struct route *) re);
- if (re->re_rt == NULL)
- return (ENOENT);
-
- mask = (struct sockaddr_encap *) (rt_mask(re->re_rt));
- if (mask == NULL)
- return (ENOENT);
-
- emp->em_ena_ismask.s_addr = mask->sen_ip_src.s_addr;
- emp->em_ena_idmask.s_addr = mask->sen_ip_dst.s_addr;
-
- RTFREE(re->re_rt);
- }
-
- emp->em_ena_isrc.s_addr &= emp->em_ena_ismask.s_addr;
- emp->em_ena_idst.s_addr &= emp->em_ena_idmask.s_addr;
-
- flow = find_flow(emp->em_ena_isrc, emp->em_ena_ismask,
- emp->em_ena_idst, emp->em_ena_idmask,
- emp->em_ena_protocol, emp->em_ena_sport,
- emp->em_ena_dport, tdbp);
- if (flow == (struct flow *) NULL)
- SENDERR(ENOENT);
-
- if (emp->em_ena_flags & ENABLE_FLAG_LOCAL)
- {
- alts.s_addr = INADDR_ANY;
- altm.s_addr = INADDR_BROADCAST;
-
- flow2 = find_flow(alts, altm, emp->em_ena_idst,
- emp->em_ena_idmask, emp->em_ena_protocol,
- emp->em_ena_sport, emp->em_ena_dport, tdbp);
- if (flow2 == (struct flow *) NULL)
- SENDERR(ENOENT);
-
- if (flow == flow2)
- SENDERR(EINVAL);
- }
-
- /* Setup the encap fields */
- encapdst.sen_len = SENT_IP4_LEN;
- encapdst.sen_family = AF_ENCAP;
- encapdst.sen_type = SENT_IP4;
- encapdst.sen_ip_src.s_addr = flow->flow_src.s_addr;
- encapdst.sen_ip_dst.s_addr = flow->flow_dst.s_addr;
- encapdst.sen_proto = flow->flow_proto;
- encapdst.sen_sport = flow->flow_sport;
- encapdst.sen_dport = flow->flow_dport;
-
- encapnetmask.sen_len = SENT_IP4_LEN;
- encapnetmask.sen_family = AF_ENCAP;
- encapnetmask.sen_type = SENT_IP4;
- encapnetmask.sen_ip_src.s_addr = flow->flow_srcmask.s_addr;
- encapnetmask.sen_ip_dst.s_addr = flow->flow_dstmask.s_addr;
-
- if (flow->flow_proto)
- {
- encapnetmask.sen_proto = 0xff;
-
- if (flow->flow_sport)
- encapnetmask.sen_sport = 0xffff;
-
- if (flow->flow_dport)
- encapnetmask.sen_dport = 0xffff;
- }
-
- /* Delete the entry */
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = emp->em_ena_dst.s_addr;
- encapgw.sen_ipsp_spi = htonl(1);
- encapgw.sen_ipsp_sproto = IPPROTO_ESP;
- error = rtrequest(RTM_ADD, (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
- }
-
- if (emp->em_ena_flags & ENABLE_FLAG_LOCAL)
- {
-
- encapdst.sen_ip_src.s_addr = INADDR_ANY;
- encapnetmask.sen_ip_src.s_addr = INADDR_BROADCAST;
-
- rtrequest(RTM_DELETE, (struct sockaddr *) &encapdst,
- (struct sockaddr *) 0,
- (struct sockaddr *) &encapnetmask, 0,
- (struct rtentry **) 0);
-
- if (emp->em_ena_flags & ENABLE_FLAG_MODIFY) {
- encapgw.sen_len = SENT_IPSP_LEN;
- encapgw.sen_family = AF_ENCAP;
- encapgw.sen_type = SENT_IPSP;
- encapgw.sen_ipsp_dst.s_addr = emp->em_ena_dst.s_addr;
- encapgw.sen_ipsp_spi = htonl(1);
- encapgw.sen_ipsp_sproto = IPPROTO_ESP;
- error = rtrequest(RTM_ADD,
- (struct sockaddr *) &encapdst,
- (struct sockaddr *) &encapgw,
- (struct sockaddr *) &encapnetmask,
- RTF_UP | RTF_GATEWAY | RTF_STATIC,
- (struct rtentry **) 0);
- }
- delete_flow(flow2, tdbp);
- }
-
- delete_flow(flow, tdbp);
-
- break;
-
- case EMT_REPLACESPI:
- if (emlen <= EMT_REPLACESPI_FLEN)
- SENDERR(EINVAL);
-
- /* XXX Not yet finished */
-
- SENDERR(EINVAL);
-
- break;
-
- case EMT_NOTIFY:
- if (emlen < EMT_NOTIFY_FLEN)
- SENDERR(EINVAL);
-
- if (emp->em_not_type != NOTIFY_REQUEST_SA)
- SENDERR(EINVAL);
-
- error = encap_notify_sa(emp->em_not_spi,
- emp->em_not_dst, emp->em_not_src,
- emp->em_not_sport, emp->em_not_dport,
- emp->em_not_protocol, emp->em_not_sproto);
-
- break;
-
- default:
- SENDERR(EINVAL);
- }
-
-flush:
- if (m)
- m_freem(m);
-
- if (buffer)
- free(buffer, M_TEMP);
-
- return error;
-}
-
-void
-encap_sendnotify(int subtype, struct tdb *tdbp, void *data)
-{
- struct encap_msghdr em;
- struct mbuf *m;
-
- bzero(&em, sizeof(struct encap_msghdr));
-
- em.em_msglen = EMT_NOTIFY_FLEN;
- em.em_version = PFENCAP_VERSION_1;
- em.em_type = EMT_NOTIFY;
-
- notify_msgids++;
-
- switch (subtype)
- {
- case NOTIFY_SOFT_EXPIRE:
- case NOTIFY_HARD_EXPIRE:
- em.em_not_spi = tdbp->tdb_spi;
- em.em_not_sproto = tdbp->tdb_sproto;
- em.em_not_dst.s_addr = tdbp->tdb_dst.s_addr;
- em.em_not_type = subtype;
- em.em_not_satype = tdbp->tdb_satype;
- break;
-
- case NOTIFY_REQUEST_SA:
- em.em_not_dst.s_addr = tdbp->tdb_dst.s_addr;
-#ifdef INET
- if (data != NULL) {
- struct inpcb *inp = (struct inpcb *) data;
- struct socket *so = inp->inp_socket;
- em.em_not_dport = inp->inp_fport;
- em.em_not_sport = inp->inp_lport;
- if (so != 0)
- em.em_not_protocol = so->so_proto->pr_protocol;
- }
-#endif
- em.em_not_type = subtype;
- em.em_not_satype = tdbp->tdb_satype;
- break;
-
- default:
-#ifdef ENCDEBUG
- if (encdebug)
- log(LOG_WARNING, "encap_sendnotify(): unknown subtype %d\n", subtype);
-#endif /* ENCDEBUG */
- return;
- }
-
- m = m_gethdr(M_DONTWAIT, MT_DATA);
- if (m == NULL)
- {
- if (encdebug)
- log(LOG_ERR, "encap_sendnotify(): m_gethdr() returned NULL\n");
- return;
- }
-
- m->m_len = min(MHLEN, em.em_msglen);
- m_copyback(m, 0, em.em_msglen, (caddr_t) &em);
- raw_input(m, &encap_proto, &encap_src, &encap_dst);
-
- return;
-}
-
-struct ifaddr *
-encap_findgwifa(struct sockaddr *gw)
-{
- return enc_softc.if_addrlist.tqh_first;
-}
diff --git a/sys/net/encap.h b/sys/net/encap.h
deleted file mode 100644
index 23ac0370b7a..00000000000
--- a/sys/net/encap.h
+++ /dev/null
@@ -1,357 +0,0 @@
-/* $OpenBSD: encap.h,v 1.13 1998/05/24 14:13:59 provos Exp $ */
-
-/*
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr) and
- * Niels Provos (provos@physnet.uni-hamburg.de).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Copyright (C) 1995, 1996, 1997, 1998 by John Ioannidis, Angelos D. Keromytis
- * and Niels Provos.
- *
- * Permission to use, copy, and modify this software without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-/*
- * encap.h
- *
- * Declarations useful in the encapsulation code.
- */
-
-/* Sysctl definitions */
-
-#define ENCAPCTL_ENCDEBUG 1
-#define ENCAPCTL_MAXID 2
-
-#define ENCAPCTL_NAMES {\
- { 0, 0 }, \
- { "encdebug", CTLTYPE_INT }, \
-}
-
-/*
- * Definitions for encapsulation-related phenomena.
- *
- * A lot of encapsulation protocols (ipip, swipe, ip_encap, ipsp, etc.)
- * select their tunnel based on the destination (and sometimes the source)
- * of the packet. The encap address/protocol family provides a generic
- * mechanism for specifying tunnels.
- */
-
-/*
- * A tunnel is characterized by which source/destination address pairs
- * (with netmasks) it is valid for (the "destination" as far as the
- * routing code is concerned), and what the source (local) and destination
- * (remote) endpoints of the tunnel, and the SPI, should be (the "gateway"
- * as far as the routing code is concerned.
- */
-
-struct sockaddr_encap
-{
- u_int8_t sen_len; /* length */
- u_int8_t sen_family; /* AF_ENCAP */
- u_int16_t sen_type; /* see SENT_* */
- union
- {
- u_int8_t Data[16]; /* other stuff mapped here */
-
- struct /* SENT_IP4 */
- {
- struct in_addr Src;
- struct in_addr Dst;
- u_int16_t Sport;
- u_int16_t Dport;
- u_int8_t Proto;
- u_int8_t Filler[3];
- } Sip4;
-
- struct /* SENT_IPSP */
- {
- struct in_addr Dst;
- u_int32_t Spi;
- u_int8_t Sproto;
- u_int8_t Filler[7];
- } Sipsp;
- } Sen;
-};
-
-#define PFENCAP_VERSION_0 0
-#define PFENCAP_VERSION_1 1
-
-#define sen_data Sen.Data
-#define sen_ip_src Sen.Sip4.Src
-#define sen_ip_dst Sen.Sip4.Dst
-#define sen_proto Sen.Sip4.Proto
-#define sen_sport Sen.Sip4.Sport
-#define sen_dport Sen.Sip4.Dport
-#define sen_ipsp_dst Sen.Sipsp.Dst
-#define sen_ipsp_spi Sen.Sipsp.Spi
-#define sen_ipsp_sproto Sen.Sipsp.Sproto
-
-/*
- * The "type" is really part of the address as far as the routing
- * system is concerned. By using only one bit in the type field
- * for each type, we sort-of make sure that different types of
- * encapsulation addresses won't be matched against the wrong type.
- *
- */
-
-#define SENT_IP4 0x0001 /* data is two struct in_addr */
-#define SENT_IPSP 0x0002 /* data as in IP4 plus SPI */
-
-/*
- * SENT_HDRLEN is the length of the "header"
- * SENT_*_LEN are the lengths of various forms of sen_data
- * SENT_*_OFF are the offsets in the sen_data array of various fields
- */
-
-#define SENT_HDRLEN (2 * sizeof(u_int8_t) + sizeof(u_int16_t))
-
-#define SENT_IP4_SRCOFF (0)
-#define SENT_IP4_DSTOFF (sizeof (struct in_addr))
-
-#define SENT_IP4_LEN 20
-#define SENT_IPSP_LEN 20
-
-/*
- * For encapsulation routes are possible not only for the destination
- * address but also for the protocol, source and destination ports
- * if available
- */
-
-struct route_enc {
- struct rtentry *re_rt;
- struct sockaddr_encap re_dst;
-};
-
-/*
- * Tunnel descriptors are setup and torn down using a socket of the
- * AF_ENCAP domain. The following defines the messages that can
- * be sent down that socket.
- */
-struct encap_msghdr
-{
- u_int16_t em_msglen; /* message length */
- u_int8_t em_version; /* for future expansion */
- u_int8_t em_type; /* message type */
- u_int32_t foo; /* Alignment to 64 bit */
- union
- {
- /*
- * This is used to set/change the attributes of an SPI. If oSrc and
- * oDst are set to non-zero values, the SPI will also do IP-in-IP
- * encapsulation (tunneling). If only one of them is set, an error
- * is returned. Both zero implies transport mode.
- */
- struct
- {
- u_int32_t Spi; /* SPI */
- int32_t Alg; /* Algorithm to use */
- struct in_addr Dst; /* Destination address */
- struct in_addr Src; /* This is used to set our source
- * address when the outgoing packet
- * does not have a source address
- * (is zero). */
- struct in_addr oSrc; /* Outter header source address */
- struct in_addr oDst; /* Same, for destination address */
- u_int64_t First_Use_Hard; /* Expire relative to first use */
- u_int64_t First_Use_Soft;
- u_int64_t Expire_Hard; /* Expire at fixed point in time */
- u_int64_t Expire_Soft;
- u_int64_t Bytes_Hard; /* Expire after bytes recved/sent */
- u_int64_t Bytes_Soft;
- u_int64_t Packets_Hard; /* Expire after packets recved/sent */
- u_int64_t Packets_Soft;
- int32_t TTL; /* When tunneling, what TTL to use.
- * If set to IP4_SAME_TTL, the ttl
- * from the encapsulated packet will
- * be copied. If set to IP4_DEFAULT_TTL,
- * the system default TTL will be used.
- * If set to anything else, then the
- * ttl used will be TTL % 256 */
- u_int16_t Satype;
- u_int8_t Sproto; /* ESP or AH */
- u_int8_t Foo; /* Alignment */
- u_int8_t Dat[1]; /* Data */
- } Xfm;
-
- /*
- * For expiration notifications, the kernel fills in
- * Notification_Type, Spi, Dst and Sproto, Src and Satype.
- * No direct response is expected.
- *
- * For SA Requests, the kernel fills in
- * Notification_Type, MsgID, Dst, Satype, (and optionally
- * Protocol, Src, Sport, Dport and UserID).
- *
- */
- struct /* kernel->userland notifications */
- {
- u_int32_t Notification_Type;
- u_int32_t MsgID; /* Request ID */
- u_int32_t Spi;
- struct in_addr Dst; /* Peer */
- struct in_addr Src; /* Might have our local address */
- u_int16_t Sport; /* Source port */
- u_int16_t Dport; /* Destination port */
- u_int8_t Protocol; /* Transport protocol */
- u_int8_t Sproto; /* IPsec protocol */
- u_int16_t Satype; /* SA type */
- u_int32_t Foo; /* Alignment */
- u_int8_t UserID[1]; /* Might be used to indicate user */
- } Notify;
-
- /* Link two SPIs */
- struct
- {
- u_int32_t Spi; /* SPI */
- u_int32_t Spi2;
- struct in_addr Dst; /* Dest */
- struct in_addr Dst2;
- u_int8_t Sproto; /* IPsec protocol */
- u_int8_t Sproto2;
- } Rel;
-
- /* Enable/disable an SA for a session */
- struct
- {
- u_int32_t Spi;
- struct in_addr Dst;
- struct in_addr iSrc; /* Source... */
- struct in_addr iDst; /* ...and destination in inner IP */
- struct in_addr iSmask; /* Source netmask */
- struct in_addr iDmask; /* Destination netmask */
- u_int16_t Sport; /* Source port, if applicable */
- u_int16_t Dport; /* Destination port, if applicable */
- u_int8_t Protocol; /* Transport mode for which protocol */
- u_int8_t Sproto; /* IPsec protocol */
- u_int16_t Flags;
- u_int32_t Spi2; /* Used in REPLACESPI... */
- struct in_addr Dst2; /* ...to specify which SPI is... */
- u_int8_t Sproto2; /* ...replaced. */
- } Ena;
-
- /* For general use: (in)validate, delete (chain), reserve */
- struct
- {
- u_int32_t Spi;
- struct in_addr Dst;
- u_int8_t Sproto;
- } Gen;
- } Eu;
-};
-
-#define ENABLE_FLAG_REPLACE 1 /* Replace existing flow with new */
-#define ENABLE_FLAG_LOCAL 2 /* Add routes for 0.0.0.0 */
-#define ENABLE_FLAG_MODIFY 4 /* Keep routing masks */
-
-#define ENCAP_MSG_FIXED_LEN (2 * sizeof(u_int32_t))
-
-#define NOTIFY_SOFT_EXPIRE 0 /* Soft expiration of SA */
-#define NOTIFY_HARD_EXPIRE 1 /* Hard expiration of SA */
-#define NOTIFY_REQUEST_SA 2 /* Establish an SA */
-
-#define NOTIFY_SATYPE_CONF 1 /* SA should do encryption */
-#define NOTIFY_SATYPE_AUTH 2 /* SA should do authentication */
-#define NOTIFY_SATYPE_TUNNEL 4 /* SA should use tunneling */
-
-#define em_ena_spi Eu.Ena.Spi
-#define em_ena_dst Eu.Ena.Dst
-#define em_ena_isrc Eu.Ena.iSrc
-#define em_ena_idst Eu.Ena.iDst
-#define em_ena_ismask Eu.Ena.iSmask
-#define em_ena_idmask Eu.Ena.iDmask
-#define em_ena_sport Eu.Ena.Sport
-#define em_ena_dport Eu.Ena.Dport
-#define em_ena_protocol Eu.Ena.Protocol
-#define em_ena_sproto Eu.Ena.Sproto
-#define em_ena_flags Eu.Ena.Flags
-
-#define em_gen_spi Eu.Gen.Spi
-#define em_gen_dst Eu.Gen.Dst
-#define em_gen_sproto Eu.Gen.Sproto
-
-#define em_not_type Eu.Notify.Notification_Type
-#define em_not_spi Eu.Notify.Spi
-#define em_not_dst Eu.Notify.Dst
-#define em_not_src Eu.Notify.Src
-#define em_not_satype Eu.Notify.Satype
-#define em_not_userid Eu.Notify.UserID
-#define em_not_msgid Eu.Notify.MsgID
-#define em_not_sport Eu.Notify.Sport
-#define em_not_dport Eu.Notify.Dport
-#define em_not_protocol Eu.Notify.Protocol
-#define em_not_sproto Eu.Notify.Sproto
-
-#define em_spi Eu.Xfm.Spi
-#define em_dst Eu.Xfm.Dst
-#define em_src Eu.Xfm.Src
-#define em_osrc Eu.Xfm.oSrc
-#define em_odst Eu.Xfm.oDst
-#define em_alg Eu.Xfm.Alg
-#define em_dat Eu.Xfm.Dat
-#define em_first_use_hard Eu.Xfm.First_Use_Hard
-#define em_first_use_soft Eu.Xfm.First_Use_Soft
-#define em_expire_hard Eu.Xfm.Expire_Hard
-#define em_expire_soft Eu.Xfm.Expire_Soft
-#define em_bytes_hard Eu.Xfm.Bytes_Hard
-#define em_bytes_soft Eu.Xfm.Bytes_Soft
-#define em_packets_hard Eu.Xfm.Packets_Hard
-#define em_packets_soft Eu.Xfm.Packets_Soft
-#define em_ttl Eu.Xfm.TTL
-#define em_sproto Eu.Xfm.Sproto
-#define em_satype Eu.Xfm.Satype
-
-#define em_rel_spi Eu.Rel.Spi
-#define em_rel_spi2 Eu.Rel.Spi2
-#define em_rel_dst Eu.Rel.Dst
-#define em_rel_dst2 Eu.Rel.Dst2
-#define em_rel_sproto Eu.Rel.Sproto
-#define em_rel_sproto2 Eu.Rel.Sproto2
-
-#define EMT_SETSPI 1 /* Set SPI properties */
-#define EMT_GRPSPIS 2 /* Group SPIs */
-#define EMT_DELSPI 3 /* delete an SPI */
-#define EMT_DELSPICHAIN 4 /* delete an SPI chain starting from */
-#define EMT_RESERVESPI 5 /* Give us an SPI */
-#define EMT_ENABLESPI 6 /* Enable an SA */
-#define EMT_DISABLESPI 7 /* Disable an SA */
-#define EMT_NOTIFY 8 /* kernel->userland key mgmt not. */
-#define EMT_REPLACESPI 10 /* Replace all uses of an SA */
-
-/* Total packet lengths */
-#define EMT_SETSPI_FLEN 104
-#define EMT_GRPSPIS_FLEN 26
-#define EMT_GENLEN 17
-#define EMT_DELSPI_FLEN EMT_GENLEN
-#define EMT_DELSPICHAIN_FLEN EMT_GENLEN
-#define EMT_RESERVESPI_FLEN EMT_GENLEN
-#define EMT_NOTIFY_FLEN 40
-#define EMT_ENABLESPI_FLEN 49
-#define EMT_DISABLESPI_FLEN EMT_ENABLESPI_FLEN
-#define EMT_REPLACESPI_FLEN EMT_ENABLESPI_FLEN
-
-#ifdef _KERNEL
-extern struct ifaddr *encap_findgwifa(struct sockaddr *);
-extern struct ifnet enc_softc;
-#endif