diff options
| author | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-07-09 16:58:07 +0000 |
|---|---|---|
| committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2010-07-09 16:58:07 +0000 |
| commit | 9b4939a135e7439d02025abc3fae443f6b34a436 (patch) | |
| tree | 4d6d474863598a533548ed438df229f82ffd9a59 /sys/netinet/ip_ipcomp.c | |
| parent | 74c8e65b12d50b84bca2cad414861a6a3de2ec89 (diff) | |
Add support for using IPsec in multiple rdomains.
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
Diffstat (limited to 'sys/netinet/ip_ipcomp.c')
| -rw-r--r-- | sys/netinet/ip_ipcomp.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/sys/netinet/ip_ipcomp.c b/sys/netinet/ip_ipcomp.c index af855f0d7cb..fff0dbfe999 100644 --- a/sys/netinet/ip_ipcomp.c +++ b/sys/netinet/ip_ipcomp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ip_ipcomp.c,v 1.26 2010/07/02 02:40:16 blambert Exp $ */ +/* $OpenBSD: ip_ipcomp.c,v 1.27 2010/07/09 16:58:06 reyk Exp $ */ /* * Copyright (c) 2001 Jean-Jacques Bernard-Gundol (jj@wabbitt.org) @@ -195,6 +195,7 @@ ipcomp_input(m, tdb, skip, protoff) tc->tc_protoff = protoff; tc->tc_spi = tdb->tdb_spi; tc->tc_proto = IPPROTO_IPCOMP; + tc->tc_rdomain = tdb->tdb_rdomain; bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); return crypto_dispatch(crp); @@ -234,7 +235,7 @@ ipcomp_input_cb(op) s = spltdb(); - tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); + tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA); ipcompstat.ipcomps_notdb++; @@ -526,6 +527,7 @@ ipcomp_output(m, tdb, mp, skip, protoff) tc->tc_spi = tdb->tdb_spi; tc->tc_proto = tdb->tdb_sproto; tc->tc_skip = skip; + tc->tc_rdomain = tdb->tdb_rdomain; bcopy(&tdb->tdb_dst, &tc->tc_dst, sizeof(union sockaddr_union)); /* Crypto operation descriptor */ @@ -577,7 +579,7 @@ ipcomp_output_cb(cp) s = spltdb(); - tdb = gettdb(tc->tc_spi, &tc->tc_dst, tc->tc_proto); + tdb = gettdb(tc->tc_rdomain, tc->tc_spi, &tc->tc_dst, tc->tc_proto); if (tdb == NULL) { free(tc, M_XDATA); ipcompstat.ipcomps_notdb++; |