summaryrefslogtreecommitdiff
path: root/sys/netinet
diff options
context:
space:
mode:
authorDavid Gwynne <dlg@cvs.openbsd.org>2023-08-07 01:44:52 +0000
committerDavid Gwynne <dlg@cvs.openbsd.org>2023-08-07 01:44:52 +0000
commitf20a58c65d5c49227ac18f2a01aac95acd271112 (patch)
tree30d6103f977d3a264c75895f7036cf16535978c6 /sys/netinet
parentbb939e2908baffbe417ab89618cee309d38291a6 (diff)
start adding support for route-based ipsec vpns.
rather than use ipsec flows (aka, entries in the ipsec security policy database) to decide which traffic should be encapsulated in ipsec and sent to a peer, this tweaks security associations (SAs) so they can refer to a tunnel interface. when traffic is routed over that tunnel interface, an ipsec SA is looked up and used to encapsulate traffic before being sent to the peer on the SA. When traffic is received from a peer using an interface SA, the specified interface is looked up and the packet is handed to it so it looks like packets come out of the tunnel. to support this, SAs get a TDBF_IFACE flag and iface and iface_dir fields. When TDBF_IFACE is set the iface and dir fields are considered valid, and the tdb/SA should be used with the tunnel interface instead of the SPD. support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ipsp.h7
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 5da3ad7437f..c24174d0f90 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.241 2023/07/06 04:55:05 dlg Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.242 2023/08/07 01:44:51 dlg Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -357,6 +357,7 @@ struct tdb { /* tunnel descriptor block */
#define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */
#define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */
#define TDBF_PFSYNC_SNAPPED 0x200000 /* entry is being dispatched to peer */
+#define TDBF_IFACE 0x400000 /* entry policy is via sec(4) */
#define TDBF_BITS ("\20" \
"\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \
@@ -364,7 +365,7 @@ struct tdb { /* tunnel descriptor block */
"\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \
"\15TUNNELING" \
"\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \
- "\25ESN")
+ "\25ESN" "\26IFACE")
u_int32_t tdb_flags; /* [m] Flags related to this TDB */
@@ -406,6 +407,7 @@ struct tdb { /* tunnel descriptor block */
u_int8_t tdb_sproto; /* [I] IPsec protocol */
u_int8_t tdb_wnd; /* Replay window */
u_int8_t tdb_satype; /* SA type (RFC2367, PF_KEY) */
+ u_int8_t tdb_iface_dir; /* [I] sec(4) iface direction */
union sockaddr_union tdb_dst; /* [N] Destination address */
union sockaddr_union tdb_src; /* [N] Source address */
@@ -431,6 +433,7 @@ struct tdb { /* tunnel descriptor block */
u_int16_t tdb_tag; /* Packet filter tag */
u_int32_t tdb_tap; /* Alternate enc(4) interface */
+ unsigned int tdb_iface; /* [I] sec(4) iface */
u_int tdb_rdomain; /* [I] Routing domain */
u_int tdb_rdomain_post; /* [I] Change domain */