authorReyk Floeter <reyk@cvs.openbsd.org>2006-11-24 13:52:15 +0000
committerReyk Floeter <reyk@cvs.openbsd.org>2006-11-24 13:52:15 +0000
commit7fbffbaf7e3799b9cd7a8945cea919cc091ca8d1 (patch)
tree0cef703fab0b082809c2f9483714feb180bfe502 /sys/netinet
parent2e37005e33b1ab74053f390d46313cbefe2212ad (diff)
add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/ip_ipsp.c15
-rw-r--r--sys/netinet/ip_ipsp.h6
-rw-r--r--sys/netinet/ipsec_input.c14
-rw-r--r--sys/netinet/ipsec_output.c14
4 files changed, 44 insertions, 5 deletions
diff --git a/sys/netinet/ip_ipsp.c b/sys/netinet/ip_ipsp.c
index 39611a04eed..196aab812f7 100644
--- a/sys/netinet/ip_ipsp.c
+++ b/sys/netinet/ip_ipsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.c,v 1.165 2006/01/13 10:11:23 mpf Exp $ */
+/* $OpenBSD: ip_ipsp.c,v 1.166 2006/11/24 13:52:14 reyk Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -37,6 +37,8 @@
* PURPOSE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/mbuf.h>
#include <sys/socket.h>
@@ -46,6 +48,10 @@
#include <net/if.h>
#include <net/route.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#ifdef INET
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -858,6 +864,13 @@ tdb_free(struct tdb *tdbp)
tdbp->tdb_remote_cred = NULL;
}
+#if NPF > 0
+ if (tdbp->tdb_tag) {
+ pf_tag_unref(tdbp->tdb_tag);
+ tdbp->tdb_tag = 0;
+ }
+#endif
+
if ((tdbp->tdb_onext) && (tdbp->tdb_onext->tdb_inext == tdbp))
tdbp->tdb_onext->tdb_inext = NULL;
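Review bot: The pf_tag_unref() added to tdb_free() only balances a reference if every place that stores into tdb_tag also takes one (pf_tagname2tag() or an equivalent), and that setter is not in this diff, which is limited to sys/netinet; the pairing is worth confirming, and a setter that overwrites a non-zero tdb_tag on an existing TDB must release the old id first or its reference leaks. A one-line comment would make the contract visible at the release site: `/* Drop the pf tag reference taken when tdb_tag was set. */`. tdb_free() starts outside the hunk.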
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index 9f0cba75b4f..06fcc70f549 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.134 2006/06/30 21:41:12 deraadt Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.135 2006/11/24 13:52:14 reyk Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -270,7 +270,7 @@ struct tdb { /* tunnel descriptor block */
* Each TDB is on three hash tables: one keyed on dst/spi/sproto,
* one keyed on dst/sproto, and one keyed on src/sproto. The first
* is used for finding a specific TDB, the second for finding TDBs
- * TDBs for outgoing policy matching, and the third for incoming
+ * for outgoing policy matching, and the third for incoming
* policy matching. The following three fields maintain the hash
* queues in those three tables.
*/
@@ -367,6 +367,8 @@ struct tdb { /* tunnel descriptor block */
u_int16_t tdb_udpencap_port; /* Peer UDP port */
+ u_int16_t tdb_tag; /* Packet filter tag */
+
struct sockaddr_encap tdb_filter; /* What traffic is acceptable */
struct sockaddr_encap tdb_filtermask; /* And the mask */
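Review bot: The comment on the new tdb_tag field does not say which value means "no tag" or that the id carries a pf reference, both of which tdb_free() in ip_ipsp.c relies on (`if (tdbp->tdb_tag)` followed by pf_tag_unref() and `tdbp->tdb_tag = 0`). Suggest `u_int16_t tdb_tag; /* pf(4) tag id, 0 = none; ref held by TDB */` so the next reader does not have to find that in ip_ipsp.c. struct tdb starts outside the hunk.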
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 2617482c6b2..e00cf80b590 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.79 2006/03/25 22:41:48 djm Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.80 2006/11/24 13:52:14 reyk Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -35,6 +35,8 @@
* PURPOSE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/protosw.h>
@@ -47,6 +49,10 @@
#include <net/netisr.h>
#include <net/bpf.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
@@ -554,6 +560,12 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff,
} else if (sproto == IPPROTO_AH)
m->m_flags |= M_AUTH | M_AUTH_AH;
+#if NPF > 0
+ /* Add pf tag if requested. */
+ if (pf_tag_packet(m, NULL, tdbp->tdb_tag, -1))
+ DPRINTF(("failed to tag ipsec packet\n"));
+#endif
+
if (tdbp->tdb_flags & TDBF_TUNNELING)
m->m_flags |= M_TUNNEL;
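Review bot: A failed pf_tag_packet() only emits a DPRINTF and the packet continues untagged, so a packet that was meant to carry the tag reaches pf without it; since the tag is a policy input, the choice between best-effort tagging and dropping the packet (m_freem() plus an error return, as the other failure paths in this callback presumably do) should be made explicitly and recorded in the comment, e.g. `/* Tag the packet for pf; a tagging failure is non-fatal and only leaves the packet untagged. */`. The call is also made when tdb_tag is 0; unless pf_tag_packet() short-circuits on a zero tag, guard it with `if (tdbp->tdb_tag)` so that SAs without a tag do not pay for an mtag lookup or allocation. The same applies to the hunk in ipsec_output.c (ipsp_process_done), whose end is outside this chunk. ipsec_common_input_cb() starts outside the hunk.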
diff --git a/sys/netinet/ipsec_output.c b/sys/netinet/ipsec_output.c
index 73bae9676d9..1e91a4997ac 100644
--- a/sys/netinet/ipsec_output.c
+++ b/sys/netinet/ipsec_output.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_output.c,v 1.33 2005/04/12 09:39:54 markus Exp $ */
+/* $OpenBSD: ipsec_output.c,v 1.34 2006/11/24 13:52:14 reyk Exp $ */
/*
* The author of this code is Angelos D. Keromytis (angelos@cis.upenn.edu)
*
@@ -20,6 +20,8 @@
* PURPOSE.
*/
+#include "pf.h"
+
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/mbuf.h>
@@ -29,6 +31,10 @@
#include <net/if.h>
#include <net/route.h>
+#if NPF > 0
+#include <net/pfvar.h>
+#endif
+
#ifdef INET
#include <netinet/in.h>
#include <netinet/in_systm.h>
@@ -428,6 +434,12 @@ ipsp_process_done(struct mbuf *m, struct tdb *tdb)
return ipsp_process_packet(m, tdb->tdb_onext,
tdb->tdb_dst.sa.sa_family, 0);
+#if NPF > 0
+ /* Add pf tag if requested. */
+ if (pf_tag_packet(m, NULL, tdb->tdb_tag, -1))
+ DPRINTF(("failed to tag ipsec packet\n"));
+#endif
+
/*
* We're done with IPsec processing, transmit the packet using the
* appropriate network protocol (IP or IPv6). SPD lookup will be