authorMartin Pieuchot <mpi@cvs.openbsd.org>2017-11-14 09:30:18 +0000
committerMartin Pieuchot <mpi@cvs.openbsd.org>2017-11-14 09:30:18 +0000
commit2acc3d930b7449907f7fa74e75dfaa7627c64472 (patch)
tree045f889ac2e5eb59ef189514f53e160caff01c10 /sys/netinet
parentd86f93537428e67ef17441d5f7088d69fd086694 (diff)
Introduce ipsec_sysctl() and move IPsec tunables where they belong.
ok bluhm@, visa@
Diffstat (limited to 'sys/netinet')
-rw-r--r--sys/netinet/in.h26
-rw-r--r--sys/netinet/ip_input.c55
-rw-r--r--sys/netinet/ip_ipsp.h48
-rw-r--r--sys/netinet/ipsec_input.c63
4 files changed, 139 insertions, 53 deletions
diff --git a/sys/netinet/in.h b/sys/netinet/in.h
index 3bc34d8d7e7..46fb591c1d6 100644
--- a/sys/netinet/in.h
+++ b/sys/netinet/in.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: in.h,v 1.125 2017/10/06 21:14:55 bluhm Exp $ */
+/* $OpenBSD: in.h,v 1.126 2017/11/14 09:30:17 mpi Exp $ */
/* $NetBSD: in.h,v 1.20 1996/02/13 23:41:47 christos Exp $ */
/*
@@ -745,19 +745,19 @@ struct ip_mreq {
&ipport_hifirstauto, \
&ipport_hilastauto, \
&ip_maxqueue, \
- &encdebug, \
+ NULL /* encdebug */, \
NULL, \
- &ipsec_expire_acquire, \
- &ipsec_keep_invalid, \
- &ipsec_require_pfs, \
- &ipsec_soft_allocations, \
- &ipsec_exp_allocations, \
- &ipsec_soft_bytes, \
- &ipsec_exp_bytes, \
- &ipsec_exp_timeout, \
- &ipsec_soft_timeout, \
- &ipsec_soft_first_use, \
- &ipsec_exp_first_use, \
+ NULL /* ipsec_expire_acquire */, \
+ NULL /* ipsec_keep_invalid */, \
+ NULL /* ipsec_require_pfs */, \
+ NULL /* ipsec_soft_allocations */, \
+ NULL /* ipsec_exp_allocations */, \
+ NULL /* ipsec_soft_bytes */, \
+ NULL /* ipsec_exp_bytes */, \
+ NULL /* ipsec_exp_timeout */, \
+ NULL /* ipsec_soft_timeout */, \
+ NULL /* ipsec_soft_first_use */, \
+ NULL /* ipsec_exp_first_use */, \
NULL, \
NULL, \
NULL, \
diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c
index 238ab79df32..7be0c7d0c54 100644
--- a/sys/netinet/ip_input.c
+++ b/sys/netinet/ip_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_input.c,v 1.331 2017/11/10 08:55:49 mpi Exp $ */
+/* $OpenBSD: ip_input.c,v 1.332 2017/11/14 09:30:17 mpi Exp $ */
/* $NetBSD: ip_input.c,v 1.30 1996/03/16 23:53:58 christos Exp $ */
/*
@@ -84,22 +84,6 @@
#include <netinet/ip_carp.h>
#endif
-int encdebug = 0;
-int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
-int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
-int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
-int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
-int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
-int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
-int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
-int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
-int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
-int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
-int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
-char ipsec_def_enc[20];
-char ipsec_def_auth[20];
-char ipsec_def_comp[20];
-
/* values controllable via sysctl */
int ipforwarding = 0;
int ipmforwarding = 0;
@@ -211,10 +195,6 @@ ip_init(void)
for (i = 0; defrootonlyports_udp[i] != 0; i++)
DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
- strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
- strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
- strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
-
mq_init(&ipsend_mq, 64, IPL_SOFTNET);
#ifdef IPSEC
@@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
ip_mtudisc_timeout);
NET_UNLOCK();
return (error);
+#ifdef IPSEC
+ case IPCTL_ENCDEBUG:
+ case IPCTL_IPSEC_EXPIRE_ACQUIRE:
+ case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
+ case IPCTL_IPSEC_REQUIRE_PFS:
+ case IPCTL_IPSEC_SOFT_ALLOCATIONS:
+ case IPCTL_IPSEC_ALLOCATIONS:
+ case IPCTL_IPSEC_SOFT_BYTES:
+ case IPCTL_IPSEC_BYTES:
+ case IPCTL_IPSEC_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_FIRSTUSE:
+ case IPCTL_IPSEC_FIRSTUSE:
case IPCTL_IPSEC_ENC_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_enc, sizeof(ipsec_def_enc));
- NET_UNLOCK();
- return (error);
case IPCTL_IPSEC_AUTH_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_auth,
- sizeof(ipsec_def_auth));
- NET_UNLOCK();
- return (error);
case IPCTL_IPSEC_IPCOMP_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
- ipsec_def_comp,
- sizeof(ipsec_def_comp));
- NET_UNLOCK();
- return (error);
+ return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
+ newlen));
+#endif
case IPCTL_IFQUEUE:
return (sysctl_niq(name + 1, namelen - 1,
oldp, oldlenp, newp, newlen, &ipintrq));
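Review bot: The new `#ifdef IPSEC` case stack in ip_sysctl() carries no comment saying why twelve integer tunables and three string tunables are grouped into a single `ipsec_sysctl()` call, and a reader of this switch has no pointer to where those knobs now live. A one-line comment above the `#ifdef IPSEC` line would do: `/* IPsec tunables are owned by ipsec_input.c; see ipsec_sysctl(). */`. When IPSEC is not compiled in, these IPCTL_* values presumably fall to the switch's default branch and the in.h IPCTL_VARS table, whose IPsec slots this commit sets to NULL; that behaviour is not visible in this hunk, so I cannot confirm what error the caller sees. ip_sysctl() starts before the hunk and continues after it.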
diff --git a/sys/netinet/ip_ipsp.h b/sys/netinet/ip_ipsp.h
index e60cd229525..e617ff5446e 100644
--- a/sys/netinet/ip_ipsp.h
+++ b/sys/netinet/ip_ipsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ip_ipsp.h,v 1.186 2017/11/08 16:29:20 visa Exp $ */
+/* $OpenBSD: ip_ipsp.h,v 1.187 2017/11/14 09:30:17 mpi Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr),
@@ -424,6 +424,51 @@ extern int ipsec_exp_timeout; /* seconds/SA before it expires */
extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */
extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */
+/*
+ * Names for IPsec sysctl objects
+ */
+#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */
+#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */
+#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
+#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */
+#define IPSEC_SOFT_ALLOCATIONS IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */
+#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */
+#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */
+#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */
+#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */
+#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */
+#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */
+#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */
+#define IPSEC_MAXID 25
+
+#define IPSECCTL_VARS { \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ &encdebug, \
+ NULL, \
+ &ipsec_expire_acquire, \
+ &ipsec_keep_invalid, \
+ &ipsec_require_pfs, \
+ &ipsec_soft_allocations, \
+ &ipsec_exp_allocations, \
+ &ipsec_soft_bytes, \
+ &ipsec_exp_bytes, \
+ &ipsec_exp_timeout, \
+ &ipsec_soft_timeout, \
+ &ipsec_soft_first_use, \
+ &ipsec_exp_first_use, \
+}
+
extern char ipsec_def_enc[];
extern char ipsec_def_auth[];
extern char ipsec_def_comp[];
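Review bot: IPSECCTL_VARS binds each tunable to its sysctl id purely by position, with twelve leading NULLs and a NULL hole between `&encdebug` and `&ipsec_expire_acquire`, while the only statement of which index is which is the `/* 12 */` … `/* 24 */` comments on the IPSEC_* defines above. Counting the entries I get the same layout as the comments, but an off-by-one in a later edit would silently wire a sysctl name to the wrong variable (for example a write meant for the soft byte limit landing on the hard one) without any compiler diagnostic. Designated initializers, which this C99 kernel code base already permits, make the binding explicit, drop the positional NULL padding and keep unlisted slots NULL; the rewrite below replaces the body of the macro only, and the `int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;` definition in ipsec_input.c is unchanged.
```c
/* … unchanged: IPSEC_* name defines and IPSEC_MAXID … */
#define IPSECCTL_VARS { \
	[IPSEC_ENCDEBUG] = &encdebug, \
	[IPSEC_EXPIRE_ACQUIRE] = &ipsec_expire_acquire, \
	[IPSEC_EMBRYONIC_SA_TIMEOUT] = &ipsec_keep_invalid, \
	[IPSEC_REQUIRE_PFS] = &ipsec_require_pfs, \
	[IPSEC_SOFT_ALLOCATIONS] = &ipsec_soft_allocations, \
	[IPSEC_ALLOCATIONS] = &ipsec_exp_allocations, \
	[IPSEC_SOFT_BYTES] = &ipsec_soft_bytes, \
	[IPSEC_BYTES] = &ipsec_exp_bytes, \
	[IPSEC_TIMEOUT] = &ipsec_exp_timeout, \
	[IPSEC_SOFT_TIMEOUT] = &ipsec_soft_timeout, \
	[IPSEC_SOFT_FIRSTUSE] = &ipsec_soft_first_use, \
	[IPSEC_FIRSTUSE] = &ipsec_exp_first_use, \
}
```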
@@ -549,6 +594,7 @@ struct ipsec_ids *ipsp_ids_lookup(u_int32_t);
void ipsp_ids_free(struct ipsec_ids *);
void ipsec_init(void);
+int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
int ipsec_common_input(struct mbuf *, int, int, int, int, int);
void ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
int ipsec_delete_policy(struct ipsec_policy *);
diff --git a/sys/netinet/ipsec_input.c b/sys/netinet/ipsec_input.c
index 0596f3b1138..31aff573f73 100644
--- a/sys/netinet/ipsec_input.c
+++ b/sys/netinet/ipsec_input.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec_input.c,v 1.159 2017/11/08 16:29:20 visa Exp $ */
+/* $OpenBSD: ipsec_input.c,v 1.160 2017/11/14 09:30:17 mpi Exp $ */
/*
* The authors of this code are John Ioannidis (ji@tla.org),
* Angelos D. Keromytis (kermit@csd.uch.gr) and
@@ -88,6 +88,19 @@ void ipsec_common_ctlinput(u_int, int, struct sockaddr *, void *, int);
#endif
/* sysctl variables */
+int encdebug = 0;
+int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
+int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
+int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
+int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
+int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
+int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
+int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
+int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
+int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
+int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
+int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
+
int esp_enable = 1;
int ah_enable = 1;
int ipcomp_enable = 0;
@@ -100,6 +113,12 @@ struct cpumem *espcounters;
struct cpumem *ahcounters;
struct cpumem *ipcompcounters;
+char ipsec_def_enc[20];
+char ipsec_def_auth[20];
+char ipsec_def_comp[20];
+
+int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;
+
int esp_sysctl_espstat(void *, size_t *, void *);
int ah_sysctl_ahstat(void *, size_t *, void *);
int ipcomp_sysctl_ipcompstat(void *, size_t *, void *);
@@ -110,6 +129,11 @@ ipsec_init(void)
espcounters = counters_alloc(esps_ncounters);
ahcounters = counters_alloc(ahs_ncounters);
ipcompcounters = counters_alloc(ipcomps_ncounters);
+
+ strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
+ strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
+ strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
+
}
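Review bot: The three strlcpy() lines added to ipsec_init() are followed by an added blank line directly before the closing brace, which is not the file's style for the end of a function body; drop the empty line after the `ipsec_def_comp` strlcpy so the body ends with the last statement. ipsec_init() starts before this hunk.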
/*
@@ -612,6 +636,43 @@ ipsec_common_input_cb(struct mbuf *m, struct tdb *tdbp, int skip, int protoff)
}
int
+ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
+ size_t newlen)
+{
+ int error;
+
+ switch (name[0]) {
+ case IPCTL_IPSEC_ENC_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+ ipsec_def_enc, sizeof(ipsec_def_enc));
+ NET_UNLOCK();
+ return (error);
+ case IPCTL_IPSEC_AUTH_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+ ipsec_def_auth, sizeof(ipsec_def_auth));
+ NET_UNLOCK();
+ return (error);
+ case IPCTL_IPSEC_IPCOMP_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+ ipsec_def_comp, sizeof(ipsec_def_comp));
+ NET_UNLOCK();
+ return (error);
+ default:
+ if (name[0] < IPSEC_MAXID) {
+ NET_LOCK();
+ error = sysctl_int_arr(ipsecctl_vars, name, namelen,
+ oldp, oldlenp, newp, newlen);
+ NET_UNLOCK();
+ return (error);
+ }
+ return (EOPNOTSUPP);
+ }
+}
+
+int
esp_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
size_t newlen)
{
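Review bot: The `default` branch of ipsec_sysctl() guards the table lookup with `name[0] < IPSEC_MAXID` only; `name[0]` is a signed int, so a negative id passes this test and is handed to sysctl_int_arr(), and whether that helper rejects a negative index is not visible on this page. Since ipsec_sysctl() is now an exported entry point rather than a private branch of ip_sysctl(), the bound should be self-contained: `if (name[0] >= 0 && name[0] < IPSEC_MAXID) {`. The function also has no header comment; a two-line one stating that it services the IPsec subtree of net.inet.ip, returning EOPNOTSUPP for ids it does not own and taking NET_LOCK() around each sysctl helper, would tell the next reader why the three string cases cannot be folded into the table. esp_sysctl() begins at the end of this hunk and continues outside it.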