ipsecmod.c revision 356345 
1/*
2 * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module
3 *
4 * Copyright (c) 2017, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file contains a module that facilitates opportunistic IPsec. It does so
40 * by also quering for the IPSECKEY for A/AAAA queries and calling a
41 * configurable hook (eg. signaling an IKE daemon) before replying.
42 */
43
44#include "config.h"
45#ifdef USE_IPSECMOD
46#include "ipsecmod/ipsecmod.h"
47#include "ipsecmod/ipsecmod-whitelist.h"
48#include "util/fptr_wlist.h"
49#include "util/regional.h"
50#include "util/net_help.h"
51#include "util/config_file.h"
52#include "services/cache/dns.h"
53#include "sldns/wire2str.h"
54
55/** Apply configuration to ipsecmod module 'global' state. */
56static int
57ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg)
58{
59	if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) {
60		log_err("ipsecmod: missing ipsecmod-hook.");
61		return 0;
62	}
63	if(cfg->ipsecmod_whitelist &&
64		!ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg))
65		return 0;
66	return 1;
67}
68
69int
70ipsecmod_init(struct module_env* env, int id)
71{
72	struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1,
73		sizeof(struct ipsecmod_env));
74	if(!ipsecmod_env) {
75		log_err("malloc failure");
76		return 0;
77	}
78	env->modinfo[id] = (void*)ipsecmod_env;
79	ipsecmod_env->whitelist = NULL;
80	if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) {
81		log_err("ipsecmod: could not apply configuration settings.");
82		return 0;
83	}
84	return 1;
85}
86
87void
88ipsecmod_deinit(struct module_env* env, int id)
89{
90	struct ipsecmod_env* ipsecmod_env;
91	if(!env || !env->modinfo[id])
92		return;
93	ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id];
94	/* Free contents. */
95	ipsecmod_whitelist_delete(ipsecmod_env->whitelist);
96	free(ipsecmod_env);
97	env->modinfo[id] = NULL;
98}
99
100/** New query for ipsecmod. */
101static int
102ipsecmod_new(struct module_qstate* qstate, int id)
103{
104	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc(
105		qstate->region, sizeof(struct ipsecmod_qstate));
106	qstate->minfo[id] = iq;
107	if(!iq)
108		return 0;
109	/* Initialise it. */
110	memset(iq, 0, sizeof(*iq));
111	iq->enabled = qstate->env->cfg->ipsecmod_enabled;
112	iq->is_whitelisted = ipsecmod_domain_is_whitelisted(
113		(struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname,
114		qstate->qinfo.qname_len, qstate->qinfo.qclass);
115	return 1;
116}
117
118/**
119 * Exit module with an error status.
120 * @param qstate: query state
121 * @param id: module id.
122 */
123static void
124ipsecmod_error(struct module_qstate* qstate, int id)
125{
126	qstate->ext_state[id] = module_error;
127	qstate->return_rcode = LDNS_RCODE_SERVFAIL;
128}
129
130/**
131 * Generate a request for the IPSECKEY.
132 *
133 * @param qstate: query state that is the parent.
134 * @param id: module id.
135 * @param name: what name to query for.
136 * @param namelen: length of name.
137 * @param qtype: query type.
138 * @param qclass: query class.
139 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0.
140 * @return false on alloc failure.
141 */
142static int
143generate_request(struct module_qstate* qstate, int id, uint8_t* name,
144	size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags)
145{
146	struct module_qstate* newq;
147	struct query_info ask;
148	ask.qname = name;
149	ask.qname_len = namelen;
150	ask.qtype = qtype;
151	ask.qclass = qclass;
152	ask.local_alias = NULL;
153	log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask);
154	fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub));
155	if(!(*qstate->env->attach_sub)(qstate, &ask,
156		(uint16_t)(BIT_RD|flags), 0, 0, &newq)){
157		log_err("Could not generate request: out of memory");
158		return 0;
159	}
160	qstate->ext_state[id] = module_wait_subquery;
161	return 1;
162}
163
164/**
165 * Check if the string passed is a valid domain name with safe characters to
166 * pass to a shell.
167 * This will only allow:
168 *  - digits
169 *  - alphas
170 *  - hyphen (not at the start)
171 *  - dot (not at the start, or the only character)
172 *  - underscore
173 * @param s: pointer to the string.
174 * @param slen: string's length.
175 * @return true if s only contains safe characters; false otherwise.
176 */
177static int
178domainname_has_safe_characters(char* s, size_t slen) {
179	size_t i;
180	for(i = 0; i < slen; i++) {
181		if(s[i] == '\0') return 1;
182		if((s[i] == '-' && i != 0)
183			|| (s[i] == '.' && (i != 0 || s[1] == '\0'))
184			|| (s[i] == '_') || (s[i] >= '0' && s[i] <= '9')
185			|| (s[i] >= 'A' && s[i] <= 'Z')
186			|| (s[i] >= 'a' && s[i] <= 'z')) {
187			continue;
188		}
189		return 0;
190	}
191	return 1;
192}
193
194/**
195 * Check if the stringified IPSECKEY RDATA contains safe characters to pass to
196 * a shell.
197 * This is only relevant for checking the gateway when the gateway type is 3
198 * (domainname).
199 * @param s: pointer to the string.
200 * @param slen: string's length.
201 * @return true if s contains only safe characters; false otherwise.
202 */
203static int
204ipseckey_has_safe_characters(char* s, size_t slen) {
205	int precedence, gateway_type, algorithm;
206	char* gateway;
207	gateway = (char*)calloc(slen, sizeof(char));
208	if(!gateway) {
209		log_err("ipsecmod: out of memory when calling the hook");
210		return 0;
211	}
212	if(sscanf(s, "%d %d %d %s ",
213			&precedence, &gateway_type, &algorithm, gateway) != 4) {
214		free(gateway);
215		return 0;
216	}
217	if(gateway_type != 3) {
218		free(gateway);
219		return 1;
220	}
221	if(domainname_has_safe_characters(gateway, slen)) {
222		free(gateway);
223		return 1;
224	}
225	free(gateway);
226	return 0;
227}
228
229/**
230 *  Prepare the data and call the hook.
231 *
232 *  @param qstate: query state.
233 *  @param iq: ipsecmod qstate.
234 *  @param ie: ipsecmod environment.
235 *  @return true on success, false otherwise.
236 */
237static int
238call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq,
239	struct ipsecmod_env* ATTR_UNUSED(ie))
240{
241	size_t slen, tempdata_len, tempstring_len, i;
242	char str[65535], *s, *tempstring;
243	int w = 0, w_temp, qtype;
244	struct ub_packed_rrset_key* rrset_key;
245	struct packed_rrset_data* rrset_data;
246	uint8_t *tempdata;
247
248	/* Check if a shell is available */
249	if(system(NULL) == 0) {
250		log_err("ipsecmod: no shell available for ipsecmod-hook");
251		return 0;
252	}
253
254	/* Zero the buffer. */
255	s = str;
256	slen = sizeof(str);
257	memset(s, 0, slen);
258
259	/* Copy the hook into the buffer. */
260	w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook);
261	/* Put space into the buffer. */
262	w += sldns_str_print(&s, &slen, " ");
263	/* Copy the qname into the buffer. */
264	tempstring = sldns_wire2str_dname(qstate->qinfo.qname,
265		qstate->qinfo.qname_len);
266	if(!tempstring) {
267		log_err("ipsecmod: out of memory when calling the hook");
268		return 0;
269	}
270	if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) {
271		log_err("ipsecmod: qname has unsafe characters");
272		free(tempstring);
273		return 0;
274	}
275	w += sldns_str_print(&s, &slen, "\"%s\"", tempstring);
276	free(tempstring);
277	/* Put space into the buffer. */
278	w += sldns_str_print(&s, &slen, " ");
279	/* Copy the IPSECKEY TTL into the buffer. */
280	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
281	w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl);
282	/* Put space into the buffer. */
283	w += sldns_str_print(&s, &slen, " ");
284	rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
285		qstate->return_msg->rep);
286	/* Double check that the records are indeed A/AAAA.
287	 * This should never happen as this function is only executed for A/AAAA
288	 * queries but make sure we don't pass anything other than A/AAAA to the
289	 * shell. */
290	qtype = ntohs(rrset_key->rk.type);
291	if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) {
292		log_err("ipsecmod: Answer is not of A or AAAA type");
293		return 0;
294	}
295	rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
296	/* Copy the A/AAAA record(s) into the buffer. Start and end this section
297	 * with a double quote. */
298	w += sldns_str_print(&s, &slen, "\"");
299	for(i=0; i<rrset_data->count; i++) {
300		if(i > 0) {
301			/* Put space into the buffer. */
302			w += sldns_str_print(&s, &slen, " ");
303		}
304		/* Ignore the first two bytes, they are the rr_data len. */
305		w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2,
306			rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype);
307		if(w_temp < 0) {
308			/* Error in printout. */
309			log_err("ipsecmod: Error in printing IP address");
310			return 0;
311		} else if((size_t)w_temp >= slen) {
312			s = NULL; /* We do not want str to point outside of buffer. */
313			slen = 0;
314			log_err("ipsecmod: shell command too long");
315			return 0;
316		} else {
317			s += w_temp;
318			slen -= w_temp;
319			w += w_temp;
320		}
321	}
322	w += sldns_str_print(&s, &slen, "\"");
323	/* Put space into the buffer. */
324	w += sldns_str_print(&s, &slen, " ");
325	/* Copy the IPSECKEY record(s) into the buffer. Start and end this section
326	 * with a double quote. */
327	w += sldns_str_print(&s, &slen, "\"");
328	rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
329	for(i=0; i<rrset_data->count; i++) {
330		if(i > 0) {
331			/* Put space into the buffer. */
332			w += sldns_str_print(&s, &slen, " ");
333		}
334		/* Ignore the first two bytes, they are the rr_data len. */
335		tempdata = rrset_data->rr_data[i] + 2;
336		tempdata_len = rrset_data->rr_len[i] - 2;
337		/* Save the buffer pointers. */
338		tempstring = s; tempstring_len = slen;
339		w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s,
340			&slen, NULL, 0, NULL);
341		/* There was an error when parsing the IPSECKEY; reset the buffer
342		 * pointers to their previous values. */
343		if(w_temp == -1) {
344			s = tempstring; slen = tempstring_len;
345		} else if(w_temp > 0) {
346			if(!ipseckey_has_safe_characters(
347					tempstring, tempstring_len - slen)) {
348				log_err("ipsecmod: ipseckey has unsafe characters");
349				return 0;
350			}
351			w += w_temp;
352		}
353	}
354	w += sldns_str_print(&s, &slen, "\"");
355	if(w >= (int)sizeof(str)) {
356		log_err("ipsecmod: shell command too long");
357		return 0;
358	}
359	verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str);
360	/* ipsecmod-hook should return 0 on success. */
361	if(system(str) != 0)
362		return 0;
363	return 1;
364}
365
366/**
367 * Handle an ipsecmod module event with a query
368 * @param qstate: query state (from the mesh), passed between modules.
369 * 	contains qstate->env module environment with global caches and so on.
370 * @param iq: query state specific for this module.  per-query.
371 * @param ie: environment specific for this module.  global.
372 * @param id: module id.
373 */
374static void
375ipsecmod_handle_query(struct module_qstate* qstate,
376	struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id)
377{
378	struct ub_packed_rrset_key* rrset_key;
379	struct packed_rrset_data* rrset_data;
380	size_t i;
381	/* Pass to next module if we are not enabled and whitelisted. */
382	if(!(iq->enabled && iq->is_whitelisted)) {
383		qstate->ext_state[id] = module_wait_module;
384		return;
385	}
386	/* New query, check if the query is for an A/AAAA record and disable
387	 * caching for other modules. */
388	if(!iq->ipseckey_done) {
389		if(qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
390			qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) {
391			char type[16];
392			sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
393				sizeof(type));
394			verbose(VERB_ALGO, "ipsecmod: query for %s; engaging",
395				type);
396			qstate->no_cache_store = 1;
397		}
398		/* Pass request to next module. */
399		qstate->ext_state[id] = module_wait_module;
400		return;
401	}
402	/* IPSECKEY subquery is finished. */
403	/* We have an IPSECKEY answer. */
404	if(iq->ipseckey_rrset) {
405		rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data;
406		if(rrset_data) {
407			/* If bogus return SERVFAIL. */
408			if(!qstate->env->cfg->ipsecmod_ignore_bogus &&
409				rrset_data->security == sec_status_bogus) {
410				log_err("ipsecmod: bogus IPSECKEY");
411				ipsecmod_error(qstate, id);
412				return;
413			}
414			/* We have a valid IPSECKEY reply, call hook. */
415			if(!call_hook(qstate, iq, ie) &&
416				qstate->env->cfg->ipsecmod_strict) {
417				log_err("ipsecmod: ipsecmod-hook failed");
418				ipsecmod_error(qstate, id);
419				return;
420			}
421			/* Make sure the A/AAAA's TTL is equal/less than the
422			 * ipsecmod_max_ttl. */
423			rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo,
424				qstate->return_msg->rep);
425			rrset_data = (struct packed_rrset_data*)rrset_key->entry.data;
426			if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
427				/* Update TTL for rrset to fixed value. */
428				rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl;
429				for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++)
430					rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl;
431				/* Also update reply_info's TTL */
432				if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) {
433					qstate->return_msg->rep->ttl =
434						qstate->env->cfg->ipsecmod_max_ttl;
435					qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(
436						qstate->return_msg->rep->ttl);
437					qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl +
438						qstate->env->cfg->serve_expired_ttl;
439				}
440			}
441		}
442	}
443	/* Store A/AAAA in cache. */
444	if(!dns_cache_store(qstate->env, &qstate->qinfo,
445		qstate->return_msg->rep, 0, qstate->prefetch_leeway,
446		0, qstate->region, qstate->query_flags)) {
447		log_err("ipsecmod: out of memory caching record");
448	}
449	qstate->ext_state[id] = module_finished;
450}
451
452/**
453 * Handle an ipsecmod module event with a response from the iterator.
454 * @param qstate: query state (from the mesh), passed between modules.
455 * 	contains qstate->env module environment with global caches and so on.
456 * @param iq: query state specific for this module.  per-query.
457 * @param ie: environment specific for this module.  global.
458 * @param id: module id.
459 */
460static void
461ipsecmod_handle_response(struct module_qstate* qstate,
462	struct ipsecmod_qstate* ATTR_UNUSED(iq),
463	struct ipsecmod_env* ATTR_UNUSED(ie), int id)
464{
465	/* Pass to previous module if we are not enabled and whitelisted. */
466	if(!(iq->enabled && iq->is_whitelisted)) {
467		qstate->ext_state[id] = module_finished;
468		return;
469	}
470	/* check if the response is for an A/AAAA query. */
471	if((qstate->qinfo.qtype == LDNS_RR_TYPE_A ||
472		qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) &&
473		/* check that we had an answer for the A/AAAA query. */
474		qstate->return_msg &&
475		reply_find_answer_rrset(&qstate->return_msg->qinfo,
476		qstate->return_msg->rep) &&
477		/* check that another module didn't SERVFAIL. */
478		qstate->return_rcode == LDNS_RCODE_NOERROR) {
479		char type[16];
480		sldns_wire2str_type_buf(qstate->qinfo.qtype, type,
481			sizeof(type));
482		verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY "
483			"subquery", type);
484		/* generate an IPSECKEY query. */
485		if(!generate_request(qstate, id, qstate->qinfo.qname,
486			qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY,
487			qstate->qinfo.qclass, 0)) {
488			log_err("ipsecmod: could not generate subquery.");
489			ipsecmod_error(qstate, id);
490		}
491		return;
492	}
493	/* we are done with the query. */
494	qstate->ext_state[id] = module_finished;
495}
496
497void
498ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id,
499	struct outbound_entry* outbound)
500{
501	struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id];
502	struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id];
503	verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s",
504		id, strextstate(qstate->ext_state[id]), strmodulevent(event));
505	if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query",
506		&qstate->qinfo);
507
508	/* create ipsecmod_qstate. */
509	if((event == module_event_new || event == module_event_pass) &&
510		iq == NULL) {
511		if(!ipsecmod_new(qstate, id)) {
512			ipsecmod_error(qstate, id);
513			return;
514		}
515		iq = (struct ipsecmod_qstate*)qstate->minfo[id];
516	}
517	if(iq && (event == module_event_pass || event == module_event_new)) {
518		ipsecmod_handle_query(qstate, iq, ie, id);
519		return;
520	}
521	if(iq && (event == module_event_moddone)) {
522		ipsecmod_handle_response(qstate, iq, ie, id);
523		return;
524	}
525	if(iq && outbound) {
526		/* cachedb does not need to process responses at this time
527		 * ignore it.
528		cachedb_process_response(qstate, iq, ie, id, outbound, event);
529		*/
530		return;
531	}
532	if(event == module_event_error) {
533		verbose(VERB_ALGO, "got called with event error, giving up");
534		ipsecmod_error(qstate, id);
535		return;
536	}
537	if(!iq && (event == module_event_moddone)) {
538		/* during priming, module done but we never started. */
539		qstate->ext_state[id] = module_finished;
540		return;
541	}
542
543	log_err("ipsecmod: bad event %s", strmodulevent(event));
544	ipsecmod_error(qstate, id);
545	return;
546}
547
548void
549ipsecmod_inform_super(struct module_qstate* qstate, int id,
550	struct module_qstate* super)
551{
552	struct ipsecmod_qstate* siq;
553	log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is",
554		&qstate->qinfo);
555	log_query_info(VERB_ALGO, "super is", &super->qinfo);
556	siq = (struct ipsecmod_qstate*)super->minfo[id];
557	if(!siq) {
558		verbose(VERB_ALGO, "super has no ipsecmod state");
559		return;
560	}
561
562	if(qstate->return_msg) {
563		struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset(
564			&qstate->return_msg->qinfo, qstate->return_msg->rep);
565		if(rrset_key) {
566			/* We have an answer. */
567			/* Copy to super's region. */
568			rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0);
569			siq->ipseckey_rrset = rrset_key;
570			if(!rrset_key) {
571				log_err("ipsecmod: out of memory.");
572			}
573		}
574	}
575	/* Notify super to proceed. */
576	siq->ipseckey_done = 1;
577}
578
579void
580ipsecmod_clear(struct module_qstate* qstate, int id)
581{
582	if(!qstate)
583		return;
584	qstate->minfo[id] = NULL;
585}
586
587size_t
588ipsecmod_get_mem(struct module_env* env, int id)
589{
590	struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id];
591	if(!ie)
592		return 0;
593	return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist);
594}
595
596/**
597 * The ipsecmod function block
598 */
599static struct module_func_block ipsecmod_block = {
600	"ipsecmod",
601	&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
602	&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
603};
604
605struct module_func_block*
606ipsecmod_get_funcblock(void)
607{
608	return &ipsecmod_block;
609}
610#endif /* USE_IPSECMOD */
611