1/*- 2 * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 25 * 26 * $FreeBSD$ 27 */ 28 29#ifndef _NETIPSEC_IPSEC_SUPPORT_H_ 30#define _NETIPSEC_IPSEC_SUPPORT_H_ 31 32#ifdef _KERNEL 33#if defined(IPSEC) || defined(IPSEC_SUPPORT) 34struct mbuf; 35struct inpcb; 36struct tcphdr; 37struct sockopt; 38struct sockaddr; 39struct ipsec_support; 40struct tcpmd5_support; 41 42size_t ipsec_hdrsiz_inpcb(struct inpcb *); 43int ipsec_init_pcbpolicy(struct inpcb *); 44int ipsec_delete_pcbpolicy(struct inpcb *); 45int ipsec_copy_pcbpolicy(struct inpcb *, struct inpcb *); 46 47struct ipsec_methods { 48 int (*input)(struct mbuf *, int, int); 49 int (*check_policy)(const struct mbuf *, struct inpcb *); 50 int (*forward)(struct mbuf *); 51 int (*output)(struct mbuf *, struct inpcb *); 52 int (*pcbctl)(struct inpcb *, struct sockopt *); 53 size_t (*hdrsize)(struct inpcb *); 54 int (*capability)(struct mbuf *, u_int); 55 int (*ctlinput)(int, struct sockaddr *, void *); 56 57 int (*udp_input)(struct mbuf *, int, int); 58 int (*udp_pcbctl)(struct inpcb *, struct sockopt *); 59}; 60#define IPSEC_CAP_OPERABLE 1 61#define IPSEC_CAP_BYPASS_FILTER 2 62 63struct tcpmd5_methods { 64 int (*input)(struct mbuf *, struct tcphdr *, u_char *); 65 int (*output)(struct mbuf *, struct tcphdr *, u_char *); 66 int (*pcbctl)(struct inpcb *, struct sockopt *); 67}; 68 69#define IPSEC_MODULE_ENABLED 0x0001 70#define IPSEC_ENABLED(proto) \ 71 ((proto ## _ipsec_support)->enabled & IPSEC_MODULE_ENABLED) 72#define TCPMD5_ENABLED() IPSEC_ENABLED(tcp) 73 74#ifdef TCP_SIGNATURE 75/* TCP-MD5 build in the kernel */ 76struct tcpmd5_support { 77 const u_int enabled; 78 const struct tcpmd5_methods * const methods; 79}; 80extern const struct tcpmd5_support * const tcp_ipsec_support; 81 82#define TCPMD5_INPUT(m, ...) \ 83 (*tcp_ipsec_support->methods->input)(m, __VA_ARGS__) 84#define TCPMD5_OUTPUT(m, ...) \ 85 (*tcp_ipsec_support->methods->output)(m, __VA_ARGS__) 86#define TCPMD5_PCBCTL(inp, sopt) \ 87 (*tcp_ipsec_support->methods->pcbctl)(inp, sopt) 88#elif defined(IPSEC_SUPPORT) 89/* TCP-MD5 build as module */ 90struct tcpmd5_support { 91 volatile u_int enabled; 92 const struct tcpmd5_methods * volatile methods; 93}; 94extern struct tcpmd5_support * const tcp_ipsec_support; 95 96void tcpmd5_support_enable(const struct tcpmd5_methods * const); 97void tcpmd5_support_disable(void); 98 99int tcpmd5_kmod_pcbctl(struct tcpmd5_support * const, struct inpcb *, 100 struct sockopt *); 101int tcpmd5_kmod_input(struct tcpmd5_support * const, struct mbuf *, 102 struct tcphdr *, u_char *); 103int tcpmd5_kmod_output(struct tcpmd5_support * const, struct mbuf *, 104 struct tcphdr *, u_char *); 105#define TCPMD5_INPUT(m, ...) \ 106 tcpmd5_kmod_input(tcp_ipsec_support, m, __VA_ARGS__) 107#define TCPMD5_OUTPUT(m, ...) \ 108 tcpmd5_kmod_output(tcp_ipsec_support, m, __VA_ARGS__) 109#define TCPMD5_PCBCTL(inp, sopt) \ 110 tcpmd5_kmod_pcbctl(tcp_ipsec_support, inp, sopt) 111#endif 112 113#endif /* IPSEC || IPSEC_SUPPORT */ 114 115#if defined(IPSEC) 116struct ipsec_support { 117 const u_int enabled; 118 const struct ipsec_methods * const methods; 119}; 120extern const struct ipsec_support * const ipv4_ipsec_support; 121extern const struct ipsec_support * const ipv6_ipsec_support; 122 123#define IPSEC_INPUT(proto, m, ...) \ 124 (*(proto ## _ipsec_support)->methods->input)(m, __VA_ARGS__) 125#define IPSEC_CHECK_POLICY(proto, m, ...) \ 126 (*(proto ## _ipsec_support)->methods->check_policy)(m, __VA_ARGS__) 127#define IPSEC_FORWARD(proto, m) \ 128 (*(proto ## _ipsec_support)->methods->forward)(m) 129#define IPSEC_OUTPUT(proto, m, ...) \ 130 (*(proto ## _ipsec_support)->methods->output)(m, __VA_ARGS__) 131#define IPSEC_PCBCTL(proto, inp, sopt) \ 132 (*(proto ## _ipsec_support)->methods->pcbctl)(inp, sopt) 133#define IPSEC_CAPS(proto, m, ...) \ 134 (*(proto ## _ipsec_support)->methods->capability)(m, __VA_ARGS__) 135#define IPSEC_HDRSIZE(proto, inp) \ 136 (*(proto ## _ipsec_support)->methods->hdrsize)(inp) 137 138#define UDPENCAP_INPUT(m, ...) \ 139 (*ipv4_ipsec_support->methods->udp_input)(m, __VA_ARGS__) 140#define UDPENCAP_PCBCTL(inp, sopt) \ 141 (*ipv4_ipsec_support->methods->udp_pcbctl)(inp, sopt) 142 143#elif defined(IPSEC_SUPPORT) 144struct ipsec_support { 145 volatile u_int enabled; 146 const struct ipsec_methods * volatile methods; 147}; 148extern struct ipsec_support * const ipv4_ipsec_support; 149extern struct ipsec_support * const ipv6_ipsec_support; 150 151void ipsec_support_enable(struct ipsec_support * const, 152 const struct ipsec_methods * const); 153void ipsec_support_disable(struct ipsec_support * const); 154 155int ipsec_kmod_input(struct ipsec_support * const, struct mbuf *, int, int); 156int ipsec_kmod_check_policy(struct ipsec_support * const, struct mbuf *, 157 struct inpcb *); 158int ipsec_kmod_forward(struct ipsec_support * const, struct mbuf *); 159int ipsec_kmod_output(struct ipsec_support * const, struct mbuf *, 160 struct inpcb *); 161int ipsec_kmod_pcbctl(struct ipsec_support * const, struct inpcb *, 162 struct sockopt *); 163int ipsec_kmod_capability(struct ipsec_support * const, struct mbuf *, u_int); 164size_t ipsec_kmod_hdrsize(struct ipsec_support * const, struct inpcb *); 165int ipsec_kmod_udp_input(struct ipsec_support * const, struct mbuf *, int, int); 166int ipsec_kmod_udp_pcbctl(struct ipsec_support * const, struct inpcb *, 167 struct sockopt *); 168 169#define UDPENCAP_INPUT(m, ...) \ 170 ipsec_kmod_udp_input(ipv4_ipsec_support, m, __VA_ARGS__) 171#define UDPENCAP_PCBCTL(inp, sopt) \ 172 ipsec_kmod_udp_pcbctl(ipv4_ipsec_support, inp, sopt) 173 174#define IPSEC_INPUT(proto, ...) \ 175 ipsec_kmod_input(proto ## _ipsec_support, __VA_ARGS__) 176#define IPSEC_CHECK_POLICY(proto, ...) \ 177 ipsec_kmod_check_policy(proto ## _ipsec_support, __VA_ARGS__) 178#define IPSEC_FORWARD(proto, ...) \ 179 ipsec_kmod_forward(proto ## _ipsec_support, __VA_ARGS__) 180#define IPSEC_OUTPUT(proto, ...) \ 181 ipsec_kmod_output(proto ## _ipsec_support, __VA_ARGS__) 182#define IPSEC_PCBCTL(proto, ...) \ 183 ipsec_kmod_pcbctl(proto ## _ipsec_support, __VA_ARGS__) 184#define IPSEC_CAPS(proto, ...) \ 185 ipsec_kmod_capability(proto ## _ipsec_support, __VA_ARGS__) 186#define IPSEC_HDRSIZE(proto, ...) \ 187 ipsec_kmod_hdrsize(proto ## _ipsec_support, __VA_ARGS__) 188#endif /* IPSEC_SUPPORT */ 189#endif /* _KERNEL */ 190#endif /* _NETIPSEC_IPSEC_SUPPORT_H_ */ 191