1/* 2 * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36/** 37 * \file 38 * 39 * This file contains a module that facilitates opportunistic IPsec. It does so 40 * by also querying for the IPSECKEY for A/AAAA queries and calling a 41 * configurable hook (eg. signaling an IKE daemon) before replying. 42 */ 43 44#include "config.h" 45#ifdef USE_IPSECMOD 46#include "ipsecmod/ipsecmod.h" 47#include "ipsecmod/ipsecmod-whitelist.h" 48#include "util/fptr_wlist.h" 49#include "util/regional.h" 50#include "util/net_help.h" 51#include "util/config_file.h" 52#include "services/cache/dns.h" 53#include "sldns/wire2str.h" 54 55/** Apply configuration to ipsecmod module 'global' state. */ 56static int 57ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg) 58{ 59 if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) { 60 log_err("ipsecmod: missing ipsecmod-hook."); 61 return 0; 62 } 63 if(cfg->ipsecmod_whitelist && 64 !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg)) 65 return 0; 66 return 1; 67} 68 69int 70ipsecmod_init(struct module_env* env, int id) 71{ 72 struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1, 73 sizeof(struct ipsecmod_env)); 74 if(!ipsecmod_env) { 75 log_err("malloc failure"); 76 return 0; 77 } 78 env->modinfo[id] = (void*)ipsecmod_env; 79 ipsecmod_env->whitelist = NULL; 80 if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) { 81 log_err("ipsecmod: could not apply configuration settings."); 82 return 0; 83 } 84 return 1; 85} 86 87void 88ipsecmod_deinit(struct module_env* env, int id) 89{ 90 struct ipsecmod_env* ipsecmod_env; 91 if(!env || !env->modinfo[id]) 92 return; 93 ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id]; 94 /* Free contents. */ 95 ipsecmod_whitelist_delete(ipsecmod_env->whitelist); 96 free(ipsecmod_env); 97 env->modinfo[id] = NULL; 98} 99 100/** New query for ipsecmod. */ 101static int 102ipsecmod_new(struct module_qstate* qstate, int id) 103{ 104 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc( 105 qstate->region, sizeof(struct ipsecmod_qstate)); 106 qstate->minfo[id] = iq; 107 if(!iq) 108 return 0; 109 /* Initialise it. */ 110 memset(iq, 0, sizeof(*iq)); 111 iq->enabled = qstate->env->cfg->ipsecmod_enabled; 112 iq->is_whitelisted = ipsecmod_domain_is_whitelisted( 113 (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname, 114 qstate->qinfo.qname_len, qstate->qinfo.qclass); 115 return 1; 116} 117 118/** 119 * Exit module with an error status. 120 * @param qstate: query state 121 * @param id: module id. 122 */ 123static void 124ipsecmod_error(struct module_qstate* qstate, int id) 125{ 126 qstate->ext_state[id] = module_error; 127 qstate->return_rcode = LDNS_RCODE_SERVFAIL; 128} 129 130/** 131 * Generate a request for the IPSECKEY. 132 * 133 * @param qstate: query state that is the parent. 134 * @param id: module id. 135 * @param name: what name to query for. 136 * @param namelen: length of name. 137 * @param qtype: query type. 138 * @param qclass: query class. 139 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 140 * @return false on alloc failure. 141 */ 142static int 143generate_request(struct module_qstate* qstate, int id, uint8_t* name, 144 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags) 145{ 146 struct module_qstate* newq; 147 struct query_info ask; 148 ask.qname = name; 149 ask.qname_len = namelen; 150 ask.qtype = qtype; 151 ask.qclass = qclass; 152 ask.local_alias = NULL; 153 log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask); 154 155 /* Explicitly check for cycle before trying to attach. Will result in 156 * cleaner error message. The attach_sub code also checks for cycle but the 157 * message will be out of memory in both cases then. */ 158 fptr_ok(fptr_whitelist_modenv_detect_cycle(qstate->env->detect_cycle)); 159 if((*qstate->env->detect_cycle)(qstate, &ask, 160 (uint16_t)(BIT_RD|flags), 0, 0)) { 161 verbose(VERB_ALGO, "Could not generate request: cycle detected"); 162 return 0; 163 } 164 165 fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); 166 if(!(*qstate->env->attach_sub)(qstate, &ask, 167 (uint16_t)(BIT_RD|flags), 0, 0, &newq)){ 168 log_err("Could not generate request: out of memory"); 169 return 0; 170 } 171 qstate->ext_state[id] = module_wait_subquery; 172 return 1; 173} 174 175/** 176 * Check if the string passed is a valid domain name with safe characters to 177 * pass to a shell. 178 * This will only allow: 179 * - digits 180 * - alphas 181 * - hyphen (not at the start) 182 * - dot (not at the start, or the only character) 183 * - underscore 184 * @param s: pointer to the string. 185 * @param slen: string's length. 186 * @return true if s only contains safe characters; false otherwise. 187 */ 188static int 189domainname_has_safe_characters(char* s, size_t slen) { 190 size_t i; 191 for(i = 0; i < slen; i++) { 192 if(s[i] == '\0') return 1; 193 if((s[i] == '-' && i != 0) 194 || (s[i] == '.' && (i != 0 || s[1] == '\0')) 195 || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9') 196 || (s[i] >= 'A' && s[i] <= 'Z') 197 || (s[i] >= 'a' && s[i] <= 'z')) { 198 continue; 199 } 200 return 0; 201 } 202 return 1; 203} 204 205/** 206 * Check if the stringified IPSECKEY RDATA contains safe characters to pass to 207 * a shell. 208 * This is only relevant for checking the gateway when the gateway type is 3 209 * (domainname). 210 * @param s: pointer to the string. 211 * @param slen: string's length. 212 * @return true if s contains only safe characters; false otherwise. 213 */ 214static int 215ipseckey_has_safe_characters(char* s, size_t slen) { 216 int precedence, gateway_type, algorithm; 217 char* gateway; 218 gateway = (char*)calloc(slen, sizeof(char)); 219 if(!gateway) { 220 log_err("ipsecmod: out of memory when calling the hook"); 221 return 0; 222 } 223 if(sscanf(s, "%d %d %d %s ", 224 &precedence, &gateway_type, &algorithm, gateway) != 4) { 225 free(gateway); 226 return 0; 227 } 228 if(gateway_type != 3) { 229 free(gateway); 230 return 1; 231 } 232 if(domainname_has_safe_characters(gateway, slen)) { 233 free(gateway); 234 return 1; 235 } 236 free(gateway); 237 return 0; 238} 239 240/** 241 * Prepare the data and call the hook. 242 * 243 * @param qstate: query state. 244 * @param iq: ipsecmod qstate. 245 * @param ie: ipsecmod environment. 246 * @return true on success, false otherwise. 247 */ 248static int 249call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, 250 struct ipsecmod_env* ATTR_UNUSED(ie)) 251{ 252 size_t slen, tempdata_len, tempstring_len, i; 253 char str[65535], *s, *tempstring; 254 int w = 0, w_temp, qtype; 255 struct ub_packed_rrset_key* rrset_key; 256 struct packed_rrset_data* rrset_data; 257 uint8_t *tempdata; 258 259 /* Check if a shell is available */ 260 if(system(NULL) == 0) { 261 log_err("ipsecmod: no shell available for ipsecmod-hook"); 262 return 0; 263 } 264 265 /* Zero the buffer. */ 266 s = str; 267 slen = sizeof(str); 268 memset(s, 0, slen); 269 270 /* Copy the hook into the buffer. */ 271 w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); 272 /* Put space into the buffer. */ 273 w += sldns_str_print(&s, &slen, " "); 274 /* Copy the qname into the buffer. */ 275 tempstring = sldns_wire2str_dname(qstate->qinfo.qname, 276 qstate->qinfo.qname_len); 277 if(!tempstring) { 278 log_err("ipsecmod: out of memory when calling the hook"); 279 return 0; 280 } 281 if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) { 282 log_err("ipsecmod: qname has unsafe characters"); 283 free(tempstring); 284 return 0; 285 } 286 w += sldns_str_print(&s, &slen, "\"%s\"", tempstring); 287 free(tempstring); 288 /* Put space into the buffer. */ 289 w += sldns_str_print(&s, &slen, " "); 290 /* Copy the IPSECKEY TTL into the buffer. */ 291 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 292 w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); 293 /* Put space into the buffer. */ 294 w += sldns_str_print(&s, &slen, " "); 295 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 296 qstate->return_msg->rep); 297 /* Double check that the records are indeed A/AAAA. 298 * This should never happen as this function is only executed for A/AAAA 299 * queries but make sure we don't pass anything other than A/AAAA to the 300 * shell. */ 301 qtype = ntohs(rrset_key->rk.type); 302 if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) { 303 log_err("ipsecmod: Answer is not of A or AAAA type"); 304 return 0; 305 } 306 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 307 /* Copy the A/AAAA record(s) into the buffer. Start and end this section 308 * with a double quote. */ 309 w += sldns_str_print(&s, &slen, "\""); 310 for(i=0; i<rrset_data->count; i++) { 311 if(i > 0) { 312 /* Put space into the buffer. */ 313 w += sldns_str_print(&s, &slen, " "); 314 } 315 /* Ignore the first two bytes, they are the rr_data len. */ 316 w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, 317 rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); 318 if(w_temp < 0) { 319 /* Error in printout. */ 320 log_err("ipsecmod: Error in printing IP address"); 321 return 0; 322 } else if((size_t)w_temp >= slen) { 323 s = NULL; /* We do not want str to point outside of buffer. */ 324 slen = 0; 325 log_err("ipsecmod: shell command too long"); 326 return 0; 327 } else { 328 s += w_temp; 329 slen -= w_temp; 330 w += w_temp; 331 } 332 } 333 w += sldns_str_print(&s, &slen, "\""); 334 /* Put space into the buffer. */ 335 w += sldns_str_print(&s, &slen, " "); 336 /* Copy the IPSECKEY record(s) into the buffer. Start and end this section 337 * with a double quote. */ 338 w += sldns_str_print(&s, &slen, "\""); 339 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 340 for(i=0; i<rrset_data->count; i++) { 341 if(i > 0) { 342 /* Put space into the buffer. */ 343 w += sldns_str_print(&s, &slen, " "); 344 } 345 /* Ignore the first two bytes, they are the rr_data len. */ 346 tempdata = rrset_data->rr_data[i] + 2; 347 tempdata_len = rrset_data->rr_len[i] - 2; 348 /* Save the buffer pointers. */ 349 tempstring = s; tempstring_len = slen; 350 w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, 351 &slen, NULL, 0, NULL); 352 /* There was an error when parsing the IPSECKEY; reset the buffer 353 * pointers to their previous values. */ 354 if(w_temp == -1) { 355 s = tempstring; slen = tempstring_len; 356 } else if(w_temp > 0) { 357 if(!ipseckey_has_safe_characters( 358 tempstring, tempstring_len - slen)) { 359 log_err("ipsecmod: ipseckey has unsafe characters"); 360 return 0; 361 } 362 w += w_temp; 363 } 364 } 365 w += sldns_str_print(&s, &slen, "\""); 366 if(w >= (int)sizeof(str)) { 367 log_err("ipsecmod: shell command too long"); 368 return 0; 369 } 370 verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str); 371 /* ipsecmod-hook should return 0 on success. */ 372 if(system(str) != 0) 373 return 0; 374 return 1; 375} 376 377/** 378 * Handle an ipsecmod module event with a query 379 * @param qstate: query state (from the mesh), passed between modules. 380 * contains qstate->env module environment with global caches and so on. 381 * @param iq: query state specific for this module. per-query. 382 * @param ie: environment specific for this module. global. 383 * @param id: module id. 384 */ 385static void 386ipsecmod_handle_query(struct module_qstate* qstate, 387 struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id) 388{ 389 struct ub_packed_rrset_key* rrset_key; 390 struct packed_rrset_data* rrset_data; 391 size_t i; 392 /* Pass to next module if we are not enabled and whitelisted. */ 393 if(!(iq->enabled && iq->is_whitelisted)) { 394 qstate->ext_state[id] = module_wait_module; 395 return; 396 } 397 /* New query, check if the query is for an A/AAAA record and disable 398 * caching for other modules. */ 399 if(!iq->ipseckey_done) { 400 if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || 401 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) { 402 char type[16]; 403 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 404 sizeof(type)); 405 verbose(VERB_ALGO, "ipsecmod: query for %s; engaging", 406 type); 407 qstate->no_cache_store = 1; 408 } 409 /* Pass request to next module. */ 410 qstate->ext_state[id] = module_wait_module; 411 return; 412 } 413 /* IPSECKEY subquery is finished. */ 414 /* We have an IPSECKEY answer. */ 415 if(iq->ipseckey_rrset) { 416 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 417 if(rrset_data) { 418 /* If bogus return SERVFAIL. */ 419 if(!qstate->env->cfg->ipsecmod_ignore_bogus && 420 rrset_data->security == sec_status_bogus) { 421 log_err("ipsecmod: bogus IPSECKEY"); 422 errinf(qstate, "ipsecmod: bogus IPSECKEY"); 423 ipsecmod_error(qstate, id); 424 return; 425 } 426 /* We have a valid IPSECKEY reply, call hook. */ 427 if(!call_hook(qstate, iq, ie) && 428 qstate->env->cfg->ipsecmod_strict) { 429 log_err("ipsecmod: ipsecmod-hook failed"); 430 errinf(qstate, "ipsecmod: ipsecmod-hook failed"); 431 ipsecmod_error(qstate, id); 432 return; 433 } 434 /* Make sure the A/AAAA's TTL is equal/less than the 435 * ipsecmod_max_ttl. */ 436 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 437 qstate->return_msg->rep); 438 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 439 if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 440 /* Update TTL for rrset to fixed value. */ 441 rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl; 442 for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++) 443 rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl; 444 /* Also update reply_info's TTL */ 445 if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 446 qstate->return_msg->rep->ttl = 447 qstate->env->cfg->ipsecmod_max_ttl; 448 qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC( 449 qstate->return_msg->rep->ttl); 450 qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl + 451 qstate->env->cfg->serve_expired_ttl; 452 } 453 } 454 } 455 } 456 /* Store A/AAAA in cache. */ 457 if(!dns_cache_store(qstate->env, &qstate->qinfo, 458 qstate->return_msg->rep, 0, qstate->prefetch_leeway, 459 0, qstate->region, qstate->query_flags, qstate->qstarttime)) { 460 log_err("ipsecmod: out of memory caching record"); 461 } 462 qstate->ext_state[id] = module_finished; 463} 464 465/** 466 * Handle an ipsecmod module event with a response from the iterator. 467 * @param qstate: query state (from the mesh), passed between modules. 468 * contains qstate->env module environment with global caches and so on. 469 * @param iq: query state specific for this module. per-query. 470 * @param ie: environment specific for this module. global. 471 * @param id: module id. 472 */ 473static void 474ipsecmod_handle_response(struct module_qstate* qstate, 475 struct ipsecmod_qstate* ATTR_UNUSED(iq), 476 struct ipsecmod_env* ATTR_UNUSED(ie), int id) 477{ 478 /* Pass to previous module if we are not enabled and whitelisted. */ 479 if(!(iq->enabled && iq->is_whitelisted)) { 480 qstate->ext_state[id] = module_finished; 481 return; 482 } 483 /* check if the response is for an A/AAAA query. */ 484 if((qstate->qinfo.qtype == LDNS_RR_TYPE_A || 485 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) && 486 /* check that we had an answer for the A/AAAA query. */ 487 qstate->return_msg && 488 reply_find_answer_rrset(&qstate->return_msg->qinfo, 489 qstate->return_msg->rep) && 490 /* check that another module didn't SERVFAIL. */ 491 qstate->return_rcode == LDNS_RCODE_NOERROR) { 492 char type[16]; 493 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 494 sizeof(type)); 495 verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY " 496 "subquery", type); 497 /* generate an IPSECKEY query. */ 498 if(!generate_request(qstate, id, qstate->qinfo.qname, 499 qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, 500 qstate->qinfo.qclass, 0)) { 501 log_err("ipsecmod: could not generate subquery."); 502 errinf(qstate, "ipsecmod: could not generate subquery."); 503 ipsecmod_error(qstate, id); 504 } 505 return; 506 } 507 /* we are done with the query. */ 508 qstate->ext_state[id] = module_finished; 509} 510 511void 512ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, 513 struct outbound_entry* outbound) 514{ 515 struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id]; 516 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 517 verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s", 518 id, strextstate(qstate->ext_state[id]), strmodulevent(event)); 519 if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query", 520 &qstate->qinfo); 521 522 /* create ipsecmod_qstate. */ 523 if((event == module_event_new || event == module_event_pass) && 524 iq == NULL) { 525 if(!ipsecmod_new(qstate, id)) { 526 errinf(qstate, "ipsecmod: could not ipsecmod_new"); 527 ipsecmod_error(qstate, id); 528 return; 529 } 530 iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 531 } 532 if(iq && (event == module_event_pass || event == module_event_new)) { 533 ipsecmod_handle_query(qstate, iq, ie, id); 534 return; 535 } 536 if(iq && (event == module_event_moddone)) { 537 ipsecmod_handle_response(qstate, iq, ie, id); 538 return; 539 } 540 if(iq && outbound) { 541 /* cachedb does not need to process responses at this time 542 * ignore it. 543 cachedb_process_response(qstate, iq, ie, id, outbound, event); 544 */ 545 return; 546 } 547 if(event == module_event_error) { 548 verbose(VERB_ALGO, "got called with event error, giving up"); 549 errinf(qstate, "ipsecmod: got called with event error"); 550 ipsecmod_error(qstate, id); 551 return; 552 } 553 if(!iq && (event == module_event_moddone)) { 554 /* during priming, module done but we never started. */ 555 qstate->ext_state[id] = module_finished; 556 return; 557 } 558 559 log_err("ipsecmod: bad event %s", strmodulevent(event)); 560 errinf(qstate, "ipsecmod: operate got bad event"); 561 ipsecmod_error(qstate, id); 562 return; 563} 564 565void 566ipsecmod_inform_super(struct module_qstate* qstate, int id, 567 struct module_qstate* super) 568{ 569 struct ipsecmod_qstate* siq; 570 log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is", 571 &qstate->qinfo); 572 log_query_info(VERB_ALGO, "super is", &super->qinfo); 573 siq = (struct ipsecmod_qstate*)super->minfo[id]; 574 if(!siq) { 575 verbose(VERB_ALGO, "super has no ipsecmod state"); 576 return; 577 } 578 579 if(qstate->return_msg) { 580 struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset( 581 &qstate->return_msg->qinfo, qstate->return_msg->rep); 582 if(rrset_key) { 583 /* We have an answer. */ 584 /* Copy to super's region. */ 585 rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0); 586 siq->ipseckey_rrset = rrset_key; 587 if(!rrset_key) { 588 log_err("ipsecmod: out of memory."); 589 } 590 } 591 } 592 /* Notify super to proceed. */ 593 siq->ipseckey_done = 1; 594} 595 596void 597ipsecmod_clear(struct module_qstate* qstate, int id) 598{ 599 if(!qstate) 600 return; 601 qstate->minfo[id] = NULL; 602} 603 604size_t 605ipsecmod_get_mem(struct module_env* env, int id) 606{ 607 struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id]; 608 if(!ie) 609 return 0; 610 return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist); 611} 612 613/** 614 * The ipsecmod function block 615 */ 616static struct module_func_block ipsecmod_block = { 617 "ipsecmod", 618 &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate, 619 &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem 620}; 621 622struct module_func_block* 623ipsecmod_get_funcblock(void) 624{ 625 return &ipsecmod_block; 626} 627#endif /* USE_IPSECMOD */ 628