search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
MFC:
[dragonfly.git] / contrib / ipfilter / ip_ipsec_pxy.c
blob40ce131961a38e7ebb9ab42d1767fc5df4e66512
1 /*
2 * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
3 * code.
4 *
5 * $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
6 *
7 */
8 #define IPF_IPSEC_PROXY
9
10
11 int ippr_ipsec_init __P((void));
12 int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
13 void ippr_ipsec_del __P((ap_session_t *));
14 int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
15 int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
16
17 static frentry_t ipsecfr;
18
19
20 static char ipsec_buffer[1500];
21
22 /*
23 * RCMD application proxy initialization.
24 */
25 int ippr_ipsec_init()
26 {
27 bzero((char *)&ipsecfr, sizeof(ipsecfr));
28 ipsecfr.fr_ref = 1;
29 ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
30 return 0;
31 }
32
33
34 /*
35 * Setup for a new IPSEC proxy.
36 */
37 int ippr_ipsec_new(fin, ip, aps, nat)
38 fr_info_t *fin;
39 ip_t *ip;
40 ap_session_t *aps;
41 nat_t *nat;
42 {
43 ipsec_pxy_t *ipsec;
44 fr_info_t fi;
45 ipnat_t *ipn;
46 char *ptr;
47 int p, off, dlen;
48 mb_t *m;
49
50 bzero(ipsec_buffer, sizeof(ipsec_buffer));
51 off = fin->fin_hlen + sizeof(udphdr_t);
52 #ifdef _KERNEL
53 # if SOLARIS
54 m = fin->fin_qfm;
55
56 dlen = msgdsize(m) - off;
57 if (dlen < 16)
58 return -1;
59 copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
60 # else
61 m = *(mb_t **)fin->fin_mp;
62 dlen = mbufchainlen(m) - off;
63 if (dlen < 16)
64 return -1;
65 m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
66 # endif
67 #else
68 m = *(mb_t **)fin->fin_mp;
69 dlen = ip->ip_len - off;
70 ptr = (char *)m;
71 ptr += off;
72 bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
73 #endif
74
75 /*
76 * Because _new() gets called from nat_new(), ipf_nat is held with a
77 * write lock so pass rw=1 to nat_outlookup().
78 */
79 if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
80 ip->ip_dst, 1) != NULL)
81 return -1;
82
83 aps->aps_psiz = sizeof(*ipsec);
84 KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
85 if (aps->aps_data == NULL)
86 return -1;
87
88 ipsec = aps->aps_data;
89 bzero((char *)ipsec, sizeof(*ipsec));
90
91 /*
92 * Create NAT rule against which the tunnel/transport mapping is
93 * created. This is required because the current NAT rule does not
94 * describe ESP but UDP instead.
95 */
96 ipn = &ipsec->ipsc_rule;
97 ipn->in_ifp = fin->fin_ifp;
98 ipn->in_apr = NULL;
99 ipn->in_use = 1;
100 ipn->in_hits = 1;
101 ipn->in_nip = ntohl(nat->nat_outip.s_addr);
102 ipn->in_ippip = 1;
103 ipn->in_inip = nat->nat_inip.s_addr;
104 ipn->in_inmsk = 0xffffffff;
105 ipn->in_outip = nat->nat_outip.s_addr;
106 ipn->in_outmsk = 0xffffffff;
107 ipn->in_srcip = fin->fin_saddr;
108 ipn->in_srcmsk = 0xffffffff;
109 ipn->in_redir = NAT_MAP;
110 bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
111 ipn->in_p = IPPROTO_ESP;
112
113 bcopy((char *)fin, (char *)&fi, sizeof(fi));
114 fi.fin_fi.fi_p = IPPROTO_ESP;
115 fi.fin_fr = &ipsecfr;
116 fi.fin_data[0] = 0;
117 fi.fin_data[1] = 0;
118 p = ip->ip_p;
119 ip->ip_p = IPPROTO_ESP;
120 fi.fin_fl &= ~FI_TCPUDP;
121
122 ptr = ipsec_buffer;
123 bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
124 ptr += sizeof(ipsec_cookie_t);
125 bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
126 /*
127 * The responder cookie should only be non-zero if the initiator
128 * cookie is non-zero. Therefore, it is safe to assume(!) that the
129 * cookies are both set after copying if the responder is non-zero.
130 */
131 if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
132 ipsec->ipsc_rckset = 1;
133 else
134 nat->nat_age = 60; /* 30 seconds */
135
136 ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
137 NAT_OUTBOUND);
138 if (ipsec->ipsc_nat != NULL) {
139 fi.fin_data[0] = 0;
140 fi.fin_data[1] = 0;
141 ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
142 FI_IGNOREPKT|FI_NORULE);
143 }
144 ip->ip_p = p;
145 return 0;
146 }
147
148
149 /*
150 * For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
151 * we can. If they have disappeared, recreate them.
152 */
153 int ippr_ipsec_out(fin, ip, aps, nat)
154 fr_info_t *fin;
155 ip_t *ip;
156 ap_session_t *aps;
157 nat_t *nat;
158 {
159 ipsec_pxy_t *ipsec;
160 fr_info_t fi;
161 int p;
162
163 bcopy((char *)fin, (char *)&fi, sizeof(fi));
164 fi.fin_fi.fi_p = IPPROTO_ESP;
165 fi.fin_fr = &ipsecfr;
166 fi.fin_data[0] = 0;
167 fi.fin_data[1] = 0;
168 p = ip->ip_p;
169 ip->ip_p = IPPROTO_ESP;
170 fi.fin_fl &= ~FI_TCPUDP;
171
172 ipsec = aps->aps_data;
173 if (ipsec != NULL) {
174 /*
175 * Update NAT timeout/create NAT if missing.
176 */
177 if (ipsec->ipsc_rckset == 0)
178 nat->nat_age = 60; /* 30 seconds */
179 if (ipsec->ipsc_nat != NULL)
180 ipsec->ipsc_nat->nat_age = nat->nat_age;
181 else
182 ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
183 &ipsec->ipsc_nat,
184 FI_IGNOREPKT, NAT_OUTBOUND);
185
186 /*
187 * Update state timeout/create state if missing.
188 */
189 READ_ENTER(&ipf_state);
190 if (ipsec->ipsc_state != NULL) {
191 ipsec->ipsc_state->is_age = nat->nat_age;
192 RWLOCK_EXIT(&ipf_state);
193 } else {
194 RWLOCK_EXIT(&ipf_state);
195 fi.fin_data[0] = 0;
196 fi.fin_data[1] = 0;
197 ipsec->ipsc_state = fr_addstate(ip, &fi,
198 &ipsec->ipsc_state,
199 FI_IGNOREPKT|FI_NORULE);
200 }
201 }
202 ip->ip_p = p;
203 return 0;
204 }
205
206
207 /*
208 * This extends the NAT matching to be based on the cookies associated with
209 * a session and found at the front of IKE packets. The cookies are always
210 * in the same order (not reversed depending on packet flow direction as with
211 * UDP/TCP port numbers).
212 */
213 int ippr_ipsec_match(fin, aps, nat)
214 fr_info_t *fin;
215 ap_session_t *aps;
216 nat_t *nat;
217 {
218 ipsec_pxy_t *ipsec;
219 u_32_t cookies[4];
220 mb_t *m;
221 int off;
222
223 if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
224 return -1;
225
226 ipsec = aps->aps_data;
227 off = fin->fin_hlen + sizeof(udphdr_t);
228 #ifdef _KERNEL
229 # if SOLARIS
230 m = fin->fin_qfm;
231
232 copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
233 # else
234 m = *(mb_t **)fin->fin_mp;
235 m_copydata(m, off, sizeof(cookies), (char *)cookies);
236 # endif
237 #else
238 m = *(mb_t **)fin->fin_mp;
239 bcopy((char *)m + off, cookies, sizeof(cookies));
240 #endif
241
242 if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
243 (cookies[1] != ipsec->ipsc_icookie[1]))
244 return -1;
245
246 if (ipsec->ipsc_rckset == 0) {
247 if ((cookies[2]|cookies[3]) == 0) {
248 nat->nat_age = 60; /* 30 seconds */
249 return 0;
250 }
251 ipsec->ipsc_rckset = 1;
252 ipsec->ipsc_rcookie[0] = cookies[2];
253 ipsec->ipsc_rcookie[1] = cookies[3];
254 return 0;
255 }
256
257 if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
258 (cookies[3] != ipsec->ipsc_rcookie[1]))
259 return -1;
260 return 0;
261 }
262
263
264 /*
265 * clean up after ourselves.
266 */
267 void ippr_ipsec_del(aps)
268 ap_session_t *aps;
269 {
270 ipsec_pxy_t *ipsec;
271
272 ipsec = aps->aps_data;
273
274 if (ipsec != NULL) {
275 /*
276 * Don't delete it from here, just schedule it to be
277 * deleted ASAP.
278 */
279 if (ipsec->ipsc_nat != NULL) {
280 ipsec->ipsc_nat->nat_age = 1;
281 ipsec->ipsc_nat->nat_ptr = NULL;
282 }
283
284 READ_ENTER(&ipf_state);
285 if (ipsec->ipsc_state != NULL)
286 ipsec->ipsc_state->is_age = 1;
287 RWLOCK_EXIT(&ipf_state);
288
289 ipsec->ipsc_state = NULL;
290 ipsec->ipsc_nat = NULL;
291 }
292 }
DragonFly BSD