0ff2d00d | 29-Dec-2024 | Konstantin Belousov <kib@FreeBSD.org>
ipsec: allow it to work with unmapped mbufs
ipsec: allow it to work with unmapped mbufs
Only map mbuf when a policy is looked up and indicates that IPSEC needs to transform the packet. If IPSEC is inline offloaded, it is up to the interface driver to request remap if needed.
Fetch the IP header using m_copydata() instead of using mtod() to select policy/SA.
Reviewed by: markj
Sponsored by: NVidia networking
Differential revision: https://reviews.freebsd.org/D48265
Revision tags: release/14.2.0, release/13.4.0, release/14.1.0, release/13.3.0, release/14.0.0, release/13.2.0
00524fd4 | 30-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
ipsec_output(): add mtu argument
Similarly, mtu is needed to decide inline IPSEC offload for the driver.
Sponsored by: NVIDIA networking
Differential revision: https://reviews.freebsd.org/D44224
de1da299 | 25-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
ipsec_output(): add outcoming ifp argument
The information about the interface is needed to coordinate inline offloading of IPSEC processing with corresponding driver.
Sponsored by: NVIDIA networking
Differential revision: https://reviews.freebsd.org/D44223
Revision tags: release/12.4.0, release/13.1.0, release/12.3.0
7539b04e | 22-Aug-2021 | Konstantin Belousov <kib@FreeBSD.org>
ipsec_newpolicies(): do not call key_freesp() with NULL value
Sponsored by: NVIDIA networking
MFC after: 1 week
685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern
Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
2c2b37ad | 13-Jan-2023 | Justin Hibbits <jhibbits@FreeBSD.org>
ifnet/API: Move struct ifnet definition to a <net/if_private.h>
Hide the ifnet structure definition, no user serviceable parts inside, it's a netstack implementation detail. Include it temporarily in <net/if_var.h> until all drivers are updated to use the accessors exclusively.
Reviewed by: glebius
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D38046
b1d10b49 | 17-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
if_ipsec(4): handle situations where there is no policy or SADB entry for if
Reviewed by: ae, hselasky
Sponsored by: NVIDIA Networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D38093
eac97154 | 17-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
if_ipsec(4): protect against user supplying unknown address family
Reviewed by: ae, hselasky
Sponsored by: NVIDIA Networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D38093
c8ee75f2 | 10-Oct-2021 | Gleb Smirnoff <glebius@FreeBSD.org>
Use network epoch to protect local IPv4 addresses hash.
The modifications to the hash are already naturally locked by in_control_sx. Convert the hash lists to CK lists. Remove the in_ifaddr_rmlock. Assert the network epoch where necessary.
In most cases where the hash lookup is done, the epoch is already entered. Cover a few cases that need entering the epoch, which are mostly the initial configuration of tunnel interfaces and multicast addresses.
Reviewed by: melifaro
Differential revision: https://reviews.freebsd.org/D32584
Revision tags: release/13.0.0, release/12.2.0
662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files
Revision tags: release/11.4.0
dd4490fd | 03-Jun-2020 | Andrey V. Elsukov <ae@FreeBSD.org>
Add if_reassign method to all tunneling interfaces.
After r339550 tunneling interfaces have started to handle the appearing and disappearing of ingress IP addresses on the host system. When such interfaces are moved into a VNET jail, they lose the ability to properly handle the ifaddr_event_ext event, and this leads to the need to reconfigure the tunnel to make it work again.
Since moving an interface into a VNET jail leads to the removal of all IP addresses, it looks consistent that the tunnel configuration should also be cleared. This is what the if_reassign method will do.
Reported by: John W. O'Brien <john saltant com>
MFC after: 1 week
28d2a72b | 29-May-2020 | John Baldwin <jhb@FreeBSD.org>
Consistently include opt_ipsec.h for consumers of <netipsec/ipsec.h>.
This fixes ipsec.ko to include all of IPSEC_DEBUG.
Reviewed by: imp
MFC after: 2 weeks
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D25046
97168be8 | 15-Jan-2020 | Gleb Smirnoff <glebius@FreeBSD.org>
Mechanically substitute assertion of in_epoch(net_epoch_preempt) to NET_EPOCH_ASSERT(). NFC
Revision tags: release/12.1.0, release/11.3.0, release/12.0.0
3d5db455 | 24-Nov-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r340427 through r340868.
ad43bf34 | 16-Nov-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Allow configuration of several ipsec interfaces with the same tunnel endpoints.
This can be used to configure several IPsec tunnels between two hosts with different security associations.
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
c6879c6c | 23-Oct-2018 | Dimitry Andric <dim@FreeBSD.org>
Merge ^/head r339015 through r339669.
221022e1 | 23-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add the check that current VNET is ready and access to srchash is allowed.
The ipsec_srcaddr() callback can be called during VNET teardown, since the ingress address checking subsystem isn't VNET specific, and thus the callback can access already freed memory. To prevent this, use the V_ipsec_idhtbl pointer as an indicator of VNET readiness, and call epoch_wait() after resetting it to NULL in vnet_ipsec_uninit() to be sure that ipsec_srcaddr() has finished its work.
Reported by: kp
MFC after: 20 days
e6b383b2 | 23-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove softc from idhash when interface is destroyed.
MFC after: 20 days
cc958ed2 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Follow the fix in r339532 (by glebius): Fix exiting an epoch(9) we never entered. May happen only with MAC.
MFC after: 1 month
2c87fdf0 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework if_ipsec(4) to use epoch(9) instead of rmlock.
* use CK_LIST and FNV hash to keep chains of softc;
* read access to softc is protected by epoch();
* write access is protected by ipsec_ioctl_sx. Changing of softc fields is allowed only when softc is unlinked from CK_LIST chains.
* linking/unlinking of softc is allowed only when ipsec_ioctl_sx is exclusive locked.
* the plain LIST of all softc is replaced by a hash table that uses the ingress address of tunnels as a key.
* added support for appearing/disappearing ingress address handling. Now it is allowed to configure a non-local ingress IP address, and thus the problem with if_ipsec(4) configuration that happens on boot, when the ingress address is not yet configured, is solved.
MFC after: 1 month
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17190
14b841d4 | 11-Aug-2018 | Kyle Evans <kevans@FreeBSD.org>
MFH @ r337607, in preparation for boarding
5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.
Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147
Revision tags: release/11.2.0
e287c474 | 11-May-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Apply the change from r272770 to if_ipsec(4) interface.
It is guaranteed that the if_ipsec(4) interface is used only for tunnel mode IPsec, i.e. the decrypted and decapsulated packet has its own IP header. Thus we can consider it as a new packet and clear the protocol flags. This allows ICMP/ICMPv6 to properly handle errors that this packet may cause.
PR: 228108
MFC after: 1 week
541d96aa | 30-Mar-2018 | Brooks Davis <brooks@FreeBSD.org>
Use an accessor function to access ifr_data.
This fixes 32-bit compat (no ioctl command definitions are required as struct ifreq is the same size). This is believed to be sufficient to fully support ifconfig on 32-bit systems.
Reviewed by: kib
Obtained from: CheriBSD
MFC after: 1 week
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14900
Revision tags: release/10.4.0, release/11.1.0
22986c67 | 07-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Introduce the concept of IPsec security policies scope.
Currently three scopes are defined: global, ifnet, and pcb. Generic security policies that an IKE daemon can add via the PF_KEY interface or that an administrator creates with the setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked against inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through an if_ipsec(4) interface. And security policies created by an application using the setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to a specific socket. Currently there is no way to list PCB policies via the setkey(8) utility.
Modify setkey(8) and libipsec(3) to be able to distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed.
To implement this, PF_KEY's sadb_x_policy structure was modified. The sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. The SADB_SPDDUMP message is extended to support filtering by scope: the sadb_msg_satype field is used to specify a bit mask of the requested scopes.
For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass if_ipsec's interface if_index to the userland. For GLOBAL policies sadb_x_policy_priority is used only to manage order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to keep if_index.
After this change the output of `setkey -DP` now looks like:
    # setkey -DPt
    0.0.0.0/0[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/87.250.242.144-87.250.242.145/unique:145
        spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
        refcnt=1
    # setkey -DPg
    ::/0 ::/0 icmp6 135,0
        out none
        spid=5 seq=1 pid=872 scope=global
        refcnt=1
No objection from: #network
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9805