1 /* 2 * ipsecmod/ipsecmod.c - facilitate opportunistic IPsec module 3 * 4 * Copyright (c) 2017, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file contains a module that facilitates opportunistic IPsec. It does so 40 * by also quering for the IPSECKEY for A/AAAA queries and calling a 41 * configurable hook (eg. signaling an IKE daemon) before replying. 42 */ 43 44 #include "config.h" 45 #ifdef USE_IPSECMOD 46 #include "ipsecmod/ipsecmod.h" 47 #include "ipsecmod/ipsecmod-whitelist.h" 48 #include "util/fptr_wlist.h" 49 #include "util/regional.h" 50 #include "util/net_help.h" 51 #include "util/config_file.h" 52 #include "services/cache/dns.h" 53 #include "sldns/wire2str.h" 54 55 /** Apply configuration to ipsecmod module 'global' state. */ 56 static int 57 ipsecmod_apply_cfg(struct ipsecmod_env* ipsecmod_env, struct config_file* cfg) 58 { 59 if(!cfg->ipsecmod_hook || (cfg->ipsecmod_hook && !cfg->ipsecmod_hook[0])) { 60 log_err("ipsecmod: missing ipsecmod-hook."); 61 return 0; 62 } 63 if(cfg->ipsecmod_whitelist && 64 !ipsecmod_whitelist_apply_cfg(ipsecmod_env, cfg)) 65 return 0; 66 return 1; 67 } 68 69 int 70 ipsecmod_init(struct module_env* env, int id) 71 { 72 struct ipsecmod_env* ipsecmod_env = (struct ipsecmod_env*)calloc(1, 73 sizeof(struct ipsecmod_env)); 74 if(!ipsecmod_env) { 75 log_err("malloc failure"); 76 return 0; 77 } 78 env->modinfo[id] = (void*)ipsecmod_env; 79 ipsecmod_env->whitelist = NULL; 80 if(!ipsecmod_apply_cfg(ipsecmod_env, env->cfg)) { 81 log_err("ipsecmod: could not apply configuration settings."); 82 return 0; 83 } 84 return 1; 85 } 86 87 void 88 ipsecmod_deinit(struct module_env* env, int id) 89 { 90 struct ipsecmod_env* ipsecmod_env; 91 if(!env || !env->modinfo[id]) 92 return; 93 ipsecmod_env = (struct ipsecmod_env*)env->modinfo[id]; 94 /* Free contents. */ 95 ipsecmod_whitelist_delete(ipsecmod_env->whitelist); 96 free(ipsecmod_env); 97 env->modinfo[id] = NULL; 98 } 99 100 /** New query for ipsecmod. */ 101 static int 102 ipsecmod_new(struct module_qstate* qstate, int id) 103 { 104 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)regional_alloc( 105 qstate->region, sizeof(struct ipsecmod_qstate)); 106 qstate->minfo[id] = iq; 107 if(!iq) 108 return 0; 109 /* Initialise it. */ 110 memset(iq, 0, sizeof(*iq)); 111 iq->enabled = qstate->env->cfg->ipsecmod_enabled; 112 iq->is_whitelisted = ipsecmod_domain_is_whitelisted( 113 (struct ipsecmod_env*)qstate->env->modinfo[id], qstate->qinfo.qname, 114 qstate->qinfo.qname_len, qstate->qinfo.qclass); 115 return 1; 116 } 117 118 /** 119 * Exit module with an error status. 120 * @param qstate: query state 121 * @param id: module id. 122 */ 123 static void 124 ipsecmod_error(struct module_qstate* qstate, int id) 125 { 126 qstate->ext_state[id] = module_error; 127 qstate->return_rcode = LDNS_RCODE_SERVFAIL; 128 } 129 130 /** 131 * Generate a request for the IPSECKEY. 132 * 133 * @param qstate: query state that is the parent. 134 * @param id: module id. 135 * @param name: what name to query for. 136 * @param namelen: length of name. 137 * @param qtype: query type. 138 * @param qclass: query class. 139 * @param flags: additional flags, such as the CD bit (BIT_CD), or 0. 140 * @return false on alloc failure. 141 */ 142 static int 143 generate_request(struct module_qstate* qstate, int id, uint8_t* name, 144 size_t namelen, uint16_t qtype, uint16_t qclass, uint16_t flags) 145 { 146 struct module_qstate* newq; 147 struct query_info ask; 148 ask.qname = name; 149 ask.qname_len = namelen; 150 ask.qtype = qtype; 151 ask.qclass = qclass; 152 ask.local_alias = NULL; 153 log_query_info(VERB_ALGO, "ipsecmod: generate request", &ask); 154 fptr_ok(fptr_whitelist_modenv_attach_sub(qstate->env->attach_sub)); 155 if(!(*qstate->env->attach_sub)(qstate, &ask, 156 (uint16_t)(BIT_RD|flags), 0, 0, &newq)){ 157 log_err("Could not generate request: out of memory"); 158 return 0; 159 } 160 qstate->ext_state[id] = module_wait_subquery; 161 return 1; 162 } 163 164 /** 165 * Check if the string passed is a valid domain name with safe characters to 166 * pass to a shell. 167 * This will only allow: 168 * - digits 169 * - alphas 170 * - hyphen (not at the start) 171 * - dot (not at the start, or the only character) 172 * - underscore 173 * @param s: pointer to the string. 174 * @param slen: string's length. 175 * @return true if s only contains safe characters; false otherwise. 176 */ 177 static int 178 domainname_has_safe_characters(char* s, size_t slen) { 179 size_t i; 180 for(i = 0; i < slen; i++) { 181 if(s[i] == '\0') return 1; 182 if((s[i] == '-' && i != 0) 183 || (s[i] == '.' && (i != 0 || s[1] == '\0')) 184 || (s[i] == '_') || (s[i] >= '0' && s[i] <= '9') 185 || (s[i] >= 'A' && s[i] <= 'Z') 186 || (s[i] >= 'a' && s[i] <= 'z')) { 187 continue; 188 } 189 return 0; 190 } 191 return 1; 192 } 193 194 /** 195 * Check if the stringified IPSECKEY RDATA contains safe characters to pass to 196 * a shell. 197 * This is only relevant for checking the gateway when the gateway type is 3 198 * (domainname). 199 * @param s: pointer to the string. 200 * @param slen: string's length. 201 * @return true if s contains only safe characters; false otherwise. 202 */ 203 static int 204 ipseckey_has_safe_characters(char* s, size_t slen) { 205 int precedence, gateway_type, algorithm; 206 char* gateway; 207 gateway = (char*)calloc(slen, sizeof(char)); 208 if(!gateway) { 209 log_err("ipsecmod: out of memory when calling the hook"); 210 return 0; 211 } 212 if(sscanf(s, "%d %d %d %s ", 213 &precedence, &gateway_type, &algorithm, gateway) != 4) { 214 free(gateway); 215 return 0; 216 } 217 if(gateway_type != 3) { 218 free(gateway); 219 return 1; 220 } 221 if(domainname_has_safe_characters(gateway, slen)) { 222 free(gateway); 223 return 1; 224 } 225 free(gateway); 226 return 0; 227 } 228 229 /** 230 * Prepare the data and call the hook. 231 * 232 * @param qstate: query state. 233 * @param iq: ipsecmod qstate. 234 * @param ie: ipsecmod environment. 235 * @return true on success, false otherwise. 236 */ 237 static int 238 call_hook(struct module_qstate* qstate, struct ipsecmod_qstate* iq, 239 struct ipsecmod_env* ATTR_UNUSED(ie)) 240 { 241 size_t slen, tempdata_len, tempstring_len, i; 242 char str[65535], *s, *tempstring; 243 int w = 0, w_temp, qtype; 244 struct ub_packed_rrset_key* rrset_key; 245 struct packed_rrset_data* rrset_data; 246 uint8_t *tempdata; 247 248 /* Check if a shell is available */ 249 if(system(NULL) == 0) { 250 log_err("ipsecmod: no shell available for ipsecmod-hook"); 251 return 0; 252 } 253 254 /* Zero the buffer. */ 255 s = str; 256 slen = sizeof(str); 257 memset(s, 0, slen); 258 259 /* Copy the hook into the buffer. */ 260 w += sldns_str_print(&s, &slen, "%s", qstate->env->cfg->ipsecmod_hook); 261 /* Put space into the buffer. */ 262 w += sldns_str_print(&s, &slen, " "); 263 /* Copy the qname into the buffer. */ 264 tempstring = sldns_wire2str_dname(qstate->qinfo.qname, 265 qstate->qinfo.qname_len); 266 if(!tempstring) { 267 log_err("ipsecmod: out of memory when calling the hook"); 268 return 0; 269 } 270 if(!domainname_has_safe_characters(tempstring, strlen(tempstring))) { 271 log_err("ipsecmod: qname has unsafe characters"); 272 free(tempstring); 273 return 0; 274 } 275 w += sldns_str_print(&s, &slen, "\"%s\"", tempstring); 276 free(tempstring); 277 /* Put space into the buffer. */ 278 w += sldns_str_print(&s, &slen, " "); 279 /* Copy the IPSECKEY TTL into the buffer. */ 280 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 281 w += sldns_str_print(&s, &slen, "\"%ld\"", (long)rrset_data->ttl); 282 /* Put space into the buffer. */ 283 w += sldns_str_print(&s, &slen, " "); 284 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 285 qstate->return_msg->rep); 286 /* Double check that the records are indeed A/AAAA. 287 * This should never happen as this function is only executed for A/AAAA 288 * queries but make sure we don't pass anything other than A/AAAA to the 289 * shell. */ 290 qtype = ntohs(rrset_key->rk.type); 291 if(qtype != LDNS_RR_TYPE_AAAA && qtype != LDNS_RR_TYPE_A) { 292 log_err("ipsecmod: Answer is not of A or AAAA type"); 293 return 0; 294 } 295 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 296 /* Copy the A/AAAA record(s) into the buffer. Start and end this section 297 * with a double quote. */ 298 w += sldns_str_print(&s, &slen, "\""); 299 for(i=0; i<rrset_data->count; i++) { 300 if(i > 0) { 301 /* Put space into the buffer. */ 302 w += sldns_str_print(&s, &slen, " "); 303 } 304 /* Ignore the first two bytes, they are the rr_data len. */ 305 w_temp = sldns_wire2str_rdata_buf(rrset_data->rr_data[i] + 2, 306 rrset_data->rr_len[i] - 2, s, slen, qstate->qinfo.qtype); 307 if(w_temp < 0) { 308 /* Error in printout. */ 309 log_err("ipsecmod: Error in printing IP address"); 310 return 0; 311 } else if((size_t)w_temp >= slen) { 312 s = NULL; /* We do not want str to point outside of buffer. */ 313 slen = 0; 314 log_err("ipsecmod: shell command too long"); 315 return 0; 316 } else { 317 s += w_temp; 318 slen -= w_temp; 319 w += w_temp; 320 } 321 } 322 w += sldns_str_print(&s, &slen, "\""); 323 /* Put space into the buffer. */ 324 w += sldns_str_print(&s, &slen, " "); 325 /* Copy the IPSECKEY record(s) into the buffer. Start and end this section 326 * with a double quote. */ 327 w += sldns_str_print(&s, &slen, "\""); 328 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 329 for(i=0; i<rrset_data->count; i++) { 330 if(i > 0) { 331 /* Put space into the buffer. */ 332 w += sldns_str_print(&s, &slen, " "); 333 } 334 /* Ignore the first two bytes, they are the rr_data len. */ 335 tempdata = rrset_data->rr_data[i] + 2; 336 tempdata_len = rrset_data->rr_len[i] - 2; 337 /* Save the buffer pointers. */ 338 tempstring = s; tempstring_len = slen; 339 w_temp = sldns_wire2str_ipseckey_scan(&tempdata, &tempdata_len, &s, 340 &slen, NULL, 0, NULL); 341 /* There was an error when parsing the IPSECKEY; reset the buffer 342 * pointers to their previous values. */ 343 if(w_temp == -1) { 344 s = tempstring; slen = tempstring_len; 345 } else if(w_temp > 0) { 346 if(!ipseckey_has_safe_characters( 347 tempstring, tempstring_len - slen)) { 348 log_err("ipsecmod: ipseckey has unsafe characters"); 349 return 0; 350 } 351 w += w_temp; 352 } 353 } 354 w += sldns_str_print(&s, &slen, "\""); 355 if(w >= (int)sizeof(str)) { 356 log_err("ipsecmod: shell command too long"); 357 return 0; 358 } 359 verbose(VERB_ALGO, "ipsecmod: shell command: '%s'", str); 360 /* ipsecmod-hook should return 0 on success. */ 361 if(system(str) != 0) 362 return 0; 363 return 1; 364 } 365 366 /** 367 * Handle an ipsecmod module event with a query 368 * @param qstate: query state (from the mesh), passed between modules. 369 * contains qstate->env module environment with global caches and so on. 370 * @param iq: query state specific for this module. per-query. 371 * @param ie: environment specific for this module. global. 372 * @param id: module id. 373 */ 374 static void 375 ipsecmod_handle_query(struct module_qstate* qstate, 376 struct ipsecmod_qstate* iq, struct ipsecmod_env* ie, int id) 377 { 378 struct ub_packed_rrset_key* rrset_key; 379 struct packed_rrset_data* rrset_data; 380 size_t i; 381 /* Pass to next module if we are not enabled and whitelisted. */ 382 if(!(iq->enabled && iq->is_whitelisted)) { 383 qstate->ext_state[id] = module_wait_module; 384 return; 385 } 386 /* New query, check if the query is for an A/AAAA record and disable 387 * caching for other modules. */ 388 if(!iq->ipseckey_done) { 389 if(qstate->qinfo.qtype == LDNS_RR_TYPE_A || 390 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) { 391 char type[16]; 392 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 393 sizeof(type)); 394 verbose(VERB_ALGO, "ipsecmod: query for %s; engaging", 395 type); 396 qstate->no_cache_store = 1; 397 } 398 /* Pass request to next module. */ 399 qstate->ext_state[id] = module_wait_module; 400 return; 401 } 402 /* IPSECKEY subquery is finished. */ 403 /* We have an IPSECKEY answer. */ 404 if(iq->ipseckey_rrset) { 405 rrset_data = (struct packed_rrset_data*)iq->ipseckey_rrset->entry.data; 406 if(rrset_data) { 407 /* If bogus return SERVFAIL. */ 408 if(!qstate->env->cfg->ipsecmod_ignore_bogus && 409 rrset_data->security == sec_status_bogus) { 410 log_err("ipsecmod: bogus IPSECKEY"); 411 ipsecmod_error(qstate, id); 412 return; 413 } 414 /* We have a valid IPSECKEY reply, call hook. */ 415 if(!call_hook(qstate, iq, ie) && 416 qstate->env->cfg->ipsecmod_strict) { 417 log_err("ipsecmod: ipsecmod-hook failed"); 418 ipsecmod_error(qstate, id); 419 return; 420 } 421 /* Make sure the A/AAAA's TTL is equal/less than the 422 * ipsecmod_max_ttl. */ 423 rrset_key = reply_find_answer_rrset(&qstate->return_msg->qinfo, 424 qstate->return_msg->rep); 425 rrset_data = (struct packed_rrset_data*)rrset_key->entry.data; 426 if(rrset_data->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 427 /* Update TTL for rrset to fixed value. */ 428 rrset_data->ttl = qstate->env->cfg->ipsecmod_max_ttl; 429 for(i=0; i<rrset_data->count+rrset_data->rrsig_count; i++) 430 rrset_data->rr_ttl[i] = qstate->env->cfg->ipsecmod_max_ttl; 431 /* Also update reply_info's TTL */ 432 if(qstate->return_msg->rep->ttl > (time_t)qstate->env->cfg->ipsecmod_max_ttl) { 433 qstate->return_msg->rep->ttl = 434 qstate->env->cfg->ipsecmod_max_ttl; 435 qstate->return_msg->rep->prefetch_ttl = PREFETCH_TTL_CALC( 436 qstate->return_msg->rep->ttl); 437 qstate->return_msg->rep->serve_expired_ttl = qstate->return_msg->rep->ttl + 438 qstate->env->cfg->serve_expired_ttl; 439 } 440 } 441 } 442 } 443 /* Store A/AAAA in cache. */ 444 if(!dns_cache_store(qstate->env, &qstate->qinfo, 445 qstate->return_msg->rep, 0, qstate->prefetch_leeway, 446 0, qstate->region, qstate->query_flags)) { 447 log_err("ipsecmod: out of memory caching record"); 448 } 449 qstate->ext_state[id] = module_finished; 450 } 451 452 /** 453 * Handle an ipsecmod module event with a response from the iterator. 454 * @param qstate: query state (from the mesh), passed between modules. 455 * contains qstate->env module environment with global caches and so on. 456 * @param iq: query state specific for this module. per-query. 457 * @param ie: environment specific for this module. global. 458 * @param id: module id. 459 */ 460 static void 461 ipsecmod_handle_response(struct module_qstate* qstate, 462 struct ipsecmod_qstate* ATTR_UNUSED(iq), 463 struct ipsecmod_env* ATTR_UNUSED(ie), int id) 464 { 465 /* Pass to previous module if we are not enabled and whitelisted. */ 466 if(!(iq->enabled && iq->is_whitelisted)) { 467 qstate->ext_state[id] = module_finished; 468 return; 469 } 470 /* check if the response is for an A/AAAA query. */ 471 if((qstate->qinfo.qtype == LDNS_RR_TYPE_A || 472 qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA) && 473 /* check that we had an answer for the A/AAAA query. */ 474 qstate->return_msg && 475 reply_find_answer_rrset(&qstate->return_msg->qinfo, 476 qstate->return_msg->rep) && 477 /* check that another module didn't SERVFAIL. */ 478 qstate->return_rcode == LDNS_RCODE_NOERROR) { 479 char type[16]; 480 sldns_wire2str_type_buf(qstate->qinfo.qtype, type, 481 sizeof(type)); 482 verbose(VERB_ALGO, "ipsecmod: response for %s; generating IPSECKEY " 483 "subquery", type); 484 /* generate an IPSECKEY query. */ 485 if(!generate_request(qstate, id, qstate->qinfo.qname, 486 qstate->qinfo.qname_len, LDNS_RR_TYPE_IPSECKEY, 487 qstate->qinfo.qclass, 0)) { 488 log_err("ipsecmod: could not generate subquery."); 489 ipsecmod_error(qstate, id); 490 } 491 return; 492 } 493 /* we are done with the query. */ 494 qstate->ext_state[id] = module_finished; 495 } 496 497 void 498 ipsecmod_operate(struct module_qstate* qstate, enum module_ev event, int id, 499 struct outbound_entry* outbound) 500 { 501 struct ipsecmod_env* ie = (struct ipsecmod_env*)qstate->env->modinfo[id]; 502 struct ipsecmod_qstate* iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 503 verbose(VERB_QUERY, "ipsecmod[module %d] operate: extstate:%s event:%s", 504 id, strextstate(qstate->ext_state[id]), strmodulevent(event)); 505 if(iq) log_query_info(VERB_QUERY, "ipsecmod operate: query", 506 &qstate->qinfo); 507 508 /* create ipsecmod_qstate. */ 509 if((event == module_event_new || event == module_event_pass) && 510 iq == NULL) { 511 if(!ipsecmod_new(qstate, id)) { 512 ipsecmod_error(qstate, id); 513 return; 514 } 515 iq = (struct ipsecmod_qstate*)qstate->minfo[id]; 516 } 517 if(iq && (event == module_event_pass || event == module_event_new)) { 518 ipsecmod_handle_query(qstate, iq, ie, id); 519 return; 520 } 521 if(iq && (event == module_event_moddone)) { 522 ipsecmod_handle_response(qstate, iq, ie, id); 523 return; 524 } 525 if(iq && outbound) { 526 /* cachedb does not need to process responses at this time 527 * ignore it. 528 cachedb_process_response(qstate, iq, ie, id, outbound, event); 529 */ 530 return; 531 } 532 if(event == module_event_error) { 533 verbose(VERB_ALGO, "got called with event error, giving up"); 534 ipsecmod_error(qstate, id); 535 return; 536 } 537 if(!iq && (event == module_event_moddone)) { 538 /* during priming, module done but we never started. */ 539 qstate->ext_state[id] = module_finished; 540 return; 541 } 542 543 log_err("ipsecmod: bad event %s", strmodulevent(event)); 544 ipsecmod_error(qstate, id); 545 return; 546 } 547 548 void 549 ipsecmod_inform_super(struct module_qstate* qstate, int id, 550 struct module_qstate* super) 551 { 552 struct ipsecmod_qstate* siq; 553 log_query_info(VERB_ALGO, "ipsecmod: inform_super, sub is", 554 &qstate->qinfo); 555 log_query_info(VERB_ALGO, "super is", &super->qinfo); 556 siq = (struct ipsecmod_qstate*)super->minfo[id]; 557 if(!siq) { 558 verbose(VERB_ALGO, "super has no ipsecmod state"); 559 return; 560 } 561 562 if(qstate->return_msg) { 563 struct ub_packed_rrset_key* rrset_key = reply_find_answer_rrset( 564 &qstate->return_msg->qinfo, qstate->return_msg->rep); 565 if(rrset_key) { 566 /* We have an answer. */ 567 /* Copy to super's region. */ 568 rrset_key = packed_rrset_copy_region(rrset_key, super->region, 0); 569 siq->ipseckey_rrset = rrset_key; 570 if(!rrset_key) { 571 log_err("ipsecmod: out of memory."); 572 } 573 } 574 } 575 /* Notify super to proceed. */ 576 siq->ipseckey_done = 1; 577 } 578 579 void 580 ipsecmod_clear(struct module_qstate* qstate, int id) 581 { 582 if(!qstate) 583 return; 584 qstate->minfo[id] = NULL; 585 } 586 587 size_t 588 ipsecmod_get_mem(struct module_env* env, int id) 589 { 590 struct ipsecmod_env* ie = (struct ipsecmod_env*)env->modinfo[id]; 591 if(!ie) 592 return 0; 593 return sizeof(*ie) + ipsecmod_whitelist_get_mem(ie->whitelist); 594 } 595 596 /** 597 * The ipsecmod function block 598 */ 599 static struct module_func_block ipsecmod_block = { 600 "ipsecmod", 601 &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate, 602 &ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem 603 }; 604 605 struct module_func_block* 606 ipsecmod_get_funcblock(void) 607 { 608 return &ipsecmod_block; 609 } 610 #endif /* USE_IPSECMOD */ 611