2 * Simple ISAKMP transparent proxy for in-kernel use. For use with the NAT
5 * $Id: ip_ipsec_pxy.c,v 1.1.2.10 2002/01/13 04:58:29 darrenr Exp $
6 * $FreeBSD: src/sys/contrib/ipfilter/netinet/ip_ipsec_pxy.c,v 1.1.1.1.2.1 2002/04/27 17:37:12 darrenr Exp $
9 #define IPF_IPSEC_PROXY
12 int ippr_ipsec_init __P((void));
13 int ippr_ipsec_new __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
14 void ippr_ipsec_del __P((ap_session_t *));
15 int ippr_ipsec_out __P((fr_info_t *, ip_t *, ap_session_t *, nat_t *));
16 int ippr_ipsec_match __P((fr_info_t *, ap_session_t *, nat_t *));
18 static frentry_t ipsecfr;
21 static char ipsec_buffer[1500];
24 * RCMD application proxy initialization.
28 bzero((char *)&ipsecfr, sizeof(ipsecfr));
30 ipsecfr.fr_flags = FR_OUTQUE|FR_PASS|FR_QUICK|FR_KEEPSTATE;
36 * Setup for a new IPSEC proxy.
38 int ippr_ipsec_new(fin, ip, aps, nat)
51 bzero(ipsec_buffer, sizeof(ipsec_buffer));
52 off = fin->fin_hlen + sizeof(udphdr_t);
57 dlen = msgdsize(m) - off;
60 copyout_mblk(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
62 m = *(mb_t **)fin->fin_mp;
63 dlen = mbufchainlen(m) - off;
66 m_copydata(m, off, MIN(sizeof(ipsec_buffer), dlen), ipsec_buffer);
69 m = *(mb_t **)fin->fin_mp;
70 dlen = ip->ip_len - off;
73 bcopy(ptr, ipsec_buffer, MIN(sizeof(ipsec_buffer), dlen));
77 * Because _new() gets called from nat_new(), ipf_nat is held with a
78 * write lock so pass rw=1 to nat_outlookup().
80 if (nat_outlookup(fin, 0, IPPROTO_ESP, nat->nat_inip,
81 ip->ip_dst, 1) != NULL)
84 aps->aps_psiz = sizeof(*ipsec);
85 KMALLOCS(aps->aps_data, ipsec_pxy_t *, sizeof(*ipsec));
86 if (aps->aps_data == NULL)
89 ipsec = aps->aps_data;
90 bzero((char *)ipsec, sizeof(*ipsec));
93 * Create NAT rule against which the tunnel/transport mapping is
94 * created. This is required because the current NAT rule does not
95 * describe ESP but UDP instead.
97 ipn = &ipsec->ipsc_rule;
98 ipn->in_ifp = fin->fin_ifp;
102 ipn->in_nip = ntohl(nat->nat_outip.s_addr);
104 ipn->in_inip = nat->nat_inip.s_addr;
105 ipn->in_inmsk = 0xffffffff;
106 ipn->in_outip = nat->nat_outip.s_addr;
107 ipn->in_outmsk = 0xffffffff;
108 ipn->in_srcip = fin->fin_saddr;
109 ipn->in_srcmsk = 0xffffffff;
110 ipn->in_redir = NAT_MAP;
111 bcopy(nat->nat_ptr->in_ifname, ipn->in_ifname, sizeof(ipn->in_ifname));
112 ipn->in_p = IPPROTO_ESP;
114 bcopy((char *)fin, (char *)&fi, sizeof(fi));
115 fi.fin_fi.fi_p = IPPROTO_ESP;
116 fi.fin_fr = &ipsecfr;
120 ip->ip_p = IPPROTO_ESP;
121 fi.fin_fl &= ~FI_TCPUDP;
124 bcopy(ptr, ipsec->ipsc_icookie, sizeof(ipsec_cookie_t));
125 ptr += sizeof(ipsec_cookie_t);
126 bcopy(ptr, ipsec->ipsc_rcookie, sizeof(ipsec_cookie_t));
128 * The responder cookie should only be non-zero if the initiator
129 * cookie is non-zero. Therefore, it is safe to assume(!) that the
130 * cookies are both set after copying if the responder is non-zero.
132 if ((ipsec->ipsc_rcookie[0]|ipsec->ipsc_rcookie[1]) != 0)
133 ipsec->ipsc_rckset = 1;
135 nat->nat_age = 60; /* 30 seconds */
137 ipsec->ipsc_nat = nat_new(&fi, ip, ipn, &ipsec->ipsc_nat, FI_IGNOREPKT,
139 if (ipsec->ipsc_nat != NULL) {
142 ipsec->ipsc_state = fr_addstate(ip, &fi, &ipsec->ipsc_state,
143 FI_IGNOREPKT|FI_NORULE);
151 * For outgoing IKE packets. refresh timeouts for NAT & stat entries, if
152 * we can. If they have disappeared, recreate them.
154 int ippr_ipsec_out(fin, ip, aps, nat)
164 bcopy((char *)fin, (char *)&fi, sizeof(fi));
165 fi.fin_fi.fi_p = IPPROTO_ESP;
166 fi.fin_fr = &ipsecfr;
170 ip->ip_p = IPPROTO_ESP;
171 fi.fin_fl &= ~FI_TCPUDP;
173 ipsec = aps->aps_data;
176 * Update NAT timeout/create NAT if missing.
178 if (ipsec->ipsc_rckset == 0)
179 nat->nat_age = 60; /* 30 seconds */
180 if (ipsec->ipsc_nat != NULL)
181 ipsec->ipsc_nat->nat_age = nat->nat_age;
183 ipsec->ipsc_nat = nat_new(&fi, ip, &ipsec->ipsc_rule,
185 FI_IGNOREPKT, NAT_OUTBOUND);
188 * Update state timeout/create state if missing.
190 READ_ENTER(&ipf_state);
191 if (ipsec->ipsc_state != NULL) {
192 ipsec->ipsc_state->is_age = nat->nat_age;
193 RWLOCK_EXIT(&ipf_state);
195 RWLOCK_EXIT(&ipf_state);
198 ipsec->ipsc_state = fr_addstate(ip, &fi,
200 FI_IGNOREPKT|FI_NORULE);
209 * This extends the NAT matching to be based on the cookies associated with
210 * a session and found at the front of IKE packets. The cookies are always
211 * in the same order (not reversed depending on packet flow direction as with
212 * UDP/TCP port numbers).
214 int ippr_ipsec_match(fin, aps, nat)
224 if ((fin->fin_dlen < sizeof(cookies)) || (fin->fin_fl & FI_FRAG))
227 ipsec = aps->aps_data;
228 off = fin->fin_hlen + sizeof(udphdr_t);
233 copyout_mblk(m, off, sizeof(cookies), (char *)cookies);
235 m = *(mb_t **)fin->fin_mp;
236 m_copydata(m, off, sizeof(cookies), (char *)cookies);
239 m = *(mb_t **)fin->fin_mp;
240 bcopy((char *)m + off, cookies, sizeof(cookies));
243 if ((cookies[0] != ipsec->ipsc_icookie[0]) ||
244 (cookies[1] != ipsec->ipsc_icookie[1]))
247 if (ipsec->ipsc_rckset == 0) {
248 if ((cookies[2]|cookies[3]) == 0) {
249 nat->nat_age = 60; /* 30 seconds */
252 ipsec->ipsc_rckset = 1;
253 ipsec->ipsc_rcookie[0] = cookies[2];
254 ipsec->ipsc_rcookie[1] = cookies[3];
258 if ((cookies[2] != ipsec->ipsc_rcookie[0]) ||
259 (cookies[3] != ipsec->ipsc_rcookie[1]))
266 * clean up after ourselves.
268 void ippr_ipsec_del(aps)
273 ipsec = aps->aps_data;
277 * Don't delete it from here, just schedule it to be
280 if (ipsec->ipsc_nat != NULL) {
281 ipsec->ipsc_nat->nat_age = 1;
282 ipsec->ipsc_nat->nat_ptr = NULL;
285 READ_ENTER(&ipf_state);
286 if (ipsec->ipsc_state != NULL)
287 ipsec->ipsc_state->is_age = 1;
288 RWLOCK_EXIT(&ipf_state);
290 ipsec->ipsc_state = NULL;
291 ipsec->ipsc_nat = NULL;