|
1
|
diff --git a/sys/net/if_enc.c b/sys/net/if_enc.c
|
|
2
|
index dcb82f5..f3c34ad 100644
|
|
3
|
--- a/sys/net/if_enc.c
|
|
4
|
+++ b/sys/net/if_enc.c
|
|
5
|
@@ -52,6 +52,9 @@
|
|
6
|
#include <net/bpf.h>
|
|
7
|
#include <net/vnet.h>
|
|
8
|
|
|
9
|
+#include <altq/if_altq.h>
|
|
10
|
+#include <netpfil/pf/pf_mtag.h>
|
|
11
|
+
|
|
12
|
#include <netinet/in.h>
|
|
13
|
#include <netinet/in_systm.h>
|
|
14
|
#include <netinet/ip.h>
|
|
15
|
@@ -225,10 +228,11 @@ enc_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data)
|
|
16
|
}
|
|
17
|
|
|
18
|
int
|
|
19
|
-ipsec_filter(struct mbuf **mp, int dir, int flags)
|
|
20
|
+ipsec_filter(struct mbuf **mp, struct secasindex *saidx, int dir, int flags)
|
|
21
|
{
|
|
22
|
int error, i;
|
|
23
|
struct ip *ip;
|
|
24
|
+ struct pf_mtag *atag;
|
|
25
|
|
|
26
|
KASSERT(encif != NULL, ("%s: encif is null", __func__));
|
|
27
|
KASSERT(flags & (ENC_IN|ENC_OUT),
|
|
28
|
@@ -297,6 +301,9 @@ ipsec_filter(struct mbuf **mp, int dir, int flags)
|
|
29
|
if (error != 0)
|
|
30
|
goto bad;
|
|
31
|
|
|
32
|
+ if (saidx && (atag = pf_find_mtag(*mp)) != NULL)
|
|
33
|
+ saidx->qid = atag->qid;
|
|
34
|
+
|
|
35
|
return (error);
|
|
36
|
|
|
37
|
bad:
|
|
38
|
diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h
|
|
39
|
index 240083a..836a040 100644
|
|
40
|
--- a/sys/netipsec/ipsec.h
|
|
41
|
+++ b/sys/netipsec/ipsec.h
|
|
42
|
@@ -383,7 +383,7 @@ extern int m_striphdr(struct mbuf *m, int skip, int hlen);
|
|
43
|
#define ENC_AFTER 0x0002
|
|
44
|
#define ENC_IN 0x0100
|
|
45
|
#define ENC_OUT 0x0200
|
|
46
|
-extern int ipsec_filter(struct mbuf **, int, int);
|
|
47
|
+extern int ipsec_filter(struct mbuf **, struct secasindex *, int, int);
|
|
48
|
extern void ipsec_bpf(struct mbuf *, struct secasvar *, int, int);
|
|
49
|
#endif
|
|
50
|
#endif /* _KERNEL */
|
|
51
|
diff --git a/sys/netipsec/ipsec_input.c b/sys/netipsec/ipsec_input.c
|
|
52
|
index 23a4a5c..13313a7 100644
|
|
53
|
--- a/sys/netipsec/ipsec_input.c
|
|
54
|
+++ b/sys/netipsec/ipsec_input.c
|
|
55
|
@@ -475,7 +475,8 @@ ipsec4_common_input_cb(struct mbuf *m, struct secasvar *sav,
|
|
56
|
ipsec_bpf(m, sav, AF_INET, ENC_IN|ENC_BEFORE);
|
|
57
|
|
|
58
|
if (prot != IPPROTO_IPIP)
|
|
59
|
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
|
|
60
|
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
|
|
61
|
+ ENC_IN|ENC_BEFORE)) != 0)
|
|
62
|
return (error);
|
|
63
|
#endif
|
|
64
|
|
|
65
|
@@ -729,7 +730,8 @@ ipsec6_common_input_cb(struct mbuf *m, struct secasvar *sav, int skip, int proto
|
|
66
|
|
|
67
|
/* XXX-BZ does not make sense. */
|
|
68
|
if (prot != IPPROTO_IPIP)
|
|
69
|
- if ((error = ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_BEFORE)) != 0)
|
|
70
|
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_IN,
|
|
71
|
+ ENC_IN|ENC_BEFORE)) != 0)
|
|
72
|
return (error);
|
|
73
|
#endif
|
|
74
|
|
|
75
|
diff --git a/sys/netipsec/ipsec_output.c b/sys/netipsec/ipsec_output.c
|
|
76
|
index 19b27ec..5d5c2f6 100644
|
|
77
|
--- a/sys/netipsec/ipsec_output.c
|
|
78
|
+++ b/sys/netipsec/ipsec_output.c
|
|
79
|
@@ -43,6 +43,11 @@
|
|
80
|
#include <sys/errno.h>
|
|
81
|
#include <sys/syslog.h>
|
|
82
|
|
|
83
|
+#ifdef DEV_ENC
|
|
84
|
+#include <altq/if_altq.h>
|
|
85
|
+#include <netpfil/pf/pf_mtag.h>
|
|
86
|
+#endif
|
|
87
|
+
|
|
88
|
#include <net/if.h>
|
|
89
|
#include <net/pfil.h>
|
|
90
|
#include <net/route.h>
|
|
91
|
@@ -99,6 +104,7 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
|
92
|
struct m_tag *mtag;
|
|
93
|
struct secasvar *sav;
|
|
94
|
struct secasindex *saidx;
|
|
95
|
+ struct pf_mtag *atag = NULL;
|
|
96
|
int error;
|
|
97
|
|
|
98
|
IPSEC_ASSERT(m != NULL, ("null mbuf"));
|
|
99
|
@@ -190,6 +196,14 @@ ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr)
|
|
100
|
}
|
|
101
|
key_sa_recordxfer(sav, m); /* record data transfer */
|
|
102
|
|
|
103
|
+#ifdef DEV_ENC
|
|
104
|
+ if (saidx->qid && (atag = pf_find_mtag(m)) != NULL) {
|
|
105
|
+ atag->qid = saidx->qid;
|
|
106
|
+ /* add hints for ecn */
|
|
107
|
+ atag->af = saidx->dst.sa.sa_family;
|
|
108
|
+ atag->hdr = NULL; /* This should be safe! */
|
|
109
|
+ }
|
|
110
|
+#endif
|
|
111
|
/*
|
|
112
|
* We're done with IPsec processing, transmit the packet using the
|
|
113
|
* appropriate network protocol (IP or IPv6). SPD lookup will be
|
|
114
|
@@ -451,7 +465,8 @@ ipsec4_process_packet(
|
|
115
|
/* pass the mbuf to enc0 for bpf processing */
|
|
116
|
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_BEFORE);
|
|
117
|
/* pass the mbuf to enc0 for packet filtering */
|
|
118
|
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
|
|
119
|
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
|
|
120
|
+ ENC_OUT|ENC_BEFORE)) != 0)
|
|
121
|
goto bad;
|
|
122
|
#endif
|
|
123
|
|
|
124
|
@@ -556,7 +571,8 @@ ipsec4_process_packet(
|
|
125
|
/* pass the mbuf to enc0 for bpf processing */
|
|
126
|
ipsec_bpf(m, sav, AF_INET, ENC_OUT|ENC_AFTER);
|
|
127
|
/* pass the mbuf to enc0 for packet filtering */
|
|
128
|
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
|
|
129
|
+ if ((error = ipsec_filter(&m, &sav->sah->saidx, PFIL_OUT,
|
|
130
|
+ ENC_OUT|ENC_AFTER)) != 0)
|
|
131
|
goto bad;
|
|
132
|
#endif
|
|
133
|
|
|
134
|
@@ -814,7 +830,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
|
|
135
|
/* pass the mbuf to enc0 for bpf processing */
|
|
136
|
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_BEFORE);
|
|
137
|
/* pass the mbuf to enc0 for packet filtering */
|
|
138
|
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_BEFORE)) != 0)
|
|
139
|
+ if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
|
|
140
|
+ ENC_OUT|ENC_BEFORE)) != 0)
|
|
141
|
goto bad;
|
|
142
|
#endif
|
|
143
|
|
|
144
|
@@ -890,7 +907,8 @@ ipsec6_output_tunnel(struct ipsec_output_state *state, struct secpolicy *sp, int
|
|
145
|
/* pass the mbuf to enc0 for bpf processing */
|
|
146
|
ipsec_bpf(m, isr->sav, AF_INET6, ENC_OUT|ENC_AFTER);
|
|
147
|
/* pass the mbuf to enc0 for packet filtering */
|
|
148
|
- if ((error = ipsec_filter(&m, PFIL_OUT, ENC_OUT|ENC_AFTER)) != 0)
|
|
149
|
+ if ((error = ipsec_filter(&m, &isr->sav->sah->saidx, PFIL_OUT,
|
|
150
|
+ ENC_OUT|ENC_AFTER)) != 0)
|
|
151
|
goto bad;
|
|
152
|
#endif
|
|
153
|
|
|
154
|
diff --git a/sys/netipsec/keydb.h b/sys/netipsec/keydb.h
|
|
155
|
index 7494f5f..f22230b 100644
|
|
156
|
--- a/sys/netipsec/keydb.h
|
|
157
|
+++ b/sys/netipsec/keydb.h
|
|
158
|
@@ -58,6 +58,8 @@ struct secasindex {
|
|
159
|
u_int8_t mode; /* mode of protocol, see ipsec.h */
|
|
160
|
u_int32_t reqid; /* reqid id who owned this SA */
|
|
161
|
/* see IPSEC_MANUAL_REQID_MAX. */
|
|
162
|
+ u_int32_t qid; /* used for ALTQ shaping inside */
|
|
163
|
+ /* tunnel */
|
|
164
|
};
|
|
165
|
|
|
166
|
/*
|
|
167
|
diff --git a/sys/netipsec/xform_ipip.c b/sys/netipsec/xform_ipip.c
|
|
168
|
index 1d2aff2..b630df4 100644
|
|
169
|
--- a/sys/netipsec/xform_ipip.c
|
|
170
|
+++ b/sys/netipsec/xform_ipip.c
|
|
171
|
@@ -371,7 +371,7 @@ _ipip_input(struct mbuf *m, int iphlen, struct ifnet *gifp)
|
|
172
|
panic("%s: bogus ip version %u", __func__, v>>4);
|
|
173
|
}
|
|
174
|
/* pass the mbuf to enc0 for packet filtering */
|
|
175
|
- if (ipsec_filter(&m, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
|
|
176
|
+ if (ipsec_filter(&m, NULL, PFIL_IN, ENC_IN|ENC_AFTER) != 0)
|
|
177
|
return;
|
|
178
|
#endif
|
|
179
|
|