? sys/net/if_macsec.c ? sys/net/if_macsec.h ? sys/net/if_tg.c Index: sbin/ipsecctl/ike.c =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ike.c,v retrieving revision 1.83 diff -u -p -r1.83 ike.c --- sbin/ipsecctl/ike.c 25 Jun 2022 20:33:40 -0000 1.83 +++ sbin/ipsecctl/ike.c 17 May 2023 12:17:19 -0000 @@ -148,6 +148,10 @@ ike_section_ipsec(struct ipsec_rule *r, if (r->tag) fprintf(fd, SET "[%s]:PF-Tag=%s force\n", r->p2name, r->tag); + if (r->flags & IPSEC_RULE_F_IFACE) { + fprintf(fd, SET "[%s]:Interface=%u force\n", r->p2name, + r->iface); + } } static int Index: sbin/ipsecctl/ipsecctl.h =================================================================== RCS file: /cvs/src/sbin/ipsecctl/ipsecctl.h,v retrieving revision 1.75 diff -u -p -r1.75 ipsecctl.h --- sbin/ipsecctl/ipsecctl.h 22 Oct 2021 12:30:54 -0000 1.75 +++ sbin/ipsecctl/ipsecctl.h 17 May 2023 12:17:19 -0000 @@ -178,6 +178,9 @@ TAILQ_HEAD(dst_bundle_queue, ipsec_rule) struct ipsec_rule { u_int8_t type; + unsigned int flags; +#define IPSEC_RULE_F_IFACE (1 << 0) /* iface is valid */ + struct ipsec_addr_wrap *src; struct ipsec_addr_wrap *dst; struct ipsec_addr_wrap *dst2; @@ -215,6 +218,7 @@ struct ipsec_rule { u_int32_t spi; u_int32_t spi2; u_int32_t nr; + unsigned int iface; TAILQ_ENTRY(ipsec_rule) rule_entry; TAILQ_ENTRY(ipsec_rule) bundle_entry; Index: sbin/ipsecctl/parse.y =================================================================== RCS file: /cvs/src/sbin/ipsecctl/parse.y,v retrieving revision 1.182 diff -u -p -r1.182 parse.y --- sbin/ipsecctl/parse.y 19 Apr 2023 13:33:37 -0000 1.182 +++ sbin/ipsecctl/parse.y 17 May 2023 12:17:19 -0000 @@ -232,6 +232,7 @@ struct ipsec_transforms *ipsec_transform typedef struct { union { int64_t number; + uint32_t unit; u_int8_t ikemode; u_int8_t dir; u_int8_t satype; /* encapsulating prococol */ @@ -284,9 +285,10 @@ typedef struct { %token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE %token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFETIME %token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT TAG -%token INCLUDE BUNDLE UDPENCAP +%token INCLUDE BUNDLE UDPENCAP INTERFACE %token STRING %token NUMBER +%type iface %type string %type dir %type satype @@ -401,6 +403,41 @@ ikerule : IKE ikemode satype tmode prot if (expand_rule(r, &$7, 0, 0, NULL, NULL, NULL)) errx(1, "ikerule: expand_rule"); } + + /* ike interface sec0 local $h_self peer $h_s2s1 ... */ + | IKE ikemode iface peers + phase1mode phase2mode ids ikeauth { + uint8_t proto = 0; // IPPROTO_IPIP; + struct ipsec_hosts hosts; + struct ike_mode *phase1mode = $5; + struct ike_mode *phase2mode = $6; + uint8_t satype = IPSEC_ESP; + uint8_t tmode = IPSEC_TUNNEL; + uint8_t mode = $2; + struct ike_auth *authtype = &$8; + char *tag = NULL; + + struct ipsec_rule *r; + + hosts.src = host_v4("0.0.0.0/0", 1); + hosts.sport = htons(0); + hosts.dst = host_v4("0.0.0.0/0", 1); + hosts.dport = htons(0); + + r = create_ike(proto, &hosts, phase1mode, phase2mode, + satype, tmode, mode, $7.srcid, $7.dstid, + authtype, tag); + if (r == NULL) { + YYERROR; + } + + r->flags |= IPSEC_RULE_F_IFACE; + r->iface = $3; + + if (expand_rule(r, &$4, 0, 0, NULL, NULL, NULL)) + errx(1, "ikerule: expand interface rule"); + + } ; satype : /* empty */ { $$ = IPSEC_ESP; } @@ -909,6 +946,30 @@ tag : /* empty */ } ; +iface : INTERFACE STRING { + static const char prefix[] = "sec"; + const char *errstr = NULL; + size_t len, plen; + + plen = strlen(prefix); + len = strlen($2); + + if (len <= plen || memcmp($2, prefix, plen) != 0) { + yyerror("invalid %s interface name", prefix); + free($2); + YYERROR; + } + + $$ = strtonum($2 + plen, 0, UINT_MAX, &errstr); + free($2); + if (errstr != NULL) { + yyerror("invalid %s interface unit: %s", + prefix, errstr); + YYERROR; + } + } + ; + string : string STRING { if (asprintf(&$$, "%s %s", $1, $2) == -1) @@ -1009,6 +1070,7 @@ lookup(char *s) { "ike", IKE }, { "in", IN }, { "include", INCLUDE }, + { "interface", INTERFACE }, { "ipcomp", IPCOMP }, { "ipip", IPIP }, { "lifetime", LIFETIME }, @@ -2216,6 +2278,7 @@ copyrule(struct ipsec_rule *rule) r->enckey = copykey(rule->enckey); r->tag = copytag(rule->tag); + r->flags = rule->flags; r->p1ie = rule->p1ie; r->p2ie = rule->p2ie; r->type = rule->type; @@ -2231,6 +2294,7 @@ copyrule(struct ipsec_rule *rule) r->udpencap = rule->udpencap; r->udpdport = rule->udpdport; r->nr = rule->nr; + r->iface = rule->iface; return (r); } Index: sbin/isakmpd/ipsec.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/ipsec.c,v retrieving revision 1.152 diff -u -p -r1.152 ipsec.c --- sbin/isakmpd/ipsec.c 16 Jan 2022 14:30:11 -0000 1.152 +++ sbin/isakmpd/ipsec.c 17 May 2023 12:17:19 -0000 @@ -38,6 +38,7 @@ #include #include #include +#include #include #include @@ -131,6 +132,7 @@ static int ipsec_validate_transform static int ipsec_sa_check_flow(struct sa *, void *); static int ipsec_sa_check_flow_any(struct sa *, void *); static int ipsec_sa_tag(struct exchange *, struct sa *, struct sa *); +static int ipsec_sa_iface(struct exchange *, struct sa *, struct sa *); static struct doi ipsec_doi = { {0}, IPSEC_DOI_IPSEC, @@ -272,6 +274,12 @@ ipsec_sa_check_flow_any(struct sa *sa, v isa->dport != isa2->dport) return 0; + if ((sa->flags & SA_FLAG_IFACE) != (sa2->flags & SA_FLAG_IFACE)) + return 0; + + if (sa->flags & SA_FLAG_IFACE) + return sa->iface == sa2->iface; + /* * If at least one of the IPsec SAs is incomplete, we're done. */ @@ -379,6 +387,30 @@ ipsec_sa_tag(struct exchange *exchange, return (error); } +static int +ipsec_sa_iface(struct exchange *exchange, struct sa *sa, struct sa *isakmp_sa) +{ + char *section, *value; + const char *errstr = NULL; + + sa->tag = NULL; + + if (exchange->name == NULL || + (section = exchange->name) == NULL || + (value = conf_get_str(section, "Interface")) == NULL) + return (0); /* ignore if not present */ + + sa->iface = strtonum(value, 0, UINT_MAX, &errstr); + if (errstr != NULL) { + log_error("[%s]:Interface %s", section, errstr); + return (-1); + } + + sa->flags |= SA_FLAG_IFACE; + + return (0); +} + /* * Do IPsec DOI specific finalizations task for the exchange where MSG was * the final message. @@ -461,6 +493,9 @@ ipsec_finalize_exchange(struct message * } if (ipsec_sa_tag(exchange, sa, isakmp_sa) == -1) + return; + + if (ipsec_sa_iface(exchange, sa, isakmp_sa) == -1) return; for (proto = TAILQ_FIRST(&sa->protos), Index: sbin/isakmpd/ipsec.h =================================================================== RCS file: /cvs/src/sbin/isakmpd/ipsec.h,v retrieving revision 1.27 diff -u -p -r1.27 ipsec.h --- sbin/isakmpd/ipsec.h 8 Nov 2017 13:33:49 -0000 1.27 +++ sbin/isakmpd/ipsec.h 17 May 2023 12:17:19 -0000 @@ -144,6 +144,7 @@ struct ipsec_proto { extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t); extern int ipsec_ah_keylength(struct proto *); extern u_int8_t *ipsec_build_id(char *, size_t *); +extern u_int8_t *ipsec_build_interface_id(size_t *); extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); extern void ipsec_decode_transform(struct message *, struct sa *, Index: sbin/isakmpd/pf_key_v2.c =================================================================== RCS file: /cvs/src/sbin/isakmpd/pf_key_v2.c,v retrieving revision 1.204 diff -u -p -r1.204 pf_key_v2.c --- sbin/isakmpd/pf_key_v2.c 31 Jan 2022 23:51:15 -0000 1.204 +++ sbin/isakmpd/pf_key_v2.c 17 May 2023 12:17:19 -0000 @@ -1378,6 +1378,23 @@ nodid: goto cleanup; } + if (sa->flags & SADB_X_EXT_IFACE) { + struct sadb_x_iface *siface; + + len = sizeof(*siface); + siface = calloc(1, len); + if (siface == NULL) + goto cleanup; + + siface->sadb_x_iface_len = len / PF_KEY_V2_CHUNK; + siface->sadb_x_iface_exttype = SADB_X_EXT_IFACE; + siface->sadb_x_iface_unit = sa->iface; + + if (pf_key_v2_msg_add(update, (struct sadb_ext *)siface, + PF_KEY_V2_NODE_MALLOCED) == -1) + goto cleanup; + } + /* XXX Here can sensitivity extensions be setup. */ if (sockaddr2text(dst, &addr_str, 0)) Index: sbin/isakmpd/sa.h =================================================================== RCS file: /cvs/src/sbin/isakmpd/sa.h,v retrieving revision 1.54 diff -u -p -r1.54 sa.h --- sbin/isakmpd/sa.h 15 Jan 2018 09:54:48 -0000 1.54 +++ sbin/isakmpd/sa.h 17 May 2023 12:17:19 -0000 @@ -211,6 +211,9 @@ struct sa { /* The add a pf tag to packets matching the established SA. */ char *tag; + + /* IPsec with Interface SAs, enabled with SA_FLAG_IFACE */ + unsigned int iface; }; /* This SA is alive. */ @@ -243,6 +246,9 @@ struct sa { /* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange. */ #define SA_FLAG_NAT_T_ENABLE 0x100 #define SA_FLAG_NAT_T_KEEPALIVE 0x200 + +/* Policy is handled by routing/filtering on the specified iface */ +#define SA_FLAG_IFACE 0x400 extern void proto_free(struct proto * proto); extern int sa_add_transform(struct sa *, struct payload *, int, Index: sbin/ping/ping.c =================================================================== RCS file: /cvs/src/sbin/ping/ping.c,v retrieving revision 1.248 diff -u -p -r1.248 ping.c --- sbin/ping/ping.c 1 Dec 2022 07:34:06 -0000 1.248 +++ sbin/ping/ping.c 17 May 2023 12:17:19 -0000 @@ -153,6 +153,7 @@ int options; #define F_TOS 0x1000 #define F_AUD_RECV 0x2000 #define F_AUD_MISS 0x4000 +#define F_SO_TSTAMP 0x8000 /* multicast options */ int moptions; @@ -217,6 +218,8 @@ const char *pr_addr(struct sockaddr *, void pr_pack(u_char *, int, struct msghdr *); __dead void usage(void); +int get_tstamp(struct msghdr *, struct timespec *); + /* IPv4 specific functions */ void pr_ipopt(int, u_char *); int in_cksum(u_short *, int); @@ -297,8 +300,8 @@ main(int argc, char *argv[]) preload = 0; datap = &outpack[ECHOLEN + ECHOTMLEN]; while ((ch = getopt(argc, argv, v6flag ? - "c:DdEefgHh:I:i:Ll:mNnp:qS:s:T:V:vw:" : - "DEI:LRS:c:defgHi:l:np:qs:T:t:V:vw:")) != -1) { + "c:DdEefHh:I:i:Ll:mNnp:qS:s:T:V:vw:x" : + "DEI:LRS:c:defHi:l:np:qs:T:t:V:vw:x")) != -1) { switch(ch) { case 'c': npackets = strtonum(optarg, 0, INT64_MAX, &errstr); @@ -432,6 +435,9 @@ main(int argc, char *argv[]) errx(1, "maxwait value is %s: %s", errstr, optarg); break; + case 'x': + options |= F_SO_TSTAMP; + break; default: usage(); } @@ -570,6 +576,13 @@ main(int argc, char *argv[]) (void)setsockopt(s, SOL_SOCKET, SO_DEBUG, &optval, sizeof(optval)); + if (options & F_SO_TSTAMP) { + optval = 1; + if (setsockopt(s, SOL_SOCKET, SO_MONOSTAMP, + &optval, sizeof(optval)) == -1) + warn("setsockopt SO_MONOSTAMP"); + } + if ((options & F_FLOOD) && (options & F_INTERVAL)) errx(1, "-f and -i options are incompatible"); @@ -1204,11 +1217,12 @@ pr_pack(u_char *buf, int cc, struct msgh struct ip *ip = NULL; struct icmp *icp = NULL; struct icmp6_hdr *icp6 = NULL; - struct timespec ts, tp; + struct timespec ts, tp, diff; struct payload payload; struct sockaddr *from; socklen_t fromlen; double triptime = 0; + int64_t xtriptime = 0; int i, dupflag; int hlen = -1, hoplim = -1, echo_reply = 0; u_int16_t seq; @@ -1315,15 +1329,25 @@ pr_pack(u_char *buf, int cc, struct msgh tp.tv_nsec = betoh64(tv64->tv64_nsec) - tv64_offset.tv64_nsec; - timespecsub(&ts, &tp, &ts); - triptime = ((double)ts.tv_sec) * 1000.0 + - ((double)ts.tv_nsec) / 1000000.0; + timespecsub(&ts, &tp, &diff); + triptime = ((double)diff.tv_sec) * 1000.0 + + ((double)diff.tv_nsec) / 1000000.0; tsum += triptime; tsumsq += triptime * triptime; if (triptime < tmin) tmin = triptime; if (triptime > tmax) tmax = triptime; + + if (options & F_SO_TSTAMP && + get_tstamp(mhdr, &ts) != -1) { + uint64_t tsnsec = ts.tv_sec * 1000000000 + + ts.tv_nsec; + uint64_t tpnsec = tp.tv_sec * 1000000000 + + tp.tv_nsec; + + xtriptime = tsnsec - tpnsec; + } } if (TST(ntohs(seq) % mx_dup_ck)) { @@ -1356,6 +1380,10 @@ pr_pack(u_char *buf, int cc, struct msgh printf(" ttl=%d", ip->ip_ttl); if (cc >= ECHOLEN + ECHOTMLEN) printf(" time=%.3f ms", triptime); + if (options & F_SO_TSTAMP) { + printf(" xtime=%.3f ms", + (double)xtriptime / 1000000.0); + } if (dupflag) printf(" (DUP!)"); /* check the data */ @@ -1963,6 +1991,27 @@ get_hoplim(struct msghdr *mhdr) cm->cmsg_type == IPV6_HOPLIMIT && cm->cmsg_len == CMSG_LEN(sizeof(int))) return(*(int *)CMSG_DATA(cm)); + } + + return(-1); +} + +int +get_tstamp(struct msghdr *mhdr, struct timespec *ts) +{ + struct cmsghdr *cm; + + for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(mhdr); cm; + cm = (struct cmsghdr *)CMSG_NXTHDR(mhdr, cm)) { + if (cm->cmsg_len == 0) + return(-1); + + if (cm->cmsg_level == SOL_SOCKET && + cm->cmsg_type == SCM_MONOSTAMP && + cm->cmsg_len == CMSG_LEN(sizeof(*ts))) { + *ts = *(struct timespec *)CMSG_DATA(cm); + return (0); + } } return(-1); Index: sys/conf/GENERIC =================================================================== RCS file: /cvs/src/sys/conf/GENERIC,v retrieving revision 1.288 diff -u -p -r1.288 GENERIC --- sys/conf/GENERIC 27 Mar 2023 09:39:21 -0000 1.288 +++ sys/conf/GENERIC 17 May 2023 12:17:21 -0000 @@ -90,6 +90,7 @@ pseudo-device veb # virtual Ethernet br pseudo-device carp # CARP protocol support pseudo-device etherip # EtherIP (RFC 3378) pseudo-device gif # IPv[46] over IPv[46] tunnel (RFC1933) +pseudo-device sec # route based IPsec VPN interface pseudo-device gre # GRE encapsulation interface pseudo-device loop # network loopback pseudo-device mpe # MPLS PE interface Index: sys/conf/files =================================================================== RCS file: /cvs/src/sys/conf/files,v retrieving revision 1.724 diff -u -p -r1.724 files --- sys/conf/files 23 Apr 2023 00:20:26 -0000 1.724 +++ sys/conf/files 17 May 2023 12:17:21 -0000 @@ -572,6 +572,7 @@ pseudo-device vlan: ifnet, ether pseudo-device carp: ifnet, ether pseudo-device sppp: ifnet pseudo-device gif: ifnet +pseudo-device sec: ifnet pseudo-device gre: ifnet, ether, etherbridge pseudo-device crypto: ifnet pseudo-device trunk: ifnet, ether, ifmedia @@ -1006,6 +1007,7 @@ file uvm/uvm_vnode.c # IPv6 file net/if_gif.c gif needs-count +file net/if_sec.c sec needs-count file netinet/ip_ecn.c file netinet6/in6_pcb.c inet6 file netinet6/in6.c inet6 Index: sys/net/if_sec.c =================================================================== RCS file: sys/net/if_sec.c diff -N sys/net/if_sec.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/net/if_sec.c 17 May 2023 12:17:24 -0000 @@ -0,0 +1,439 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2022 The University of Queensland + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code was written by David Gwynne as part + * of the Information Technology Infrastructure Group (ITIG) in the + * Faculty of Engineering, Architecture and Information Technology + * (EAIT). + */ + +#ifndef IPSEC +#error sec enabled without IPSEC defined +#endif + +#include "bpfilter.h" +#include "pf.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#ifdef INET6 +#include +#include +#include +#endif + +#ifdef MPLS +#include +#endif /* MPLS */ + +#if NBPFILTER > 0 +#include +#endif + +#if NPF > 0 +#include +#endif + +#define SEC_MTU 1280 +#define SEC_MTU_MIN 1280 +#define SEC_MTU_MAX 32768 /* could get closer to 64k... */ + +struct sec_softc { + struct ifnet sc_if; + + struct task sc_send; + + unsigned int sc_unit; + SMR_SLIST_ENTRY(sec_softc) sc_entry; + struct refcnt sc_refs; +}; + +SMR_SLIST_HEAD(sec_bucket, sec_softc); + +static int sec_output(struct ifnet *, struct mbuf *, struct sockaddr *, + struct rtentry *); +static int sec_enqueue(struct ifnet *, struct mbuf *); +static void sec_send(void *); +static void sec_start(struct ifnet *); + +static int sec_ioctl(struct ifnet *, u_long, caddr_t); +static int sec_up(struct sec_softc *); +static int sec_down(struct sec_softc *); + +static int sec_clone_create(struct if_clone *, int); +static int sec_clone_destroy(struct ifnet *); + +static struct if_clone sec_cloner = + IF_CLONE_INITIALIZER("sec", sec_clone_create, sec_clone_destroy); + +static struct sec_bucket sec_map[256] __aligned(CACHELINESIZE); + +void +secattach(int n) +{ + if_clone_attach(&sec_cloner); +} + +static int +sec_clone_create(struct if_clone *ifc, int unit) +{ + struct sec_softc *sc; + struct ifnet *ifp; + + sc = malloc(sizeof(*sc), M_DEVBUF, M_WAITOK|M_ZERO); + + sc->sc_unit = unit; + + task_set(&sc->sc_send, sec_send, sc); + + snprintf(sc->sc_if.if_xname, sizeof sc->sc_if.if_xname, "%s%d", + ifc->ifc_name, unit); + + ifp = &sc->sc_if; + ifp->if_softc = sc; + ifp->if_type = IFT_TUNNEL; + ifp->if_mtu = SEC_MTU; + ifp->if_flags = IFF_POINTOPOINT|IFF_MULTICAST; + ifp->if_xflags = IFXF_CLONED; + ifp->if_bpf_mtap = p2p_bpf_mtap; + ifp->if_input = p2p_input; + ifp->if_output = sec_output; + ifp->if_enqueue = sec_enqueue; + ifp->if_start = sec_start; + ifp->if_ioctl = sec_ioctl; + ifp->if_rtrequest = p2p_rtrequest; + + if_counters_alloc(ifp); + if_attach(ifp); + if_alloc_sadl(ifp); + +#if NBPFILTER > 0 + bpfattach(&ifp->if_bpf, ifp, DLT_LOOP, sizeof(uint32_t)); +#endif + + return (0); +} + +static int +sec_clone_destroy(struct ifnet *ifp) +{ + struct sec_softc *sc = ifp->if_softc; + + NET_LOCK(); + if (ISSET(ifp->if_flags, IFF_RUNNING)) + sec_down(sc); + NET_UNLOCK(); + + if_detach(ifp); + + free(sc, M_DEVBUF, sizeof(*sc)); + + return (0); +} + +static int +sec_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data) +{ + struct sec_softc *sc = ifp->if_softc; + struct ifreq *ifr = (struct ifreq *)data; + int error = 0; + + switch (cmd) { + case SIOCSIFADDR: + break; + + case SIOCSIFFLAGS: + if (ISSET(ifp->if_flags, IFF_UP)) { + if (!ISSET(ifp->if_flags, IFF_RUNNING)) + error = sec_up(sc); + else + error = 0; + } else { + if (ISSET(ifp->if_flags, IFF_RUNNING)) + error = sec_down(sc); + } + break; + + case SIOCADDMULTI: + case SIOCDELMULTI: + break; + + case SIOCSIFMTU: + if (ifr->ifr_mtu < SEC_MTU_MIN || + ifr->ifr_mtu > SEC_MTU_MAX) { + error = EINVAL; + break; + } + + ifp->if_mtu = ifr->ifr_mtu; + break; + + default: + error = ENOTTY; + break; + } + + return (error); +} + +static int +sec_up(struct sec_softc *sc) +{ + struct ifnet *ifp = &sc->sc_if; + unsigned int idx = stoeplitz_h32(sc->sc_unit) % nitems(sec_map); + + NET_ASSERT_LOCKED(); + + SET(ifp->if_flags, IFF_RUNNING); + refcnt_init(&sc->sc_refs); + + SMR_SLIST_INSERT_HEAD_LOCKED(&sec_map[idx], sc, sc_entry); + + return (0); +} + +static int +sec_down(struct sec_softc *sc) +{ + struct ifnet *ifp = &sc->sc_if; + unsigned int idx = stoeplitz_h32(sc->sc_unit) % nitems(sec_map); + + NET_ASSERT_LOCKED(); + + CLR(ifp->if_flags, IFF_RUNNING); + + SMR_SLIST_REMOVE_LOCKED(&sec_map[idx], sc, sec_softc, sc_entry); + + smr_barrier(); + taskq_del_barrier(systq, &sc->sc_send); + + refcnt_finalize(&sc->sc_refs, "secdown"); + + return (0); +} + +static int +sec_output(struct ifnet *ifp, struct mbuf *m, struct sockaddr *dst, + struct rtentry *rt) +{ + struct m_tag *mtag; + int error = 0; + + if (!ISSET(ifp->if_flags, IFF_RUNNING)) { + error = ENETDOWN; + goto drop; + } + + switch (dst->sa_family) { + case AF_INET: +#ifdef INET6 + case AF_INET6: +#endif +#ifdef MPLS + case AF_MPLS: +#endif + break; + default: + error = EAFNOSUPPORT; + goto drop; + } + + mtag = NULL; + while ((mtag = m_tag_find(m, PACKET_TAG_GRE, mtag)) != NULL) { + if (ifp->if_index == *(int *)(mtag + 1)) { + error = EIO; + goto drop; + } + } + + m->m_pkthdr.ph_family = dst->sa_family; + + error = if_enqueue(ifp, m); + if (error != 0) + counters_inc(ifp->if_counters, ifc_oerrors); + + return (error); + +drop: + m_freem(m); + return (error); +} + +static int +sec_enqueue(struct ifnet *ifp, struct mbuf *m) +{ + struct sec_softc *sc = ifp->if_softc; + struct ifqueue *ifq = &ifp->if_snd; + int error; + + error = ifq_enqueue(ifq, m); + if (error) + return (error); + + task_add(systq, &sc->sc_send); + + return (0); +} + +static void +sec_send(void *arg) +{ + struct sec_softc *sc = arg; + struct ifnet *ifp = &sc->sc_if; + struct ifqueue *ifq = &ifp->if_snd; +#if 0 + struct tdb *tdbp; + struct mbuf *m; + int error; + + if (!ISSET(ifp->if_flags, IFF_RUNNING)) + return; + + tdbp = gettdbbyiface(sc->sc_rdomain, &sc->sc_dst, IPPROTO_ESP, + NULL, /* filter */ NULL, /* filtermask */ NULL); /* XXX */ + if (tdbp == NULL) + goto purge; + if (ISSET(tdbp->tdb_flags, TDBF_DELETED) || + !ISSET(tdbp->tdb_flags, TDBF_TUNNELING)) { + tdb_unref(tdbp); + goto purge; + } + + NET_LOCK(); + while ((m = ifq_dequeue(ifq)) != NULL) { + CLR(m->m_flags, M_BCAST|M_MCAST); + +#if NPF > 0 + pf_pkt_addr_changed(m); +#endif + + error = ipsp_process_packet(m, tdbp, + m->m_pkthdr.ph_family, /* already tunnelled? */ 0); + if (error != 0) + counters_inc(ifp->if_counters, ifc_oerrors); + } + NET_UNLOCK(); + + tdb_unref(tdbp); + return; + +purge: +#endif + counters_add(ifp->if_counters, ifc_oerrors, ifq_purge(ifq)); +} + +static void +sec_start(struct ifnet *ifp) +{ + counters_add(ifp->if_counters, ifc_oerrors, ifq_purge(&ifp->if_snd)); +} + +struct sec_softc * +sec_get(unsigned int unit) +{ + unsigned int idx = stoeplitz_h32(unit) % nitems(sec_map); + struct sec_bucket *sb = &sec_map[idx]; + struct sec_softc *sc; + + smr_read_enter(); + SMR_SLIST_FOREACH(sc, sb, sc_entry) { + if (sc->sc_unit == unit) { + refcnt_take(&sc->sc_refs); + break; + } + } + smr_read_leave(); + + return (sc); +} + +void +sec_input(struct sec_softc *sc, int af, int proto, struct mbuf *m) +{ + struct ip *iph; + int hlen; + + switch (af) { + case AF_INET: + iph = mtod(m, struct ip *); + hlen = iph->ip_hl << 2; + break; +#ifdef INET6 + case AF_INET6: + hlen = sizeof(struct ip6_hdr); + break; +#endif + default: + unhandled_af(af); + } + + m_adj(m, hlen); + + switch (proto) { + case IPPROTO_IPV4: + af = AF_INET; + break; + case IPPROTO_IPV6: + af = AF_INET6; + break; + case IPPROTO_MPLS: + af = AF_MPLS; + break; + default: + af = AF_UNSPEC; + break; + } + + m->m_pkthdr.ph_family = af; + + if_vinput(&sc->sc_if, m); +} + +void +sec_put(struct sec_softc *sc) +{ + refcnt_rele_wake(&sc->sc_refs); +} Index: sys/net/if_sec.h =================================================================== RCS file: sys/net/if_sec.h diff -N sys/net/if_sec.h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ sys/net/if_sec.h 17 May 2023 12:17:24 -0000 @@ -0,0 +1,31 @@ +/* $OpenBSD$ */ + +/* + * Copyright (c) 2023 David Gwynne + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _NET_IF_SEC_H +#define _NET_IF_SEC_H + +#ifdef _KERNEL +struct sec_softc; + +struct sec_softc *sec_get(unsigned int); +void sec_input(struct sec_softc * , int, int, + struct mbuf *); +void sec_put(struct sec_softc *); +#endif /* _KERNEL */ + +#endif /* _NET_IF_SEC_H */ Index: sys/net/pfkeyv2.c =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2.c,v retrieving revision 1.256 diff -u -p -r1.256 pfkeyv2.c --- sys/net/pfkeyv2.c 22 Apr 2023 20:51:56 -0000 1.256 +++ sys/net/pfkeyv2.c 17 May 2023 12:17:24 -0000 @@ -69,6 +69,7 @@ */ #include "pf.h" +#include "sec.h" #include #include @@ -868,6 +869,11 @@ pfkeyv2_get(struct tdb *tdb, void **head i += sizeof(struct sadb_x_tap); #endif +#if NSEC > 0 + if (ISSET(tdb->tdb_flags, TDBF_IFACE)) + i += sizeof(struct sadb_x_iface); +#endif + if (lenp) *lenp = i; @@ -979,6 +985,14 @@ pfkeyv2_get(struct tdb *tdb, void **head } #endif +#if NSEC > 0 + /* Export sec(4) interface information, if present */ + if (ISSET(tdb->tdb_flags, TDBF_IFACE)) { + headers[SADB_X_EXT_IFACE] = p; + export_iface(&p, tdb); + } +#endif + headers[SADB_X_EXT_COUNTER] = p; export_counter(&p, tdb); @@ -1360,6 +1374,9 @@ pfkeyv2_dosend(struct socket *so, void * import_tag(newsa, headers[SADB_X_EXT_TAG]); import_tap(newsa, headers[SADB_X_EXT_TAP]); #endif +#if NSEC > 0 + import_iface(newsa, headers[SADB_X_EXT_IFACE]); +#endif /* Exclude sensitive data from reply message. */ headers[SADB_EXT_KEY_AUTH] = NULL; @@ -1411,6 +1428,9 @@ pfkeyv2_dosend(struct socket *so, void * import_tag(sa2, headers[SADB_X_EXT_TAG]); import_tap(sa2, headers[SADB_X_EXT_TAP]); #endif +#if NSEC > 0 + import_iface(sa2, headers[SADB_X_EXT_IFACE]); +#endif if (headers[SADB_EXT_ADDRESS_SRC] || headers[SADB_EXT_ADDRESS_PROXY]) { mtx_enter(&tdb_sadb_mtx); @@ -1534,6 +1554,9 @@ pfkeyv2_dosend(struct socket *so, void * #if NPF > 0 import_tag(newsa, headers[SADB_X_EXT_TAG]); import_tap(newsa, headers[SADB_X_EXT_TAP]); +#endif +#if NSEC > 0 + import_iface(newsa, headers[SADB_X_EXT_IFACE]); #endif /* Exclude sensitive data from reply message. */ Index: sys/net/pfkeyv2.h =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2.h,v retrieving revision 1.93 diff -u -p -r1.93 pfkeyv2.h --- sys/net/pfkeyv2.h 27 Aug 2022 20:28:01 -0000 1.93 +++ sys/net/pfkeyv2.h 17 May 2023 12:17:24 -0000 @@ -252,6 +252,12 @@ struct sadb_x_mtu { uint32_t sadb_x_mtu_mtu; }; +struct sadb_x_iface { + uint16_t sadb_x_iface_len; + uint16_t sadb_x_iface_exttype; + uint32_t sadb_x_iface_unit; +}; + #ifdef _KERNEL #define SADB_X_GETSPROTO(x) \ ( (x) == SADB_SATYPE_AH ? IPPROTO_AH :\ @@ -300,7 +306,8 @@ struct sadb_x_mtu { #define SADB_X_EXT_RDOMAIN 37 #define SADB_X_EXT_MTU 38 #define SADB_X_EXT_REPLAY 39 -#define SADB_EXT_MAX 39 +#define SADB_X_EXT_IFACE 40 +#define SADB_EXT_MAX 40 /* Fix pfkeyv2.c struct pfkeyv2_socket if SATYPE_MAX > 31 */ #define SADB_SATYPE_UNSPEC 0 @@ -438,6 +445,7 @@ void export_mtu(void **, struct tdb *); void export_tap(void **, struct tdb *); void export_satype(void **, struct tdb *); void export_counter(void **, struct tdb *); +void export_iface(void **, struct tdb *); void import_address(struct sockaddr *, struct sadb_address *); void import_identities(struct ipsec_ids **, int, struct sadb_ident *, @@ -452,6 +460,7 @@ void import_udpencap(struct tdb *, struc void import_tag(struct tdb *, struct sadb_x_tag *); void import_rdomain(struct tdb *, struct sadb_x_rdomain *); void import_tap(struct tdb *, struct sadb_x_tap *); +void import_iface(struct tdb *, struct sadb_x_iface *); extern const uint64_t sadb_exts_allowed_out[SADB_MAX+1]; extern const uint64_t sadb_exts_required_out[SADB_MAX+1]; Index: sys/net/pfkeyv2_convert.c =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2_convert.c,v retrieving revision 1.79 diff -u -p -r1.79 pfkeyv2_convert.c --- sys/net/pfkeyv2_convert.c 20 Jan 2022 17:13:12 -0000 1.79 +++ sys/net/pfkeyv2_convert.c 17 May 2023 12:17:24 -0000 @@ -92,6 +92,7 @@ */ #include "pf.h" +#include "sec.h" #include #include @@ -948,6 +947,30 @@ export_tap(void **p, struct tdb *tdb) stag->sadb_x_tap_unit = tdb->tdb_tap; stag->sadb_x_tap_len = sizeof(struct sadb_x_tap) / sizeof(uint64_t); *p += sizeof(struct sadb_x_tap); +} +#endif + +#if NSEC > 0 +/* Import interface information for SA */ +void +import_iface(struct tdb *tdb, struct sadb_x_iface *siface) +{ + if (siface != NULL) { + SET(tdb->tdb_flags, TDBF_IFACE); + tdb->tdb_iface = siface->sadb_x_iface_unit; + } +} + +/* Export interface information for SA */ +void +export_iface(void **p, struct tdb *tdb) +{ + struct sadb_x_iface *siface = (struct sadb_x_iface *)*p; + + siface->sadb_x_iface_len = sizeof(*siface) / sizeof(uint64_t); + siface->sadb_x_iface_unit = tdb->tdb_iface; + + *p += sizeof(*siface); } #endif Index: sys/net/pfkeyv2_parsemessage.c =================================================================== RCS file: /cvs/src/sys/net/pfkeyv2_parsemessage.c,v retrieving revision 1.60 diff -u -p -r1.60 pfkeyv2_parsemessage.c --- sys/net/pfkeyv2_parsemessage.c 14 Jul 2021 22:39:26 -0000 1.60 +++ sys/net/pfkeyv2_parsemessage.c 17 May 2023 12:17:24 -0000 @@ -135,6 +135,7 @@ #define BITMAP_X_COUNTER (1LL << SADB_X_EXT_COUNTER) #define BITMAP_X_MTU (1LL << SADB_X_EXT_MTU) #define BITMAP_X_REPLAY (1LL << SADB_X_EXT_REPLAY) +#define BITMAP_X_IFACE (1LL << SADB_X_EXT_IFACE) uint64_t sadb_exts_allowed_in[SADB_MAX+1] = { @@ -881,6 +882,12 @@ pfkeyv2_parsemessage(void *p, int len, v } break; #endif + case SADB_X_EXT_IFACE: + if (i != sizeof(struct sadb_x_iface)) { + DPRINTF("bad IFACE header length"); + return (EINVAL); + } + break; default: DPRINTF("unknown extension header type %d", sadb_ext->sadb_ext_type); Index: sys/netinet/ip_input.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_input.c,v retrieving revision 1.383 diff -u -p -r1.383 ip_input.c --- sys/netinet/ip_input.c 5 Apr 2023 21:51:47 -0000 1.383 +++ sys/netinet/ip_input.c 17 May 2023 12:17:24 -0000 @@ -1768,6 +1768,15 @@ ip_savecontrol(struct inpcb *inp, struct if (*mp) mp = &(*mp)->m_next; } + if (inp->inp_socket->so_options & SO_MONOSTAMP) { + struct timespec ts; + + m_nanouptime(m, &ts); + *mp = sbcreatecontrol((caddr_t)&ts, sizeof(ts), + SCM_MONOSTAMP, SOL_SOCKET); + if (*mp) + mp = &(*mp)->m_next; + } if (inp->inp_flags & INP_RECVDSTADDR) { *mp = sbcreatecontrol((caddr_t) &ip->ip_dst, Index: sys/netinet/ip_ipsp.c =================================================================== RCS file: /cvs/src/sys/netinet/ip_ipsp.c,v retrieving revision 1.275 diff -u -p -r1.275 ip_ipsp.c --- sys/netinet/ip_ipsp.c 11 Nov 2022 18:09:58 -0000 1.275 +++ sys/netinet/ip_ipsp.c 17 May 2023 12:17:24 -0000 @@ -39,6 +39,7 @@ #include "pf.h" #include "pfsync.h" +#include "sec.h" #include #include @@ -421,6 +422,29 @@ gettdbbysrcdst_dir(u_int rdomain, u_int3 return tdbp; } +int +ipsp_aux_match_prefix(const uint32_t *paddr, const uint32_t *pmask, + const uint32_t *taddr, const uint32_t *tmask, size_t n) +{ + uint32_t mask; + + do { + n--; + + /* is the prefix from the policy contained in the TDB? */ + mask = pmask[n] & tmask[n]; + if (tmask[n] != mask) + return (0); + + /* does the common prefix match? */ + if ((paddr[n] & mask) != (taddr[n] & mask)) + return (0); + + } while (n > 0); + + return (1); +} + /* * Check that IDs match. Return true if so. The t* range of * arguments contains information from TDBs; the p* range of @@ -439,20 +463,91 @@ ipsp_aux_match(struct tdb *tdb, return 0; /* Check for filter matches. */ - if (pfilter != NULL && pfiltermask != NULL && - tdb->tdb_filter.sen_type) { - /* - * XXX We should really be doing a subnet-check (see - * whether the TDB-associated filter is a subset - * of the policy's. For now, an exact match will solve - * most problems (all this will do is make every - * policy get its own SAs). - */ - if (memcmp(&tdb->tdb_filter, pfilter, - sizeof(struct sockaddr_encap)) || - memcmp(&tdb->tdb_filtermask, pfiltermask, - sizeof(struct sockaddr_encap))) - return 0; + if (pfilter != NULL && pfiltermask != NULL) { + if (pfilter->sen_type != tdb->tdb_filter.sen_type || + pfiltermask->sen_type != tdb->tdb_filtermask.sen_type) + return (0); + +#define maskcmp(_pf, _pm, _tf, _tm, _f) ( \ + (_pm)->_f != (_tm)->_f || \ + ((_pf)->_f & (_pm)->_f) != ((_tf)->_f & (_tm)->_f) \ +) + + switch (tdb->tdb_filter.sen_type) { + case SENT_IP4: + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_direction)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_proto)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_sport)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_dport)) + return (0); + + if (!ipsp_aux_match_prefix( + &pfilter->sen_ip_src.s_addr, + &pfiltermask->sen_ip_src.s_addr, + &tdb->tdb_filter.sen_ip_src.s_addr, + &tdb->tdb_filtermask.sen_ip_src.s_addr, 1)) + return (0); + + if (!ipsp_aux_match_prefix( + &pfilter->sen_ip_dst.s_addr, + &pfiltermask->sen_ip_dst.s_addr, + &tdb->tdb_filter.sen_ip_dst.s_addr, + &tdb->tdb_filtermask.sen_ip_dst.s_addr, 1)) + return (0); + + break; + +#ifdef INET6 + case SENT_IP6: + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_ip6_direction)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_ip6_proto)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_ip6_sport)) + return (0); + if (maskcmp(pfilter, pfiltermask, + &tdb->tdb_filter, &tdb->tdb_filtermask, + sen_ip6_dport)) + return (0); + + if (!ipsp_aux_match_prefix( + pfilter->sen_ip6_src.s6_addr32, + pfiltermask->sen_ip6_src.s6_addr32, + tdb->tdb_filter.sen_ip6_src.s6_addr32, + tdb->tdb_filtermask.sen_ip6_src.s6_addr32, 4)) + return (0); + + if (!ipsp_aux_match_prefix( + pfilter->sen_ip6_dst.s6_addr32, + pfiltermask->sen_ip6_dst.s6_addr32, + tdb->tdb_filter.sen_ip6_dst.s6_addr32, + tdb->tdb_filtermask.sen_ip6_dst.s6_addr32, 4)) + return (0); + + break; +#endif +#undef maskcmp + + default: + break; + } } return 1; @@ -473,7 +568,7 @@ gettdbbydst(u_int rdomain, union sockadd mtx_enter(&tdb_sadb_mtx); hashval = tdb_hash(0, dst, sproto); - for (tdbp = tdbdst[hashval]; tdbp != NULL; tdbp = tdbp->tdb_dnext) + for (tdbp = tdbdst[hashval]; tdbp != NULL; tdbp = tdbp->tdb_dnext) { if ((tdbp->tdb_sproto == sproto) && (tdbp->tdb_rdomain == rdomain) && ((tdbp->tdb_flags & TDBF_INVALID) == 0) && @@ -483,6 +578,7 @@ gettdbbydst(u_int rdomain, union sockadd continue; break; } + } tdb_ref(tdbp); mtx_leave(&tdb_sadb_mtx); @@ -852,14 +948,6 @@ puttdb_locked(struct tdb *tdbp) tdbp->tdb_hnext = tdbh[hashval]; tdbh[hashval] = tdbp; - hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); - tdbp->tdb_dnext = tdbdst[hashval]; - tdbdst[hashval] = tdbp; - - hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); - tdbp->tdb_snext = tdbsrc[hashval]; - tdbsrc[hashval] = tdbp; - tdb_count++; #ifdef IPSEC if ((tdbp->tdb_flags & (TDBF_INVALID|TDBF_TUNNELING)) == TDBF_TUNNELING) @@ -867,6 +955,21 @@ puttdb_locked(struct tdb *tdbp) #endif /* IPSEC */ ipsec_last_added = getuptime(); + + if (ISSET(tdbp->tdb_flags, TDBF_IFACE)) { +#if NSEC > 0 + +#endif + return; + } + + hashval = tdb_hash(0, &tdbp->tdb_dst, tdbp->tdb_sproto); + tdbp->tdb_dnext = tdbdst[hashval]; + tdbdst[hashval] = tdbp; + + hashval = tdb_hash(0, &tdbp->tdb_src, tdbp->tdb_sproto); + tdbp->tdb_snext = tdbsrc[hashval]; + tdbsrc[hashval] = tdbp; } void Index: sys/netinet/ip_ipsp.h =================================================================== RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v retrieving revision 1.240 diff -u -p -r1.240 ip_ipsp.h --- sys/netinet/ip_ipsp.h 14 Jul 2022 13:52:10 -0000 1.240 +++ sys/netinet/ip_ipsp.h 17 May 2023 12:17:24 -0000 @@ -356,6 +356,7 @@ struct tdb { /* tunnel descriptor blo #define TDBF_PFSYNC_RPL 0x80000 /* Replay counter should be bumped */ #define TDBF_ESN 0x100000 /* 64-bit sequence numbers (ESN) */ #define TDBF_PFSYNC_SNAPPED 0x200000 /* entry is being dispatched to peer */ +#define TDBF_IFACE 0x400000 /* entry policy is via sec(4) */ #define TDBF_BITS ("\20" \ "\1UNIQUE\2TIMER\3BYTES\4ALLOCATIONS" \ @@ -363,7 +364,7 @@ struct tdb { /* tunnel descriptor blo "\11SOFT_BYTES\12SOFT_ALLOCATIONS\13SOFT_FIRSTUSE\14PFS" \ "\15TUNNELING" \ "\21USEDTUNNEL\22UDPENCAP\23PFSYNC\24PFSYNC_RPL" \ - "\25ESN") + "\25ESN" "\26IFACE") u_int32_t tdb_flags; /* [m] Flags related to this TDB */ @@ -431,6 +432,7 @@ struct tdb { /* tunnel descriptor blo u_int16_t tdb_tag; /* Packet filter tag */ u_int32_t tdb_tap; /* Alternate enc(4) interface */ + unsigned int tdb_iface; /* Policy via sec(4) interface */ u_int tdb_rdomain; /* [I] Routing domain */ u_int tdb_rdomain_post; /* [I] Change domain */ Index: sys/netinet/ipsec_input.c =================================================================== RCS file: /cvs/src/sys/netinet/ipsec_input.c,v retrieving revision 1.204 diff -u -p -r1.204 ipsec_input.c --- sys/netinet/ipsec_input.c 13 May 2023 13:35:17 -0000 1.204 +++ sys/netinet/ipsec_input.c 17 May 2023 12:17:24 -0000 @@ -36,6 +36,7 @@ */ #include "pf.h" +#include "sec.h" #include #include @@ -63,6 +64,10 @@ #include #endif +#if NSEC > 0 +#include +#endif + #ifdef INET6 #include #include @@ -544,6 +549,21 @@ ipsec_common_input_cb(struct mbuf **mp, } } #endif + + if (ISSET(tdbp->tdb_flags, TDBF_IFACE)) { +#if NSEC > 0 + if (ISSET(tdbp->tdb_flags, TDBF_TUNNELING)) { + struct sec_softc *sc = sec_get(tdbp->tdb_iface); + if (sc == NULL) + goto baddone; + + sec_input(sc, af, prot, m); + sec_put(sc); + return IPPROTO_DONE; + } +#endif /* NSEC > 0 */ + goto baddone; + } #if NPF > 0 /*