6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 * Copyright (c) 2017, Joyent, Inc.
27 */
28
29 /*
30 * IPsec Security Policy Database.
31 *
32 * This module maintains the SPD and provides routines used by ip and ip6
33 * to apply IPsec policy to inbound and outbound datagrams.
34 */
35
36 #include <sys/types.h>
37 #include <sys/stream.h>
38 #include <sys/stropts.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsubr.h>
41 #include <sys/strsun.h>
42 #include <sys/strlog.h>
43 #include <sys/strsun.h>
44 #include <sys/cmn_err.h>
45 #include <sys/zone.h>
46
4106 ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4107 ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4108 ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4109 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4110 }
4111
4112 void
4113 ipsec_in_release_refs(ip_recv_attr_t *ira)
4114 {
4115 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4116 return;
4117
4118 if (ira->ira_ipsec_ah_sa != NULL) {
4119 IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4120 ira->ira_ipsec_ah_sa = NULL;
4121 }
4122 if (ira->ira_ipsec_esp_sa != NULL) {
4123 IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4124 ira->ira_ipsec_esp_sa = NULL;
4125 }
4126 ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4127 }
4128
4129 /*
4130 * This is called from ire_send_local when a packet
4131 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4132 * held by the callers.
4133 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4134 * across so that the fanout policy checks see that IPsec was applied.
4135 *
4136 * The caller should do ipsec_in_release_refs() on the ira by calling
4137 * ira_cleanup().
4138 */
4139 void
4140 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4141 {
4142 ipsec_policy_t *pol;
4143 ipsec_action_t *act;
4144
4145 /* Non-IPsec operations */
|
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2010 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2012 Nexenta Systems, Inc. All rights reserved.
25 * Copyright (c) 2016 by Delphix. All rights reserved.
26 * Copyright (c) 2018, Joyent, Inc.
27 */
28
29 /*
30 * IPsec Security Policy Database.
31 *
32 * This module maintains the SPD and provides routines used by ip and ip6
33 * to apply IPsec policy to inbound and outbound datagrams.
34 */
35
36 #include <sys/types.h>
37 #include <sys/stream.h>
38 #include <sys/stropts.h>
39 #include <sys/sysmacros.h>
40 #include <sys/strsubr.h>
41 #include <sys/strsun.h>
42 #include <sys/strlog.h>
43 #include <sys/strsun.h>
44 #include <sys/cmn_err.h>
45 #include <sys/zone.h>
46
4106 ixa->ixa_ipsec_ref[1].ipsr_sa = NULL;
4107 ixa->ixa_ipsec_ref[1].ipsr_bucket = NULL;
4108 ixa->ixa_ipsec_ref[1].ipsr_gen = 0;
4109 ixa->ixa_flags &= ~IXAF_IPSEC_SECURE;
4110 }
4111
4112 void
4113 ipsec_in_release_refs(ip_recv_attr_t *ira)
4114 {
4115 if (!(ira->ira_flags & IRAF_IPSEC_SECURE))
4116 return;
4117
4118 if (ira->ira_ipsec_ah_sa != NULL) {
4119 IPSA_REFRELE(ira->ira_ipsec_ah_sa);
4120 ira->ira_ipsec_ah_sa = NULL;
4121 }
4122 if (ira->ira_ipsec_esp_sa != NULL) {
4123 IPSA_REFRELE(ira->ira_ipsec_esp_sa);
4124 ira->ira_ipsec_esp_sa = NULL;
4125 }
4126 if (ira->ira_ipsec_action != NULL) {
4127 IPACT_REFRELE(ira->ira_ipsec_action);
4128 ira->ira_ipsec_action = NULL;
4129 }
4130
4131 ira->ira_flags &= ~IRAF_IPSEC_SECURE;
4132 }
4133
4134 /*
4135 * This is called from ire_send_local when a packet
4136 * is looped back. We setup the ip_recv_attr_t "borrowing" the references
4137 * held by the callers.
4138 * Note that we don't do any IPsec but we carry the actions and IPSEC flags
4139 * across so that the fanout policy checks see that IPsec was applied.
4140 *
4141 * The caller should do ipsec_in_release_refs() on the ira by calling
4142 * ira_cleanup().
4143 */
4144 void
4145 ipsec_out_to_in(ip_xmit_attr_t *ixa, ill_t *ill, ip_recv_attr_t *ira)
4146 {
4147 ipsec_policy_t *pol;
4148 ipsec_action_t *act;
4149
4150 /* Non-IPsec operations */
|
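Review bot: The added `IPACT_REFRELE(ira->ira_ipsec_action)` in ipsec_in_release_refs() is reached only when IRAF_IPSEC_SECURE is set, and it assumes the ira owns a hold on the action, but nothing visible here states that invariant. The comment above ipsec_out_to_in() still describes the ira as "borrowing" the caller's references while telling the caller to release through ira_cleanup(). If any path stores ira_ipsec_action without taking its own hold, this release drops a reference the ira does not own and the action can be freed while still in use; if a path stores it without setting the flag, the early return leaks the hold. The body of ipsec_out_to_in() continues outside this view, so I cannot confirm which case applies; every assignment to ira_ipsec_action should be checked for a matching hold. I would document the contract on the function, e.g. `/* Release the AH SA, ESP SA and action holds owned by ira; each setter must take its own hold and set IRAF_IPSEC_SECURE. */`, and reword "borrowing" if holds are in fact taken.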