Introduce ipsec_sysctl()


Introduce ipsec_sysctl()

Martin Pieuchot
This moves all IPsec tunables to netinet/ipsec_input.c without breaking
the "net.inet.ip" sysctl(3) namespace.  

The reason for this move is to properly separate IPsec and IP globals
in order to ease the removal of the NET_LOCK() in these layers.

ok?

Index: netinet/in.h
===================================================================
RCS file: /cvs/src/sys/netinet/in.h,v
retrieving revision 1.125
diff -u -p -r1.125 in.h
--- netinet/in.h 6 Oct 2017 21:14:55 -0000 1.125
+++ netinet/in.h 13 Nov 2017 12:11:16 -0000
@@ -745,19 +745,19 @@ struct ip_mreq {
  &ipport_hifirstauto, \
  &ipport_hilastauto, \
  &ip_maxqueue, \
- &encdebug, \
+ NULL /* encdebug */, \
  NULL, \
- &ipsec_expire_acquire, \
- &ipsec_keep_invalid, \
- &ipsec_require_pfs, \
- &ipsec_soft_allocations, \
- &ipsec_exp_allocations, \
- &ipsec_soft_bytes, \
- &ipsec_exp_bytes, \
- &ipsec_exp_timeout, \
- &ipsec_soft_timeout, \
- &ipsec_soft_first_use, \
- &ipsec_exp_first_use, \
+ NULL /* ipsec_expire_acquire */, \
+ NULL /* ipsec_keep_invalid */, \
+ NULL /* ipsec_require_pfs */, \
+ NULL /* ipsec_soft_allocations */, \
+ NULL /* ipsec_exp_allocations */, \
+ NULL /* ipsec_soft_bytes */, \
+ NULL /* ipsec_exp_bytes */, \
+ NULL /* ipsec_exp_timeout */, \
+ NULL /* ipsec_soft_timeout */, \
+ NULL /* ipsec_soft_first_use */, \
+ NULL /* ipsec_exp_first_use */, \
  NULL, \
  NULL, \
  NULL, \
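Review bot: The twelve slots turned into `NULL` here keep their position so the `IPCTL_*` indices into the table stay valid, but nothing tells a reader where the variables went; the table's opening line is outside the hunk, so the only documentation is the inline `/* encdebug */` style markers. A one-line comment above the first cleared slot, `/* ids 12 and 14-24 are IPsec tunables served by ipsec_sysctl(); see IPSECCTL_VARS in ip_ipsp.h */`, would stop a later cleanup from compacting the padding. For a kernel built without the IPSEC option these ids now reach ip_sysctl()'s default path with a NULL slot, which presumably ends in EOPNOTSUPP from sysctl_int_arr(); worth confirming that is the intended result.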
Index: netinet/ip_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_input.c,v
retrieving revision 1.331
diff -u -p -r1.331 ip_input.c
--- netinet/ip_input.c 10 Nov 2017 08:55:49 -0000 1.331
+++ netinet/ip_input.c 13 Nov 2017 08:51:37 -0000
@@ -84,22 +84,6 @@
 #include <netinet/ip_carp.h>
 #endif
 
-int encdebug = 0;
-int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
-int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
-int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
-int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
-int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
-int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
-int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
-int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
-int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
-int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
-int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
-char ipsec_def_enc[20];
-char ipsec_def_auth[20];
-char ipsec_def_comp[20];
-
 /* values controllable via sysctl */
 int ipforwarding = 0;
 int ipmforwarding = 0;
@@ -211,10 +195,6 @@ ip_init(void)
  for (i = 0; defrootonlyports_udp[i] != 0; i++)
  DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
 
- strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
- strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
- strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
-
  mq_init(&ipsend_mq, 64, IPL_SOFTNET);
 
 #ifdef IPSEC
@@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
       ip_mtudisc_timeout);
  NET_UNLOCK();
  return (error);
+#ifdef IPSEC
+ case IPCTL_ENCDEBUG:
+ case IPCTL_IPSEC_EXPIRE_ACQUIRE:
+ case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
+ case IPCTL_IPSEC_REQUIRE_PFS:
+ case IPCTL_IPSEC_SOFT_ALLOCATIONS:
+ case IPCTL_IPSEC_ALLOCATIONS:
+ case IPCTL_IPSEC_SOFT_BYTES:
+ case IPCTL_IPSEC_BYTES:
+ case IPCTL_IPSEC_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_TIMEOUT:
+ case IPCTL_IPSEC_SOFT_FIRSTUSE:
+ case IPCTL_IPSEC_FIRSTUSE:
  case IPCTL_IPSEC_ENC_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-       ipsec_def_enc, sizeof(ipsec_def_enc));
- NET_UNLOCK();
- return (error);
  case IPCTL_IPSEC_AUTH_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-       ipsec_def_auth,
-       sizeof(ipsec_def_auth));
- NET_UNLOCK();
- return (error);
  case IPCTL_IPSEC_IPCOMP_ALGORITHM:
- NET_LOCK();
- error = sysctl_tstring(oldp, oldlenp, newp, newlen,
-       ipsec_def_comp,
-       sizeof(ipsec_def_comp));
- NET_UNLOCK();
- return (error);
+ return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
+    newlen));
+#endif
  case IPCTL_IFQUEUE:
  return (sysctl_niq(name + 1, namelen - 1,
     oldp, oldlenp, newp, newlen, &ipintrq));
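Review bot: Moving the three `IPCTL_IPSEC_*_ALGORITHM` cases under `#ifdef IPSEC` changes behaviour for kernels built without IPSEC: as far as this hunk shows the string cases previously had no `#ifdef` around them, and they now fall to the default path whose slots in the table are NULL, presumably yielding EOPNOTSUPP from sysctl_int_arr(). If that is intended it deserves a sentence in the commit message; if not, the three string cases should stay outside the `#ifdef`. The new call hands over `name` rather than `name + 1`, which matches ipsec_sysctl() switching on the same `IPCTL_*` id, but a comment such as `/* IPsec tunables live in the net.inet.ip namespace; pass the id through unchanged */` would make that deliberate. ip_sysctl() starts and ends outside the hunk.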
Index: netinet/ip_ipsp.h
===================================================================
RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
retrieving revision 1.186
diff -u -p -r1.186 ip_ipsp.h
--- netinet/ip_ipsp.h 8 Nov 2017 16:29:20 -0000 1.186
+++ netinet/ip_ipsp.h 13 Nov 2017 08:52:18 -0000
@@ -424,6 +424,51 @@ extern int ipsec_exp_timeout; /* second
 extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */
 extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */
 
+/*
+ * Names for IPsec sysctl objects
+ */
+#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */
+#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */
+#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
+#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */
+#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */
+#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */
+#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */
+#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */
+#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */
+#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */
+#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */
+#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */
+#define IPSEC_MAXID 25
+
+#define IPSECCTL_VARS { \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ NULL, \
+ &encdebug, \
+ NULL, \
+ &ipsec_expire_acquire, \
+ &ipsec_keep_invalid, \
+ &ipsec_require_pfs, \
+ &ipsec_soft_allocations, \
+ &ipsec_exp_allocations, \
+ &ipsec_soft_bytes, \
+ &ipsec_exp_bytes, \
+ &ipsec_exp_timeout, \
+ &ipsec_soft_timeout, \
+ &ipsec_soft_first_use, \
+ &ipsec_exp_first_use, \
+}
+
 extern char ipsec_def_enc[];
 extern char ipsec_def_auth[];
 extern char ipsec_def_comp[];
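Review bot: The `IPSEC_ENCDEBUG` through `IPSEC_FIRSTUSE` aliases are not referenced anywhere else in the patch — ipsec_sysctl() switches on the `IPCTL_*` names and only `IPSEC_MAXID` and `IPSECCTL_VARS` are consumed — so they are dead definitions unless a follow-up uses them; either drop them or have the dispatch use them. The formatting is also uneven: `IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */` lacks a space before the comment and `IPSEC_SOFT_ALLOCATIONS` is padded differently from its neighbours. `IPSECCTL_VARS` is indexed by the raw `IPCTL_*` id (25 entries, matching `IPSEC_MAXID`), which is why slots 0-11 and 13 are NULL; a comment above it, `/* Indexed by IPCTL_* id: slots owned by ip_sysctl() stay NULL. Entry count must equal IPSEC_MAXID. */`, would protect that invariant.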
@@ -549,6 +594,7 @@ struct ipsec_ids *ipsp_ids_lookup(u_int3
 void ipsp_ids_free(struct ipsec_ids *);
 
 void ipsec_init(void);
+int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
 int ipsec_common_input(struct mbuf *, int, int, int, int, int);
 void ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
 int ipsec_delete_policy(struct ipsec_policy *);
Index: netinet/ipsec_input.c
===================================================================
RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
retrieving revision 1.159
diff -u -p -r1.159 ipsec_input.c
--- netinet/ipsec_input.c 8 Nov 2017 16:29:20 -0000 1.159
+++ netinet/ipsec_input.c 13 Nov 2017 08:51:45 -0000
@@ -88,6 +88,19 @@ void ipsec_common_ctlinput(u_int, int, s
 #endif
 
 /* sysctl variables */
+int encdebug = 0;
+int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
+int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
+int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
+int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
+int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
+int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
+int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
+int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
+int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
+int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
+int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
+
 int esp_enable = 1;
 int ah_enable = 1;
 int ipcomp_enable = 0;
@@ -100,6 +113,12 @@ struct cpumem *espcounters;
 struct cpumem *ahcounters;
 struct cpumem *ipcompcounters;
 
+char ipsec_def_enc[20];
+char ipsec_def_auth[20];
+char ipsec_def_comp[20];
+
+int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;
+
 int esp_sysctl_espstat(void *, size_t *, void *);
 int ah_sysctl_ahstat(void *, size_t *, void *);
 int ipcomp_sysctl_ipcompstat(void *, size_t *, void *);
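Review bot: `ipsecctl_vars` is defined with external linkage, yet within this patch it is only read by ipsec_sysctl() in the same file and no `extern` for it is added to ip_ipsp.h; `static int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;` would keep it out of the kernel's global namespace unless another file is meant to reach it. A short comment above it, `/* sysctl_int_arr() table for the IPsec tunables of net.inet.ip */`, would also tie it to its single consumer.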
@@ -110,6 +129,11 @@ ipsec_init(void)
  espcounters = counters_alloc(esps_ncounters);
  ahcounters = counters_alloc(ahs_ncounters);
  ipcompcounters = counters_alloc(ipcomps_ncounters);
+
+ strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
+ strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
+ strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
+
 }
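Review bot: The added block leaves an empty line between the last strlcpy() and the closing brace of ipsec_init(); drop that trailing `+` blank line so the function ends directly after `strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));`. ipsec_init() starts outside the hunk.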
 
 /*
@@ -609,6 +633,43 @@ ipsec_common_input_cb(struct mbuf *m, st
  /* Call the appropriate IPsec transform callback. */
  ip_deliver(&m, &skip, prot, af);
 #undef IPSEC_ISTAT
+}
+
+int
+ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
+    size_t newlen)
+{
+ int error;
+
+ switch (name[0]) {
+ case IPCTL_IPSEC_ENC_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+    ipsec_def_enc, sizeof(ipsec_def_enc));
+ NET_UNLOCK();
+ return (error);
+ case IPCTL_IPSEC_AUTH_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+    ipsec_def_auth, sizeof(ipsec_def_auth));
+ NET_UNLOCK();
+ return (error);
+ case IPCTL_IPSEC_IPCOMP_ALGORITHM:
+ NET_LOCK();
+ error = sysctl_tstring(oldp, oldlenp, newp, newlen,
+    ipsec_def_comp, sizeof(ipsec_def_comp));
+ NET_UNLOCK();
+ return (error);
+ default:
+ if (name[0] < IPSEC_MAXID) {
+ NET_LOCK();
+ error = sysctl_int_arr(ipsecctl_vars, name, namelen,
+    oldp, oldlenp, newp, newlen);
+ NET_UNLOCK();
+ return (error);
+ }
+ return (EOPNOTSUPP);
+ }
 }
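Review bot: In the `default:` arm `name[0] < IPSEC_MAXID` is the only bound applied to an `int` index into `ipsecctl_vars`, so a negative id passes the check; within this patch ipsec_sysctl() is reached only through ip_sysctl()'s explicit case list, but the function is exported in ip_ipsp.h and its guard should stand on its own: `if (name[0] >= 0 && name[0] < IPSEC_MAXID) {`. If sysctl_int_arr() already rejects negative ids or NULL slots this is merely redundant; its body is not visible here. The function also reads `name[0]` before any `namelen` check — presumably ip_sysctl() has validated that — and a header comment stating the contract, e.g. `/* Serve the IPsec tunables of the net.inet.ip namespace on behalf of ip_sysctl(); name[0] is an IPCTL_* id, not a sub-mib, hence no name + 1. */`, would document why `name` is not advanced.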
 
 int


Re: Introduce ipsec_sysctl()

Alexander Bluhm
On Mon, Nov 13, 2017 at 01:30:43PM +0100, Martin Pieuchot wrote:
> This move all IPsec tunables to netinet/ipsec_input.c without breaking
> the "net.inet.ip" sysctl(3) namespace.  
>
> The reason for this move is to properly separate IPsec and IP globals
> in order to ease the removal of the NET_LOCK() in these layers.
>
> ok?

OK bluhm@

> Index: netinet/in.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/in.h,v
> retrieving revision 1.125
> diff -u -p -r1.125 in.h
> --- netinet/in.h 6 Oct 2017 21:14:55 -0000 1.125
> +++ netinet/in.h 13 Nov 2017 12:11:16 -0000
> @@ -745,19 +745,19 @@ struct ip_mreq {
>   &ipport_hifirstauto, \
>   &ipport_hilastauto, \
>   &ip_maxqueue, \
> - &encdebug, \
> + NULL /* encdebug */, \
>   NULL, \
> - &ipsec_expire_acquire, \
> - &ipsec_keep_invalid, \
> - &ipsec_require_pfs, \
> - &ipsec_soft_allocations, \
> - &ipsec_exp_allocations, \
> - &ipsec_soft_bytes, \
> - &ipsec_exp_bytes, \
> - &ipsec_exp_timeout, \
> - &ipsec_soft_timeout, \
> - &ipsec_soft_first_use, \
> - &ipsec_exp_first_use, \
> + NULL /* ipsec_expire_acquire */, \
> + NULL /* ipsec_keep_invalid */, \
> + NULL /* ipsec_require_pfs */, \
> + NULL /* ipsec_soft_allocations */, \
> + NULL /* ipsec_exp_allocations */, \
> + NULL /* ipsec_soft_bytes */, \
> + NULL /* ipsec_exp_bytes */, \
> + NULL /* ipsec_exp_timeout */, \
> + NULL /* ipsec_soft_timeout */, \
> + NULL /* ipsec_soft_first_use */, \
> + NULL /* ipsec_exp_first_use */, \
>   NULL, \
>   NULL, \
>   NULL, \
> Index: netinet/ip_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_input.c,v
> retrieving revision 1.331
> diff -u -p -r1.331 ip_input.c
> --- netinet/ip_input.c 10 Nov 2017 08:55:49 -0000 1.331
> +++ netinet/ip_input.c 13 Nov 2017 08:51:37 -0000
> @@ -84,22 +84,6 @@
>  #include <netinet/ip_carp.h>
>  #endif
>  
> -int encdebug = 0;
> -int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> -int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> -int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> -int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> -int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> -int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> -int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> -int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> -int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> -int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> -int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> -char ipsec_def_enc[20];
> -char ipsec_def_auth[20];
> -char ipsec_def_comp[20];
> -
>  /* values controllable via sysctl */
>  int ipforwarding = 0;
>  int ipmforwarding = 0;
> @@ -211,10 +195,6 @@ ip_init(void)
>   for (i = 0; defrootonlyports_udp[i] != 0; i++)
>   DP_SET(rootonlyports.udp, defrootonlyports_udp[i]);
>  
> - strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> - strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> - strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> -
>   mq_init(&ipsend_mq, 64, IPL_SOFTNET);
>  
>  #ifdef IPSEC
> @@ -1643,26 +1623,25 @@ ip_sysctl(int *name, u_int namelen, void
>        ip_mtudisc_timeout);
>   NET_UNLOCK();
>   return (error);
> +#ifdef IPSEC
> + case IPCTL_ENCDEBUG:
> + case IPCTL_IPSEC_EXPIRE_ACQUIRE:
> + case IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT:
> + case IPCTL_IPSEC_REQUIRE_PFS:
> + case IPCTL_IPSEC_SOFT_ALLOCATIONS:
> + case IPCTL_IPSEC_ALLOCATIONS:
> + case IPCTL_IPSEC_SOFT_BYTES:
> + case IPCTL_IPSEC_BYTES:
> + case IPCTL_IPSEC_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_TIMEOUT:
> + case IPCTL_IPSEC_SOFT_FIRSTUSE:
> + case IPCTL_IPSEC_FIRSTUSE:
>   case IPCTL_IPSEC_ENC_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -       ipsec_def_enc, sizeof(ipsec_def_enc));
> - NET_UNLOCK();
> - return (error);
>   case IPCTL_IPSEC_AUTH_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -       ipsec_def_auth,
> -       sizeof(ipsec_def_auth));
> - NET_UNLOCK();
> - return (error);
>   case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> - NET_LOCK();
> - error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> -       ipsec_def_comp,
> -       sizeof(ipsec_def_comp));
> - NET_UNLOCK();
> - return (error);
> + return (ipsec_sysctl(name, namelen, oldp, oldlenp, newp,
> +    newlen));
> +#endif
>   case IPCTL_IFQUEUE:
>   return (sysctl_niq(name + 1, namelen - 1,
>      oldp, oldlenp, newp, newlen, &ipintrq));
> Index: netinet/ip_ipsp.h
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_ipsp.h,v
> retrieving revision 1.186
> diff -u -p -r1.186 ip_ipsp.h
> --- netinet/ip_ipsp.h 8 Nov 2017 16:29:20 -0000 1.186
> +++ netinet/ip_ipsp.h 13 Nov 2017 08:52:18 -0000
> @@ -424,6 +424,51 @@ extern int ipsec_exp_timeout; /* second
>  extern int ipsec_soft_first_use; /* seconds between 1st asso & renego */
>  extern int ipsec_exp_first_use; /* seconds between 1st asso & expire */
>  
> +/*
> + * Names for IPsec sysctl objects
> + */
> +#define IPSEC_ENCDEBUG IPCTL_ENCDEBUG /* 12 */
> +#define IPSEC_EXPIRE_ACQUIRE IPCTL_IPSEC_EXPIRE_ACQUIRE /* 14 */
> +#define IPSEC_EMBRYONIC_SA_TIMEOUT IPCTL_IPSEC_EMBRYONIC_SA_TIMEOUT/* 15 */
> +#define IPSEC_REQUIRE_PFS IPCTL_IPSEC_REQUIRE_PFS /* 16 */
> +#define IPSEC_SOFT_ALLOCATIONS          IPCTL_IPSEC_SOFT_ALLOCATIONS /* 17 */
> +#define IPSEC_ALLOCATIONS IPCTL_IPSEC_ALLOCATIONS /* 18 */
> +#define IPSEC_SOFT_BYTES IPCTL_IPSEC_SOFT_BYTES /* 19 */
> +#define IPSEC_BYTES IPCTL_IPSEC_BYTES /* 20 */
> +#define IPSEC_TIMEOUT IPCTL_IPSEC_TIMEOUT /* 21 */
> +#define IPSEC_SOFT_TIMEOUT IPCTL_IPSEC_SOFT_TIMEOUT /* 22 */
> +#define IPSEC_SOFT_FIRSTUSE IPCTL_IPSEC_SOFT_FIRSTUSE /* 23 */
> +#define IPSEC_FIRSTUSE IPCTL_IPSEC_FIRSTUSE /* 24 */
> +#define IPSEC_MAXID 25
> +
> +#define IPSECCTL_VARS { \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + NULL, \
> + &encdebug, \
> + NULL, \
> + &ipsec_expire_acquire, \
> + &ipsec_keep_invalid, \
> + &ipsec_require_pfs, \
> + &ipsec_soft_allocations, \
> + &ipsec_exp_allocations, \
> + &ipsec_soft_bytes, \
> + &ipsec_exp_bytes, \
> + &ipsec_exp_timeout, \
> + &ipsec_soft_timeout, \
> + &ipsec_soft_first_use, \
> + &ipsec_exp_first_use, \
> +}
> +
>  extern char ipsec_def_enc[];
>  extern char ipsec_def_auth[];
>  extern char ipsec_def_comp[];
> @@ -549,6 +594,7 @@ struct ipsec_ids *ipsp_ids_lookup(u_int3
>  void ipsp_ids_free(struct ipsec_ids *);
>  
>  void ipsec_init(void);
> +int ipsec_sysctl(int *, u_int, void *, size_t *, void *, size_t);
>  int ipsec_common_input(struct mbuf *, int, int, int, int, int);
>  void ipsec_common_input_cb(struct mbuf *, struct tdb *, int, int);
>  int ipsec_delete_policy(struct ipsec_policy *);
> Index: netinet/ipsec_input.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ipsec_input.c,v
> retrieving revision 1.159
> diff -u -p -r1.159 ipsec_input.c
> --- netinet/ipsec_input.c 8 Nov 2017 16:29:20 -0000 1.159
> +++ netinet/ipsec_input.c 13 Nov 2017 08:51:45 -0000
> @@ -88,6 +88,19 @@ void ipsec_common_ctlinput(u_int, int, s
>  #endif
>  
>  /* sysctl variables */
> +int encdebug = 0;
> +int ipsec_keep_invalid = IPSEC_DEFAULT_EMBRYONIC_SA_TIMEOUT;
> +int ipsec_require_pfs = IPSEC_DEFAULT_PFS;
> +int ipsec_soft_allocations = IPSEC_DEFAULT_SOFT_ALLOCATIONS;
> +int ipsec_exp_allocations = IPSEC_DEFAULT_EXP_ALLOCATIONS;
> +int ipsec_soft_bytes = IPSEC_DEFAULT_SOFT_BYTES;
> +int ipsec_exp_bytes = IPSEC_DEFAULT_EXP_BYTES;
> +int ipsec_soft_timeout = IPSEC_DEFAULT_SOFT_TIMEOUT;
> +int ipsec_exp_timeout = IPSEC_DEFAULT_EXP_TIMEOUT;
> +int ipsec_soft_first_use = IPSEC_DEFAULT_SOFT_FIRST_USE;
> +int ipsec_exp_first_use = IPSEC_DEFAULT_EXP_FIRST_USE;
> +int ipsec_expire_acquire = IPSEC_DEFAULT_EXPIRE_ACQUIRE;
> +
>  int esp_enable = 1;
>  int ah_enable = 1;
>  int ipcomp_enable = 0;
> @@ -100,6 +113,12 @@ struct cpumem *espcounters;
>  struct cpumem *ahcounters;
>  struct cpumem *ipcompcounters;
>  
> +char ipsec_def_enc[20];
> +char ipsec_def_auth[20];
> +char ipsec_def_comp[20];
> +
> +int *ipsecctl_vars[IPSEC_MAXID] = IPSECCTL_VARS;
> +
>  int esp_sysctl_espstat(void *, size_t *, void *);
>  int ah_sysctl_ahstat(void *, size_t *, void *);
>  int ipcomp_sysctl_ipcompstat(void *, size_t *, void *);
> @@ -110,6 +129,11 @@ ipsec_init(void)
>   espcounters = counters_alloc(esps_ncounters);
>   ahcounters = counters_alloc(ahs_ncounters);
>   ipcompcounters = counters_alloc(ipcomps_ncounters);
> +
> + strlcpy(ipsec_def_enc, IPSEC_DEFAULT_DEF_ENC, sizeof(ipsec_def_enc));
> + strlcpy(ipsec_def_auth, IPSEC_DEFAULT_DEF_AUTH, sizeof(ipsec_def_auth));
> + strlcpy(ipsec_def_comp, IPSEC_DEFAULT_DEF_COMP, sizeof(ipsec_def_comp));
> +
>  }
>  
>  /*
> @@ -609,6 +633,43 @@ ipsec_common_input_cb(struct mbuf *m, st
>   /* Call the appropriate IPsec transform callback. */
>   ip_deliver(&m, &skip, prot, af);
>  #undef IPSEC_ISTAT
> +}
> +
> +int
> +ipsec_sysctl(int *name, u_int namelen, void *oldp, size_t *oldlenp, void *newp,
> +    size_t newlen)
> +{
> + int error;
> +
> + switch (name[0]) {
> + case IPCTL_IPSEC_ENC_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> +    ipsec_def_enc, sizeof(ipsec_def_enc));
> + NET_UNLOCK();
> + return (error);
> + case IPCTL_IPSEC_AUTH_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> +    ipsec_def_auth, sizeof(ipsec_def_auth));
> + NET_UNLOCK();
> + return (error);
> + case IPCTL_IPSEC_IPCOMP_ALGORITHM:
> + NET_LOCK();
> + error = sysctl_tstring(oldp, oldlenp, newp, newlen,
> +    ipsec_def_comp, sizeof(ipsec_def_comp));
> + NET_UNLOCK();
> + return (error);
> + default:
> + if (name[0] < IPSEC_MAXID) {
> + NET_LOCK();
> + error = sysctl_int_arr(ipsecctl_vars, name, namelen,
> +    oldp, oldlenp, newp, newlen);
> + NET_UNLOCK();
> + return (error);
> + }
> + return (EOPNOTSUPP);
> + }
>  }
>  
>  int