Commit Graph

300 Commits

Author SHA1 Message Date
thorpej
ad5b855ef0 Back out the sledgehammer damage applied by wiz while I was out for
the holiday.
2000-12-28 21:40:59 +00:00
itojun
8b9fb822b0 do not touch ra_addr if it is NULL. from IIJ SEIL team 2000-12-28 21:23:00 +00:00
wiz
32e20d8993 Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej
d0357bdb4f Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type.  This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
itojun
b05acc70f8 make sure we notify of routing changes, even if we have net route pointed
to by inpcb.
2000-12-21 00:46:20 +00:00
thorpej
d9a9544a2f Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook. 2000-12-14 17:36:44 +00:00
itojun
1101f217b5 no need to rtalloc1() twice in pmtud. from kame 2000-12-11 19:28:47 +00:00
itojun
5eae50d991 update icmp6 too big validation. the change is necessary since pmtud is
mandatory for IPv6 (so we can't just validate by using connected pcb - we need
to allow traffic from unconnected pcb to do pmtud).
- if the traffic is validated by xx_ctlinput, allow up to "hiwat" pmtud
  route entries.
- if the traffic was not validated by xx_ctlinput, allow up to "lowat" pmtud
  route entries (there's upper limit, so bad guys cannot blow up our routing
  table).
sync with kame

XXX need to think again about default hiwat/lowat value.
XXX victim selection to help starvation case
2000-12-09 01:29:45 +00:00
itojun
fe5bd7125e make sure we don't touch uninitialized pointer. from: fvdl 2000-12-04 12:11:49 +00:00
thorpej
65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
itojun
a21e536042 improve spec conformance of node information query (07).
sync with kame.
2000-11-11 00:46:36 +00:00
itojun
970a75f808 fix KAME PR 296 again, for transport-mode SA only
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun
8c411160ec backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode. 2000-11-09 17:36:11 +00:00
itojun
e452bf6c6b save a little bit of CPU time (avoid computing CBC IV we do not use).
sync with kame.
2000-11-08 04:57:57 +00:00
itojun
47bce75f00 check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet.  decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun
ef8a34f5c3 fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc 2000-11-06 00:50:12 +00:00
onoe
e83458422f First Prototype implementation of network interface part for IEEE1394 (if_fw).
Current status:
	Only OHCI chip is supported (fwohci).
	ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
	sometimes works but not stable.
Not implemented yet:
	IRM (Isochronous Resource Manager) functionality.
	Link layer fragmentation.
	Topology map.
More to do:
	clean ups
	MCAP
	charactor device part
	dhcp

There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun
731744bcc2 avoid possible align issue 2000-11-02 12:28:45 +00:00
itojun
9b55c15642 [13]des fix for big endian machines. from: shigeru@iij.ad.jp 2000-11-02 12:25:01 +00:00
itojun
73b4766cf2 do not panic on "ifconfig inet6 fe80::1 -alias". from Todd Fries.
KAME PR 295.
2000-10-28 03:46:21 +00:00
itojun
cb1745c4f9 make IFA_STATS really work on IPv6. 2000-10-23 03:45:25 +00:00
itojun
9183e2dc4e remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun
d11a1f9bae kame 1.32 -> 1.33
in add_m6fc(), set interface list for all cases.
in response to a report from Hoerdt Mickael.

kame 1.31 -> 1.32
discard PIM register if the version of the inner packet is incorrect (i.e. IPv6)
(according to clarfication of recent discussion in the IETF pim ML)
2000-10-19 03:15:48 +00:00
itojun
edd876a35d validate ICMPv6 too big message.
XXX too restrictive given frequent uses of sendto(2)
2000-10-19 01:14:13 +00:00
itojun
9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun
23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej
ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun
3fe32f0197 use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>
(we don't ansify it for kame code sharing)
2000-10-17 21:46:42 +00:00
itojun
d7a216bb96 suppress warning on nd6_storelladdr failure. the failure could happen
easily when we have routing table with too many entries.  sync with kame.
2000-10-15 15:39:11 +00:00
itojun
6e3a9bc311 validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.
2000-10-13 17:53:44 +00:00
itojun
8fa0e6b9f7 sync with kame ($KAME$) 2000-10-10 16:26:43 +00:00
enami
0b9cbefe70 Don't initialize TCP twice on v4/v6 dual stack kernel. 2000-10-10 13:25:28 +00:00
itojun
654a1d9555 remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
sync with kame.
2000-10-06 05:07:41 +00:00
itojun
a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun
dabed37e1c correct merge failure in key size validation. 2000-10-02 23:49:02 +00:00
itojun
89af64e5e3 remove #ifdef freebsd 2000-10-02 17:23:49 +00:00
itojun
e9536f86fa add ESP rijndael logic. yet to be usable (until algorithm # is assigned) 2000-10-02 17:21:24 +00:00
itojun
dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
b2366d4898 add missing \n. sync with kame. 2000-10-01 10:56:02 +00:00
itojun
8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun
78f9775c35 do not hardcode maximum IV length. 2000-09-26 08:37:38 +00:00
itojun
2c8b266751 make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing).  (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin
4e675359ad Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun
89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun
e0bb769d4e on ipsec policy lookup, do not try to lookup port numbers for forwarded packet.
sync with kame.
2000-09-22 05:50:23 +00:00
itojun
aa5339554d cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
	old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
itojun
10cc02200a - repair too strong assumption on mbuf chain.
- correct byte lifetime computation to conform to RFC2401 p23 (use
  packet BEFORE compression)
- stabilize deflate calls
- present error messages better
2000-09-21 20:28:52 +00:00
itojun
9c55bd3b1a repair infinite loop in ipcomp packet generation. oops. 2000-09-21 06:08:26 +00:00
itojun
cb4931c8e7 repair cut-and-paste bug. from: francis dupont. sync with kame 2000-09-20 23:35:51 +00:00
itojun
d2c6420404 do not inject empty mbuf to zlib. 2000-09-20 23:35:16 +00:00