itojun
dc96111483
deep-copy pcb policy if it is an ipsec policy. assign ID field to all
SPD entries. make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes). sync w/kame
2002-06-12 17:56:45 +00:00
itojun
3489976392
do not copy policy-on-socket at all. avoid copying packet header value to
struct spindex. should reduce memory usage per socket/pcb, and should speedup
ipsec processing. sync w/kame
2002-06-12 01:47:34 +00:00
itojun
fa53d749ff
share policy-on-pcb for listening socket. sync w/kame
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
itojun
2533e1f81f
avoid variable name confusion. sync w/kame
2002-06-11 17:26:52 +00:00
itojun
9b2ae3537c
silence some of log(), as the codepath will be visited for IPv6-non-capable
interfaces too and can be annoying. net.inet6.icmp6.nd6_debug will
re-enable them.
2002-06-11 07:28:05 +00:00
itojun
b05ff066a7
whitespace cleanup
2002-06-09 14:43:10 +00:00
itojun
e55d3b6782
indent cleanup
2002-06-08 21:32:55 +00:00
itojun
7316bc595b
KNF
2002-06-08 21:29:26 +00:00
itojun
2495e99fc7
gc
2002-06-08 21:28:18 +00:00
itojun
6d8d0d63d8
sync with latest KAME in6_ifaddr/prefix/default router manipulation.
behavior changes:
- two ioctls used by ndp(8) are now obsolete (backward compat provided).
use sysctl path instead.
- lo0 does not get ::1 automatically. it will get ::1 when lo0 comes up.
2002-06-08 21:22:29 +00:00
itojun
fc5800e3fd
whitespace cleanup
2002-06-08 20:06:44 +00:00
itojun
2f88f76db1
in6_len2mask is a duplicate of in6_prefixlen2mask. unify. sync w/kame
2002-06-08 00:07:00 +00:00
itojun
9736fd7f05
on SIOCAIFADDR_IN6 check if sin6_len is sane. sync w/kame
2002-06-08 00:01:30 +00:00
itojun
e4f39ff86f
panic() if NULL is passed to ah_sumsiz_xx. suggested by sam leffler, sync w/kame
2002-06-07 23:42:41 +00:00
itojun
36f10d3196
some KNF
2002-06-07 22:08:41 +00:00
itojun
acf7dffae4
some KNF
2002-06-07 22:07:38 +00:00
itojun
0026ddd6dd
no need for offsetof()
2002-06-07 22:06:48 +00:00
itojun
edcbce7c37
typo
2002-06-07 22:05:37 +00:00
itojun
a1e0f0f9a7
sync IPV6_CHECKSUM handling with kame.
2002-06-07 22:03:02 +00:00
fvdl
2aae9aee46
Fix mistakes in previous.
2002-06-07 18:19:30 +00:00
itojun
09342cdd61
typo
2002-06-07 18:19:05 +00:00
itojun
fc16676d8e
If there has been no NS for the neighbor after entering the
INCOMPLETE state, send the first solicitation in nd6_output(), regardless
of the timer value.
revised comments about rate-limiting accordingly.
sync w/kame
2002-06-07 17:15:12 +00:00
itojun
4e9401b698
comment
2002-06-07 17:13:56 +00:00
itojun
ac03214470
whitespace
2002-06-07 14:48:56 +00:00
itojun
3e3b75590b
remove #if 0'ed portion
2002-06-07 14:43:11 +00:00
itojun
c889402ba0
style
2002-06-07 14:37:38 +00:00
itojun
3c11868be8
consistency
2002-06-07 14:35:55 +00:00
itojun
05f0c3e705
KNF a bit
2002-06-07 14:29:10 +00:00
itojun
a11e34efc5
whitespace
2002-06-07 07:38:51 +00:00
itojun
e2ce1896bd
whitespace
2002-06-07 07:35:39 +00:00
itojun
9b39e24802
minor KNF to sync w/kame
2002-06-07 04:30:40 +00:00
itojun
06ed16c31d
typo
2002-06-07 04:18:11 +00:00
itojun
922b4012cc
'fall through' is not a valid LINT keyword.
2002-06-07 04:07:55 +00:00
itojun
83aff37a0f
remove support for deprecated ioctls (EINVAL). sync w/kame
2002-06-07 04:03:53 +00:00
itojun
88a8e0dd9e
cope with ndi->maxmtu == 0 case. sync w/kame
2002-06-07 03:05:18 +00:00
itojun
fb6078474d
cope with cases when maxmtu == 0 (this shouldn't happen!)
2002-06-07 02:31:04 +00:00
itojun
1eb402e813
be sure to use L3 MTU, not L2 MTU, when specified in spec (affects FDDI/ARCnet)
2002-06-05 01:10:54 +00:00
itojun
ad4cab117d
whitespace at EOL
2002-06-03 02:09:37 +00:00
itojun
ed45b704ac
do not hardcode if_mtu values in here, except for IFT_{ARC,FDDI} -
they need special handling. makes it possible to take advantage of 9k ether
frames.
2002-06-03 00:51:47 +00:00
itojun
5625d3b849
do not mistakenly lock PMTUD route entry with RTV_MTU.
2002-05-31 04:26:19 +00:00
itojun
3449ca6d23
do not try to update rmx_mtu if rmx_mtu == 0 (obey ifmtu)
2002-05-31 03:18:54 +00:00
itojun
87fc46bce9
improve nd6_setmtu(), to warn too-small MTU on SIOCSIFMTU. sync w/kame
2002-05-30 05:06:28 +00:00
itojun
a3e4fbdf14
use M_READONLY where possible. minor cleanup/sync with kame.
2002-05-30 04:39:15 +00:00
christos
c7f67f1479
make this compile again.
2002-05-29 19:50:48 +00:00
itojun
cfc6c918de
missing bzero
2002-05-29 13:56:14 +00:00
itojun
050c5b5b7c
receivedra field is gone
2002-05-29 13:52:56 +00:00
itojun
913276174b
"receivedra" field name is obsolete.
2002-05-29 09:32:01 +00:00
itojun
14dafa8f6a
avoid unneeded malloc/free. sync w/kame
2002-05-29 09:05:18 +00:00
itojun
5c1df51d53
attach nd_ifinfo structure into if_afdata.
split IPv6 link MTU (advertised by RA) from real link MTU.
sync with kame
2002-05-29 07:53:39 +00:00
itojun
9ea1dc0d36
correct rmx_mtu value after PMTUD entry timeout (should be set to 0)
2002-05-29 06:55:48 +00:00
itojun
ede265fffd
move per-interface ip6/icmp6 stat to ifnet->if_afdata. sync w/kame
2002-05-29 02:58:28 +00:00
itojun
a15e664f71
rm obsolete comment
2002-05-29 01:43:25 +00:00
itojun
3be26b82ef
use arc4random
2002-05-28 11:19:17 +00:00
itojun
4121fa09fc
correct in*_pcbrtentry. check cached value correctly.
2002-05-28 11:10:52 +00:00
itojun
d208a22daa
use arc4random() where possible.
XXX is it necessary to do microtime() on tcp syn cache?
2002-05-28 10:11:49 +00:00
itojun
7410ea60ca
in in*_pcbrtentry(), check if route is still valid (RTF_UP),
and address family is still valid.
2002-05-28 10:07:51 +00:00
itojun
10c5914022
limit number of IPv6 fragments (not the fragment queue size) to
fight against lots-of-frags DoS attacks. sync w/kame
2002-05-28 03:04:05 +00:00
itojun
9a1a825873
we have no IFT_DUMMY. kame merge mistake
2002-05-25 22:18:49 +00:00
itojun
e3c4951b26
re-enable ipsec policy caching onto pcb. refcnt fix and workarounds based on ymmt-san.
2002-05-25 10:01:01 +00:00
itojun
6f589cb1b2
extra blank line
2002-05-24 09:21:30 +00:00
itojun
c3015f8b5d
make a strict check before sending FQDN node information reply. sync w/kame
2002-05-24 09:13:59 +00:00
itojun
7e7fcd1df4
remove wrong "break" statement
2002-05-23 06:53:13 +00:00
itojun
64a1cfbf83
no longer need IFT_PROPVIRTUAL "bridge[0-9]+" check.
2002-05-23 06:40:03 +00:00
itojun
970757edd8
simplify conditions to do DAD. sync w/kame
2002-05-23 06:35:18 +00:00
itojun
e1d17f512b
should perform DAD for IFT_GIF.
2002-05-23 06:28:25 +00:00
itojun
5a51285f02
do not have link-local address for IFT_BRIDGE
2002-05-23 06:25:25 +00:00
itojun
d2fd814987
in sp caching code, check if sp is still alive. sync w/kame
2002-05-19 00:46:40 +00:00
itojun
b5f1426ee0
rename: net.inet6.ip6.bindv6only -> net.inet6.ip6.v6only
sync w/kame.
2002-05-14 10:27:28 +00:00
matt
0dc8ee943d
Eliminate more commons or redundant declarations.
2002-05-14 02:58:32 +00:00
kleink
241f6932ee
* Use uint{8,32}_t from <netinet/in.h> where applicable; use private
fixed-width integer types otherwise.
* Protect RFC 2292 prototypes, which are not XNS5.2/POSIX-2001; also, define
size_t for inet6_rthdr_space().
2002-05-13 15:20:30 +00:00
kleink
0f1faf8e09
IPV6PORT_* aren't in the reserved namespace either.
2002-05-13 14:25:13 +00:00
kleink
d258299876
Check _POSIX_C_SOURCE as well.
2002-05-13 14:15:34 +00:00
kleink
a317e750c3
Update two comments.
2002-05-13 13:52:31 +00:00
kleink
602066c0d6
Provide local definitions of in_{addr,port}_t in <netinet/in.h> and use
them where deemed appropriate by XNS5.2/POSIX-2001.
2002-05-12 23:04:15 +00:00
matt
c03e11f081
Eliminate commons.
2002-05-12 20:33:50 +00:00
wiz
d30d25dc1a
Spelling fixes, from Sergey Svishchev in kern/16650.
2002-05-12 15:48:36 +00:00
itojun
861dfdc294
disable ipsec policy caching on pcb, as it seems that there's some reference-
counting mistake that causes panic - see PR 15953 and 13813.
i am unable to find the real cause of problem, so it is a shortterm workaround,
hopefully.
2002-05-10 05:49:21 +00:00
itojun
d7669537a8
remove unneeded #ifdef __FreeBSD__ portion.
2002-05-10 05:38:29 +00:00
thorpej
dc12059c9e
Use M_READONLY() rather than testing to see if ext_free is set
or MCLISREFERENCED().
2002-04-28 00:54:41 +00:00
itojun
64109d267c
make sure to check address family in route cache
(I really hate IPv4 mapped address...)
2002-03-28 01:33:50 +00:00
itojun
bb1e9bbcd8
double m_free() - niklas@openbsd
2002-03-24 20:46:56 +00:00
itojun
714618fb98
fix arg to bcmp() - need to compare 15 bytes, not 3 bytes. sync w/kame
2002-03-23 00:43:59 +00:00
itojun
8cbb556660
protect in6pcb queue operation by splnet, as pcb queue will be touched
by in6_pcbpurgeif() under splnet.
2002-03-21 02:11:39 +00:00
itojun
007db8b52a
remove obsolete comment
2002-03-20 22:47:59 +00:00
itojun
d31217b639
check sa_len and sa_family strictly. (NOTE: rtsol/rtsold older than Nov2001
will stop working, upgrade them first)
2002-03-19 01:21:19 +00:00
itojun
f3279050b2
esp/ah_ctlinput: pass useful address to key_alloc.
2002-03-18 15:30:03 +00:00
itojun
766a6d874e
have a real lock around IPv6 reassembly.
2002-03-15 10:44:07 +00:00
itojun
3faedc3f92
s/0/NULL/ as ln_hold is a pointer. sync w/ kame
2002-03-15 09:36:27 +00:00
itojun
38f3d28842
have tcp6_drain
2002-03-15 09:25:41 +00:00
itojun
4b327fb1f3
zlib 1.1.4 dislikes Z_FLUSH at the end of inflate().
2002-03-14 05:18:10 +00:00
itojun
2246ec4a66
on redirect output, always try to attach target link layer address option.
2002-03-05 08:13:56 +00:00
sommerfeld
ef49bcac3c
Nuke out-of-synch comment.
2002-03-04 15:18:32 +00:00
itojun
2ff9b43758
sync blowfish function prototype between i386 assembly and C.
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-02-27 01:32:17 +00:00
itojun
ae1b9c29e9
make sure to check address family on route cache. with IPv4 mapped
address we can see both AF_INET/INET6.
2002-01-22 03:53:55 +00:00
itojun
b0e82d3005
do not log() in per-packet input path. sync w/kame
2002-01-08 04:37:32 +00:00
itojun
e6834b7b5c
make it compile even if NGIF=0
2001-12-22 01:40:03 +00:00
itojun
a225c3930f
whitespace/cosmetic sync w/kame
2001-12-21 08:54:52 +00:00
itojun
1536628a1f
call encap6_ctlinput on icmp6 against tunnelled packet. sync w/kame
2001-12-21 08:54:19 +00:00
itojun
df8adebac1
remove obsolete #if 0'ed section. sync w/kame
2001-12-21 07:16:58 +00:00
itojun
28922b9973
use radix table for inbound tunnel lookup (would increase performance
for machines with a lot of tunnels).
update route cache for IPvX-over-IPv6 tunnel on path MTU discovery.
sync with kame
2001-12-21 06:30:43 +00:00
itojun
9aaffcfde8
move in6_gif_hlim decl to in6_gif.c. sync with kame
2001-12-21 03:58:15 +00:00
itojun
745e191850
move protosw fragment for gif/stf to their own source code.
reduce #ifdef in stf code. sync with kame
2001-12-21 03:21:50 +00:00
itojun
ebb1c82ec5
centralize multicast group management (in6_join/leavegroup).
have a flag for ip6_output() to fragment to minimum MTU.
sync with kame
2001-12-20 07:26:36 +00:00
itojun
1cad8e6085
reduce white space/cosmetic diffs w/kame.
2001-12-18 03:04:02 +00:00
itojun
29064a3fdb
remove obsolete #if 0'ed portion.
2001-12-18 01:42:04 +00:00
itojun
33429d0612
correct timing to increment icmp6 MIB variables. sync with kame
2001-12-07 10:10:43 +00:00
itojun
f8321e02a6
fix cast128 with shorter key length. sync with kame
2001-11-27 11:19:36 +00:00
itojun
c23ea6c341
update outgoing ifp, only if tunnel mode ipsec is used. this is to
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast. sync with kame
2001-11-21 06:28:08 +00:00
perry
c8549493da
(minor) delint
2001-11-17 18:55:11 +00:00
lukem
4f2ad95259
add RCSIDs
2001-11-13 00:56:55 +00:00
itojun
d54922c799
check offset overrun in ip6_nexthdr.
2001-11-02 08:05:48 +00:00
simonb
5f717f7c33
Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun
7b1918bdc8
always check extension header length.
2001-10-29 05:23:17 +00:00
itojun
eecba85f88
no tcp_fasttimo any more. PR 14333
2001-10-24 09:37:00 +00:00
itojun
73f4e5001f
more whitespace sync with kame
2001-10-24 06:36:37 +00:00
itojun
c7e6405a34
remove unused codepath (unifdef -UUDP6)
2001-10-24 06:04:08 +00:00
itojun
68fbfa26e8
gather stats on raw ip6 socket. sync with kame
2001-10-18 09:12:13 +00:00
itojun
51a9c75998
simplify per-if stats.
2001-10-18 09:09:25 +00:00
itojun
ae5499819c
reduce diffs with kame (mostly cosmetic).
move IPV6_CHECKSUM processing to sys/netinet6/raw_ip6.c.
constify a couple of places.
2001-10-18 07:44:33 +00:00
itojun
1990d680c4
do not change neighbor cache state on entry timeout,
if the cache entry is for outgoing router.
perform on-linkness check before default router (re-)selection.
do not play with interface direct route on nd6_rtrequest.
sync a lot of cosmetic changes. sync with kame
2001-10-17 10:55:09 +00:00
itojun
dfb1429789
unifdef OLDIP6OUTPUT
2001-10-17 08:23:05 +00:00
itojun
7dcf45fbd8
more whitespace/comment sync with kame
2001-10-16 06:24:44 +00:00
itojun
45c8a6a57e
remove unused #define. sync whitespace/comment with kame.
2001-10-16 04:57:38 +00:00
itojun
9bff6fde4c
reduce diff with kame. whitespace only
2001-10-16 04:17:54 +00:00
itojun
149aafe6ad
sync with kame.
net.inet6.icmp6.nodeinfo is now a bitmap (2^0 = ping6 -w, 2^1 = ping6 -a).
give up local if there's mbuf alloc failures.
cope with ".." in hostname.
sync comments/whitespaces.
2001-10-15 11:12:44 +00:00
itojun
91498ffec5
implement IPV6_V6ONLY socket option from draft-ietf-ipngwg-rfc2553bis-03.txt.
IPV6_BINDV6ONLY (netbsd only) is deprecated, but still work just like before.
2001-10-15 09:51:15 +00:00
itojun
99d25b4e8a
reduce diff with kame. whitespace changes only.
2001-10-15 03:55:37 +00:00
wiz
456dff6cb8
Spell 'occurred' with two 'r's.
2001-09-16 16:34:23 +00:00
itojun
bf45c09959
fix SA lookup when IPsec transport mode and tunnel mode over IPv6 is used
at the same time. sync with kame
(like "IP AH ESP IP", policy = "esp/tunnel/a-b/use ah/transport//use")
2001-09-13 06:30:57 +00:00
itojun
080d73b4a3
minor style
2001-09-10 03:08:18 +00:00
tls
3d4146e21f
Add asm versions of blowfish and des transforms for i386.
This also involved updating the in-kernel DES functions to correspond
to the versions in our in-tree OpenSSL, because the des_SPtrans table
has changed; the asm code will not work with the old permutation table!
C and i386 asm code for the DES, 3DES, and Blowfish CBC modes is also
included; it is not currently built as the ESP processing in esp_core.c
splits the CBC operation and the cipher transform apart. Hopefully that
will be fixed as there is a substantial performance improvement to be had
from doing so. It will remain necessary to use the C version of the
Blowfish CBC function on some i386 machines, however, as the asm version
uses bswapl, which only 486 and later processors have. The DES CBC code
doesn't have this problem.
Finally, change esp_core.c to use the ecb3_encrypt function instead of
calling ecb_encrypt three times; this improves performance a bit, in
particular in the asm case.
2001-09-09 11:00:59 +00:00
itojun
4d1509970e
do not try to bring IPv6 up on bridge*.
2001-08-23 02:58:24 +00:00
itojun
74ad87bc53
gif interface now uses generic software interrupt
(on archs that support it). also, make gif ALTQ-capable on outgoing.
sync with kame, comments from thorpej.
2001-08-16 17:45:25 +00:00
itojun
57030e2f12
cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb. sync with kame.
2001-08-06 10:25:00 +00:00
itojun
e3d077542f
cosmetic (spacing near /* */). sync with kame
2001-08-05 22:20:44 +00:00
itojun
cad488d032
sync gif interface code with latest kame.
IFF_RUNNING is clarified. attach/detach logic is cleaner.
the old code mistakenly set IFF_UP by itself, now the behavior is gone.
2001-07-29 05:08:32 +00:00
itojun
fd5e7077a3
allocate ipsec policy buffer attached to pcb in in*_pcballoc, before
giving anyone accesses to pcb (do not reveal an inconsistent ones).
sync with kame
2001-07-25 23:28:02 +00:00
itojun
a21ce80cd6
ifindex2ifnet could return NULL if if_detach() is used (pcmcia card
removal and such).
2001-07-25 09:23:46 +00:00
itojun
0cd424b3ce
ifindex2ifnet could contain NULL after if_detach(). sync with kame
2001-07-25 06:59:51 +00:00
itojun
19392ee73b
fix comment on setsockopt arg size. KAME PR 369
2001-07-24 00:44:36 +00:00
itojun
bee33e3d00
repair scoped address handling in PRU_BIND. sync with kame.
2001-07-23 19:29:53 +00:00
wiz
a9356936b4
seperate -> separate
2001-07-22 13:33:58 +00:00
itojun
7f070caa75
sync rt_ifp check with IPv4 counterpart (see sys/net/if_ethersubr.c 1.27).
sync with kame
2001-07-20 20:26:35 +00:00
itojun
8c9f492242
do not malloc() during interrupt context for IPv6 multicast kludge table.
malloc() during interface initialization. sync with kame
2001-07-18 13:12:27 +00:00
itojun
fc35f336c7
sync with draft-ietf-ipngwg-p2p-pingpong-00.txt. apply special behavior
only if ip6_dst is "neighbor" within p2p prefix. sync with kame
2001-07-18 09:24:26 +00:00
itojun
5e920039c6
have ovbcopy() macro, for cross-BSD compatibility only.
2001-07-07 14:45:46 +00:00
itojun
193167b1eb
call in{,6}_pcbpurgeif0() before in{,6}_purgeif().
2001-07-03 08:06:19 +00:00
itojun
1ff38f4d03
on interface removal, remove multicast groups joined from pcb, before
removing interface addresses. without the change, we may deref
NULL pointer in in_pcbpurgeif(). from jinmei@kame, sync with kame
2001-07-02 15:25:34 +00:00
itojun
03927c60a5
call defrouter_select() only if it is autoconfigured host.
2001-06-29 16:01:47 +00:00
itojun
02c94ca414
refresh default router list on nd6_detach(), only if we are an
autoconfigured host. bug was that, we will lose default route on
"ifconfig gif0 destroy" even if default is not pointing to gif0.
reported by ume@mahoroba.org . sync with kame
2001-06-27 17:36:14 +00:00
itojun
9ccf08b3c5
netbsd; on interface removal, force pcbs to leave from multicast groups
pointing toward the interface about to be removed. sync with kame
XXX still need more discussions on semantics. the behavior should be safer
2001-06-27 15:53:14 +00:00
itojun
77a4124f7d
the documents are out of sync with the latest situation. remove them.
2001-06-24 19:40:35 +00:00
itojun
885b74c2be
select default router again, when L2 address of the router changes
2001-06-22 13:36:12 +00:00
itojun
0213b76857
remove RFC1885 compatibility code in #ifdef COMPAT_RFC1885, for icmp6
reply packet size consideration (obsolete, not used for a long time).
sync with kame
2001-06-22 13:01:49 +00:00
itojun
57d1913ebc
do not forward packet back to point-to-point interface, if the packet
matches the ipv6 prefix assigned to the p2p interface (= redirect case).
this leads to pingpong, chews bandwidth. bad thing is that bad guy from
remote can chew bandwidth. (follows upcoming internet draft)
2001-06-22 12:33:05 +00:00
wiz
ccfe29f3cf
Symmetric has one s and two m's.
2001-06-18 11:23:00 +00:00
matt
5571e920d6
senderr needs only be declared when PFIL_HOOKS is defined
2001-06-12 17:55:52 +00:00
itojun
bdbfdf946d
run pfil_hooks for IPv6 forwarding path (note: ip6_forward() does not
call ip6_output()).
2001-06-12 15:12:33 +00:00
itojun
8b646a5273
remove IPV6FIREWALL case, which is never used
2001-06-11 13:49:18 +00:00
wiz
40ac848024
Fix various misspellings of compatible/compatibility.
2001-06-11 01:50:48 +00:00
mrg
6a536c0364
fix a IPNOPRIVPORTS unused variable botch. noted by proff.
2001-06-06 06:07:06 +00:00
thorpej
ad9d3794b0
Implement support for IP/TCP/UDP checksum offloading provided by
network interfaces. This works by pre-computing the pseudo-header
checksum and caching it, delaying the actual checksum to ip_output()
if the hardware cannot perform the sum for us. In-bound checksums
can either be fully-checked by hardware, or summed up for final
verification by software. This method was modeled after how this
is done in FreeBSD, although the code is significantly different in
most places.
We don't delay checksums for IPv6/TCP, but we do take advantage of the
cached pseudo-header checksum.
Note: hardware-assisted checksumming defaults to "off". It is
enabled with ifconfig(8). See the manual page for details.
Implement hardware-assisted checksumming on the DP83820 Gigabit Ethernet,
3c90xB/3c90xC 10/100 Ethernet, and Alteon Tigon/Tigon2 Gigabit Ethernet.
2001-06-02 16:17:09 +00:00
itojun
781f6920ab
use default hoplimit when incoming interface is not given to icmp6_reflect.
sync with kame
2001-06-01 05:54:19 +00:00
mrg
67afbd6270
use _KERNEL_OPT
2001-05-30 11:57:16 +00:00
thorpej
c973d6a0eb
Skip the pseudo-header if nxt == 0. This is already documented
in in6_cksum(9) and is also the behavior of the i386 optimized
version.
2001-05-30 03:06:56 +00:00
itojun
e91c2ce847
remove debug printfs, which can be too noisy. sync with kame.
2001-05-27 17:36:07 +00:00
itojun
fc644273cd
print more diag message on in6_addmulti() failures.
2001-05-24 08:17:22 +00:00
itojun
a7596d1912
call icmp6_mtudisc_update(foo, 0) even if ICMPv6 messages are very short.
let icmp6 layer decide whether we take PMTUD routes or not.
2001-05-24 07:22:27 +00:00
itojun
fc66251bda
plug memory leak on invalid fragment packet. suppress noisy log. from kame
2001-05-17 14:01:37 +00:00
itojun
498fdebcd7
drop multi destination mode (IFF_LINK0).
2001-05-14 13:35:20 +00:00
itojun
f4d5905544
there's no need to #if NFAITH here. IN6P_FAITH can be set even on
NFAITH == 0 kernel, it is safer to always check the condition.
sync with kame.
2001-05-11 18:38:03 +00:00
itojun
63181d71c1
correct ecn consideration on tunnel encap/decap. sync with kame.
2001-05-10 01:37:42 +00:00
itojun
1bec764d78
correct faith prefix determination. use sys/netinet/if_faith.c:faithprefix()
to determine. sync with kame.
(without this change, non-faith socket may mistakenly accept for-faith traffic)
2001-05-08 10:15:13 +00:00
itojun
d1b6307b88
do not copy TTL field on ipsec tunnel mode encapsulation. sync with kame
2001-04-15 01:55:49 +00:00
thorpej
bf2dcec4f5
Remove the use of splimp() from the NetBSD kernel. splnet()
and only splnet() is allowed for the protection of data structures
used by network devices.
2001-04-13 23:29:55 +00:00
itojun
f4e4c674a7
disallow userland programs from specifying addresses with IPV6_PKTINFO
setsockopt, if:
- the address is not verified by DAD (= not ready)
- the address is an anycast address (= not permitted as source)
sync with kame
2001-04-11 04:57:53 +00:00
itojun
5ed8fd262b
suppress RS/RA log messages (can be re-enabled by net.inet6.icmp6.nd6_debug),
as they may fill up /var. sync with kame.
2001-04-04 06:28:41 +00:00
itojun
2abaa8eae5
make sure rcvif is sane on call to icmp6_reflect
2001-04-04 06:28:40 +00:00
itojun
92969654c0
enable FAKE_LOOPBACK_IF case by default.
now traffic on loopback interface will be presented to bpf as normal wire
format packet (without KAME scopeid in s6_addr16[1]).
fix KAME PR 250 (host mistakenly accepts packets to fe80::x%lo0).
sync with kame.
2001-03-30 11:08:56 +00:00
itojun
dbcd4b8d03
fix constness of IN6_{IS,ARE}_xx with RFC2553. sync with kame.
2001-03-30 05:53:52 +00:00
itojun
2fb1887b31
re-initialize mopt in ip6_insert_jumboopt(). sync with kame
From: csapuntz@stanford.edu
2001-03-25 09:58:43 +00:00
itojun
0c8d8ae7a0
couple of missing splx. sync with kame.
From: csapuntz@play-doh.stanford.edu (Constantine Sapuntzakis)
2001-03-25 09:06:03 +00:00
itojun
3e898c9239
in nd6_cache_lladdr(), set nd6_gctimer to ln_expire just after the state
transition to STALE. fixes tahi test breakage. sync with kame.
2001-03-21 21:56:29 +00:00
thorpej
20fe4e2d96
Add a protosw flag, PR_ABRTACPTDIS (Abort on Accept of Disconnected
Socket), and add it to the protocols that use that behavior (all
PR_LISTEN protocols except for PF_LOCAL stream sockets).
2001-03-21 19:22:27 +00:00
itojun
4ce63adb1e
do not inject packets to ipfilter, if the packet went through IPsec tunnel.
http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction
2001-03-21 19:12:56 +00:00
itojun
93b8b31feb
set rmx_mtu to L2 interface mtu, instead of 0, on mtudisc timeout.
ip6_output() change is for safety. sync with kame
2001-03-21 07:52:13 +00:00
itojun
e4ecd03f2a
drop packets with link-local addresses,
if (internally-used) interface ID portion is already filled. sync with kame
2001-03-16 12:22:34 +00:00
itojun
27a0af5865
nd6_storelladdr() was not consistent about m_freem() policy.
do not touch RTF_STATIC entries (static ND entries) on ND cache update.
couple of cosmetic sync. sync with kame
2001-03-08 10:49:32 +00:00
itojun
7695280d34
more missing splx. from kame
2001-03-08 10:48:40 +00:00
itojun
912f42ecda
remove bogus rtfree. sync with kame. inspired by openbsd PR 1706.
2001-03-08 00:19:03 +00:00
itojun
4e45315377
missing splx. from aaron@openbsd. sync with kame
2001-03-07 22:50:14 +00:00
itojun
c9e08725bc
avoid possible alignment issue. sync with kame
2001-03-04 16:49:17 +00:00
itojun
dc3424f555
pass key to rijndael logic as binary, not hexadecimal string.
sync with kame
2001-03-02 15:42:39 +00:00
itojun
f03176a0a8
have comment that refers to kame COVERAGE document. sync with kame
2001-03-02 04:55:40 +00:00
itojun
8c8c2f71a4
the date string in KAME version is getting very meaningless, remove.
2001-03-02 04:52:54 +00:00
itojun
2d6047cff9
make sure to enforce inbound ipsec policy checking, for any protocols on top
of ip (check it when final header is visited). sync with kame.
XXX kame team will need to re-check policy engine code
2001-03-01 16:31:37 +00:00
itojun
233e3963ed
make sure to validate packet against ipsec policy.
2001-02-26 07:20:44 +00:00
cgd
023e9f0649
C requires that labels be followed by statements.
2001-02-24 00:01:22 +00:00
itojun
f2a66201fc
garbage-collect stale ND entries (default: 1 day).
RFC 2461 5.3. sync with kame.
2001-02-23 08:02:41 +00:00
itojun
e1196a8f6e
remove unnecessary state, ND6_LLINFO_WAITDELETE, from neighbor cache
state machine.
no need for RTF_REJECT on neighbor cache entries, they are leftover from
ARP code.
sync with kame.
2001-02-23 06:41:50 +00:00
itojun
2df943e652
correct handling of upper limitation to # of reass queue.
2001-02-22 05:04:42 +00:00
itojun
49889b3afd
be more picky about option length parsing. sync with kame
2001-02-22 01:40:25 +00:00
itojun
e1e316562b
make validation code more strict for ND6/dest6 variable length headers.
check duplicated nd6_ifinfo table initialization in a better way.
sync with kame
2001-02-21 17:23:09 +00:00
itojun
96413230d1
style, to make kame sync easier
2001-02-21 16:28:43 +00:00
itojun
52f2cece9f
tighten AH IPv4 option chasing more. drop too short (< 2) option.
sync with kame.
2001-02-21 01:27:58 +00:00
itojun
c9928e0ab1
need PR_ADDR|PR_ATOMIC for IPPROTO_EON. fix typo. from chopps, sync with kame
2001-02-21 00:11:53 +00:00
itojun
da8a3f0179
add AF_ISO case to output. from chopps.
2001-02-20 10:41:47 +00:00
itojun
176db3e930
ISO over IPv4/v6 by EON encapsulation. from chopps, sync with kame.
2001-02-20 08:49:15 +00:00
itojun
5bc3f3ff96
correct IPv4 option handling.
2001-02-19 04:24:27 +00:00
itojun
26a76076be
correct IPv4 option header chasing. the old code may overrun the buffer
if the option header is truncated. sync with kame
2001-02-19 03:47:01 +00:00
itojun
e6dbed9659
wording in comment.
is contradict -> "is contradictory", or "contradicts".
2001-02-16 15:13:40 +00:00
itojun
f99a50f858
protect router list management by splsoftnet properly. sync with kame
2001-02-11 07:12:01 +00:00
itojun
1bc6ca28a1
make sure to clean ln_byhint on reachability confirmation.
2001-02-11 07:00:03 +00:00
itojun
1442c06fae
wrap kernel-only #define (kame cross-bsd portability) into _KERNEL.
2001-02-11 06:50:59 +00:00
itojun
bc5a6e2482
pull latest kame pcbnotify code. synchronizes ICMPv6 path mtu discovery
behavior with other protocols (i.e. validation, use of hiwat/lowat).
2001-02-11 06:49:49 +00:00
itojun
2390806e17
whitespace sync with kame
2001-02-11 05:25:04 +00:00
itojun
5318e0ee0f
remove #ifdef __FreeBSD__.
2001-02-11 05:24:21 +00:00
itojun
37bb4bf58b
set frag6_doing_reass properly (for frag6_drain). sync with kame.
2001-02-11 05:05:27 +00:00
itojun
7781d63a92
recover $NetBSD$ (removed by mistake)
2001-02-11 04:53:49 +00:00
itojun
9a9c998cc7
add missing IFAFREE() in error recovery case.
2001-02-11 04:29:30 +00:00
itojun
e1f4f77960
to sync with kame better, (1) remove register declaration for variables,
(2) sync whitespaces, (3) update comments. (4) bring in some of portability
and logging enhancements. no functional changes here.
2001-02-10 04:14:26 +00:00
itojun
4cd9449e34
initialize "mbz" member. kame 1.35 -> 1.36
2001-02-10 03:06:39 +00:00
itojun
7f548573d5
cosmetic changes to sync with kame. tabify and minor local variable renames
2001-02-10 02:19:57 +00:00
itojun
20e2452579
fix if_set for architectures with sizeof(long) != 4. IF_xxx behaved badly.
(no fear of overrun, since index was mistakenly computed to too small value)
2001-02-10 02:10:14 +00:00
itojun
6b9104e0f7
sync with kame better. cosmetic/stat changes only.
2001-02-08 18:43:17 +00:00
itojun
ae819d9324
move udp6_output() to separate file. (sync better with kame)
2001-02-08 16:48:01 +00:00
itojun
109fcc5522
implement upper limit to icmp6 redirects (experimental, turned off)
negative value to {mtudisc,redirect}_{hi,lo}wat will turn off the limitation.
sync with kame.
2001-02-08 16:07:39 +00:00
itojun
179a7e0d7b
send up dst_unreach_admin error to local node, if transport-mode
ipsec key is not found. rather experimental. kame 1.83 -> 1.84
nuke IPSEC_SRCSEL which does not do the right thing.
adjust state->ro if the tunnel endpoint is offlink. KAME PR 233.
kame 1.84 -> 1.85
2001-02-08 15:04:26 +00:00
itojun
574214f10a
move in6_{embed,recover}scope prototypes to in6_var.h (kernel only).
add in6_clearscope. sync with kame
2001-02-08 14:56:15 +00:00
itojun
a1d89972c7
when chasing nd6_llinfo chain, make sure we do not touch dangling
pointer (due to RTM_DELETE during default router list management).
from kame
2001-02-08 12:57:54 +00:00
itojun
c8e86cc06a
remove bogus DIAGNOSTIC. sync with kame
2001-02-07 10:56:38 +00:00
itojun
22b473e0f6
during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flooding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)
improve stats in ND6 code.
lots of synchronization with kame (including comments and cosmetic ones).
2001-02-07 08:59:47 +00:00
itojun
172e802b90
bad semicolon after "if" conditional. sync with kame
2001-02-06 01:27:29 +00:00
chs
09cb38f22b
expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 10:42:40 +00:00
itojun
d17dfd2fc0
avoid panic when a packet with nonexistent link-local address is issued.
kame 1.151 -> 1.152.
2001-02-02 15:54:56 +00:00
itojun
617b3fab7e
- record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
so that VPN setting can work with NAT/ipfilter settings.
sync with kame.
TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun
8b3234d2f2
minimize diff with the latest kame tree.
2001-01-23 05:21:23 +00:00
itojun
a836499e32
make it possible to turn off ingress filter on gif/stf tunnel egress,
by using IFF_LINK2. (part of) PR 11163 from Ken Raeburn.
2001-01-22 07:51:01 +00:00
itojun
60240f3ab9
workaround to avoid EMSGSIZE when ND6 table for the outgoing interface
is not initialized (should result in "interface down").
2001-01-18 06:50:12 +00:00
itojun
43950f6d05
on interface removal (ifconfig destroy) do not remove default route by mistake
2001-01-18 06:49:11 +00:00
itojun
4dbe2a5a97
wrap noisy ND6 debugging messages with ND6_DEBUG. sync with kame
2001-01-17 11:26:52 +00:00
itojun
df9784d749
pull post-4.4BSD change to sys/net/route.c from BSD/OS 4.2 (UCB copyrighted).
...
have sys/net/route.c:rtrequest1(), which takes rt_addrinfo * as the argument.
pass rt_addrinfo all the way down to rtrequest, and ifa->ifa_rtrequest.
3rd arg of ifa->ifa_rtrequest is now rt_addrinfo * instead of sockaddr *
(almost no one is using it anyways).
benefit: the following command now works. previously we need two route(8)
invocations, "add" then "change".
# route add -inet6 default ::1 -ifp gif0
remove unsafe typecast in rtrequest(), from rtentry * to sockaddr *. it was
introduced by 4.3BSD-reno and never corrected.
XXX is eon_rtrequest() change correct regarding to 3rd arg?
eon_rtrequest() and rtrequest() were incorrect since 4.3BSD-reno,
so i do not have correct answer in the source code.
someone with more clue about netiso-over-ip, please help.
2001-01-17 04:05:41 +00:00
itojun
039777e3c8
s/ND6DEBUG/ND6_DEBUG/ to meet other places
2001-01-16 06:16:37 +00:00
itojun
9f119cbf91
wrap icmp6 checksum error printf() into #ifdef ND6DEBUG.
...
sync with kame, NetBSD PR 11911.
2001-01-08 06:12:46 +00:00
itojun
6562709f3a
typo fix. PR 11889
2001-01-04 11:48:44 +00:00
thorpej
ad5b855ef0
Back out the sledgehammer damage applied by wiz while I was out for
...
the holiday.
2000-12-28 21:40:59 +00:00
itojun
8b9fb822b0
do not touch ra_addr if it is NULL. from IIJ SEIL team
2000-12-28 21:23:00 +00:00
wiz
32e20d8993
Back out previous change. It causes NAT to fail, and was CLEARLY
...
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej
d0357bdb4f
Slight adjustment to how pfil_head's are registered. Instead of a
...
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type. This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
itojun
b05acc70f8
make sure we notify of routing changes, even if we have net route pointed
...
to by inpcb.
2000-12-21 00:46:20 +00:00
thorpej
d9a9544a2f
Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook.
2000-12-14 17:36:44 +00:00
itojun
1101f217b5
no need to rtalloc1() twice in pmtud. from kame
2000-12-11 19:28:47 +00:00
itojun
5eae50d991
update icmp6 too big validation. the change is necessary since pmtud is
...
mandatory for IPv6 (so we can't just validate by using connected pcb - we need
to allow traffic from unconnected pcb to do pmtud).
- if the traffic is validated by xx_ctlinput, allow up to "hiwat" pmtud
route entries.
- if the traffic was not validated by xx_ctlinput, allow up to "lowat" pmtud
route entries (there's upper limit, so bad guys cannot blow up our routing
table).
sync with kame
XXX need to think again about default hiwat/lowat value.
XXX victim selection to help starvation case
2000-12-09 01:29:45 +00:00
itojun
fe5bd7125e
make sure we don't touch uninitialized pointer. from: fvdl
2000-12-04 12:11:49 +00:00
thorpej
65fd25ea82
Restructure the PFIL_HOOKS mechanism a bit:
...
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
The "dlt" is a BPF data link type, indicating what type of header is
present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
less IP (really, IP Filter) centric.
Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
itojun
a21e536042
improve spec conformance of node information query (07).
...
sync with kame.
2000-11-11 00:46:36 +00:00
itojun
970a75f808
fix KAME PR 296 again, for transport-mode SA only
...
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun
8c411160ec
backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode.
2000-11-09 17:36:11 +00:00
itojun
e452bf6c6b
save a little bit of CPU time (avoid computing CBC IV we do not use).
...
sync with kame.
2000-11-08 04:57:57 +00:00
itojun
47bce75f00
check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
...
tunnel mode packet. decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun
ef8a34f5c3
fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc
2000-11-06 00:50:12 +00:00
onoe
e83458422f
First Prototype implementation of network interface part for IEEE1394 (if_fw).
...
Current status:
Only OHCI chip is supported (fwohci).
ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
sometimes works but not stable.
Not implemented yet:
IRM (Isochronous Resource Manager) functionality.
Link layer fragmentation.
Topology map.
More to do:
clean ups
MCAP
character device part
dhcp
There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun
731744bcc2
avoid possible align issue
2000-11-02 12:28:45 +00:00
itojun
9b55c15642
[13]des fix for big endian machines. from: shigeru@iij.ad.jp
2000-11-02 12:25:01 +00:00
itojun
73b4766cf2
do not panic on "ifconfig inet6 fe80::1 -alias". from Todd Fries.
...
KAME PR 295.
2000-10-28 03:46:21 +00:00
itojun
cb1745c4f9
make IFA_STATS really work on IPv6.
2000-10-23 03:45:25 +00:00
itojun
9183e2dc4e
remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
...
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun
d11a1f9bae
kame 1.32 -> 1.33
...
in add_m6fc(), set interface list for all cases.
in response to a report from Hoerdt Mickael.
kame 1.31 -> 1.32
discard PIM register if the version of the inner packet is incorrect (i.e. IPv6)
(according to clarification of recent discussion in the IETF pim ML)
2000-10-19 03:15:48 +00:00
itojun
edd876a35d
validate ICMPv6 too big message.
...
XXX too restrictive given frequent uses of sendto(2)
2000-10-19 01:14:13 +00:00
itojun
9288750911
memcpy -> bcopy, for sync with kame tree
2000-10-19 00:40:44 +00:00
itojun
23a03329ef
verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
...
TODO: udp6, and sendto consideration. as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej
ea9b5a9106
Restructure the Path MTU Discovery code somewhat to avoid
...
entering rtentry's for hosts we're not actually communicating
with.
Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
* TCP -- Lookup the connection based on the address/port
pairs in the ICMP message.
* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.
If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc(). icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes. For TCP, this is where we now
refresh cached routes and re-enter slow-start.
As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.
XXX Note, this is only a fix for the IPv4 case. For the IPv6
XXX case, we need to wait for the KAME folks.
Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org .
2000-10-18 17:09:14 +00:00
itojun
3fe32f0197
use __P() in prototype for non-ansi compilers.
...
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>
(we don't ansify it for kame code sharing)
2000-10-17 21:46:42 +00:00
itojun
d7a216bb96
suppress warning on nd6_storelladdr failure. the failure could happen
...
easily when we have routing table with too many entries. sync with kame.
2000-10-15 15:39:11 +00:00
itojun
6e3a9bc311
validate mbuf chain length on *_ctlinput. remote node may be able to
...
transmit a truncated icmp6 packet and panic the system. sync with kame.
2000-10-13 17:53:44 +00:00
itojun
8fa0e6b9f7
sync with kame ($KAME$)
2000-10-10 16:26:43 +00:00
enami
0b9cbefe70
Don't initialize TCP twice on v4/v6 dual stack kernel.
2000-10-10 13:25:28 +00:00
itojun
654a1d9555
remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
...
sync with kame.
2000-10-06 05:07:41 +00:00
itojun
a6f9652adf
always use rnd(4) for IPsec random number source. avoid random(9).
...
if there's no rnd(4), random(9) will be used with one-time warning printf(9).
XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun
dabed37e1c
correct merge failure in key size validation.
2000-10-02 23:49:02 +00:00
itojun
89af64e5e3
remove #ifdef freebsd
2000-10-02 17:23:49 +00:00
itojun
e9536f86fa
add ESP rijndael logic. yet to be usable (until algorithm # is assigned)
2000-10-02 17:21:24 +00:00
itojun
dcfe05e7c1
fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
...
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
b2366d4898
add missing \n. sync with kame.
2000-10-01 10:56:02 +00:00
itojun
8a9f93dc37
update ip compression algorithm lookup.
...
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net ). sync with kame
2000-09-26 08:40:23 +00:00
itojun
78f9775c35
do not hardcode maximum IV length.
2000-09-26 08:37:38 +00:00
itojun
2c8b266751
make ip6_ext available for non-IPv6 compilation
...
(needed for header chain parsing). (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin
4e675359ad
Make kernels with IPSec but without IPv6 compile again.
...
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun
89f53512af
use real wallclock (got by microtime) to compute IPsec database lifetimes.
...
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun
e0bb769d4e
on ipsec policy lookup, do not try to lookup port numbers for forwarded packet.
...
sync with kame.
2000-09-22 05:50:23 +00:00
itojun
aa5339554d
cleanup ipsec policy lookup. specifically, repair the following cases:
...
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
itojun
10cc02200a
- repair too strong assumption on mbuf chain.
...
- correct byte lifetime computation to conform to RFC2401 p23 (use
packet BEFORE compression)
- stabilize deflate calls
- present error messages better
2000-09-21 20:28:52 +00:00
itojun
9c55bd3b1a
repair infinite loop in ipcomp packet generation. oops.
2000-09-21 06:08:26 +00:00
itojun
cb4931c8e7
repair cut-and-paste bug. from: francis dupont. sync with kame
2000-09-20 23:35:51 +00:00
itojun
d2c6420404
do not inject empty mbuf to zlib.
2000-09-20 23:35:16 +00:00
itojun
3ad679d8fd
call {de,in}flateEnd on failure, otherwise obsolete state will be kept.
2000-09-20 22:34:24 +00:00
itojun
ffb333a57c
plug mbuf leak (error case). need more investigation.
2000-09-20 21:43:52 +00:00
itojun
e485f6527e
pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
...
(not normally visited - we have switched to m_pulldown. just for completeness)
2000-09-18 22:18:00 +00:00
itojun
303fcdf765
repair blowfish-cbc. BF_encrypt() takes value in host byteorder, yuck!
...
(no effect to 1.5 branch)
2000-09-18 21:57:35 +00:00
itojun
691fdbb4f0
kame sys/netinet6/icmp6.c 1.140 -> 1.144
...
> in the check for the incoming redirect message, examine the gateway
> (from the routing table) only when the address family of the gateway is
> AF_INET6.
2000-09-16 10:12:22 +00:00
itojun
2192675fb1
move file static variable into auto variable, for better thread safety.
...
(not really required for big lock MP). sync with kame
2000-09-09 16:15:47 +00:00
itojun
f8481d085e
add attribute(packed).
...
From: Alfred Perlstein <bright@wintelcom.net>
2000-09-09 11:42:22 +00:00
itojun
dc23ec9971
add missing \n on log(). sync with kame
2000-08-31 07:35:44 +00:00
itojun
65fbdbe744
repair DES on LP64. past code did not interoperate with non-LP64, due to
...
incorrect computed results.
remove unnecessary #ifdef/#define. sync with kame.
2000-08-31 07:33:04 +00:00
itojun
58c93e23cf
LP64 fix (cast to u_long when printing size_t)
2000-08-30 14:58:33 +00:00
itojun
2af85c262b
improve code sharing for esp_schedule(). add some diagnostics cases
...
for esp_cbc_{en,de}crypt(). sync with kame.
2000-08-29 11:32:21 +00:00
itojun
6fe60cce5f
do not forward packets with unspecified source address (::).
...
this is clarification recently made to RFC2460. sync with kame.
2000-08-29 09:19:43 +00:00
itojun
bb8d535cc5
use per-block cipher function + esp_cbc_{de,en}crypt. do not use
...
cbc-over-mbuf functions in sys/crypto.
the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.
XXX: it looks that past blowfish-cbc code was buggy. i ran some test pattern,
and new blowfish-cbc code looks more correct. there's no interoperability
between the old code (before the commit) and the new code (after the commit).
XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun
3da9705446
add a warning on IPv6 setsockopt number space (*BSD shares the number space
...
so consult KAME for number allocation)
2000-08-27 01:02:48 +00:00
itojun
152da24bd9
implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.
2000-08-26 11:03:45 +00:00
itojun
4d40179399
add missing IPNOPRIVPORTS case
2000-08-26 10:40:03 +00:00
thorpej
5bd1b19b29
Don't use MALLOC() for variable-sized allocations.
2000-08-25 21:22:16 +00:00
itojun
cabceaa265
- icmp6 nodeinfo: remove possibility of unaligned pointer access.
...
- jumbo payload output: fix incorrect mbuf manipulation
- pedant: align issues, mbuf assumption
(sync with kame)
2000-08-19 08:15:53 +00:00
itojun
e6efb27c84
add missing splx, when outgoing interface queue is full on tunnelled
...
ESP packet output. KAME PR 280.
2000-08-16 09:54:39 +00:00
thorpej
831a48fd0b
Make this compile without INET6 again.
2000-08-15 21:43:57 +00:00
itojun
54aeb79d4c
suppress warning (LOG_ERR -> LOG_DEBUG) which occurs in the following situation:
...
- manually configure an address from prefix P (like P::1)
- autoconfigure additional address from the same prefix P (like P::ifid).
- rtrequest fails due to P/plen already exists
more fundamental solution should appear later, when kame side stabilizes it.
from thopej.
2000-08-13 23:45:22 +00:00
itojun
5e868d1e49
clarifications in icmp6 node query support.
...
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun
afa5315364
correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
...
sync with kame.
2000-08-03 14:31:04 +00:00
itojun
6574aa66e8
inhibit error code from rtinit(). this happens when we try to assign
...
multiple addresses from same prefix, onto single interface. PR 10427.
more info:
- 4.4BSD did not check return code from in_ifinit() at all.
4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
from the same prefix. KAME tree has more extensive change, however, it needs
much more time to get stabilized (rtentry refcnt change can cause serious
issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
itojun
32ef6bb0e7
sync comment with reality
2000-07-30 05:30:37 +00:00
itojun
0036ac92be
clarify comment. from jhawk. sync with kame.
2000-07-30 04:33:34 +00:00
itojun
5e8b5a35e4
make ipsec_strerror(3) to return const char *, not char *. sync with kame.
2000-07-30 02:38:35 +00:00
itojun
63de4c2cb9
nuke the following sysctl variables. "ppsratelimit" should work better.
...
need to recompile sbin/sysctl after updating /usr/include.
net.inet.tcp.rstratelimit
net.inet.icmp.errratelimit
net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun
73a29e35ff
do not forward packet with :: in the source.
...
this is not in the spec - we had rough consensus on it in ipngwg,
spec will get updated to include this behavior.
2000-07-27 15:53:51 +00:00
itojun
fec624be3f
wrap kernel function prototype by #ifdef _KERNEL.
2000-07-23 08:24:12 +00:00
itojun
411ff12b27
pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
...
sync with kame.
loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun
65d37eff7f
correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
...
sync from kame.
WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun
5f09b77987
s/IPSEC_IPV6FWD/IPSEC/. this should correct strange behavior on ipv6
...
forwarding (even if policy asks for tunnel mode encryption, packets
go out in clear). sync with kame.
2000-07-16 07:57:55 +00:00
itojun
a2744a4cf8
do not pull sys/queue.h from netinet6/in6.h. PR10597.
...
some sync with kame.
2000-07-16 01:10:34 +00:00
itojun
20964b0c23
fatal bug fix from kame (rtentry refcnt goes negative if we play with IPv6
...
address/routing table too much).
in6_ifloop_request()
not to request rtrequest to return an rtentry except for the ADD
operation, in order to avoid misdecreasing the refcnt (which might
cause leak of rtentry)
2000-07-13 09:56:20 +00:00
itojun
f5211e847a
remove m_pulldown statistics code. it is highly experimental and belong
...
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun
d8a9a3cc7b
add ppsratelimit(9), which does event-per-sec rate limitation.
...
use it from icmp6 error rate limitation code.
XXX better name for the function?
2000-07-09 06:44:57 +00:00
itojun
ec67eee51f
sync with kame.
...
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
christos
2068dee670
elide lint cast type conversion warnings.
2000-07-06 17:42:55 +00:00
itojun
210a3e2f80
remove unnecessary #include <netkey/key_debug.h>. from kame.
2000-07-06 12:51:39 +00:00
itojun
0a1e211454
- do not use bitfield for router renumbering header.
...
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation. TODO: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
itojun
6fff122160
drop packet to tentative/duplicated interface address earlier. sync w/kame
2000-07-02 09:56:39 +00:00
itojun
8ff902fca1
repair kernel faithd(8) support. there were two mistakes:
...
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
itojun
3ade27131a
suppress too noisy warning on forward-over-loopback case. from kame
2000-06-30 19:46:05 +00:00
mrg
cf594a3f4d
<vm/vm.h> -> <uvm/uvm_extern.h>
2000-06-28 03:01:16 +00:00
kleink
d2787dad27
XNS5.2: define sa_family_t and use it where specified by the standard.
2000-06-26 15:48:19 +00:00
itojun
278184a8ab
avoid possible mbuf leaks on ipsec policy violation.(sync with kame)
2000-06-20 02:24:42 +00:00
itojun
90ca25568b
remove obsolete sysctl MIB net.inet.ipsec.inbound_call_ike.
...
(sync with kame)
2000-06-15 05:01:06 +00:00
thorpej
1b8ede9f7c
Import IPsec ESP from netbsd-cryptosrc-intl.
2000-06-14 19:39:42 +00:00
itojun
dafb757588
add algorithm name into algorithm table. (commit to crypto-intl will follow)
2000-06-14 11:27:35 +00:00
itojun
af9d516560
signedness issue with char, take 2. confirmed with i386 cc -funsigned-char.
2000-06-13 17:31:37 +00:00
itojun
c6a8ca266b
workaround to suppress warning on char == unsigned char arch.
2000-06-13 16:34:37 +00:00
itojun
0455eac327
do not use cached route if the route becomes !RTF_UP.
...
make the validation for jumbo payload option more strict.
2000-06-13 14:43:44 +00:00
itojun
36887242d7
add sanity check on in6_ifaddr.
2000-06-13 04:35:29 +00:00
itojun
fa24d1db9b
make sure to link new in6_ifaddr to if_addrlist.
2000-06-13 02:54:11 +00:00