Commit Graph

459 Commits

Author SHA1 Message Date
itojun e4ecd03f2a drop packets with link-local addresses,
if (internally-used) interface ID portion is already filled.  sync with kame
2001-03-16 12:22:34 +00:00
itojun 27a0af5865 nd6_storelladdr() was not consistent about m_freem() policy.
do not touch RTF_STATIC entries (static ND entries) on ND cache update.
couple of costmetic sync.  sync with kame
2001-03-08 10:49:32 +00:00
itojun 7695280d34 more missing splx. from kame 2001-03-08 10:48:40 +00:00
itojun 912f42ecda remove bogus rtfree. sync with kame. inspired by openbsd PR 1706. 2001-03-08 00:19:03 +00:00
itojun 4e45315377 missing splx. from aaron@openbsd. sync with kame 2001-03-07 22:50:14 +00:00
itojun c9e08725bc avoid possible alignment issue. sync with kame 2001-03-04 16:49:17 +00:00
itojun dc3424f555 pass key to rijndael logic as binary, not hexadecimal string.
sync with kame
2001-03-02 15:42:39 +00:00
itojun f03176a0a8 have comment that refers to kame COVERAGE document. sync with kame 2001-03-02 04:55:40 +00:00
itojun 8c8c2f71a4 the date string in KAME version is getting very meaningless, remove. 2001-03-02 04:52:54 +00:00
itojun 2d6047cff9 make sure to enforce inbound ipsec policy checking, for any protocols on top
of ip (check it when final header is visited).  sync with kame.
XXX kame team will need to re-check policy engine code
2001-03-01 16:31:37 +00:00
itojun 233e3963ed make sure to validate packet against ipsec policy. 2001-02-26 07:20:44 +00:00
cgd 023e9f0649 C requires that labels be followed by statements. 2001-02-24 00:01:22 +00:00
itojun f2a66201fc garbage-collect stale ND entries (default: 1 day).
RFC 2461 5.3.  sync with kame.
2001-02-23 08:02:41 +00:00
itojun e1196a8f6e remove unnecessary state, ND6_LLINFO_WAITDELETE, from neighbor cache
state machine.
no need for RTF_REJECT on neighbor cache entires, they are leftover from
ARP code.
sync with kame.
2001-02-23 06:41:50 +00:00
itojun 2df943e652 correct handling of upper limitation to # of reass queue. 2001-02-22 05:04:42 +00:00
itojun 49889b3afd be more more picky about option length parsing. sync with kame 2001-02-22 01:40:25 +00:00
itojun e1e316562b make validation code more strict for ND6/dest6 variable length headers.
check duplicated nd6_ifinfo table initialization in a better way.
sync with kame
2001-02-21 17:23:09 +00:00
itojun 96413230d1 style, to make kame sync easier 2001-02-21 16:28:43 +00:00
itojun 52f2cece9f tighten AH IPv4 option chasing more. drop too short (< 2) option.
sync with kame.
2001-02-21 01:27:58 +00:00
itojun c9928e0ab1 need PR_ADDR|PR_ATOMIC for IPPROTO_EON. fix typo. from chopps, sync with kame 2001-02-21 00:11:53 +00:00
itojun da8a3f0179 add AF_ISO case to output. from chopps. 2001-02-20 10:41:47 +00:00
itojun 176db3e930 ISO over IPv4/v6 by EON encapsulation. from chopps, sync with kame. 2001-02-20 08:49:15 +00:00
itojun 5bc3f3ff96 correct IPv4 option handling. 2001-02-19 04:24:27 +00:00
itojun 26a76076be correct IPv4 option header chasing. the old code may overrun the buffer
if the option header is truncated.  sync with kame
2001-02-19 03:47:01 +00:00
itojun e6dbed9659 wording in comment.
is contradict -> "is contradictory", or "contradicts".
2001-02-16 15:13:40 +00:00
itojun f99a50f858 protect router list management by splsoftnet properly. sync with kame 2001-02-11 07:12:01 +00:00
itojun 1bc6ca28a1 make sure to clean ln_byhint on reachability confirmation. 2001-02-11 07:00:03 +00:00
itojun 1442c06fae wrap kernel-only #define (kame cross-bsd portability) into _KERNEL. 2001-02-11 06:50:59 +00:00
itojun bc5a6e2482 pull latest kame pcbnotify code. synchronizes ICMPv6 path mtu discovery
behavior with other protocols (i.e. validation, use of hiwat/lowat).
2001-02-11 06:49:49 +00:00
itojun 2390806e17 whitespace sync with kame 2001-02-11 05:25:04 +00:00
itojun 5318e0ee0f remove #ifdef __FreeBSD__. 2001-02-11 05:24:21 +00:00
itojun 37bb4bf58b set frag6_doing_reass properly (for frag6_drain). sync with kame. 2001-02-11 05:05:27 +00:00
itojun 7781d63a92 recover $NetBSD$ (removed by mistake) 2001-02-11 04:53:49 +00:00
itojun 9a9c998cc7 add missing IFAFREE() in error recovery case. 2001-02-11 04:29:30 +00:00
itojun e1f4f77960 to sync with kame better, (1) remove register declaration for variables,
(2) sync whitespaces, (3) update comments. (4) bring in some of portability
and logging enhancements.  no functional changes here.
2001-02-10 04:14:26 +00:00
itojun 4cd9449e34 initialize "mbz" member. kame 1.35 -> 1.36 2001-02-10 03:06:39 +00:00
itojun 7f548573d5 cosmetic changes to sync with kame. tabify and minor local variable renames 2001-02-10 02:19:57 +00:00
itojun 20e2452579 fix if_set for architectures with sizeof(long) != 4. IF_xxx behaved badly.
(no fear of overrun, since index was mistakenly computed to too small value)
2001-02-10 02:10:14 +00:00
itojun 6b9104e0f7 sync with kame better. cosmetic/stat changes only. 2001-02-08 18:43:17 +00:00
itojun ae819d9324 move udp6_output() to separate file. (sync better with kame) 2001-02-08 16:48:01 +00:00
itojun 109fcc5522 implement upper limit to icmp6 redirects (experimental, turned off)
negative value to {mtudisc,redirect}_{hi,lo}wat will turn off the limitation.
sync with kame.
2001-02-08 16:07:39 +00:00
itojun 179a7e0d7b send up dst_unreach_admin error to local node, if transport-mode
ipsec key is not found.  rather experimental.  kame 1.83 -> 1.84

nuke IPSEC_SRCSEL which does not do the right thing.
adjust state->ro if the tunnel endpoint is offlink.  KAME PR 233.
kame 1.84 -> 1.85
2001-02-08 15:04:26 +00:00
itojun 574214f10a amove in6_{embed,recover}scope prototypes to in6_var.h (kernel only).
add in6_clearscope.  sync with kame
2001-02-08 14:56:15 +00:00
itojun a1d89972c7 when chasing nd6_llinfo chain, make sure we do not touch dangling
pointer (due to RTM_DELETE during default router list management).
from kame
2001-02-08 12:57:54 +00:00
itojun c8e86cc06a remove bogus DIAGNOSTIC. sync with kame 2001-02-07 10:56:38 +00:00
itojun 22b473e0f6 during ip6/icmp6 inbound packet processing, do not call log() nor printf() in
normal operation (/var can get filled up by flodding bogus packets).
sysctl net.inet6.icmp6.nd6_debug will turn on diagnostic messages.
(#define ND6_DEBUG will turn it on by default)

improve stats in ND6 code.

lots of synchronziation with kame (including comments and cometic ones).
2001-02-07 08:59:47 +00:00
itojun 172e802b90 bad semicolon after "if" conditional. sync with kame 2001-02-06 01:27:29 +00:00
chs 09cb38f22b expose the definitions of MIN() and MAX() in sys/param.h to the kernel
and use those in favor of a dozen copies scattered around the source tree.
2001-02-05 10:42:40 +00:00
itojun d17dfd2fc0 avoid panic when a packet with nonexistent link-local address is issued.
kame 1.151 -> 1.152.
2001-02-02 15:54:56 +00:00
itojun 617b3fab7e - record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun 8b3234d2f2 minimize diff with the latest kame tree. 2001-01-23 05:21:23 +00:00
itojun a836499e32 make it possible to turn off ingress filter on gif/stf tunnel egress,
by using IFF_LINK2.  (part of) PR 11163 from Ken Raeburn.
2001-01-22 07:51:01 +00:00
itojun 60240f3ab9 workaround to avoid EMSGSIZE when ND6 table for the outgoing interface
is not initialized (should result in "interface down").
2001-01-18 06:50:12 +00:00
itojun 43950f6d05 on interface removal (ifconfig destroy) do not remove default route by mistake 2001-01-18 06:49:11 +00:00
itojun 4dbe2a5a97 wrap noisy ND6 debugging messages with ND6_DEBUG. sync with kame 2001-01-17 11:26:52 +00:00
itojun df9784d749 pull post-4.4BSD change to sys/net/route.c from BSD/OS 4.2 (UCB copyrighted).
have sys/net/route.c:rtrequest1(), which takes rt_addrinfo * as the argument.
pass rt_addrinfo all the way down to rtrequest, and ifa->ifa_rtrequest.
3rd arg of ifa->ifa_rtrequest is now rt_addrinfo * instead of sockaddr *
(almost noone is using it anyways).

benefit: the follwoing command now works.  previously we need two route(8)
invocations, "add" then "change".
# route add -inet6 default ::1 -ifp gif0

remove unsafe typecast in rtrequest(), from rtentry * to sockaddr *.  it was
introduced by 4.3BSD-reno and never corrected.

XXX is eon_rtrequest() change correct regarding to 3rd arg?
eon_rtrequest() and rtrequest() were incorrect since 4.3BSD-reno,
so i do not have correct answer in the source code.
someone with more clue about netiso-over-ip, please help.
2001-01-17 04:05:41 +00:00
itojun 039777e3c8 s/ND6DEBUG/ND6_DEBUG/ to meet other places 2001-01-16 06:16:37 +00:00
itojun 9f119cbf91 wrap icmp6 checksum error printf() into #ifdef ND6DEBUG.
sync with kame,  NetBSD PR 11911.
2001-01-08 06:12:46 +00:00
itojun 6562709f3a typo fix. PR 11889 2001-01-04 11:48:44 +00:00
thorpej ad5b855ef0 Back out the sledgehammer damage applied by wiz while I was out for
the holiday.
2000-12-28 21:40:59 +00:00
itojun 8b9fb822b0 do not touch ra_addr if it is NULL. from IIJ SEIL team 2000-12-28 21:23:00 +00:00
wiz 32e20d8993 Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej d0357bdb4f Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type.  This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
itojun b05acc70f8 make sure we notify of routing changes, even if we have net route pointed
to by inpcb.
2000-12-21 00:46:20 +00:00
thorpej d9a9544a2f Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook. 2000-12-14 17:36:44 +00:00
itojun 1101f217b5 no need to rtalloc1() twice in pmtud. from kame 2000-12-11 19:28:47 +00:00
itojun 5eae50d991 update icmp6 too big validation. the change is necessary since pmtud is
mandatory for IPv6 (so we can't just validate by using connected pcb - we need
to allow traffic from unconnected pcb to do pmtud).
- if the traffic is validated by xx_ctlinput, allow up to "hiwat" pmtud
  route entries.
- if the traffic was not validated by xx_ctlinput, allow up to "lowat" pmtud
  route entries (there's upper limit, so bad guys cannot blow up our routing
  table).
sync with kame

XXX need to think again about default hiwat/lowat value.
XXX victim selection to help starvation case
2000-12-09 01:29:45 +00:00
itojun fe5bd7125e make sure we don't touch uninitialized pointer. from: fvdl 2000-12-04 12:11:49 +00:00
thorpej 65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
itojun a21e536042 improve spec conformance of node information query (07).
sync with kame.
2000-11-11 00:46:36 +00:00
itojun 970a75f808 fix KAME PR 296 again, for transport-mode SA only
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun 8c411160ec backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode. 2000-11-09 17:36:11 +00:00
itojun e452bf6c6b save a little bit of CPU time (avoid computing CBC IV we do not use).
sync with kame.
2000-11-08 04:57:57 +00:00
itojun 47bce75f00 check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet.  decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun ef8a34f5c3 fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc 2000-11-06 00:50:12 +00:00
onoe e83458422f First Prototype implementation of network interface part for IEEE1394 (if_fw).
Current status:
	Only OHCI chip is supported (fwohci).
	ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
	sometimes works but not stable.
Not implemented yet:
	IRM (Isochronous Resource Manager) functionality.
	Link layer fragmentation.
	Topology map.
More to do:
	clean ups
	MCAP
	charactor device part
	dhcp

There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun 731744bcc2 avoid possible align issue 2000-11-02 12:28:45 +00:00
itojun 9b55c15642 [13]des fix for big endian machines. from: shigeru@iij.ad.jp 2000-11-02 12:25:01 +00:00
itojun 73b4766cf2 do not panic on "ifconfig inet6 fe80::1 -alias". from Todd Fries.
KAME PR 295.
2000-10-28 03:46:21 +00:00
itojun cb1745c4f9 make IFA_STATS really work on IPv6. 2000-10-23 03:45:25 +00:00
itojun 9183e2dc4e remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun d11a1f9bae kame 1.32 -> 1.33
in add_m6fc(), set interface list for all cases.
in response to a report from Hoerdt Mickael.

kame 1.31 -> 1.32
discard PIM register if the version of the inner packet is incorrect (i.e. IPv6)
(according to clarfication of recent discussion in the IETF pim ML)
2000-10-19 03:15:48 +00:00
itojun edd876a35d validate ICMPv6 too big message.
XXX too restrictive given frequent uses of sendto(2)
2000-10-19 01:14:13 +00:00
itojun 9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun 23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun 3fe32f0197 use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>
(we don't ansify it for kame code sharing)
2000-10-17 21:46:42 +00:00
itojun d7a216bb96 suppress warning on nd6_storelladdr failure. the failure could happen
easily when we have routing table with too many entries.  sync with kame.
2000-10-15 15:39:11 +00:00
itojun 6e3a9bc311 validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.
2000-10-13 17:53:44 +00:00
itojun 8fa0e6b9f7 sync with kame ($KAME$) 2000-10-10 16:26:43 +00:00
enami 0b9cbefe70 Don't initialize TCP twice on v4/v6 dual stack kernel. 2000-10-10 13:25:28 +00:00
itojun 654a1d9555 remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
sync with kame.
2000-10-06 05:07:41 +00:00
itojun a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun dabed37e1c correct merge failure in key size validation. 2000-10-02 23:49:02 +00:00
itojun 89af64e5e3 remove #ifdef freebsd 2000-10-02 17:23:49 +00:00
itojun e9536f86fa add ESP rijndael logic. yet to be usable (until algorithm # is assigned) 2000-10-02 17:21:24 +00:00
itojun dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun b2366d4898 add missing \n. sync with kame. 2000-10-01 10:56:02 +00:00
itojun 8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun 78f9775c35 do not hardcode maximum IV length. 2000-09-26 08:37:38 +00:00
itojun 2c8b266751 make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing).  (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin 4e675359ad Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun 89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun e0bb769d4e on ipsec policy lookup, do not try to lookup port numbers for forwarded packet.
sync with kame.
2000-09-22 05:50:23 +00:00
itojun aa5339554d cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
	old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
itojun 10cc02200a - repair too strong assumption on mbuf chain.
- correct byte lifetime computation to conform to RFC2401 p23 (use
  packet BEFORE compression)
- stabilize deflate calls
- present error messages better
2000-09-21 20:28:52 +00:00
itojun 9c55bd3b1a repair infinite loop in ipcomp packet generation. oops. 2000-09-21 06:08:26 +00:00
itojun cb4931c8e7 repair cut-and-paste bug. from: francis dupont. sync with kame 2000-09-20 23:35:51 +00:00
itojun d2c6420404 do not inject empty mbuf to zlib. 2000-09-20 23:35:16 +00:00
itojun 3ad679d8fd call {de,in}flateEnd on failure, otherwise obsolete state will be kept. 2000-09-20 22:34:24 +00:00
itojun ffb333a57c plug mbuf leak (error case). need more investigation. 2000-09-20 21:43:52 +00:00
itojun e485f6527e pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
(not normally visited - we have switched to m_pulldown.  just for completeness)
2000-09-18 22:18:00 +00:00
itojun 303fcdf765 repair blowfish-cbc. BF_encrypt() takes value in host byteorder, yuck!
(no effect to 1.5 branch)
2000-09-18 21:57:35 +00:00
itojun 691fdbb4f0 kame sys/netinet6/icmp6.c 1.140 -> 1.144
>   in the check for the incoming redirect message, examine the gateway
>   (from the routing table) only when the address family of the gateway is
>   AF_INET6.
2000-09-16 10:12:22 +00:00
itojun 2192675fb1 move file static variable into auto variable, for better thread safety.
(not really required for big lock MP).  sync with kame
2000-09-09 16:15:47 +00:00
itojun f8481d085e add attribute(packed).
From: Alfred Perlstein <bright@wintelcom.net>
2000-09-09 11:42:22 +00:00
itojun dc23ec9971 add missing \n on log(). sync with kame 2000-08-31 07:35:44 +00:00
itojun 65fbdbe744 repair DES on LP64. past code did not interoperate with non-LP64, due to
incorrect computed results.
remove unnecessary #ifdef/#define.  sync with kame.
2000-08-31 07:33:04 +00:00
itojun 58c93e23cf LP64 fix (cast to u_long when printing size_t) 2000-08-30 14:58:33 +00:00
itojun 2af85c262b improve code sharing for esp_schedule(). add some diagnostics cases
for esp_cbc_{en,de}crypt().  sync with kame.
2000-08-29 11:32:21 +00:00
itojun 6fe60cce5f do not forward packets with unspecified source address (::).
this is clarification recently made to RFC2460.  sync with kame.
2000-08-29 09:19:43 +00:00
itojun bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun 3da9705446 add a warning on IPv6 setsockopt number space (*BSD shares the number space
so consult KAME for number allocation)
2000-08-27 01:02:48 +00:00
itojun 152da24bd9 implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable. 2000-08-26 11:03:45 +00:00
itojun 4d40179399 add missing IPNOPRIVPORTS case 2000-08-26 10:40:03 +00:00
thorpej 5bd1b19b29 Don't use MALLOC() for variable-sized allocations. 2000-08-25 21:22:16 +00:00
itojun cabceaa265 - icmp6 nodeinfo: remove possibility of unaligned pointer access.
- jumbo payload output: fix incorrect mbuf manipulation
- pedant: align issues, mbuf assumption
(sync with kame)
2000-08-19 08:15:53 +00:00
itojun e6efb27c84 add missing splx, when outgoing interface queue is full on tunnelled
ESP packet output.  KAME PR 280.
2000-08-16 09:54:39 +00:00
thorpej 831a48fd0b Make this compile without INET6 again. 2000-08-15 21:43:57 +00:00
itojun 54aeb79d4c supress warning (LOG_ERR -> LOG_DEBUG) which occurs in the following situation:
- manually configure an address from prefix P (like P::1)
- autoconfigure additional address from the same prefix P (like P::ifid).
- rtrequest fails due to P/plen already exists

more fundamental solution should appear later, when kame side stablizes it.
from thopej.
2000-08-13 23:45:22 +00:00
itojun 5e868d1e49 clearifications in icmp6 node query support.
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun afa5315364 correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
sync with kame.
2000-08-03 14:31:04 +00:00
itojun 6574aa66e8 inhibit error code from rtinit(). this happens when we try to assign
multiple addresses from same prefix, onto single interface.  PR 10427.


more info:
- 4.4BSD did not check return code from in_ifinit() at all.
  4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
  the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
  4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
  from the same prefix.  KAME tree has more extensive change, however, it needs
  much more time to get stabilized (rtentry refcnt change can cause serious
  issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
itojun 32ef6bb0e7 sync comment with reality 2000-07-30 05:30:37 +00:00
itojun 0036ac92be clarify comment. from jhawk. sync with kame. 2000-07-30 04:33:34 +00:00
itojun 5e8b5a35e4 make ipsec_strerror(3) to return const char *, not char *. sync with kame. 2000-07-30 02:38:35 +00:00
itojun 63de4c2cb9 nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
	net.inet.tcp.rstratelimit
	net.inet.icmp.errratelimit
	net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun 73a29e35ff do not forward packet with :: in the source.
this is not in the spec - we had rough consensus on it in ipngwg,
spec will get updated to include this behavior.
2000-07-27 15:53:51 +00:00
itojun fec624be3f wrap kernel function prototype by #ifdef _KERNEL. 2000-07-23 08:24:12 +00:00
itojun 411ff12b27 pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun 65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun 5f09b77987 s/IPSEC_IPV6FWD/IPSEC/. this should correct strange behavior on ipv6
forwarding (even if policy asks for tunnel mode encryption, packets
go out in clear).  sync with kame.
2000-07-16 07:57:55 +00:00
itojun a2744a4cf8 do not pull sys/queue.h from netinet6/in6.h. PR10597.
some sync with kame.
2000-07-16 01:10:34 +00:00
itojun 20964b0c23 fatal bug fix from kame (rtentry refcnt goes negative if we play with IPv6
address/routing table too much).

in6_ifloop_request()
  not to request rtrequest to return an rtentry except for the ADD
  operation, in order to avoid misdecreasing the refcnt (which might
  cause leak of rtentry)
2000-07-13 09:56:20 +00:00
itojun f5211e847a remove m_pulldown statistics code. it is highly experimental and belong
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun d8a9a3cc7b add ppsratelimit(9), which does event-per-sec rate limitation.
use it from icmp6 error rate limitation code.
XXX better name for the function?
2000-07-09 06:44:57 +00:00
itojun ec67eee51f sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
christos 2068dee670 elide lint cast type conversion warnings. 2000-07-06 17:42:55 +00:00
itojun 210a3e2f80 remove unnecessary #include <netkey/key_debug.h>. from kame. 2000-07-06 12:51:39 +00:00
itojun 0a1e211454 - do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation.  TOOD: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00