Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
139,045 Commits 606 Branches 0 Tags 3.1 GiB
40a140d919
Commit Graph

852 Commits

Author SHA1 Message Date
yamt
540e6d4640 rip6_output: make sure that the mbuf is writable 
before write a checksum into it.
otherwise "ping6 -s50000" causes a panic.

ok'ed by itojun.
 2004-07-22 05:26:46 +00:00
itojun
3f35f96f9a prevent mbuf leak on IPsec tunnel mode. from iij seil team 2004-07-16 01:12:02 +00:00
itojun
8da378abea - update ro_pmtu on IPsec tunnel encapsulation. ro != ro_pmtu is used as the 
sign for the existence of routing header.
- fragment to 1280 on IPv6-over-IPv6 encapsulation, as ICMPv6 too big may not
  give you enough information to update pmtu cache.

from iij seil team, via kame.
 2004-07-14 03:06:08 +00:00
minoura
c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...). 
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
 2004-07-06 04:30:27 +00:00
drochner
05da173d52 abstain from typecasting the LHS of an assignment; 
gcc-3.4.x doesn't like it
 2004-06-24 16:49:51 +00:00
itojun
b791f5f740 error could be left uninitialized when we jump into "senderr" 2004-06-24 15:01:51 +00:00
itojun
0f18c4c945 multicast data management fix - previous fix was incorrect. jinmei@kame 2004-06-16 03:17:26 +00:00
itojun
ec7ac551be insufficient paren in macro def. Patrick Latifi 2004-06-16 02:36:37 +00:00
itojun
2e60f85658 use macro and make it a bit more readable. 2004-06-14 08:07:29 +00:00
itojun
4d7b9596f6 check before joining multicast group. otherwise multiple in6_multi structure 
will be kept.  reported by patrick latifi
 2004-06-14 07:54:45 +00:00
itojun
501233726d implement IPV6_USE_MIN_MTU sockopt. needed by bind9 + EDNS0 + big receive buffer. 2004-06-11 04:10:10 +00:00
itojun
56e182b708 there's no use to check privs on curproc in the input path. jinmei@kame 2004-06-01 03:13:22 +00:00
atatat
4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
itojun
32e4b55076 do not loop on nd6_output() when transmission fails. from kame 2004-05-19 17:45:05 +00:00
jonathan
f7abb16323 Fix per-PCB IPsec policy cache for FAST_IPSEC: 
The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of
the KAME per-PCB policy cache) assumes that policy-cacheable PCBs
always has a non-NULL inph_sp in the common PCB header.  So we must
do all the per-PCB policy cache calls when either (KAME) IPSEC, or
FAST_IPSEC is defined.  ``Make it so''.

We can now support non-IPsec'ed IPv6 traffic, when both
``options FAST_IPSEC'' and ``options INET6'' are configured.
 2004-04-26 01:53:59 +00:00
simonb
b5d0e6bf06 Initialise (most) pools from a link set instead of explicit calls 
to pool_init.  Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.

 Convert struct session, ucred and lockf to pools.
 2004-04-25 16:42:40 +00:00
itojun
cb0651e44a correct parameter to in6_cksum. keiichi@kame 2004-04-22 17:58:59 +00:00
matt
e50668c7fa Constify protosw arrays. This can reduce the kernel .data section by 
over 4K (if all the network protocols) are loaded.
 2004-04-22 01:01:40 +00:00
itojun
5da9234d88 remove duplicated #include. PR 25234 2004-04-20 17:12:03 +00:00
atatat
83b193a052 Make these compile without INET. tcp_input probably needs a lot more 
work...
 2004-03-29 04:59:02 +00:00
christos
d6939c86f1 no need for splsoftnet, because the caller does it already. 2004-03-28 08:28:50 +00:00
christos
03766c2d10 PR/23335: Christos Zoulas: Removing interfaces trashes free memory when 
ipv6 is used because multicast group memberships contain dangling references
to the multicast group deleted.
 2004-03-28 08:28:06 +00:00
itojun
e050c8a03d do not touch m->m_pkthdr.rcvif after m becomes invalid. Patrick Latifi 2004-03-26 03:35:02 +00:00
atatat
19af35fd0d Tango on sysctl_createv() and flags. The flags have all been renamed, 
and sysctl_createv() now uses more arguments.
 2004-03-24 15:34:46 +00:00
martti
c3f78782b9 Make ip6_getpmtu() globally visible. This is needed by IPFilter 4.x. 2004-03-23 18:21:38 +00:00
itojun
3811eef49d typo 2004-03-23 05:31:54 +00:00
itojun
721292cf12 constify AH algorithm function table. suggested by robert watson 2004-03-10 03:45:04 +00:00
thorpej
2803ff0955 Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup 
when possible.  This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
 2004-03-02 02:28:28 +00:00
thorpej
db4fcd885b Augment the PCB cache with a "hint" that can be used to short-circuit 
IPsec processing in other places.  The hint has 3 values: MAYBE, YES,
and NO.  Hints are initialized to MAYBE, and MAYBE is always used for
unconnected sockets (since the spidx may change for every packet
that is output).  For connected sockets, NONE and BYPASS policies cause
the hint to be set to NO, and all other policies to YES.

Also shuffle the PCB cache data structure, turning 3 arrays into a
single array of a struct.
 2004-03-02 02:17:38 +00:00
itojun
581091043b knf 2004-03-01 22:32:35 +00:00
wiz
f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun
aaa4bd9a6c avoid out-of-bound memory access if len == 128. 
from Ted Unangst via Colin Percival
 2004-02-23 05:01:04 +00:00
wiz
d20841bb64 Uppercase CPU, plural is CPUs. 2004-02-13 11:36:08 +00:00
itojun
d93f7028c1 we have IFT_BRIDGE already, no need for #ifdef 2004-02-11 20:51:24 +00:00
christos
bcdf1b194a We don't have IFT_{PFLOG,PFSYNC} (yet). 2004-02-11 17:36:33 +00:00
itojun
abd93ec67b minor KNF 2004-02-11 10:54:29 +00:00
itojun
5d3b18b4a4 KNF 2004-02-11 10:47:28 +00:00
itojun
57cbd26e09 missing bzero 2004-02-11 10:42:24 +00:00
itojun
6c8714a95e avoid ugly typecast 2004-02-11 10:37:33 +00:00
itojun
e2d302c40d reduce useless variables 2004-02-10 20:57:20 +00:00
itojun
c5cb8d59c0 remove unneeded #ifdef 2004-02-06 08:07:55 +00:00
tron
d23ecc0dca Remove outdated prototype for ip6_getpmtu(). The function has a different 
signature now and is statically declared in "ip6_output.c".
 2004-02-04 10:31:27 +00:00
itojun
70e51fdcf0 strictly follow RFC2460 section 5 last paragraph 
(sending rule when PMTU < 1280).  pointed out by guninski at guninski.com
 2004-02-04 05:17:28 +00:00
darrenr
5915fd3874 make ip6_getpmtu() externally visible 2004-01-24 13:02:41 +00:00
itojun
092e41da38 do not lookup security policy if IPV6_FORWARDING. 
avoids possible infinite ipsec encapsulation on
        ip6_input -> ip6_forward -(tunnel mode)-> ip6_output
case.  from kame
 2004-01-19 05:14:58 +00:00
itojun
cdaa27b23a when ipsec tunnel mode is applied, we are originating packet (instead of 
forwarding).  go to ip6_output() path for fragmentation and other processing.
from kame
 2004-01-16 05:12:08 +00:00
itojun
8dcc7f31aa typo. 
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
 2004-01-13 23:02:00 +00:00
itojun
1101ef17d0 plug memory leak on failure. 
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
 2004-01-13 23:01:08 +00:00
itojun
3ffdb9507a avoid deref-after-free. 
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
 2004-01-13 06:17:14 +00:00
wiz
d46bc94200 Niels Provos kindly agreed to drop clauses 3 and 4 from the 
license -- thanks.
Based on OpenBSD commit and hints by itojun.
 2003-12-26 19:04:55 +00:00
lha
2b1cb68e2f Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl. 
Makes ndp -r/ndp -p work again, patch from atatat
 2003-12-17 18:49:38 +00:00
itojun
d8ac1c6007 fix cases where pktinfo specifies outgoing interface of "0". 2003-12-10 22:35:35 +00:00
itojun
aa8a6718f0 use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL 
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces.  from kame
 2003-12-10 11:46:33 +00:00
itojun
561720b19b validate set/getsockopt arg more strictly. with previous code privileged 
user can cause kernel crash.
 2003-12-10 09:28:38 +00:00
itojun
c81f32fe6c comment from niels provos; 
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
  the repetition period to 30000)
 2003-12-10 05:22:18 +00:00
atatat
13f8d2ce5f Dynamic sysctl. 
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
 2003-12-04 19:38:21 +00:00
keihan
b8702f530b netbsd.org -> NetBSD.org 
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean".  Thanks for the patiance, and sorry for all the commits.
 2003-12-04 13:57:30 +00:00
itojun
0864b4939d "seed2" was ruining non-repeating property, so remove it. discussed on tech-net 2003-11-25 18:13:55 +00:00
jonathan
995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm, 
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
 2003-11-17 21:34:27 +00:00
itojun
3107b5dcc0 implement net.inet6.ifq 2003-11-12 15:25:19 +00:00
itojun
ae3e6f6041 correct behavior when ipv6mr_interface is 0. Matthias Drochner 2003-11-06 06:10:51 +00:00
itojun
60dac07656 use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90 2003-11-05 01:20:56 +00:00
briggs
07a0e27c44 Revert the change in default value of ipv6_v6only. Further discussion 
on this topic is required.  It should be reintroduced and pursued in
the IETF.
 2003-11-03 15:12:06 +00:00
simonb
a2facef339 Remove some assigned-to but otherwise unused variables. 2003-10-30 01:43:08 +00:00
mycroft
2dde0746b6 Do a jump optimization that eliminates some uninitialized variable warnings. 2003-10-29 10:12:43 +00:00
briggs
5a770ba2d8 Toggle the default value of ip6_v6only. Also provide a sample sysctl to 
retain the existing behavior.
 2003-10-28 06:31:28 +00:00
christos
59f2aab1ed fix uninitialized variables 2003-10-25 08:26:14 +00:00
itojun
ba71e93c60 backout previous (ENETREST special handlng) 2003-10-15 22:55:34 +00:00
itojun
90d92fe2d9 ignore ENETRESET on ADDMULTI 2003-10-15 22:16:35 +00:00
itojun
018cb094b4 ignore ENETRESET on ADDMULTI. 2003-10-15 22:15:25 +00:00
itojun
a8d71f892f define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame 2003-10-15 01:28:28 +00:00
itojun
40e6b63c60 fix endian bug in fragment header scanning. 2003-10-14 05:33:04 +00:00
itojun
b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun
98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun
96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun
140276fde1 shouldn't check scope match when encapsulating packet into tunnel mode. 
iij seil team
 2003-10-03 04:30:31 +00:00
itojun
d451ef2606 do not deref state.ro if it is NULL 2003-10-02 19:32:41 +00:00
itojun
d83af104d4 correctly look at outer IPv6 header when forwarding packet into ipsec tunnel. 
iij seil team
 2003-10-02 12:13:44 +00:00
itojun
364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local) 
iij seil team
 2003-10-02 10:01:11 +00:00
itojun
8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seli team 2003-10-02 07:19:37 +00:00
christos
36b4e0b6e7 Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD 2003-09-30 00:01:18 +00:00
mycroft
ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing 
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
 2003-09-28 04:45:14 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
cd71ebe2f7 mark security policy that should persist in the system "persistent". 
this should prevent recently-reported kernel panic when "spdflush" is issued.
 2003-09-22 04:47:43 +00:00
itojun
7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun
ca549eaf98 exp is a reserved name under posix 2003-09-16 00:31:23 +00:00
itojun
94da0d16ac avoid overflow during multiply. David Laight 2003-09-15 23:38:20 +00:00
itojun
71c96a2bb4 correct ru_a/ru_b setup for 20bit case 2003-09-13 21:32:59 +00:00
itojun
8ee5969c3b change confusing filename 2003-09-12 11:21:36 +00:00
itojun
9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun
a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun
6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun
5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun
494fe70198 lint 2003-09-09 11:39:14 +00:00
itojun
800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet) 
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
 2003-09-07 15:59:36 +00:00
itojun
bfa3dccfd7 prototype should have no variable name 2003-09-07 15:50:43 +00:00
itojun
5c9706bb41 correct seed generation. sync w/ kame 2003-09-06 13:47:09 +00:00
itojun
37c3c44062 fix comment, from kame 2003-09-06 13:30:40 +00:00
itojun
680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00