provos
0f09ed48a5
remove trailing \n in panic(). approved perry.
2002-09-27 15:35:29 +00:00
itojun
9401012487
KNF - return is not a function. sync w/kame.
2002-09-11 02:46:42 +00:00
itojun
6dedde045a
correct signedness mixup in pointer passing. sync w/kame
2002-09-11 02:41:19 +00:00
itojun
c00fa8dfd9
avoid swapping endian of ip_len and ip_off on mbuf, to meet with M_LEADINGSPACE
optimization made last year. should solve PR 17867 and 10195.
IP_HDRINCL behavior of raw ip socket is kept unchanged. we may want to
provide IP_HDRINCL variant that does not swap endian.
2002-08-14 00:23:27 +00:00
itojun
af8ad017f7
typo. From: Arto Selonen <arto@selonen.org>, sync w/kame
2002-08-01 05:17:47 +00:00
wiz
e00173a7f2
Spell 'should' correctly.
2002-07-18 11:59:06 +00:00
itojun
d7006267f3
reduce kernel stack usage by separating struct secasindex. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-27 12:12:49 +00:00
itojun
61f28217c4
move sanity check upwards. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-22 12:27:09 +00:00
itojun
cfb9a4a799
avoid listening socket from mistakenly use incorrect cached policy.
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp> sync w/kame
2002-06-22 12:04:07 +00:00
itojun
69d65da8c6
sizeof mistake in DIAGNOSTIC path. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-21 23:15:35 +00:00
itojun
3033187db0
previous commit cached pcb policy too much (when pcb points to
SPD entry that is not ipsec - like "none"). back it out. sync w/kame
2002-06-16 16:28:36 +00:00
itojun
c1808f02bf
cache pcb policy as much as possible. in fact, if policy is not
IPSEC_POLICY_IPSEC we don't need to compare spidx. sync w/kame
2002-06-14 14:47:24 +00:00
itojun
813344bfbe
remove redundant line
2002-06-14 14:17:55 +00:00
itojun
a8dde3fa57
free secpolicy on deepcopy failure
2002-06-13 05:10:13 +00:00
itojun
dc96111483
deep-copy pcb policy if it is an ipsec policy. assign ID field to all
SPD entries. make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes). sync w/kame
2002-06-12 17:56:45 +00:00
itojun
3489976392
do not copy policy-on-socket at all. avoid copying packet header value to
struct spindex. should reduce memory usage per socket/pcb, and should speedup
ipsec processing. sync w/kame
2002-06-12 01:47:34 +00:00
itojun
fa53d749ff
share policy-on-pcb for listening socket. sync w/kame
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
itojun
2533e1f81f
avoid variable name confusion. sync w/kame
2002-06-11 17:26:52 +00:00
itojun
b05ff066a7
whitespace cleanup
2002-06-09 14:43:10 +00:00
itojun
fc5800e3fd
whitespace cleanup
2002-06-08 20:06:44 +00:00
itojun
e3c4951b26
re-enable ipsec policy caching onto pcb. refcnt fix and workarounds based on ymmt-san.
2002-05-25 10:01:01 +00:00
itojun
d2fd814987
in sp caching code, check if sp is still alive. sync w/kame
2002-05-19 00:46:40 +00:00
itojun
861dfdc294
disable ipsec policy caching on pcb, as it seems that there's some
reference-counting mistake that causes panic - see PR 15953 and 13813.
i am unable to find the real cause of problem, so it is a shortterm workaround,
hopefully.
2002-05-10 05:49:21 +00:00
itojun
d7669537a8
remove unneeded #ifdef __FreeBSD__ portion.
2002-05-10 05:38:29 +00:00
thorpej
dc12059c9e
Use M_READONLY() rather than testing to see if ext_free is set
or MCLISREFERENCED().
2002-04-28 00:54:41 +00:00
itojun
c23ea6c341
update outgoing ifp, only if tunnel mode ipsec is used. this is to
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast. sync with kame
2001-11-21 06:28:08 +00:00
lukem
4f2ad95259
add RCSIDs
2001-11-13 00:56:55 +00:00
simonb
5f717f7c33
Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun
7dcf45fbd8
more whitespace/comment sync with kame
2001-10-16 06:24:44 +00:00
wiz
456dff6cb8
Spell 'occurred' with two 'r's.
2001-09-16 16:34:23 +00:00
itojun
bf45c09959
fix SA lookup when IPsec transport mode and tunnel mode over IPv6 is used
at the same time. sync with kame
(like "IP AH ESP IP", policy = "esp/tunnel/a-b/use ah/transport//use")
2001-09-13 06:30:57 +00:00
itojun
57030e2f12
cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb. sync with kame.
2001-08-06 10:25:00 +00:00
itojun
e3d077542f
cosmetic (spacing near /* */). sync with kame
2001-08-05 22:20:44 +00:00
itojun
5e920039c6
have ovbcopy() macro, for cross-BSD compatibility only.
2001-07-07 14:45:46 +00:00
itojun
d1b6307b88
do not copy TTL field on ipsec tunnel mode encapsulation. sync with kame
2001-04-15 01:55:49 +00:00
itojun
179a7e0d7b
send up dst_unreach_admin error to local node, if transport-mode
ipsec key is not found. rather experimental. kame 1.83 -> 1.84
nuke IPSEC_SRCSEL which does not do the right thing.
adjust state->ro if the tunnel endpoint is offlink. KAME PR 233.
kame 1.84 -> 1.85
2001-02-08 15:04:26 +00:00
itojun
617b3fab7e
- record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
so that VPN setting can work with NAT/ipfilter settings.
sync with kame.
TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun
970a75f808
fix KAME PR 296 again, for transport-mode SA only
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun
8c411160ec
backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode.
2000-11-09 17:36:11 +00:00
itojun
47bce75f00
check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet. decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun
dcfe05e7c1
fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
2c8b266751
make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing). (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin
4e675359ad
Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun
aa5339554d
cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
mrg
cf594a3f4d
<vm/vm.h> -> <uvm/uvm_extern.h>
2000-06-28 03:01:16 +00:00
itojun
90ca25568b
remove obsolete sysctl MIB net.inet.ipsec.inbound_call_ike.
(sync with kame)
2000-06-15 05:01:06 +00:00
itojun
92e64a4a0d
sync with almost-latest KAME IPsec. full changelog would be too big
to mention here. notable changes are like below.
kernel:
- make PF_KEY kernel interface more robust against broken input stream.
it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
in struct sadb_msg. we cannot just change these standard structs.
sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
these functions are not supplied in /usr/lib.
setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
specify it)
- spddelete takes direction specification
2000-06-12 10:40:37 +00:00
itojun
d7e34999be
sync with recent kame.
avoid use of macros to manipulate sockaddrs (hides error case too much).
correct IPv4 packet handling when ip option is present.
preparations for ipsec policy engine upgrades.
2000-06-03 16:14:02 +00:00
thorpej
e0d0cba239
Remove junk at the end of #undef.
2000-05-08 18:31:10 +00:00
itojun
fadbd2b29a
cleanup AH/policy processing.
- parse IPv6 header by using common function, ip6_{last,next}hdr.
- fix behavior in multiple AH cases.
make strict boundary checks on mbuf chasing.
(sync with latest kame)
2000-03-21 23:53:30 +00:00