Aren
/
NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
168,241 Commits 606 Branches 0 Tags 3.1 GiB
Commit Graph

1089 Commits

Author SHA1 Message Date
rpaulo 1acb7de56f From KAME via SUZUKI Shinsuke: 
fixed a memory leak when net.inet6.icmp6.nd6_maxqueuelen is
	greater than 1.
 2006-03-24 19:24:38 +00:00
rpaulo 4532d44c4d RFC 4191 changed the meaning of the "Reserved" Router Preference 
value. Previously the router should treat the recieved router
advertisement as having a 0 router lifetime. The RFC now says that the
router should treat the "Reserved" field the same way as if it was the
medium (default) preference.

From the KAME project via SUZUKI Shinsuke.
 2006-03-20 12:13:05 +00:00
rpaulo 7122043ef9 0 > len ==> len < 0 2006-03-17 23:29:20 +00:00
rpaulo 86cd5b8af4 0 > len ==> len < 0 2006-03-17 23:26:06 +00:00
rpaulo 941ce91614 Rename local variables called delay that shadow the delay() decl. 
Pointed out by Robert Swindells.
 2006-03-06 20:33:52 +00:00
rpaulo 8c2379fd97 NDP-related improvements: 
RFC4191
	- supports host-side router-preference

	RFC3542
	- if DAD fails on a interface, disables IPv6 operation on the
          interface
	- don't advertise MLD report before DAD finishes

	Others
	- fixes integer overflow for valid and preferred lifetimes
	- improves timer granularity for MLD, using callout-timer.
	- reflects rtadvd's IPv6 host variable information into kernel
	  (router only)
	- adds a sysctl option to enable/disable pMTUd for multicast
          packets
	- performs NUD on PPP/GRE interface by default
	- Redirect works regardless of ip6_accept_rtadv
	- removes RFC1885-related code

From the KAME project via SUZUKI Shinsuke.
Reviewed by core.
 2006-03-05 23:47:08 +00:00
rpaulo 0131d25777 bzero -> memset 2006-03-05 01:28:51 +00:00
rpaulo eb35daf5b2 Fix typos in comments. 
From: the KAME project via SUZUKI Shinsuke.
 2006-03-03 14:07:06 +00:00
dyoung 8bc5b41214 In nd6_llinfo_timer, don't duplicate part of nd6_llinfo_settimer's 
logic, and then call nd6_llinfo_settimer.   Instead, call
nd6_llinfo_settimer immediately.

This should cause no functional change.  I've been running this
patch for months.
 2006-03-02 05:11:31 +00:00
wiz 5d1e8b2745 Fix some typos. 2006-02-25 02:28:55 +00:00
wiz 1ad8067cb3 Fix typos, reported by Alexey Dobriyan ("Gathered from Linux"), 
forwarded by jmc@openbsd.
 2006-02-25 00:58:34 +00:00
perry fbae48b901 Change "inline" back to "__inline" in .h files -- C99 is still too 
new, and some apps compile things in C89 mode. C89 keywords stay.

As per core@.
 2006-02-16 20:17:12 +00:00
rpaulo 1152ca51d5 From FreeBSD: 
In ipcomp6_input(), check 'md' not 'm' after a call to m_pulldown(): 'm'
    may be a stale pointer at this point, and we're interested in whether or
    not m_pulldown() failed.

    Noticed by:     Coverity Prevent analysis tool
 2006-02-14 21:43:02 +00:00
rpaulo 96aa0d0f54 Fix copy&paste problem found by James Juran 
<James.Juran@baesystems.com> in freebsd-net mailing list.
bzero'ing the wrong var with a wrong sizeof is clearly not ok..
 2006-02-08 13:35:48 +00:00
rpaulo 0c00fd29c5 PR 32653: mrt@notwork.org: remove 'sum += w[0]' left in previous revision. 2006-01-27 20:08:11 +00:00
rpaulo 035f84616e <netinet6/in6_pcb.h> is not needed. 2006-01-26 20:29:33 +00:00
rpaulo 7df4d41aef de-__P() 2006-01-26 18:59:18 +00:00
yamt 9178119484 ip6_input: don't embed scope id before running packet filters. 2006-01-23 23:01:40 +00:00
rpaulo 78678b130a Better support of IPv6 scoped addresses. 
- most of the kernel code will not care about the actual encoding of
  scope zone IDs and won't touch "s6_addr16[1]" directly.
- similarly, most of the kernel code will not care about link-local
  scoped addresses as a special case.
- scope boundary check will be stricter.  For example, the current
  *BSD code allows a packet with src=::1 and dst=(some global IPv6
  address) to be sent outside of the node, if the application do:
    s = socket(AF_INET6);
    bind(s, "::1");
    sendto(s, some_global_IPv6_addr);
  This is clearly wrong, since ::1 is only meaningful within a single
  node, but the current implementation of the *BSD kernel cannot
  reject this attempt.
- and, while there, don't try to remove the ff02::/32 interface route
  entry in in6_ifdetach() as it's already gone.

This also includes some level of support for the standard source
address selection algorithm defined in RFC3484, which will be
completed on in the future.

From the KAME project via JINMEI Tatuya.
Approved by core@.
 2006-01-21 00:15:35 +00:00
perry 0f0296d88a Remove leading __ from __(const|inline|signed|volatile) -- it is obsolete. 2005-12-24 20:45:08 +00:00
christos 7c77bfb8e4 Forward declarations for structs. 2005-12-20 19:32:58 +00:00
christos 95e1ffb156 merge ktrace-lwp. 2005-12-11 12:16:03 +00:00
elad 9702e98730 Multiple inclusion protection, as suggested by christos@ on tech-kern@ 
few days ago.
 2005-12-10 23:31:41 +00:00
dsl c24781af04 Pass the current process structure to in_pcbconnect() so that it can 
pass it to in_pcbbind() so that can allocate a low numbered port
if setsockopt() has been used to set IP_PORTRANGE to IP_PORTRANGE_LOW.
While there, fail in_pcbconnect() if the in_pcbbind() fails - rather
than sending the request out from a port of zero.
This has been largely broken since the socket option was added in 1998.
 2005-11-15 18:39:46 +00:00
bouyer e148e671d8 mif6table is used by netstat, so don't declare it static. Fix netstat -g 
on Xen, whose ELF loader doesn't load local symbols in the symbol table.
 2005-10-21 18:00:45 +00:00
bouyer b3b0d23068 In icmp6_redirect_output(), sip6 is initialised to point to the data area of 
m0. But m0 may be freed later, so trying to use sip6 at the end of this
function is wrong. My guess is that we want to reference the data area
of m (the mbuf about to be send) instead at this point.
Fix a panic on Xen (where a data area of a mbuf may be unmapped when the
mbuf is freed), and probably potential data/pool corruption in other cases.
 2005-10-19 20:42:54 +00:00
rpaulo 8f596fb842 If we recieve a PIM register message when IPv6 PIM-SM routing is 
enabled avoid a crash when forwarding the packet to outgoing interfaces.

Taken from FreeBSD which obtained it from KAME.
 2005-10-17 15:56:43 +00:00
christos a9a78a7c79 change bcopy to memmove since this was supposed to be an ovbcopy (from kre) 2005-09-23 21:21:58 +00:00
christos 03d7777e5c PR/25658: Steve Woodford: Default value of net.inet.ipsec.dfbit breaks PMTU 
over IPsec tunnels.
I have changed the default to 2 [copy]. I've verified that this works with
all my IPSEC setups, and this change has also been discussed in tech-net.
 2005-09-09 15:38:05 +00:00
rpaulo 3bb81503bf Implement net.inet6.raw6.stats sysctl. 
Reviewed by Elad Efrat.
 2005-08-28 21:04:09 +00:00
rpaulo 5872b8775c Implement net.inet6.pim6.stats sysctl. 
Reviewed by Elad Efrat.
 2005-08-28 21:03:18 +00:00
rpaulo 3995141ceb Implement net.inet6.ip6.stats sysctl. 
Reviewed by Elad Efrat.
 2005-08-28 21:01:53 +00:00
rpaulo 151760f5d2 Implement net.inet6.udp6.stats. 
Reviewed by Elad Efrat.
 2005-08-28 21:01:02 +00:00
tron d66d9a8e3b Remove write-only variable "derived" in esp_cbc_encrypt(). 2005-08-18 07:54:09 +00:00
yamt 2e85eff671 - introduce M_MOVE_PKTHDR and use it where appropriate. 
intended to be mostly API compatible with openbsd/freebsd.
- remove a glue #define in netipsec/ipsec_osdep.h.
 2005-08-18 00:30:58 +00:00
yamt 0be9633956 re-implement ipv6 tx loopback checksum omission. 2005-08-10 13:08:11 +00:00
yamt f02551ec2d move {tcp,udp}_do_loopback_cksum back to tcp/udp 
so that they can be referenced by ipv6.
 2005-08-10 13:06:49 +00:00
yamt 40a140d919 ipv6 tx checksum offloading. reviewed by Jason Thorpe. 2005-08-10 12:58:37 +00:00
manu ae124933ca introduce ipsec_policy_t to help user programs with the change of 
ipsec_set_policy, ipsec_get_policylen and ipsec_dump_policy prototypes
(using void * instead of caddr_t)
 2005-08-07 08:34:32 +00:00
christos 49b19c5f09 PR/30821: SUZUKI, Shinsuike: IPsec-AH is always calculated using the same 
key in AES-XCBC-MAC
 2005-07-28 14:19:56 +00:00
tron d5da0b0c38 Remove unnecessary bzero() calls before calling the algorithm specific 
init function.
 2005-07-21 16:59:20 +00:00
gdt b0239c745e Add PR_PURGEIF flag for protocols to indicate that the protocol might 
store a struct ifnet *, and define it for udp/tcp/rawip for INET and
INET6.  When deleting a struct ifnet, invoke PRU_PURGEIF on all
protocols marked with PR_PURGEIF.  Closes PR kern/29580 (mine).
 2005-07-19 12:58:24 +00:00
tron 58b513c9f5 Defopt IPSEC_NAT_T. 2005-07-07 16:00:56 +00:00
christos 7642adc771 match the declarations in libipsec.h 2005-06-26 21:14:37 +00:00
mlelstv d23f1d6e16 expire cached route. Fixes PR 22792. 2005-06-26 10:39:21 +00:00
tron c86b2622dd Change the first argument of the encapsulation check function from 
"const struct mbuf *" to "struct mbuf *". Without this change the
actual implementation cannot even use m_copydata() on the mbuf chain
which is broken.
 2005-06-02 15:21:35 +00:00
tron 41dcb3a310 Remove type casts and lint directives which are now longer necessary 
because the first argument of m_copydata() is "const struct mbuf *" now.
 2005-06-02 10:54:58 +00:00
christos 2ab31527e2 - avoid shadowed variables 
- sprinkle const.
 2005-05-29 21:43:51 +00:00
christos 6dbf0e5b0a avoid silly static variables that even caused nesting issues, not to mention 
reentrancy concerns.
 2005-05-29 21:43:09 +00:00
seanb 40b52d3132 - Arithmetic error when calculating ticks to nd6_llinfo_settimer(). 
- Reviewed by christos.
 2005-05-27 22:26:25 +00:00
manu 7c6ffb8ab4 Use NAT-T ports for AH and IPcomp too. 2005-05-20 01:25:17 +00:00
christos 362a4a0bd5 Yes, it was a cool trick >20 years ago to use "0123456789abcdef"[a] to 
implement, xtoa(), but I think defining the samestring 50 times is a bit
too much. Defined HEXDIGITS and hexdigits in subr_prf.c and use it...
 2005-05-17 04:14:57 +00:00
christos 7d0b65d656 PR/30154: YAMAMOTO Takashi: tcp_close locking botch 
One more so_uid -> so_uidinfo change.
 2005-05-07 17:44:11 +00:00
yamt 34c3fec469 move decl of inetsw to its own header to avoid array of incomplete type. 
found by gcc4.  reported by Adam Ciarcinski.
 2005-04-29 10:39:09 +00:00
manu 455d55f55b Enhance IPSEC_NAT_T so that it can work with multiple machines behind the 
same NAT.
 2005-04-23 14:05:28 +00:00
yamt df9d0a0359 disable loopback checksum omission for udp6. 
i forgot to commit this with:
http://mail-index.NetBSD.org/source-changes/2005/04/18/0023.html
 2005-04-22 11:56:33 +00:00
itojun f1fe53f0ac AES counter mode uses 8byte IV, not 16 bytes. 
msa@burp.tkv.asdf.org, Juha.Leppilahti@iki.fi
 2005-04-22 02:43:39 +00:00
tron 6589458a53 Make sure that prefixes get purged. This fixes PR kern/21189, 
PR kern/25968 and PR kern/27873.
 2005-04-03 11:02:27 +00:00
atatat 5b8a6c916d Revert the change that made kern.file2 and net.*.*.pcblist into nodes 
instead of structs.  It had other deleterious side-effects that are
rather nasty.  Another solution must be found.
 2005-03-11 06:16:15 +00:00
atatat ca63da437a Change types of kern.file2 and net.*.*.pcblist to NODE 2005-03-10 05:43:25 +00:00
itojun b64c75b041 correct mistake reported by VANHULLEBUS Yvan 2005-03-09 14:17:13 +00:00
atatat 7c62c74d09 Add the following nodes to the sysctl tree: 
net.local.stream.pcblist
	net.local.dgram.pcblist
	net.inet.tcp.pcblist
	net.inet.udp.pcblist
	net.inet.raw.pcblist
	net.inet6.tcp6.pcblist
	net.inet6.udp6.pcblist
	net.inet6.raw6.pcblist

which allow retrieval of the pcbs in use for those protocols.  The
struct involved is 32/64 bit clean and incorporates parts of struct
inpcb, struct unpcb, a bit of struct tcpcb, and two socket addresses.
 2005-03-09 05:07:19 +00:00
itojun 015b260743 make ip6_getpmtu back to static 2005-02-28 09:27:07 +00:00
perry f07677dd81 nuke trailing whitespace 2005-02-26 22:45:09 +00:00
manu 5c217c1a67 Add support for IPsec Network Address Translator traversal (NAT-T), as 
described by RFC 3947 and 3948.
 2005-02-12 12:31:07 +00:00
itojun 692c601c25 backout 1.54. heurestic code should never be used. if you experience DAD 
failure, suspect your driver, not ND code.
 2005-02-10 02:57:17 +00:00
drochner e1e8770b32 Give DAD a chance to succeed even if the network is "slightly broken" 
(in my case it as a switch set to "monitor" mode):
If we see an NS request for the address we are just probing for, for
three times the number of DAD packets we are supposed to send (the
"ip6.dad_count" sysctl variable), assume that these are our own packets
and let DAD succeed.
The code for this was mostly there, commented out. Just needed some fixes.
The "three times" is heuristic of course.
Being here, reset the "dad_ns_tcount" variable on a successful send;
otherwise we get strange interdependencies with user-settable variables
(ever tried to set ip6.dad_count to something >15?).
 2005-02-02 20:56:27 +00:00
drochner dc86361844 remove the unused in6_ifindex2scopeid() 
if at all, it works with site-local addresses whose fate is uncertain
to say the least
 2005-02-01 15:29:23 +00:00
drochner 5d0cfbc9bd sin6_scope_id maps to interface indices for link local addresses only! 
(unlikely to be used with other scopes for now, but we should be
correct anyway)
 2005-02-01 14:56:17 +00:00
matt d341be30f4 Change initialzie of domains to use link sets. Switch to using STAILQ. 
Add a convenience macro DOMAIN_FOREACH to interate through the domain.
 2005-01-23 18:41:56 +00:00
itojun 57fd095fdf shouldn't check code field on "packet too big" icmp6 message. 2005-01-17 10:16:07 +00:00
drochner e5653b8213 remove a redundant check for ifindex2ifnet[idx] != 0 2004-12-21 11:40:12 +00:00
drochner f44d9a5791 fix ifindex argument checks for IPV6_JOIN_GROUP, 
IPV6_LEAVE_GROUP and IPV6_MULTICAST_IF -
0 is always legal
 2004-12-21 11:37:47 +00:00
thorpej 7994b6f95e Don't perform checksums on loopback interfaces. They can be reenabled with 
the net.inet.*.do_loopback_cksum sysctl.

Approved by: groo
 2004-12-15 04:25:19 +00:00
peter 396b87b8c2 Convert lo(4) to a clonable device. 
This also removes the loif array and changes all code to use the new
lo0ifp pointer which points to the lo0 ifnet structure.

Approved by christos.
 2004-12-04 16:10:25 +00:00
christos 694d5b6a91 We don't need to include bpfilter.h 2004-11-28 02:37:38 +00:00
itojun 5bcaef8e92 wrong paren. Patrick Latifi 2004-11-17 03:20:53 +00:00
itojun bc559f51c6 remove extra code mistakenly committed 2004-10-27 23:16:56 +00:00
itojun 70fc307de9 missing break; Emmanuel Dreyfus 2004-10-27 22:26:50 +00:00
itojun 5e3841214f no need to call defrouter_select() here any more; jinmei 2004-10-26 07:03:29 +00:00
itojun 830e5a5fbf more cleanup on onlink assumption; jinmei 2004-10-26 06:54:53 +00:00
itojun b5f3688c67 remove onlink assumption behavior (consider destination on-link if default 
router list is empty) based on recent IETF ipv6 discussion (RFC2461 5.2).

fix "ndp -I delete".
 2004-10-26 06:08:00 +00:00
itojun 75259d166c ip6_flow_seq is no longer available. 2004-10-18 01:43:43 +00:00
yamt 056303b850 rip6_output: redo raw_ip6.c 1.67-1.67, using m_copyback_cow. 2004-09-06 10:05:14 +00:00
manu 6e3c639957 IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on 
tech-net@
 2004-09-04 23:29:44 +00:00
yamt 39dd3d0c5d run PFIL_IFADDR hooks on SIOCAIFADDR_IN6 and SIOCDIFADDR_IN6 as well. 
from Peter Postma, PR/26368.
ok'ed by itojun.
 2004-07-26 13:44:35 +00:00
yamt e08729e055 rip6_output: redo the previous (raw_ip6.c 1.66) 
with less assumptions about alignment.
 2004-07-23 09:53:10 +00:00
yamt 540e6d4640 rip6_output: make sure that the mbuf is writable 
before write a checksum into it.
otherwise "ping6 -s50000" causes a panic.

ok'ed by itojun.
 2004-07-22 05:26:46 +00:00
itojun 3f35f96f9a prevent mbuf leak on IPsec tunnel mode. from iij seil team 2004-07-16 01:12:02 +00:00
itojun 8da378abea - update ro_pmtu on IPsec tunnel encapsulation. ro != ro_pmtu is used as the 
sign for the existence of routing header.
- fragment to 1280 on IPv6-over-IPv6 encapsulation, as ICMPv6 too big may not
  give you enough information to update pmtu cache.

from iij seil team, via kame.
 2004-07-14 03:06:08 +00:00
minoura c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...). 
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
 2004-07-06 04:30:27 +00:00
drochner 05da173d52 abstain from typecasting the LHS of an assignment; 
gcc-3.4.x doesn't like it
 2004-06-24 16:49:51 +00:00
itojun b791f5f740 error could be left uninitialized when we jump into "senderr" 2004-06-24 15:01:51 +00:00
itojun 0f18c4c945 multicast data management fix - previous fix was incorrect. jinmei@kame 2004-06-16 03:17:26 +00:00
itojun ec7ac551be insufficient paren in macro def. Patrick Latifi 2004-06-16 02:36:37 +00:00
itojun 2e60f85658 use macro and make it a bit more readable. 2004-06-14 08:07:29 +00:00
itojun 4d7b9596f6 check before joining multicast group. otherwise multiple in6_multi structure 
will be kept.  reported by patrick latifi
 2004-06-14 07:54:45 +00:00
itojun 501233726d implement IPV6_USE_MIN_MTU sockopt. needed by bind9 + EDNS0 + big receive buffer. 2004-06-11 04:10:10 +00:00
itojun 56e182b708 there's no use to check privs on curproc in the input path. jinmei@kame 2004-06-01 03:13:22 +00:00
atatat 4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
itojun 32e4b55076 do not loop on nd6_output() when transmission fails. from kame 2004-05-19 17:45:05 +00:00
jonathan f7abb16323 Fix per-PCB IPsec policy cache for FAST_IPSEC: 
The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of
the KAME per-PCB policy cache) assumes that policy-cacheable PCBs
always has a non-NULL inph_sp in the common PCB header.  So we must
do all the per-PCB policy cache calls when either (KAME) IPSEC, or
FAST_IPSEC is defined.  ``Make it so''.

We can now support non-IPsec'ed IPv6 traffic, when both
``options FAST_IPSEC'' and ``options INET6'' are configured.
 2004-04-26 01:53:59 +00:00
simonb b5d0e6bf06 Initialise (most) pools from a link set instead of explicit calls 
to pool_init.  Untouched pools are ones that either in arch-specific
code, or aren't initialiased during initial system startup.

 Convert struct session, ucred and lockf to pools.
 2004-04-25 16:42:40 +00:00
itojun cb0651e44a correct parameter to in6_cksum. keiichi@kame 2004-04-22 17:58:59 +00:00
matt e50668c7fa Constify protosw arrays. This can reduce the kernel .data section by 
over 4K (if all the network protocols) are loaded.
 2004-04-22 01:01:40 +00:00
itojun 5da9234d88 remove duplicated #include. PR 25234 2004-04-20 17:12:03 +00:00
atatat 83b193a052 Make these compile without INET. tcp_input probably needs a lot more 
work...
 2004-03-29 04:59:02 +00:00
christos d6939c86f1 no need for splsoftnet, because the caller does it already. 2004-03-28 08:28:50 +00:00
christos 03766c2d10 PR/23335: Christos Zoulas: Removing interfaces trashes free memory when 
ipv6 is used because multicast group memberships contain dangling references
to the multicast group deleted.
 2004-03-28 08:28:06 +00:00
itojun e050c8a03d do not touch m->m_pkthdr.rcvif after m becomes invalid. Patrick Latifi 2004-03-26 03:35:02 +00:00
atatat 19af35fd0d Tango on sysctl_createv() and flags. The flags have all been renamed, 
and sysctl_createv() now uses more arguments.
 2004-03-24 15:34:46 +00:00
martti c3f78782b9 Make ip6_getpmtu() globally visible. This is needed by IPFilter 4.x. 2004-03-23 18:21:38 +00:00
itojun 3811eef49d typo 2004-03-23 05:31:54 +00:00
itojun 721292cf12 constify AH algorithm function table. suggested by robert watson 2004-03-10 03:45:04 +00:00
thorpej 2803ff0955 Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup 
when possible.  This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
 2004-03-02 02:28:28 +00:00
thorpej db4fcd885b Augment the PCB cache with a "hint" that can be used to short-circuit 
IPsec processing in other places.  The hint has 3 values: MAYBE, YES,
and NO.  Hints are initialized to MAYBE, and MAYBE is always used for
unconnected sockets (since the spidx may change for every packet
that is output).  For connected sockets, NONE and BYPASS policies cause
the hint to be set to NO, and all other policies to YES.

Also shuffle the PCB cache data structure, turning 3 arrays into a
single array of a struct.
 2004-03-02 02:17:38 +00:00
itojun 581091043b knf 2004-03-01 22:32:35 +00:00
wiz f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun aaa4bd9a6c avoid out-of-bound memory access if len == 128. 
from Ted Unangst via Colin Percival
 2004-02-23 05:01:04 +00:00
wiz d20841bb64 Uppercase CPU, plural is CPUs. 2004-02-13 11:36:08 +00:00
itojun d93f7028c1 we have IFT_BRIDGE already, no need for #ifdef 2004-02-11 20:51:24 +00:00
christos bcdf1b194a We don't have IFT_{PFLOG,PFSYNC} (yet). 2004-02-11 17:36:33 +00:00
itojun abd93ec67b minor KNF 2004-02-11 10:54:29 +00:00
itojun 5d3b18b4a4 KNF 2004-02-11 10:47:28 +00:00
itojun 57cbd26e09 missing bzero 2004-02-11 10:42:24 +00:00
itojun 6c8714a95e avoid ugly typecast 2004-02-11 10:37:33 +00:00
itojun e2d302c40d reduce useless variables 2004-02-10 20:57:20 +00:00
itojun c5cb8d59c0 remove unneeded #ifdef 2004-02-06 08:07:55 +00:00
tron d23ecc0dca Remove outdated prototype for ip6_getpmtu(). The function has a different 
signature now and is statically declared in "ip6_output.c".
 2004-02-04 10:31:27 +00:00
itojun 70e51fdcf0 strictly follow RFC2460 section 5 last paragraph 
(sending rule when PMTU < 1280).  pointed out by guninski at guninski.com
 2004-02-04 05:17:28 +00:00
darrenr 5915fd3874 make ip6_getpmtu() externally visible 2004-01-24 13:02:41 +00:00
itojun 092e41da38 do not lookup security policy if IPV6_FORWARDING. 
avoids possible infinite ipsec encapsulation on
        ip6_input -> ip6_forward -(tunnel mode)-> ip6_output
case.  from kame
 2004-01-19 05:14:58 +00:00
itojun cdaa27b23a when ipsec tunnel mode is applied, we are originating packet (instead of 
forwarding).  go to ip6_output() path for fragmentation and other processing.
from kame
 2004-01-16 05:12:08 +00:00
itojun 8dcc7f31aa typo. 
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
 2004-01-13 23:02:00 +00:00
itojun 1101ef17d0 plug memory leak on failure. 
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
 2004-01-13 23:01:08 +00:00
itojun 3ffdb9507a avoid deref-after-free. 
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
 2004-01-13 06:17:14 +00:00
wiz d46bc94200 Niels Provos kindly agreed to drop clauses 3 and 4 from the 
license -- thanks.
Based on OpenBSD commit and hints by itojun.
 2003-12-26 19:04:55 +00:00
lha 2b1cb68e2f Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl. 
Makes ndp -r/ndp -p work again, patch from atatat
 2003-12-17 18:49:38 +00:00
itojun d8ac1c6007 fix cases where pktinfo specifies outgoing interface of "0". 2003-12-10 22:35:35 +00:00
itojun aa8a6718f0 use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL 
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces.  from kame
 2003-12-10 11:46:33 +00:00
itojun 561720b19b validate set/getsockopt arg more strictly. with previous code privileged 
user can cause kernel crash.
 2003-12-10 09:28:38 +00:00
itojun c81f32fe6c comment from niels provos; 
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
  the repetition period to 30000)
 2003-12-10 05:22:18 +00:00
atatat 13f8d2ce5f Dynamic sysctl. 
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
 2003-12-04 19:38:21 +00:00
keihan b8702f530b netbsd.org -> NetBSD.org 
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean".  Thanks for the patiance, and sorry for all the commits.
 2003-12-04 13:57:30 +00:00
itojun 0864b4939d "seed2" was ruining non-repeating property, so remove it. discussed on tech-net 2003-11-25 18:13:55 +00:00
jonathan 995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm, 
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
 2003-11-17 21:34:27 +00:00
itojun 3107b5dcc0 implement net.inet6.ifq 2003-11-12 15:25:19 +00:00
itojun ae3e6f6041 correct behavior when ipv6mr_interface is 0. Matthias Drochner 2003-11-06 06:10:51 +00:00
itojun 60dac07656 use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90 2003-11-05 01:20:56 +00:00
briggs 07a0e27c44 Revert the change in default value of ipv6_v6only. Further discussion 
on this topic is required.  It should be reintroduced and pursued in
the IETF.
 2003-11-03 15:12:06 +00:00
simonb a2facef339 Remove some assigned-to but otherwise unused variables. 2003-10-30 01:43:08 +00:00
mycroft 2dde0746b6 Do a jump optimization that eliminates some uninitialized variable warnings. 2003-10-29 10:12:43 +00:00
briggs 5a770ba2d8 Toggle the default value of ip6_v6only. Also provide a sample sysctl to 
retain the existing behavior.
 2003-10-28 06:31:28 +00:00
christos 59f2aab1ed fix uninitialized variables 2003-10-25 08:26:14 +00:00
itojun ba71e93c60 backout previous (ENETREST special handlng) 2003-10-15 22:55:34 +00:00
itojun 90d92fe2d9 ignore ENETRESET on ADDMULTI 2003-10-15 22:16:35 +00:00
itojun 018cb094b4 ignore ENETRESET on ADDMULTI. 2003-10-15 22:15:25 +00:00
itojun a8d71f892f define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame 2003-10-15 01:28:28 +00:00
itojun 40e6b63c60 fix endian bug in fragment header scanning. 2003-10-14 05:33:04 +00:00
itojun b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun 98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun 96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun 140276fde1 shouldn't check scope match when encapsulating packet into tunnel mode. 
iij seil team
 2003-10-03 04:30:31 +00:00
itojun d451ef2606 do not deref state.ro if it is NULL 2003-10-02 19:32:41 +00:00
itojun d83af104d4 correctly look at outer IPv6 header when forwarding packet into ipsec tunnel. 
iij seil team
 2003-10-02 12:13:44 +00:00
itojun 364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local) 
iij seil team
 2003-10-02 10:01:11 +00:00
itojun 8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seli team 2003-10-02 07:19:37 +00:00
christos 36b4e0b6e7 Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD 2003-09-30 00:01:18 +00:00
mycroft ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing 
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
 2003-09-28 04:45:14 +00:00
wiz cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun cd71ebe2f7 mark security policy that should persist in the system "persistent". 
this should prevent recently-reported kernel panic when "spdflush" is issued.
 2003-09-22 04:47:43 +00:00
itojun 7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun ca549eaf98 exp is a reserved name under posix 2003-09-16 00:31:23 +00:00
itojun 94da0d16ac avoid overflow during multiply. David Laight 2003-09-15 23:38:20 +00:00
itojun 71c96a2bb4 correct ru_a/ru_b setup for 20bit case 2003-09-13 21:32:59 +00:00
itojun 8ee5969c3b change confusing filename 2003-09-12 11:21:36 +00:00
itojun 9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun 6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun 5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun 494fe70198 lint 2003-09-09 11:39:14 +00:00
itojun 800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet) 
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
 2003-09-07 15:59:36 +00:00
itojun bfa3dccfd7 prototype should have no variable name 2003-09-07 15:50:43 +00:00
itojun 5c9706bb41 correct seed generation. sync w/ kame 2003-09-06 13:47:09 +00:00
itojun 37c3c44062 fix comment, from kame 2003-09-06 13:30:40 +00:00
itojun 680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00
itojun b0b5b07f8a fix msb handling. from kame 2003-09-06 03:55:35 +00:00
itojun 32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability 
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
 2003-09-06 03:36:30 +00:00
itojun 175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun a245b3dc6d u_short -> u_int16_t. sync w/ kame. 
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
 2003-09-05 23:20:48 +00:00
itojun 95b95dbc37 call tcp_drain() if IPv4-less kernel 2003-09-05 01:35:08 +00:00
itojun 495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other. 
in6pcb lookup now uses hash(9).
 2003-09-04 09:16:57 +00:00
itojun 19d8b9bfea don't use m_cat to mbuf of different types. KAME-PR-495 2003-09-04 03:07:33 +00:00
itojun 725b73043b simplify rijndael.c API - always schedule encrypt/decrypt key. 
reviewed by thorpej
 2003-08-27 14:23:25 +00:00
itojun fb5acbcfc6 rijndael encryption context/scheduled key is assymmetric; need to setup two 
(one for encryption, one for decryption)
 2003-08-27 02:42:09 +00:00
thorpej 7b613a568e Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt() 
directly.  Reviewed by itojun.
 2003-08-27 00:08:31 +00:00
thorpej 6de9ce0437 Move the opencrypto CAST-128 implementation to crypto/cast128, removing 
the old one.  Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
 2003-08-26 16:37:36 +00:00
thorpej 2957d8dce6 Use the simplified rijndael API (which this was essentially a duplicate 
of).  XXX This file can now be merged into esp_core.c.
 2003-08-26 15:18:27 +00:00
itojun 356aebd768 g/c unused member. use in6p_ip6 more effectively. 2003-08-25 00:14:30 +00:00
itojun 9569786c95 deref member in in6p directly, don't rely on existence of macro 2003-08-25 00:11:52 +00:00
itojun ff512e5035 don't commit value into ip6_ptkopts until the validation is done. 
(note: the code will be updated with 2292bis definition soon, hopefully)
 2003-08-25 00:10:27 +00:00
itojun 4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun cabb25918f no need for opt_ipsec.h any longer 2003-08-22 22:05:11 +00:00
itojun 11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun 82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *. 
this fixes KAME policy lookup which was broken by the previous commit.
 2003-08-22 21:53:01 +00:00
itojun 9329caaf20 typo in log message 2003-08-22 21:50:42 +00:00
jonathan e3ec783e41 (Accidentally-omitted change): update for ip6_output() to match commit below. 
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:49:03 +00:00
jonathan 9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket* 
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
 2003-08-22 20:29:00 +00:00
jonathan 902669955f Replace the set_socket() method of passing an extra struct socket* 
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
 2003-08-22 20:20:09 +00:00
itojun 52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
jonathan 28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if 
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
 2003-08-15 03:42:00 +00:00
itojun fd3f06dabb enforce ipsec policy on raw wildcard. 2003-08-14 07:57:40 +00:00
itojun 4d754cb259 in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped 
address.  PR kern/22431 from Andreas Gustafsson
 2003-08-13 04:59:34 +00:00
agc aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence. 
Patches provided by Joel Baker in PR 22364, verified by myself.
 2003-08-07 16:26:28 +00:00
itojun da53b9c28e make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame 2003-08-07 08:52:32 +00:00
itojun 256877974a m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen 
before m_cat call.  from Julian Coleman via kame.
 2003-08-06 14:47:32 +00:00
itojun 3236f238b3 increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512 2003-08-05 12:20:35 +00:00
itojun d6c4b6beb6 minor KNF 2003-07-25 10:17:36 +00:00
itojun 969d6f5037 typo 2003-07-25 10:16:28 +00:00
itojun 1270423572 add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH), 
AES counter mode (ESP)
 2003-07-25 10:00:49 +00:00
itojun 4fc37746bf AES XCBC MAC (for AH) 
AES counter mode (for ESP)
 2003-07-25 09:48:17 +00:00
itojun ee7d78825a comment typo, from markus@openbsd 2003-07-23 00:27:25 +00:00
itojun c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
itojun 0d84200c22 clear scheduled key before freeing, for safety 2003-07-22 08:54:27 +00:00
itojun 77283a8429 sha2 is needed for AH, not ESP 2003-07-22 03:26:16 +00:00
itojun d64e1c8d6a add hmac-sha2 support. various cleanups (like avoid hardcoding '16'). 
from kame
 2003-07-22 03:24:23 +00:00
itojun 409ba7efc4 cosmetic 2003-07-22 03:21:21 +00:00
itojun 0445f65670 avoid assuming result buffer size in AH logic. sync w/kame 2003-07-20 18:01:41 +00:00
itojun 92a1800c4d due to previous type change, sav->schedlen never go negative. sync w/kame 2003-07-20 17:17:20 +00:00
itojun d1931d3717 change ESP xx_schedlen() return type to size_t. sync w/kame 2003-07-20 03:24:03 +00:00
itojun 74182febed remove #if 0 portion 2003-07-18 06:45:33 +00:00
kleink 43694e8d74 assymetric -> asymmetric 2003-07-15 17:37:00 +00:00
itojun 7b74887942 rijndael is assymmetric, correction from markus@openbsd 2003-07-15 15:25:13 +00:00
itojun 281d9d13a5 simplify and update rijndael code. markus@openbsd 2003-07-15 11:00:36 +00:00
itojun 8e90cd9ce4 KNF 2003-07-12 15:16:50 +00:00
itojun 3eaa5b9c93 no longer needed (#define _KERNEL) 2003-07-12 15:12:45 +00:00
itojun 7649b12429 remove obsolete comment on the use of m_pullup 2003-07-09 04:05:59 +00:00
itojun 0463e41004 on interface detach, clear multicast forwarding table. from kame 2003-07-08 10:20:45 +00:00
itojun 91b11e1eba prototype must not have variable name 2003-07-08 07:13:50 +00:00
itojun fc401b7586 fix missing check for taillen against pkthdr.len. markus@openbsd 2003-07-04 00:49:18 +00:00
itojun 022df20c75 minor KNF 2003-07-03 05:03:53 +00:00
itojun d8976f36ac typo. found by markus@openbsd 2003-07-02 13:55:13 +00:00
itojun 2317e81b85 avoid ICMPv6 redirect if the packet filter rewrite dst addr to an address 
on the incoming interface.  cedric@openbsd
 2003-06-30 08:00:59 +00:00
itojun 842d3bee32 KNF 2003-06-30 03:30:50 +00:00
fvdl d5aece61d6 Back out the lwp/ktrace changes. They contained a lot of colateral damage, 
and need to be examined and discussed more.
 2003-06-29 22:28:00 +00:00
darrenr 960df3c8d1 Pass lwp pointers throughtout the kernel, as required, so that the lwpid can 
be inserted into ktrace records.  The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V
 2003-06-28 14:20:43 +00:00
itojun 2cadb8ca7a split ND6 cache timer management to per-entry. increased accuracy, 
no O(N) loop.   sync w/ kame
 2003-06-27 08:41:08 +00:00
itojun 6d4a3c4191 remove unneeded checks of accept_rtadv. from kame 2003-06-24 07:54:47 +00:00
itojun adb5d5afb4 * kame/sys/netinet6/nd6.c (nd6_rtrequest): changed a condition to 
decide whether to create an empty llinfo stricter so that a user
can manually change the link-layer address of an existing neighbor
cache.
Pointed out by: KIU Shueng Chuan

from kame
 2003-06-24 07:49:03 +00:00