c5cb8d59c0
remove unneeded #ifdef
2004-02-06 08:07:55 +00:00
d23ecc0dca
Remove outdated prototype for ip6_getpmtu(). The function has a different
...
signature now and is statically declared in "ip6_output.c".
2004-02-04 10:31:27 +00:00
70e51fdcf0
strictly follow RFC2460 section 5 last paragraph
...
(sending rule when PMTU < 1280). pointed out by guninski at guninski.com
2004-02-04 05:17:28 +00:00
5915fd3874
make ip6_getpmtu() externally visible
2004-01-24 13:02:41 +00:00
092e41da38
do not lookup security policy if IPV6_FORWARDING.
...
avoids possible infinite ipsec encapsulation on
ip6_input -> ip6_forward -(tunnel mode)-> ip6_output
case. from kame
2004-01-19 05:14:58 +00:00
cdaa27b23a
when ipsec tunnel mode is applied, we are originating packet (instead of
...
forwarding). go to ip6_output() path for fragmentation and other processing.
from kame
2004-01-16 05:12:08 +00:00
8dcc7f31aa
typo.
...
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
2004-01-13 23:02:00 +00:00
1101ef17d0
plug memory leak on failure.
...
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
2004-01-13 23:01:08 +00:00
3ffdb9507a
avoid deref-after-free.
...
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
2004-01-13 06:17:14 +00:00
d46bc94200
Niels Provos kindly agreed to drop clauses 3 and 4 from the
...
license -- thanks.
Based on OpenBSD commit and hints by itojun.
2003-12-26 19:04:55 +00:00
2b1cb68e2f
Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl.
...
Makes ndp -r/ndp -p work again, patch from atatat
2003-12-17 18:49:38 +00:00
d8ac1c6007
fix cases where pktinfo specifies outgoing interface of "0".
2003-12-10 22:35:35 +00:00
aa8a6718f0
use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL
...
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces. from kame
2003-12-10 11:46:33 +00:00
561720b19b
validate set/getsockopt arg more strictly. with previous code privileged
...
user can cause kernel crash.
2003-12-10 09:28:38 +00:00
c81f32fe6c
comment from niels provos;
...
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
the repetition period to 30000)
2003-12-10 05:22:18 +00:00
13f8d2ce5f
Dynamic sysctl.
...
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
b8702f530b
netbsd.org -> NetBSD.org
...
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean". Thanks for the patiance, and sorry for all the commits.
2003-12-04 13:57:30 +00:00
0864b4939d
"seed2" was ruining non-repeating property, so remove it. discussed on tech-net
2003-11-25 18:13:55 +00:00
995c532c33
Revert the (default) ip_id algorithm to the pre-randomid algorithm,
...
due to demonstrated low-period repeated IDs from the randomized IP_id
code. Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.
Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be provided.
This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
3107b5dcc0
implement net.inet6.ifq
2003-11-12 15:25:19 +00:00
ae3e6f6041
correct behavior when ipv6mr_interface is 0. Matthias Drochner
2003-11-06 06:10:51 +00:00
60dac07656
use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90
2003-11-05 01:20:56 +00:00
07a0e27c44
Revert the change in default value of ipv6_v6only. Further discussion
...
on this topic is required. It should be reintroduced and pursued in
the IETF.
2003-11-03 15:12:06 +00:00
a2facef339
Remove some assigned-to but otherwise unused variables.
2003-10-30 01:43:08 +00:00
2dde0746b6
Do a jump optimization that eliminates some uninitialized variable warnings.
2003-10-29 10:12:43 +00:00
5a770ba2d8
Toggle the default value of ip6_v6only. Also provide a sample sysctl to
...
retain the existing behavior.
2003-10-28 06:31:28 +00:00
59f2aab1ed
fix uninitialized variables
2003-10-25 08:26:14 +00:00
ba71e93c60
backout previous (ENETREST special handlng)
2003-10-15 22:55:34 +00:00
90d92fe2d9
ignore ENETRESET on ADDMULTI
2003-10-15 22:16:35 +00:00
018cb094b4
ignore ENETRESET on ADDMULTI.
2003-10-15 22:15:25 +00:00
a8d71f892f
define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame
2003-10-15 01:28:28 +00:00
40e6b63c60
fix endian bug in fragment header scanning.
2003-10-14 05:33:04 +00:00
b5b2092bce
no need to clear mbuf flags here; sync w/kame
2003-10-03 22:08:26 +00:00
98d5598feb
when dropping M_PKTHDR, need to free m_tag associated with it.
2003-10-03 20:56:11 +00:00
96fda496da
use in6_{embed,recover}scope for scoped address manipulation
2003-10-03 08:46:15 +00:00
140276fde1
shouldn't check scope match when encapsulating packet into tunnel mode.
...
iij seil team
2003-10-03 04:30:31 +00:00
d451ef2606
do not deref state.ro if it is NULL
2003-10-02 19:32:41 +00:00
d83af104d4
correctly look at outer IPv6 header when forwarding packet into ipsec tunnel.
...
iij seil team
2003-10-02 12:13:44 +00:00
364f2d9e12
permit tunnel mode over link-local address. (outer header is link-local)
...
iij seil team
2003-10-02 10:01:11 +00:00
8184c3658f
handle link-local address in ipsec6_tunnel_validate(). from iij seli team
2003-10-02 07:19:37 +00:00
36b4e0b6e7
Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD
2003-09-30 00:01:18 +00:00
ca96c7c4ec
Remove some code that breaks AH tunnels completely. The comment describing
...
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.
NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
cff5e477ad
Process has only one c. From miod@openbsd.
2003-09-26 22:23:58 +00:00
cd71ebe2f7
mark security policy that should persist in the system "persistent".
...
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
7fda10aea9
separate netkey/key* and netipsec/key*
2003-09-20 05:14:41 +00:00
ca549eaf98
exp is a reserved name under posix
2003-09-16 00:31:23 +00:00
94da0d16ac
avoid overflow during multiply. David Laight
2003-09-15 23:38:20 +00:00
71c96a2bb4
correct ru_a/ru_b setup for 20bit case
2003-09-13 21:32:59 +00:00
8ee5969c3b
change confusing filename
2003-09-12 11:21:36 +00:00
9f2c0659cd
remove extra blank line
2003-09-12 07:58:25 +00:00
a84539ea9e
make synchronization w/ PF tag support code easier
2003-09-12 07:53:29 +00:00
6371ddf557
make it possible to SADB_DUMP via sysctl. request by mrg
2003-09-12 07:38:10 +00:00
5125995b51
record socket * associated with secpolicy
2003-09-10 22:29:27 +00:00
494fe70198
lint
2003-09-09 11:39:14 +00:00
800fe5d178
- prepare for RFC2401bis 64bit sequence number (no behavior change yet)
...
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c. key.c is responsible for refcounting secasvar,
keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
bfa3dccfd7
prototype should have no variable name
2003-09-07 15:50:43 +00:00
5c9706bb41
correct seed generation. sync w/ kame
2003-09-06 13:47:09 +00:00
37c3c44062
fix comment, from kame
2003-09-06 13:30:40 +00:00
680540f194
committed by mistake, sorry
2003-09-06 04:20:57 +00:00
bce24b4a3e
correct comment
2003-09-06 04:13:50 +00:00
b0b5b07f8a
fix msb handling. from kame
2003-09-06 03:55:35 +00:00
32e3deae21
randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
...
of these fields. ip_id.c is from openbsd. ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
175c9afa3f
clarify flowlabel handling
2003-09-06 03:12:51 +00:00
a245b3dc6d
u_short -> u_int16_t. sync w/ kame.
...
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
2003-09-05 23:20:48 +00:00
95b95dbc37
call tcp_drain() if IPv4-less kernel
2003-09-05 01:35:08 +00:00
495906ca8e
revamp inpcb/in6pcb so that they are more aligned with each other.
...
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
19d8b9bfea
don't use m_cat to mbuf of different types. KAME-PR-495
2003-09-04 03:07:33 +00:00
725b73043b
simplify rijndael.c API - always schedule encrypt/decrypt key.
...
reviewed by thorpej
2003-08-27 14:23:25 +00:00
fb5acbcfc6
rijndael encryption context/scheduled key is assymmetric; need to setup two
...
(one for encryption, one for decryption)
2003-08-27 02:42:09 +00:00
7b613a568e
Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt()
...
directly. Reviewed by itojun.
2003-08-27 00:08:31 +00:00
6de9ce0437
Move the opencrypto CAST-128 implementation to crypto/cast128, removing
...
the old one. Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
2957d8dce6
Use the simplified rijndael API (which this was essentially a duplicate
...
of). XXX This file can now be merged into esp_core.c.
2003-08-26 15:18:27 +00:00
356aebd768
g/c unused member. use in6p_ip6 more effectively.
2003-08-25 00:14:30 +00:00
9569786c95
deref member in in6p directly, don't rely on existence of macro
2003-08-25 00:11:52 +00:00
ff512e5035
don't commit value into ip6_ptkopts until the validation is done.
...
(note: the code will be updated with 2292bis definition soon, hopefully)
2003-08-25 00:10:27 +00:00
4e6aca94c2
correct missing inclusion of opt_ipsec.h
2003-08-22 22:11:44 +00:00
cabb25918f
no need for opt_ipsec.h any longer
2003-08-22 22:05:11 +00:00
11ede1ed88
remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output.
2003-08-22 22:00:36 +00:00
82eb4ce914
change the additional arg to be passed to ip{,6}_output to struct socket *.
...
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
9329caaf20
typo in log message
2003-08-22 21:50:42 +00:00
e3ec783e41
(Accidentally-omitted change): update for ip6_output() to match commit below.
...
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:49:03 +00:00
9339ef0381
Change KAME code for ip_output()/ip6_output() to obtain struct socket*
...
from the explicit inpcb*/in6pcb* argument. set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
902669955f
Replace the set_socket() method of passing an extra struct socket*
...
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)
In preparation for fast-ipsec. Reviewed by itojun.
2003-08-22 20:20:09 +00:00
52f8075c5a
allow userland to specify SPD ID. more readable debugging messages.
2003-08-22 06:22:21 +00:00
28b5f5dfab
(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
...
configured with ``options FAST_IPSEC''. Kernels with KAME IPsec or
with no IPsec should work as before.
All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.
Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
fd3f06dabb
enforce ipsec policy on raw wildcard.
2003-08-14 07:57:40 +00:00
4d754cb259
in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped
...
address. PR kern/22431 from Andreas Gustafsson
2003-08-13 04:59:34 +00:00
aad01611e7
Move UCB-licensed code from 4-clause to 3-clause licence.
...
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
da53b9c28e
make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame
2003-08-07 08:52:32 +00:00
256877974a
m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen
...
before m_cat call. from Julian Coleman via kame.
2003-08-06 14:47:32 +00:00
3236f238b3
increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512
2003-08-05 12:20:35 +00:00
d6c4b6beb6
minor KNF
2003-07-25 10:17:36 +00:00
969d6f5037
typo
2003-07-25 10:16:28 +00:00
1270423572
add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH),
...
AES counter mode (ESP)
2003-07-25 10:00:49 +00:00
4fc37746bf
AES XCBC MAC (for AH)
...
AES counter mode (for ESP)
2003-07-25 09:48:17 +00:00
ee7d78825a
comment typo, from markus@openbsd
2003-07-23 00:27:25 +00:00
c8ebadb000
unifdef -U_IP_VHL
2003-07-22 11:18:24 +00:00
0d84200c22
clear scheduled key before freeing, for safety
2003-07-22 08:54:27 +00:00
77283a8429
sha2 is needed for AH, not ESP
2003-07-22 03:26:16 +00:00
d64e1c8d6a
add hmac-sha2 support. various cleanups (like avoid hardcoding '16').
...
from kame
2003-07-22 03:24:23 +00:00
409ba7efc4
cosmetic
2003-07-22 03:21:21 +00:00
0445f65670
avoid assuming result buffer size in AH logic. sync w/kame
2003-07-20 18:01:41 +00:00
92a1800c4d
due to previous type change, sav->schedlen never go negative. sync w/kame
2003-07-20 17:17:20 +00:00
d1931d3717
change ESP xx_schedlen() return type to size_t. sync w/kame
2003-07-20 03:24:03 +00:00
74182febed
remove #if 0 portion
2003-07-18 06:45:33 +00:00
43694e8d74
assymetric -> asymmetric
2003-07-15 17:37:00 +00:00
7b74887942
rijndael is assymmetric, correction from markus@openbsd
2003-07-15 15:25:13 +00:00
281d9d13a5
simplify and update rijndael code. markus@openbsd
2003-07-15 11:00:36 +00:00
8e90cd9ce4
KNF
2003-07-12 15:16:50 +00:00
3eaa5b9c93
no longer needed (#define _KERNEL)
2003-07-12 15:12:45 +00:00
7649b12429
remove obsolete comment on the use of m_pullup
2003-07-09 04:05:59 +00:00
0463e41004
on interface detach, clear multicast forwarding table. from kame
2003-07-08 10:20:45 +00:00
91b11e1eba
prototype must not have variable name
2003-07-08 07:13:50 +00:00
fc401b7586
fix missing check for taillen against pkthdr.len. markus@openbsd
2003-07-04 00:49:18 +00:00
022df20c75
minor KNF
2003-07-03 05:03:53 +00:00
d8976f36ac
typo. found by markus@openbsd
2003-07-02 13:55:13 +00:00
2317e81b85
avoid ICMPv6 redirect if the packet filter rewrite dst addr to an address
...
on the incoming interface. cedric@openbsd
2003-06-30 08:00:59 +00:00
842d3bee32
KNF
2003-06-30 03:30:50 +00:00
d5aece61d6
Back out the lwp/ktrace changes. They contained a lot of colateral damage,
...
and need to be examined and discussed more.
2003-06-29 22:28:00 +00:00
960df3c8d1
Pass lwp pointers throughtout the kernel, as required, so that the lwpid can
...
be inserted into ktrace records. The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.
Bump the kernel rev up to 1.6V
2003-06-28 14:20:43 +00:00
2cadb8ca7a
split ND6 cache timer management to per-entry. increased accuracy,
...
no O(N) loop. sync w/ kame
2003-06-27 08:41:08 +00:00
6d4a3c4191
remove unneeded checks of accept_rtadv. from kame
2003-06-24 07:54:47 +00:00
adb5d5afb4
* kame/sys/netinet6/nd6.c (nd6_rtrequest): changed a condition to
...
decide whether to create an empty llinfo stricter so that a user
can manually change the link-layer address of an existing neighbor
cache.
Pointed out by: KIU Shueng Chuan
from kame
2003-06-24 07:49:03 +00:00
455b7679d4
typo
2003-06-24 07:43:44 +00:00
194f048bd9
use time.tv_sec directly
2003-06-24 07:39:24 +00:00
5b0c3f9506
clear ln_hold earlier. from kame
2003-06-24 07:32:03 +00:00
d505b18964
Make sure to include opt_foo.h if a defflag option FOO is used.
2003-06-23 11:00:59 +00:00
7a5741651c
- sync up MLD declaration with RFC3542 (s/MLD6/MLD/)
...
- routing header declaration with RFC3542
(note: sizeof(ip6_rthdr0) has changed!)
also, sync up with RFC2460 routing header definition (no "strict" source
routing mode any more)
part of advanced API update (RFC2292 -> 3542).
2003-06-06 08:13:43 +00:00
a07ae6a9df
don't try to forward multicast packet to mif that went away; kame
2003-06-06 06:52:29 +00:00
5c0f142820
remove assumption on redirect header option processing. from kame
2003-06-03 05:20:06 +00:00
f46a719b5c
can't use M_WAIT here, i believe.
2003-05-27 22:36:38 +00:00
63715bec6b
backout previous. (sys/net/if.c fixed)
2003-05-16 16:57:35 +00:00
d36e610a01
nd6_rtmsg: If called during if_detach(), TAILQ_FIRST(if_addrlist)
...
could be NULL. This is not a common case, but as nd6_rtmsg()
will be called during if_detach(), we need to check for the
case. reported by kanaoka-san.
2003-05-16 16:19:45 +00:00
4008ec1218
use strlcpy
2003-05-16 03:56:49 +00:00
4d9a92e2a2
remove duplicate. masanori kanaoka
2003-05-16 02:53:28 +00:00
9cf18f13b5
rt->rt_ifp may not always be available. masanori kanaoka via kame
2003-05-15 14:57:58 +00:00
a5d8a0a4f6
check version before computing checksum. checksum is more expensive operation.
2003-05-15 13:46:15 +00:00
19b1e87da3
KNF
2003-05-14 17:02:59 +00:00
6e0f23e7f6
KNF
2003-05-14 17:00:22 +00:00
f77518e2f5
KNF
2003-05-14 14:41:33 +00:00
5eaf3c3113
do not use m_pulldown() to parse intermediate extension headers (like routing).
...
we don't want to drop packets due to extension header parsing. KAME rev 1.59.
(performance may suck, but it is slowpath anyways)
2003-05-14 14:34:14 +00:00
de87ca793d
constant usually has two n.
2003-05-14 12:45:06 +00:00
346e0198f0
always use PULLDOWN_TEST codepath.
2003-05-14 06:47:33 +00:00
9787457fbe
bring a small amount of code out of an if() statement that was doing
...
the same thing for both cases.
2003-05-10 13:23:07 +00:00
874e6573c4
fix invalid pointer setting on RA reception. from kiu shueng chuan via kame
2003-05-08 20:08:52 +00:00
a617975d48
print how big the mtu needs to be for ipv6 ppp.
2003-05-04 13:43:09 +00:00
4be7a2dcf3
Add a new feature-test macro, _NETBSD_SOURCE. If this is defined
...
by the application, all NetBSD interfaces are made visible, even
if some other feature-test macro (like _POSIX_C_SOURCE) is defined.
<sys/featuretest.h> defined _NETBSD_SOURCE if none of _ANSI_SOURCE,
_POSIX_C_SOURCE and _XOPEN_SOURCE is defined, so as to preserve
existing behaviour.
This has two major advantages:
+ Programs that require non-POSIX facilities but define _POSIX_C_SOURCE
can trivially be overruled by putting -D_NETBSD_SOURCE in their CFLAGS.
+ It makes most of the #ifs simpler, in that they're all now ORs of the
various macros, rather than having checks for (!defined(_ANSI_SOURCE) ||
!defined(_POSIX_C_SOURCE) || !defined(_XOPEN_SOURCE)) all over the place.
I've tried not to change the semantics of the headers in any case where
_NETBSD_SOURCE wasn't defined, but there were some places where the
current semantics were clearly mad, and retaining them was harder than
correcting them. In particular, I've mostly normalised things so that
_ANSI_SOURCE gets you the smallest set of stuff, then _POSIX_C_SOURCE,
_XOPEN_SOURCE and _NETBSD_SOURCE in that order.
Tested by building for vax, encouraged by thorpej, and uncontested in
tech-userlevel for a week.
2003-04-28 23:16:11 +00:00
b2fcce1997
style
2003-04-22 10:08:33 +00:00
ee5b1a7c61
Protect the definition of offsetof().
2003-04-17 19:58:57 +00:00
a81c2be8be
avoid mbuf leak in redirect header option attachment. more complete
...
fix to come. from kame
2003-03-31 23:55:46 +00:00
itojun