8dcc7f31aa
typo.
...
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
2004-01-13 23:02:00 +00:00
1101ef17d0
plug memory leak on failure.
...
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
2004-01-13 23:01:08 +00:00
13f8d2ce5f
Dynamic sysctl.
...
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
995c532c33
Revert the (default) ip_id algorithm to the pre-randomid algorithm,
...
due to demonstrated low-period repeated IDs from the randomized IP_id
code. Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.
Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be provided.
This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
b5b2092bce
no need to clear mbuf flags here; sync w/kame
2003-10-03 22:08:26 +00:00
98d5598feb
when dropping M_PKTHDR, need to free m_tag associated with it.
2003-10-03 20:56:11 +00:00
96fda496da
use in6_{embed,recover}scope for scoped address manipulation
2003-10-03 08:46:15 +00:00
364f2d9e12
permit tunnel mode over link-local address. (outer header is link-local)
...
iij seil team
2003-10-02 10:01:11 +00:00
8184c3658f
handle link-local address in ipsec6_tunnel_validate(). from iij seli team
2003-10-02 07:19:37 +00:00
cd71ebe2f7
mark security policy that should persist in the system "persistent".
...
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
9f2c0659cd
remove extra blank line
2003-09-12 07:58:25 +00:00
a84539ea9e
make synchronization w/ PF tag support code easier
2003-09-12 07:53:29 +00:00
6371ddf557
make it possible to SADB_DUMP via sysctl. request by mrg
2003-09-12 07:38:10 +00:00
5125995b51
record socket * associated with secpolicy
2003-09-10 22:29:27 +00:00
800fe5d178
- prepare for RFC2401bis 64bit sequence number (no behavior change yet)
...
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c. key.c is responsible for refcounting secasvar,
keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
680540f194
committed by mistake, sorry
2003-09-06 04:20:57 +00:00
bce24b4a3e
correct comment
2003-09-06 04:13:50 +00:00
32e3deae21
randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
...
of these fields. ip_id.c is from openbsd. ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
11ede1ed88
remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output.
2003-08-22 22:00:36 +00:00
52f8075c5a
allow userland to specify SPD ID. more readable debugging messages.
2003-08-22 06:22:21 +00:00
c8ebadb000
unifdef -U_IP_VHL
2003-07-22 11:18:24 +00:00
9787457fbe
bring a small amount of code out of an if() statement that was doing
...
the same thing for both cases.
2003-05-10 13:23:07 +00:00
40606ab8f2
switch from kame-based m_aux mbuf auxiliary data, to openbsd m_tag
...
implementation. it will simplify porting across *bsd (such as kame/altq),
and make us more synchronized. from Joel Wilsson
2003-01-17 08:11:49 +00:00
0f09ed48a5
remove trailing \n in panic(). approved perry.
2002-09-27 15:35:29 +00:00
9401012487
KNF - return is not a function. sync w/kame.
2002-09-11 02:46:42 +00:00
6dedde045a
correct signedness mixup in pointer passing. sync w/kame
2002-09-11 02:41:19 +00:00
c00fa8dfd9
avoid swapping endian of ip_len and ip_off on mbuf, to meet with M_LEADINGSPACE
...
optimization made last year. should solve PR 17867 and 10195.
IP_HDRINCL behavior of raw ip socket is kept unchanged. we may want to
provide IP_HDRINCL variant that does not swap endian.
2002-08-14 00:23:27 +00:00
af8ad017f7
typo. From: Arto Selonen <arto@selonen.org>, sync w/kame
2002-08-01 05:17:47 +00:00
e00173a7f2
Spell 'should' correctly.
2002-07-18 11:59:06 +00:00
d7006267f3
reduce kernel stack usage by separating struct secasindex. sync w/kame
...
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-27 12:12:49 +00:00
61f28217c4
move sanity check upwards. sync w/kame
...
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-22 12:27:09 +00:00
cfb9a4a799
avoid listening socket from mistakenly use incorrect cached policy.
...
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp> sync w/kame
2002-06-22 12:04:07 +00:00
69d65da8c6
sizeof mistake in DIAGNOSTIC path. sync w/kame
...
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-21 23:15:35 +00:00
3033187db0
previous commit cached pcb policy too much (when pcb points to
...
SPD entry that is not ipsec - like "none"). back it out. sync w/kame
2002-06-16 16:28:36 +00:00
c1808f02bf
cache pcb policy as much as possible. in fact, if policy is not
...
IPSEC_POLICY_IPSEC we don't need to compare spidx. sync w/kame
2002-06-14 14:47:24 +00:00
813344bfbe
remove redundant line
2002-06-14 14:17:55 +00:00
a8dde3fa57
free secpolicy on deepcopy failure
2002-06-13 05:10:13 +00:00
dc96111483
deep-copy pcb policy if it is an ipsec policy. assign ID field to all
...
SPD entries. make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes). sync w/kame
2002-06-12 17:56:45 +00:00
3489976392
do not copy policy-on-socket at all. avoid copying packet header value to
...
struct spindex. should reduce memory usage per socket/pcb, and should speedup
ipsec processing. sync w/kame
2002-06-12 01:47:34 +00:00
fa53d749ff
share policy-on-pcb for listening socket. sync w/kame
...
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
2533e1f81f
avoid variable name confusion. sync w/kame
2002-06-11 17:26:52 +00:00
b05ff066a7
whitespace cleanup
2002-06-09 14:43:10 +00:00
fc5800e3fd
whitespace cleanup
2002-06-08 20:06:44 +00:00
e3c4951b26
re-enable ipsec policy caching onto pcb. refcnt fix and workarounds based on ymmt-san.
2002-05-25 10:01:01 +00:00
d2fd814987
in sp caching code, check if sp is still alive. sync w/kame
2002-05-19 00:46:40 +00:00
861dfdc294
disable ipsec policy caching on pcb, as it seems that there's some reference-
...
counting mistake that causes panic - see PR 15953 and 13813.
i am unable to find the real cause of problem, so it is a shortterm workaround,
hopefully.
2002-05-10 05:49:21 +00:00
d7669537a8
remove unneeded #ifdef __FreeBSD__ portion.
2002-05-10 05:38:29 +00:00
dc12059c9e
Use M_READONLY() rathern than testing to see if ext_free is set
...
or MCLISREFERENCED().
2002-04-28 00:54:41 +00:00
c23ea6c341
update outgoing ifp, only if tunnel mode ipsec is used. this is to
...
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast. sync with kame
2001-11-21 06:28:08 +00:00
4f2ad95259
add RCSIDs
2001-11-13 00:56:55 +00:00
itojun