mlelstv
be6f2a4b87
Ignore freed rtcache entries.
2008-07-01 20:18:45 +00:00
degroote
ba4ebf7e6b
Kill caddr_t introduced in the previous revision
...
Fix build with FAST_IPSEC
2008-06-27 17:28:24 +00:00
mlelstv
fa014c6383
Verify icmp type and code in IPSEC rules.
...
Fixes PR kern/39018
2008-06-27 05:18:58 +00:00
thorpej
b129a80c20
Simplify the interface to netstat_sysctl() and allocate space for
...
the collated counters using kmem_alloc().
PR kern/38577
2008-05-04 07:22:14 +00:00
degroote
b6a04a1973
In key_do_allocsa_policy, fix a bad usage of key_setsadbmsg. The third argument
...
is an SADB_SATYPE_*, not an IPPROTO_* .
Fix PR/38405. Thanks for the report
2008-05-03 21:53:23 +00:00
martin
ce099b4099
Remove clause 3 and 4 from TNF licenses
2008-04-28 20:22:51 +00:00
degroote
bb588cd930
Fix a stupid typo. In ipsec6_process_packet, reinject the packet in AF_INET6,
...
nor in AF_INET.
2008-04-28 17:40:11 +00:00
degroote
e7dc156f58
Fix some fallout from socket locking patch :
...
- {ah6,esp6}_ctlinput must return void*
- use correct wrapper for rip_usrreq
2008-04-27 12:58:48 +00:00
ad
15e29e981b
Merge the socket locking patch:
...
- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.
With much feedback from matt@ and plunky@.
2008-04-24 11:38:36 +00:00
thorpej
02f63fe1bf
PF_KEY stats for IPSEC and FAST_IPSEC are now per-CPU.
2008-04-23 07:29:47 +00:00
thorpej
caf49ea572
Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
...
netstat_sysctl().
2008-04-23 06:09:04 +00:00
thorpej
680fd6866d
Make ip6 and icmp6 stats per-cpu.
2008-04-15 04:43:53 +00:00
thorpej
3f466bce48
Change IPv6 stats from a structure to an array of uint64_t's.
...
Note: This is ABI-compatible with the old ip6stat structure; old netstat
binaries will continue to work properly.
2008-04-08 23:37:43 +00:00
degroote
f3f9c5b3a1
Fix build of FAST_IPSEC after the change of ip_newid prototype
2008-02-10 21:42:20 +00:00
tls
e5bd2a127e
Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto"
...
(actually splnet) and condvars instead of tsleep/wakeup. Fix a few
miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some
point after this code came from FreeBSD -- it made it impossible to wait
properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct.
Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before
the kthread had a chance to dequeue it and call its callback -- this was
letting requests stick on the queues before even though done and copied
out.
Callers of crypto_newsession() or crypto_freesession() must now take the
mutex. Change netipsec to do so. Dispatch takes the mutex itself as
needed.
This was tested fairly extensively with the cryptosoft backend and lightly
with a new hardware driver. It has not been tested with FAST_IPSEC; I am
unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG , ad@NetBSD.ORG , and darran@snark.us pointed me in the
right direction several times in the course of this. Remaining bugs
are mine alone.
2008-02-04 00:35:34 +00:00
joerg
3615cf7715
Now that __HAVE_TIMECOUNTER and __HAVE_GENERIC_TODR are invariants,
...
remove the conditionals and the code associated with the undef case.
2008-01-20 18:09:03 +00:00
degroote
55718e804e
Fix the ipsec processing in case of USE rules with no SA installed.
...
In case where there is no more isr to process, just tag the packet and reinject
in the ip{,6} stack.
Fix pr/34843
2007-12-29 16:43:17 +00:00
degroote
bd4ac64c48
Add some statistics for case where compression is not useful
...
(when len(compressed packet) > len(initial packet))
2007-12-29 14:56:35 +00:00
degroote
61e79ba32a
Simplify the FAST_IPSEC output path
...
Only record an IPSEC_OUT_DONE tag when we have finished the processing
In ip{,6}_output, check this tag to know if we have already processed this
packet.
Remove some dead code (IPSEC_PENDING_TDB is not used in NetBSD)
Fix pr/36870
2007-12-29 14:53:24 +00:00
seanb
82a49e7352
- Remove remain <= MHLEN restriction in m_makespace()
...
PR:30124
2007-12-14 20:55:22 +00:00
lukem
9d8f493213
use __KERNEL_RCSID()
2007-12-11 12:40:10 +00:00
degroote
939a0dbd0a
Kill _IP_VHL ifdef (from netinet/ip.h history, it has never been used in NetBSD so ...)
2007-12-09 18:27:39 +00:00
elad
3668e580ae
Use struct initializers. No functional change.
2007-12-07 19:46:18 +00:00
elad
5a24b726ae
Let this code compile.
...
Hi, liamjfoy@. :)
2007-12-07 19:44:38 +00:00
dyoung
5bbde3d775
Use IFNET_FOREACH() and IFADDR_FOREACH().
2007-12-04 10:27:33 +00:00
christos
62edf45793
defflag IPSEC_DEBUG
2007-11-16 21:15:20 +00:00
adrianp
aaf8e048ae
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
...
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@
2007-10-28 15:48:23 +00:00
ad
a2a3828545
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h
2007-10-19 11:59:34 +00:00
degroote
cdb020058a
Fix my previous stupid caddr_t fix.
2007-09-22 23:33:18 +00:00
ad
88ab7da936
Merge some of the less invasive changes from the vmlocking branch:
...
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
degroote
a382db0aa9
Ansify
...
Remove useless extern
bzero -> memset, bcopy -> memcpy
No functionnal changes
2007-07-07 18:38:22 +00:00
degroote
4ddfe916ff
Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
...
No objection on tech-net@
2007-06-27 20:38:32 +00:00
degroote
5f72dadbd4
Always compute the sp index even if we don't have any sp in spd. It will
...
let us to choose the right default policy (based on the adress family
requested).
While here, fix an error message
2007-05-08 14:07:42 +00:00
degroote
8ebbd6c4f6
Increase the refcount for the default ipv6 policy so nobody can reclaim it
2007-05-08 14:03:05 +00:00
degroote
6997fa5f35
Choose the good default policy, depending of the adress family of the
...
desired policy
2007-04-15 14:17:12 +00:00
degroote
20341ba8ef
Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
...
to the sysctl kame interface.
2007-04-11 22:21:41 +00:00
degroote
68c3173bb4
When we construct an answer for SADB_X_SPDGET, don't use an hardcoded 0 for seq but
...
the seq used by the request. It will improve consistency with the answer of SADB_GET
request and helps some applications which relies both on seq and pid.
Reported by Karl Knutsson by pr/36119.
2007-04-11 21:33:40 +00:00
degroote
2a2cd74d79
In spddelete2, if we can't find the sp by this id, return after sending an error message,
...
don't process the following code with the NULL sp.
Spotted by Matthew Grooms on freebsd-net ML
2007-04-11 21:19:35 +00:00
degroote
0c3809d098
Fix a memleak in key_spdget.
...
Problem was reported by Karl Knutsson by pr/36119.
2007-04-09 21:07:03 +00:00
degroote
0138b12722
Honor the ip4_ah_offsetmask bits (clear or not the ip->ip_off field for ah
...
processing).
2007-03-25 22:11:18 +00:00
degroote
46c420f11a
Use ip4_ah_cleartos instead of ah_cleartos for consistency
2007-03-25 22:06:33 +00:00
degroote
40cf3d18fa
Make an exact match when we are looking for a cached sp for an unconnected
...
socket. If we don't make an exact match, we may use a cached rule which
has lower priority than a rule that would otherwise have matched the
packet.
Code submitted by Karl Knutsson in PR/36051
2007-03-25 12:46:42 +00:00
degroote
507fd51bd3
Call key_checkspidup with spi in network bit order in order to make correct
...
comparaison with spi stored into the sadb.
Reported by Karl Knutsson in kern/36038 .
2007-03-21 22:38:34 +00:00
liamjfoy
142de6f17b
Allow to build without INET6
...
Submitted by: Jukka Salmi
2007-03-09 00:40:39 +00:00
liamjfoy
9763fa0590
Add IPv6 Fast Forward:
...
Add call to ip6flow_invalidate_all()
ok christos, matt, dyoung and joerg
2007-03-07 22:21:45 +00:00
degroote
dd86ba7231
Remove useless cast
...
Use NULL instead of (void*) 0
2007-03-04 21:17:54 +00:00
degroote
c252f603d0
Fix fallout from caddr_t changes
2007-03-04 19:54:48 +00:00
christos
53524e44ef
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.
2007-03-04 05:59:00 +00:00
degroote
f76a162cb7
Oops, I forgot to commit some bits last time
...
fast_ipsec and ipcomp works better now.
2007-02-23 19:35:25 +00:00
degroote
9e2b4bf469
Always free the sav, not only in the mature case
2007-02-18 18:58:17 +00:00