Commit Graph

452 Commits

Author SHA1 Message Date
itojun
9f119cbf91 wrap icmp6 checksum error printf() into #ifdef ND6DEBUG.
sync with kame,  NetBSD PR 11911.
2001-01-08 06:12:46 +00:00
itojun
6562709f3a typo fix. PR 11889 2001-01-04 11:48:44 +00:00
thorpej
ad5b855ef0 Back out the sledgehammer damage applied by wiz while I was out for
the holiday.
2000-12-28 21:40:59 +00:00
itojun
8b9fb822b0 do not touch ra_addr if it is NULL. from IIJ SEIL team 2000-12-28 21:23:00 +00:00
wiz
32e20d8993 Back out previous change. It causes NAT to fail, and was CLEARLY
NOT TESTED before it was committed.
2000-12-25 02:00:46 +00:00
thorpej
d0357bdb4f Slight adjustment to how pfil_head's are registered. Instead of a
"key" and a "dlt", use a "type" (PFIL_TYPE_{AF,IFNET} for now) and
a val/ptr appropriate for that type.  This allows for more future
flexibility with the pfil_hook mechanism.
2000-12-22 20:01:17 +00:00
itojun
b05acc70f8 make sure we notify of routing changes, even if we have net route pointed
to by inpcb.
2000-12-21 00:46:20 +00:00
thorpej
d9a9544a2f Add ALTQ glue. XXX Temporary until ALTQ is changed to use a pfil hook. 2000-12-14 17:36:44 +00:00
itojun
1101f217b5 no need to rtalloc1() twice in pmtud. from kame 2000-12-11 19:28:47 +00:00
itojun
5eae50d991 update icmp6 too big validation. the change is necessary since pmtud is
mandatory for IPv6 (so we can't just validate by using connected pcb - we need
to allow traffic from unconnected pcb to do pmtud).
- if the traffic is validated by xx_ctlinput, allow up to "hiwat" pmtud
  route entries.
- if the traffic was not validated by xx_ctlinput, allow up to "lowat" pmtud
  route entries (there's upper limit, so bad guys cannot blow up our routing
  table).
sync with kame

XXX need to think again about default hiwat/lowat value.
XXX victim selection to help starvation case
2000-12-09 01:29:45 +00:00
itojun
fe5bd7125e make sure we don't touch uninitialized pointer. from: fvdl 2000-12-04 12:11:49 +00:00
thorpej
65fd25ea82 Restructure the PFIL_HOOKS mechanism a bit:
- All packets are passed to PFIL_HOOKS as they come off the wire, i.e.
  fields in protocol headers in network order, etc.
- Allow for multiple hooks to be registered, using a "key" and a "dlt".
  The "dlt" is a BPF data link type, indicating what type of header is
  present.
- INET and INET6 register with key == AF_INET or AF_INET6, and
  dlt == DLT_RAW.
- PFIL_HOOKS now take an argument for the filter hook, and mbuf **,
  an ifnet *, and a direction (PFIL_IN or PFIL_OUT), thus making them
  less IP (really, IP Filter) centric.

Maintain compatibility with IP Filter by adding wrapper functions for
IP Filter.
2000-11-11 00:52:36 +00:00
itojun
a21e536042 improve spec conformance of node information query (07).
sync with kame.
2000-11-11 00:46:36 +00:00
itojun
970a75f808 fix KAME PR 296 again, for transport-mode SA only
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun
8c411160ec backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode. 2000-11-09 17:36:11 +00:00
itojun
e452bf6c6b save a little bit of CPU time (avoid computing CBC IV we do not use).
sync with kame.
2000-11-08 04:57:57 +00:00
itojun
47bce75f00 check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet.  decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun
ef8a34f5c3 fix IPv4 TTL selection with AF_INET6 API. sync with kame. From: jdc 2000-11-06 00:50:12 +00:00
onoe
e83458422f First Prototype implementation of network interface part for IEEE1394 (if_fw).
Current status:
	Only OHCI chip is supported (fwohci).
	ping (IPv4) works with Sony's implementation (SmartConnect) on Win98.
	sometimes works but not stable.
Not implemented yet:
	IRM (Isochronous Resource Manager) functionality.
	Link layer fragmentation.
	Topology map.
More to do:
	clean ups
	MCAP
	charactor device part
	dhcp

There is no entry in GENERIC config file yet.
Follow sys/dev/ieee1394/IMPLEMENTATION to enable if_fw.
2000-11-05 17:17:12 +00:00
itojun
731744bcc2 avoid possible align issue 2000-11-02 12:28:45 +00:00
itojun
9b55c15642 [13]des fix for big endian machines. from: shigeru@iij.ad.jp 2000-11-02 12:25:01 +00:00
itojun
73b4766cf2 do not panic on "ifconfig inet6 fe80::1 -alias". from Todd Fries.
KAME PR 295.
2000-10-28 03:46:21 +00:00
itojun
cb1745c4f9 make IFA_STATS really work on IPv6. 2000-10-23 03:45:25 +00:00
itojun
9183e2dc4e remove #ifdef TCP6. it is not likely for us to bring in sys/netinet6/tcp6*.c
(separate TCP/IPv6 stack) into netbsd-current.
2000-10-19 20:22:59 +00:00
itojun
d11a1f9bae kame 1.32 -> 1.33
in add_m6fc(), set interface list for all cases.
in response to a report from Hoerdt Mickael.

kame 1.31 -> 1.32
discard PIM register if the version of the inner packet is incorrect (i.e. IPv6)
(according to clarfication of recent discussion in the IETF pim ML)
2000-10-19 03:15:48 +00:00
itojun
edd876a35d validate ICMPv6 too big message.
XXX too restrictive given frequent uses of sendto(2)
2000-10-19 01:14:13 +00:00
itojun
9288750911 memcpy -> bcopy, for sync with kame tree 2000-10-19 00:40:44 +00:00
itojun
23a03329ef verify ICMPv6 too big messages based on TCP pcbs, and/or IPsec SA.
TODO: udp6, and sendto consideration.  as pmtud is mandatory for IPv6,
it is rather important for us to support those cases.
TODO: more testing
TODO: kame sync
2000-10-18 21:14:12 +00:00
thorpej
ea9b5a9106 Restructure the Path MTU Discovery code somewhat to avoid
entering rtentry's for hosts we're not actually communicating
with.

Do this by invoking the ctlinput for the protocol, which is
responsible for validating the ICMP message:
	* TCP -- Lookup the connection based on the address/port
	  pairs in the ICMP message.
	* AH/ESP -- Lookup the SA based on the SPI in the ICMP message.

If validation succeeds, ctlinput is responsible for calling
icmp_mtudisc().  icmp_mtudisc() then invokes callbacks registered
by protocols (such as TCP) which want to take some sort of special
action when a path's MTU changes.  For TCP, this is where we now
refresh cached routes and re-enter slow-start.

As a side-effect, this fixes the problem where TCP would not be
notified when a path's MTU changed if AH/ESP were being used.

XXX Note, this is only a fix for the IPv4 case.  For the IPv6
XXX case, we need to wait for the KAME folks.

Reviewed by sommerfeld@netbsd.org and itojun@netbsd.org.
2000-10-18 17:09:14 +00:00
itojun
3fe32f0197 use __P() in prototype for non-ansi compilers.
From: Michael Shalayeff <mickey@lucifier.remote.dti.net>
(we don't ansify it for kame code sharing)
2000-10-17 21:46:42 +00:00
itojun
d7a216bb96 suppress warning on nd6_storelladdr failure. the failure could happen
easily when we have routing table with too many entries.  sync with kame.
2000-10-15 15:39:11 +00:00
itojun
6e3a9bc311 validate mbuf chain length on *_ctlinput. remote node may be able to
transmit a truncated icmp6 packet and panic the system.  sync with kame.
2000-10-13 17:53:44 +00:00
itojun
8fa0e6b9f7 sync with kame ($KAME$) 2000-10-10 16:26:43 +00:00
enami
0b9cbefe70 Don't initialize TCP twice on v4/v6 dual stack kernel. 2000-10-10 13:25:28 +00:00
itojun
654a1d9555 remove obsolete handling code for SIOCSIFPHY*. they are now in ifioctl().
sync with kame.
2000-10-06 05:07:41 +00:00
itojun
a6f9652adf always use rnd(4) for IPsec random number source. avoid random(9).
if there's no rnd(4), random(9) will be used with one-time warning printf(9).

XXX not sure how good rnd_extract_data(RND_EXTRACT_ANY) is, under entropy-
starvation situation
2000-10-05 04:49:17 +00:00
itojun
dabed37e1c correct merge failure in key size validation. 2000-10-02 23:49:02 +00:00
itojun
89af64e5e3 remove #ifdef freebsd 2000-10-02 17:23:49 +00:00
itojun
e9536f86fa add ESP rijndael logic. yet to be usable (until algorithm # is assigned) 2000-10-02 17:21:24 +00:00
itojun
dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
b2366d4898 add missing \n. sync with kame. 2000-10-01 10:56:02 +00:00
itojun
8a9f93dc37 update ip compression algorithm lookup.
attach sadb_comb for IP compression (not in RFC2367;
discussed on pf_key@inner.net).  sync with kame
2000-09-26 08:40:23 +00:00
itojun
78f9775c35 do not hardcode maximum IV length. 2000-09-26 08:37:38 +00:00
itojun
2c8b266751 make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing).  (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin
4e675359ad Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun
89f53512af use real wallclock (got by microtime) to compute IPsec database lifetimes.
previous code used interval timers, and had problem with suspend/resume.
sync with KAME.
2000-09-22 16:55:04 +00:00
itojun
e0bb769d4e on ipsec policy lookup, do not try to lookup port numbers for forwarded packet.
sync with kame.
2000-09-22 05:50:23 +00:00
itojun
aa5339554d cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
	old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
itojun
10cc02200a - repair too strong assumption on mbuf chain.
- correct byte lifetime computation to conform to RFC2401 p23 (use
  packet BEFORE compression)
- stabilize deflate calls
- present error messages better
2000-09-21 20:28:52 +00:00
itojun
9c55bd3b1a repair infinite loop in ipcomp packet generation. oops. 2000-09-21 06:08:26 +00:00
itojun
cb4931c8e7 repair cut-and-paste bug. from: francis dupont. sync with kame 2000-09-20 23:35:51 +00:00
itojun
d2c6420404 do not inject empty mbuf to zlib. 2000-09-20 23:35:16 +00:00
itojun
3ad679d8fd call {de,in}flateEnd on failure, otherwise obsolete state will be kept. 2000-09-20 22:34:24 +00:00
itojun
ffb333a57c plug mbuf leak (error case). need more investigation. 2000-09-20 21:43:52 +00:00
itojun
e485f6527e pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
(not normally visited - we have switched to m_pulldown.  just for completeness)
2000-09-18 22:18:00 +00:00
itojun
303fcdf765 repair blowfish-cbc. BF_encrypt() takes value in host byteorder, yuck!
(no effect to 1.5 branch)
2000-09-18 21:57:35 +00:00
itojun
691fdbb4f0 kame sys/netinet6/icmp6.c 1.140 -> 1.144
>   in the check for the incoming redirect message, examine the gateway
>   (from the routing table) only when the address family of the gateway is
>   AF_INET6.
2000-09-16 10:12:22 +00:00
itojun
2192675fb1 move file static variable into auto variable, for better thread safety.
(not really required for big lock MP).  sync with kame
2000-09-09 16:15:47 +00:00
itojun
f8481d085e add attribute(packed).
From: Alfred Perlstein <bright@wintelcom.net>
2000-09-09 11:42:22 +00:00
itojun
dc23ec9971 add missing \n on log(). sync with kame 2000-08-31 07:35:44 +00:00
itojun
65fbdbe744 repair DES on LP64. past code did not interoperate with non-LP64, due to
incorrect computed results.
remove unnecessary #ifdef/#define.  sync with kame.
2000-08-31 07:33:04 +00:00
itojun
58c93e23cf LP64 fix (cast to u_long when printing size_t) 2000-08-30 14:58:33 +00:00
itojun
2af85c262b improve code sharing for esp_schedule(). add some diagnostics cases
for esp_cbc_{en,de}crypt().  sync with kame.
2000-08-29 11:32:21 +00:00
itojun
6fe60cce5f do not forward packets with unspecified source address (::).
this is clarification recently made to RFC2460.  sync with kame.
2000-08-29 09:19:43 +00:00
itojun
bb8d535cc5 use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.

the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.

XXX: it looks that past blowfish-cbc code was buggy.  i ran some test pattern,
and new blowfish-cbc code looks more correct.  there's no interoperability
between the old code (before the commit) and the new code (after the commit).

XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun
3da9705446 add a warning on IPv6 setsockopt number space (*BSD shares the number space
so consult KAME for number allocation)
2000-08-27 01:02:48 +00:00
itojun
152da24bd9 implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable. 2000-08-26 11:03:45 +00:00
itojun
4d40179399 add missing IPNOPRIVPORTS case 2000-08-26 10:40:03 +00:00
thorpej
5bd1b19b29 Don't use MALLOC() for variable-sized allocations. 2000-08-25 21:22:16 +00:00
itojun
cabceaa265 - icmp6 nodeinfo: remove possibility of unaligned pointer access.
- jumbo payload output: fix incorrect mbuf manipulation
- pedant: align issues, mbuf assumption
(sync with kame)
2000-08-19 08:15:53 +00:00
itojun
e6efb27c84 add missing splx, when outgoing interface queue is full on tunnelled
ESP packet output.  KAME PR 280.
2000-08-16 09:54:39 +00:00
thorpej
831a48fd0b Make this compile without INET6 again. 2000-08-15 21:43:57 +00:00
itojun
54aeb79d4c supress warning (LOG_ERR -> LOG_DEBUG) which occurs in the following situation:
- manually configure an address from prefix P (like P::1)
- autoconfigure additional address from the same prefix P (like P::ifid).
- rtrequest fails due to P/plen already exists

more fundamental solution should appear later, when kame side stablizes it.
from thopej.
2000-08-13 23:45:22 +00:00
itojun
5e868d1e49 clearifications in icmp6 node query support.
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun
afa5315364 correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
sync with kame.
2000-08-03 14:31:04 +00:00
itojun
6574aa66e8 inhibit error code from rtinit(). this happens when we try to assign
multiple addresses from same prefix, onto single interface.  PR 10427.


more info:
- 4.4BSD did not check return code from in_ifinit() at all.
  4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
  the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
  4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
  from the same prefix.  KAME tree has more extensive change, however, it needs
  much more time to get stabilized (rtentry refcnt change can cause serious
  issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
itojun
32ef6bb0e7 sync comment with reality 2000-07-30 05:30:37 +00:00
itojun
0036ac92be clarify comment. from jhawk. sync with kame. 2000-07-30 04:33:34 +00:00
itojun
5e8b5a35e4 make ipsec_strerror(3) to return const char *, not char *. sync with kame. 2000-07-30 02:38:35 +00:00
itojun
63de4c2cb9 nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
	net.inet.tcp.rstratelimit
	net.inet.icmp.errratelimit
	net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun
73a29e35ff do not forward packet with :: in the source.
this is not in the spec - we had rough consensus on it in ipngwg,
spec will get updated to include this behavior.
2000-07-27 15:53:51 +00:00
itojun
fec624be3f wrap kernel function prototype by #ifdef _KERNEL. 2000-07-23 08:24:12 +00:00
itojun
411ff12b27 pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.

loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun
65d37eff7f correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.

WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun
5f09b77987 s/IPSEC_IPV6FWD/IPSEC/. this should correct strange behavior on ipv6
forwarding (even if policy asks for tunnel mode encryption, packets
go out in clear).  sync with kame.
2000-07-16 07:57:55 +00:00
itojun
a2744a4cf8 do not pull sys/queue.h from netinet6/in6.h. PR10597.
some sync with kame.
2000-07-16 01:10:34 +00:00
itojun
20964b0c23 fatal bug fix from kame (rtentry refcnt goes negative if we play with IPv6
address/routing table too much).

in6_ifloop_request()
  not to request rtrequest to return an rtentry except for the ADD
  operation, in order to avoid misdecreasing the refcnt (which might
  cause leak of rtentry)
2000-07-13 09:56:20 +00:00
itojun
f5211e847a remove m_pulldown statistics code. it is highly experimental and belong
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun
d8a9a3cc7b add ppsratelimit(9), which does event-per-sec rate limitation.
use it from icmp6 error rate limitation code.
XXX better name for the function?
2000-07-09 06:44:57 +00:00
itojun
ec67eee51f sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
christos
2068dee670 elide lint cast type conversion warnings. 2000-07-06 17:42:55 +00:00
itojun
210a3e2f80 remove unnecessary #include <netkey/key_debug.h>. from kame. 2000-07-06 12:51:39 +00:00
itojun
0a1e211454 - do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation.  TOOD: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
itojun
6fff122160 drop packet to tentative/duplicated interface address earlier. sync w/kame 2000-07-02 09:56:39 +00:00
itojun
8ff902fca1 repair kernel faithd(8) support. there were two mistakes:
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
itojun
3ade27131a suppress too noisy warning on forward-over-loopback case. from kame 2000-06-30 19:46:05 +00:00
mrg
cf594a3f4d <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:01:16 +00:00
kleink
d2787dad27 XNS5.2: define sa_family_t and use it where specified by the standard. 2000-06-26 15:48:19 +00:00
itojun
278184a8ab avoid possible mbuf leaks on ipsec policy violation.(sync with kame) 2000-06-20 02:24:42 +00:00
itojun
90ca25568b remove obsolete sysctl MIB net.inet.ipsec.inbound_call_ike.
(sync with kame)
2000-06-15 05:01:06 +00:00
thorpej
1b8ede9f7c Import IPsec ESP from netbsd-cryptosrc-intl. 2000-06-14 19:39:42 +00:00
itojun
dafb757588 add algorithm name into algorithm table. (commit to crypto-intl will follow) 2000-06-14 11:27:35 +00:00
itojun
af9d516560 signedness issue with char, take 2. confirmed with i386 cc -funsigned-char. 2000-06-13 17:31:37 +00:00
itojun
c6a8ca266b workaround to suppress warning on char == unsigned char arch. 2000-06-13 16:34:37 +00:00
itojun
0455eac327 do not use cached route if the route becomes !RTF_UP.
make the validation for jumbo payload option more strict.
2000-06-13 14:43:44 +00:00
itojun
36887242d7 add sanity check on in6_ifaddr. 2000-06-13 04:35:29 +00:00
itojun
fa24d1db9b make sure to link new in6_ifaddr to if_addrlist. 2000-06-13 02:54:11 +00:00
itojun
07098cd363 better conformance to draft-ietf-ipngwg-icmp-name-lookups-05.
the old code was chimera of 03 and 05 draft.

-n by default, since IPv6 reverse lookup takes too much time.
use -H to enable reverse name lookup.
2000-06-12 16:21:02 +00:00
itojun
8f26bbadf9 sync with latest kame tree (tiny update in IPv4 mapped issue) 2000-06-12 10:47:17 +00:00
itojun
92e64a4a0d sync with almost-latest KAME IPsec. full changelog would be too big
to mention here.  notable changes are like below.

kernel:
- make PF_KEY kernel interface more robust against broken input stream.
  it includes complete internal structure change in sys/netkey/key.c.
- remove non-RFC compliant change in PF_KEY API, in particular,
  in struct sadb_msg.  we cannot just change these standard structs.
  sadb_x_sa2 is introduced instead.
- remove prototypes for pfkey_xx functions from /usr/include/net/pfkeyv2.h.
  these functions are not supplied in /usr/lib.

setkey(8):
- get/delete does not require "-m mode" (ignored with warning, if you
  specify it)
- spddelete takes direction specification
2000-06-12 10:40:37 +00:00
itojun
90fb69b2b2 sync with latest kame document.
- update 6to4 i-d #.
- update descr on source address selection.
2000-06-10 08:21:11 +00:00
danw
f7d6ee345c Use _POSIX_SOURCE-safe type names 2000-06-08 19:01:44 +00:00
itojun
ffedfcb68d make sure not to overwrite sockaddr on PRU_SEND/PRU_CONNECT to
link-local address.  From: frank
2000-06-08 13:51:33 +00:00
itojun
8fe589a2ae fix anycast address determination.
correct interface address addition when link-local is added (check if ifp
matches).
make diff to kame repository easier (breaks some KNF)

sync with kame.
2000-06-07 06:27:43 +00:00
itojun
8183434ff7 s/PIMCTL/PIM6CTL/ to avoid future confusion. 2000-06-07 04:40:46 +00:00
itojun
af6b403d46 backout change to in6_pcbnotify(). the change seems premature
(may cause trouble with advanced API in certain situation).
2000-06-05 08:09:48 +00:00
itojun
8987054176 pass struct proc * down to udp6_output and in6_pcbbind. 2000-06-05 06:38:22 +00:00
itojun
93b2b4e693 remove include files in nonstandard path
(has been #error for couple of months).
2000-06-04 11:52:06 +00:00
itojun
d7e34999be sync with recent kame.
avoid use of macros to manipulate sockaddrs (hides error case too much).
correct IPv4 packet handling when ip option is present.
preparations for ipsec policy engine upgrades.
2000-06-03 16:14:02 +00:00
itojun
9d853e8a4f sync with kame.
- use latest source address selection code - in6_src.c.
- correct frag header insertion.
- deep copy ip6 header portion in ip6_mloopback to avoid overwrite.
- do not bark when we forward packet to loopback.
- some cosmetics.
2000-06-03 14:36:32 +00:00
itojun
e0b65589f1 sync with more recent kame. cope with malloc failure more gracefully
some cosmetics.
2000-06-02 18:20:15 +00:00
itojun
4308599c5a disallow bind(2) with IPv4 mapped address for now. port number check is
insufficient at this moment and we can bind(2) two sockets listen on same
port number.

for real fix, we need to check inpcb table with in6pcb.  we can't
find inpcb chain from particular in6pcb chain (like finding tcbtable from tcb6)
luckily RFC2553 does not talk about bind(2) behavior for IPv4 mapped.
IPv4 mapped brings in too much complexities...
2000-05-29 00:03:18 +00:00
itojun
c0ccb49681 sync with reality in netbsd-current.
- pcb layer changes
- officially supported net interfaces
- minor typo
- draft # updates
2000-05-28 23:44:30 +00:00
itojun
418a734f51 enforce parameter type check for IN6_ARE_ADDR_EQUAL(). (sync with kame) 2000-05-24 14:40:09 +00:00
itojun
fa2abf5727 make net.inet6.udp6.* sysctl name meet with IPv4 counterpart.
XXX do we need to keep symbols mistakingly added (like UDP6CTL_SENDMAX)
for backward compatibility?  I believe not.
2000-05-22 15:22:36 +00:00
itojun
5de72de121 disallow negative numbers for ratelimit interval (tcp, icmp, icmp6). 2000-05-22 12:08:43 +00:00
itojun
48c5048502 correct manipulation of link-local scoped address on loopback.
now "telnet fe80::1%lo0" should work again.
(we have another bug near here - will attack it soon)
2000-05-19 20:09:26 +00:00
itojun
41f4d3e2b6 correct MLD API. (binary backward compatibility is kept)
commit to usr.sbin/pim6* will follow.
2000-05-19 10:39:43 +00:00
thorpej
f636538446 NULL != 0 2000-05-19 04:34:39 +00:00
itojun
fa5c89d64a do not mistakingly forward link-local scoped packet (the bug was added
with "beyondscope" icmp6 support).
"options FAKE_LOOPBACK_IF" will honor scope on loopback outputs.  rcvif will
be real interface, not the loopback, just like when multicast loopback.

(sync with kame)
2000-05-19 01:40:18 +00:00
itojun
4f1c7f0bbe do not try NUD unless the gateway is a real neighbor.
real fix to KAME PR 245 (workaround has been implemented).
2000-05-09 11:51:12 +00:00
thorpej
e0d0cba239 Remove junk at the end of #undef. 2000-05-08 18:31:10 +00:00
itojun
b5393f9387 correct in6_ifdetach() (previous code touched dangling pointers).
actually the corrected portion was never visited.
2000-05-05 08:03:12 +00:00
itojun
57434b944b misuse of free(ia) in #if 0'ed region.
From: Lennart Augustsson <lennart@augustsson.net>
2000-04-27 16:44:19 +00:00
itojun
7e72267252 correct in6_ifdetach(). free oia, not ia.
From: Lennart Augustsson <augustss@augustsson.net>
2000-04-27 15:39:05 +00:00
itojun
b360c656a0 temporary workaround against GIF NUD issue (when you configure globals
onto GIF, NUD prevents packet from going out)
KAME PR 245.  From: Andreas Wrede <andreas@planix.com>
2000-04-27 00:33:47 +00:00
itojun
5393e61dd0 add boundary check for nd6_ifinfo (otherwise ndp -i can make out-of-bound
accesses).
2000-04-19 07:13:03 +00:00
itojun
3909133548 introduce sys/netinet/ip_encap.c, to dispatch inbound packets
to protocol handlers, based on src/dst (for ip proto #4/41).
see comment in ip_encap.c for details of the problem we have.
there are too many protocol specs for ip proto #4/41.
backward compatibility with MROUTING case is now provided in ip_encap.c.

fix ipip to work with gif (using ip_encap.c).  sorry for breakage.

gif now uses ip_encap.c.

introduce stf pseudo interface (implements 6to4, another IPv6-over-IPv4 code
with ip proto #41).
2000-04-19 06:30:51 +00:00
itojun
81e8059dfc fix endian issue in filling in interface id.
better sync with kame (nuke space at EOL).
2000-04-17 16:26:07 +00:00
itojun
3e34240544 perform neighbor unreachability detection on p2p links (spec requires
it for bidir p2p links).
improve -i in ndp(8) to allow tweaking per-interface ND flag on.
fix ndp(8) infinite loop on certain routing table setup.
2000-04-16 15:27:59 +00:00
itojun
30272756a8 better sync with latest kame (cosmetic only). 2000-04-16 15:00:56 +00:00
itojun
7716681678 add comment on sdl_alen check (sync with kame) 2000-04-13 16:27:00 +00:00
itojun
ff22afe8bf fix fatal bug in EUI64 generation (0xff -> 0xfe typo) 2000-04-13 16:21:25 +00:00
itojun
8b8adc2ee4 bark if sdl_alen == 0. test code for KAME PR 235. 2000-04-13 14:32:53 +00:00
itojun
18f9d539cc even if nd6_nud_hint is called, do not change a neighbor's status
unless the old status is probably reachable (i.e. the link-layer address
has already been resolved).
KAME PR 235.
2000-04-13 14:11:06 +00:00
itojun
af4021abec do not return icmp6 error against icmp6 error.
(this is due to a bug in header chain chasing)
2000-04-13 14:07:10 +00:00
itojun
ecb5f2e56a revisit in6_ifattach().
- be persistent on initializing interfaces, even if there's manually-
  assigned linklocal, multicast/whatever initialization is necessary.
- do not cache mac addr in the kernel.  grab mac addr from existing cards
  (this is important when you swap ethernet cards back and forth)
now ppp6 works just fine!

call in6_ifattach() on ATM PVC interface to assign link-local, using
hardware MAC address as seed.

(the change is in sync with kame tree).
2000-04-12 10:36:38 +00:00
itojun
6db43d2c0e cosmetic (space before EOL), to ease diff against kame 2000-04-10 15:45:24 +00:00
simonb
56fba1c4d0 Remove duplicate declaration of ifindex2ifnet - it's in <net/if.h>. 2000-03-29 03:38:53 +00:00
mycroft
a5edb9f747 Oops; fix thinko. 2000-03-26 19:11:04 +00:00
mycroft
a08d308dc2 Update byte count and time stamps for received packets (as in ESP).
May help fix stalls.
2000-03-26 18:55:37 +00:00
itojun
e2d658087d move ia6->ia6_dad_ch to dp->dad_timer_ch, to ease KAME code sharing.
now in6_var.h does not need to pull sys/callout.h in.
2000-03-24 04:09:04 +00:00
thorpej
fc96443d15 New callout mechanism with two major improvements over the old
timeout()/untimeout() API:
- Clients supply callout handle storage, thus eliminating problems of
  resource allocation.
- Insertion and removal of callouts is constant time, important as
  this facility is used quite a lot in the kernel.

The old timeout()/untimeout() API has been removed from the kernel.
2000-03-23 07:01:25 +00:00
itojun
e8808e9659 correct references. update ipsec description (sync with kame). 2000-03-22 08:20:18 +00:00
itojun
d6c5619790 use ip6_{last,next}hdr in icmp6 inbound packet parsing. 2000-03-22 04:42:01 +00:00
itojun
fadbd2b29a cleanup AH/policy processing.
- parse IPv6 header by using common function, ip6_{last,next}hdr.
- fix behaivior in multiple AH cases.
  make strict boundary checks on mbuf chasing.
(sync with latest kame)
2000-03-21 23:53:30 +00:00
itojun
48d556091f s/ND6DEBUG/ND6_DEBUG/ (just to meet nd6_nbr.c) 2000-03-21 11:34:25 +00:00
itojun
19b198e8c2 improve comment (about undo'ing code on in{,6}_ifinit failure) 2000-03-21 11:23:31 +00:00
itojun
a25da23509 #if 0'ed too strong sanity check against packets with v4 compatible addresses.
we may want to re-enable it whenever mech-xx clarifies router behavior
against native IPv6 packet with IPv4 compatible addresses.
2000-03-21 11:05:12 +00:00
itojun
d926d6fa47 #if 0'ed undo code for interface address addition failure.
it was a bit too strong, and forbids multiple addresses from
same prefix to be assigned.

now the behavior is the same as previous - memory leak on interface address
addition failure.
http://orange.kame.net/dev/query-pr.cgi?pr=218
2000-03-18 02:41:58 +00:00
thorpej
2ac45d6eef Quiet down the DAD messages a little more. 2000-03-16 02:53:45 +00:00
itojun
7560717e93 undo interface addition attempt if in6_ifinit() fails.
without it, :: will be kept if in6_ifinit() fails.
2000-03-12 05:23:07 +00:00
thorpej
308b6b91d5 Quiet a noisy diagnostic. 2000-03-04 02:39:58 +00:00
itojun
d7e8edfdcd configure ::1 to loopback dstaddr.
honor ifa_refcnt when configuring loopback.
2000-03-02 09:45:01 +00:00
itojun
52c11b789a bump kame revision id 2000-03-02 07:15:39 +00:00
itojun
36649fea92 don't configure ifa_dstaddr for non-pointopoint interface,
so that we won't be returning them from routing socket manipulation.
2000-03-02 07:14:52 +00:00
itojun
ded4e9540a properly handle notifies from icmp6, so that we can properly reflect
redirects/unreach to transport layer. (sync with latest kame)
2000-03-02 06:42:52 +00:00
itojun
04ac848d6f introduce m->m_pkthdr.aux to hold random data which needs to be passed
between protocol handlers.

ipsec socket pointers, ipsec decryption/auth information, tunnel
decapsulation information are in my mind - there can be several other usage.
at this moment, we use this for ipsec socket pointer passing.  this will
avoid reuse of m->m_pkthdr.rcvif in ipsec code.

due to the change, MHLEN will be decreased by sizeof(void *) - for example,
for i386, MHLEN was 100 bytes, but is now 96 bytes.
we may want to increase MSIZE from 128 to 256 for some of our architectures.

take caution if you use it for keeping some data item for long period
of time - use extra caution on M_PREPEND() or m_adj(), as they may result
in loss of m->m_pkthdr.aux pointer (and mbuf leak).

this will bump kernel version.

(as discussed in tech-net, tested in kame tree)
2000-03-01 12:49:27 +00:00
itojun
03f0ac370f make ICMPv6 redirect actually flush route cache in udp6/raw6 socket. 2000-02-28 16:10:52 +00:00
itojun
d8dfd96b2c fix ICMPv6 redirect input. the bug can result in invalid ND entry. 2000-02-28 14:30:36 +00:00
itojun
cdea88d700 support draft-ietf-ipngwg-icmp-name-lookups-05.txt, drop support for
draft-ietf-ipngwg-icmp-name-lookups-04.txt.

There are certain bitfield change in 04 draft to 05 draft, which makes
04 "ping6 -a" and 05 "ping6 -a" not interoperable.  sigh.
2000-02-28 13:48:50 +00:00
itojun
bbe25244d0 remove some of cross-BSD portability #ifdef.
remove xxCTL_VARS, which is BSDI specific.
2000-02-28 12:08:21 +00:00
itojun
2c7ba046f0 with IPv4 AH, strip off AH from the packet. this is to make some
of IPv4 transport layer code work correctly (specifically, ICMPv4
will transmit wrong packet if we don't strip AH here)

this is just for m_pulldown case.  normal installations are not affected.
2000-02-26 11:49:44 +00:00
itojun
99d909fc98 implement rip6_ctlinput, to cope with routing changes correctly.
(IMHO we need rip_ctlinput as well)
2000-02-26 09:09:17 +00:00
itojun
9c484862a0 make it possible to throw IPv6 packet with proto=4/41.
(in normal case we don't do it, but this is how IPv4 in_proto is written)
2000-02-26 09:01:59 +00:00
itojun
e40f8f1220 sync description on proxy NDP with latest KAME doc. 2000-02-26 08:49:49 +00:00
itojun
1450d6e643 bring in recent KAME changes (only important and stable ones, as usual).
- remove net.inet6.ip6.nd6_proxyall.  introduce proxy NDP code works
  just like "arp -s".
- revise source address selection.
  be more careful about use of yet-to-be-valid addresses as source.
- as router, transmit ICMP6_DST_UNREACH_BEYONDSCOPE against out-of-scope
  packet forwarding attempt.
- path MTU discovery takes care of routing header properly.
- be more strict about mbuf chain parsing.
2000-02-26 08:39:18 +00:00
itojun
de1fd6178d sync with latest KAME document.
- updates in I-D/RFC #
- scoped address syntax change
- remove ALTQ and other portion to avoid confusion
2000-02-25 07:29:47 +00:00
itojun
8f5a83e6e9 on SIOCS*_IN6, validate sockaddrs so that we never configure non-AF_INET6
addresses. (in_control has the same problem - I'll need to check it as well)

obsolete the following two ioctls, they do not fit well against IPv6 addressing
model. (the kernel support them for some period of time, we'll remove them
in the near future)
	SIOCSIFDSTADDR_IN6
	SIOCSIFNETMASK_IN6
2000-02-25 05:13:05 +00:00
itojun
eecf64392b remove unnecessary if - else clause.
(sync with kame)
2000-02-25 00:29:55 +00:00
itojun
1bb987a022 remove extra NULL check
typo in PULLDOWN_TEST case
note: the fixes does not affect normal configuration.
(sync with kame)
2000-02-25 00:29:00 +00:00
itojun
857bdcba78 make variable initialization safer.
(IP6_EXTHDR_CHECK can call m_pullup under rare condition)
2000-02-25 00:27:18 +00:00
itojun
3d97823234 remove never-referenced variable (in6_interfaces).
fix paren match for macro.
2000-02-24 12:59:12 +00:00
itojun
95db252b5c costmetic (remove space at EOL) 2000-02-24 12:43:49 +00:00
darrenr
4b3916780b pass "struct pfil_head *" to pfil_add_hook and pfil_remove hook rather
than "struct protosw *".
2000-02-20 00:56:33 +00:00
itojun
db71aa588d s/u_char/u_int8_t/ for sin6_{family,len} 2000-02-19 17:32:07 +00:00
darrenr
fd7edad6c3 Change the use of pfil hooks. There is no longer a single list of all
pfil information, instead, struct protosw now contains a structure
which caontains list heads, etc.  The per-protosw pfil struct is passed
to pfil_hook_get(), along with an in/out flag to get the head of the
relevant filter list.  This has been done for only IPv4 and IPv6, at
present, with these patches only enabling filtering for IPPROTO_IP and
IPPROTO_IPV6, although it is possible to have tcp/udp, etc, dedicated
filters now also.  The ipfilter code has been updated to only filter
IPv4 packets - next major release of ipfilter is required for ipv6.
2000-02-17 10:59:32 +00:00
thorpej
d2bccc29d8 Fix a couple of brainos in the last. 2000-02-15 00:31:08 +00:00
thorpej
144759ef2b Use ratecheck() for ICMP6 rate limiting. 2000-02-14 19:45:50 +00:00
itojun
19e9558eaf sync with extended scoped address syntax change. 2000-02-09 12:27:03 +00:00
itojun
53e333c935 honor ifa reference counting. 2000-02-09 03:34:01 +00:00
itojun
59d74f3d21 to improve RFC2553/2292 compliance, and promote use of
RFC2553/2292-compliant header file path, now the following headers are
forbidden:
	netinet6/ip6.h
	netinet6/icmp6.h
	netinet6/in6.h

if you want netinet6/{ip6,icmp6}.h, use netinet/{ip6,icmp6}.h.

if you want netinet6/in6.h, you just need to include netinet/in.h.
it pulls it in.
(we may need to integrate them into netinet/in.h, but for cross-BSD code
sharing i'd like to keep it like this for now)
2000-02-09 00:54:55 +00:00
itojun
2687887f38 s/DIAGNOSTIC/DEBUG/ 2000-02-07 06:15:16 +00:00
itojun
85cdd5f08e remove IPv6 router renumbering prefix information in the kernel
when all the interface addresses are gone.
this should remove dangling structure when:
# ifconfig lo0 inet6 3ffe::1 prefixlen 64 alias
# ifconfig lo0 inet6 3ffe::1 -alias
is performed.
2000-02-07 05:48:11 +00:00
itojun
1148e4715f correct SIOCAIFADDR_IN6 failure recovery in point-to-point case. 2000-02-07 05:42:59 +00:00
itojun
49bed394bd add more sanity check against mbuf length.
use log() for DAD related kernel message.
2000-02-07 05:42:28 +00:00
itojun
45b89333e4 close comment.
From: Kazuto Ushioda <x-y-z@3si.co.jp>
2000-02-07 03:51:59 +00:00
itojun
90736ab608 fix include pathname for better rfc2292 compliance. 2000-02-06 12:49:37 +00:00
itojun
51219dabc9 to be more rfc2292 complient, move ip6.h and icmp6.h into netinet.
(netinet6/{ip6,icmp6}.h is non-standard path - these files should go away)

it was not possible to use cvsmove in this case.
when you try to look at history, chase it toward netinet6/{ip6,icmp6}.h.
2000-02-06 11:11:29 +00:00
itojun
76064f5770 don't chase mbuf pointer when it is NULL. 2000-02-06 08:06:43 +00:00