Aren/NetBSD
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
121,045 Commits 606 Branches 0 Tags 3.1 GiB
8e5c74aa34
Commit Graph

88 Commits

Author SHA1 Message Date
jonathan
995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm, 
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
 2003-11-17 21:34:27 +00:00
itojun
b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun
98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun
96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun
364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local) 
iij seil team
 2003-10-02 10:01:11 +00:00
itojun
8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seli team 2003-10-02 07:19:37 +00:00
itojun
cd71ebe2f7 mark security policy that should persist in the system "persistent". 
this should prevent recently-reported kernel panic when "spdflush" is issued.
 2003-09-22 04:47:43 +00:00
itojun
9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun
a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun
6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun
5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun
800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet) 
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
 2003-09-07 15:59:36 +00:00
itojun
680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00
itojun
32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability 
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
 2003-09-06 03:36:30 +00:00
itojun
11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun
52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
itojun
c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
darrenr
9787457fbe bring a small amount of code out of an if() statement that was doing 
the same thing for both cases.
 2003-05-10 13:23:07 +00:00
itojun
40606ab8f2 switch from kame-based m_aux mbuf auxiliary data, to openbsd m_tag 
implementation.  it will simplify porting across *bsd (such as kame/altq),
and make us more synchronized.  from Joel Wilsson
 2003-01-17 08:11:49 +00:00
provos
0f09ed48a5 remove trailing \n in panic(). approved perry. 2002-09-27 15:35:29 +00:00
itojun
9401012487 KNF - return is not a function. sync w/kame. 2002-09-11 02:46:42 +00:00
itojun
6dedde045a correct signedness mixup in pointer passing. sync w/kame 2002-09-11 02:41:19 +00:00
itojun
c00fa8dfd9 avoid swapping endian of ip_len and ip_off on mbuf, to meet with M_LEADINGSPACE 
optimization made last year.  should solve PR 17867 and 10195.

IP_HDRINCL behavior of raw ip socket is kept unchanged.  we may want to
provide IP_HDRINCL variant that does not swap endian.
 2002-08-14 00:23:27 +00:00
itojun
af8ad017f7 typo. From: Arto Selonen <arto@selonen.org>, sync w/kame 2002-08-01 05:17:47 +00:00
wiz
e00173a7f2 Spell 'should' correctly. 2002-07-18 11:59:06 +00:00
itojun
d7006267f3 reduce kernel stack usage by separating struct secasindex. sync w/kame 
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
 2002-06-27 12:12:49 +00:00
itojun
61f28217c4 move sanity check upwards. sync w/kame 
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
 2002-06-22 12:27:09 +00:00
itojun
cfb9a4a799 avoid listening socket from mistakenly use incorrect cached policy. 
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>  sync w/kame
 2002-06-22 12:04:07 +00:00
itojun
69d65da8c6 sizeof mistake in DIAGNOSTIC path. sync w/kame 
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
 2002-06-21 23:15:35 +00:00
itojun
3033187db0 previous commit cached pcb policy too much (when pcb points to 
SPD entry that is not ipsec - like "none").  back it out.  sync w/kame
 2002-06-16 16:28:36 +00:00
itojun
c1808f02bf cache pcb policy as much as possible. in fact, if policy is not 
IPSEC_POLICY_IPSEC we don't need to compare spidx.  sync w/kame
 2002-06-14 14:47:24 +00:00
itojun
813344bfbe remove redundant line 2002-06-14 14:17:55 +00:00
itojun
a8dde3fa57 free secpolicy on deepcopy failure 2002-06-13 05:10:13 +00:00
itojun
dc96111483 deep-copy pcb policy if it is an ipsec policy. assign ID field to all 
SPD entries.  make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes).  sync w/kame
 2002-06-12 17:56:45 +00:00
itojun
3489976392 do not copy policy-on-socket at all. avoid copying packet header value to 
struct spindex.  should reduce memory usage per socket/pcb, and should speedup
ipsec processing.  sync w/kame
 2002-06-12 01:47:34 +00:00
itojun
fa53d749ff share policy-on-pcb for listening socket. sync w/kame 
todo: share even more, avoid frequent updates of spidx
 2002-06-11 19:39:59 +00:00
itojun
2533e1f81f avoid variable name confusion. sync w/kame 2002-06-11 17:26:52 +00:00
itojun
b05ff066a7 whitespace cleanup 2002-06-09 14:43:10 +00:00
itojun
fc5800e3fd whitespace cleanup 2002-06-08 20:06:44 +00:00
itojun
e3c4951b26 re-enable ipsec policy caching onto pcb. refcnt fix and workarounds based on ymmt-san. 2002-05-25 10:01:01 +00:00
itojun
d2fd814987 in sp caching code, check if sp is still alive. sync w/kame 2002-05-19 00:46:40 +00:00
itojun
861dfdc294 disable ipsec policy caching on pcb, as it seems that there's some reference- 
counting mistake that causes panic - see PR 15953 and 13813.

i am unable to find the real cause of problem, so it is a shortterm workaround,
hopefully.
 2002-05-10 05:49:21 +00:00
itojun
d7669537a8 remove unneeded #ifdef __FreeBSD__ portion. 2002-05-10 05:38:29 +00:00
thorpej
dc12059c9e Use M_READONLY() rathern than testing to see if ext_free is set 
or MCLISREFERENCED().
 2002-04-28 00:54:41 +00:00
itojun
c23ea6c341 update outgoing ifp, only if tunnel mode ipsec is used. this is to 
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast.  sync with kame
 2001-11-21 06:28:08 +00:00
lukem
4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
simonb
5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h> 
anymore.
 2001-10-29 07:02:30 +00:00
itojun
7dcf45fbd8 more whitespace/comment sync with kame 2001-10-16 06:24:44 +00:00
wiz
456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00