Commit Graph

165 Commits

Author SHA1 Message Date
christos f794ad1e52 remove 2038 comment. 2009-02-14 20:53:58 +00:00
skd 8d41ac5617 Back out my previous change. The problem I'm chasgin is with the
initialization of ports in saidx's when IPSEC_NAT_T is defined but the
association connection is not using nat traversal.  Stay tuned.
2009-02-09 15:06:37 +00:00
skd 744626ac10 These comparison functions return 0 on match. Fix sense of test. 2009-01-28 19:06:03 +00:00
cegger 9b87d582bd kill MALLOC and FREE macros. 2008-12-17 20:51:31 +00:00
ad 0efea177e3 Remove LKMs and switch to the module framework, pass 1.
Proposed on tech-kern@.
2008-11-12 12:35:50 +00:00
dsl a8f5b9cfc2 Comment out the 'do' and 'while (0)' from KEY_CHKSASTATE().
The expansion contains a 'continue' which is expected to continue
a loop in the callling code, not just abort the #define.
2008-07-25 20:55:43 +00:00
mlelstv be6f2a4b87 Ignore freed rtcache entries. 2008-07-01 20:18:45 +00:00
degroote ba4ebf7e6b Kill caddr_t introduced in the previous revision
Fix build with FAST_IPSEC
2008-06-27 17:28:24 +00:00
mlelstv fa014c6383 Verify icmp type and code in IPSEC rules.
Fixes PR kern/39018
2008-06-27 05:18:58 +00:00
thorpej b129a80c20 Simplify the interface to netstat_sysctl() and allocate space for
the collated counters using kmem_alloc().

PR kern/38577
2008-05-04 07:22:14 +00:00
degroote b6a04a1973 In key_do_allocsa_policy, fix a bad usage of key_setsadbmsg. The third argument
is an SADB_SATYPE_*, not an IPPROTO_* .

Fix PR/38405. Thanks for the report
2008-05-03 21:53:23 +00:00
martin ce099b4099 Remove clause 3 and 4 from TNF licenses 2008-04-28 20:22:51 +00:00
degroote bb588cd930 Fix a stupid typo. In ipsec6_process_packet, reinject the packet in AF_INET6,
nor in AF_INET.
2008-04-28 17:40:11 +00:00
degroote e7dc156f58 Fix some fallout from socket locking patch :
- {ah6,esp6}_ctlinput must return void*
 - use correct wrapper for rip_usrreq
2008-04-27 12:58:48 +00:00
ad 15e29e981b Merge the socket locking patch:
- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.
2008-04-24 11:38:36 +00:00
thorpej 02f63fe1bf PF_KEY stats for IPSEC and FAST_IPSEC are now per-CPU. 2008-04-23 07:29:47 +00:00
thorpej caf49ea572 Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
netstat_sysctl().
2008-04-23 06:09:04 +00:00
thorpej 680fd6866d Make ip6 and icmp6 stats per-cpu. 2008-04-15 04:43:53 +00:00
thorpej 3f466bce48 Change IPv6 stats from a structure to an array of uint64_t's.
Note: This is ABI-compatible with the old ip6stat structure; old netstat
binaries will continue to work properly.
2008-04-08 23:37:43 +00:00
degroote f3f9c5b3a1 Fix build of FAST_IPSEC after the change of ip_newid prototype 2008-02-10 21:42:20 +00:00
tls e5bd2a127e Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto"
(actually splnet) and condvars instead of tsleep/wakeup.  Fix a few
miscellaneous problems and add some debugging printfs while there.

Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some
point after this code came from FreeBSD -- it made it impossible to wait
properly for a condition.

Add flags analogous to the "crp" flags to the key operation's krp struct.
Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before
the kthread had a chance to dequeue it and call its callback -- this was
letting requests stick on the queues before even though done and copied
out.

Callers of crypto_newsession() or crypto_freesession() must now take the
mutex.  Change netipsec to do so.  Dispatch takes the mutex itself as
needed.

This was tested fairly extensively with the cryptosoft backend and lightly
with a new hardware driver.  It has not been tested with FAST_IPSEC; I am
unable to ascertain whether FAST_IPSEC currently works at all in our tree.

pjd@FreeBSD.ORG, ad@NetBSD.ORG, and darran@snark.us pointed me in the
right direction several times in the course of this.  Remaining bugs
are mine alone.
2008-02-04 00:35:34 +00:00
joerg 3615cf7715 Now that __HAVE_TIMECOUNTER and __HAVE_GENERIC_TODR are invariants,
remove the conditionals and the code associated with the undef case.
2008-01-20 18:09:03 +00:00
degroote 55718e804e Fix the ipsec processing in case of USE rules with no SA installed.
In case where there is no more isr to process, just tag the packet and reinject
in the ip{,6} stack.

Fix pr/34843
2007-12-29 16:43:17 +00:00
degroote bd4ac64c48 Add some statistics for case where compression is not useful
(when len(compressed packet) > len(initial packet))
2007-12-29 14:56:35 +00:00
degroote 61e79ba32a Simplify the FAST_IPSEC output path
Only record an IPSEC_OUT_DONE tag when we have finished the processing
In ip{,6}_output, check this tag to know if we have already processed this
packet.
Remove some dead code (IPSEC_PENDING_TDB is not used in NetBSD)

Fix pr/36870
2007-12-29 14:53:24 +00:00
seanb 82a49e7352 - Remove remain <= MHLEN restriction in m_makespace()
PR:30124
2007-12-14 20:55:22 +00:00
lukem 9d8f493213 use __KERNEL_RCSID() 2007-12-11 12:40:10 +00:00
degroote 939a0dbd0a Kill _IP_VHL ifdef (from netinet/ip.h history, it has never been used in NetBSD so ...) 2007-12-09 18:27:39 +00:00
elad 3668e580ae Use struct initializers. No functional change. 2007-12-07 19:46:18 +00:00
elad 5a24b726ae Let this code compile.
Hi, liamjfoy@. :)
2007-12-07 19:44:38 +00:00
dyoung 5bbde3d775 Use IFNET_FOREACH() and IFADDR_FOREACH(). 2007-12-04 10:27:33 +00:00
christos 62edf45793 defflag IPSEC_DEBUG 2007-11-16 21:15:20 +00:00
adrianp aaf8e048ae The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.

Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@
2007-10-28 15:48:23 +00:00
ad a2a3828545 machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h 2007-10-19 11:59:34 +00:00
degroote cdb020058a Fix my previous stupid caddr_t fix. 2007-09-22 23:33:18 +00:00
ad 88ab7da936 Merge some of the less invasive changes from the vmlocking branch:
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
degroote a382db0aa9 Ansify
Remove useless extern
bzero -> memset, bcopy -> memcpy

No functionnal changes
2007-07-07 18:38:22 +00:00
degroote 4ddfe916ff Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
No objection on tech-net@
2007-06-27 20:38:32 +00:00
degroote 5f72dadbd4 Always compute the sp index even if we don't have any sp in spd. It will
let us to choose the right default policy (based on the adress family
requested).

While here, fix an error message
2007-05-08 14:07:42 +00:00
degroote 8ebbd6c4f6 Increase the refcount for the default ipv6 policy so nobody can reclaim it 2007-05-08 14:03:05 +00:00
degroote 6997fa5f35 Choose the good default policy, depending of the adress family of the
desired policy
2007-04-15 14:17:12 +00:00
degroote 20341ba8ef Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
to the sysctl kame interface.
2007-04-11 22:21:41 +00:00
degroote 68c3173bb4 When we construct an answer for SADB_X_SPDGET, don't use an hardcoded 0 for seq but
the seq used by the request. It will improve consistency with the answer of SADB_GET
request and helps some applications which relies both on seq and pid.

Reported by  Karl Knutsson by pr/36119.
2007-04-11 21:33:40 +00:00
degroote 2a2cd74d79 In spddelete2, if we can't find the sp by this id, return after sending an error message,
don't process the following code with the NULL sp.

Spotted by Matthew Grooms on freebsd-net ML
2007-04-11 21:19:35 +00:00
degroote 0c3809d098 Fix a memleak in key_spdget.
Problem was reported by Karl Knutsson by pr/36119.
2007-04-09 21:07:03 +00:00
degroote 0138b12722 Honor the ip4_ah_offsetmask bits (clear or not the ip->ip_off field for ah
processing).
2007-03-25 22:11:18 +00:00
degroote 46c420f11a Use ip4_ah_cleartos instead of ah_cleartos for consistency 2007-03-25 22:06:33 +00:00
degroote 40cf3d18fa Make an exact match when we are looking for a cached sp for an unconnected
socket. If we don't make an exact match, we may use a cached rule which
has lower priority than a rule that would otherwise have matched the
packet.

Code submitted by Karl Knutsson in PR/36051
2007-03-25 12:46:42 +00:00
degroote 507fd51bd3 Call key_checkspidup with spi in network bit order in order to make correct
comparaison with spi stored into the sadb.

Reported by Karl Knutsson in kern/36038 .
2007-03-21 22:38:34 +00:00
liamjfoy 142de6f17b Allow to build without INET6
Submitted by: Jukka Salmi
2007-03-09 00:40:39 +00:00