knakahara
683fe570e3
ipsec_getpolicybysock() should also call key_havesp() like ipsec_getpolicybyaddr().
That can reduce KEYDEBUG messages.
2019-08-07 10:10:00 +00:00
maxv
e201bd44dc
Fix uninitialized variable: in ipsec_checkpcbcache(), spidx.dir is not
initialized, and the padding of the spidx structure is not initialized
either. This causes the memcmp() to wrongfully fail.
Change ipsec_setspidx() to always initialize spidx.dir and zero out the
padding.
ok ozaki-r@
2019-07-09 16:56:24 +00:00
pgoyette
d91f98a871
Merge the [pgoyette-compat] branch
2019-01-27 02:08:33 +00:00
knakahara
890dda538a
Support IPv6 NAT-T. Implemented by hsuenaga@IIJ and ohishi@IIJ.
Add ATF later.
2018-11-22 04:48:34 +00:00
maxv
74fced2cf1
Localify one function, and switch to C99 types while here.
2018-10-27 05:42:23 +00:00
maxv
3574e9908d
Rename
ip_undefer_csum -> in_undefer_cksum
in_delayed_cksum -> in_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in_offload.c. Add comments to explain what
we're doing.
The same could be done for IPv6.
2018-07-11 05:25:45 +00:00
maxv
00ff305a9c
Merge ipsec4_input and ipsec6_input into ipsec_ip_input. Make the argument
a bool for clarity. Optimize the function: if M_CANFASTFWD is not there
(because already removed by the firewall) leave now.
Makes it easier to see that M_CANFASTFWD is not removed on IPv6.
2018-05-14 17:34:26 +00:00
maxv
59275f7378
Replace dumb code by M_VERIFY_PACKET. In fact, perhaps we should not even
call M_VERIFY_PACKET here, there is no particular reason for this place to
be more wrong than the rest.
2018-05-10 05:15:14 +00:00
maxv
f813c44d31
Rename ipsec4_forward -> ipsec_mtu, and switch to void.
2018-05-10 05:08:53 +00:00
maxv
d920327205
Remove unused and misleading argument from ipsec_set_policy.
2018-04-29 11:51:08 +00:00
maxv
68df48a8f0
Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.
2018-04-28 15:45:16 +00:00
maxv
19f9cae6f8
Stop using a macro, rename the function to ipsec_init_pcbpolicy directly.
2018-04-28 14:21:03 +00:00
maxv
6f320ea66c
Style and remove unused stuff.
2018-04-28 14:01:50 +00:00
maxv
e2c8a66404
Remove extra long file paths from the headers.
2018-04-19 08:27:38 +00:00
maxv
4fbb7668fe
Remove dead code.
ok ozaki-r@
2018-04-18 06:57:39 +00:00
maxv
55d4a29846
Add XXX. If this code really does something, it should use MCHTYPE.
2018-04-17 17:47:05 +00:00
maxv
25be83d544
Style, add XXX (about the mtu that goes negative), and remove #ifdef inet.
2018-04-17 17:40:38 +00:00
maxv
d40270d9c9
Remove ipsec_copy_policy and ipsec_copy_pcbpolicy. No functional change,
since we used only ipsec_copy_pcbpolicy, and it was a no-op.
Originally we were using ipsec_copy_policy to optimize the IPsec-PCB
cache: when an ACK was received in response to a SYN, we used to copy the
SP cached in the SYN's PCB into the ACK's PCB, so that
ipsec_getpolicybysock could use the cached SP instead of requerying it.
Then we switched to ipsec_copy_pcbpolicy which has always been a no-op. As
a result the SP cached in the SYN was/is not copied in the ACK, and the
first call to ipsec_getpolicybysock had to query the SP and cache it
itself. It's not totally clear to me why this change was made.
But it has been this way for years, and after a conversation with Ryota
Ozaki it turns out the optimization is not valid anymore due to
MP-ification, so it won't be re-enabled.
ok ozaki-r@
2018-04-03 09:03:59 +00:00
maxv
65b46b60ed
typo in comments
2018-03-31 19:27:14 +00:00
maxv
52489f2bdd
Reduce the diff between ipsec4_output and ipsec6_check_policy. While here
style.
2018-03-03 09:54:55 +00:00
maxv
d219e3b4ad
Dedup.
2018-03-03 09:47:01 +00:00
maxv
f3215192fd
add missing static
2018-02-28 11:29:14 +00:00
maxv
247966d592
Dedup: merge ipsec4_setspidx_inpcb and ipsec6_setspidx_in6pcb.
2018-02-28 10:16:19 +00:00
maxv
f931621816
ipsec6_setspidx_in6pcb: call ipsec_setspidx() only once, just like the
IPv4 code. While here put the correct variable in sizeof.
ok ozaki-r@
2018-02-28 10:09:17 +00:00
maxv
faad9849ec
Dedup: merge ipsec4_set_policy and ipsec6_set_policy. The content of the
original ipsec_set_policy function is inlined into the new one.
2018-02-27 15:01:30 +00:00
maxv
6fd7a9a762
Remove duplicate checks, and no need to initialize 'newsp' in
ipsec_set_policy.
2018-02-27 14:52:51 +00:00
maxv
580ac4be42
Dedup: merge
ipsec4_get_policy and ipsec6_get_policy
ipsec4_delete_pcbpolicy and ipsec6_delete_pcbpolicy
The already-existing ipsec_get_policy() function is inlined in the new
one.
2018-02-27 14:44:10 +00:00
maxv
be32dea43c
Use inpcb_hdr to reduce the diff between
ipsec4_set_policy and ipsec6_set_policy
ipsec4_get_policy and ipsec6_get_policy
ipsec4_delete_pcbpolicy and ipsec6_delete_pcbpolicy
No real functional change.
2018-02-27 13:36:21 +00:00
maxv
215e1b4181
Optimize: use ipsec_sp_hdrsiz instead of ipsec_hdrsiz, not to re-query
the SP.
ok ozaki-r@
2018-02-27 08:05:19 +00:00
maxv
0695fe90b1
Dedup: call ipsec_in_reject directly. IPSEC_STAT_IN_POLVIO also gets
increased now.
2018-02-26 10:36:24 +00:00
maxv
768c43840b
Reduce the diff between ipsec6_input and ipsec4_input.
2018-02-26 10:19:13 +00:00
maxv
b39a0dd1f8
Dedup: merge ipsec4_in_reject and ipsec6_in_reject into ipsec_in_reject.
While here fix misleading comment.
ok ozaki-r@
2018-02-26 09:04:29 +00:00
maxv
c3c5f13028
Dedup: merge ipsec4_hdrsiz and ipsec6_hdrsiz into ipsec_hdrsiz.
ok ozaki-r@
2018-02-26 08:50:25 +00:00
maxv
2953bb2565
Dedup: merge ipsec4_checkpolicy and ipsec6_checkpolicy into
ipsec_checkpolicy.
ok ozaki-r@
2018-02-26 08:42:16 +00:00
maxv
8a440faae1
Fix nonsensical checks, neither in6p nor request is allowed to be NULL,
and the former is already dereferenced in a kassert. This code should be
the same as ipsec4_set_policy.
2018-02-26 06:48:01 +00:00
maxv
16a6b57077
Merge some minor (mostly stylistic) changes from last week.
2018-02-26 06:17:01 +00:00
maxv
b9badffce8
Fix ipsec4_get_ulp(). We should do "goto done" instead of "return",
otherwise the port fields of spidx are uninitialized.
ok mlelstv@
2018-02-21 16:42:33 +00:00
maxv
8df55a522b
Use inpcb_hdr to reduce the diff between:
ipsec4_hdrsiz and ipsec6_hdrsiz
ipsec4_in_reject and ipsec6_in_reject
ipsec4_checkpolicy and ipsec4_checkpolicy
The members of these couples are now identical, and could be merged,
giving only three functions instead of six...
2018-02-21 16:38:15 +00:00
maxv
af69f63988
Rename:
ipsec_in_reject -> ipsec_sp_reject
ipsec_hdrsiz -> ipsec_sp_hdrsiz
localify the former, and do some cleanup while here.
2018-02-21 16:18:52 +00:00
maxv
22e66c740d
Style, remove unused and misleading macros and comments, localify, and
reduce the diff between similar functions. No functional change.
2018-02-16 15:18:41 +00:00
maxv
2603d1d6e8
Fix inverted logic, otherwise the kernel crashes when receiving a 1-byte
AH packet. Triggerable before authentication when IPsec and forwarding
are both enabled.
2018-02-16 11:25:16 +00:00
maxv
9a3c5d51fb
Style a bit, no functional change.
2018-02-16 11:07:44 +00:00
maxv
e7ef501d6b
Remove some more FreeBSD sysctl declarations that already have NetBSD
counterparts. Discussed with ozaki-r@.
2018-02-16 09:07:50 +00:00
maxv
85384b6c32
Remove ipsec_replay and ipsec_integrity from this place, they are already
declared as sysctls. Discussed with ozaki-r@.
2018-02-16 08:56:50 +00:00
maxv
2ff2bfdeb3
Remove ip4_esp_randpad and ip6_esp_randpad, unused. Discussed with
ozaki-r@.
2018-02-16 08:51:28 +00:00
maxv
5104ba25f8
Remove unused net_osdep.h include.
2018-02-08 20:57:41 +00:00
ozaki-r
625a03500b
Fix late NULL-checking (CID 1427782: Null pointer dereferences (REVERSE_INULL))
2018-01-23 02:17:32 +00:00
ozaki-r
8cbaa241ed
Use M_WAITOK to allocate mbufs wherever sleepable
Further changes will get rid of unnecessary NULL checks then.
2017-11-21 07:03:08 +00:00
ozaki-r
a05a27d7e6
Fix buffer length for ipsec_logsastr
2017-10-17 07:23:08 +00:00
ozaki-r
13270c3990
Don't abuse key_checkrequest just for looking up sav
It does more than expected for example key_acquire.
2017-10-03 08:25:21 +00:00