itojun
9c55bd3b1a
repair infinite loop in ipcomp packet generation. oops.
2000-09-21 06:08:26 +00:00
itojun
cb4931c8e7
repair cut-and-paste bug. from: francis dupont. sync with kame
2000-09-20 23:35:51 +00:00
itojun
d2c6420404
do not inject empty mbuf to zlib.
2000-09-20 23:35:16 +00:00
itojun
3ad679d8fd
call {de,in}flateEnd on failure, otherwise obsolete state will be kept.
2000-09-20 22:34:24 +00:00
itojun
ffb333a57c
plug mbuf leak (error case). need more investigation.
2000-09-20 21:43:52 +00:00
itojun
e485f6527e
pullup IPv6 and subsequent headers, on IPv6 IPsec transport mode input.
(not normally visited - we have switched to m_pulldown. just for completeness)
2000-09-18 22:18:00 +00:00
itojun
303fcdf765
repair blowfish-cbc. BF_encrypt() takes value in host byteorder, yuck!
(no effect to 1.5 branch)
2000-09-18 21:57:35 +00:00
itojun
691fdbb4f0
kame sys/netinet6/icmp6.c 1.140 -> 1.144
> in the check for the incoming redirect message, examine the gateway
> (from the routing table) only when the address family of the gateway is
> AF_INET6.
2000-09-16 10:12:22 +00:00
itojun
2192675fb1
move file static variable into auto variable, for better thread safety.
(not really required for big lock MP). sync with kame
2000-09-09 16:15:47 +00:00
itojun
f8481d085e
add attribute(packed).
From: Alfred Perlstein <bright@wintelcom.net>
2000-09-09 11:42:22 +00:00
itojun
dc23ec9971
add missing \n on log(). sync with kame
2000-08-31 07:35:44 +00:00
itojun
65fbdbe744
repair DES on LP64. past code did not interoperate with non-LP64, due to
incorrect computed results.
remove unnecessary #ifdef/#define. sync with kame.
2000-08-31 07:33:04 +00:00
itojun
58c93e23cf
LP64 fix (cast to u_long when printing size_t)
2000-08-30 14:58:33 +00:00
itojun
2af85c262b
improve code sharing for esp_schedule(). add some diagnostics cases
for esp_cbc_{en,de}crypt(). sync with kame.
2000-08-29 11:32:21 +00:00
itojun
6fe60cce5f
do not forward packets with unspecified source address (::).
this is clarification recently made to RFC2460. sync with kame.
2000-08-29 09:19:43 +00:00
itojun
bb8d535cc5
use per-block cipher function + esp_cbc_{de,en}crypt. do not use
cbc-over-mbuf functions in sys/crypto.
the change should make it much easier to switch crypto function to
machine-dependent ones (like assembly code under sys/arch/i386/crypto?).
also it should be much easier to import AES algorithms.
XXX: it looks that past blowfish-cbc code was buggy. i ran some test pattern,
and new blowfish-cbc code looks more correct. there's no interoperability
between the old code (before the commit) and the new code (after the commit).
XXX: need serious interop tests before move it into 1.5 branch
2000-08-29 09:08:42 +00:00
itojun
3da9705446
add a warning on IPv6 setsockopt number space (*BSD shares the number space
so consult KAME for number allocation)
2000-08-27 01:02:48 +00:00
itojun
152da24bd9
implement net.inet6.ip6.{anon,low}port{min,max} sysctl variable.
2000-08-26 11:03:45 +00:00
itojun
4d40179399
add missing IPNOPRIVPORTS case
2000-08-26 10:40:03 +00:00
thorpej
5bd1b19b29
Don't use MALLOC() for variable-sized allocations.
2000-08-25 21:22:16 +00:00
itojun
cabceaa265
- icmp6 nodeinfo: remove possibility of unaligned pointer access.
- jumbo payload output: fix incorrect mbuf manipulation
- pedant: align issues, mbuf assumption
(sync with kame)
2000-08-19 08:15:53 +00:00
itojun
e6efb27c84
add missing splx, when outgoing interface queue is full on tunnelled
ESP packet output. KAME PR 280.
2000-08-16 09:54:39 +00:00
thorpej
831a48fd0b
Make this compile without INET6 again.
2000-08-15 21:43:57 +00:00
itojun
54aeb79d4c
suppress warning (LOG_ERR -> LOG_DEBUG) which occurs in the following situation:
- manually configure an address from prefix P (like P::1)
- autoconfigure additional address from the same prefix P (like P::ifid).
- rtrequest fails due to P/plen already exists
more fundamental solution should appear later, when kame side stabilizes it.
from thorpej.
2000-08-13 23:45:22 +00:00
itojun
5e868d1e49
clarifications in icmp6 node query support.
XXX previous commit included "supported qtypes" icmp6 node query support.
sorry commit message was mistaken.
2000-08-03 16:30:37 +00:00
itojun
afa5315364
correct typo in #define. ICMP6_NI_SUCESS -> SUCCESS (notice missing C).
sync with kame.
2000-08-03 14:31:04 +00:00
itojun
6574aa66e8
inhibit error code from rtinit(). this happens when we try to assign
multiple addresses from same prefix, onto single interface. PR 10427.
more info:
- 4.4BSD did not check return code from in_ifinit() at all.
4.4BSD does not support multiple address from same prefix.
- past KAME change passed in{,6}_ifinit() to upwards, toward ifconfig(8).
the behavior is filed as PR 10427.
- the commit inhibits EEXIST from rtinit(), hence partially recovers old
4.4BSD behavior.
- the right thing to happen is to properly support multiple address assignment
from the same prefix. KAME tree has more extensive change, however, it needs
much more time to get stabilized (rtentry refcnt change can cause serious
issue, we really need to bake it before bring it to netbsd)
2000-08-02 15:03:02 +00:00
itojun
32ef6bb0e7
sync comment with reality
2000-07-30 05:30:37 +00:00
itojun
0036ac92be
clarify comment. from jhawk. sync with kame.
2000-07-30 04:33:34 +00:00
itojun
5e8b5a35e4
make ipsec_strerror(3) to return const char *, not char *. sync with kame.
2000-07-30 02:38:35 +00:00
itojun
63de4c2cb9
nuke the following sysctl variables. "ppsratelimit" should work better.
need to recompile sbin/sysctl after updating /usr/include.
net.inet.tcp.rstratelimit
net.inet.icmp.errratelimit
net.inet6.icmp6.errratelimit
2000-07-28 04:06:52 +00:00
itojun
73a29e35ff
do not forward packet with :: in the source.
this is not in the spec - we had rough consensus on it in ipngwg,
spec will get updated to include this behavior.
2000-07-27 15:53:51 +00:00
itojun
fec624be3f
wrap kernel function prototype by #ifdef _KERNEL.
2000-07-23 08:24:12 +00:00
itojun
411ff12b27
pre-compute and cache intermediate crypto key. suggestion from sommerfeld,
sync with kame.
loopback, blowfish-cbc transport mode, 128bit key
before: 86588496 bytes received in 00:42 (1.94 MB/s)
after: 86588496 bytes received in 00:31 (2.58 MB/s)
2000-07-23 05:23:04 +00:00
itojun
65d37eff7f
correct RFC2367 PF_KEY conformance (SADB_[AE]ALG_xx values and namespaces).
sync from kame.
WARNING: need recompilation of setkey(8) and pkgsrc/security/racoon.
(no ipsec-ready netbsd was released as official release)
2000-07-18 14:56:42 +00:00
itojun
5f09b77987
s/IPSEC_IPV6FWD/IPSEC/. this should correct strange behavior on ipv6
forwarding (even if policy asks for tunnel mode encryption, packets
go out in clear). sync with kame.
2000-07-16 07:57:55 +00:00
itojun
a2744a4cf8
do not pull sys/queue.h from netinet6/in6.h. PR10597.
some sync with kame.
2000-07-16 01:10:34 +00:00
itojun
20964b0c23
fatal bug fix from kame (rtentry refcnt goes negative if we play with IPv6
address/routing table too much).
in6_ifloop_request()
not to request rtrequest to return an rtentry except for the ADD
operation, in order to avoid misdecreasing the refcnt (which might
cause leak of rtentry)
2000-07-13 09:56:20 +00:00
itojun
f5211e847a
remove m_pulldown statistics code. it is highly experimental and belong
to kame tree only (not for *bsd).
2000-07-13 05:34:21 +00:00
itojun
d8a9a3cc7b
add ppsratelimit(9), which does event-per-sec rate limitation.
use it from icmp6 error rate limitation code.
XXX better name for the function?
2000-07-09 06:44:57 +00:00
itojun
ec67eee51f
sync with kame.
introduce in6_{recover,embed}scope, for in-kernel scoped-address manipulation.
improve in6_pcbnotify.
2000-07-07 15:54:16 +00:00
christos
2068dee670
elide lint cast type conversion warnings.
2000-07-06 17:42:55 +00:00
itojun
210a3e2f80
remove unnecessary #include <netkey/key_debug.h>. from kame.
2000-07-06 12:51:39 +00:00
itojun
0a1e211454
- do not use bitfield for router renumbering header.
- add protection mechanism against ND cache corruption due to bad NUD hints.
- more stats
- icmp6 pps limitation. TODO: should implement ppsratecheck(9).
2000-07-06 12:36:18 +00:00
itojun
6fff122160
drop packet to tentative/duplicated interface address earlier. sync w/kame
2000-07-02 09:56:39 +00:00
itojun
8ff902fca1
repair kernel faithd(8) support. there were two mistakes:
(1) tcp6_input dropped packets for translation
(2) in6_pcblookup_connect was too strict
2000-07-02 08:04:10 +00:00
itojun
3ade27131a
suppress too noisy warning on forward-over-loopback case. from kame
2000-06-30 19:46:05 +00:00
mrg
cf594a3f4d
<vm/vm.h> -> <uvm/uvm_extern.h>
2000-06-28 03:01:16 +00:00
kleink
d2787dad27
XNS5.2: define sa_family_t and use it where specified by the standard.
2000-06-26 15:48:19 +00:00
itojun
278184a8ab
avoid possible mbuf leaks on ipsec policy violation.(sync with kame)
2000-06-20 02:24:42 +00:00