Commit Graph

73 Commits

Author SHA1 Message Date
itojun
11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun
52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
itojun
c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
darrenr
9787457fbe bring a small amount of code out of an if() statement that was doing
the same thing for both cases.
2003-05-10 13:23:07 +00:00
itojun
40606ab8f2 switch from kame-based m_aux mbuf auxiliary data, to openbsd m_tag
implementation.  it will simplify porting across *bsd (such as kame/altq),
and make us more synchronized.  from Joel Wilsson
2003-01-17 08:11:49 +00:00
provos
0f09ed48a5 remove trailing \n in panic(). approved perry. 2002-09-27 15:35:29 +00:00
itojun
9401012487 KNF - return is not a function. sync w/kame. 2002-09-11 02:46:42 +00:00
itojun
6dedde045a correct signedness mixup in pointer passing. sync w/kame 2002-09-11 02:41:19 +00:00
itojun
c00fa8dfd9 avoid swapping endian of ip_len and ip_off on mbuf, to meet with M_LEADINGSPACE
optimization made last year.  should solve PR 17867 and 10195.

IP_HDRINCL behavior of raw ip socket is kept unchanged.  we may want to
provide IP_HDRINCL variant that does not swap endian.
2002-08-14 00:23:27 +00:00
itojun
af8ad017f7 typo. From: Arto Selonen <arto@selonen.org>, sync w/kame 2002-08-01 05:17:47 +00:00
wiz
e00173a7f2 Spell 'should' correctly. 2002-07-18 11:59:06 +00:00
itojun
d7006267f3 reduce kernel stack usage by separating struct secasindex. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-27 12:12:49 +00:00
itojun
61f28217c4 move sanity check upwards. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-22 12:27:09 +00:00
itojun
cfb9a4a799 avoid listening socket from mistakenly use incorrect cached policy.
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>  sync w/kame
2002-06-22 12:04:07 +00:00
itojun
69d65da8c6 sizeof mistake in DIAGNOSTIC path. sync w/kame
From: YAMAMOTO Takashi <yamt@mwd.biglobe.ne.jp>
2002-06-21 23:15:35 +00:00
itojun
3033187db0 previous commit cached pcb policy too much (when pcb points to
SPD entry that is not ipsec - like "none").  back it out.  sync w/kame
2002-06-16 16:28:36 +00:00
itojun
c1808f02bf cache pcb policy as much as possible. in fact, if policy is not
IPSEC_POLICY_IPSEC we don't need to compare spidx.  sync w/kame
2002-06-14 14:47:24 +00:00
itojun
813344bfbe remove redundant line 2002-06-14 14:17:55 +00:00
itojun
a8dde3fa57 free secpolicy on deepcopy failure 2002-06-13 05:10:13 +00:00
itojun
dc96111483 deep-copy pcb policy if it is an ipsec policy. assign ID field to all
SPD entries.  make it possible for racoon to grab SPD entry on pcb
(racoon side needs some changes).  sync w/kame
2002-06-12 17:56:45 +00:00
itojun
3489976392 do not copy policy-on-socket at all. avoid copying packet header value to
struct spindex.  should reduce memory usage per socket/pcb, and should speedup
ipsec processing.  sync w/kame
2002-06-12 01:47:34 +00:00
itojun
fa53d749ff share policy-on-pcb for listening socket. sync w/kame
todo: share even more, avoid frequent updates of spidx
2002-06-11 19:39:59 +00:00
itojun
2533e1f81f avoid variable name confusion. sync w/kame 2002-06-11 17:26:52 +00:00
itojun
b05ff066a7 whitespace cleanup 2002-06-09 14:43:10 +00:00
itojun
fc5800e3fd whitespace cleanup 2002-06-08 20:06:44 +00:00
itojun
e3c4951b26 re-enable ipsec policy caching onto pcb. refcnt fix and workarounds based on ymmt-san. 2002-05-25 10:01:01 +00:00
itojun
d2fd814987 in sp caching code, check if sp is still alive. sync w/kame 2002-05-19 00:46:40 +00:00
itojun
861dfdc294 disable ipsec policy caching on pcb, as it seems that there's some reference-
counting mistake that causes panic - see PR 15953 and 13813.

i am unable to find the real cause of problem, so it is a shortterm workaround,
hopefully.
2002-05-10 05:49:21 +00:00
itojun
d7669537a8 remove unneeded #ifdef __FreeBSD__ portion. 2002-05-10 05:38:29 +00:00
thorpej
dc12059c9e Use M_READONLY() rather than testing to see if ext_free is set
or MCLISREFERENCED().
2002-04-28 00:54:41 +00:00
itojun
c23ea6c341 update outgoing ifp, only if tunnel mode ipsec is used. this is to
honor IP_MULTICAST_IF setsockopt on ipsec-over-multicast.  sync with kame
2001-11-21 06:28:08 +00:00
lukem
4f2ad95259 add RCSIDs 2001-11-13 00:56:55 +00:00
simonb
5f717f7c33 Don't need to include <uvm/uvm_extern.h> just to include <sys/sysctl.h>
anymore.
2001-10-29 07:02:30 +00:00
itojun
7dcf45fbd8 more whitespace/comment sync with kame 2001-10-16 06:24:44 +00:00
wiz
456dff6cb8 Spell 'occurred' with two 'r's. 2001-09-16 16:34:23 +00:00
itojun
bf45c09959 fix SA lookup when IPsec transport mode and tunnel mode over IPv6 is used
at the same time.  sync with kame
(like "IP AH ESP IP", policy = "esp/tunnel/a-b/use ah/transport//use")
2001-09-13 06:30:57 +00:00
itojun
57030e2f12 cache IPsec policy on in6?pcb. most of the lookup operations can be bypassed,
especially when it is a connected SOCK_STREAM in6?pcb.  sync with kame.
2001-08-06 10:25:00 +00:00
itojun
e3d077542f cosmetic (spacing near /* */). sync with kame 2001-08-05 22:20:44 +00:00
itojun
5e920039c6 have ovbcopy() macro, for cross-BSD compatibility only. 2001-07-07 14:45:46 +00:00
itojun
d1b6307b88 do not copy TTL field on ipsec tunnel mode encapsulation. sync with kame 2001-04-15 01:55:49 +00:00
itojun
179a7e0d7b send up dst_unreach_admin error to local node, if transport-mode
ipsec key is not found.  rather experimental.  kame 1.83 -> 1.84

nuke IPSEC_SRCSEL which does not do the right thing.
adjust state->ro if the tunnel endpoint is offlink.  KAME PR 233.
kame 1.84 -> 1.85
2001-02-08 15:04:26 +00:00
itojun
617b3fab7e - record IPsec packet history into m_aux structure.
- let ipfilter look at wire-format packet only (not the decapsulated ones),
  so that VPN setting can work with NAT/ipfilter settings.
sync with kame.

TODO: use header history for stricter inbound validation
2001-01-24 09:04:15 +00:00
itojun
970a75f808 fix KAME PR 296 again, for transport-mode SA only
(shortterm workaround - need revisit for ANY SA)
2000-11-10 01:10:36 +00:00
itojun
8c411160ec backout KAME PR 296. "any" mode SA should be able to be used for tunnel mode. 2000-11-09 17:36:11 +00:00
itojun
47bce75f00 check IPsec SA type (tunnel/transport/any) when we try to decapsulate IPsec
tunnel mode packet.  decapsulate only if we got a tunnel mode SA.
KAME PR 296.
2000-11-06 00:58:34 +00:00
itojun
dcfe05e7c1 fix compilation without INET. fix confusion between ipsecstat and ipsec6stat.
sync with kame.
2000-10-02 03:55:41 +00:00
itojun
2c8b266751 make ip6_ext available for non-IPv6 compilation
(needed for header chain parsing).  (redo of 1.25 -> 1.26)
2000-09-25 15:00:08 +00:00
martin
4e675359ad Make kernels with IPSec but without IPv6 compile again.
This may break IPPROTO_AH - someone with a clue should double-check
this, please.
2000-09-25 12:35:53 +00:00
itojun
aa5339554d cleanup ipsec policy lookup. specifically, repair the following cases:
- use of IPv4 mapped address on outbound socket
- explicit port numbers via sendto().
	old code grabbed port number from inpcb/in6pcb.
in the above case, old code failed to lookup ipsec policy (oops).
sync with kame.
2000-09-22 05:49:46 +00:00
mrg
cf594a3f4d <vm/vm.h> -> <uvm/uvm_extern.h> 2000-06-28 03:01:16 +00:00