Commit Graph

1022 Commits

Author SHA1 Message Date
drochner
dc86361844 remove the unused in6_ifindex2scopeid()
if at all, it works with site-local addresses whose fate is uncertain
to say the least
2005-02-01 15:29:23 +00:00
drochner
5d0cfbc9bd sin6_scope_id maps to interface indices for link local addresses only!
(unlikely to be used with other scopes for now, but we should be
correct anyway)
2005-02-01 14:56:17 +00:00
matt
d341be30f4 Change initialize of domains to use link sets. Switch to using STAILQ.
Add a convenience macro DOMAIN_FOREACH to iterate through the domain.
2005-01-23 18:41:56 +00:00
itojun
57fd095fdf shouldn't check code field on "packet too big" icmp6 message. 2005-01-17 10:16:07 +00:00
drochner
e5653b8213 remove a redundant check for ifindex2ifnet[idx] != 0 2004-12-21 11:40:12 +00:00
drochner
f44d9a5791 fix ifindex argument checks for IPV6_JOIN_GROUP,
IPV6_LEAVE_GROUP and IPV6_MULTICAST_IF -
0 is always legal
2004-12-21 11:37:47 +00:00
thorpej
7994b6f95e Don't perform checksums on loopback interfaces. They can be reenabled with
the net.inet.*.do_loopback_cksum sysctl.

Approved by: groo
2004-12-15 04:25:19 +00:00
peter
396b87b8c2 Convert lo(4) to a clonable device.
This also removes the loif array and changes all code to use the new
lo0ifp pointer which points to the lo0 ifnet structure.

Approved by christos.
2004-12-04 16:10:25 +00:00
christos
694d5b6a91 We don't need to include bpfilter.h 2004-11-28 02:37:38 +00:00
itojun
5bcaef8e92 wrong paren. Patrick Latifi 2004-11-17 03:20:53 +00:00
itojun
bc559f51c6 remove extra code mistakenly committed 2004-10-27 23:16:56 +00:00
itojun
70fc307de9 missing break; Emmanuel Dreyfus 2004-10-27 22:26:50 +00:00
itojun
5e3841214f no need to call defrouter_select() here any more; jinmei 2004-10-26 07:03:29 +00:00
itojun
830e5a5fbf more cleanup on onlink assumption; jinmei 2004-10-26 06:54:53 +00:00
itojun
b5f3688c67 remove onlink assumption behavior (consider destination on-link if default
router list is empty) based on recent IETF ipv6 discussion (RFC2461 5.2).

fix "ndp -I delete".
2004-10-26 06:08:00 +00:00
itojun
75259d166c ip6_flow_seq is no longer available. 2004-10-18 01:43:43 +00:00
yamt
056303b850 rip6_output: redo raw_ip6.c 1.67-1.67, using m_copyback_cow. 2004-09-06 10:05:14 +00:00
manu
6e3c639957 IPv4 PIM support, based on a submission from Pavlin Radoslavov posted on
tech-net@
2004-09-04 23:29:44 +00:00
yamt
39dd3d0c5d run PFIL_IFADDR hooks on SIOCAIFADDR_IN6 and SIOCDIFADDR_IN6 as well.
from Peter Postma, PR/26368.
ok'ed by itojun.
2004-07-26 13:44:35 +00:00
yamt
e08729e055 rip6_output: redo the previous (raw_ip6.c 1.66)
with less assumptions about alignment.
2004-07-23 09:53:10 +00:00
yamt
540e6d4640 rip6_output: make sure that the mbuf is writable
before writing a checksum into it.
otherwise "ping6 -s50000" causes a panic.

ok'ed by itojun.
2004-07-22 05:26:46 +00:00
itojun
3f35f96f9a prevent mbuf leak on IPsec tunnel mode. from iij seil team 2004-07-16 01:12:02 +00:00
itojun
8da378abea - update ro_pmtu on IPsec tunnel encapsulation. ro != ro_pmtu is used as the
sign for the existence of routing header.
- fragment to 1280 on IPv6-over-IPv6 encapsulation, as ICMPv6 too big may not
  give you enough information to update pmtu cache.

from iij seil team, via kame.
2004-07-14 03:06:08 +00:00
minoura
c3ed038115 Remove broken code for now: getsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY,...).
It returned EINVAL, now returns ENOPROTOOPT.
Ok'd by itojun.
2004-07-06 04:30:27 +00:00
drochner
05da173d52 abstain from typecasting the LHS of an assignment;
gcc-3.4.x doesn't like it
2004-06-24 16:49:51 +00:00
itojun
b791f5f740 error could be left uninitialized when we jump into "senderr" 2004-06-24 15:01:51 +00:00
itojun
0f18c4c945 multicast data management fix - previous fix was incorrect. jinmei@kame 2004-06-16 03:17:26 +00:00
itojun
ec7ac551be insufficient paren in macro def. Patrick Latifi 2004-06-16 02:36:37 +00:00
itojun
2e60f85658 use macro and make it a bit more readable. 2004-06-14 08:07:29 +00:00
itojun
4d7b9596f6 check before joining multicast group. otherwise multiple in6_multi structure
will be kept.  reported by patrick latifi
2004-06-14 07:54:45 +00:00
itojun
501233726d implement IPV6_USE_MIN_MTU sockopt. needed by bind9 + EDNS0 + big receive buffer. 2004-06-11 04:10:10 +00:00
itojun
56e182b708 there's no use to check privs on curproc in the input path. jinmei@kame 2004-06-01 03:13:22 +00:00
atatat
4de3747b89 Sysctl descriptions under net subtree (net.key not done) 2004-05-25 04:33:59 +00:00
itojun
32e4b55076 do not loop on nd6_output() when transmission fails. from kame 2004-05-19 17:45:05 +00:00
jonathan
f7abb16323 Fix per-PCB IPsec policy cache for FAST_IPSEC:
The sys/netipsec policy-cache (added by Jason Thorpe as a rewrite of
the KAME per-PCB policy cache) assumes that policy-cacheable PCBs
always have a non-NULL inph_sp in the common PCB header.  So we must
do all the per-PCB policy cache calls when either (KAME) IPSEC, or
FAST_IPSEC is defined.  ``Make it so''.

We can now support non-IPsec'ed IPv6 traffic, when both
``options FAST_IPSEC'' and ``options INET6'' are configured.
2004-04-26 01:53:59 +00:00
simonb
b5d0e6bf06 Initialise (most) pools from a link set instead of explicit calls
to pool_init.  Untouched pools are ones that are either in arch-specific
code, or aren't initialised during initial system startup.

 Convert struct session, ucred and lockf to pools.
2004-04-25 16:42:40 +00:00
itojun
cb0651e44a correct parameter to in6_cksum. keiichi@kame 2004-04-22 17:58:59 +00:00
matt
e50668c7fa Constify protosw arrays. This can reduce the kernel .data section by
over 4K (if all the network protocols) are loaded.
2004-04-22 01:01:40 +00:00
itojun
5da9234d88 remove duplicated #include. PR 25234 2004-04-20 17:12:03 +00:00
atatat
83b193a052 Make these compile without INET. tcp_input probably needs a lot more
work...
2004-03-29 04:59:02 +00:00
christos
d6939c86f1 no need for splsoftnet, because the caller does it already. 2004-03-28 08:28:50 +00:00
christos
03766c2d10 PR/23335: Christos Zoulas: Removing interfaces trashes free memory when
ipv6 is used because multicast group memberships contain dangling references
to the multicast group deleted.
2004-03-28 08:28:06 +00:00
itojun
e050c8a03d do not touch m->m_pkthdr.rcvif after m becomes invalid. Patrick Latifi 2004-03-26 03:35:02 +00:00
atatat
19af35fd0d Tango on sysctl_createv() and flags. The flags have all been renamed,
and sysctl_createv() now uses more arguments.
2004-03-24 15:34:46 +00:00
martti
c3f78782b9 Make ip6_getpmtu() globally visible. This is needed by IPFilter 4.x. 2004-03-23 18:21:38 +00:00
itojun
3811eef49d typo 2004-03-23 05:31:54 +00:00
itojun
721292cf12 constify AH algorithm function table. suggested by robert watson 2004-03-10 03:45:04 +00:00
thorpej
2803ff0955 Use the new IPSEC_PCB_SKIP_IPSEC() to bypass a socket policy lookup
when possible.  This shaves several cycles from the output path for
non-IPsec connections, even if the policy is cached in the PCB.
2004-03-02 02:28:28 +00:00
thorpej
db4fcd885b Augment the PCB cache with a "hint" that can be used to short-circuit
IPsec processing in other places.  The hint has 3 values: MAYBE, YES,
and NO.  Hints are initialized to MAYBE, and MAYBE is always used for
unconnected sockets (since the spidx may change for every packet
that is output).  For connected sockets, NONE and BYPASS policies cause
the hint to be set to NO, and all other policies to YES.

Also shuffle the PCB cache data structure, turning 3 arrays into a
single array of a struct.
2004-03-02 02:17:38 +00:00
itojun
581091043b knf 2004-03-01 22:32:35 +00:00
wiz
f05e6f1a3a occured -> occurred. From Peter Postma. 2004-02-24 15:12:51 +00:00
itojun
aaa4bd9a6c avoid out-of-bound memory access if len == 128.
from Ted Unangst via Colin Percival
2004-02-23 05:01:04 +00:00
wiz
d20841bb64 Uppercase CPU, plural is CPUs. 2004-02-13 11:36:08 +00:00
itojun
d93f7028c1 we have IFT_BRIDGE already, no need for #ifdef 2004-02-11 20:51:24 +00:00
christos
bcdf1b194a We don't have IFT_{PFLOG,PFSYNC} (yet). 2004-02-11 17:36:33 +00:00
itojun
abd93ec67b minor KNF 2004-02-11 10:54:29 +00:00
itojun
5d3b18b4a4 KNF 2004-02-11 10:47:28 +00:00
itojun
57cbd26e09 missing bzero 2004-02-11 10:42:24 +00:00
itojun
6c8714a95e avoid ugly typecast 2004-02-11 10:37:33 +00:00
itojun
e2d302c40d reduce useless variables 2004-02-10 20:57:20 +00:00
itojun
c5cb8d59c0 remove unneeded #ifdef 2004-02-06 08:07:55 +00:00
tron
d23ecc0dca Remove outdated prototype for ip6_getpmtu(). The function has a different
signature now and is statically declared in "ip6_output.c".
2004-02-04 10:31:27 +00:00
itojun
70e51fdcf0 strictly follow RFC2460 section 5 last paragraph
(sending rule when PMTU < 1280).  pointed out by guninski at guninski.com
2004-02-04 05:17:28 +00:00
darrenr
5915fd3874 make ip6_getpmtu() externally visible 2004-01-24 13:02:41 +00:00
itojun
092e41da38 do not lookup security policy if IPV6_FORWARDING.
avoids possible infinite ipsec encapsulation on
        ip6_input -> ip6_forward -(tunnel mode)-> ip6_output
case.  from kame
2004-01-19 05:14:58 +00:00
itojun
cdaa27b23a when ipsec tunnel mode is applied, we are originating packet (instead of
forwarding).  go to ip6_output() path for fragmentation and other processing.
from kame
2004-01-16 05:12:08 +00:00
itojun
8dcc7f31aa typo.
http://sources.zabbadoz.net/freebsd/patchset/108-ipsec-spelling.diff
2004-01-13 23:02:00 +00:00
itojun
1101ef17d0 plug memory leak on failure.
http://sources.zabbadoz.net/freebsd/patchset/109-ipsec-memleak.diff
2004-01-13 23:01:08 +00:00
itojun
3ffdb9507a avoid deref-after-free.
http://sources.zabbadoz.net/freebsd/patchset/106-ipsec-pcb-discon.diff
2004-01-13 06:17:14 +00:00
wiz
d46bc94200 Niels Provos kindly agreed to drop clauses 3 and 4 from the
license -- thanks.
Based on OpenBSD commit and hints by itojun.
2003-12-26 19:04:55 +00:00
lha
2b1cb68e2f Fix ICMPV6CTL_ND6_[DP]RLIST, they broke with new sysctl.
Makes ndp -r/ndp -p work again, patch from atatat
2003-12-17 18:49:38 +00:00
itojun
d8ac1c6007 fix cases where pktinfo specifies outgoing interface of "0". 2003-12-10 22:35:35 +00:00
itojun
aa8a6718f0 use if_indexlim (instead of if_index) and ifindex2ifnet[x] != NULL
to check if interface exists, as (1) if_index has different meaning
(2) ifindex2ifnet could become NULL when interface gets destroyed,
since when we have introduced dynamically-created interfaces.  from kame
2003-12-10 11:46:33 +00:00
itojun
561720b19b validate set/getsockopt arg more strictly. with previous code privileged
user can cause kernel crash.
2003-12-10 09:28:38 +00:00
itojun
c81f32fe6c comment from niels provos;
- seed2 is necessary, but use it as "seed2 + x" not "seed2 ^ x".
- skipping number is not needed, so disable it for 16bit generator (makes
  the repetition period to 30000)
2003-12-10 05:22:18 +00:00
atatat
13f8d2ce5f Dynamic sysctl.
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al.  Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.

Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded.  Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.

All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.

PS - I'm sorry, but there's a distinct lack of documentation at the
moment.  I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
keihan
b8702f530b netbsd.org -> NetBSD.org
This was the last commit of this kind to src/sys, which is now totally
"NetBSD.org clean".  Thanks for the patience, and sorry for all the commits.
2003-12-04 13:57:30 +00:00
itojun
0864b4939d "seed2" was ruining non-repeating property, so remove it. discussed on tech-net 2003-11-25 18:13:55 +00:00
jonathan
995c532c33 Revert the (default) ip_id algorithm to the pre-randomid algorithm,
due to demonstrated low-period repeated IDs from the randomized IP_id
code.  Consensus is that the low-period repetition (much less than
2^15) is not suitable for general-purpose use.

Allocators of new IPv4 IDs should now call the function ip_newid().
Randomized IP_ids is now a config-time option, "options RANDOM_IP_ID".
ip_newid() can use ip_random-id()_IP_ID if and only if configured
with RANDOM_IP_ID. A sysctl knob should be  provided.

This API may be reworked in the near future to support linear ip_id
counters per (src,dst) IP-address pair.
2003-11-17 21:34:27 +00:00
itojun
3107b5dcc0 implement net.inet6.ifq 2003-11-12 15:25:19 +00:00
itojun
ae3e6f6041 correct behavior when ipv6mr_interface is 0. Matthias Drochner 2003-11-06 06:10:51 +00:00
itojun
60dac07656 use hash table for in6_pcbbind(). similar to in_pcb 1.89 -> 1.90 2003-11-05 01:20:56 +00:00
briggs
07a0e27c44 Revert the change in default value of ipv6_v6only. Further discussion
on this topic is required.  It should be reintroduced and pursued in
the IETF.
2003-11-03 15:12:06 +00:00
simonb
a2facef339 Remove some assigned-to but otherwise unused variables. 2003-10-30 01:43:08 +00:00
mycroft
2dde0746b6 Do a jump optimization that eliminates some uninitialized variable warnings. 2003-10-29 10:12:43 +00:00
briggs
5a770ba2d8 Toggle the default value of ip6_v6only. Also provide a sample sysctl to
retain the existing behavior.
2003-10-28 06:31:28 +00:00
christos
59f2aab1ed fix uninitialized variables 2003-10-25 08:26:14 +00:00
itojun
ba71e93c60 backout previous (ENETREST special handling) 2003-10-15 22:55:34 +00:00
itojun
90d92fe2d9 ignore ENETRESET on ADDMULTI 2003-10-15 22:16:35 +00:00
itojun
018cb094b4 ignore ENETRESET on ADDMULTI. 2003-10-15 22:15:25 +00:00
itojun
a8d71f892f define struct prf_ra outside of in6_prflags, to be c++ friendly. sync w/kame 2003-10-15 01:28:28 +00:00
itojun
40e6b63c60 fix endian bug in fragment header scanning. 2003-10-14 05:33:04 +00:00
itojun
b5b2092bce no need to clear mbuf flags here; sync w/kame 2003-10-03 22:08:26 +00:00
itojun
98d5598feb when dropping M_PKTHDR, need to free m_tag associated with it. 2003-10-03 20:56:11 +00:00
itojun
96fda496da use in6_{embed,recover}scope for scoped address manipulation 2003-10-03 08:46:15 +00:00
itojun
140276fde1 shouldn't check scope match when encapsulating packet into tunnel mode.
iij seil team
2003-10-03 04:30:31 +00:00
itojun
d451ef2606 do not deref state.ro if it is NULL 2003-10-02 19:32:41 +00:00
itojun
d83af104d4 correctly look at outer IPv6 header when forwarding packet into ipsec tunnel.
iij seil team
2003-10-02 12:13:44 +00:00
itojun
364f2d9e12 permit tunnel mode over link-local address. (outer header is link-local)
iij seil team
2003-10-02 10:01:11 +00:00
itojun
8184c3658f handle link-local address in ipsec6_tunnel_validate(). from iij seil team 2003-10-02 07:19:37 +00:00
christos
36b4e0b6e7 Fix off-by-one in PRC_NCMDS check. From FreeBSD via OpenBSD 2003-09-30 00:01:18 +00:00
mycroft
ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
wiz
cff5e477ad Process has only one c. From miod@openbsd. 2003-09-26 22:23:58 +00:00
itojun
cd71ebe2f7 mark security policy that should persist in the system "persistent".
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00
itojun
7fda10aea9 separate netkey/key* and netipsec/key* 2003-09-20 05:14:41 +00:00
itojun
ca549eaf98 exp is a reserved name under posix 2003-09-16 00:31:23 +00:00
itojun
94da0d16ac avoid overflow during multiply. David Laight 2003-09-15 23:38:20 +00:00
itojun
71c96a2bb4 correct ru_a/ru_b setup for 20bit case 2003-09-13 21:32:59 +00:00
itojun
8ee5969c3b change confusing filename 2003-09-12 11:21:36 +00:00
itojun
9f2c0659cd remove extra blank line 2003-09-12 07:58:25 +00:00
itojun
a84539ea9e make synchronization w/ PF tag support code easier 2003-09-12 07:53:29 +00:00
itojun
6371ddf557 make it possible to SADB_DUMP via sysctl. request by mrg 2003-09-12 07:38:10 +00:00
itojun
5125995b51 record socket * associated with secpolicy 2003-09-10 22:29:27 +00:00
itojun
494fe70198 lint 2003-09-09 11:39:14 +00:00
itojun
800fe5d178 - prepare for RFC2401bis 64bit sequence number (no behavior change yet)
- use hash for SPI-based SAD entry lookup (should be faster, i hope)
- cleanup keydb.c and key.c.  key.c is responsible for refcounting secasvar,
  keydb.c is responsible for alloc/free.
2003-09-07 15:59:36 +00:00
itojun
bfa3dccfd7 prototype should have no variable name 2003-09-07 15:50:43 +00:00
itojun
5c9706bb41 correct seed generation. sync w/ kame 2003-09-06 13:47:09 +00:00
itojun
37c3c44062 fix comment, from kame 2003-09-06 13:30:40 +00:00
itojun
680540f194 committed by mistake, sorry 2003-09-06 04:20:57 +00:00
itojun
bce24b4a3e correct comment 2003-09-06 04:13:50 +00:00
itojun
b0b5b07f8a fix msb handling. from kame 2003-09-06 03:55:35 +00:00
itojun
32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
itojun
175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun
a245b3dc6d u_short -> u_int16_t. sync w/ kame.
don't set ip6_plen where unneeded (i.e. before calling ip6_output)
2003-09-05 23:20:48 +00:00
itojun
95b95dbc37 call tcp_drain() if IPv4-less kernel 2003-09-05 01:35:08 +00:00
itojun
495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other.
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
itojun
19d8b9bfea don't use m_cat to mbuf of different types. KAME-PR-495 2003-09-04 03:07:33 +00:00
itojun
725b73043b simplify rijndael.c API - always schedule encrypt/decrypt key.
reviewed by thorpej
2003-08-27 14:23:25 +00:00
itojun
fb5acbcfc6 rijndael encryption context/scheduled key is asymmetric; need to setup two
(one for encryption, one for decryption)
2003-08-27 02:42:09 +00:00
thorpej
7b613a568e Use BF_ecb_encrypt() instead of using BF_encrypt()/BF_decrypt()
directly.  Reviewed by itojun.
2003-08-27 00:08:31 +00:00
thorpej
6de9ce0437 Move the opencrypto CAST-128 implementation to crypto/cast128, removing
the old one.  Rename the functions/structures from cast_* to cast128_*.
Adapt the KAME IPsec to use the new CAST-128 code, which has a simpler
API and smaller footprint.
2003-08-26 16:37:36 +00:00
thorpej
2957d8dce6 Use the simplified rijndael API (which this was essentially a duplicate
of).  XXX This file can now be merged into esp_core.c.
2003-08-26 15:18:27 +00:00
itojun
356aebd768 g/c unused member. use in6p_ip6 more effectively. 2003-08-25 00:14:30 +00:00
itojun
9569786c95 deref member in in6p directly, don't rely on existence of macro 2003-08-25 00:11:52 +00:00
itojun
ff512e5035 don't commit value into ip6_ptkopts until the validation is done.
(note: the code will be updated with 2292bis definition soon, hopefully)
2003-08-25 00:10:27 +00:00
itojun
4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun
cabb25918f no need for opt_ipsec.h any longer 2003-08-22 22:05:11 +00:00
itojun
11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun
82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *.
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
itojun
9329caaf20 typo in log message 2003-08-22 21:50:42 +00:00
jonathan
e3ec783e41 (Accidentally-omitted change): update for ip6_output() to match commit below.
replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
2003-08-22 20:49:03 +00:00
jonathan
9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket*
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
jonathan
902669955f Replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
2003-08-22 20:20:09 +00:00
itojun
52f8075c5a allow userland to specify SPD ID. more readable debugging messages. 2003-08-22 06:22:21 +00:00
jonathan
28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
itojun
fd3f06dabb enforce ipsec policy on raw wildcard. 2003-08-14 07:57:40 +00:00
itojun
4d754cb259 in6_pcbrtentry() now returns IPv4 rtentry if in6pcb is connected to IPv4 mapped
address.  PR kern/22431 from Andreas Gustafsson
2003-08-13 04:59:34 +00:00
agc
aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
itojun
da53b9c28e make net.inet6.ip6.redirect actually work. from Tomoyuki Sahara via kame 2003-08-07 08:52:32 +00:00
itojun
256877974a m_cat may free mbuf on 2nd arg, so m_pkthdr manipulation has to happen
before m_cat call.  from Julian Coleman via kame.
2003-08-06 14:47:32 +00:00
itojun
3236f238b3 increase AH_MAXSUMSIZE to 512/8, for hmac-sha2-512 2003-08-05 12:20:35 +00:00
itojun
d6c4b6beb6 minor KNF 2003-07-25 10:17:36 +00:00
itojun
969d6f5037 typo 2003-07-25 10:16:28 +00:00
itojun
1270423572 add AH/ESP algorithms: hmac-ripemd160 (AH), AES XCBC MAC (AH),
AES counter mode (ESP)
2003-07-25 10:00:49 +00:00
itojun
4fc37746bf AES XCBC MAC (for AH)
AES counter mode (for ESP)
2003-07-25 09:48:17 +00:00
itojun
ee7d78825a comment typo, from markus@openbsd 2003-07-23 00:27:25 +00:00
itojun
c8ebadb000 unifdef -U_IP_VHL 2003-07-22 11:18:24 +00:00
itojun
0d84200c22 clear scheduled key before freeing, for safety 2003-07-22 08:54:27 +00:00
itojun
77283a8429 sha2 is needed for AH, not ESP 2003-07-22 03:26:16 +00:00
itojun
d64e1c8d6a add hmac-sha2 support. various cleanups (like avoid hardcoding '16').
from kame
2003-07-22 03:24:23 +00:00
itojun
409ba7efc4 cosmetic 2003-07-22 03:21:21 +00:00
itojun
0445f65670 avoid assuming result buffer size in AH logic. sync w/kame 2003-07-20 18:01:41 +00:00
itojun
92a1800c4d due to previous type change, sav->schedlen never go negative. sync w/kame 2003-07-20 17:17:20 +00:00
itojun
d1931d3717 change ESP xx_schedlen() return type to size_t. sync w/kame 2003-07-20 03:24:03 +00:00
itojun
74182febed remove #if 0 portion 2003-07-18 06:45:33 +00:00
kleink
43694e8d74 assymetric -> asymmetric 2003-07-15 17:37:00 +00:00
itojun
7b74887942 rijndael is asymmetric, correction from markus@openbsd 2003-07-15 15:25:13 +00:00
itojun
281d9d13a5 simplify and update rijndael code. markus@openbsd 2003-07-15 11:00:36 +00:00
itojun
8e90cd9ce4 KNF 2003-07-12 15:16:50 +00:00
itojun
3eaa5b9c93 no longer needed (#define _KERNEL) 2003-07-12 15:12:45 +00:00
itojun
7649b12429 remove obsolete comment on the use of m_pullup 2003-07-09 04:05:59 +00:00
itojun
0463e41004 on interface detach, clear multicast forwarding table. from kame 2003-07-08 10:20:45 +00:00
itojun
91b11e1eba prototype must not have variable name 2003-07-08 07:13:50 +00:00
itojun
fc401b7586 fix missing check for taillen against pkthdr.len. markus@openbsd 2003-07-04 00:49:18 +00:00
itojun
022df20c75 minor KNF 2003-07-03 05:03:53 +00:00
itojun
d8976f36ac typo. found by markus@openbsd 2003-07-02 13:55:13 +00:00
itojun
2317e81b85 avoid ICMPv6 redirect if the packet filter rewrite dst addr to an address
on the incoming interface.  cedric@openbsd
2003-06-30 08:00:59 +00:00
itojun
842d3bee32 KNF 2003-06-30 03:30:50 +00:00
fvdl
d5aece61d6 Back out the lwp/ktrace changes. They contained a lot of collateral damage,
and need to be examined and discussed more.
2003-06-29 22:28:00 +00:00
darrenr
960df3c8d1 Pass lwp pointers throughout the kernel, as required, so that the lwpid can
be inserted into ktrace records.  The general change has been to replace
"struct proc *" with "struct lwp *" in various function prototypes, pass
the lwp through and use l_proc to get the process pointer when needed.

Bump the kernel rev up to 1.6V
2003-06-28 14:20:43 +00:00
itojun
2cadb8ca7a split ND6 cache timer management to per-entry. increased accuracy,
no O(N) loop.   sync w/ kame
2003-06-27 08:41:08 +00:00
itojun
6d4a3c4191 remove unneeded checks of accept_rtadv. from kame 2003-06-24 07:54:47 +00:00
itojun
adb5d5afb4 * kame/sys/netinet6/nd6.c (nd6_rtrequest): changed a condition to
decide whether to create an empty llinfo stricter so that a user
can manually change the link-layer address of an existing neighbor
cache.
Pointed out by: KIU Shueng Chuan

from kame
2003-06-24 07:49:03 +00:00
itojun
455b7679d4 typo 2003-06-24 07:43:44 +00:00
itojun
194f048bd9 use time.tv_sec directly 2003-06-24 07:39:24 +00:00
itojun
5b0c3f9506 clear ln_hold earlier. from kame 2003-06-24 07:32:03 +00:00
martin
d505b18964 Make sure to include opt_foo.h if a defflag option FOO is used. 2003-06-23 11:00:59 +00:00
itojun
7a5741651c - sync up MLD declaration with RFC3542 (s/MLD6/MLD/)
- routing header declaration with RFC3542
  (note: sizeof(ip6_rthdr0) has changed!)
  also, sync up with RFC2460 routing header definition (no "strict" source
  routing mode any more)

part of advanced API update (RFC2292 -> 3542).
2003-06-06 08:13:43 +00:00
itojun
a07ae6a9df don't try to forward multicast packet to mif that went away; kame 2003-06-06 06:52:29 +00:00
itojun
5c0f142820 remove assumption on redirect header option processing. from kame 2003-06-03 05:20:06 +00:00
itojun
f46a719b5c can't use M_WAIT here, i believe. 2003-05-27 22:36:38 +00:00
itojun
63715bec6b backout previous. (sys/net/if.c fixed) 2003-05-16 16:57:35 +00:00
itojun
d36e610a01 nd6_rtmsg: If called during if_detach(), TAILQ_FIRST(if_addrlist)
could be NULL.  This is not a common case, but as nd6_rtmsg()
will be called during if_detach(), we need to check for the
case.  reported by kanaoka-san.
2003-05-16 16:19:45 +00:00
itojun
4008ec1218 use strlcpy 2003-05-16 03:56:49 +00:00
itojun
4d9a92e2a2 remove duplicate. masanori kanaoka 2003-05-16 02:53:28 +00:00
itojun
9cf18f13b5 rt->rt_ifp may not always be available. masanori kanaoka via kame 2003-05-15 14:57:58 +00:00
itojun
a5d8a0a4f6 check version before computing checksum. checksum is more expensive operation. 2003-05-15 13:46:15 +00:00
itojun
19b1e87da3 KNF 2003-05-14 17:02:59 +00:00
itojun
6e0f23e7f6 KNF 2003-05-14 17:00:22 +00:00
itojun
f77518e2f5 KNF 2003-05-14 14:41:33 +00:00
itojun
5eaf3c3113 do not use m_pulldown() to parse intermediate extension headers (like routing).
we don't want to drop packets due to extension header parsing.  KAME rev 1.59.
(performance may suck, but it is slowpath anyways)
2003-05-14 14:34:14 +00:00
wiz
de87ca793d constant usually has two n. 2003-05-14 12:45:06 +00:00
itojun
346e0198f0 always use PULLDOWN_TEST codepath. 2003-05-14 06:47:33 +00:00
darrenr
9787457fbe bring a small amount of code out of an if() statement that was doing
the same thing for both cases.
2003-05-10 13:23:07 +00:00
itojun
874e6573c4 fix invalid pointer setting on RA reception. from kiu shueng chuan via kame 2003-05-08 20:08:52 +00:00
christos
a617975d48 print how big the mtu needs to be for ipv6 ppp. 2003-05-04 13:43:09 +00:00
bjh21
4be7a2dcf3 Add a new feature-test macro, _NETBSD_SOURCE. If this is defined
by the application, all NetBSD interfaces are made visible, even
if some other feature-test macro (like _POSIX_C_SOURCE) is defined.
<sys/featuretest.h> defined _NETBSD_SOURCE if none of _ANSI_SOURCE,
_POSIX_C_SOURCE and _XOPEN_SOURCE is defined, so as to preserve
existing behaviour.

This has two major advantages:
+ Programs that require non-POSIX facilities but define _POSIX_C_SOURCE
  can trivially be overruled by putting -D_NETBSD_SOURCE in their CFLAGS.
+ It makes most of the #ifs simpler, in that they're all now ORs of the
  various macros, rather than having checks for (!defined(_ANSI_SOURCE) ||
  !defined(_POSIX_C_SOURCE) || !defined(_XOPEN_SOURCE)) all over the place.

I've tried not to change the semantics of the headers in any case where
_NETBSD_SOURCE wasn't defined, but there were some places where the
current semantics were clearly mad, and retaining them was harder than
correcting them.  In particular, I've mostly normalised things so that
_ANSI_SOURCE gets you the smallest set of stuff, then _POSIX_C_SOURCE,
_XOPEN_SOURCE and _NETBSD_SOURCE in that order.

Tested by building for vax, encouraged by thorpej, and uncontested in
tech-userlevel for a week.
2003-04-28 23:16:11 +00:00
itojun
b2fcce1997 style 2003-04-22 10:08:33 +00:00
thorpej
ee5b1a7c61 Protect the definition of offsetof(). 2003-04-17 19:58:57 +00:00
itojun
a81c2be8be avoid mbuf leak in redirect header option attachment. more complete
fix to come.  from kame
2003-03-31 23:55:46 +00:00
thorpej
452610ea39 Add in6_localaddr(). From KAME via FreeBSD. 2003-02-27 22:06:38 +00:00
he
eb5e5b35c1 Make sure to initialize callout structs. 2003-02-25 22:17:47 +00:00
matt
8c1eaadb7a automatic aggregates are evil. make it static const. 2003-02-24 03:01:03 +00:00
thorpej
b193480908 Add extensible malloc types, adapted from FreeBSD. This turns
malloc types into a structure, a pointer to which is passed around,
instead of an int constant.  Allow the limit to be adjusted when the
malloc type is defined, or with a function call, as suggested by
Jonathan Stone.
2003-02-01 06:23:35 +00:00
wiz
9115df8c49 success, not sucess. Noted by mjl. 2003-01-28 22:35:02 +00:00
simonb
276fd1665c The Double-Semi-Colon Police. 2003-01-20 05:29:53 +00:00
simonb
0efc092563 Remove variable that is only assigned to but not referenced. 2003-01-20 00:39:30 +00:00
itojun
40606ab8f2 switch from kame-based m_aux mbuf auxiliary data, to openbsd m_tag
implementation.  it will simplify porting across *bsd (such as kame/altq),
and make us more synchronized.  from Joel Wilsson
2003-01-17 08:11:49 +00:00
itojun
177ed24b8b allocate route_in6 in struct secashead, to avoid mistakenly overrun
the end of secashead.  Fixes PR18751.
2003-01-08 05:46:49 +00:00
itojun
be9a8d8e2f recover original stanford copyright. sync w/kame 2002-11-27 05:09:36 +00:00
lukem
0635de35a3 Remove KDIR=, since SYS_INCLUDE=symlinks and KDIR are not supported any more. 2002-11-26 23:30:07 +00:00
thorpej
d6f8cc841d Avoid strict-alias warnings. 2002-11-25 01:55:21 +00:00
itojun
c8a8326600 make USE_ENCAPCHECK (in netinet*/*gif.c) to global option, GIF_ENCAPCHECK.
#ifdef out unneeded code when possible.
From: Krister Walfridsson <cato@df.lth.se>
2002-11-11 18:35:27 +00:00
itojun
1e8dadc8f9 pmtu_probe is not used anywhere (it is used in KAME TCP6-only code).
From: Krister Walfridsson <cato@df.lth.se>
2002-11-11 18:26:42 +00:00
itojun
6f28503927 need icmp6.h for MULTICAST_PMTUD case. sync w/kame 2002-11-09 03:12:05 +00:00
perry
eab4bb9593 include opt_inet.h -- found by David Laight 2002-11-05 21:46:42 +00:00
itojun
29ef3e950d improve gif lookup performance, when there are many of those,
by using radix tree for lookups.  tested by yshimizu@iij.
2002-11-05 16:58:11 +00:00
perry
4f27ab21b8 /*CONTCOND*/ while (0)'ed macros 2002-11-02 07:30:55 +00:00
itojun
ad337ee31a plug a memory leak. from sam leffler. sync w/kame 2002-10-31 17:36:16 +00:00
itojun
02a04fd9fc increase correct stat. KAME pr 445 2002-10-28 16:42:44 +00:00
itojun
5fc1c3b058 do not differentiate manually configured address from autoconfigured ones
wrt prefix management;
- always earn a reference to the prefix when an address is configured
 (by ioctl).
- always delete the prefix when an address that has the last reference
  is manually removed.

The change should solve the problem raised in KAME-snap 6989.

sync w/kame
2002-10-17 00:07:44 +00:00
thorpej
d9ae0a6eb1 IPSEC_ESP depends on the "des", "blowfish", "cast128", and "rijndael"
attributes.
2002-10-12 15:41:24 +00:00
thorpej
5b2b587c85 Move netinet, netinet6, ipsec, and ipfilter config defns to
netinet/files.ipfilter, etinet/files.netinet, netinet6/files.netinet6,
and netinet6/files.netipsec.

XXX There are still a few stragglers in conf/files, which are entangled
with other network protocols.
2002-10-10 22:45:45 +00:00
itojun
b15fea2610 suppress too noisy log by default (can be re-enabled by sysctl). sync w/kame 2002-10-09 20:22:16 +00:00
provos
0f09ed48a5 remove trailing \n in panic(). approved perry. 2002-09-27 15:35:29 +00:00
itojun
ce1bd42a2c length field on PADN option, before jumbo payload option was wrong.
sync w/kame
2002-09-23 13:28:55 +00:00
itojun
0a734b348e better fix to PR 18163 ("deprecated" flag manipulation). sync w/kame 2002-09-23 13:16:52 +00:00
simonb
4e3613273b Remove breaks after returns, unreachable returns and returns after
returns(!).
2002-09-23 05:51:10 +00:00
simonb
03d61a28e4 Remove an extern declaration for the "pim6stat" variable; the only other
occurrence of this is a static variable in ip6_mroute.c.
2002-09-23 04:56:58 +00:00
itojun
d694b45f9d remove extra blank line 2002-09-15 01:18:59 +00:00
itojun
255121cf44 avoid from applying IPsec transport mode to the packets when the kernel
forwards the packets.
sync w/kame
2002-09-11 08:15:37 +00:00
itojun
8808abb7b8 correct pointer signedness mixups. sync w/kame 2002-09-11 03:45:44 +00:00
itojun
75e1911429 reduce diff w/kame 2002-09-11 03:23:24 +00:00
itojun
9401012487 KNF - return is not a function. sync w/kame. 2002-09-11 02:46:42 +00:00
itojun
6dedde045a correct signedness mixup in pointer passing. sync w/kame 2002-09-11 02:41:19 +00:00
itojun
37bd81ba1e allow "deprecated" bit to be manually set. PR 18163 2002-09-04 07:22:28 +00:00
itojun
c7b00b4ce4 pass proc * to in6_pcbsetport. PR 18073 2002-08-26 14:25:00 +00:00
itojun
967cf54a67 check packet length before fetching ESP crypto checksum. sync w/kame 2002-08-21 23:12:01 +00:00
itojun
e5df0242ce sync up use_deprecated handling with latest kame.
- bind(deprecated) is allowed, trusting userland app is doing the right thing
- use_deprecated default to 1
2002-08-20 22:06:04 +00:00
itojun
ddbeae9874 check error from copyout 2002-08-19 23:23:22 +00:00