Commit Graph

1211 Commits

Author SHA1 Message Date
mycroft ca96c7c4ec Remove some code that breaks AH tunnels completely. The comment describing
the purpose of this code appears to be on crack -- it's talking about
end-to-end authentication, but the purpose of an AH tunnel is NOT end-to-end
authentication; it's authentication of the tunnel endpoints.

NB: This does not fix the fact that IPsec leaks "packet tags."
2003-09-28 04:45:14 +00:00
mycroft 3114965161 Fix glaring errors in recent changes. 2003-09-25 00:59:31 +00:00
itojun 8d9a724638 on arplookup() failure, nuke cloned route - otherwise outsider could use massive
number of bogus ARPs for DoS attack.  FreeBSD-SA-03:14.arp
2003-09-24 06:52:47 +00:00
jonathan 5923dedaeb Fast-ipsec can call ip_output() with a null 'struct socket *so'
argument.  So check so is non-NULL before doing the pointer-chasing
dance to find the PCB. (Unless and until we rework fast-ipsec and
KAME, to pass a struct in_pcbhdr * instead of the struct socket *).
2003-09-19 00:27:56 +00:00
itojun a3931fc5ab exp is reserved name under posix 2003-09-16 00:31:55 +00:00
itojun 6b33d95e22 send icmp admin prohibit if socket policy mismatches. 2003-09-12 09:55:22 +00:00
itojun 644a4857fb cut-and-paste error. Valeriy E. Ushakov 2003-09-10 01:46:27 +00:00
itojun 99bc41d6fd if IPsec inbound policy mismatches, respond to SYN with RST (instead of
just dropping it), allow client to react quickly.
2003-09-10 00:58:29 +00:00
itojun 495bd5ff91 initialize ip_hl for ipsec policy lookup. PR kern/22715 2003-09-08 02:06:34 +00:00
itojun 32e3deae21 randomize IPv4/v6 fragment ID and IPv6 flowlabel. avoids predictability
of these fields.  ip_id.c is from openbsd.  ip6_id.c is adapted by kame.
2003-09-06 03:36:30 +00:00
itojun 175c9afa3f clarify flowlabel handling 2003-09-06 03:12:51 +00:00
itojun dd45bfac41 backout previous, we don't know if arc4random() collides on reboot. 2003-09-06 00:24:54 +00:00
itojun 9636351c96 u_short -> u_int16_t 2003-09-05 23:02:40 +00:00
itojun 186bd1ad6a initialize fragment ID with arc4random, not by time.tv_sec 2003-09-05 22:09:38 +00:00
itojun 495906ca8e revamp inpcb/in6pcb so that they are more aligned with each other.
in6pcb lookup now uses hash(9).
2003-09-04 09:16:57 +00:00
itojun 5c39f4aaa7 don't initialize m by m0, m0 is not initialized (by introduction of ip_fragment) 2003-08-27 02:09:59 +00:00
itojun 3e76200c67 need sys/domain.h for FAST_IPSEC case; jonathan 2003-08-23 01:41:10 +00:00
itojun a3bad645a4 make sure so is properly initialized 2003-08-22 22:49:34 +00:00
itojun 58f57a60fd tp could be null in tcp_respond() 2003-08-22 22:27:07 +00:00
itojun 4e6aca94c2 correct missing inclusion of opt_ipsec.h 2003-08-22 22:11:44 +00:00
itojun 11ede1ed88 remove ipsec_set/getsocket. now we explicitly pass socket * to ip{,6}_output. 2003-08-22 22:00:36 +00:00
itojun 82eb4ce914 change the additional arg to be passed to ip{,6}_output to struct socket *.
this fixes KAME policy lookup which was broken by the previous commit.
2003-08-22 21:53:01 +00:00
jonathan 9339ef0381 Change KAME code for ip_output()/ip6_output() to obtain struct socket*
from the explicit inpcb*/in6pcb* argument.  set_socket() becomes redundant.
2003-08-22 20:29:00 +00:00
jonathan 902669955f Replace the set_socket() method of passing an extra struct socket*
argument to ip6_output() with a new explicit struct in6pcb* argument.
(The underlying socket can be obtained via in6pcb->inp6_socket.)

In preparation for fast-ipsec.  Reviewed by itojun.
2003-08-22 20:20:09 +00:00
jonathan 6196bbe72d Honour the M_CSUM_NO_PSEUDOHDR, if set on inbound TCP and UDP packets.
Tested against  bcm5700 with patched if_bge.c.
2003-08-21 14:49:49 +00:00
itojun b83dd2f98b remove unneeded #ifdef __NetBSD__ 2003-08-19 08:00:54 +00:00
itojun ade8129bdc make ip_fragment public (it is for coming PF integration) 2003-08-19 01:20:03 +00:00
christos ae572737ba make ip_fragment static and add prototype. 2003-08-19 00:54:41 +00:00
itojun 4f8ba921cd correct ip_multicast_if fix to always set ifp (tnx Shiva) 2003-08-19 00:17:38 +00:00
itojun 449b5c43d4 since we cope with packets with address on !IFF_UP interface in ip_input()
properly, IFF_UP check in INADDR_TO_IA is obsolete (or too much).
2003-08-18 22:28:51 +00:00
itojun 122edbc337 fix problem we can't drop membership on !IFF_UP interface.
reported by Shiva Shenoy

while we're here, fix another problem when the same interface address is
assigned to !IFF_MULTICAST and IFF_MULTICAST interface.  if ip_multicast_if()
returns the first one, join/leave will fail, which is not a desired effect.
2003-08-18 22:23:22 +00:00
itojun 3bcba4f62b do not disconnect L4 connections on IP address removal. the behavior
is too extreme (consider DHCP/PPP-based fixed address allocation).
see tech-net for more info.
2003-08-16 11:30:35 +00:00
martti 03506a6ef3 Fix return-rst for IPv6 (PR#22157 by Peter Postma). 2003-08-15 08:11:09 +00:00
jonathan 28b5f5dfab (fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.
2003-08-15 03:42:00 +00:00
itojun fd3f06dabb enforce ipsec policy on raw wildcard. 2003-08-14 07:57:40 +00:00
agc aad01611e7 Move UCB-licensed code from 4-clause to 3-clause licence.
Patches provided by Joel Baker in PR 22364, verified by myself.
2003-08-07 16:26:28 +00:00
itojun e4feda72ab avoid code dup when check broadcast addr in bind(2) 2003-07-22 02:09:30 +00:00
itojun 074166110c permit bind(2) to broadcast address, as it was permitted before.
(for instance, "ntpd -b" was broken since revision 1.82)
found report on http://pc.2ch.net/unix
2003-07-21 07:02:35 +00:00
he 80ccb5520c As a temporary workaround, apply the fix from PR#20390, thereby
cooperating with the callout code in working around the race
condition caused by the TCP code's use of the callout facility.

Instead of unconditionally releasing memory in tcp_close() and
SYN_CACHE_PUT(), check whether any of the related callout handlers
are about to be invoked (but have not yet done callout_ack()), and
if so, just mark the associated data structure (tcpcb or syn cache
entry) as "dead", and test for this (and release storage) in the
callout handler functions.
2003-07-20 16:35:07 +00:00
itojun 4c19286f97 correct igmp. from love 2003-07-14 16:39:43 +00:00
ragge 9e2d68cb61 Make it possible to set TCP_INIT_WIN and TCP_INIT_WIN_LOCAL in the config
file as options.
2003-07-03 08:28:16 +00:00
itojun 022df20c75 minor KNF 2003-07-03 05:03:53 +00:00
ragge cb6b5a36c4 Make the fast-search stuff an option. There are still reports on
problem with it.
2003-07-02 21:43:49 +00:00
ragge c6308a0598 Fix previous bug. Thanks to Enami for spotting the (obvious) error, and
to other people with much help with bug reports etc.
While fixing, change some of the code I added last time to make it
cleaner and simpler.
2003-07-02 19:33:20 +00:00
ragge c04e1a5756 Disable the code I checked in yesterday; reports that samba (!) is crashing
machines with it. Will do some more tests.
2003-06-30 14:51:06 +00:00
itojun 7e53aaa8dd better ip_mrouter_detach(). by ono@kame 2003-06-30 10:34:53 +00:00
itojun 38d08be727 do not generate ICMP redirect when packet filter alters ip_dst to an
address that resides on the same link.  Cedric Berger convinced me that
it is necessary.
2003-06-30 07:54:28 +00:00
itojun 1db5330c52 freebsd code somehow crept in 2003-06-30 02:08:28 +00:00
itojun 7ded9690f4 after pfil_run_hooks, need to fix hlen as well 2003-06-30 01:22:51 +00:00
itojun 868bbd9978 fix indent 2003-06-30 01:21:11 +00:00