tron
b7be5e481c
Defopt IPSEC_NAT_T.
2005-07-07 19:34:51 +00:00
manu
771a32d331
Another NAT-T fix: don't check for port information in transport mode, as there
...
is no port information.
2005-07-03 22:57:09 +00:00
christos
8eaf136917
- sprinkle const
...
- change b*() -> mem*()
- rename shadowed variables.
2005-05-29 21:29:43 +00:00
manu
b83e2b6cb3
Yet another NAT-T fix: don't forbid SP with ports in the policy
2005-05-05 12:08:24 +00:00
manu
29ba532e9b
After more testing, it turns out that we don't really need to check the
...
source address to make NAT-T working with multiple clients behind the NAT.
Remove that check for the sake of RFC 2401 conformance.
2005-04-25 08:39:28 +00:00
manu
455d55f55b
Enhance IPSEC_NAT_T so that it can work with multiple machines behind the
...
same NAT.
2005-04-23 14:05:28 +00:00
manu
c5a5178582
Send NAT-T ports in SAD dump so that setkey -D can display them.
2005-04-20 15:44:12 +00:00
perry
bcfcddbac1
nuke trailing whitespace
2005-02-26 22:31:44 +00:00
manu
5c217c1a67
Add support for IPsec Network Address Translator traversal (NAT-T), as
...
described by RFC 3947 and 3948.
2005-02-12 12:31:07 +00:00
matt
d341be30f4
Change initialzie of domains to use link sets. Switch to using STAILQ.
...
Add a convenience macro DOMAIN_FOREACH to interate through the domain.
2005-01-23 18:41:56 +00:00
itojun
4db58ab415
fixed a unexpected addr/port matching failure in SA management
...
FreeBSD-PR: kern/72393
2005-01-11 01:30:17 +00:00
itojun
8d487352ba
move SA header to DEAD if there's no children. markus@openbsd
2004-12-06 08:07:28 +00:00
itojun
bc4b33d8be
reqid (for unique policy) is u_int16_t quantity. from markus@openbsd
2004-12-06 08:05:26 +00:00
dsl
e26801d6fb
Use unsigned char * variables when scanning buffer - saves casts and & 0xff
2004-10-30 08:22:40 +00:00
dsl
2722aff86f
Add (unsigned char) cast to ctype function (for /sbin/setkey)
2004-10-29 19:31:04 +00:00
itojun
b637834754
m->m_next check here is not needed, since we make no assumption on m_len below,
...
and key_align() may chop mbuf into multiple mbufs.
from freebsd via kame
2004-09-28 04:24:54 +00:00
itojun
3b68465490
as we use arc4random(9) for random number, we no longer need to reseed random
...
number. noted by rwatson@freebsd
2004-08-27 04:56:16 +00:00
itojun
19dd3c9508
send error up when error happens during SADB_UPDATE. kame-pr-785
2004-08-03 15:53:03 +00:00
yamt
388343e340
key_sendup0: prepend a promisc header only for a mbuf given as a function arg.
...
mbufs on kp_queue already have their complete headers.
2004-07-24 09:15:56 +00:00
yamt
133bbf0b79
key_receive: pull packets from kp_queue.
...
otherwise a receiver can sleep on empty so_rcv
while having packets on kp_queue.
ok'ed by itojun.
2004-07-24 09:14:52 +00:00
yamt
da6f02930b
key_sendup0: add a missing sorwakeup().
...
ok'ed by itojun.
2004-07-08 10:42:41 +00:00
itojun
caf5cb18b4
avoid null pointer deref
...
remove wrong comment
yamt@netbsd
2004-06-01 03:05:26 +00:00
itojun
25f8b7acdc
recover kp_queue properly. yamt
2004-06-01 02:01:14 +00:00
itojun
78bf2102d3
correct kp_queue handling. yamt
2004-05-31 11:40:40 +00:00
itojun
e58a39bab9
need to fix kp_queue better...
2004-05-31 09:20:38 +00:00
itojun
4516a4dc00
on EAGAIN, set kp_queue again for the next wakeup. pointed out by yamt
2004-05-31 09:06:36 +00:00
itojun
7bd231952e
safer key_{spd,}dump. comment from yamt.
...
XXX is spl level ok?
2004-05-31 04:29:01 +00:00
itojun
2cb6995056
dump/spddump can now handle tons of records.
2004-05-26 02:59:15 +00:00
yamt
c9290b239d
key_sp_unlink: decrement refcnt of the policy only if it was chained.
...
otherwise SADB_X_SPDDELETE2 and SADB_X_SPDFLUSH can free per-pcb policies
erroneously. it's the identical with what kame repository has.
ok'ed by itojun@
2004-05-10 09:30:23 +00:00
itojun
23973135aa
fix key_mature for tcp md5 signature
2004-04-26 04:39:17 +00:00
itojun
06dd2ce65c
add missing "break"
2004-04-26 04:00:06 +00:00
itojun
e0395ac8f0
make TCP MD5 signature work with KAME IPSEC (#define IPSEC).
...
support IPv6 if KAME IPSEC (RFC is not explicit about how we make data stream
for checksum with IPv6, but i'm pretty sure using normal pseudo-header is the
right thing).
XXX
current TCP MD5 signature code has giant flaw:
it does not validate signature on input (can't believe it! what is the point?)
2004-04-26 03:54:28 +00:00
matt
e06794e93a
Remove #else of #if __STDC__
2004-04-26 01:41:15 +00:00
matt
e50668c7fa
Constify protosw arrays. This can reduce the kernel .data section by
...
over 4K (if all the network protocols) are loaded.
2004-04-22 01:01:40 +00:00
matt
58011725c3
Use M_ZERO appropriately.
2004-04-18 23:33:58 +00:00
itojun
25b85e1925
fixed a memory leak (refcnt) in #ifdef IPSEC_DOSEQCHECK portion
2004-04-12 07:50:56 +00:00
atatat
19af35fd0d
Tango on sysctl_createv() and flags. The flags have all been renamed,
...
and sysctl_createv() now uses more arguments.
2004-03-24 15:34:46 +00:00
wiz
f05e6f1a3a
occured -> occurred. From Peter Postma.
2004-02-24 15:12:51 +00:00
itojun
7df1e71161
invalidate pcb policy cache on key_timehandler(). part of
...
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
2004-01-14 04:11:13 +00:00
itojun
45e487aa97
secpolicy refcnt mistake (missing key_freesp). part of
...
http://sources.zabbadoz.net/freebsd/patchset/110-ipsec-netkey-key.diff
2004-01-13 23:02:40 +00:00
itojun
b37e7ce6ef
do not touch sav->xx after key_freesav(). from hajimu umemoto
2003-12-10 23:46:42 +00:00
atatat
13f8d2ce5f
Dynamic sysctl.
...
Gone are the old kern_sysctl(), cpu_sysctl(), hw_sysctl(),
vfs_sysctl(), etc, routines, along with sysctl_int() et al. Now all
nodes are registered with the tree, and nodes can be added (or
removed) easily, and I/O to and from the tree is handled generically.
Since the nodes are registered with the tree, the mapping from name to
number (and back again) can now be discovered, instead of having to be
hard coded. Adding new nodes to the tree is likewise much simpler --
the new infrastructure handles almost all the work for simple types,
and just about anything else can be done with a small helper function.
All existing nodes are where they were before (numerically speaking),
so all existing consumers of sysctl information should notice no
difference.
PS - I'm sorry, but there's a distinct lack of documentation at the
moment. I'm working on sysctl(3/8/9) right now, and I promise to
watch out for buses.
2003-12-04 19:38:21 +00:00
itojun
bf72fd111d
missing splx. Hajimu UMEMOTO via kame
2003-11-27 18:26:46 +00:00
drochner
ca3116d2f1
in_ifaddr -> in_ifaddrhead
...
use TAILQ_FOREACH macro
2003-11-11 21:41:11 +00:00
itojun
f5c2aa04b0
splsoftnet() on spd/sad-dump-via-sysctl to ensure no 2 threads to go into
...
the function, or entries being removed during the dump operation.
suenaga@iij
2003-11-10 10:52:13 +00:00
itojun
57b5c736df
suppress -Wuninitialized
2003-11-04 05:50:54 +00:00
christos
e4e2331f07
fixed uninitialized variable
2003-10-25 08:27:12 +00:00
itojun
e6d129819b
update m_pkthdr.len
2003-10-13 08:55:59 +00:00
itojun
ec5e739b46
extra blank line
2003-09-23 00:03:05 +00:00
itojun
cd71ebe2f7
mark security policy that should persist in the system "persistent".
...
this should prevent recently-reported kernel panic when "spdflush" is issued.
2003-09-22 04:47:43 +00:00