efeb620e44
Adapt FAST_IPSEC to recent KPI changes.
...
Pointed out by dyoung@ on tech-kern@, thanks!
2009-05-10 02:13:07 +00:00
d779b85d3e
Remove extra whitespace added by a stupid tool.
...
XXX: more in src/sys/arch
2009-04-18 14:58:02 +00:00
4f9cf8aa30
Correct bungled bcopy() -> memcpy() conversion
2009-03-20 05:26:37 +00:00
e2cb85904d
bcopy -> memcpy
2009-03-18 17:06:41 +00:00
c363a9cb62
bzero -> memset
2009-03-18 16:00:08 +00:00
35fb64746b
bcmp -> memcmp
2009-03-18 15:14:29 +00:00
df7f595ecd
Ansify function definitions w/o arguments. Generated with sed.
2009-03-18 10:22:21 +00:00
02cdf4d2c8
Remove all the __P() from sys (excluding sys/dist)
...
Diff checked with grep and MK1 eyeball.
i386 and amd64 GENERIC and sys still build.
2009-03-14 14:45:51 +00:00
f794ad1e52
remove 2038 comment.
2009-02-14 20:53:58 +00:00
8d41ac5617
Back out my previous change. The problem I'm chasgin is with the
...
initialization of ports in saidx's when IPSEC_NAT_T is defined but the
association connection is not using nat traversal. Stay tuned.
2009-02-09 15:06:37 +00:00
744626ac10
These comparison functions return 0 on match. Fix sense of test.
2009-01-28 19:06:03 +00:00
9b87d582bd
kill MALLOC and FREE macros.
2008-12-17 20:51:31 +00:00
0efea177e3
Remove LKMs and switch to the module framework, pass 1.
...
Proposed on tech-kern@.
2008-11-12 12:35:50 +00:00
a8f5b9cfc2
Comment out the 'do' and 'while (0)' from KEY_CHKSASTATE().
...
The expansion contains a 'continue' which is expected to continue
a loop in the callling code, not just abort the #define.
2008-07-25 20:55:43 +00:00
be6f2a4b87
Ignore freed rtcache entries.
2008-07-01 20:18:45 +00:00
ba4ebf7e6b
Kill caddr_t introduced in the previous revision
...
Fix build with FAST_IPSEC
2008-06-27 17:28:24 +00:00
fa014c6383
Verify icmp type and code in IPSEC rules.
...
Fixes PR kern/39018
2008-06-27 05:18:58 +00:00
b129a80c20
Simplify the interface to netstat_sysctl() and allocate space for
...
the collated counters using kmem_alloc().
PR kern/38577
2008-05-04 07:22:14 +00:00
b6a04a1973
In key_do_allocsa_policy, fix a bad usage of key_setsadbmsg. The third argument
...
is an SADB_SATYPE_*, not an IPPROTO_* .
Fix PR/38405. Thanks for the report
2008-05-03 21:53:23 +00:00
ce099b4099
Remove clause 3 and 4 from TNF licenses
2008-04-28 20:22:51 +00:00
bb588cd930
Fix a stupid typo. In ipsec6_process_packet, reinject the packet in AF_INET6,
...
nor in AF_INET.
2008-04-28 17:40:11 +00:00
e7dc156f58
Fix some fallout from socket locking patch :
...
- {ah6,esp6}_ctlinput must return void*
- use correct wrapper for rip_usrreq
2008-04-27 12:58:48 +00:00
15e29e981b
Merge the socket locking patch:
...
- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.
With much feedback from matt@ and plunky@.
2008-04-24 11:38:36 +00:00
02f63fe1bf
PF_KEY stats for IPSEC and FAST_IPSEC are now per-CPU.
2008-04-23 07:29:47 +00:00
caf49ea572
Make IPSEC and FAST_IPSEC stats per-cpu. Use <net/net_stats.h> and
...
netstat_sysctl().
2008-04-23 06:09:04 +00:00
680fd6866d
Make ip6 and icmp6 stats per-cpu.
2008-04-15 04:43:53 +00:00
3f466bce48
Change IPv6 stats from a structure to an array of uint64_t's.
...
Note: This is ABI-compatible with the old ip6stat structure; old netstat
binaries will continue to work properly.
2008-04-08 23:37:43 +00:00
f3f9c5b3a1
Fix build of FAST_IPSEC after the change of ip_newid prototype
2008-02-10 21:42:20 +00:00
e5bd2a127e
Rework opencrypto to use a spin mutex (crypto_mtx) instead of "splcrypto"
...
(actually splnet) and condvars instead of tsleep/wakeup. Fix a few
miscellaneous problems and add some debugging printfs while there.
Restore set of CRYPTO_F_DONE in crypto_done() which was lost at some
point after this code came from FreeBSD -- it made it impossible to wait
properly for a condition.
Add flags analogous to the "crp" flags to the key operation's krp struct.
Add a new flag, CRYPTO_F_ONRETQ which tells us a request finished before
the kthread had a chance to dequeue it and call its callback -- this was
letting requests stick on the queues before even though done and copied
out.
Callers of crypto_newsession() or crypto_freesession() must now take the
mutex. Change netipsec to do so. Dispatch takes the mutex itself as
needed.
This was tested fairly extensively with the cryptosoft backend and lightly
with a new hardware driver. It has not been tested with FAST_IPSEC; I am
unable to ascertain whether FAST_IPSEC currently works at all in our tree.
pjd@FreeBSD.ORG , ad@NetBSD.ORG , and darran@snark.us pointed me in the
right direction several times in the course of this. Remaining bugs
are mine alone.
2008-02-04 00:35:34 +00:00
3615cf7715
Now that __HAVE_TIMECOUNTER and __HAVE_GENERIC_TODR are invariants,
...
remove the conditionals and the code associated with the undef case.
2008-01-20 18:09:03 +00:00
55718e804e
Fix the ipsec processing in case of USE rules with no SA installed.
...
In case where there is no more isr to process, just tag the packet and reinject
in the ip{,6} stack.
Fix pr/34843
2007-12-29 16:43:17 +00:00
bd4ac64c48
Add some statistics for case where compression is not useful
...
(when len(compressed packet) > len(initial packet))
2007-12-29 14:56:35 +00:00
61e79ba32a
Simplify the FAST_IPSEC output path
...
Only record an IPSEC_OUT_DONE tag when we have finished the processing
In ip{,6}_output, check this tag to know if we have already processed this
packet.
Remove some dead code (IPSEC_PENDING_TDB is not used in NetBSD)
Fix pr/36870
2007-12-29 14:53:24 +00:00
82a49e7352
- Remove remain <= MHLEN restriction in m_makespace()
...
PR:30124
2007-12-14 20:55:22 +00:00
9d8f493213
use __KERNEL_RCSID()
2007-12-11 12:40:10 +00:00
939a0dbd0a
Kill _IP_VHL ifdef (from netinet/ip.h history, it has never been used in NetBSD so ...)
2007-12-09 18:27:39 +00:00
3668e580ae
Use struct initializers. No functional change.
2007-12-07 19:46:18 +00:00
5a24b726ae
Let this code compile.
...
Hi, liamjfoy@. :)
2007-12-07 19:44:38 +00:00
5bbde3d775
Use IFNET_FOREACH() and IFADDR_FOREACH().
2007-12-04 10:27:33 +00:00
62edf45793
defflag IPSEC_DEBUG
2007-11-16 21:15:20 +00:00
aaf8e048ae
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
...
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@
2007-10-28 15:48:23 +00:00
a2a3828545
machine/{bus,cpu,intr}.h -> sys/{bus,cpu,intr}.h
2007-10-19 11:59:34 +00:00
cdb020058a
Fix my previous stupid caddr_t fix.
2007-09-22 23:33:18 +00:00
88ab7da936
Merge some of the less invasive changes from the vmlocking branch:
...
- kthread, callout, devsw API changes
- select()/poll() improvements
- miscellaneous MT safety improvements
2007-07-09 20:51:58 +00:00
a382db0aa9
Ansify
...
Remove useless extern
bzero -> memset, bcopy -> memcpy
No functionnal changes
2007-07-07 18:38:22 +00:00
4ddfe916ff
Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).
...
No objection on tech-net@
2007-06-27 20:38:32 +00:00
5f72dadbd4
Always compute the sp index even if we don't have any sp in spd. It will
...
let us to choose the right default policy (based on the adress family
requested).
While here, fix an error message
2007-05-08 14:07:42 +00:00
8ebbd6c4f6
Increase the refcount for the default ipv6 policy so nobody can reclaim it
2007-05-08 14:03:05 +00:00
6997fa5f35
Choose the good default policy, depending of the adress family of the
...
desired policy
2007-04-15 14:17:12 +00:00
20341ba8ef
Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
...
to the sysctl kame interface.
2007-04-11 22:21:41 +00:00
elad