Keyword substitution: kv
Default branch: MAIN
Fix various typos in comments, log messages and documentation.
IFQ_CLASSIFY() -> ifq_classify_packet().
Pull up following revision(s) (requested by knakahara in ticket #378): tests/net/if_ipsec/t_ipsec_unnumbered.sh: revision 1.2 sys/net/if_ipsec.c: revision 1.35 sys/netipsec/key.c: revision 1.281 Use kmem_free instead of kmem_intr_free, as key_freesaval() is not called in softint after key.c:r1.223. E.g. key_freesaval() was called the following call path before SAD MP-ify.
    esp_input_cb()
    KEY_FREESAV()
    key_freesav()
    key_delsav()
    key_freesaval()
ok'ed by ozaki-r@n.o. Use unit id instead of if_index to reduce fixed_reqid space. Update for sys/net/if_ipsec.c:r1.35
Use unit id instead of if_index to reduce fixed_reqid space.
Add sadb_x_policy_flags to inform SP origination. This extension(struct sadb_x_policy) is *not* defined by RFC2367. OpenBSD does not have reserved fields in struct sadb_x_policy. Linux does not use this field yet. FreeBSD uses this field as "sadb_x_policy_scope"; the value range is from 0x00 to 0x04. We use from most significant bit to avoid the above usage.
Fix overflow case detected by clang. Pointed out by wsh@IIJ, thanks.
ipsecif(4) can use fixed SP reqid based on ifindex, that can reduce number of reqid. If we want to use fixed SP reqid for ipsecif(4), set net.ipsecif.use_fixed_reqid=1 Default(=0) is the same as before. net.ipsecif.use_fixed_reqid can be changed only if there is no ipsecif(4) yet. If we want to change the range of ipsecif(4) SP reqid, set net.ipsecif.reqid_base and net.ipsecif.reqid_last. These can also be changed only if there is no ipsecif(4) yet.
Make pktq_rps_hash() pluggable for each interface type. Reviewed by gdt@n.o, thorpej@n.o, and riastradh@n.o, thanks.
ipsecif: Set the link state UP if we have a tunnel, otherwise DOWN.
Mostly merge changes from HEAD up to 20200411
Merge changes from current as of 20200406
Pull up following revision(s) (requested by knakahara in ticket #1520): sys/netipsec/key.c: revision 1.271 sys/net/if_ipsec.c: revision 1.28 sys/net/if_ipsec.c: revision 1.29 Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ. "setkey -x" output is the following.
    ========== before ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=15 reserved=0 seq=0 pid=0
    sadb_ext{ len=56 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=40 proto=50 mode=1 level=3 reqid=16393
    sockaddr{ len=0 family=0 }
    sockaddr{ len=0 family=0 }
     }
    ========== before ==========
    ========== after ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=11 reserved=0 seq=0 pid=0
    sadb_ext{ len=24 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=8 proto=50 mode=1 level=3 reqid=16393
     }
    ========== after ==========
reduce unnecessary reqid of NAT-T ipsecif(4), suggested by ohishi@IIJ. Fix kern/55066. Pointed out and fixed by Chuck Zmudzinski, thanks. ok'ed by ozaki-r@n.o
Pull up following revision(s) (requested by knakahara in ticket #780): sys/netipsec/key.c: revision 1.271 sys/net/if_ipsec.c: revision 1.28 sys/net/if_ipsec.c: revision 1.29 Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ. "setkey -x" output is the following.
    ========== before ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=15 reserved=0 seq=0 pid=0
    sadb_ext{ len=56 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=40 proto=50 mode=1 level=3 reqid=16393
    sockaddr{ len=0 family=0 }
    sockaddr{ len=0 family=0 }
     }
    ========== before ==========
    ========== after ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=11 reserved=0 seq=0 pid=0
    sadb_ext{ len=24 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=8 proto=50 mode=1 level=3 reqid=16393
     }
    ========== after ==========
reduce unnecessary reqid of NAT-T ipsecif(4), suggested by ohishi@IIJ. Fix kern/55066. Pointed out and fixed by Chuck Zmudzinski, thanks. ok'ed by ozaki-r@n.o
reduce unnecessary reqid of NAT-T ipsecif(4), suggested by ohishi@IIJ.
Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ. "setkey -x" output is the following.
    ========== before ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=15 reserved=0 seq=0 pid=0
    sadb_ext{ len=56 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=40 proto=50 mode=1 level=3 reqid=16393
    sockaddr{ len=0 family=0 }
    sockaddr{ len=0 family=0 }
     }
    ========== before ==========
    ========== after ==========
    sadb_msg{ version=2 type=14 errno=0 satype=0
      len=11 reserved=0 seq=0 pid=0
    sadb_ext{ len=24 type=18 }
    sadb_x_policy{ type=2 dir=1 id=9 }
     { len=8 proto=50 mode=1 level=3 reqid=16393
     }
    ========== after ==========
Sync with head.
Fix order in rollback case; switch if_ipsec to atomic_load/store_*.
Adopt <net/if_stats.h>.
Make global and per-interface ipsecif(4) pmtu tunable like gif(4). And make hop limit tunable same as gif(4). See http://mail-index.netbsd.org/source-changes/2019/10/30/msg110426.html
Pull up following revision(s) (requested by knakahara in ticket #1385): sys/net/if.c 1.461 sys/net/if.h 1.277 sys/net/if_gif.c 1.149 sys/net/if_gif.h 1.33 sys/net/if_ipsec.c 1.19,1.20,1.24 sys/net/if_ipsec.h 1.5 sys/net/if_l2tp.c 1.33,1.36-1.39 sys/net/if_l2tp.h 1.7,1.8 sys/net/route.c 1.220,1.221 sys/net/route.h 1.125 sys/netinet/in_gif.c 1.95 sys/netinet/in_l2tp.c 1.17 sys/netinet/ip_input.c 1.391,1.392 sys/netinet/wqinput.c 1.6 sys/netinet6/in6_gif.c 1.94 sys/netinet6/in6_l2tp.c 1.18 sys/netinet6/ip6_forward.c 1.97 sys/netinet6/ip6_input.c 1.210,1.211 sys/netipsec/ipsec_output.c 1.82,1.83 (patched) sys/netipsec/ipsecif.c 1.12,1.13,1.15,1.17 (patched) sys/netipsec/key.c 1.259,1.260 ipsecif(4) support input drop packet counter. ipsecif(4) should not increment drop counter by errors not related to if_snd. Pointed out by ozaki-r@n.o, thanks. Remove unnecessary addresses in PF_KEY message. MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
    ====================
    5. SPD Update
    // snip
    SADB_X_SPDADD:
    // snip
    sadb_x_ipsecrequest_reqid: An ID for that SA can be passed to the kernel in the sadb_x_ipsecrequest_reqid field. If tunnel mode is specified, the sadb_x_ipsecrequest structure is followed by two sockaddr structures that define the tunnel endpoint addresses. In the case that transport mode is used, no additional addresses are specified.
    ====================
see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 ipsecif(4) uses transport mode, so it should not add addresses. ipsecif(4) supports multiple peers in the same NAPT. E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects NetBSD_A and NetBSD_C at the following figure.
                                           +----------+
                                      +----| NetBSD_B |
    +----------+           +------+   |    +----------+
    | NetBSD_A |--- ... ---| NAPT |---+
    +----------+           +------+   |    +----------+
                                      +----| NetBSD_C |
                                           +----------+
Add ATF later.
l2tp(4): fix output bytes counter. Pointed by k-goda@IIJ, thanks. remove a variable which is no longer used. l2tp: initialize mowner variables for MBUFTRACE Avoid having a rtcache directly in a percpu storage percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead. Reviewed by knakahara@ and yamaguchi@ wqinput: avoid having struct wqinput_worklist directly in a percpu storage percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Input handlers of wqinput normally involve sleepable operations so we must avoid dereferencing a percpu data (struct wqinput_worklist) after executing an input handler. Address this situation by having just a pointer to the data in a percpu storage instead. Reviewed by knakahara@ and yamaguchi@ Add missing #include <sys/kmem.h> Divide Tx context of l2tp(4) to improve performance. It seems l2tp(4) call path is too long for instruction cache. So, dividing l2tp(4) Tx context improves CPU use efficiency. 
After this commit, l2tp(4) throughput gains 10% on my machine(Atom C3000). Apply some missing changes lost on the previous commit Avoid having a rtcache directly in a percpu storage for tunnel protocols. percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead. Reviewed by ozaki-r@ and yamaguchi@ l2tp(4): avoid having struct ifqueue directly in a percpu storage. percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Tx processing of l2tp(4) normally involves sleepable operations so we must avoid dereferencing a percpu data (struct ifqueue) after executing Tx processing. Address this situation by having just a pointer to the data in a percpu storage instead. Reviewed by ozaki-r@ and yamaguchi@
Pull up following revision(s) (requested by ozaki-r in ticket #238): sys/netipsec/ipsec_output.c: revision 1.83 sys/net/route.h: revision 1.125 sys/netinet6/ip6_input.c: revision 1.210 sys/netinet6/ip6_input.c: revision 1.211 sys/net/if.c: revision 1.461 sys/net/if_gif.h: revision 1.33 sys/net/route.c: revision 1.220 sys/net/route.c: revision 1.221 sys/net/if.h: revision 1.277 sys/netinet6/ip6_forward.c: revision 1.97 sys/netinet/wqinput.c: revision 1.6 sys/net/if_ipsec.h: revision 1.5 sys/netinet6/in6_l2tp.c: revision 1.18 sys/netinet6/in6_gif.c: revision 1.94 sys/net/if_l2tp.h: revision 1.7 sys/net/if_gif.c: revision 1.149 sys/net/if_l2tp.h: revision 1.8 sys/netinet/in_gif.c: revision 1.95 sys/netinet/in_l2tp.c: revision 1.17 sys/netipsec/ipsecif.c: revision 1.17 sys/net/if_ipsec.c: revision 1.24 sys/net/if_l2tp.c: revision 1.37 sys/netinet/ip_input.c: revision 1.391 sys/net/if_l2tp.c: revision 1.38 sys/netinet/ip_input.c: revision 1.392 sys/net/if_l2tp.c: revision 1.39 Avoid having a rtcache directly in a percpu storage percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead. Reviewed by knakahara@ and yamaguchi@ - wqinput: avoid having struct wqinput_worklist directly in a percpu storage percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. 
If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Input handlers of wqinput normally involve sleepable operations so we must avoid dereferencing a percpu data (struct wqinput_worklist) after executing an input handler. Address this situation by having just a pointer to the data in a percpu storage instead. Reviewed by knakahara@ and yamaguchi@ - Add missing #include <sys/kmem.h> - Divide Tx context of l2tp(4) to improve performance. It seems l2tp(4) call path is too long for instruction cache. So, dividing l2tp(4) Tx context improves CPU use efficiency. After this commit, l2tp(4) throughput gains 10% on my machine(Atom C3000). - Apply some missing changes lost on the previous commit - Avoid having a rtcache directly in a percpu storage for tunnel protocols. percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead. Reviewed by ozaki-r@ and yamaguchi@ - l2tp(4): avoid having struct ifqueue directly in a percpu storage. percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. 
If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Tx processing of l2tp(4) normally involves sleepable operations so we must avoid dereferencing a percpu data (struct ifqueue) after executing Tx processing. Address this situation by having just a pointer to the data in a percpu storage instead. Reviewed by ozaki-r@ and yamaguchi@
Avoid having a rtcache directly in a percpu storage for tunnel protocols. percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called. Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead. Reviewed by ozaki-r@ and yamaguchi@
if_flags is neither int nor short. It's unsigned short.
Simplify "LIST_HEAD();" to make the code more understandable. No functional change.
Sync with HEAD
Pull up following revision(s) (requested by knakahara in ticket #1216): sys/net/if_ipsec.c: revision 1.21 Fix ipsecif(4) memory leak in some ioctl cases.
Fix ipsecif(4) memory leak in some ioctl cases.
Synch with HEAD
Sync with HEAD, resolve a few conflicts
Remove unnecessary addresses in PF_KEY message. MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
    ====================
    5. SPD Update
    // snip
    SADB_X_SPDADD:
    // snip
    sadb_x_ipsecrequest_reqid: An ID for that SA can be passed to the kernel in the sadb_x_ipsecrequest_reqid field. If tunnel mode is specified, the sadb_x_ipsecrequest structure is followed by two sockaddr structures that define the tunnel endpoint addresses. In the case that transport mode is used, no additional addresses are specified.
    ====================
see: https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01 ipsecif(4) uses transport mode, so it should not add addresses.
ipsecif(4) support input drop packet counter.
Pull up following revision(s) (requested by knakahara in ticket #1066): sys/net/if_vlan.c: revision 1.133 sys/net/if_gif.h: revision 1.32 sys/net/if_ipsec.c: revision 1.18 sys/net/if_ipsec.h: revision 1.4 sys/net/if_gif.c: revision 1.144 sys/net/if_l2tp.h: revision 1.6 sys/net/if_l2tp.c: revision 1.30 Fix panic when doing ioctl to multiple pseudo interfaces. Pointed out by k-goda@IIJ. XXX pullup-8
Sync with head
Fix panic when doing ioctl to multiple pseudo interfaces. Pointed out by k-goda@IIJ. XXX pullup-8
Sync with HEAD
Implement the BPF direction filter (BIOC[GS]DIRECTION). It provides backward compatibility with BIOC[GS]SEESENT ioctl. The userland interface is the same as FreeBSD. This change also fixes a bug that the direction is misunderstood on some environments by passing the direction to bpf_mtap*() instead of checking m->m_pkthdr.rcvif.
Sync with HEAD
Pull up following revision(s) (requested by knakahara in ticket #840): sys/net/if_ipsec.c: revision 1.15,1.16 Fix panic when ipsecif(4) adds discard policy. Pointed out by ohishi@IIJ, thanks. Reviewed by ohishi@IIJ. Sorry, I jumped the gun and committed. Fix the following two issues. - remove extra padding of sizeof(xisr) when adding ipsec policy - add padding for xpl when adding discard policy
Pull up following revision(s) (requested by knakahara in ticket #839): sys/net/if_ipsec.c: revision 1.14 ipsecif(4) must not set port number to spidx even if NAT-T. Pointed out by ohishi@IIJ, thanks.
Reviewed by ohishi@IIJ. Sorry, I jumped the gun and committed. Fix the following two issues. - remove extra padding of sizeof(xisr) when adding ipsec policy - add padding for xpl when adding discard policy
Fix panic when ipsecif(4) adds discard policy. Pointed out by ohishi@IIJ, thanks.
ipsecif(4) must not set port number to spidx even if NAT-T. Pointed out by ohishi@IIJ, thanks.
Pull up following revision(s) (requested by knakahara in ticket #829): sys/net/if_l2tp.c: revision 1.24 sys/net/if_ipsec.c: revision 1.13 sys/net/if_gif.h: revision 1.31 sys/netipsec/ipsecif.c: revision 1.8 sys/net/if_gif.c: revision 1.140 sys/netinet6/in6_l2tp.c: revision 1.15 sys/net/if_ipsec.h: revision 1.3 sys/netinet6/in6_gif.c: revision 1.92 sys/net/if_l2tp.h: revision 1.5 sys/netinet/in_l2tp.c: revision 1.13 sys/netinet/in_gif.c: revision 1.93 Fix LOCKDEBUG kernel panic when many (about 200) tunnel interfaces are created. The tunnel interfaces are gif(4), l2tp(4), and ipsecif(4). They use mutex itself in percpu area. When percpu_cpu_enlarge() runs, the address of the mutex in percpu area becomes different from the address which lockdebug saved. That can cause "already initialized" false detection.
Pull up following revision(s) (requested by knakahara in ticket #828): sys/net/if_ipsec.c: revision 1.12 Fix "how" argument of MGET(). Pointed out by maxv@n.o, thanks. MGET() does not have M_ZERO flag, so add memset when it is required.
Synch with HEAD
Fix LOCKDEBUG kernel panic when many (about 200) tunnel interfaces are created. The tunnel interfaces are gif(4), l2tp(4), and ipsecif(4). They use mutex itself in percpu area. When percpu_cpu_enlarge() runs, the address of the mutex in percpu area becomes different from the address which lockdebug saved. That can cause "already initialized" false detection.
Fix "how" argument of MGET(). Pointed out by maxv@n.o, thanks. MGET() does not have M_ZERO flag, so add memset when it is required.
Pull up following revision(s) (requested by knakahara in ticket #714): sys/net/if_ipsec.c: revision 1.8 - 1.11 sys/netipsec/ipsecif.h: revision 1.2 sys/netipsec/ipsecif.c: revision 1.6,1.7 fix ipsec(4) encap_lock leak. fix ipsecif(4) unmatch curlwp_bind. fix ipsecif(4) stack overflow. Add IPv4 ID when the ipsecif(4) packet can be fragmented. Implemented by hsuenaga@IIJ and ohishi@IIJ, thanks. This modification reduces packet loss of fragmented packets on a network where reordering occurs. Although this modification has been applied, IPv4 ID is not set for the packet smaller than IP_MINFRAGSIZE. According to RFC 6864, that must not cause problems. Fix unexpected failure when ipsecif(4) over IPv6 is changed port number only. Here is an example of the operation which causes this problem.
    # ifconfig ipsec0 create link0
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
Sync with HEAD. 77 conflicts resolved - all of them $NetBSD$
Fix unexpected failure when ipsecif(4) over IPv6 is changed port number only. Here is an example of the operation which causes this problem.
    # ifconfig ipsec0 create link0
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
fix ipsecif(4) stack overflow. XXX pullup-8
fix ipsecif(4) unmatch curlwp_bind. XXX pullup-8
fix ipsec(4) encap_lock leak. XXX pullup-8
Synch with HEAD
Pull up following revision(s) (requested by knakahara in ticket #627): sys/netipsec/ipsecif.c: revision 1.5 tests/net/if_ipsec/t_ipsec.sh: revision 1.4 sys/net/if_ipsec.c: revision 1.7 Fix IPv6 ipsecif(4) ATF regression, sorry. There must *not* be padding between the src sockaddr and the dst sockaddr after struct sadb_x_policy. Comment out confusing (and incorrect) code and add comment. Pointed out by maxv@n.o, thanks. Enhance assertion ipsecif(4) ATF to avoid confusing setkey(8) error message. When setkey(8) says "syntax error at [-E]", it must mean get_if_ipsec_unique() failed.
Pull up following revision(s) (requested by knakahara in ticket #620): sys/netipsec/ipsecif.c: revision 1.4 sys/net/if_ipsec.c: revision 1.4 sys/net/if_ipsec.c: revision 1.5 sys/net/if_ipsec.c: revision 1.6 NAT-T src and dst port in ipsec_variant should be network byte order. Fix missing sadb_x_ipsecrequest information for PF_KEY message. Functionalize duplicated code. No functional changes. Fix ipsec(4) I/F esp_frag support.
Fix IPv6 ipsecif(4) ATF regression, sorry. There must *not* be padding between the src sockaddr and the dst sockaddr after struct sadb_x_policy.
Functionalize duplicated code. No functional changes.
Fix missing sadb_x_ipsecrequest information for PF_KEY message.
NAT-T src and dst port in ipsec_variant should be network byte order.
Pull up following revision(s) (requested by ozaki-r in ticket #536): distrib/sets/lists/base/shl.mi: 1.825 distrib/sets/lists/comp/mi: 1.2168-1.2169 distrib/sets/lists/comp/shl.mi: 1.310 distrib/sets/lists/debug/mi: 1.234 distrib/sets/lists/debug/shl.mi: 1.188 distrib/sets/lists/man/mi: 1.1570 distrib/sets/lists/tests/mi: 1.772 etc/mtree/NetBSD.dist.tests: 1.150 share/man/man4/Makefile: 1.650 share/man/man4/ipsec.4: 1.42-1.43 share/man/man4/ipsecif.4: 1.1-1.5 sys/arch/amd64/conf/ALL: 1.77 sys/arch/amd64/conf/GENERIC: 1.480 sys/conf/files: 1.1191 sys/net/Makefile: 1.34 sys/net/files.net: 1.14 sys/net/if.c: 1.404 sys/net/if.h: 1.248 sys/net/if_gif.c: 1.135 sys/net/if_ipsec.c: 1.1-1.3 sys/net/if_ipsec.h: 1.1 sys/net/if_l2tp.c: 1.16 sys/net/if_types.h: 1.28 sys/netinet/in.c: 1.214 sys/netinet/in.h: 1.103 sys/netinet/in_gif.c: 1.92 sys/netinet/ip_var.h: 1.122 sys/netinet6/in6.c: 1.257 sys/netinet6/in6.h: 1.88 sys/netinet6/in6_gif.c: 1.90 sys/netinet6/ip6_var.h: 1.75 sys/netipsec/Makefile: 1.6 sys/netipsec/files.netipsec: 1.13 sys/netipsec/ipsec.h: 1.62 sys/netipsec/ipsecif.c: 1.1 sys/netipsec/ipsecif.h: 1.1 sys/netipsec/key.c: 1.246-1.247 sys/netipsec/key.h: 1.34 sys/rump/net/Makefile.rumpnetcomp: 1.20 sys/rump/net/lib/libipsec/IPSEC.ioconf: 1.1 sys/rump/net/lib/libipsec/Makefile: 1.1 sys/rump/net/lib/libipsec/ipsec_component.c: 1.1 tests/net/Makefile: 1.34 tests/net/if_ipsec/Makefile: 1.1 tests/net/if_ipsec/t_ipsec.sh: 1.1-1.2 Don't touch an SP without a reference to it unify processing to check nesting count for some tunnel protocols. add ipsec(4) interface, which is used for route-based VPN. man and ATF are added later, please see man for details. reviewed by christos@n.o, joerg@n.o and ozaki-r@n.o, thanks. https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html ipsec(4) interface supports rump now. add ipsec(4) interface ATF. add ipsec(4) interface man as ipsecif.4. add ipsec(4) interface to amd64/GENERIC and amd64/ALL configs. 
apply in{,6}_tunnel_validate() to gif(4). Spell IPsec that way. Simplify macro usage. Sort SEE ALSO. Bump date for previous. Improve wording and macro use. Some parts are not clear to me, so someone with knowledge of ipsecif(4) should improve this some more. Improve ipsecif.4. Default port ipsec(4) NAT-T is tested now. pointed out by wiz@n.o and suggested by ozaki-r@n.o, thanks. Change the prefix of test names to ipsecif_ to distinguish from tests for ipsec(4) New sentence, new line. Remove empty macro. Fix PR kern/52920. Pointed out by David Binderman, thanks. Improve wording, and put a new drawing, from me and Kengo Nakahara. apply a little more #ifdef INET/INET6. fixes !INET6 builds.
file if_ipsec.c was added on branch netbsd-8 on 2018-02-11 21:17:34 +0000
apply a little more #ifdef INET/INET6. fixes !INET6 builds.
Fix PR kern/52920. Pointed out by David Binderman, thanks.
add ipsec(4) interface, which is used for route-based VPN. man and ATF are added later, please see man for details. reviewed by christos@n.o, joerg@n.o and ozaki-r@n.o, thanks. https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html