The NetBSD Project

CVS log for src/sys/netipsec/ipsec_output.c

[BACK] Up to [cvs.NetBSD.org] / src / sys / netipsec

Request diff between arbitrary revisions


Default branch: MAIN


Revision 1.86 / (download) - annotate - [select for diffs], Fri Jan 27 09:33:43 2023 UTC (10 days, 9 hours ago) by ozaki-r
Branch: MAIN
CVS Tags: HEAD
Changes since 1.85: +4 -15 lines
Diff to previous 1.85 (colored)

ipsec: remove unnecessary splsoftnet

Because the code of IPsec itself is already MP-safe.

Revision 1.85 / (download) - annotate - [select for diffs], Sun Apr 10 09:50:46 2022 UTC (9 months, 4 weeks ago) by andvar
Branch: MAIN
CVS Tags: netbsd-10-base, netbsd-10, bouyer-sunxi-drm-base, bouyer-sunxi-drm
Changes since 1.84: +3 -3 lines
Diff to previous 1.84 (colored)

fix various typos in comments and output/log messages.

Revision 1.80.2.2 / (download) - annotate - [select for diffs], Mon Apr 13 08:05:17 2020 UTC (2 years, 9 months ago) by martin
Branch: phil-wifi
Changes since 1.80.2.1: +16 -16 lines
Diff to previous 1.80.2.1 (colored) to branchpoint 1.80 (colored) next main 1.81 (colored)

Mostly merge changes from HEAD upto 20200411

Revision 1.84 / (download) - annotate - [select for diffs], Fri Nov 1 04:23:21 2019 UTC (3 years, 3 months ago) by knakahara
Branch: MAIN
CVS Tags: thorpej-i2c-spi-conf2-base, thorpej-i2c-spi-conf2, thorpej-i2c-spi-conf-base, thorpej-i2c-spi-conf, thorpej-futex2-base, thorpej-futex2, thorpej-futex-base, thorpej-futex, thorpej-cfargs2-base, thorpej-cfargs2, thorpej-cfargs-base, thorpej-cfargs, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, is-mlppp-base, is-mlppp, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, bouyer-xenpvh-base2, bouyer-xenpvh-base1, bouyer-xenpvh-base, bouyer-xenpvh, ad-namecache-base3, ad-namecache-base2, ad-namecache-base1, ad-namecache-base, ad-namecache
Changes since 1.83: +13 -13 lines
Diff to previous 1.83 (colored)

Fix ipsecif(4) IPV6_MINMTU does not work correctly.

Revision 1.48.2.4 / (download) - annotate - [select for diffs], Tue Sep 24 18:27:09 2019 UTC (3 years, 4 months ago) by martin
Branch: netbsd-8
CVS Tags: netbsd-8-2-RELEASE
Changes since 1.48.2.3: +27 -9 lines
Diff to previous 1.48.2.3 (colored) to branchpoint 1.48 (colored) next main 1.49 (colored)

Pull up following revision(s) (requested by knakahara in ticket #1385):

	sys/net/if.c				1.461
	sys/net/if.h				1.277
	sys/net/if_gif.c			1.149
	sys/net/if_gif.h			1.33
	sys/net/if_ipsec.c			1.19,1.20,1.24
	sys/net/if_ipsec.h			1.5
	sys/net/if_l2tp.c			1.33,1.36-1.39
	sys/net/if_l2tp.h			1.7,1.8
	sys/net/route.c				1.220,1.221
	sys/net/route.h				1.125
	sys/netinet/in_gif.c			1.95
	sys/netinet/in_l2tp.c			1.17
	sys/netinet/ip_input.c			1.391,1.392
	sys/netinet/wqinput.c			1.6
	sys/netinet6/in6_gif.c			1.94
	sys/netinet6/in6_l2tp.c			1.18
	sys/netinet6/ip6_forward.c		1.97
	sys/netinet6/ip6_input.c		1.210,1.211
	sys/netipsec/ipsec_output.c		1.82,1.83 (patched)
	sys/netipsec/ipsecif.c			1.12,1.13,1.15,1.17 (patched)
	sys/netipsec/key.c			1.259,1.260

ipsecif(4) support input drop packet counter.

ipsecif(4) should not increment drop counter by errors not related to if_snd. Pointed out by ozaki-r@n.o, thanks.
Remove unnecessary addresses in PF_KEY message.

MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
====================
5.  SPD Update
// snip
   SADB_X_SPDADD:
// snip
      sadb_x_ipsecrequest_reqid:
         An ID for that SA can be passed to the kernel in the
         sadb_x_ipsecrequest_reqid field.
      If tunnel mode is specified, the sadb_x_ipsecrequest structure is
      followed by two sockaddr structures that define the tunnel
      endpoint addresses.  In the case that transport mode is used, no
      additional addresses are specified.
====================
see: <a  rel="nofollow" href="https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01">https://tools.ietf.org/html/draft-schilcher-mobike-pfkey-extension-01</a>

ipsecif(4) uses transport mode, so it should not add addresses.

ipsecif(4) supports multiple peers in the same NAPT.

E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects
NetBSD_A and NetBSD_C at the following figure.
                                        +----------+
                                   +----| NetBSD_B |
 +----------+           +------+   |    +----------+
 | NetBSD_A |--- ... ---| NAPT |---+
 +----------+           +------+   |    +----------+
                                   +----| NetBSD_C |
                                        +----------+

Add ATF later.

l2tp(4): fix output bytes counter. Pointed by k-goda@IIJ, thanks.
remove a variable which is no longer used.

l2tp: initialize mowner variables for MBUFTRACE

Avoid having a rtcache directly in a percpu storage
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by knakahara@ and yamaguchi@


wqinput: avoid having struct wqinput_worklist directly in a percpu storage
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Input handlers of wqinput normally involves sleepable operations so we must
avoid dereferencing a percpu data (struct wqinput_worklist) after executing
an input handler.  Address this situation by having just a pointer to the data
in a percpu storage instead.

Reviewed by knakahara@ and yamaguchi@

Add missing #include <sys/kmem.h>

Divide Tx context of l2tp(4) to improve performance.
It seems l2tp(4) call path is too long for instruction cache. So, dividing
l2tp(4) Tx context improves CPU use efficiency.

After this commit, l2tp(4) throughput gains 10% on my machine(Atom C3000).

Apply some missing changes lost on the previous commit

Avoid having a rtcache directly in a percpu storage for tunnel protocols.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@

l2tp(4): avoid having struct ifqueue directly in a percpu storage.

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Tx processing of l2tp(4) uses normally involves sleepable operations so we
must avoid dereferencing a percpu data (struct ifqueue) after executing Tx
processing.  Address this situation by having just a pointer to the data in
a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@

Revision 1.82.4.1 / (download) - annotate - [select for diffs], Tue Sep 24 03:10:35 2019 UTC (3 years, 4 months ago) by martin
Branch: netbsd-9
CVS Tags: netbsd-9-3-RELEASE, netbsd-9-2-RELEASE, netbsd-9-1-RELEASE, netbsd-9-0-RELEASE, netbsd-9-0-RC2, netbsd-9-0-RC1
Changes since 1.82: +5 -5 lines
Diff to previous 1.82 (colored) next main 1.83 (colored)

Pull up following revision(s) (requested by ozaki-r in ticket #238):

	sys/netipsec/ipsec_output.c: revision 1.83
	sys/net/route.h: revision 1.125
	sys/netinet6/ip6_input.c: revision 1.210
	sys/netinet6/ip6_input.c: revision 1.211
	sys/net/if.c: revision 1.461
	sys/net/if_gif.h: revision 1.33
	sys/net/route.c: revision 1.220
	sys/net/route.c: revision 1.221
	sys/net/if.h: revision 1.277
	sys/netinet6/ip6_forward.c: revision 1.97
	sys/netinet/wqinput.c: revision 1.6
	sys/net/if_ipsec.h: revision 1.5
	sys/netinet6/in6_l2tp.c: revision 1.18
	sys/netinet6/in6_gif.c: revision 1.94
	sys/net/if_l2tp.h: revision 1.7
	sys/net/if_gif.c: revision 1.149
	sys/net/if_l2tp.h: revision 1.8
	sys/netinet/in_gif.c: revision 1.95
	sys/netinet/in_l2tp.c: revision 1.17
	sys/netipsec/ipsecif.c: revision 1.17
	sys/net/if_ipsec.c: revision 1.24
	sys/net/if_l2tp.c: revision 1.37
	sys/netinet/ip_input.c: revision 1.391
	sys/net/if_l2tp.c: revision 1.38
	sys/netinet/ip_input.c: revision 1.392
	sys/net/if_l2tp.c: revision 1.39

Avoid having a rtcache directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.
Reviewed by knakahara@ and yamaguchi@

 -

wqinput: avoid having struct wqinput_worklist directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Input handlers of wqinput normally involves sleepable operations so we must
avoid dereferencing a percpu data (struct wqinput_worklist) after executing
an input handler.  Address this situation by having just a pointer to the data
in a percpu storage instead.
Reviewed by knakahara@ and yamaguchi@

 -

Add missing #include <sys/kmem.h>

 -

Divide Tx context of l2tp(4) to improve performance.

It seems l2tp(4) call path is too long for instruction cache. So, dividing
l2tp(4) Tx context improves CPU use efficiency.

After this commit, l2tp(4) throughput gains 10% on my machine(Atom C3000).

 -

Apply some missing changes lost on the previous commit

 -

Avoid having a rtcache directly in a percpu storage for tunnel protocols.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@

 -

l2tp(4): avoid having struct ifqueue directly in a percpu storage.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Tx processing of l2tp(4) uses normally involves sleepable operations so we
must avoid dereferencing a percpu data (struct ifqueue) after executing Tx
processing.  Address this situation by having just a pointer to the data in
a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@

Revision 1.83 / (download) - annotate - [select for diffs], Thu Sep 19 04:08:30 2019 UTC (3 years, 4 months ago) by ozaki-r
Branch: MAIN
Changes since 1.82: +5 -5 lines
Diff to previous 1.82 (colored)

Avoid having a rtcache directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by knakahara@ and yamaguchi@

Revision 1.80.2.1 / (download) - annotate - [select for diffs], Mon Jun 10 22:09:48 2019 UTC (3 years, 7 months ago) by christos
Branch: phil-wifi
Changes since 1.80: +53 -12 lines
Diff to previous 1.80 (colored)

Sync with HEAD

Revision 1.71.2.6 / (download) - annotate - [select for diffs], Fri Jan 18 08:50:58 2019 UTC (4 years ago) by pgoyette
Branch: pgoyette-compat
CVS Tags: pgoyette-compat-merge-20190127
Changes since 1.71.2.5: +24 -6 lines
Diff to previous 1.71.2.5 (colored) to branchpoint 1.71 (colored) next main 1.72 (colored)

Synch with HEAD

Revision 1.82 / (download) - annotate - [select for diffs], Wed Dec 26 08:58:51 2018 UTC (4 years, 1 month ago) by knakahara
Branch: MAIN
CVS Tags: phil-wifi-20190609, pgoyette-compat-20190127, pgoyette-compat-20190118, netbsd-9-base, isaki-audio2-base, isaki-audio2
Branch point for: netbsd-9
Changes since 1.81: +24 -6 lines
Diff to previous 1.81 (colored)

ipsecif(4) supports multiple peers in the same NAPT.

E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects
NetBSD_A and NetBSD_C at the following figure.

                                        +----------+
                                   +----| NetBSD_B |
 +----------+           +------+   |    +----------+
 | NetBSD_A |--- ... ---| NAPT |---+
 +----------+           +------+   |    +----------+
                                   +----| NetBSD_C |
                                        +----------+

Add ATF later.

Revision 1.71.2.5 / (download) - annotate - [select for diffs], Mon Nov 26 01:52:51 2018 UTC (4 years, 2 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.71.2.4: +31 -8 lines
Diff to previous 1.71.2.4 (colored) to branchpoint 1.71 (colored)

Sync with HEAD, resolve a couple of conflicts

Revision 1.81 / (download) - annotate - [select for diffs], Thu Nov 22 04:48:34 2018 UTC (4 years, 2 months ago) by knakahara
Branch: MAIN
CVS Tags: pgoyette-compat-1226, pgoyette-compat-1126
Changes since 1.80: +31 -8 lines
Diff to previous 1.80 (colored)

Support IPv6 NAT-T. Implemented by hsuenaga@IIJ and ohishi@IIJ.

Add ATF later.

Revision 1.71.2.4 / (download) - annotate - [select for diffs], Mon Jun 25 07:26:07 2018 UTC (4 years, 7 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.71.2.3: +21 -31 lines
Diff to previous 1.71.2.3 (colored) to branchpoint 1.71 (colored)

Sync with HEAD

Revision 1.80 / (download) - annotate - [select for diffs], Thu May 31 15:06:45 2018 UTC (4 years, 8 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625
Branch point for: phil-wifi
Changes since 1.79: +19 -16 lines
Diff to previous 1.79 (colored)

Adapt rev1.75, suggested by Alexander Bluhm. Relax the checks to allow
protocols smaller than two bytes (only IPPROTO_NONE). While here style.

Revision 1.79 / (download) - annotate - [select for diffs], Thu May 31 07:03:57 2018 UTC (4 years, 8 months ago) by maxv
Branch: MAIN
Changes since 1.78: +4 -17 lines
Diff to previous 1.78 (colored)

Remove support for non-IKE markers in the kernel. Discussed on tech-net@,
and now in PR/53334. Basically non-IKE markers come from a deprecated
draft, and our kernel code for them has never worked.

Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE.

Perhaps we should also add a check in key_handle_natt_info(), to make
sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.

Revision 1.71.2.3 / (download) - annotate - [select for diffs], Mon May 21 04:36:16 2018 UTC (4 years, 8 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.71.2.2: +6 -10 lines
Diff to previous 1.71.2.2 (colored) to branchpoint 1.71 (colored)

Sync with HEAD

Revision 1.78 / (download) - annotate - [select for diffs], Mon May 7 09:33:51 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0521
Changes since 1.77: +2 -6 lines
Diff to previous 1.77 (colored)

Remove a dummy reference to XF_IP4, explain briefly why we don't use
ipe4_xformsw, and remove unused includes.

Revision 1.77 / (download) - annotate - [select for diffs], Mon May 7 09:25:04 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
Changes since 1.76: +4 -4 lines
Diff to previous 1.76 (colored)

Remove now unused 'isr', 'skip' and 'protoff' arguments from ipip_output.

Revision 1.76 / (download) - annotate - [select for diffs], Mon May 7 09:16:46 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
Changes since 1.75: +4 -4 lines
Diff to previous 1.75 (colored)

Remove unused 'mp' argument from all the xf_output functions. Also clean
up xform.h a bit.

Revision 1.48.2.3 / (download) - annotate - [select for diffs], Sat May 5 19:31:33 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-8
CVS Tags: netbsd-8-1-RELEASE, netbsd-8-1-RC1, netbsd-8-0-RELEASE, netbsd-8-0-RC2
Changes since 1.48.2.2: +17 -13 lines
Diff to previous 1.48.2.2 (colored) to branchpoint 1.48 (colored)

Pull up following revision(s) (requested by maxv in ticket #799):

	sys/netipsec/ipsec_output.c: revision 1.75
	sys/netipsec/ipsec_output.c: revision 1.67

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.40.8.1 / (download) - annotate - [select for diffs], Thu May 3 14:49:50 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-7-0
Changes since 1.40: +17 -13 lines
Diff to previous 1.40 (colored) next main 1.41 (colored)

Pull up following revision(s) (requested by maxv in ticket #1600):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.40.12.1 / (download) - annotate - [select for diffs], Thu May 3 14:48:26 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-7-1
Changes since 1.40: +17 -13 lines
Diff to previous 1.40 (colored) next main 1.41 (colored)

Pull up following revision(s) (requested by maxv in ticket #1600):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.40.4.1 / (download) - annotate - [select for diffs], Thu May 3 14:47:22 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-7
CVS Tags: netbsd-7-2-RELEASE
Changes since 1.40: +17 -13 lines
Diff to previous 1.40 (colored) next main 1.41 (colored)

Pull up following revision(s) (requested by maxv in ticket #1600):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.38.8.1 / (download) - annotate - [select for diffs], Thu May 3 14:37:25 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-6-0
Changes since 1.38: +17 -13 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

Pull up following revision(s) (requested by maxv in ticket #1546):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.38.16.1 / (download) - annotate - [select for diffs], Thu May 3 14:36:30 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-6-1
Changes since 1.38: +17 -13 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

Pull up following revision(s) (requested by maxv in ticket #1546):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.38.2.1 / (download) - annotate - [select for diffs], Thu May 3 14:33:30 2018 UTC (4 years, 9 months ago) by martin
Branch: netbsd-6
Changes since 1.38: +17 -13 lines
Diff to previous 1.38 (colored) next main 1.39 (colored)

Pull up following revision(s) (requested by maxv in ticket #1546):

	sys/netipsec/ipsec_output.c: revision 1.67,1.75 (via patch)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.71.2.2 / (download) - annotate - [select for diffs], Wed May 2 07:20:24 2018 UTC (4 years, 9 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.71.2.1: +17 -16 lines
Diff to previous 1.71.2.1 (colored) to branchpoint 1.71 (colored)

Synch with HEAD

Revision 1.75 / (download) - annotate - [select for diffs], Tue May 1 05:42:26 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0502
Changes since 1.74: +17 -13 lines
Diff to previous 1.74 (colored)

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.74 / (download) - annotate - [select for diffs], Sat Apr 28 15:45:16 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
Changes since 1.73: +2 -5 lines
Diff to previous 1.73 (colored)

Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.

Revision 1.71.2.1 / (download) - annotate - [select for diffs], Sun Apr 22 07:20:28 2018 UTC (4 years, 9 months ago) by pgoyette
Branch: pgoyette-compat
Changes since 1.71: +17 -16 lines
Diff to previous 1.71 (colored)

Sync with HEAD

Revision 1.73 / (download) - annotate - [select for diffs], Thu Apr 19 08:27:38 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0422
Changes since 1.72: +3 -3 lines
Diff to previous 1.72 (colored)

Remove extra long file paths from the headers.

Revision 1.72 / (download) - annotate - [select for diffs], Wed Apr 18 06:52:35 2018 UTC (4 years, 9 months ago) by maxv
Branch: MAIN
Changes since 1.71: +16 -15 lines
Diff to previous 1.71 (colored)

style

Revision 1.71 / (download) - annotate - [select for diffs], Mon Mar 5 11:50:25 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-base, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.70: +8 -12 lines
Diff to previous 1.70 (colored)

Call m_pullup earlier, fixes one branch.

Revision 1.70 / (download) - annotate - [select for diffs], Sat Mar 3 09:39:29 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.69: +4 -2 lines
Diff to previous 1.69 (colored)

Add KASSERTs, we don't want m_nextpkt in ipsec{4/6}_process_packet.

Revision 1.69 / (download) - annotate - [select for diffs], Mon Feb 26 06:34:39 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.68: +10 -12 lines
Diff to previous 1.68 (colored)

Fix mbuf mistake: we are using ip6 before it is pulled up properly.

Revision 1.68 / (download) - annotate - [select for diffs], Wed Feb 21 17:04:52 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.67: +58 -63 lines
Diff to previous 1.67 (colored)

Style, no functional change.

Revision 1.67 / (download) - annotate - [select for diffs], Wed Feb 21 16:55:53 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.66: +3 -3 lines
Diff to previous 1.66 (colored)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Revision 1.66 / (download) - annotate - [select for diffs], Thu Feb 8 20:57:41 2018 UTC (4 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.65: +2 -4 lines
Diff to previous 1.65 (colored)

Remove unused net_osdep.h include.

Revision 1.48.2.2 / (download) - annotate - [select for diffs], Tue Jan 2 10:20:34 2018 UTC (5 years, 1 month ago) by snj
Branch: netbsd-8
CVS Tags: netbsd-8-0-RC1
Changes since 1.48.2.1: +4 -8 lines
Diff to previous 1.48.2.1 (colored) to branchpoint 1.48 (colored)

Pull up following revision(s) (requested by ozaki-r in ticket #456):
	sys/arch/arm/sunxi/sunxi_emac.c: 1.9
	sys/dev/ic/dwc_gmac.c: 1.43-1.44
	sys/dev/pci/if_iwm.c: 1.75
	sys/dev/pci/if_wm.c: 1.543
	sys/dev/pci/ixgbe/ixgbe.c: 1.112
	sys/dev/pci/ixgbe/ixv.c: 1.74
	sys/kern/sys_socket.c: 1.75
	sys/net/agr/if_agr.c: 1.43
	sys/net/bpf.c: 1.219
	sys/net/if.c: 1.397, 1.399, 1.401-1.403, 1.406-1.410, 1.412-1.416
	sys/net/if.h: 1.242-1.247, 1.250, 1.252-1.257
	sys/net/if_bridge.c: 1.140 via patch, 1.142-1.146
	sys/net/if_etherip.c: 1.40
	sys/net/if_ethersubr.c: 1.243, 1.246
	sys/net/if_faith.c: 1.57
	sys/net/if_gif.c: 1.132
	sys/net/if_l2tp.c: 1.15, 1.17
	sys/net/if_loop.c: 1.98-1.101
	sys/net/if_media.c: 1.35
	sys/net/if_pppoe.c: 1.131-1.132
	sys/net/if_spppsubr.c: 1.176-1.177
	sys/net/if_tun.c: 1.142
	sys/net/if_vlan.c: 1.107, 1.109, 1.114-1.121
	sys/net/npf/npf_ifaddr.c: 1.3
	sys/net/npf/npf_os.c: 1.8-1.9
	sys/net/rtsock.c: 1.230
	sys/netcan/if_canloop.c: 1.3-1.5
	sys/netinet/if_arp.c: 1.255
	sys/netinet/igmp.c: 1.65
	sys/netinet/in.c: 1.210-1.211
	sys/netinet/in_pcb.c: 1.180
	sys/netinet/ip_carp.c: 1.92, 1.94
	sys/netinet/ip_flow.c: 1.81
	sys/netinet/ip_input.c: 1.362
	sys/netinet/ip_mroute.c: 1.147
	sys/netinet/ip_output.c: 1.283, 1.285, 1.287
	sys/netinet6/frag6.c: 1.61
	sys/netinet6/in6.c: 1.251, 1.255
	sys/netinet6/in6_pcb.c: 1.162
	sys/netinet6/ip6_flow.c: 1.35
	sys/netinet6/ip6_input.c: 1.183
	sys/netinet6/ip6_output.c: 1.196
	sys/netinet6/mld6.c: 1.90
	sys/netinet6/nd6.c: 1.239-1.240
	sys/netinet6/nd6_nbr.c: 1.139
	sys/netinet6/nd6_rtr.c: 1.136
	sys/netipsec/ipsec_output.c: 1.65
	sys/rump/net/lib/libnetinet/netinet_component.c: 1.9-1.10
kmem_intr_free kmem_intr_[z]alloced memory
the underlying pools are the same but api-wise those should match
Unify IFEF_*_MPSAFE into IFEF_MPSAFE
There are already two flags for if_output and if_start, however, it seems such
MPSAFE flags are eventually needed for all if_XXX operations. Having discrete
flags for each operation is wasteful of if_extflags bits. So let's unify
the flags into one: IFEF_MPSAFE.
Fortunately IFEF_*_MPSAFE flags have never been included in any releases, so
we can change them without breaking backward compatibility of the releases
(though the kernel version of -current should be bumped).
Note that if an interface have both MP-safe and non-MP-safe operations at a
time, we have to set the IFEF_MPSAFE flag and let callees of non-MP-safe
opeartions take the kernel lock.
Proposed on tech-kern@ and tech-net@
Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch
It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.
No functional change
Hold KERNEL_LOCK on if_ioctl selectively based on IFEF_MPSAFE
If IFEF_MPSAFE is set, hold the lock and otherwise don't hold.
This change requires additions of KERNEL_LOCK to subsequence functions from
if_ioctl such as ifmedia_ioctl and ifioctl_common to protect non-MP-safe
components.
Proposed on tech-kern@ and tech-net@
Ensure to hold if_ioctl_lock when calling if_flags_set
Fix locking against myself on ifpromisc
vlan_unconfig_locked could be called with holding if_ioctl_lock.
Ensure to not turn on IFF_RUNNING of an interface until its initialization completes
And ensure to turn off it before destruction as per IFF_RUNNING's description
"resource allocated". (The description is a bit doubtful though, I believe the
change is still proper.)
Ensure to hold if_ioctl_lock on if_up and if_down
One exception for if_down is if_detach; in the case the lock isn't needed
because it's guaranteed that no other one can access ifp at that point.
Make if_link_queue MP-safe if IFEF_MPSAFE
if_link_queue is a queue to store events of link state changes, which is
used to pass events from (typically) an interrupt handler to
if_link_state_change softint. The queue was protected by KERNEL_LOCK so far,
but if IFEF_MPSAFE is enabled, it becomes unsafe because (perhaps) an interrupt
handler of an interface with IFEF_MPSAFE doesn't take KERNEL_LOCK. Protect it
by a spin mutex.
Additionally with this change KERNEL_LOCK of if_link_state_change softint is
omitted if NET_MPSAFE is enabled.
Note that the spin mutex is now ifp->if_snd.ifq_lock as well as the case of
if_timer (see the comment).
Use IFADDR_WRITER_FOREACH instead of IFADDR_READER_FOREACH
At that point no other one modifies the list so IFADDR_READER_FOREACH
is unnecessary. Use of IFADDR_READER_FOREACH is harmless in general though,
if we try to detect contract violations of pserialize, using it violates
the contract. So avoid using it makes life easy.
Ensure to call if_addr_init with holding if_ioctl_lock
Get rid of outdated comments
Fix build of kernels without ether
By throwing out if_enable_vlan_mtu and if_disable_vlan_mtu that
created a unnecessary dependency from if.c to if_ethersubr.c.
PR kern/52790
Rename IFNET_LOCK to IFNET_GLOBAL_LOCK
IFNET_LOCK will be used in another lock, if_ioctl_lock (might be renamed then).
Wrap if_ioctl_lock with IFNET_* macros (NFC)
Also if_ioctl_lock perhaps needs to be renamed to something because it's now
not just for ioctl...
Reorder some destruction routines in if_detach
- Destroy if_ioctl_lock at the end of the if_detach because it's used in various
  destruction routines
- Move psref_target_destroy after pr_purgeif because we want to use psref in
  pr_purgeif (otherwise destruction procedures can be tricky)
Ensure to call if_mcast_op with holding IFNET_LOCK
Note that CARP doesn't deal with IFNET_LOCK yet.
Remove IFNET_GLOBAL_LOCK where it's unnecessary because IFNET_LOCK is held
Describe which lock is used to protect each member variable of struct ifnet
Requested by skrll@
Write a guideline for converting an interface to IFEF_MPSAFE
Requested by skrll@
Note that IFNET_LOCK must not be held in softint
Don't set IFEF_MPSAFE unless NET_MPSAFE at this point
Because recent investigations show that interfaces with IFEF_MPSAFE need to
follow additional restrictions to work with the flag safely. We should enable it
on an interface by default only if the interface surely satisfies the
restrictions, which are described in if.h.
Note that enabling IFEF_MPSAFE solely gains a few benefit on performance because
the network stack is still serialized by the big kernel locks by default.

Revision 1.38.6.3 / (download) - annotate - [select for diffs], Sun Dec 3 11:39:05 2017 UTC (5 years, 2 months ago) by jdolecek
Branch: tls-maxphys
Changes since 1.38.6.2: +264 -243 lines
Diff to previous 1.38.6.2 (colored) to branchpoint 1.38 (colored) next main 1.39 (colored)

update from HEAD

Revision 1.65 / (download) - annotate - [select for diffs], Fri Nov 17 07:37:12 2017 UTC (5 years, 2 months ago) by ozaki-r
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202
Changes since 1.64: +4 -8 lines
Diff to previous 1.64 (colored)

Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch

It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.

No functional change

Revision 1.48.2.1 / (download) - annotate - [select for diffs], Sat Oct 21 19:43:54 2017 UTC (5 years, 3 months ago) by snj
Branch: netbsd-8
CVS Tags: matt-nb8-mediatek-base, matt-nb8-mediatek
Changes since 1.48: +172 -119 lines
Diff to previous 1.48 (colored)

Pull up following revision(s) (requested by ozaki-r in ticket #300):
	crypto/dist/ipsec-tools/src/setkey/parse.y: 1.19
	crypto/dist/ipsec-tools/src/setkey/token.l: 1.20
	distrib/sets/lists/tests/mi: 1.754, 1.757, 1.759
	doc/TODO.smpnet: 1.12-1.13
	sys/net/pfkeyv2.h: 1.32
	sys/net/raw_cb.c: 1.23-1.24, 1.28
	sys/net/raw_cb.h: 1.28
	sys/net/raw_usrreq.c: 1.57-1.58
	sys/net/rtsock.c: 1.228-1.229
	sys/netinet/in_proto.c: 1.125
	sys/netinet/ip_input.c: 1.359-1.361
	sys/netinet/tcp_input.c: 1.359-1.360
	sys/netinet/tcp_output.c: 1.197
	sys/netinet/tcp_var.h: 1.178
	sys/netinet6/icmp6.c: 1.213
	sys/netinet6/in6_proto.c: 1.119
	sys/netinet6/ip6_forward.c: 1.88
	sys/netinet6/ip6_input.c: 1.181-1.182
	sys/netinet6/ip6_output.c: 1.193
	sys/netinet6/ip6protosw.h: 1.26
	sys/netipsec/ipsec.c: 1.100-1.122
	sys/netipsec/ipsec.h: 1.51-1.61
	sys/netipsec/ipsec6.h: 1.18-1.20
	sys/netipsec/ipsec_input.c: 1.44-1.51
	sys/netipsec/ipsec_netbsd.c: 1.41-1.45
	sys/netipsec/ipsec_output.c: 1.49-1.64
	sys/netipsec/ipsec_private.h: 1.5
	sys/netipsec/key.c: 1.164-1.234
	sys/netipsec/key.h: 1.20-1.32
	sys/netipsec/key_debug.c: 1.18-1.21
	sys/netipsec/key_debug.h: 1.9
	sys/netipsec/keydb.h: 1.16-1.20
	sys/netipsec/keysock.c: 1.59-1.62
	sys/netipsec/keysock.h: 1.10
	sys/netipsec/xform.h: 1.9-1.12
	sys/netipsec/xform_ah.c: 1.55-1.74
	sys/netipsec/xform_esp.c: 1.56-1.72
	sys/netipsec/xform_ipcomp.c: 1.39-1.53
	sys/netipsec/xform_ipip.c: 1.50-1.54
	sys/netipsec/xform_tcp.c: 1.12-1.16
	sys/rump/librump/rumpkern/Makefile.rumpkern: 1.170
	sys/rump/librump/rumpnet/net_stub.c: 1.27
	sys/sys/protosw.h: 1.67-1.68
	tests/net/carp/t_basic.sh: 1.7
	tests/net/if_gif/t_gif.sh: 1.11
	tests/net/if_l2tp/t_l2tp.sh: 1.3
	tests/net/ipsec/Makefile: 1.7-1.9
	tests/net/ipsec/algorithms.sh: 1.5
	tests/net/ipsec/common.sh: 1.4-1.6
	tests/net/ipsec/t_ipsec_ah_keys.sh: 1.2
	tests/net/ipsec/t_ipsec_esp_keys.sh: 1.2
	tests/net/ipsec/t_ipsec_gif.sh: 1.6-1.7
	tests/net/ipsec/t_ipsec_l2tp.sh: 1.6-1.7
	tests/net/ipsec/t_ipsec_misc.sh: 1.8-1.18
	tests/net/ipsec/t_ipsec_sockopt.sh: 1.1-1.2
	tests/net/ipsec/t_ipsec_tcp.sh: 1.1-1.2
	tests/net/ipsec/t_ipsec_transport.sh: 1.5-1.6
	tests/net/ipsec/t_ipsec_tunnel.sh: 1.9
	tests/net/ipsec/t_ipsec_tunnel_ipcomp.sh: 1.1-1.2
	tests/net/ipsec/t_ipsec_tunnel_odd.sh: 1.3
	tests/net/mcast/t_mcast.sh: 1.6
	tests/net/net/t_ipaddress.sh: 1.11
	tests/net/net_common.sh: 1.20
	tests/net/npf/t_npf.sh: 1.3
	tests/net/route/t_flags.sh: 1.20
	tests/net/route/t_flags6.sh: 1.16
	usr.bin/netstat/fast_ipsec.c: 1.22
Do m_pullup before mtod

It may fix panicks of some tests on anita/sparc and anita/GuruPlug.
---
KNF
---
Enable DEBUG for babylon5
---
Apply C99-style struct initialization to xformsw
---
Tweak outputs of netstat -s for IPsec

- Get rid of "Fast"
- Use ipsec and ipsec6 for titles to clarify protocol
- Indent outputs of sub protocols

Original outputs were organized like this:

(Fast) IPsec:
IPsec ah:
IPsec esp:
IPsec ipip:
IPsec ipcomp:
(Fast) IPsec:
IPsec ah:
IPsec esp:
IPsec ipip:
IPsec ipcomp:

New outputs are organized like this:

ipsec:
	ah:
	esp:
	ipip:
	ipcomp:
ipsec6:
	ah:
	esp:
	ipip:
	ipcomp:
---
Add test cases for IPComp
---
Simplify IPSEC_OSTAT macro (NFC)
---
KNF; replace leading whitespaces with hard tabs
---
Introduce and use SADB_SASTATE_USABLE_P
---
KNF
---
Add update command for testing

Updating an SA (SADB_UPDATE) requires that a process issuing
SADB_UPDATE is the same as a process issued SADB_ADD (or SADB_GETSPI).
This means that update command must be used with add command in a
configuration of setkey. This usage is normally meaningless but
useful for testing (and debugging) purposes.
---
Add test cases for updating SA/SP

The tests require newly-added udpate command of setkey.
---
PR/52346: Frank Kardel: Fix checksumming for NAT-T
See XXX for improvements.
---
Remove codes for PACKET_TAG_IPSEC_IN_CRYPTO_DONE

It seems that PACKET_TAG_IPSEC_IN_CRYPTO_DONE is for network adapters
that have IPsec accelerators; a driver sets the mtag to a packet
when its device has already encrypted the packet.

Unfortunately no driver implements such offload features for long
years and seems unlikely to implement them soon. (Note that neither
FreeBSD nor Linux doesn't have such drivers.) Let's remove related
(unused) codes and simplify the IPsec code.
---
Fix usages of sadb_msg_errno
---
Avoid updating sav directly

On SADB_UPDATE a target sav was updated directly, which was unsafe.
Instead allocate another sav, copy variables of the old sav to
the new one and replace the old one with the new one.
---
Simplify; we can assume sav->tdb_xform cannot be NULL while it's valid
---
Rename key_alloc* functions (NFC)

We shouldn't use the term "alloc" for functions that just look up
data and actually don't allocate memory.
---
Use explicit_memset to surely zero-clear key_auth and key_enc
---
Make sure to clear keys on error paths of key_setsaval
---
Add missing KEY_FREESAV
---
Make sure a sav is inserted to a sah list after its initialization completes
---
Remove unnecessary zero-clearing codes from key_setsaval

key_setsaval is now used only for a newly-allocated sav. (It was
used to reset variables of an existing sav.)
---
Correct wrong assumption of sav->refcnt in key_delsah

A sav in a list is basically not to be sav->refcnt == 0. And also
KEY_FREESAV assumes sav->refcnt > 0.
---
Let key_getsavbyspi take a reference of a returning sav
---
Use time_mono_to_wall (NFC)
---
Separate sending message routine (NFC)
---
Simplify; remove unnecessary zero-clears

key_freesaval is used only when a target sav is being destroyed.
---
Omit NULL checks for sav->lft_c

sav->lft_c can be NULL only when initializing or destroying sav.
---
Omit unnecessary NULL checks for sav->sah
---
Omit unnecessary check of sav->state

key_allocsa_policy picks a sav of either MATURE or DYING so we
don't need to check its state again.
---
Simplify; omit unnecessary saidx passing

- ipsec_nextisr returns a saidx but no caller uses it
- key_checkrequest is passed a saidx but it can be gotton by
  another argument (isr)
---
Fix splx isn't called on some error paths
---
Fix header size calculation of esp where sav is NULL
---
Fix header size calculation of ah in the case sav is NULL

This fix was also needed for esp.
---
Pass sav directly to opencrypto callback

In a callback, use a passed sav as-is by default and look up a sav
only if the passed sav is dead.
---
Avoid examining freshness of sav on packet processing

If a sav list is sorted (by lft_c->sadb_lifetime_addtime) in advance,
we don't need to examine each sav and also don't need to delete one
on the fly and send up a message. Fortunately every sav lists are sorted
as we need.

Added key_validate_savlist validates that each sav list is surely sorted
(run only if DEBUG because it's not cheap).
---
Add test cases for SAs with different SPIs
---
Prepare to stop using isr->sav

isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.

However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.
---
Fix wrong argument handling
---
fix printf format.
---
Don't validate sav lists of LARVAL or DEAD states

We don't sort the lists so the validation will always fail.

Fix PR kern/52405
---
Make sure to sort the list when changing the state by key_sa_chgstate
---
Rename key_allocsa_policy to key_lookup_sa_bysaidx
---
Separate test files
---
Calculate ah_max_authsize on initialization as well as esp_max_ivlen
---
Remove m_tag_find(PACKET_TAG_IPSEC_PENDING_TDB) because nobody sets the tag
---
Restore a comment removed in previous

The comment is valid for the below code.
---
Make tests more stable

sleep command seems to wait longer than expected on anita so
use polling to wait for a state change.
---
Add tests that explicitly delete SAs instead of waiting for expirations
---
Remove invalid M_AUTHIPDGM check on ESP isr->sav

M_AUTHIPDGM flag is set to a mbuf in ah_input_cb. An sav of ESP can
have AH authentication as sav->tdb_authalgxform. However, in that
case esp_input and esp_input_cb are used to do ESP decryption and
AH authentication and M_AUTHIPDGM never be set to a mbuf. So
checking M_AUTHIPDGM of a mbuf on isr->sav of ESP is meaningless.
---
Look up sav instead of relying on unstable sp->req->sav

This code is executed only in an error path so an additional lookup
doesn't matter.
---
Correct a comment
---
Don't release sav if calling crypto_dispatch again
---
Remove extra KEY_FREESAV from ipsec_process_done

It should be done by the caller.
---
Don't bother the case of crp->crp_buf == NULL in callbacks
---
Hold a reference to an SP during opencrypto processing

An SP has a list of isr (ipsecrequest) that represents a sequence
of IPsec encryption/authentication processing. One isr corresponds
to one opencrypto processing. The lifetime of an isr follows its SP.

We pass an isr to a callback function of opencrypto to continue
to a next encryption/authentication processing. However nobody
guaranteed that the isr wasn't freed, i.e., its SP wasn't destroyed.

In order to avoid such unexpected destruction of isr, hold a reference
to its SP during opencrypto processing.
---
Don't make SAs expired on tests that delete SAs explicitly
---
Fix a debug message
---
Dedup error paths (NFC)
---
Use pool to allocate tdb_crypto

For ESP and AH, we need to allocate an extra variable space in addition
to struct tdb_crypto. The fixed size of pool items may be larger than
an actual requisite size of a buffer, but still the performance
improvement by replacing malloc with pool wins.
---
Don't use unstable isr->sav for header size calculations

We may need to optimize to not look up sav here for users that
don't need to know an exact size of headers (e.g., TCP segmemt size
caclulation).
---
Don't use sp->req->sav when handling NAT-T ESP fragmentation

In order to do this we need to look up a sav however an additional
look-up degrades performance. A sav is later looked up in
ipsec4_process_packet so delay the fragmentation check until then
to avoid an extra look-up.
---
Don't use key_lookup_sp that depends on unstable sp->req->sav

It provided a fast look-up of SP. We will provide an alternative
method in the future (after basic MP-ification finishes).
---
Stop setting isr->sav on looking up sav in key_checkrequest
---
Remove ipsecrequest#sav
---
Stop setting mtag of PACKET_TAG_IPSEC_IN_DONE because there is no users anymore
---
Skip ipsec_spi_*_*_preferred_new_timeout when running on qemu

Probably due to PR 43997
---
Add localcount to rump kernels
---
Remove unused macro
---
Fix key_getcomb_setlifetime

The fix adjusts a soft limit to be 80% of a corresponding hard limit.

I'm not sure the fix is really correct though, at least the original
code is wrong. A passed comb is zero-cleared before calling
key_getcomb_setlifetime, so
  comb->sadb_comb_soft_addtime = comb->sadb_comb_soft_addtime * 80 / 100;
is meaningless.
---
Provide and apply key_sp_refcnt (NFC)

It simplifies further changes.
---
Fix indentation

Pointed out by knakahara@
---
Use pslist(9) for sptree
---
Don't acquire global locks for IPsec if NET_MPSAFE

Note that the change is just to make testing easy and IPsec isn't MP-safe yet.
---
Let PF_KEY socks hold their own lock instead of softnet_lock

Operations on SAD and SPD are executed via PF_KEY socks. The operations
include deletions of SAs and SPs that will use synchronization mechanisms
such as pserialize_perform to wait for references to SAs and SPs to be
released. It is known that using such mechanisms with holding softnet_lock
causes a dead lock. We should avoid the situation.
---
Make IPsec SPD MP-safe

We use localcount(9), not psref(9), to make the sptree and secpolicy (SP)
entries MP-safe because SPs need to be referenced over opencrypto
processing that executes a callback in a different context.

SPs on sockets aren't managed by the sptree and can be destroyed in softint.
localcount_drain cannot be used in softint so we delay the destruction of
such SPs to a thread context. To do so, a list to manage such SPs is added
(key_socksplist) and key_timehandler_spd deletes dead SPs in the list.

For more details please read the locking notes in key.c.

Proposed on tech-kern@ and tech-net@
---
Fix updating ipsec_used

- key_update_used wasn't called in key_api_spddelete2 and key_api_spdflush
- key_update_used wasn't called if an SP had been added/deleted but
  a reply to userland failed
---
Fix updating ipsec_used; turn on when SPs on sockets are added
---
Add missing IPsec policy checks to icmp6_rip6_input

icmp6_rip6_input is quite similar to rip6_input and the same checks exist
in rip6_input.
---
Add test cases for setsockopt(IP_IPSEC_POLICY)
---
Don't use KEY_NEWSP for dummy SP entries

By the change KEY_NEWSP is now not called from softint anymore
and we can use kmem_zalloc with KM_SLEEP for KEY_NEWSP.
---
Comment out unused functions
---
Add test cases that there are SPs but no relevant SAs
---
Don't allow sav->lft_c to be NULL

lft_c of an sav that was created by SADB_GETSPI could be NULL.
---
Clean up clunky eval strings

- Remove unnecessary \ at EOL
  - This allows to omit ; too
- Remove unnecessary quotes for arguments of atf_set
- Don't expand $DEBUG in eval
  - We expect it's expanded on execution

Suggested by kre@
---
Remove unnecessary KEY_FREESAV in an error path

sav should be freed (unreferenced) by the caller.
---
Use pslist(9) for sahtree
---
Use pslist(9) for sah->savtree
---
Rename local variable newsah to sah

It may not be new.
---
MP-ify SAD slightly

- Introduce key_sa_mtx and use it for some list operations
- Use pserialize for some list iterations
---
Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future

KEY_SA_UNREF is still key_freesav so no functional change for now.

This change reduces diff of further changes.
---
Remove out-of-date log output

Pointed out by riastradh@
---
Use KDASSERT instead of KASSERT for mutex_ownable

Because mutex_ownable is too heavy to run in a fast path
even for DIAGNOSTIC + LOCKDEBUG.

Suggested by riastradh@
---
Assemble global lists and related locks into cache lines (NFCI)

Also rename variable names from *tree to *list because they are
just lists, not trees.

Suggested by riastradh@
---
Move locking notes
---
Update the locking notes

- Add locking order
- Add locking notes for misc lists such as reglist
- Mention pserialize, key_sp_ref and key_sp_unref on SP operations

Requested by riastradh@
---
Describe constraints of key_sp_ref and key_sp_unref

Requested by riastradh@
---
Hold key_sad.lock on SAVLIST_WRITER_INSERT_TAIL
---
Add __read_mostly to key_psz

Suggested by riastradh@
---
Tweak wording (pserialize critical section => pserialize read section)

Suggested by riastradh@
---
Add missing mutex_exit
---
Fix setkey -D -P outputs

The outputs were tweaked (by me), but I forgot updating libipsec
in my local ATF environment...
---
MP-ify SAD (key_sad.sahlist and sah entries)

localcount(9) is used to protect key_sad.sahlist and sah entries
as well as SPD (and will be used for SAD sav).

Please read the locking notes of SAD for more details.
---
Introduce key_sa_refcnt and replace sav->refcnt with it (NFC)
---
Destroy sav only in the loop for DEAD sav
---
Fix KASSERT(solocked(sb->sb_so)) failure in sbappendaddr that is called eventually from key_sendup_mbuf

If key_sendup_mbuf isn't passed a socket, the assertion fails.
Originally in this case sb->sb_so was softnet_lock and callers
held softnet_lock so the assertion was magically satisfied.
Now sb->sb_so is key_so_mtx and also softnet_lock isn't always
held by callers so the assertion can fail.

Fix it by holding key_so_mtx if key_sendup_mbuf isn't passed a socket.

Reported by knakahara@
Tested by knakahara@ and ozaki-r@
---
Fix locking notes of SAD
---
Fix deadlock between key_sendup_mbuf called from key_acquire and localcount_drain

If we call key_sendup_mbuf from key_acquire that is called on packet
processing, a deadlock can happen like this:
- At key_acquire, a reference to an SP (and an SA) is held
- key_sendup_mbuf will try to take key_so_mtx
- Some other thread may try to localcount_drain to the SP with
  holding key_so_mtx in say key_api_spdflush
- In this case localcount_drain never return because key_sendup_mbuf
  that has stuck on key_so_mtx never release a reference to the SP

Fix the deadlock by deferring key_sendup_mbuf to the timer
(key_timehandler).
---
Fix that prev isn't cleared on retry
---
Limit the number of mbufs queued for deferred key_sendup_mbuf

It's easy to be queued hundreds of mbufs on the list under heavy
network load.
---
MP-ify SAD (savlist)

localcount(9) is used to protect savlist of sah. The basic design is
similar to MP-ifications of SPD and SAD sahlist. Please read the
locking notes of SAD for more details.
---
Simplify ipsec_reinject_ipstack (NFC)
---
Add per-CPU rtcache to ipsec_reinject_ipstack

It reduces route lookups and also reduces rtcache lock contentions
when NET_MPSAFE is enabled.
---
Use pool_cache(9) instead of pool(9) for tdb_crypto objects

The change improves network throughput especially on multi-core systems.
---
Update

ipsec(4), opencrypto(9) and vlan(4) are now MP-safe.
---
Write known issues on scalability
---
Share a global dummy SP between PCBs

It's never be changed so it can be pre-allocated and shared safely between PCBs.
---
Fix race condition on the rawcb list shared by rtsock and keysock

keysock now protects itself by its own mutex, which means that
the rawcb list is protected by two different mutexes (keysock's one
and softnet_lock for rtsock), of course it's useless.

Fix the situation by having a discrete rawcb list for each.
---
Use a dedicated mutex for rt_rawcb instead of softnet_lock if NET_MPSAFE
---
fix localcount leak in sav. fixed by ozaki-r@n.o.

I commit on behalf of him.
---
remove unnecessary comment.
---
Fix deadlock between pserialize_perform and localcount_drain

A typical ussage of localcount_drain looks like this:

  mutex_enter(&mtx);
  item = remove_from_list();
  pserialize_perform(psz);
  localcount_drain(&item->localcount, &cv, &mtx);
  mutex_exit(&mtx);

This sequence can cause a deadlock which happens for example on the following
situation:

- Thread A calls localcount_drain which calls xc_broadcast after releasing
  a specified mutex
- Thread B enters the sequence and calls pserialize_perform with holding
  the mutex while pserialize_perform also calls xc_broadcast
- Thread C (xc_thread) that calls an xcall callback of localcount_drain tries
  to hold the mutex

xc_broadcast of thread B doesn't start until xc_broadcast of thread A
finishes, which is a feature of xcall(9). This means that pserialize_perform
never complete until xc_broadcast of thread A finishes. On the other hand,
thread C that is a callee of xc_broadcast of thread A sticks on the mutex.
Finally the threads block each other (A blocks B, B blocks C and C blocks A).

A possible fix is to serialize executions of the above sequence by another
mutex, but adding another mutex makes the code complex, so fix the deadlock
by another way; the fix is to release the mutex before pserialize_perform
and instead use a condvar to prevent pserialize_perform from being called
simultaneously.

Note that the deadlock has happened only if NET_MPSAFE is enabled.
---
Add missing ifdef NET_MPSAFE
---
Take softnet_lock on pr_input properly if NET_MPSAFE

Currently softnet_lock is taken unnecessarily in some cases, e.g.,
icmp_input and encap4_input from ip_input, or not taken even if needed,
e.g., udp_input and tcp_input from ipsec4_common_input_cb. Fix them.

NFC if NET_MPSAFE is disabled (default).
---
- sanitize key debugging so that we don't print extra newlines or unassociated
  debugging messages.
- remove unused functions and make internal ones static
- print information in one line per message
---
humanize printing of ip addresses
---
cast reduction, NFC.
---
Fix typo in comment
---
Pull out ipsec_fill_saidx_bymbuf (NFC)
---
Don't abuse key_checkrequest just for looking up sav

It does more than expected for example key_acquire.
---
Fix SP is broken on transport mode

isr->saidx was modified accidentally in ipsec_nextisr.

Reported by christos@
Helped investigations by christos@ and knakahara@
---
Constify isr at many places (NFC)
---
Include socketvar.h for softnet_lock
---
Fix buffer length for ipsec_logsastr

Revision 1.64 / (download) - annotate - [select for diffs], Tue Oct 3 08:56:52 2017 UTC (5 years, 4 months ago) by ozaki-r
Branch: MAIN
Changes since 1.63: +7 -7 lines
Diff to previous 1.63 (colored)

Constify isr at many places (NFC)

Revision 1.63 / (download) - annotate - [select for diffs], Tue Oct 3 08:34:28 2017 UTC (5 years, 4 months ago) by ozaki-r
Branch: MAIN
Changes since 1.62: +6 -6 lines
Diff to previous 1.62 (colored)

Fix SP is broken on transport mode

isr->saidx was modified accidentally in ipsec_nextisr.

Reported by christos@
Helped investigations by christos@ and knakahara@

Revision 1.62 / (download) - annotate - [select for diffs], Tue Oct 3 08:25:21 2017 UTC (5 years, 4 months ago) by ozaki-r
Branch: MAIN
Changes since 1.61: +16 -2 lines
Diff to previous 1.61 (colored)

Don't abuse key_checkrequest just for looking up sav

It does more than expected for example key_acquire.

Revision 1.61 / (download) - annotate - [select for diffs], Tue Oct 3 07:32:53 2017 UTC (5 years, 4 months ago) by ozaki-r
Branch: MAIN
Changes since 1.60: +59 -51 lines
Diff to previous 1.60 (colored)

Pull out ipsec_fill_saidx_bymbuf (NFC)

Revision 1.40.6.2 / (download) - annotate - [select for diffs], Mon Aug 28 17:53:13 2017 UTC (5 years, 5 months ago) by skrll
Branch: nick-nhusb
Changes since 1.40.6.1: +196 -192 lines
Diff to previous 1.40.6.1 (colored) to branchpoint 1.40 (colored) next main 1.41 (colored)

Sync with HEAD

Revision 1.60 / (download) - annotate - [select for diffs], Thu Aug 10 06:11:24 2017 UTC (5 years, 5 months ago) by ozaki-r
Branch: MAIN
CVS Tags: nick-nhusb-base-20170825
Changes since 1.59: +15 -4 lines
Diff to previous 1.59 (colored)

Add per-CPU rtcache to ipsec_reinject_ipstack

It reduces route lookups and also reduces rtcache lock contentions
when NET_MPSAFE is enabled.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Aug 10 06:08:59 2017 UTC (5 years, 5 months ago) by ozaki-r
Branch: MAIN
Changes since 1.58: +14 -22 lines
Diff to previous 1.58 (colored)

Simplify ipsec_reinject_ipstack (NFC)

Revision 1.58 / (download) - annotate - [select for diffs], Thu Aug 3 06:32:51 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.57: +8 -8 lines
Diff to previous 1.57 (colored)

Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future

KEY_SA_UNREF is still key_freesav so no functional change for now.

This change reduces diff of further changes.

Revision 1.57 / (download) - annotate - [select for diffs], Thu Jul 27 06:59:28 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.56: +11 -2 lines
Diff to previous 1.56 (colored)

Don't acquire global locks for IPsec if NET_MPSAFE

Note that the change is just to make testing easy and IPsec isn't MP-safe yet.

Revision 1.56 / (download) - annotate - [select for diffs], Fri Jul 21 03:08:10 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.55: +23 -4 lines
Diff to previous 1.55 (colored)

Don't use sp->req->sav when handling NAT-T ESP fragmentation

In order to do this we need to look up a sav however an additional
look-up degrades performance. A sav is later looked up in
ipsec4_process_packet so delay the fragmentation check until then
to avoid an extra look-up.

Revision 1.55 / (download) - annotate - [select for diffs], Wed Jul 19 09:03:52 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.54: +2 -3 lines
Diff to previous 1.54 (colored)

Remove extra KEY_FREESAV from ipsec_process_done

It should be done by the caller.

Revision 1.54 / (download) - annotate - [select for diffs], Fri Jul 14 12:26:26 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
CVS Tags: perseant-stdc-iso10646-base, perseant-stdc-iso10646
Changes since 1.53: +35 -27 lines
Diff to previous 1.53 (colored)

Prepare to stop using isr->sav

isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.

However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.

Revision 1.53 / (download) - annotate - [select for diffs], Thu Jul 13 01:48:52 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.52: +10 -7 lines
Diff to previous 1.52 (colored)

Fix splx isn't called on some error paths

Revision 1.52 / (download) - annotate - [select for diffs], Thu Jul 13 01:22:44 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.51: +7 -9 lines
Diff to previous 1.51 (colored)

Simplify; omit unnecessary saidx passing

- ipsec_nextisr returns a saidx but no caller uses it
- key_checkrequest is passed a saidx but it can be gotton by
  another argument (isr)

Revision 1.51 / (download) - annotate - [select for diffs], Wed Jul 12 07:00:40 2017 UTC (5 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.50: +2 -3 lines
Diff to previous 1.50 (colored)

Omit unnecessary NULL checks for sav->sah

Revision 1.50 / (download) - annotate - [select for diffs], Thu Jul 6 09:49:46 2017 UTC (5 years, 7 months ago) by ozaki-r
Branch: MAIN
Changes since 1.49: +3 -8 lines
Diff to previous 1.49 (colored)

Simplify; we can assume sav->tdb_xform cannot be NULL while it's valid

Revision 1.49 / (download) - annotate - [select for diffs], Tue Jul 4 06:45:05 2017 UTC (5 years, 7 months ago) by ozaki-r
Branch: MAIN
Changes since 1.48: +8 -10 lines
Diff to previous 1.48 (colored)

Simplify IPSEC_OSTAT macro (NFC)

Revision 1.48 / (download) - annotate - [select for diffs], Fri May 19 04:34:09 2017 UTC (5 years, 8 months ago) by ozaki-r
Branch: MAIN
CVS Tags: netbsd-8-base
Branch point for: netbsd-8
Changes since 1.47: +17 -17 lines
Diff to previous 1.47 (colored)

Introduce IPSECLOG and replace ipseclog and DPRINTF with it

Revision 1.45.2.2 / (download) - annotate - [select for diffs], Fri May 19 00:22:58 2017 UTC (5 years, 8 months ago) by pgoyette
Branch: prg-localcount2
Changes since 1.45.2.1: +7 -6 lines
Diff to previous 1.45.2.1 (colored) to branchpoint 1.45 (colored) next main 1.46 (colored)

Resolve conflicts from previous merge (all resulting from $NetBSD
keywork expansion)

Revision 1.47 / (download) - annotate - [select for diffs], Thu May 11 05:55:14 2017 UTC (5 years, 8 months ago) by ryo
Branch: MAIN
CVS Tags: prg-localcount2-base3
Changes since 1.46: +7 -6 lines
Diff to previous 1.46 (colored)

Make ipsec_address() and ipsec_logsastr() mpsafe.

Revision 1.45.2.1 / (download) - annotate - [select for diffs], Thu May 11 02:58:41 2017 UTC (5 years, 8 months ago) by pgoyette
Branch: prg-localcount2
Changes since 1.45: +78 -85 lines
Diff to previous 1.45 (colored)

Sync with HEAD

Revision 1.46 / (download) - annotate - [select for diffs], Mon May 8 06:39:23 2017 UTC (5 years, 9 months ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base2
Changes since 1.45: +78 -85 lines
Diff to previous 1.45 (colored)

Omit two arguments of ipsec4_process_packet

flags is unused and tunalready is always 0. So NFC.

Revision 1.41.2.1 / (download) - annotate - [select for diffs], Wed Apr 26 02:53:29 2017 UTC (5 years, 9 months ago) by pgoyette
Branch: pgoyette-localcount
Changes since 1.41: +18 -39 lines
Diff to previous 1.41 (colored) next main 1.42 (colored)

Sync with HEAD

Revision 1.41.4.1 / (download) - annotate - [select for diffs], Fri Apr 21 16:54:06 2017 UTC (5 years, 9 months ago) by bouyer
Branch: bouyer-socketcan
Changes since 1.41: +18 -39 lines
Diff to previous 1.41 (colored) next main 1.42 (colored)

Sync with HEAD

Revision 1.45 / (download) - annotate - [select for diffs], Wed Apr 19 03:39:14 2017 UTC (5 years, 9 months ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base1, prg-localcount2-base, pgoyette-localcount-20170426, bouyer-socketcan-base1
Branch point for: prg-localcount2
Changes since 1.44: +3 -4 lines
Diff to previous 1.44 (colored)

Retire ipsec_osdep.h

We don't need to care other OSes (FreeBSD) anymore.

Some macros are alive in ipsec_private.h.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Apr 18 05:26:42 2017 UTC (5 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.43: +16 -16 lines
Diff to previous 1.43 (colored)

Convert IPSEC_ASSERT to KASSERT or KASSERTMSG

IPSEC_ASSERT just discarded specified message...

Revision 1.43 / (download) - annotate - [select for diffs], Tue Apr 18 05:25:32 2017 UTC (5 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.42: +2 -24 lines
Diff to previous 1.42 (colored)

Remove __FreeBSD__ and __NetBSD__ switches

No functional changes (except for a debug printf).

Note that there remain some __FreeBSD__ for sysctl knobs which counerparts
to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up
requires actual code changes.

Revision 1.42 / (download) - annotate - [select for diffs], Thu Apr 6 09:20:07 2017 UTC (5 years, 10 months ago) by ozaki-r
Branch: MAIN
CVS Tags: jdolecek-ncq-base, jdolecek-ncq
Changes since 1.41: +4 -2 lines
Diff to previous 1.41 (colored)

Prepare netipsec for rump-ification

- Include "opt_*.h" only if _KERNEL_OPT is defined
- Allow encapinit to be called twice (by ifinit and ipe4_attach)
  - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called
    it instead), however, on a rump kernel ipe4_attach may not be called
    even if IPSEC is enabled. So we need to allow ifinit to call it anyway
- Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP
- Call ip6flow_invalidate_all in key_spdadd only if in6_present
  - It's possible that a rump kernel loads the ipsec library but not
    the inet6 library

Revision 1.40.6.1 / (download) - annotate - [select for diffs], Mon Apr 6 15:18:23 2015 UTC (7 years, 10 months ago) by skrll
Branch: nick-nhusb
Changes since 1.40: +2 -3 lines
Diff to previous 1.40 (colored)

Sync with HEAD

Revision 1.41 / (download) - annotate - [select for diffs], Mon Mar 30 03:51:50 2015 UTC (7 years, 10 months ago) by ozaki-r
Branch: MAIN
CVS Tags: pgoyette-localcount-base, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, nick-nhusb-base-20170204, nick-nhusb-base-20161204, nick-nhusb-base-20161004, nick-nhusb-base-20160907, nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319, nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, nick-nhusb-base-20150406, localcount-20160914, bouyer-socketcan-base
Branch point for: pgoyette-localcount, bouyer-socketcan
Changes since 1.40: +2 -3 lines
Diff to previous 1.40 (colored)

Tidy up opt_ipsec.h inclusions

Some inclusions of opt_ipsec.h were for IPSEC_NAT_T and are now unnecessary.
Add inclusions to some C files for IPSEC_DEBUG.

Revision 1.38.6.2 / (download) - annotate - [select for diffs], Wed Aug 20 00:04:36 2014 UTC (8 years, 5 months ago) by tls
Branch: tls-maxphys
Changes since 1.38.6.1: +4 -2 lines
Diff to previous 1.38.6.1 (colored) to branchpoint 1.38 (colored)

Rebase to HEAD as of a few days ago.

Revision 1.37.2.2 / (download) - annotate - [select for diffs], Thu May 22 11:41:10 2014 UTC (8 years, 8 months ago) by yamt
Branch: yamt-pagecache
Changes since 1.37.2.1: +6 -14 lines
Diff to previous 1.37.2.1 (colored) to branchpoint 1.37 (colored) next main 1.38 (colored)

sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was splitted into small chunks to avoid
a limitation of cvs.  ("Protocol error: too many arguments")

Revision 1.39.2.1 / (download) - annotate - [select for diffs], Sun May 18 17:46:14 2014 UTC (8 years, 8 months ago) by rmind
Branch: rmind-smpnet
Changes since 1.39: +6 -4 lines
Diff to previous 1.39 (colored) next main 1.40 (colored)

sync with head

Revision 1.40 / (download) - annotate - [select for diffs], Sun Nov 3 18:37:10 2013 UTC (9 years, 3 months ago) by mrg
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, rmind-smpnet-nbase, rmind-smpnet-base, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, nick-nhusb-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE
Branch point for: nick-nhusb, netbsd-7-1, netbsd-7-0, netbsd-7
Changes since 1.39: +6 -4 lines
Diff to previous 1.39 (colored)

- apply some __diagused
- remove unused variables
- move some variables inside their relevant use #ifdef

Revision 1.38.6.1 / (download) - annotate - [select for diffs], Sun Jun 23 06:20:26 2013 UTC (9 years, 7 months ago) by tls
Branch: tls-maxphys
Changes since 1.38: +2 -12 lines
Diff to previous 1.38 (colored)

resync from head

Revision 1.39 / (download) - annotate - [select for diffs], Tue Jun 4 22:47:37 2013 UTC (9 years, 8 months ago) by christos
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2
Branch point for: rmind-smpnet
Changes since 1.38: +2 -12 lines
Diff to previous 1.38 (colored)

PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UPD-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.

Revision 1.37.2.1 / (download) - annotate - [select for diffs], Tue Apr 17 00:08:46 2012 UTC (10 years, 9 months ago) by yamt
Branch: yamt-pagecache
CVS Tags: yamt-pagecache-tag8
Changes since 1.37: +71 -4 lines
Diff to previous 1.37 (colored)

sync with head

Revision 1.37.6.1 / (download) - annotate - [select for diffs], Sat Feb 18 07:35:44 2012 UTC (10 years, 11 months ago) by mrg
Branch: jmcneill-usbmp
Changes since 1.37: +71 -4 lines
Diff to previous 1.37 (colored) next main 1.38 (colored)

merge to -current.

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jan 10 20:01:57 2012 UTC (11 years ago) by drochner
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, khorben-n900, jmcneill-usbmp-base9, jmcneill-usbmp-base8, jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3, jmcneill-usbmp-base2, jmcneill-usbmp-base10, agc-symver-base, agc-symver
Branch point for: tls-maxphys, netbsd-6-1, netbsd-6-0, netbsd-6
Changes since 1.37: +71 -4 lines
Diff to previous 1.37 (colored)

add patch from Arnaud Degroote to handle IPv6 extended options with
(FAST_)IPSEC, tested lightly with a DSTOPTS header consisting
of PAD1

Revision 1.37 / (download) - annotate - [select for diffs], Wed Aug 31 18:31:03 2011 UTC (11 years, 5 months ago) by plunky
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, jmcneill-usbmp-pre-base2, jmcneill-usbmp-base, jmcneill-audiomp3-base, jmcneill-audiomp3
Branch point for: yamt-pagecache, jmcneill-usbmp
Changes since 1.36: +3 -3 lines
Diff to previous 1.36 (colored)

NULL does not need a cast

Revision 1.32.2.1 / (download) - annotate - [select for diffs], Thu Jun 23 14:20:26 2011 UTC (11 years, 7 months ago) by cherry
Branch: cherry-xenmp
Changes since 1.32: +82 -59 lines
Diff to previous 1.32 (colored) next main 1.33 (colored)

Catchup with rmind-uvmplock merge.

Revision 1.29.4.2 / (download) - annotate - [select for diffs], Sun Jun 12 00:24:31 2011 UTC (11 years, 7 months ago) by rmind
Branch: rmind-uvmplock
Changes since 1.29.4.1: +81 -58 lines
Diff to previous 1.29.4.1 (colored) to branchpoint 1.29 (colored) next main 1.30 (colored)

sync with head

Revision 1.36 / (download) - annotate - [select for diffs], Thu Jun 9 21:04:37 2011 UTC (11 years, 8 months ago) by drochner
Branch: MAIN
CVS Tags: rmind-uvmplock-nbase, rmind-uvmplock-base
Changes since 1.35: +15 -3 lines
Diff to previous 1.35 (colored)

catch a case where an ip6 address with scope embedded was compared with
one without -- interestingly this didn't break the connection but just
caused a useless encapsulation
(this code needs to be rearranged to get it clean)

Revision 1.35 / (download) - annotate - [select for diffs], Tue Jun 7 15:54:57 2011 UTC (11 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.34: +55 -51 lines
Diff to previous 1.34 (colored)

fix tunnel encapsulation in ipsec6_process_packet() -- it is not
completely clean yet, but at least a v6-in-v6 tunnel works now

Revision 1.34 / (download) - annotate - [select for diffs], Tue Jun 7 15:50:42 2011 UTC (11 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.33: +30 -29 lines
Diff to previous 1.33 (colored)

reindent ipsec6_process_packet() - whitespace changes only

Revision 1.33 / (download) - annotate - [select for diffs], Mon Jun 6 16:48:35 2011 UTC (11 years, 8 months ago) by drochner
Branch: MAIN
Changes since 1.32: +11 -5 lines
Diff to previous 1.32 (colored)

remove a limitation that inner and outer IP version must be equal
for an ESP tunnel, and add some fixes which make v4-in-v6 work
(v6 as inner protocol isn't ready, even v6-in-v6 can never have worked)

being here, fix a statistics counter and kill an unused variable

Revision 1.29.6.1 / (download) - annotate - [select for diffs], Mon Jun 6 09:10:01 2011 UTC (11 years, 8 months ago) by jruoho
Branch: jruoho-x86intr
Changes since 1.29: +15 -4 lines
Diff to previous 1.29 (colored) next main 1.30 (colored)

Sync with HEAD.

Revision 1.29.4.1 / (download) - annotate - [select for diffs], Sat Mar 5 20:55:59 2011 UTC (11 years, 11 months ago) by rmind
Branch: rmind-uvmplock
Changes since 1.29: +15 -4 lines
Diff to previous 1.29 (colored)

sync with head

Revision 1.29.8.2 / (download) - annotate - [select for diffs], Sat Mar 5 15:10:47 2011 UTC (11 years, 11 months ago) by bouyer
Branch: bouyer-quota2
Changes since 1.29.8.1: +4 -2 lines
Diff to previous 1.29.8.1 (colored) to branchpoint 1.29 (colored) next main 1.30 (colored)

Sync with HEAD

Revision 1.32 / (download) - annotate - [select for diffs], Fri Feb 18 16:12:26 2011 UTC (11 years, 11 months ago) by drochner
Branch: MAIN
CVS Tags: cherry-xenmp-base, bouyer-quota2-nbase
Branch point for: cherry-xenmp
Changes since 1.31: +4 -2 lines
Diff to previous 1.31 (colored)

do proper statistics counting for outbound packets, fixes PR kern/30182
by Gilles Roy

Revision 1.29.8.1 / (download) - annotate - [select for diffs], Thu Feb 17 12:00:50 2011 UTC (11 years, 11 months ago) by bouyer
Branch: bouyer-quota2
Changes since 1.29: +13 -4 lines
Diff to previous 1.29 (colored)

Sync with HEAD

Revision 1.31 / (download) - annotate - [select for diffs], Thu Feb 10 20:42:30 2011 UTC (11 years, 11 months ago) by drochner
Branch: MAIN
CVS Tags: bouyer-quota2-base
Changes since 1.30: +3 -3 lines
Diff to previous 1.30 (colored)

in rev.1.192 of ip_output.c the semantics of ip_output() was changed:
Before, setting the IP_RAWOUTPUT flag did imply that the ip_id
(the fragmentation thing) was used as-is.
Now, a new ID is diced unless the new IP_NOIPNEWID flag is set.
The ip_id is part of the data which are used to calculate the hash
for AH, so set the IP_NOIPNEWID flag to make sure the IP header
is not modified behind AH's back. Otherwise, the recipient will detect
a checksum mismatch and discard the packet.

Revision 1.30 / (download) - annotate - [select for diffs], Thu Feb 10 20:24:27 2011 UTC (11 years, 11 months ago) by drochner
Branch: MAIN
Changes since 1.29: +13 -4 lines
Diff to previous 1.29 (colored)

-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock
 everywhere splsoftnet() was used before, to fix MP concurrency problems
-pull KERNEL_LOCK where ip(6)_output() is called, as this is what
 the network stack (unfortunately) expects, in particular to avoid
 races for packets in the interface send queues
From Wolfgang Stukenbrock per PR kern/44418, with the application
of KERNEL_LOCK to what I think are the essential points, tested
on a dual-core i386.

Revision 1.27.2.2 / (download) - annotate - [select for diffs], Thu Mar 11 15:04:30 2010 UTC (12 years, 11 months ago) by yamt
Branch: yamt-nfs-mp
Changes since 1.27.2.1: +8 -8 lines
Diff to previous 1.27.2.1 (colored) to branchpoint 1.27 (colored) next main 1.28 (colored)

sync with head

Revision 1.29 / (download) - annotate - [select for diffs], Tue Dec 1 01:01:34 2009 UTC (13 years, 2 months ago) by dyoung
Branch: MAIN
CVS Tags: yamt-nfs-mp-base9, yamt-nfs-mp-base11, yamt-nfs-mp-base10, uebayasi-xip-base4, uebayasi-xip-base3, uebayasi-xip-base2, uebayasi-xip-base1, uebayasi-xip-base, uebayasi-xip, matt-premerge-20091211, matt-mips64-premerge-20101231, jruoho-x86intr-base
Branch point for: rmind-uvmplock, jruoho-x86intr, bouyer-quota2
Changes since 1.28: +8 -8 lines
Diff to previous 1.28 (colored)

Cosmetic: fix indentation, change some spaces to tabs.

Revision 1.26.6.1 / (download) - annotate - [select for diffs], Mon Jun 2 13:24:28 2008 UTC (14 years, 8 months ago) by mjf
Branch: mjf-devfs2
Changes since 1.26: +25 -11 lines
Diff to previous 1.26 (colored) next main 1.27 (colored)

Sync with HEAD.

Revision 1.26.8.1 / (download) - annotate - [select for diffs], Sun May 18 12:35:40 2008 UTC (14 years, 8 months ago) by yamt
Branch: yamt-pf42
Changes since 1.26: +25 -11 lines
Diff to previous 1.26 (colored) next main 1.27 (colored)

sync with head.

Revision 1.27.2.1 / (download) - annotate - [select for diffs], Fri May 16 02:25:45 2008 UTC (14 years, 8 months ago) by yamt
Branch: yamt-nfs-mp
Changes since 1.27: +3 -3 lines
Diff to previous 1.27 (colored)

sync with head.

Revision 1.28 / (download) - annotate - [select for diffs], Mon Apr 28 17:40:11 2008 UTC (14 years, 9 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-nfs-mp-base8, yamt-nfs-mp-base7, yamt-nfs-mp-base6, yamt-nfs-mp-base5, yamt-nfs-mp-base4, yamt-nfs-mp-base3, yamt-nfs-mp-base2, wrstuden-revivesa-base-4, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, simonb-wapbl-nbase, simonb-wapbl-base, simonb-wapbl, nick-hppapmap-base4, nick-hppapmap-base3, nick-hppapmap-base2, nick-hppapmap-base, nick-hppapmap, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, jymxensuspend-base, jym-xensuspend-nbase, jym-xensuspend-base, jym-xensuspend, hpcarm-cleanup-nbase, haad-nbase2, haad-dm-base2, haad-dm-base1, haad-dm-base, haad-dm, ad-audiomp2-base, ad-audiomp2
Changes since 1.27: +3 -3 lines
Diff to previous 1.27 (colored)

Fix a stupid typo. In ipsec6_process_packet, reinject the packet in AF_INET6,
nor in AF_INET.

Revision 1.27 / (download) - annotate - [select for diffs], Wed Apr 23 06:09:05 2008 UTC (14 years, 9 months ago) by thorpej
Branch: MAIN
CVS Tags: yamt-nfs-mp-base
Branch point for: yamt-nfs-mp
Changes since 1.26: +24 -10 lines
Diff to previous 1.26 (colored)

Make IPSEC and FAST_IPSEC stats per-cpu.  Use <net/net_stats.h> and
netstat_sysctl().

Revision 1.23.2.1 / (download) - annotate - [select for diffs], Mon Feb 18 21:07:13 2008 UTC (14 years, 11 months ago) by mjf
Branch: mjf-devfs
Changes since 1.23: +101 -54 lines
Diff to previous 1.23 (colored) next main 1.24 (colored)

Sync with HEAD.

Revision 1.13.14.5 / (download) - annotate - [select for diffs], Mon Jan 21 09:47:26 2008 UTC (15 years ago) by yamt
Branch: yamt-lazymbuf
Changes since 1.13.14.4: +102 -68 lines
Diff to previous 1.13.14.4 (colored) to branchpoint 1.13 (colored) next main 1.14 (colored)

sync with head

Revision 1.22.8.2 / (download) - annotate - [select for diffs], Wed Jan 9 01:57:42 2008 UTC (15 years, 1 month ago) by matt
Branch: matt-armv6
Changes since 1.22.8.1: +102 -68 lines
Diff to previous 1.22.8.1 (colored) to branchpoint 1.22 (colored) next main 1.23 (colored)

sync with HEAD

Revision 1.17.4.2 / (download) - annotate - [select for diffs], Sun Jan 6 05:01:14 2008 UTC (15 years, 1 month ago) by wrstuden
Branch: wrstuden-fixsa
Changes since 1.17.4.1: +3 -5 lines
Diff to previous 1.17.4.1 (colored) to branchpoint 1.17 (colored) next main 1.18 (colored)

Catch up to netbsd-4.0 release.

Revision 1.24.2.1 / (download) - annotate - [select for diffs], Wed Jan 2 21:57:34 2008 UTC (15 years, 1 month ago) by bouyer
Branch: bouyer-xeni386
CVS Tags: bouyer-xeni386-merge1
Changes since 1.24: +101 -54 lines
Diff to previous 1.24 (colored) next main 1.25 (colored)

Sync with HEAD

Revision 1.26 / (download) - annotate - [select for diffs], Sat Dec 29 16:43:17 2007 UTC (15 years, 1 month ago) by degroote
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base, yamt-lazymbuf-base15, yamt-lazymbuf-base14, nick-net80211-sync-base, nick-net80211-sync, mjf-devfs-base, matt-armv6-nbase, matt-armv6-base, keiichi-mipv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-base, bouyer-xeni386-nbase, bouyer-xeni386-base, ad-socklock-base1
Branch point for: yamt-pf42, mjf-devfs2
Changes since 1.25: +73 -32 lines
Diff to previous 1.25 (colored)

Fix the ipsec processing in case of USE rules with no SA installed.

In case where there is no more isr to process, just tag the packet and reinject
in the ip{,6} stack.

Fix pr/34843

Revision 1.25 / (download) - annotate - [select for diffs], Sat Dec 29 14:53:25 2007 UTC (15 years, 1 month ago) by degroote
Branch: MAIN
Changes since 1.24: +31 -25 lines
Diff to previous 1.24 (colored)

Simplify the FAST_IPSEC output path
Only record an IPSEC_OUT_DONE tag when we have finished the processing
In ip{,6}_output, check this tag to know if we have already processed this
packet.
Remove some dead code (IPSEC_PENDING_TDB is not used in NetBSD)

Fix pr/36870

Revision 1.23.4.1 / (download) - annotate - [select for diffs], Wed Dec 26 19:57:49 2007 UTC (15 years, 1 month ago) by ad
Branch: vmlocking2
Changes since 1.23: +3 -16 lines
Diff to previous 1.23 (colored) next main 1.24 (colored)

Sync with head.

Revision 1.23.6.1 / (download) - annotate - [select for diffs], Tue Dec 11 15:45:41 2007 UTC (15 years, 2 months ago) by yamt
Branch: yamt-kmem
Changes since 1.23: +3 -16 lines
Diff to previous 1.23 (colored) next main 1.24 (colored)

sync with head.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Dec 9 18:27:39 2007 UTC (15 years, 2 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-kmem-base3, yamt-kmem-base2, vmlocking2-base3, cube-autoconf-base, cube-autoconf
Branch point for: bouyer-xeni386
Changes since 1.23: +3 -16 lines
Diff to previous 1.23 (colored)

Kill _IP_VHL ifdef (from netinet/ip.h history, it has never been used in NetBSD so ...)

Revision 1.12.2.1.2.1 / (download) - annotate - [select for diffs], Sat Dec 1 17:33:47 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-2
Changes since 1.12.2.1: +3 -5 lines
Diff to previous 1.12.2.1 (colored) next main 1.12.2.2 (colored)

Pull up following revision(s) (requested by adrianp in ticket #11395):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.12.2.2 / (download) - annotate - [select for diffs], Sat Dec 1 17:33:15 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-2-0
Changes since 1.12.2.1: +3 -5 lines
Diff to previous 1.12.2.1 (colored) to branchpoint 1.12 (colored) next main 1.13 (colored)

Pull up following revision(s) (requested by adrianp in ticket #11395):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.12.2.1.4.1 / (download) - annotate - [select for diffs], Sat Dec 1 17:32:30 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-2-1
Changes since 1.12.2.1: +3 -5 lines
Diff to previous 1.12.2.1 (colored) next main 1.12.2.2 (colored)

Pull up following revision(s) (requested by adrianp in ticket #11395):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.13.24.1 / (download) - annotate - [select for diffs], Thu Nov 22 19:02:17 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-3-1
Changes since 1.13: +3 -5 lines
Diff to previous 1.13 (colored) next main 1.14 (colored)

Pull up following revision(s) (requested by adrianp in ticket #1878):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.13.22.1 / (download) - annotate - [select for diffs], Thu Nov 22 19:01:37 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-3-0
Changes since 1.13: +3 -5 lines
Diff to previous 1.13 (colored) next main 1.14 (colored)

Pull up following revision(s) (requested by adrianp in ticket #1878):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.13.12.1 / (download) - annotate - [select for diffs], Thu Nov 22 19:00:53 2007 UTC (15 years, 2 months ago) by bouyer
Branch: netbsd-3
Changes since 1.13: +3 -5 lines
Diff to previous 1.13 (colored) next main 1.14 (colored)

Pull up following revision(s) (requested by adrianp in ticket #1878):
	sys/netipsec/xform_ah.c: revision 1.19 via patch
	sys/netipsec/ipsec.c: revision 1.34 via patch
	sys/netipsec/xform_ipip.c: revision 1.18 via patch
	sys/netipsec/ipsec_output.c: revision 1.23 via patch
	sys/netipsec/ipsec_osdep.h: revision 1.21 via patch
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.13.14.4 / (download) - annotate - [select for diffs], Thu Nov 15 11:45:17 2007 UTC (15 years, 2 months ago) by yamt
Branch: yamt-lazymbuf
Changes since 1.13.14.3: +3 -5 lines
Diff to previous 1.13.14.3 (colored) to branchpoint 1.13 (colored)

sync with head.

Revision 1.22.12.1 / (download) - annotate - [select for diffs], Tue Nov 13 16:03:04 2007 UTC (15 years, 2 months ago) by bouyer
Branch: bouyer-xenamd64
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (colored) next main 1.23 (colored)

Sync with HEAD

Revision 1.22.8.1 / (download) - annotate - [select for diffs], Tue Nov 6 23:34:13 2007 UTC (15 years, 3 months ago) by matt
Branch: matt-armv6
CVS Tags: matt-armv6-prevmlocking
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (colored)

sync with HEAD

Revision 1.17.2.2 / (download) - annotate - [select for diffs], Wed Oct 31 12:39:30 2007 UTC (15 years, 3 months ago) by liamjfoy
Branch: netbsd-4
CVS Tags: wrstuden-fixsa-newbase, wrstuden-fixsa-base-1, wrstuden-fixsa-base, netbsd-4-0-RELEASE, netbsd-4-0-RC5, netbsd-4-0-RC4, netbsd-4-0-1-RELEASE, netbsd-4-0, matt-nb4-arm-base, matt-nb4-arm
Changes since 1.17.2.1: +3 -5 lines
Diff to previous 1.17.2.1 (colored) to branchpoint 1.17 (colored) next main 1.18 (colored)

Pull up following revision(s) (requested by adrianp in ticket #964):
	sys/netipsec/xform_ah.c: revision 1.19
	sys/netipsec/ipsec.c: revision 1.34
	sys/netipsec/xform_ipip.c: revision 1.18
	sys/netipsec/ipsec_output.c: revision 1.23
	sys/netipsec/ipsec_osdep.h: revision 1.21
The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.
Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote&#64;

Revision 1.22.6.1 / (download) - annotate - [select for diffs], Sun Oct 28 20:11:14 2007 UTC (15 years, 3 months ago) by joerg
Branch: jmcneill-pm
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (colored) next main 1.23 (colored)

Sync with HEAD.

Revision 1.23 / (download) - annotate - [select for diffs], Sun Oct 28 15:48:23 2007 UTC (15 years, 3 months ago) by adrianp
Branch: MAIN
CVS Tags: yamt-kmem-base, vmlocking2-base2, vmlocking2-base1, vmlocking-nbase, reinoud-bufcleanup-nbase, reinoud-bufcleanup-base, jmcneill-pm-base, jmcneill-base, bouyer-xenamd64-base2, bouyer-xenamd64-base
Branch point for: yamt-kmem, vmlocking2, mjf-devfs
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (colored)

The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.

Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.13.14.3 / (download) - annotate - [select for diffs], Mon Sep 3 14:43:45 2007 UTC (15 years, 5 months ago) by yamt
Branch: yamt-lazymbuf
Changes since 1.13.14.2: +70 -6 lines
Diff to previous 1.13.14.2 (colored) to branchpoint 1.13 (colored)

sync with head.

Revision 1.21.6.1 / (download) - annotate - [select for diffs], Sun Jul 15 13:28:02 2007 UTC (15 years, 6 months ago) by ad
Branch: vmlocking
Changes since 1.21: +70 -6 lines
Diff to previous 1.21 (colored) next main 1.22 (colored)

Sync with head.

Revision 1.21.8.1 / (download) - annotate - [select for diffs], Wed Jul 11 20:11:52 2007 UTC (15 years, 7 months ago) by mjf
Branch: mjf-ufs-trans
Changes since 1.21: +70 -6 lines
Diff to previous 1.21 (colored) next main 1.22 (colored)

Sync with head.

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jun 27 20:38:33 2007 UTC (15 years, 7 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-x86pmap-base4, yamt-x86pmap-base3, yamt-x86pmap-base2, yamt-x86pmap-base, yamt-x86pmap, vmlocking-base, nick-csl-alignment-base5, nick-csl-alignment-base, nick-csl-alignment, mjf-ufs-trans-base, matt-mips64-base, matt-mips64, hpcarm-cleanup
Branch point for: matt-armv6, jmcneill-pm, bouyer-xenamd64
Changes since 1.21: +70 -6 lines
Diff to previous 1.21 (colored)

Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).

No objection on tech-net@

Revision 1.17.4.1 / (download) - annotate - [select for diffs], Mon Jun 4 01:54:28 2007 UTC (15 years, 8 months ago) by wrstuden
Branch: wrstuden-fixsa
Changes since 1.17: +82 -267 lines
Diff to previous 1.17 (colored)

Update to today's netbsd-4.

Revision 1.17.2.1 / (download) - annotate - [select for diffs], Thu May 24 19:13:12 2007 UTC (15 years, 8 months ago) by pavel
Branch: netbsd-4
CVS Tags: netbsd-4-0-RC3, netbsd-4-0-RC2, netbsd-4-0-RC1
Changes since 1.17: +82 -267 lines
Diff to previous 1.17 (colored)

Pull up following revision(s) (requested by degroote in ticket #667):
	sys/netinet/tcp_input.c: revision 1.260
	sys/netinet/tcp_output.c: revision 1.154
	sys/netinet/tcp_subr.c: revision 1.210
	sys/netinet6/icmp6.c: revision 1.129
	sys/netinet6/in6_proto.c: revision 1.70
	sys/netinet6/ip6_forward.c: revision 1.54
	sys/netinet6/ip6_input.c: revision 1.94
	sys/netinet6/ip6_output.c: revision 1.114
	sys/netinet6/raw_ip6.c: revision 1.81
	sys/netipsec/ipcomp_var.h: revision 1.4
	sys/netipsec/ipsec.c: revision 1.26 via patch,1.31-1.32
	sys/netipsec/ipsec6.h: revision 1.5
	sys/netipsec/ipsec_input.c: revision 1.14
	sys/netipsec/ipsec_netbsd.c: revision 1.18,1.26
	sys/netipsec/ipsec_output.c: revision 1.21 via patch
	sys/netipsec/key.c: revision 1.33,1.44
	sys/netipsec/xform_ipcomp.c: revision 1.9
	sys/netipsec/xform_ipip.c: revision 1.15
	sys/opencrypto/deflate.c: revision 1.8
Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packet with extensions headers are not correctly
supported
Change the ipcomp logic

Add sysctl tree to modify the fast_ipsec options related to ipv6. Similar
to the sysctl kame interface.

Choose the good default policy, depending of the adress family of the
desired policy

Increase the refcount for the default ipv6 policy so nobody can reclaim it

Always compute the sp index even if we don't have any sp in spd. It will
let us to choose the right default policy (based on the adress family
requested).
While here, fix an error message

Use dynamic array instead of an static array to decompress. It lets us to
decompress any data, whatever is the radio decompressed data / compressed
data.
It fixes the last issues with fast_ipsec and ipcomp.
While here, bzero -> memset, bcopy -> memcpy, FREE -> free
Reviewed a long time ago by sam@

Revision 1.13.14.2 / (download) - annotate - [select for diffs], Mon Feb 26 09:11:56 2007 UTC (15 years, 11 months ago) by yamt
Branch: yamt-lazymbuf
Changes since 1.13.14.1: +80 -263 lines
Diff to previous 1.13.14.1 (colored) to branchpoint 1.13 (colored)

sync with head.

Revision 1.21 / (download) - annotate - [select for diffs], Sat Feb 10 09:43:05 2007 UTC (16 years ago) by degroote
Branch: MAIN
CVS Tags: yamt-idlelwp-base8, yamt-idlelwp, thorpej-atomic-base, thorpej-atomic, reinoud-bufcleanup, ad-audiomp-base, ad-audiomp
Branch point for: vmlocking, mjf-ufs-trans
Changes since 1.20: +80 -263 lines
Diff to previous 1.20 (colored)

Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packet with extensions headers are not correctly
supported
Change the ipcomp logic

Revision 1.14.20.3 / (download) - annotate - [select for diffs], Thu Feb 1 08:48:44 2007 UTC (16 years ago) by ad
Branch: newlock2
Changes since 1.14.20.2: +3 -3 lines
Diff to previous 1.14.20.2 (colored) to branchpoint 1.14 (colored) next main 1.15 (colored)

Sync with head.

Revision 1.20 / (download) - annotate - [select for diffs], Fri Jan 26 19:49:18 2007 UTC (16 years ago) by dyoung
Branch: MAIN
CVS Tags: post-newlock2-merge, newlock2-nbase, newlock2-base
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (colored)

KNF: bzero -> memset.

Revision 1.14.20.2 / (download) - annotate - [select for diffs], Fri Jan 12 01:04:19 2007 UTC (16 years ago) by ad
Branch: newlock2
Changes since 1.14.20.1: +15 -17 lines
Diff to previous 1.14.20.1 (colored) to branchpoint 1.14 (colored)

Sync with head.

Revision 1.13.14.1 / (download) - annotate - [select for diffs], Sat Dec 30 20:50:44 2006 UTC (16 years, 1 month ago) by yamt
Branch: yamt-lazymbuf
Changes since 1.13: +32 -28 lines
Diff to previous 1.13 (colored)

sync with head.

Revision 1.14.22.3 / (download) - annotate - [select for diffs], Mon Dec 18 11:42:23 2006 UTC (16 years, 1 month ago) by yamt
Branch: yamt-splraiseipl
Changes since 1.14.22.2: +13 -13 lines
Diff to previous 1.14.22.2 (colored) to branchpoint 1.14 (colored) next main 1.15 (colored)

sync with head.

Revision 1.19 / (download) - annotate - [select for diffs], Fri Dec 15 21:18:56 2006 UTC (16 years, 1 month ago) by joerg
Branch: MAIN
CVS Tags: yamt-splraiseipl-base5, yamt-splraiseipl-base4
Changes since 1.18: +13 -13 lines
Diff to previous 1.18 (colored)

Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cashed and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either a valid again
or NULL.
rtcache_copy is used internally.

Adjust to callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is sementically equivalent though.
etherip doesn't need sc_route_expire similiar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.

Revision 1.14.22.2 / (download) - annotate - [select for diffs], Sun Dec 10 07:19:19 2006 UTC (16 years, 2 months ago) by yamt
Branch: yamt-splraiseipl
Changes since 1.14.22.1: +14 -16 lines
Diff to previous 1.14.22.1 (colored) to branchpoint 1.14 (colored)

sync with head.

Revision 1.18 / (download) - annotate - [select for diffs], Sat Dec 9 05:33:09 2006 UTC (16 years, 2 months ago) by dyoung
Branch: MAIN
CVS Tags: yamt-splraiseipl-base3
Changes since 1.17: +8 -10 lines
Diff to previous 1.17 (colored)

Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.

Revision 1.17 / (download) - annotate - [select for diffs], Fri Nov 24 19:47:00 2006 UTC (16 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: netbsd-4-base
Branch point for: wrstuden-fixsa, netbsd-4
Changes since 1.16: +3 -3 lines
Diff to previous 1.16 (colored)

fix spelling of accommodate; from Zapher.

Revision 1.14.20.1 / (download) - annotate - [select for diffs], Sat Nov 18 21:39:41 2006 UTC (16 years, 2 months ago) by ad
Branch: newlock2
Changes since 1.14: +19 -13 lines
Diff to previous 1.14 (colored)

Sync with head.

Revision 1.16 / (download) - annotate - [select for diffs], Thu Nov 16 01:33:49 2006 UTC (16 years, 2 months ago) by christos
Branch: MAIN
Changes since 1.15: +7 -7 lines
Diff to previous 1.15 (colored)

__unused removal on arguments; approved by core.

Revision 1.14.22.1 / (download) - annotate - [select for diffs], Sun Oct 22 06:07:38 2006 UTC (16 years, 3 months ago) by yamt
Branch: yamt-splraiseipl
Changes since 1.14: +19 -13 lines
Diff to previous 1.14 (colored)

sync with head

Revision 1.15 / (download) - annotate - [select for diffs], Fri Oct 13 20:53:59 2006 UTC (16 years, 3 months ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base2
Changes since 1.14: +19 -13 lines
Diff to previous 1.14 (colored)

more __unused

Revision 1.14 / (download) - annotate - [select for diffs], Sun Dec 11 12:25:05 2005 UTC (17 years, 2 months ago) by christos
Branch: MAIN
CVS Tags: yamt-uio_vmspace-base5, yamt-uio_vmspace, yamt-splraiseipl-base, yamt-pdpolicy-base9, yamt-pdpolicy-base8, yamt-pdpolicy-base7, yamt-pdpolicy-base6, yamt-pdpolicy-base5, yamt-pdpolicy-base4, yamt-pdpolicy-base3, yamt-pdpolicy-base2, yamt-pdpolicy-base, yamt-pdpolicy, simonb-timecounters-base, simonb-timecounters, simonb-timcounters-final, rpaulo-netinet-merge-pcb-base, rpaulo-netinet-merge-pcb, peter-altq-base, peter-altq, gdamore-uart-base, gdamore-uart, elad-kernelauth-base, elad-kernelauth, chap-midi-nbase, chap-midi-base, chap-midi, abandoned-netbsd-4-base, abandoned-netbsd-4
Branch point for: yamt-splraiseipl, newlock2
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

merge ktrace-lwp.

Revision 1.13.2.4 / (download) - annotate - [select for diffs], Tue Sep 21 13:37:48 2004 UTC (18 years, 4 months ago) by skrll
Branch: ktrace-lwp
Changes since 1.13.2.3: +2 -2 lines
Diff to previous 1.13.2.3 (colored) to branchpoint 1.13 (colored) next main 1.14 (colored)

Fix the sync with head I botched.

Revision 1.13.2.3 / (download) - annotate - [select for diffs], Sat Sep 18 14:55:32 2004 UTC (18 years, 4 months ago) by skrll
Branch: ktrace-lwp
Changes since 1.13.2.2: +2 -2 lines
Diff to previous 1.13.2.2 (colored) to branchpoint 1.13 (colored)

Sync with HEAD.

Revision 1.13.2.2 / (download) - annotate - [select for diffs], Tue Aug 3 10:55:29 2004 UTC (18 years, 6 months ago) by skrll
Branch: ktrace-lwp
Changes since 1.13.2.1: +781 -0 lines
Diff to previous 1.13.2.1 (colored) to branchpoint 1.13 (colored)

Sync with HEAD

Revision 1.12.2.1 / (download) - annotate - [select for diffs], Mon May 10 15:02:18 2004 UTC (18 years, 9 months ago) by tron
Branch: netbsd-2-0
CVS Tags: netbsd-2-base, netbsd-2-1-RELEASE, netbsd-2-1-RC6, netbsd-2-1-RC5, netbsd-2-1-RC4, netbsd-2-1-RC3, netbsd-2-1-RC2, netbsd-2-1-RC1, netbsd-2-0-RELEASE, netbsd-2-0-RC5, netbsd-2-0-RC4, netbsd-2-0-RC3, netbsd-2-0-RC2, netbsd-2-0-RC1, netbsd-2-0-3-RELEASE, netbsd-2-0-2-RELEASE, netbsd-2-0-1-RELEASE
Branch point for: netbsd-2-1, netbsd-2
Changes since 1.12: +3 -2 lines
Diff to previous 1.12 (colored)

Pull up revision 1.13 (requested by jonathan in ticket #280):
Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.
New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)
Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)
	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)
	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)
	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)
Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":
New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)
Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)

Revision 1.13.2.1, Fri May 7 00:55:15 2004 UTC (18 years, 9 months ago) by skrll
Branch: ktrace-lwp
Changes since 1.13: +0 -781 lines
FILE REMOVED

file ipsec_output.c was added on branch ktrace-lwp on 2004-08-03 10:55:29 +0000

Revision 1.13 / (download) - annotate - [select for diffs], Fri May 7 00:55:15 2004 UTC (18 years, 9 months ago) by jonathan
Branch: MAIN
CVS Tags: yamt-vop-base3, yamt-vop-base2, yamt-vop-base, yamt-vop, yamt-readahead-pervnode, yamt-readahead-perfile, yamt-readahead-base3, yamt-readahead-base2, yamt-readahead-base, yamt-readahead, yamt-km-base4, yamt-km-base3, yamt-km-base2, yamt-km-base, yamt-km, thorpej-vnode-attr-base, thorpej-vnode-attr, netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, ktrace-lwp-base, kent-audio2-base, kent-audio2, kent-audio1-beforemerge, kent-audio1-base, kent-audio1
Branch point for: yamt-lazymbuf, netbsd-3-1, netbsd-3-0, netbsd-3, ktrace-lwp
Changes since 1.12: +3 -2 lines
Diff to previous 1.12 (colored)

Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)

Revision 1.12 / (download) - annotate - [select for diffs], Wed Mar 17 00:21:43 2004 UTC (18 years, 10 months ago) by jonathan
Branch: MAIN
CVS Tags: netbsd-2-0-base
Branch point for: netbsd-2-0
Changes since 1.11: +5 -3 lines
Diff to previous 1.11 (colored)

sys/netinet6/ip6_ecn.h is reportedly a FreeBSD-ism; NetBSD has
prototypes for the IPv6 ECN ingress/egress functions in sys/netinet/ip_ecn.h,
inside an #ifdef INET6 wrapper.   So, wrap sys/netipsec ocurrences of
	#include <netinet6/ip6_ecn.h>
in #ifdef __FreeBSD__/#endif, until both camps can agree on this
teensy little piece of namespace. Affects:
    ipsec_output.c xform_ah.c xform_esp.c xform_ipip.c

Revision 1.11 / (download) - annotate - [select for diffs], Tue Mar 16 22:58:54 2004 UTC (18 years, 10 months ago) by jonathan
Branch: MAIN
Changes since 1.10: +3 -3 lines
Diff to previous 1.10 (colored)

Delint ntohl() as argument to a "%lx" format in a log message.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Mar 16 22:48:29 2004 UTC (18 years, 10 months ago) by jonathan
Branch: MAIN
Changes since 1.9: +4 -2 lines
Diff to previous 1.9 (colored)

#include <net/net_osdep.h>: if INET6 is configured,
ipsec_encapsulate() calls ovbcopy(), which is otherwise deprecated.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Mar 1 23:30:01 2004 UTC (18 years, 11 months ago) by thorpej
Branch: MAIN
Changes since 1.8: +30 -4 lines
Diff to previous 1.8 (colored)

Add missing copyright notice (FreeBSD rev. 1.3.2.2).

Revision 1.8 / (download) - annotate - [select for diffs], Fri Jan 16 11:06:27 2004 UTC (19 years ago) by scw
Branch: MAIN
Changes since 1.7: +6 -3 lines
Diff to previous 1.7 (colored)

Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.

In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Oct 6 22:05:15 2003 UTC (19 years, 4 months ago) by tls
Branch: MAIN
Changes since 1.6: +3 -3 lines
Diff to previous 1.6 (colored)

Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).

Revision 1.6 / (download) - annotate - [select for diffs], Fri Sep 12 11:20:58 2003 UTC (19 years, 5 months ago) by itojun
Branch: MAIN
Changes since 1.5: +5 -5 lines
Diff to previous 1.5 (colored)

merge netipsec/key* into netkey/key*.  no need for both.
change confusing filename

Revision 1.5 / (download) - annotate - [select for diffs], Fri Aug 22 21:53:10 2003 UTC (19 years, 5 months ago) by itojun
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (colored)

change the additional arg to be passed to ip{,6}_output to struct socket *.

this fixes KAME policy lookup which was broken by the previous commit.

Revision 1.4 / (download) - annotate - [select for diffs], Wed Aug 20 22:33:40 2003 UTC (19 years, 5 months ago) by jonathan
Branch: MAIN
Changes since 1.3: +4 -2 lines
Diff to previous 1.3 (colored)

opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Aug 15 17:14:31 2003 UTC (19 years, 5 months ago) by jonathan
Branch: MAIN
Changes since 1.2: +8 -3 lines
Diff to previous 1.2 (colored)

Fix bug with IP_DF handling which was breaking TCP: on FreeBSD, ip_off
is assumed to be in host byteorder during the input(?) path.  NetBSD
keeps ip_off and ip_len in network order.  Add (or remove) byteswaps
accordingly.  TCP over fast_ipsec now works with PMTU, as well as without.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Aug 15 03:42:07 2003 UTC (19 years, 5 months ago) by jonathan
Branch: MAIN
Changes since 1.1: +5 -3 lines
Diff to previous 1.1 (colored)

(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Aug 13 20:06:51 2003 UTC (19 years, 5 months ago) by jonathan
Branch: MAIN

Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>