The NetBSD Project

CVS log for src/sys/netipsec/ipsec_output.c

Default branch: MAIN
Current tag: MAIN


Revision 1.86 / (download) - annotate - [select for diffs], Fri Jan 27 09:33:43 2023 UTC (14 months, 3 weeks ago) by ozaki-r
Branch: MAIN
CVS Tags: thorpej-ifq-base, thorpej-ifq, thorpej-altq-separation-base, thorpej-altq-separation, HEAD
Changes since 1.85: +4 -15 lines
Diff to previous 1.85 (unified)

ipsec: remove unnecessary splsoftnet

Because the code of IPsec itself is already MP-safe.

Revision 1.85 / (download) - annotate - [select for diffs], Sun Apr 10 09:50:46 2022 UTC (2 years ago) by andvar
Branch: MAIN
CVS Tags: netbsd-10-base, netbsd-10-0-RELEASE, netbsd-10-0-RC6, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, bouyer-sunxi-drm-base, bouyer-sunxi-drm
Changes since 1.84: +3 -3 lines
Diff to previous 1.84 (unified)

fix various typos in comments and output/log messages.

Revision 1.84 / (download) - annotate - [select for diffs], Fri Nov 1 04:23:21 2019 UTC (4 years, 5 months ago) by knakahara
Branch: MAIN
CVS Tags: thorpej-i2c-spi-conf2-base, thorpej-i2c-spi-conf2, thorpej-i2c-spi-conf-base, thorpej-i2c-spi-conf, thorpej-futex2-base, thorpej-futex2, thorpej-futex-base, thorpej-futex, thorpej-cfargs2-base, thorpej-cfargs2, thorpej-cfargs-base, thorpej-cfargs, phil-wifi-20200421, phil-wifi-20200411, phil-wifi-20200406, phil-wifi-20191119, is-mlppp-base, is-mlppp, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, bouyer-xenpvh-base2, bouyer-xenpvh-base1, bouyer-xenpvh-base, bouyer-xenpvh, ad-namecache-base3, ad-namecache-base2, ad-namecache-base1, ad-namecache-base, ad-namecache
Changes since 1.83: +13 -13 lines
Diff to previous 1.83 (unified)

Fix ipsecif(4) IPV6_MINMTU does not work correctly.

Revision 1.83 / (download) - annotate - [select for diffs], Thu Sep 19 04:08:30 2019 UTC (4 years, 7 months ago) by ozaki-r
Branch: MAIN
Changes since 1.82: +5 -5 lines
Diff to previous 1.82 (unified)

Avoid having a rtcache directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users.  If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing.  Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by knakahara@ and yamaguchi@

Revision 1.82 / (download) - annotate - [select for diffs], Wed Dec 26 08:58:51 2018 UTC (5 years, 3 months ago) by knakahara
Branch: MAIN
CVS Tags: phil-wifi-20190609, pgoyette-compat-20190127, pgoyette-compat-20190118, netbsd-9-base, isaki-audio2-base, isaki-audio2
Branch point for: netbsd-9
Changes since 1.81: +24 -6 lines
Diff to previous 1.81 (unified)

ipsecif(4) supports multiple peers in the same NAPT.

E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects
NetBSD_A and NetBSD_C at the following figure.

                                        +----------+
                                   +----| NetBSD_B |
 +----------+           +------+   |    +----------+
 | NetBSD_A |--- ... ---| NAPT |---+
 +----------+           +------+   |    +----------+
                                   +----| NetBSD_C |
                                        +----------+

Add ATF later.

Revision 1.81 / (download) - annotate - [select for diffs], Thu Nov 22 04:48:34 2018 UTC (5 years, 4 months ago) by knakahara
Branch: MAIN
CVS Tags: pgoyette-compat-1226, pgoyette-compat-1126
Changes since 1.80: +31 -8 lines
Diff to previous 1.80 (unified)

Support IPv6 NAT-T. Implemented by hsuenaga@IIJ and ohishi@IIJ.

Add ATF later.

Revision 1.80 / (download) - annotate - [select for diffs], Thu May 31 15:06:45 2018 UTC (5 years, 10 months ago) by maxv
Branch: MAIN
CVS Tags: phil-wifi-base, pgoyette-compat-1020, pgoyette-compat-0930, pgoyette-compat-0906, pgoyette-compat-0728, pgoyette-compat-0625
Branch point for: phil-wifi
Changes since 1.79: +19 -16 lines
Diff to previous 1.79 (unified)

Adapt rev1.75, suggested by Alexander Bluhm. Relax the checks to allow
protocols smaller than two bytes (only IPPROTO_NONE). While here style.

Revision 1.79 / (download) - annotate - [select for diffs], Thu May 31 07:03:57 2018 UTC (5 years, 10 months ago) by maxv
Branch: MAIN
Changes since 1.78: +4 -17 lines
Diff to previous 1.78 (unified)

Remove support for non-IKE markers in the kernel. Discussed on tech-net@,
and now in PR/53334. Basically non-IKE markers come from a deprecated
draft, and our kernel code for them has never worked.

Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE.

Perhaps we should also add a check in key_handle_natt_info(), to make
sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.

Revision 1.78 / (download) - annotate - [select for diffs], Mon May 7 09:33:51 2018 UTC (5 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0521
Changes since 1.77: +2 -6 lines
Diff to previous 1.77 (unified)

Remove a dummy reference to XF_IP4, explain briefly why we don't use
ipe4_xformsw, and remove unused includes.

Revision 1.77 / (download) - annotate - [select for diffs], Mon May 7 09:25:04 2018 UTC (5 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.76: +4 -4 lines
Diff to previous 1.76 (unified)

Remove now unused 'isr', 'skip' and 'protoff' arguments from ipip_output.

Revision 1.76 / (download) - annotate - [select for diffs], Mon May 7 09:16:46 2018 UTC (5 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.75: +4 -4 lines
Diff to previous 1.75 (unified)

Remove unused 'mp' argument from all the xf_output functions. Also clean
up xform.h a bit.

Revision 1.75 / (download) - annotate - [select for diffs], Tue May 1 05:42:26 2018 UTC (5 years, 11 months ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0502
Changes since 1.74: +17 -13 lines
Diff to previous 1.74 (unified)

Fix the checks in compute_ipsec_pos, otherwise m_copydata could crash. I
already fixed half of the problem two months ago in rev1.67, back then I
thought it was not triggerable because each packet we emit is guaranteed
to have correctly formed IPv6 options; but it is actually triggerable via
IPv6 forwarding, we emit a packet we just received, and we don't sanitize
its options before invoking IPsec.

Since it would be wrong to just stop the iteration and continue the IPsec
processing, allow compute_ipsec_pos to fail, and when it does, drop the
packet entirely.

Revision 1.74 / (download) - annotate - [select for diffs], Sat Apr 28 15:45:16 2018 UTC (5 years, 11 months ago) by maxv
Branch: MAIN
Changes since 1.73: +2 -5 lines
Diff to previous 1.73 (unified)

Remove IPSEC_SPLASSERT_SOFTNET, it has always been a no-op.

Revision 1.73 / (download) - annotate - [select for diffs], Thu Apr 19 08:27:38 2018 UTC (6 years ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-0422
Changes since 1.72: +3 -3 lines
Diff to previous 1.72 (unified)

Remove extra long file paths from the headers.

Revision 1.72 / (download) - annotate - [select for diffs], Wed Apr 18 06:52:35 2018 UTC (6 years ago) by maxv
Branch: MAIN
Changes since 1.71: +16 -15 lines
Diff to previous 1.71 (unified)

style

Revision 1.71 / (download) - annotate - [select for diffs], Mon Mar 5 11:50:25 2018 UTC (6 years, 1 month ago) by maxv
Branch: MAIN
CVS Tags: pgoyette-compat-base, pgoyette-compat-0415, pgoyette-compat-0407, pgoyette-compat-0330, pgoyette-compat-0322, pgoyette-compat-0315
Branch point for: pgoyette-compat
Changes since 1.70: +8 -12 lines
Diff to previous 1.70 (unified)

Call m_pullup earlier, fixes one branch.

Revision 1.70 / (download) - annotate - [select for diffs], Sat Mar 3 09:39:29 2018 UTC (6 years, 1 month ago) by maxv
Branch: MAIN
Changes since 1.69: +4 -2 lines
Diff to previous 1.69 (unified)

Add KASSERTs, we don't want m_nextpkt in ipsec{4/6}_process_packet.

Revision 1.69 / (download) - annotate - [select for diffs], Mon Feb 26 06:34:39 2018 UTC (6 years, 1 month ago) by maxv
Branch: MAIN
Changes since 1.68: +10 -12 lines
Diff to previous 1.68 (unified)

Fix mbuf mistake: we are using ip6 before it is pulled up properly.

Revision 1.68 / (download) - annotate - [select for diffs], Wed Feb 21 17:04:52 2018 UTC (6 years, 1 month ago) by maxv
Branch: MAIN
Changes since 1.67: +58 -63 lines
Diff to previous 1.67 (unified)

Style, no functional change.

Revision 1.67 / (download) - annotate - [select for diffs], Wed Feb 21 16:55:53 2018 UTC (6 years, 1 month ago) by maxv
Branch: MAIN
Changes since 1.66: +3 -3 lines
Diff to previous 1.66 (unified)

Strengthen this check, to make sure there is room for an ip6_ext structure.
Seems possible to crash m_copydata here (but I didn't test more than that).

Revision 1.66 / (download) - annotate - [select for diffs], Thu Feb 8 20:57:41 2018 UTC (6 years, 2 months ago) by maxv
Branch: MAIN
Changes since 1.65: +2 -4 lines
Diff to previous 1.65 (unified)

Remove unused net_osdep.h include.

Revision 1.65 / (download) - annotate - [select for diffs], Fri Nov 17 07:37:12 2017 UTC (6 years, 5 months ago) by ozaki-r
Branch: MAIN
CVS Tags: tls-maxphys-base-20171202
Changes since 1.64: +4 -8 lines
Diff to previous 1.64 (unified)

Provide macros for softnet_lock and KERNEL_LOCK hiding NET_MPSAFE switch

It reduces C&P codes such as "#ifndef NET_MPSAFE KERNEL_LOCK(1, NULL); ..."
scattered all over the source code and makes it easy to identify remaining
KERNEL_LOCK and/or softnet_lock that are held even if NET_MPSAFE.

No functional change

Revision 1.64 / (download) - annotate - [select for diffs], Tue Oct 3 08:56:52 2017 UTC (6 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.63: +7 -7 lines
Diff to previous 1.63 (unified)

Constify isr at many places (NFC)

Revision 1.63 / (download) - annotate - [select for diffs], Tue Oct 3 08:34:28 2017 UTC (6 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.62: +6 -6 lines
Diff to previous 1.62 (unified)

Fix SP is broken on transport mode

isr->saidx was modified accidentally in ipsec_nextisr.

Reported by christos@
Helped investigations by christos@ and knakahara@

Revision 1.62 / (download) - annotate - [select for diffs], Tue Oct 3 08:25:21 2017 UTC (6 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.61: +16 -2 lines
Diff to previous 1.61 (unified)

Don't abuse key_checkrequest just for looking up sav

It does more than expected for example key_acquire.

Revision 1.61 / (download) - annotate - [select for diffs], Tue Oct 3 07:32:53 2017 UTC (6 years, 6 months ago) by ozaki-r
Branch: MAIN
Changes since 1.60: +59 -51 lines
Diff to previous 1.60 (unified)

Pull out ipsec_fill_saidx_bymbuf (NFC)

Revision 1.60 / (download) - annotate - [select for diffs], Thu Aug 10 06:11:24 2017 UTC (6 years, 8 months ago) by ozaki-r
Branch: MAIN
CVS Tags: nick-nhusb-base-20170825
Changes since 1.59: +15 -4 lines
Diff to previous 1.59 (unified)

Add per-CPU rtcache to ipsec_reinject_ipstack

It reduces route lookups and also reduces rtcache lock contentions
when NET_MPSAFE is enabled.

Revision 1.59 / (download) - annotate - [select for diffs], Thu Aug 10 06:08:59 2017 UTC (6 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.58: +14 -22 lines
Diff to previous 1.58 (unified)

Simplify ipsec_reinject_ipstack (NFC)

Revision 1.58 / (download) - annotate - [select for diffs], Thu Aug 3 06:32:51 2017 UTC (6 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.57: +8 -8 lines
Diff to previous 1.57 (unified)

Introduce KEY_SA_UNREF and replace KEY_FREESAV with it where sav will never be actually freed in the future

KEY_SA_UNREF is still key_freesav so no functional change for now.

This change reduces diff of further changes.

Revision 1.57 / (download) - annotate - [select for diffs], Thu Jul 27 06:59:28 2017 UTC (6 years, 8 months ago) by ozaki-r
Branch: MAIN
Changes since 1.56: +11 -2 lines
Diff to previous 1.56 (unified)

Don't acquire global locks for IPsec if NET_MPSAFE

Note that the change is just to make testing easy and IPsec isn't MP-safe yet.

Revision 1.56 / (download) - annotate - [select for diffs], Fri Jul 21 03:08:10 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.55: +23 -4 lines
Diff to previous 1.55 (unified)

Don't use sp->req->sav when handling NAT-T ESP fragmentation

In order to do this we need to look up a sav however an additional
look-up degrades performance. A sav is later looked up in
ipsec4_process_packet so delay the fragmentation check until then
to avoid an extra look-up.

Revision 1.55 / (download) - annotate - [select for diffs], Wed Jul 19 09:03:52 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.54: +2 -3 lines
Diff to previous 1.54 (unified)

Remove extra KEY_FREESAV from ipsec_process_done

It should be done by the caller.

Revision 1.54 / (download) - annotate - [select for diffs], Fri Jul 14 12:26:26 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
CVS Tags: perseant-stdc-iso10646-base, perseant-stdc-iso10646
Changes since 1.53: +35 -27 lines
Diff to previous 1.53 (unified)

Prepare to stop using isr->sav

isr is a shared resource and using isr->sav as a temporal storage
for each packet processing is racy. And also having a reference from
isr to sav makes the lifetime of sav non-deterministic; such a reference
is removed when a packet is processed and isr->sav is overwritten by
new one. Let's have a sav locally for each packet processing instead of
using shared isr->sav.

However this change doesn't stop using isr->sav yet because there are
some users of isr->sav. isr->sav will be removed after the users find
a way to not use isr->sav.

Revision 1.53 / (download) - annotate - [select for diffs], Thu Jul 13 01:48:52 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.52: +10 -7 lines
Diff to previous 1.52 (unified)

Fix splx isn't called on some error paths

Revision 1.52 / (download) - annotate - [select for diffs], Thu Jul 13 01:22:44 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.51: +7 -9 lines
Diff to previous 1.51 (unified)

Simplify; omit unnecessary saidx passing

- ipsec_nextisr returns a saidx but no caller uses it
- key_checkrequest is passed a saidx but it can be gotten by
  another argument (isr)

Revision 1.51 / (download) - annotate - [select for diffs], Wed Jul 12 07:00:40 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.50: +2 -3 lines
Diff to previous 1.50 (unified)

Omit unnecessary NULL checks for sav->sah

Revision 1.50 / (download) - annotate - [select for diffs], Thu Jul 6 09:49:46 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.49: +3 -8 lines
Diff to previous 1.49 (unified)

Simplify; we can assume sav->tdb_xform cannot be NULL while it's valid

Revision 1.49 / (download) - annotate - [select for diffs], Tue Jul 4 06:45:05 2017 UTC (6 years, 9 months ago) by ozaki-r
Branch: MAIN
Changes since 1.48: +8 -10 lines
Diff to previous 1.48 (unified)

Simplify IPSEC_OSTAT macro (NFC)

Revision 1.48 / (download) - annotate - [select for diffs], Fri May 19 04:34:09 2017 UTC (6 years, 11 months ago) by ozaki-r
Branch: MAIN
CVS Tags: netbsd-8-base
Branch point for: netbsd-8
Changes since 1.47: +17 -17 lines
Diff to previous 1.47 (unified)

Introduce IPSECLOG and replace ipseclog and DPRINTF with it

Revision 1.47 / (download) - annotate - [select for diffs], Thu May 11 05:55:14 2017 UTC (6 years, 11 months ago) by ryo
Branch: MAIN
CVS Tags: prg-localcount2-base3
Changes since 1.46: +7 -6 lines
Diff to previous 1.46 (unified)

Make ipsec_address() and ipsec_logsastr() mpsafe.

Revision 1.46 / (download) - annotate - [select for diffs], Mon May 8 06:39:23 2017 UTC (6 years, 11 months ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base2
Changes since 1.45: +78 -85 lines
Diff to previous 1.45 (unified)

Omit two arguments of ipsec4_process_packet

flags is unused and tunalready is always 0. So NFC.

Revision 1.45 / (download) - annotate - [select for diffs], Wed Apr 19 03:39:14 2017 UTC (7 years ago) by ozaki-r
Branch: MAIN
CVS Tags: prg-localcount2-base1, prg-localcount2-base, pgoyette-localcount-20170426, bouyer-socketcan-base1
Branch point for: prg-localcount2
Changes since 1.44: +3 -4 lines
Diff to previous 1.44 (unified)

Retire ipsec_osdep.h

We don't need to care other OSes (FreeBSD) anymore.

Some macros are alive in ipsec_private.h.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Apr 18 05:26:42 2017 UTC (7 years ago) by ozaki-r
Branch: MAIN
Changes since 1.43: +16 -16 lines
Diff to previous 1.43 (unified)

Convert IPSEC_ASSERT to KASSERT or KASSERTMSG

IPSEC_ASSERT just discarded specified message...

Revision 1.43 / (download) - annotate - [select for diffs], Tue Apr 18 05:25:32 2017 UTC (7 years ago) by ozaki-r
Branch: MAIN
Changes since 1.42: +2 -24 lines
Diff to previous 1.42 (unified)

Remove __FreeBSD__ and __NetBSD__ switches

No functional changes (except for a debug printf).

Note that there remain some __FreeBSD__ for sysctl knobs which counterparts
to NetBSD don't exist. And ipsec_osdep.h isn't touched yet; tidying it up
requires actual code changes.

Revision 1.42 / (download) - annotate - [select for diffs], Thu Apr 6 09:20:07 2017 UTC (7 years ago) by ozaki-r
Branch: MAIN
CVS Tags: jdolecek-ncq-base, jdolecek-ncq
Changes since 1.41: +4 -2 lines
Diff to previous 1.41 (unified)

Prepare netipsec for rump-ification

- Include "opt_*.h" only if _KERNEL_OPT is defined
- Allow encapinit to be called twice (by ifinit and ipe4_attach)
  - ifinit didn't call encapinit if IPSEC is enabled (ipe4_attach called
    it instead), however, on a rump kernel ipe4_attach may not be called
    even if IPSEC is enabled. So we need to allow ifinit to call it anyway
- Setup sysctls in ipsec_attach explicitly instead of using SYSCTL_SETUP
- Call ip6flow_invalidate_all in key_spdadd only if in6_present
  - It's possible that a rump kernel loads the ipsec library but not
    the inet6 library

Revision 1.41 / (download) - annotate - [select for diffs], Mon Mar 30 03:51:50 2015 UTC (9 years ago) by ozaki-r
Branch: MAIN
CVS Tags: pgoyette-localcount-base, pgoyette-localcount-20170320, pgoyette-localcount-20170107, pgoyette-localcount-20161104, pgoyette-localcount-20160806, pgoyette-localcount-20160726, nick-nhusb-base-20170204, nick-nhusb-base-20161204, nick-nhusb-base-20161004, nick-nhusb-base-20160907, nick-nhusb-base-20160529, nick-nhusb-base-20160422, nick-nhusb-base-20160319, nick-nhusb-base-20151226, nick-nhusb-base-20150921, nick-nhusb-base-20150606, nick-nhusb-base-20150406, localcount-20160914, bouyer-socketcan-base
Branch point for: pgoyette-localcount, bouyer-socketcan
Changes since 1.40: +2 -3 lines
Diff to previous 1.40 (unified)

Tidy up opt_ipsec.h inclusions

Some inclusions of opt_ipsec.h were for IPSEC_NAT_T and are now unnecessary.
Add inclusions to some C files for IPSEC_DEBUG.

Revision 1.40 / (download) - annotate - [select for diffs], Sun Nov 3 18:37:10 2013 UTC (10 years, 5 months ago) by mrg
Branch: MAIN
CVS Tags: yamt-pagecache-base9, tls-maxphys-base, tls-earlyentropy-base, tls-earlyentropy, rmind-smpnet-nbase, rmind-smpnet-base, riastradh-xf86-video-intel-2-7-1-pre-2-21-15, riastradh-drm2-base3, nick-nhusb-base, netbsd-7-nhusb-base-20170116, netbsd-7-nhusb-base, netbsd-7-nhusb, netbsd-7-base, netbsd-7-1-RELEASE, netbsd-7-1-RC2, netbsd-7-1-RC1, netbsd-7-1-2-RELEASE, netbsd-7-1-1-RELEASE, netbsd-7-0-RELEASE, netbsd-7-0-RC3, netbsd-7-0-RC2, netbsd-7-0-RC1, netbsd-7-0-2-RELEASE, netbsd-7-0-1-RELEASE
Branch point for: nick-nhusb, netbsd-7-1, netbsd-7-0, netbsd-7
Changes since 1.39: +6 -4 lines
Diff to previous 1.39 (unified)

- apply some __diagused
- remove unused variables
- move some variables inside their relevant use #ifdef

Revision 1.39 / (download) - annotate - [select for diffs], Tue Jun 4 22:47:37 2013 UTC (10 years, 10 months ago) by christos
Branch: MAIN
CVS Tags: riastradh-drm2-base2, riastradh-drm2-base1, riastradh-drm2-base, riastradh-drm2
Branch point for: rmind-smpnet
Changes since 1.38: +2 -12 lines
Diff to previous 1.38 (unified)

PR/47886: Dr. Wolfgang Stukenbrock: IPSEC_NAT_T enabled kernels may access
outdated pointers and pass ESP data to UDP-sockets.
While here, simplify the code and remove the IPSEC_NAT_T option; always
compile nat-traversal in so that it does not bitrot.

Revision 1.38 / (download) - annotate - [select for diffs], Tue Jan 10 20:01:57 2012 UTC (12 years, 3 months ago) by drochner
Branch: MAIN
CVS Tags: yamt-pagecache-base8, yamt-pagecache-base7, yamt-pagecache-base6, yamt-pagecache-base5, yamt-pagecache-base4, netbsd-6-base, netbsd-6-1-RELEASE, netbsd-6-1-RC4, netbsd-6-1-RC3, netbsd-6-1-RC2, netbsd-6-1-RC1, netbsd-6-1-5-RELEASE, netbsd-6-1-4-RELEASE, netbsd-6-1-3-RELEASE, netbsd-6-1-2-RELEASE, netbsd-6-1-1-RELEASE, netbsd-6-0-RELEASE, netbsd-6-0-RC2, netbsd-6-0-RC1, netbsd-6-0-6-RELEASE, netbsd-6-0-5-RELEASE, netbsd-6-0-4-RELEASE, netbsd-6-0-3-RELEASE, netbsd-6-0-2-RELEASE, netbsd-6-0-1-RELEASE, matt-nb6-plus-nbase, matt-nb6-plus-base, matt-nb6-plus, khorben-n900, jmcneill-usbmp-base9, jmcneill-usbmp-base8, jmcneill-usbmp-base7, jmcneill-usbmp-base6, jmcneill-usbmp-base5, jmcneill-usbmp-base4, jmcneill-usbmp-base3, jmcneill-usbmp-base2, jmcneill-usbmp-base10, agc-symver-base, agc-symver
Branch point for: tls-maxphys, netbsd-6-1, netbsd-6-0, netbsd-6
Changes since 1.37: +71 -4 lines
Diff to previous 1.37 (unified)

add patch from Arnaud Degroote to handle IPv6 extended options with
(FAST_)IPSEC, tested lightly with a DSTOPTS header consisting
of PAD1

Revision 1.37 / (download) - annotate - [select for diffs], Wed Aug 31 18:31:03 2011 UTC (12 years, 7 months ago) by plunky
Branch: MAIN
CVS Tags: yamt-pagecache-base3, yamt-pagecache-base2, yamt-pagecache-base, jmcneill-usbmp-pre-base2, jmcneill-usbmp-base, jmcneill-audiomp3-base, jmcneill-audiomp3
Branch point for: yamt-pagecache, jmcneill-usbmp
Changes since 1.36: +3 -3 lines
Diff to previous 1.36 (unified)

NULL does not need a cast

Revision 1.36 / (download) - annotate - [select for diffs], Thu Jun 9 21:04:37 2011 UTC (12 years, 10 months ago) by drochner
Branch: MAIN
CVS Tags: rmind-uvmplock-nbase, rmind-uvmplock-base
Changes since 1.35: +15 -3 lines
Diff to previous 1.35 (unified)

catch a case where an ip6 address with scope embedded was compared with
one without -- interestingly this didn't break the connection but just
caused a useless encapsulation
(this code needs to be rearranged to get it clean)

Revision 1.35 / (download) - annotate - [select for diffs], Tue Jun 7 15:54:57 2011 UTC (12 years, 10 months ago) by drochner
Branch: MAIN
Changes since 1.34: +55 -51 lines
Diff to previous 1.34 (unified)

fix tunnel encapsulation in ipsec6_process_packet() -- it is not
completely clean yet, but at least a v6-in-v6 tunnel works now

Revision 1.34 / (download) - annotate - [select for diffs], Tue Jun 7 15:50:42 2011 UTC (12 years, 10 months ago) by drochner
Branch: MAIN
Changes since 1.33: +30 -29 lines
Diff to previous 1.33 (unified)

reindent ipsec6_process_packet() - whitespace changes only

Revision 1.33 / (download) - annotate - [select for diffs], Mon Jun 6 16:48:35 2011 UTC (12 years, 10 months ago) by drochner
Branch: MAIN
Changes since 1.32: +11 -5 lines
Diff to previous 1.32 (unified)

remove a limitation that inner and outer IP version must be equal
for an ESP tunnel, and add some fixes which make v4-in-v6 work
(v6 as inner protocol isn't ready, even v6-in-v6 can never have worked)

being here, fix a statistics counter and kill an unused variable

Revision 1.32 / (download) - annotate - [select for diffs], Fri Feb 18 16:12:26 2011 UTC (13 years, 2 months ago) by drochner
Branch: MAIN
CVS Tags: cherry-xenmp-base, bouyer-quota2-nbase
Branch point for: cherry-xenmp
Changes since 1.31: +4 -2 lines
Diff to previous 1.31 (unified)

do proper statistics counting for outbound packets, fixes PR kern/30182
by Gilles Roy

Revision 1.31 / (download) - annotate - [select for diffs], Thu Feb 10 20:42:30 2011 UTC (13 years, 2 months ago) by drochner
Branch: MAIN
CVS Tags: bouyer-quota2-base
Changes since 1.30: +3 -3 lines
Diff to previous 1.30 (unified)

in rev.1.192 of ip_output.c the semantics of ip_output() was changed:
Before, setting the IP_RAWOUTPUT flag did imply that the ip_id
(the fragmentation thing) was used as-is.
Now, a new ID is diced unless the new IP_NOIPNEWID flag is set.
The ip_id is part of the data which are used to calculate the hash
for AH, so set the IP_NOIPNEWID flag to make sure the IP header
is not modified behind AH's back. Otherwise, the recipient will detect
a checksum mismatch and discard the packet.

Revision 1.30 / (download) - annotate - [select for diffs], Thu Feb 10 20:24:27 2011 UTC (13 years, 2 months ago) by drochner
Branch: MAIN
Changes since 1.29: +13 -4 lines
Diff to previous 1.29 (unified)

-in opencrypto callbacks (which run in a kernel thread), pull softnet_lock
 everywhere splsoftnet() was used before, to fix MP concurrency problems
-pull KERNEL_LOCK where ip(6)_output() is called, as this is what
 the network stack (unfortunately) expects, in particular to avoid
 races for packets in the interface send queues
From Wolfgang Stukenbrock per PR kern/44418, with the application
of KERNEL_LOCK to what I think are the essential points, tested
on a dual-core i386.

Revision 1.29 / (download) - annotate - [select for diffs], Tue Dec 1 01:01:34 2009 UTC (14 years, 4 months ago) by dyoung
Branch: MAIN
CVS Tags: yamt-nfs-mp-base9, yamt-nfs-mp-base11, yamt-nfs-mp-base10, uebayasi-xip-base4, uebayasi-xip-base3, uebayasi-xip-base2, uebayasi-xip-base1, uebayasi-xip-base, uebayasi-xip, matt-premerge-20091211, matt-mips64-premerge-20101231, jruoho-x86intr-base
Branch point for: rmind-uvmplock, jruoho-x86intr, bouyer-quota2
Changes since 1.28: +8 -8 lines
Diff to previous 1.28 (unified)

Cosmetic: fix indentation, change some spaces to tabs.

Revision 1.28 / (download) - annotate - [select for diffs], Mon Apr 28 17:40:11 2008 UTC (15 years, 11 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-pf42-base4, yamt-pf42-base3, yamt-pf42-base2, yamt-nfs-mp-base8, yamt-nfs-mp-base7, yamt-nfs-mp-base6, yamt-nfs-mp-base5, yamt-nfs-mp-base4, yamt-nfs-mp-base3, yamt-nfs-mp-base2, wrstuden-revivesa-base-4, wrstuden-revivesa-base-3, wrstuden-revivesa-base-2, wrstuden-revivesa-base-1, wrstuden-revivesa-base, wrstuden-revivesa, simonb-wapbl-nbase, simonb-wapbl-base, simonb-wapbl, nick-hppapmap-base4, nick-hppapmap-base3, nick-hppapmap-base2, nick-hppapmap-base, nick-hppapmap, netbsd-5-base, netbsd-5-2-RELEASE, netbsd-5-2-RC1, netbsd-5-2-3-RELEASE, netbsd-5-2-2-RELEASE, netbsd-5-2-1-RELEASE, netbsd-5-2, netbsd-5-1-RELEASE, netbsd-5-1-RC4, netbsd-5-1-RC3, netbsd-5-1-RC2, netbsd-5-1-RC1, netbsd-5-1-5-RELEASE, netbsd-5-1-4-RELEASE, netbsd-5-1-3-RELEASE, netbsd-5-1-2-RELEASE, netbsd-5-1-1-RELEASE, netbsd-5-1, netbsd-5-0-RELEASE, netbsd-5-0-RC4, netbsd-5-0-RC3, netbsd-5-0-RC2, netbsd-5-0-RC1, netbsd-5-0-2-RELEASE, netbsd-5-0-1-RELEASE, netbsd-5-0, netbsd-5, mjf-devfs2-base, matt-nb5-pq3-base, matt-nb5-pq3, matt-nb5-mips64-u2-k2-k4-k7-k8-k9, matt-nb5-mips64-u1-k1-k5, matt-nb5-mips64-premerge-20101231, matt-nb5-mips64-premerge-20091211, matt-nb5-mips64-k15, matt-nb5-mips64, matt-nb4-mips64-k7-u2a-k9b, matt-mips64-base2, jymxensuspend-base, jym-xensuspend-nbase, jym-xensuspend-base, jym-xensuspend, hpcarm-cleanup-nbase, haad-nbase2, haad-dm-base2, haad-dm-base1, haad-dm-base, haad-dm, ad-audiomp2-base, ad-audiomp2
Changes since 1.27: +3 -3 lines
Diff to previous 1.27 (unified)

Fix a stupid typo. In ipsec6_process_packet, reinject the packet in AF_INET6,
not in AF_INET.

Revision 1.27 / (download) - annotate - [select for diffs], Wed Apr 23 06:09:05 2008 UTC (16 years ago) by thorpej
Branch: MAIN
CVS Tags: yamt-nfs-mp-base
Branch point for: yamt-nfs-mp
Changes since 1.26: +24 -10 lines
Diff to previous 1.26 (unified)

Make IPSEC and FAST_IPSEC stats per-cpu.  Use <net/net_stats.h> and
netstat_sysctl().

Revision 1.26 / (download) - annotate - [select for diffs], Sat Dec 29 16:43:17 2007 UTC (16 years, 3 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-pf42-baseX, yamt-pf42-base, yamt-lazymbuf-base15, yamt-lazymbuf-base14, nick-net80211-sync-base, nick-net80211-sync, mjf-devfs-base, matt-armv6-nbase, matt-armv6-base, keiichi-mipv6-nbase, keiichi-mipv6-base, keiichi-mipv6, hpcarm-cleanup-base, bouyer-xeni386-nbase, bouyer-xeni386-base, ad-socklock-base1
Branch point for: yamt-pf42, mjf-devfs2
Changes since 1.25: +73 -32 lines
Diff to previous 1.25 (unified)

Fix the ipsec processing in case of USE rules with no SA installed.

In case where there is no more isr to process, just tag the packet and reinject
in the ip{,6} stack.

Fix pr/34843

Revision 1.25 / (download) - annotate - [select for diffs], Sat Dec 29 14:53:25 2007 UTC (16 years, 3 months ago) by degroote
Branch: MAIN
Changes since 1.24: +31 -25 lines
Diff to previous 1.24 (unified)

Simplify the FAST_IPSEC output path
Only record an IPSEC_OUT_DONE tag when we have finished the processing
In ip{,6}_output, check this tag to know if we have already processed this
packet.
Remove some dead code (IPSEC_PENDING_TDB is not used in NetBSD)

Fix pr/36870

Revision 1.24 / (download) - annotate - [select for diffs], Sun Dec 9 18:27:39 2007 UTC (16 years, 4 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-kmem-base3, yamt-kmem-base2, vmlocking2-base3, cube-autoconf-base, cube-autoconf
Branch point for: bouyer-xeni386
Changes since 1.23: +3 -16 lines
Diff to previous 1.23 (unified)

Kill _IP_VHL ifdef (from netinet/ip.h history, it has never been used in NetBSD so ...)

Revision 1.23 / (download) - annotate - [select for diffs], Sun Oct 28 15:48:23 2007 UTC (16 years, 5 months ago) by adrianp
Branch: MAIN
CVS Tags: yamt-kmem-base, vmlocking2-base2, vmlocking2-base1, vmlocking-nbase, reinoud-bufcleanup-nbase, reinoud-bufcleanup-base, jmcneill-pm-base, jmcneill-base, bouyer-xenamd64-base2, bouyer-xenamd64-base
Branch point for: yamt-kmem, vmlocking2, mjf-devfs
Changes since 1.22: +3 -5 lines
Diff to previous 1.22 (unified)

The function ipsec4_get_ulp assumes that ip_off is in host order. This results
in IPsec processing that is dependent on protocol and/or port can be bypassed.

Bug report, analysis and initial fix from Karl Knutsson.
Final patch and ok from degroote@

Revision 1.22 / (download) - annotate - [select for diffs], Wed Jun 27 20:38:33 2007 UTC (16 years, 9 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-x86pmap-base4, yamt-x86pmap-base3, yamt-x86pmap-base2, yamt-x86pmap-base, yamt-x86pmap, vmlocking-base, nick-csl-alignment-base5, nick-csl-alignment-base, nick-csl-alignment, mjf-ufs-trans-base, matt-mips64-base, matt-mips64, hpcarm-cleanup
Branch point for: matt-armv6, jmcneill-pm, bouyer-xenamd64
Changes since 1.21: +70 -6 lines
Diff to previous 1.21 (unified)

Add support for options IPSEC_NAT_T (RFC 3947 and 3948) for fast_ipsec(4).

No objection on tech-net@

Revision 1.21 / (download) - annotate - [select for diffs], Sat Feb 10 09:43:05 2007 UTC (17 years, 2 months ago) by degroote
Branch: MAIN
CVS Tags: yamt-idlelwp-base8, yamt-idlelwp, thorpej-atomic-base, thorpej-atomic, reinoud-bufcleanup, ad-audiomp-base, ad-audiomp
Branch point for: vmlocking, mjf-ufs-trans
Changes since 1.20: +80 -263 lines
Diff to previous 1.20 (unified)

Commit my SoC work
Add ipv6 support for fast_ipsec
Note that currently, packets with extension headers are not correctly
supported
Change the ipcomp logic

Revision 1.20 / (download) - annotate - [select for diffs], Fri Jan 26 19:49:18 2007 UTC (17 years, 2 months ago) by dyoung
Branch: MAIN
CVS Tags: post-newlock2-merge, newlock2-nbase, newlock2-base
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (unified)

KNF: bzero -> memset.

Revision 1.19 / (download) - annotate - [select for diffs], Fri Dec 15 21:18:56 2006 UTC (17 years, 4 months ago) by joerg
Branch: MAIN
CVS Tags: yamt-splraiseipl-base5, yamt-splraiseipl-base4
Changes since 1.18: +13 -13 lines
Diff to previous 1.18 (unified)

Introduce new helper functions to abstract the route caching.
rtcache_init and rtcache_init_noclone lookup ro_dst and store
the result in ro_rt, taking care of the reference counting and
calling the domain specific route cache.
rtcache_free checks if a route was cached and frees the reference.
rtcache_copy copies ro_dst of the given struct route, checking that
enough space is available and incrementing the reference count of the
cached rtentry if necessary.
rtcache_check validates that the cached route is still up. If it isn't,
it tries to look it up again. Afterwards ro_rt is either valid again
or NULL.
rtcache_copy is used internally.

Adjust the callers of rtalloc/rtflush in the tree to check the sanity of
ro_dst first (if necessary). If it doesn't fit the expectations, free
the cache, otherwise check if the cached route is still valid. After
that combination, a single check for ro_rt == NULL is enough to decide
whether a new lookup needs to be done with a different ro_dst.
Make the route checking in gre stricter by repeating the loop check
after revalidation.
Remove some unused RADIX_MPATH code in in6_src.c. The logic is slightly
changed here to first validate the route and check RTF_GATEWAY
afterwards. This is semantically equivalent though.
etherip doesn't need sc_route_expire similar to the gif changes from
dyoung@ earlier.

Based on the earlier patch from dyoung@, reviewed and discussed with
him.

Revision 1.18 / (download) - annotate - [select for diffs], Sat Dec 9 05:33:09 2006 UTC (17 years, 4 months ago) by dyoung
Branch: MAIN
CVS Tags: yamt-splraiseipl-base3
Changes since 1.17: +8 -10 lines
Diff to previous 1.17 (unified)

Here are various changes designed to protect against bad IPv4
routing caused by stale route caches (struct route).  Route caches
are sprinkled throughout PCBs, the IP fast-forwarding table, and
IP tunnel interfaces (gre, gif, stf).

Stale IPv6 and ISO route caches will be treated by separate patches.

Thank you to Christoph Badura for suggesting the general approach
to invalidating route caches that I take here.

Here are the details:

Add hooks to struct domain for tracking and for invalidating each
domain's route caches: dom_rtcache, dom_rtflush, and dom_rtflushall.

Introduce helper subroutines, rtflush(ro) for invalidating a route
cache, rtflushall(family) for invalidating all route caches in a
routing domain, and rtcache(ro) for notifying the domain of a new
cached route.

Chain together all IPv4 route caches where ro_rt != NULL.  Provide
in_rtcache() for adding a route to the chain.  Provide in_rtflush()
and in_rtflushall() for invalidating IPv4 route caches.  In
in_rtflush(), set ro_rt to NULL, and remove the route from the
chain.  In in_rtflushall(), walk the chain and remove every route
cache.

In rtrequest1(), call rtflushall() to invalidate route caches when
a route is added.

In gif(4), discard the workaround for stale caches that involves
expiring them every so often.

Replace the pattern 'RTFREE(ro->ro_rt); ro->ro_rt = NULL;' with a
call to rtflush(ro).

Update ipflow_fastforward() and all other users of route caches so
that they expect a cached route, ro->ro_rt, to turn to NULL.

Take care when moving a 'struct route' to rtflush() the source and
to rtcache() the destination.

In domain initializers, use .dom_xxx tags.

KNF here and there.

Revision 1.17 / (download) - annotate - [select for diffs], Fri Nov 24 19:47:00 2006 UTC (17 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: netbsd-4-base
Branch point for: wrstuden-fixsa, netbsd-4
Changes since 1.16: +3 -3 lines
Diff to previous 1.16 (unified)

fix spelling of accommodate; from Zapher.

Revision 1.16 / (download) - annotate - [select for diffs], Thu Nov 16 01:33:49 2006 UTC (17 years, 5 months ago) by christos
Branch: MAIN
Changes since 1.15: +7 -7 lines
Diff to previous 1.15 (unified)

__unused removal on arguments; approved by core.

Revision 1.15 / (download) - annotate - [select for diffs], Fri Oct 13 20:53:59 2006 UTC (17 years, 6 months ago) by christos
Branch: MAIN
CVS Tags: yamt-splraiseipl-base2
Changes since 1.14: +19 -13 lines
Diff to previous 1.14 (unified)

more __unused

Revision 1.14 / (download) - annotate - [select for diffs], Sun Dec 11 12:25:05 2005 UTC (18 years, 4 months ago) by christos
Branch: MAIN
CVS Tags: yamt-uio_vmspace-base5, yamt-uio_vmspace, yamt-splraiseipl-base, yamt-pdpolicy-base9, yamt-pdpolicy-base8, yamt-pdpolicy-base7, yamt-pdpolicy-base6, yamt-pdpolicy-base5, yamt-pdpolicy-base4, yamt-pdpolicy-base3, yamt-pdpolicy-base2, yamt-pdpolicy-base, yamt-pdpolicy, simonb-timecounters-base, simonb-timecounters, simonb-timcounters-final, rpaulo-netinet-merge-pcb-base, rpaulo-netinet-merge-pcb, peter-altq-base, peter-altq, gdamore-uart-base, gdamore-uart, elad-kernelauth-base, elad-kernelauth, chap-midi-nbase, chap-midi-base, chap-midi, abandoned-netbsd-4-base, abandoned-netbsd-4
Branch point for: yamt-splraiseipl, newlock2
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (unified)

merge ktrace-lwp.

Revision 1.13 / (download) - annotate - [select for diffs], Fri May 7 00:55:15 2004 UTC (19 years, 11 months ago) by jonathan
Branch: MAIN
CVS Tags: yamt-vop-base3, yamt-vop-base2, yamt-vop-base, yamt-vop, yamt-readahead-pervnode, yamt-readahead-perfile, yamt-readahead-base3, yamt-readahead-base2, yamt-readahead-base, yamt-readahead, yamt-km-base4, yamt-km-base3, yamt-km-base2, yamt-km-base, yamt-km, thorpej-vnode-attr-base, thorpej-vnode-attr, netbsd-3-base, netbsd-3-1-RELEASE, netbsd-3-1-RC4, netbsd-3-1-RC3, netbsd-3-1-RC2, netbsd-3-1-RC1, netbsd-3-1-1-RELEASE, netbsd-3-0-RELEASE, netbsd-3-0-RC6, netbsd-3-0-RC5, netbsd-3-0-RC4, netbsd-3-0-RC3, netbsd-3-0-RC2, netbsd-3-0-RC1, netbsd-3-0-3-RELEASE, netbsd-3-0-2-RELEASE, netbsd-3-0-1-RELEASE, ktrace-lwp-base, kent-audio2-base, kent-audio2, kent-audio1-beforemerge, kent-audio1-base, kent-audio1
Branch point for: yamt-lazymbuf, netbsd-3-1, netbsd-3-0, netbsd-3, ktrace-lwp
Changes since 1.12: +3 -2 lines
Diff to previous 1.12 (unified)

Redo net.inet.* sysctl subtree for fast-ipsec from scratch.
Attach FAST-IPSEC statistics with 64-bit counters to new sysctl MIB.
Rework netstat to show FAST_IPSEC statistics, via sysctl,  for
netstat -p ipsec.

New kernel files:
	sys/netipsec/Makefile		(new file; install *_var.h includes)
	sys/netipsec/ipsec_var.h	(new 64-bit mib counter struct)

Changed kernel files:
	sys/Makefile			(recurse into sys/netipsec/)
	sys/netinet/in.h		(fake IP_PROTO name for fast_ipsec
					sysctl subtree.)
	sys/netipsec/ipsec.h		(minimal userspace inclusion)
	sys/netipsec/ipsec_osdep.h	(minimal userspace inclusion)
	sys/netipsec/ipsec_netbsd.c	(redo sysctl subtree from scratch)
	sys/netipsec/key*.c		(fix broken net.key subtree)

	sys/netipsec/ah_var.h		(increase all counters to 64 bits)
	sys/netipsec/esp_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipip_var.h		(increase all counters to 64 bits)
	sys/netipsec/ipcomp_var.h	(increase all counters to 64 bits)

	sys/netipsec/ipsec.c		(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_mbuf.c	(add #include netipsec/ipsec_var.h)
	sys/netipsec/ipsec_output.c	(add #include netipsec/ipsec_var.h)

	sys/netinet/raw_ip.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/tcp_input.c		(add #include netipsec/ipsec_var.h)
	sys/netinet/udp_usrreq.c	(add #include netipsec/ipsec_var.h)

Changes to usr.bin/netstat to print the new fast-ipsec sysctl tree
for "netstat -s -p ipsec":

New file:
	usr.bin/netstat/fast_ipsec.c	(print fast-ipsec counters)

Changed files:
	usr.bin/netstat/Makefile	(add fast_ipsec.c)
	usr.bin/netstat/netstat.h	(declarations for fast_ipsec.c)
	usr.bin/netstat/main.c		(call KAME-vs-fast-ipsec dispatcher)

Revision 1.12 / (download) - annotate - [select for diffs], Wed Mar 17 00:21:43 2004 UTC (20 years, 1 month ago) by jonathan
Branch: MAIN
CVS Tags: netbsd-2-0-base
Branch point for: netbsd-2-0
Changes since 1.11: +5 -3 lines
Diff to previous 1.11 (unified)

sys/netinet6/ip6_ecn.h is reportedly a FreeBSD-ism; NetBSD has
prototypes for the IPv6 ECN ingress/egress functions in sys/netinet/ip_ecn.h,
inside an #ifdef INET6 wrapper.   So, wrap sys/netipsec occurrences of
	#include <netinet6/ip6_ecn.h>
in #ifdef __FreeBSD__/#endif, until both camps can agree on this
teensy little piece of namespace. Affects:
    ipsec_output.c xform_ah.c xform_esp.c xform_ipip.c

Revision 1.11 / (download) - annotate - [select for diffs], Tue Mar 16 22:58:54 2004 UTC (20 years, 1 month ago) by jonathan
Branch: MAIN
Changes since 1.10: +3 -3 lines
Diff to previous 1.10 (unified)

Delint ntohl() as argument to a "%lx" format in a log message.

Revision 1.10 / (download) - annotate - [select for diffs], Tue Mar 16 22:48:29 2004 UTC (20 years, 1 month ago) by jonathan
Branch: MAIN
Changes since 1.9: +4 -2 lines
Diff to previous 1.9 (unified)

#include <net/net_osdep.h>: if INET6 is configured,
ipsec_encapsulate() calls ovbcopy(), which is otherwise deprecated.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Mar 1 23:30:01 2004 UTC (20 years, 1 month ago) by thorpej
Branch: MAIN
Changes since 1.8: +30 -4 lines
Diff to previous 1.8 (unified)

Add missing copyright notice (FreeBSD rev. 1.3.2.2).

Revision 1.8 / (download) - annotate - [select for diffs], Fri Jan 16 11:06:27 2004 UTC (20 years, 3 months ago) by scw
Branch: MAIN
Changes since 1.7: +6 -3 lines
Diff to previous 1.7 (unified)

Fix ipip_output() to always set *mp to NULL on failure, even if 'm'
is NULL, otherwise ipsec4_process_packet() may try to m_freem() a
bad pointer.

In ipsec4_process_packet(), don't try to m_freem() 'm' twice; ipip_output()
already did it.

Revision 1.7 / (download) - annotate - [select for diffs], Mon Oct 6 22:05:15 2003 UTC (20 years, 6 months ago) by tls
Branch: MAIN
Changes since 1.6: +3 -3 lines
Diff to previous 1.6 (unified)

Reversion of "netkey merge", part 2 (replacement of removed files in the
repository by christos was part 1).  netipsec should now be back as it
was on 2003-09-11, with some very minor changes:

1) Some residual platform-dependent code was moved from ipsec.h to
   ipsec_osdep.h; without this, IPSEC_ASSERT() was multiply defined.  ipsec.h
   now includes ipsec_osdep.h

2) itojun's renaming of netipsec/files.ipsec to netipsec/files.netipsec has
   been left in place (it's arguable which name is less confusing but the
   rename is pretty harmless).

3) Some #endif TOKEN has been replaced by #endif /* TOKEN */; #endif TOKEN
   is invalid and GCC 3 won't compile it.

An i386 kernel with "options FAST_IPSEC" and "options OPENCRYPTO" now
gets through "make depend" but fails to build with errors in ip_input.c.
But it's better than it was (thank heaven for small favors).

Revision 1.6 / (download) - annotate - [select for diffs], Fri Sep 12 11:20:58 2003 UTC (20 years, 7 months ago) by itojun
Branch: MAIN
Changes since 1.5: +5 -5 lines
Diff to previous 1.5 (unified)

merge netipsec/key* into netkey/key*.  no need for both.
change confusing filename

Revision 1.5 / (download) - annotate - [select for diffs], Fri Aug 22 21:53:10 2003 UTC (20 years, 8 months ago) by itojun
Branch: MAIN
Changes since 1.4: +3 -3 lines
Diff to previous 1.4 (unified)

change the additional arg to be passed to ip{,6}_output to struct socket *.

this fixes KAME policy lookup which was broken by the previous commit.

Revision 1.4 / (download) - annotate - [select for diffs], Wed Aug 20 22:33:40 2003 UTC (20 years, 8 months ago) by jonathan
Branch: MAIN
Changes since 1.3: +4 -2 lines
Diff to previous 1.3 (unified)

opt_inet6.h is FreeBSD-specific, so wrap it with #ifdef __FreeBSD__/#endif.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Aug 15 17:14:31 2003 UTC (20 years, 8 months ago) by jonathan
Branch: MAIN
Changes since 1.2: +8 -3 lines
Diff to previous 1.2 (unified)

Fix bug with IP_DF handling which was breaking TCP: on FreeBSD, ip_off
is assumed to be in host byteorder during the input(?) path.  NetBSD
keeps ip_off and ip_len in network order.  Add (or remove) byteswaps
accordingly.  TCP over fast_ipsec now works with PMTU, as well as without.

Revision 1.2 / (download) - annotate - [select for diffs], Fri Aug 15 03:42:07 2003 UTC (20 years, 8 months ago) by jonathan
Branch: MAIN
Changes since 1.1: +5 -3 lines
Diff to previous 1.1 (unified)

(fast-ipsec): Add hooks to pass IPv4 IPsec traffic into fast-ipsec, if
configured with ``options FAST_IPSEC''.  Kernels with KAME IPsec or
with no IPsec should work as before.

All calls to ip_output() now always pass an additional compulsory
argument: the inpcb associated with the packet being sent,
or 0 if no inpcb is available.

Fast-ipsec tested with ICMP or UDP over ESP. TCP doesn't work, yet.

Revision 1.1 / (download) - annotate - [select for diffs], Wed Aug 13 20:06:51 2003 UTC (20 years, 8 months ago) by jonathan
Branch: MAIN

Initial import of Sam Leffler's `Fast-IPsec' from FreeBSD 4.
Fast-IPsec is a rework of the OpenBSD and KAME IPsec code, using the
OpenCryptoFramework (and thus hardware crypto accelerators) and
numerous detailed performance improvements.

This import is (aside from SPL-level names) the FreeBSD source,
imported ``as-is'' as a historical snapshot, for future maintenance
and comparison against the FreeBSD source.  For now, several minor
kernel-API differences are hidden by macros a shim file, ipsec_osdep.h,
which (aside from SPL names) can be targeted at either NetBSD or FreeBSD.
