OpenBSD CVS

CVS log for src/sys/netinet/ipsec_input.c

Default branch: MAIN


Revision 1.206, Sat Sep 16 09:33:27 2023 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, OPENBSD_7_4_BASE, OPENBSD_7_4, HEAD
Changes since 1.205: +6 -5 lines

Allow counters_read(9) to take an optional scratch buffer.

Using a scratch buffer makes it possible to take a consistent snapshot of
per-CPU counters without having to allocate memory.

Makes ddb(4) show uvmexp command work in OOM situations.

ok kn@, mvs@, cheloha@

Revision 1.205, Mon Aug 7 03:43:57 2023 UTC, by dlg
Branch: MAIN
Changes since 1.204: +22 -1 lines

add the glue between ipsec security associations and sec(4) interfaces.

if TDBF_IFACE is set on a tdb, the ipsec stack will pass it to the
sec(4) driver to keep track of instead of wiring it up for security
associations to use.

when sec(4) transmits a packet, it will look up its list of tdbs
to find the right SA to encrypt and send the packet out with.

if an incoming ipsec packet arrives with TDBF_IFACE set, it's passed
to sec(4) to be injected back into the network stack as if it was
received on the sec interface, instead of being reinjected into the
IP stack like normal SA/SPD processing does.

note that this means you do not have to configure tunnel endpoints
on sec(4) interfaces, instead you line the interface unit number
in the ipsec config up with the minor number of the sec(4) interfaces.
the peer IPs used on the SAs are what's used as the traffic endpoints.

support from many including markus@ tobhe@ claudio@ sthen@ patrick@
now is a good time deraadt@

Revision 1.204, Sat May 13 13:35:17 2023 UTC, by bluhm
Branch: MAIN
Changes since 1.203: +2 -3 lines

Instead of implementing IPv4 header checksum creation everywhere,
introduce in_hdr_cksum_out().  It is used like in_proto_cksum_out().
OK claudio@

Revision 1.203, Tue Feb 22 01:35:40 2022 UTC, by guenther
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3, OPENBSD_7_2_BASE, OPENBSD_7_2, OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.202: +1 -2 lines

Delete unnecessary #includes of <netinet6/ip6protosw.h>: some never
needed it and some no longer need it after moving the externs from
there to <sys/protosw.h>

ok jsg@

Revision 1.202, Tue Jan 4 06:32:39 2022 UTC, by yasuoka
Branch: MAIN
Changes since 1.201: +3 -3 lines

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees.  ipsp_ids_lookup() returns `ids' with bumped reference
counter.  original diff from mvs

ok mvs

Revision 1.201, Thu Dec 23 12:21:48 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.200: +3 -1 lines

IPsec is not MP safe yet.  To allow forwarding in parallel without
dirty hacks, it is better to protect IPsec input and output with
kernel lock.  Not much is lost as crypto needs the kernel lock
anyway.  From here we can refine the lock later.
Note that there is no kernel lock in the SPD lookup path.  Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@

Revision 1.200, Wed Dec 22 13:37:46 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.199: +5 -17 lines

Consolidate enc_getif() lookups in IPsec input path to save one lookup
per packet and improve readability.

ok bluhm@

Revision 1.199, Mon Dec 20 15:59:10 2021 UTC, by mvs
Branch: MAIN
Changes since 1.198: +5 -6 lines

Use per-CPU counters for tunnel descriptor block (TDB) statistics.
'tdb_data' struct became unused and was removed.

Tested by Hrvoje Popovski.
ok bluhm@

Revision 1.198, Mon Dec 20 15:23:32 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.197: +2 -2 lines

Fix function name in panic string.

Revision 1.197, Wed Dec 8 14:24:18 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.196: +4 -3 lines

Start documenting the locking strategy of struct tdb fields.  Note
that gettdb_dir() is MP safe now.  Add the tdb_sadb_mtx mutex in
udpencap_ctlinput() to protect the access to tdb_snext.  Make the
braces consistently for all these TDB loops.  Move NET_ASSERT_LOCKED()
into the functions where the read access happens.
OK mvs@

Revision 1.196, Thu Dec 2 13:46:42 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.195: +3 -52 lines

ipsec_common_input_cb() extracted the inner IP header of IPsec
tunnels.  It is never used, so this is useless code.  Remove ipn
and ip6n IP header variables and the m_copydata() to fill them.
OK mvs@ kn@ sthen@

Revision 1.195, Thu Dec 2 12:39:15 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.194: +6 -2 lines

Allow to build kernel without IPSEC or INET6 defines.
OK mpi@ mvs@

Revision 1.194, Wed Dec 1 12:51:09 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.193: +5 -4 lines

Let ipsp_spd_lookup() return an error instead of a TDB.  The TDB
is not always needed, but the error value is necessary for the
caller.  As TDB should be refcounted, it makes no sense to always
return it.  Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Revision 1.193, Thu Nov 25 13:46:02 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.192: +20 -11 lines

Implement reference counting for IPsec tdbs.  Not all cases are
covered yet, more ref counts to come.  The timeouts are protected,
so the racy tdb_reaper() gets retired.  The tdb_policy_head, onext
and inext lists are protected.  All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later.  A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Revision 1.192, Sun Nov 21 02:54:56 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.191: +5 -4 lines

Fix whitespace and long lines.

Revision 1.191, Thu Nov 11 18:08:18 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.190: +13 -26 lines

Do not call ip_deliver() recursively from IPsec.  As there is no
crypto task anymore, it is possible to return the next protocol.
Then ip_deliver() will walk the header chain in its loop.
IPsec bridge(4) tested by jan@
OK mvs@ tobhe@ jan@

Revision 1.190, Mon Nov 1 09:19:10 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.189: +3 -2 lines

In ipsec_common_input_cb() pass mbuf pointer to pf_test() so that
all callers get an update if the mbuf changes.
OK tobhe@

Revision 1.189, Sun Oct 24 22:59:47 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.188: +91 -171 lines

Remove code duplication by merging the v4 and v6 input functions
for ah, esp, and ipcomp.  Move common code into ipsec_protoff()
which finds the offset of the next protocol field in the previous
header.
OK tobhe@

Revision 1.188, Sun Oct 24 17:08:27 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.187: +8 -6 lines

There are more m_pullup() in IPsec input.  Pass down the pointer
to the mbuf to update it globally.  At the end it will reach
ip_deliver() which expects a pointer to an mbuf.
OK sashan@

Revision 1.187, Sat Oct 23 22:19:37 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.186: +11 -10 lines

There is an m_pullup() down in AH input.  As it may free or change
the mbuf, the callers must be careful.  Although there is no bug,
use the common pattern to handle this.  Pass down an mbuf pointer
mp and let m_pullup() update the pointer in all callers.
It looks like the tcp signature functions should not be called.
Avoid an mbuf leak and return an error.
OK mvs@

Revision 1.186, Sat Oct 23 15:42:35 2021 UTC, by tobhe
Branch: MAIN
Changes since 1.185: +1 -73 lines

Retire asynchronous crypto API as it is no longer required by any driver and
adds unnecessary complexity.  Dedicated crypto offloading devices are not common
anymore.  Modern CPU crypto acceleration works synchronously, eliminating the need
for callbacks.

Replace all occurrences of crypto_dispatch() with crypto_invoke(), which is
blocking and only returns after the operation has completed or an error occurred.
Invoke callback functions directly from the consumer (e.g. IPsec, softraid)
instead of relying on the crypto driver to call crypto_done().

ok bluhm@ mvs@ patrick@

Revision 1.185, Fri Oct 22 15:44:20 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.184: +22 -33 lines

Make error handling in IPsec consistent.  Pass errors to the callers.
OK tobhe@

Revision 1.184, Wed Oct 13 22:49:11 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.183: +1 -14 lines

Remove redundant NULL checks in IPsec which are never reached.
ok mvs@

Revision 1.183, Wed Oct 13 22:43:44 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.182: +2 -6 lines

The function crypto_dispatch() never returns an error.  Make it
void and remove error handling in the callers.
OK patrick@ mvs@

Revision 1.182, Tue Oct 5 11:45:26 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.181: +2 -3 lines

Cleanup the error handling in ipsec ipip_output() and consistently
goto drop instead of return.  An ENOBUFS should be EINVAL in IPv6
case.  Also use combined packet and byte counter.
OK sthen@ dlg@

Revision 1.181, Tue Oct 5 11:34:35 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.180: +26 -31 lines

Move setting ipsec mtu into a function.  The NULL and invalid check
in ipsec_common_ctlinput() is not necessary, the loop in ipsec_set_mtu()
does that anyway.  udpencap_ctlinput() did not work for bundled SA,
this also needs the loop in ipsec_set_mtu().
OK sthen@

Revision 1.180, Wed Sep 29 22:08:13 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.179: +2 -1 lines

Global variables to track initialisation behave poorly with MP.
Move the tdb pool init into an init function.
OK mvs@

Revision 1.179, Tue Jul 27 17:13:03 2021 UTC, by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.178: +8 -7 lines

Revert "Use per-CPU counters for tunnel descriptor block" diff.

Panic reported by Hrvoje Popovski.

Revision 1.178, Mon Jul 26 23:17:07 2021 UTC, by mvs
Branch: MAIN
Changes since 1.177: +7 -8 lines

Use per-CPU counters for tunnel descriptor block (tdb) statistics.
'tdb_data' struct became unused and was removed.

ok bluhm@

Revision 1.177, Mon Jul 26 21:27:57 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.176: +7 -14 lines

Do not queue crypto operations for IPsec.  The packet entries in
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now.  Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@

Revision 1.176, Wed Jul 21 12:23:32 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.175: +7 -2 lines

Also count crypto errors in ipsec_input_cb() like IPsec output in
previous commit.

Revision 1.175, Thu Jul 8 15:13:14 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.174: +50 -49 lines

Debug printfs in encdebug were inconsistent, some missing newlines
produced ugly output.  Move the function name and the newline into
the DPRINTF macro.  This simplifies the debug statements.
OK tobhe@

Revision 1.174, Fri Jun 18 15:34:21 2021 UTC, by bluhm
Branch: MAIN
Changes since 1.173: +3 -1 lines

The crypto(9) framework used by IPsec runs on a kernel task that
is protected by kernel lock.  There were crashes in swcr_authenc()
when it was accessing swcr_sessions.  As a quick fix, protect all
calls from network stack to crypto with kernel lock.  This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@

Revision 1.173, Tue Sep 1 01:53:34 2020 UTC, by gnezdo
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9, OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.172: +33 -11 lines

Convert *_sysctl in ipsec_input.c to sysctl_bounded_arr

The best-guessed limits will be tested by trial.

Revision 1.172, Sat Aug 1 23:41:55 2020 UTC, by gnezdo
Branch: MAIN
Changes since 1.171: +21 -33 lines

Move range check inside sysctl_int_arr

Range violations are now consistently reported as EOPNOTSUPP.
Previously they were mixed with ENOPROTOOPT.

OK kn@

Revision 1.171, Wed Jun 24 22:03:43 2020 UTC, by cheloha
Branch: MAIN
Changes since 1.170: +5 -5 lines

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t.  However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel.  Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Revision 1.170, Thu Apr 23 19:38:08 2020 UTC, by tobhe
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.169: +8 -5 lines

Add support for automatically moving traffic between rdomains on ipsec(4)
encryption or decryption.  This allows us to keep plaintext and encrypted
network traffic separated and reduces the attack surface for network
sidechannel attacks.

The only way to reach the inner rdomain from outside is by successful
decryption and integrity verification through the responsible Security
Association (SA).
The only way for internal traffic to get out is getting encrypted and
moved through the outgoing SA.
Multiple plaintext rdomains can share the same encrypted rdomain while
the unencrypted packets are still kept separate.
The encrypted and unencrypted rdomains can have different default routes.

The rdomains can be configured with the new SADB_X_EXT_RDOMAIN pfkey
extension.  Each SA (tdb) gets a new attribute 'tdb_rdomain_post'.
If this differs from 'tdb_rdomain' then the packet is moved to
'tdb_rdomain_post' after IPsec processing.

Flows and outgoing IPsec SAs are installed in the plaintext rdomain,
incoming IPsec SAs are installed in the encrypted rdomain.
IPCOMP SAs are always installed in the plaintext rdomain.
They can be viewed with 'route -T X exec ipsecctl -sa' where X is the
rdomain ID.

As the kernel does not create encX devices automatically when creating
rdomains they have to be added by hand with ifconfig for IPsec to work
in non-default rdomains.

discussed with chris@ and kn@
ok markus@, patrick@

Revision 1.169, Mon Sep 30 01:53:05 2019 UTC, by dlg
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.168: +2 -2 lines

remove the "copy function" argument to bpf_mtap_hdr.

it was previously (ab)used by pflog, which has since been fixed.
apart from that nothing else used it, so we can trim the cruft.

ok kn@ claudio@ visa@
visa@ also made sure i fixed ipw(4) so i386 won't break.

Revision 1.168, Fri Nov 9 13:26:12 2018 UTC, by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.167: +1 -4 lines

Remove the last few XXX rdomain markers. Even those functions respect the
rdomain now and are therefore rdomain safe.
OK mpi@

Revision 1.167, Fri Sep 14 23:40:10 2018 UTC, by mestre
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.166: +3 -3 lines

Initialize the TDB to NULL in ipsec_common_input() and
ipsec_{input,output}_cb() so that in the case of sending or receiving a bogus
mbuf (NULL) we don't end up trying to dereference the TDB, while being an
uninitialized pointer, to increase the drops.

Coverity IDs 1473312, 1473313 and 1473317.

OK mpi@ visa@

Revision 1.166, Tue Aug 28 15:15:02 2018 UTC, by mpi
Branch: MAIN
Changes since 1.165: +15 -3 lines

Add per-TDB counters and a new SADB extension to export them to
userland.

Inputs from markus@, ok sthen@

Revision 1.165, Wed Jul 11 09:07:59 2018 UTC, by mpi
Branch: MAIN
Changes since 1.164: +9 -3 lines

Convert AH & IPcomp to ipsec_input_cb() and count drops on input.

ok markus@

Revision 1.164, Tue Jul 10 11:34:12 2018 UTC, by mpi
Branch: MAIN
Changes since 1.163: +110 -15 lines

Introduce new IPsec (per-CPU) statistics and refactor ESP input
callbacks to be able to count dropped packet.

Having more generic statistics will help troubleshooting problems
with specific tunnels.  Per-TDB counters are coming once all the
refactoring bits are in.

ok markus@

Revision 1.163, Mon May 14 15:24:23 2018 UTC, by bluhm
Branch: MAIN
Changes since 1.162: +43 -25 lines

When checking the IPsec enable sysctls, ipsec_common_input() had
switches for protocol and address family.  Move this code to the
specific functions from where the common function is called.
As a consequence the raw ip input functions can never be called
from udp_input() anymore.  If IPsec is disabled, the functions
ah6_input(), esp6_input(), and ipcomp6_input() do not start processing
the header chain.  The raw ip input functions are called with the
mbuf and offset pointers from the protocol walking loop which is
the usual behavior.
OK mpi@ markus@

Revision 1.162, Sat May 12 21:24:43 2018 UTC, by bluhm
Branch: MAIN
Changes since 1.161: +27 -24 lines

Cleanup IPsec common input error handling with consistent goto drop.
from markus@; OK mpi@

Revision 1.161, Mon Nov 20 10:35:24 2017 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.160: +2 -1 lines

Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running
pr_input handlers without KERNEL_LOCK().

ok visa@

Revision 1.160, Tue Nov 14 09:30:17 2017 UTC, by mpi
Branch: MAIN
Changes since 1.159: +62 -1 lines

Introduce ipsec_sysctl() and move IPsec tunables where they belong.

ok bluhm@, visa@

Revision 1.159, Wed Nov 8 16:29:20 2017 UTC, by visa
Branch: MAIN
Changes since 1.158: +98 -78 lines

Make {ah,esp,ipcomp}stat use percpu counters.

OK bluhm@, mpi@

Revision 1.158, Mon Nov 6 15:12:43 2017 UTC, by mpi
Branch: MAIN
Changes since 1.157: +34 -37 lines

Use %s and __func__ in DPRINTF() to reduce false positive with grep(1).

ok kettenis@, dhill@, visa@, jca@

Revision 1.157, Mon Oct 9 08:35:38 2017 UTC, by mpi
Branch: MAIN
Changes since 1.156: +43 -16 lines

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parallelism.

ok visa@, bluhm@, jca@

Revision 1.156, Wed Jul 5 11:34:10 2017 UTC, by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.155: +2 -16 lines

The IP in IP input function strips the outer header and reinserts
the inner IP packet into the internet queue.  The IPv6 local delivery
code has a loop to deal with header chains.  The idea is to use
this loop and avoid the queueing and rescheduling.  The IPsec packet
will be processed in a single flow.
Merge the IP deliver loop from both IP versions into a single
ip_deliver() function that can handle both address families.  This
allows to process an IP in IP header like a normal extension header.
If af != AF_UNSPEC, we are already in a deliver loop and have the
kernel lock.  Then we can just return the next protocol.  Otherwise
we enqueue.  The dequeue thread has the kernel lock and starts an
IP delivery loop.
OK mpi@

Revision 1.155, Mon Jun 19 17:58:49 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.154: +7 -13 lines

When dealing with mbuf pointers passed down as function parameters,
bugs could easily result in use-after-free or double free.  Introduce
m_freemp() which automatically resets the pointer before freeing
it.  So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@

Revision 1.154, Sun May 28 09:25:51 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.153: +4 -4 lines

Rename ip_local() to ip_deliver() and give it the same parameters
as the pr_input functions.  Add an assert that IPv4 delivery ends
in IP proto done to assure that IPv4 protocol functions work like
IPv6.
OK mpi@

Revision 1.153, Mon May 22 22:23:11 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.152: +96 -1 lines

Move IPsec forward and local policy check functions to ipsec_input.c
and give them better names.
input and OK mikeb@

Revision 1.152, Tue May 16 12:24:02 2017 UTC, by mpi
Branch: MAIN
Changes since 1.151: +3 -3 lines

Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED().

ok visa@

Revision 1.151, Fri May 12 23:05:58 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.150: +27 -33 lines

IPsec packets were passed through ip_input() a second time after
they have been decrypted.  That means that all the IP header fields
were checked twice.  Also fragment reassembly was tried twice.
At pf incoming packets in tunnel mode appeared twice on the enc0
interface, once as IP-in-IP and once as the inner packet.  In the
outgoing path pf only sees the inner packet.  Asymmetry is bad for
stateful filtering.
IPv6 shows that IPsec works without that.  After decrypting immediately
continue with local delivery.  In tunnel mode the IP-in-IP protocol
functions pass the inner header to ip6_input().  In transport mode
only pf_test() has to be called for the enc0 device.
Introduce ip_local() to avoid needless processing and cleaner pf
behavior in IPv4 IPsec.
OK mikeb@

Revision 1.150, Fri May 12 14:31:23 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.149: +21 -19 lines

Instead of printing a debug message at the end of processing, panic
early if the IPsec security protocol is unknown.  ipsec_common_input()
and ipsec_common_input_cb() can only be called with the IP protocols
ESP, AH, or IPComp.  Everything else is a programming mistake.
OK claudio@

Revision 1.149, Thu May 11 12:14:43 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.148: +27 -1 lines

IPv6 IPsec transport mode did not work if pf is enabled.  The
decrypted packets in the input path were not checked with pf.  So
with stateful filtering on enc0, direction aware protocols like
ping or TCP did not pass.  Add an explicit pf_test() in
ipsec_common_input_cb() for IPv6 transport mode to fix this.
OK mikeb@

Revision 1.148, Fri May 5 11:04:18 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.147: +3 -3 lines

Expand SA_LEN(), there is no benefit for using the macro in the
kernel.  It was only used in IPsec sources.  No binary change
OK deraadt@

Revision 1.147, Fri Apr 14 20:46:31 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.146: +9 -9 lines

Pass down the address family through the pr_input calls.  This
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@

Revision 1.146, Thu Apr 6 14:25:18 2017 UTC, by dhill
Branch: MAIN
Changes since 1.145: +3 -4 lines

Replace bcopy with a simple assignment where both variables are
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.

OK bluhm@

Revision 1.145, Tue Feb 28 09:59:34 2017 UTC, by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.144: +2 -2 lines

Some refactoring in ip6_input() needed to un-KERNEL_LOCK() the IPv6
forwarding path.

Rename ip6_ours() in ip6_local() as this function dispatches packets
to the upper layer.

Introduce ip6_ours() and get rid of 'goto hbhcheck'.  This function
will be later used to enqueue local packets.

As a bonus this reduces differences with IPv4.

Inputs and ok bluhm@

Revision 1.144, Wed Feb 8 12:37:43 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.143: +22 -149 lines

Remove the ipsec protocol callbacks which all do the same.  Implement
it in ipsec_common_input_cb() instead.  The code that was copied
to ah6_input_cb() is now in ip6_ours() so we can call it directly.
OK mpi@

Revision 1.143, Tue Feb 7 22:28:37 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.142: +45 -52 lines

Error propagation does neither make sense for ip input path nor for
asynchronous callbacks.  Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@

Revision 1.142, Sun Feb 5 16:04:14 2017 UTC, by jca
Branch: MAIN
Changes since 1.141: +3 -3 lines

Use percpu counters for ip6stat

Try to follow the existing examples.  Some notes:
- don't implement counters_dec() yet, which could be used in two
  similar chunks of code.  Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.

Input from mpi@, ok bluhm@ mpi@

Revision 1.141, Sun Jan 29 19:58:47 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.140: +17 -15 lines

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions.  It is
more consistent to have less different structures.  The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Revision 1.140, Thu Jan 26 13:03:47 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.139: +14 -16 lines

Reduce the difference between struct protosw and ip6protosw.  The
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used.  Make all functions void like in the IPv6 case.
OK mpi@

Revision 1.139, Wed Jan 25 17:34:31 2017 UTC, by bluhm
Branch: MAIN
Changes since 1.138: +4 -24 lines

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

Revision 1.138 / (download) - annotate - [select for diffs], Mon Jan 23 09:10:06 2017 UTC (7 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.137: +4 -10 lines
Diff to previous 1.137 (colored)

Assert for IPL_SOFTNET rather than raising SPL recursively.

ok benno@

Revision 1.137 / (download) - annotate - [select for diffs], Fri Jan 20 04:22:58 2017 UTC (7 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.136: +5 -14 lines
Diff to previous 1.136 (colored)

Kill recursive splsoftnet()/splx() dances.

Tested by Hrvoje Popovski, ok visa@

Revision 1.136 / (download) - annotate - [select for diffs], Fri Sep 2 09:39:32 2016 UTC (7 years, 9 months ago) by vgross
Branch: MAIN
Changes since 1.135: +11 -1 lines
Diff to previous 1.135 (colored)

Drop non-encapsulated ESP packets using a UDP-encapsulating TDB, and add
the relevant counters.

Ok mikeb@

Revision 1.135 / (download) - annotate - [select for diffs], Thu Sep 10 17:52:05 2015 UTC (8 years, 9 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0, OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.134: +3 -3 lines
Diff to previous 1.134 (colored)

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

Revision 1.134 / (download) - annotate - [select for diffs], Wed Sep 9 12:50:08 2015 UTC (8 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.133: +1 -6 lines
Diff to previous 1.133 (colored)

Kill a couple of if_get()s only needed to increment per-ifp IPv6 stats.

We do not export those per-ifp statistics and they will soon all die.

"We're putting inet6 on a diet" claudio@

ok dlg@, mikeb@, claudio@

Revision 1.133 / (download) - annotate - [select for diffs], Tue Jun 16 11:09:40 2015 UTC (8 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.132: +7 -3 lines
Diff to previous 1.132 (colored)

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get().  If a NULL pointer is returned by if_get(), the interface
has probably been destroyed/removed and the mbuf should be freed.

Such a mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Revision 1.132 / (download) - annotate - [select for diffs], Thu Jun 11 15:59:17 2015 UTC (9 years ago) by mikeb
Branch: MAIN
Changes since 1.131: +5 -10 lines
Diff to previous 1.131 (colored)

Move away from using hzto(9);  OK dlg

Revision 1.131 / (download) - annotate - [select for diffs], Wed May 13 10:42:46 2015 UTC (9 years, 1 month ago) by jsg
Branch: MAIN
Changes since 1.130: +2 -2 lines
Diff to previous 1.130 (colored)

test mbuf pointers against NULL not 0
ok krw@ miod@

Revision 1.130 / (download) - annotate - [select for diffs], Fri Apr 17 11:04:02 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.129: +3 -8 lines
Diff to previous 1.129 (colored)

Stubs and support code for NIC-enabled IPsec bite the dust.
No objection from reyk@, OK markus, hshoexer

Revision 1.129 / (download) - annotate - [select for diffs], Tue Apr 14 14:20:01 2015 UTC (9 years, 1 month ago) by mikeb
Branch: MAIN
Changes since 1.128: +26 -13 lines
Diff to previous 1.128 (colored)

make ipsp_address thread safe;  ok mpi

Revision 1.128 / (download) - annotate - [select for diffs], Fri Apr 10 13:58:20 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.127: +4 -35 lines
Diff to previous 1.127 (colored)

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if I changed only
one of the input queues I'd have to add separate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once I can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Revision 1.127 / (download) - annotate - [select for diffs], Thu Mar 26 12:21:37 2015 UTC (9 years, 2 months ago) by mikeb
Branch: MAIN
Changes since 1.126: +1 -123 lines
Diff to previous 1.126 (colored)

Remove bits of unfinished IPsec proxy support.  DNS' KX records, anyone?
ok markus, hshoexer

Revision 1.126 / (download) - annotate - [select for diffs], Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.125: +5 -5 lines
Diff to previous 1.125 (colored)

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.125 / (download) - annotate - [select for diffs], Fri Dec 19 17:14:40 2014 UTC (9 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.124: +1 -17 lines
Diff to previous 1.124 (colored)

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

Revision 1.124 / (download) - annotate - [select for diffs], Fri Dec 5 15:50:04 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.123: +2 -1 lines
Diff to previous 1.123 (colored)

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Revision 1.123 / (download) - annotate - [select for diffs], Thu Nov 20 14:51:42 2014 UTC (9 years, 6 months ago) by krw
Branch: MAIN
Changes since 1.122: +1 -4 lines
Diff to previous 1.122 (colored)

Yet more #include de-duplication.

ok deraadt@ tedu@

Revision 1.122 / (download) - annotate - [select for diffs], Tue Jul 22 11:06:10 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.121: +1 -2 lines
Diff to previous 1.121 (colored)

Fewer <netinet/in_systm.h> !

Revision 1.121 / (download) - annotate - [select for diffs], Wed Jul 9 09:30:49 2014 UTC (9 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.120: +1 -1 lines
Diff to previous 1.120 (colored)

bpf code surgery / shuffling / simplification.
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_mtap_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno

Revision 1.120 / (download) - annotate - [select for diffs], Mon Apr 14 09:06:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored)

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

	rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Revision 1.119 / (download) - annotate - [select for diffs], Thu Jan 9 06:29:06 2014 UTC (10 years, 5 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.118: +9 -9 lines
Diff to previous 1.118 (colored)

bzero/bcmp -> memset/memcmp. ok matthew

Revision 1.118 / (download) - annotate - [select for diffs], Mon Nov 11 09:15:35 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.117: +21 -5 lines
Diff to previous 1.117 (colored)

Replace most of our formatting functions to convert IPv4/6 addresses from
network to presentation format to inet_ntop().

The few remaining functions will be soon converted.

ok mikeb@, deraadt@ and moral support from henning@

Revision 1.117 / (download) - annotate - [select for diffs], Wed Oct 23 15:12:42 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.116: +1 -2 lines
Diff to previous 1.116 (colored)

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Revision 1.116 / (download) - annotate - [select for diffs], Thu Oct 17 16:27:44 2013 UTC (10 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.115: +2 -1 lines
Diff to previous 1.115 (colored)

The header file netinet/in_var.h included netinet6/in6_var.h.  This
created a bunch of useless dependencies.  Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@

Revision 1.115 / (download) - annotate - [select for diffs], Sat Jun 1 16:29:00 2013 UTC (11 years ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.114: +2 -2 lines
Diff to previous 1.114 (colored)

Fix typo backswards -> backwards.

Revision 1.114 / (download) - annotate - [select for diffs], Wed Apr 24 10:17:08 2013 UTC (11 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.113: +1 -6 lines
Diff to previous 1.113 (colored)

Instead of having various extern declarations for protocol variables,
declare them once in their corresponding header file.

Revision 1.113 / (download) - annotate - [select for diffs], Thu Apr 11 12:06:25 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.112: +12 -1 lines
Diff to previous 1.112 (colored)

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

Revision 1.112 / (download) - annotate - [select for diffs], Wed Apr 10 08:50:59 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.111: +1 -2 lines
Diff to previous 1.111 (colored)

Remove various external variable declarations from source files and
move them to the corresponding header with an appropriate comment if
necessary.

ok guenther@

Revision 1.111 / (download) - annotate - [select for diffs], Sun Mar 31 00:59:52 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.110: +4 -1 lines
Diff to previous 1.110 (colored)

Do not transfer diverted packets into IPsec processing.  They should
reach the socket that the user has specified in pf.conf.
OK reyk@

Revision 1.110 / (download) - annotate - [select for diffs], Thu Mar 28 23:10:06 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.109: +2 -1 lines
Diff to previous 1.109 (colored)

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

Revision 1.109 / (download) - annotate - [select for diffs], Thu Mar 28 16:45:16 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.108: +1 -2 lines
Diff to previous 1.108 (colored)

no need for a lot of code to include proc.h

Revision 1.108 / (download) - annotate - [select for diffs], Wed Sep 26 14:53:23 2012 UTC (11 years, 8 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.107: +3 -3 lines
Diff to previous 1.107 (colored)

add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@

Revision 1.107 / (download) - annotate - [select for diffs], Thu Sep 20 10:25:03 2012 UTC (11 years, 8 months ago) by blambert
Branch: MAIN
Changes since 1.106: +4 -4 lines
Diff to previous 1.106 (colored)

spltdb() was really just #define'd to be splsoftnet(); replace the former
with the latter

no change in md5 checksum of generated files

ok claudio@ henning@

Revision 1.106 / (download) - annotate - [select for diffs], Thu Dec 22 13:36:06 2011 UTC (12 years, 5 months ago) by sperreault
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2, OPENBSD_5_1_BASE, OPENBSD_5_1
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)

Fix RFC reference section

spotted by bluhm@, ok yasuoka@

Revision 1.105 / (download) - annotate - [select for diffs], Wed Dec 21 14:53:26 2011 UTC (12 years, 5 months ago) by sperreault
Branch: MAIN
Changes since 1.104: +9 -1 lines
Diff to previous 1.104 (colored)

Compute mandatory UDP checksum for IPv6 packets

ok yasuoka@ bluhm@

Revision 1.104 / (download) - annotate - [select for diffs], Mon Dec 19 02:43:19 2011 UTC (12 years, 5 months ago) by yasuoka
Branch: MAIN
Changes since 1.103: +48 -1 lines
Diff to previous 1.103 (colored)

Fix checksum of UDP/TCP packets following RFC 3948.  This is required for
transport mode IPsec NAT-T.

ok markus

Revision 1.103 / (download) - annotate - [select for diffs], Tue Apr 26 22:30:38 2011 UTC (13 years, 1 month ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.102: +20 -2 lines
Diff to previous 1.102 (colored)

In ipsec_common_input() the packet can be either IPv4 or IPv6.  So
pass it to the correct raw ip input function if IPsec is disabled.
ok todd@ mpf@ mikeb@ blambert@ matthew@ deraadt@

Revision 1.102 / (download) - annotate - [select for diffs], Wed Apr 6 19:15:34 2011 UTC (13 years, 2 months ago) by markus
Branch: MAIN
Changes since 1.101: +11 -2 lines
Diff to previous 1.101 (colored)

uncompress a packet with an IPcomp header only once; this prevents
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@

Revision 1.101 / (download) - annotate - [select for diffs], Sun Apr 3 15:51:09 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.100: +2 -1 lines
Diff to previous 1.100 (colored)

don't rely on implicit net/route.h inclusion via pf, claudio ok

Revision 1.100 / (download) - annotate - [select for diffs], Sat Mar 5 01:53:16 2011 UTC (13 years, 3 months ago) by bluhm
Branch: MAIN
Changes since 1.99: +2 -3 lines
Diff to previous 1.99 (colored)

The function pf_tag_packet() never fails.  Remove a redundant check
and make it void.
ok henning@, markus@, mcbride@

Revision 1.99 / (download) - annotate - [select for diffs], Tue Dec 21 19:16:15 2010 UTC (13 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.98: +10 -1 lines
Diff to previous 1.98 (colored)

don't leak short packets; ok mikeb@

Revision 1.98 / (download) - annotate - [select for diffs], Fri Jul 9 16:58:06 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.97: +15 -10 lines
Diff to previous 1.97 (colored)

Add support for using IPsec in multiple rdomains.

This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table.  The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;).  Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Tested by some people, mostly on existing "rdomain 0" setups.  Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

Revision 1.97 / (download) - annotate - [select for diffs], Thu Jul 1 02:09:45 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.96: +18 -3 lines
Diff to previous 1.96 (colored)

Allow specifying an alternative enc(4) interface for an SA.  All
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.

This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.

Discussed with many, tested by a few, will need more testing & review.

ok deraadt@

Revision 1.96 / (download) - annotate - [select for diffs], Tue Jun 29 21:28:38 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
Changes since 1.95: +16 -15 lines
Diff to previous 1.95 (colored)

Replace enc(4) with a new implementation as a cloner device.  We still
create enc0 by default, but it is possible to add additional enc
interfaces.  This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.

manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@

Revision 1.95 / (download) - annotate - [select for diffs], Tue Apr 20 22:05:43 2010 UTC (14 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.94: +2 -1 lines
Diff to previous 1.94 (colored)

remove proc.h include from uvm_map.h.  This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily.  remove sysctl.h or add proc.h as needed.
ok deraadt

Revision 1.94 / (download) - annotate - [select for diffs], Sat Jan 2 18:35:48 2010 UTC (14 years, 5 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.93: +4 -3 lines
Diff to previous 1.93 (colored)

uninitialized protocol version for ipv6; from mickey; ok claudio

Revision 1.93 / (download) - annotate - [select for diffs], Fri Nov 13 20:54:05 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.92: +7 -4 lines
Diff to previous 1.92 (colored)

Extend the protosw pr_ctlinput function to include the rdomain. This is
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain safe and no longer leaks single packets into the main domain.
Looks good markus@, henning@

Revision 1.92 / (download) - annotate - [select for diffs], Sun Aug 9 12:47:50 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.91: +2 -5 lines
Diff to previous 1.91 (colored)

once again ipsec tries to be clever and plays fast, this time by
recycling an mbuf tag and changing its type. just always get a new one.
theo ok

Revision 1.91 / (download) - annotate - [select for diffs], Wed Oct 22 23:04:45 2008 UTC (15 years, 7 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6, OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.90: +2 -2 lines
Diff to previous 1.90 (colored)

#if INET  => #ifdef INET
#if INET6 => #ifdef INET6

Revision 1.90 / (download) - annotate - [select for diffs], Wed Oct 22 14:36:08 2008 UTC (15 years, 7 months ago) by markus
Branch: MAIN
Changes since 1.89: +3 -7 lines
Diff to previous 1.89 (colored)

filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4;
ok bluhm, fries, mpf; fixes pr 4188

Revision 1.89 / (download) - annotate - [select for diffs], Tue Aug 26 12:18:01 2008 UTC (15 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.88: +2 -4 lines
Diff to previous 1.88 (colored)

call pf_pkt_addr_changed instead of manually clearing the pf state key ptr

Revision 1.88 / (download) - annotate - [select for diffs], Thu Jul 24 10:55:44 2008 UTC (15 years, 10 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.87: +4 -1 lines
Diff to previous 1.87 (colored)

ipsec is glued into the stack in a very weird way, violating all kinds
of expected semantics. thus, for return packets coming out of an ipsec
tunnel, we need to clear the pf state key pointer in the mbuf header
to prevent a state for encapsulated traffic to be linked to the
decapsulated traffic one.
problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
time to understand what the hell was going on. ok ryan

Revision 1.87 / (download) - annotate - [select for diffs], Sat Jun 14 23:18:20 2008 UTC (16 years ago) by todd
Branch: MAIN
Changes since 1.86: +2 -2 lines
Diff to previous 1.86 (colored)

make easier to read, found during a bug hunt earlier
ok bluhm@

Revision 1.86 / (download) - annotate - [select for diffs], Wed Jun 11 17:39:51 2008 UTC (16 years ago) by canacar
Branch: MAIN
Changes since 1.85: +3 -4 lines
Diff to previous 1.85 (colored)

fix an old typo that prevented outer ipv6 headers from being corrected,
also fix the correction amount.  This was only really visible on tcpdump,
as a "truncated-ip6 - 48 bytes missing" warning. The inner packet made
it into the stack just fine, minus a few sanity checks.
reported by and debugged together with and ok todd@

Revision 1.85 / (download) - annotate - [select for diffs], Fri Dec 14 18:33:41 2007 UTC (16 years, 6 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.84: +49 -13 lines
Diff to previous 1.84 (colored)

add sysctl entry points into various network layers, in particular to
provide netstat(1) with data it needs;  ok claudio reyk

Revision 1.84 / (download) - annotate - [select for diffs], Mon May 28 17:16:39 2007 UTC (17 years ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.83: +2 -2 lines
Diff to previous 1.83 (colored)

double pf performance.
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk

Revision 1.83 / (download) - annotate - [select for diffs], Thu Feb 8 15:25:30 2007 UTC (17 years, 4 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.82: +16 -7 lines
Diff to previous 1.82 (colored)

- AH: when computing crypto checksum for output, massage source-routing
  header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
  avoid tunnelling when source-routing header is present.

ok by deraadt, naddy, hshoexer

Revision 1.82 / (download) - annotate - [select for diffs], Fri Dec 15 09:32:30 2006 UTC (17 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.81: +4 -1 lines
Diff to previous 1.81 (colored)

make enc(4) count; ok markus@ henning@ deraadt@

Revision 1.81 / (download) - annotate - [select for diffs], Tue Dec 5 09:17:12 2006 UTC (17 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.80: +9 -1 lines
Diff to previous 1.80 (colored)

do not install pmtu routes for transport mode SAs, as they do not
the dest IP; PMTU debugging support; ok hshoexer

Revision 1.80 / (download) - annotate - [select for diffs], Fri Nov 24 13:52:14 2006 UTC (17 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.79: +13 -1 lines
Diff to previous 1.79 (colored)

add support to tag ipsec traffic belonging to specific IKE-initiated
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.

this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.

ok hshoexer@

Revision 1.79 / (download) - annotate - [select for diffs], Sat Mar 25 22:41:48 2006 UTC (18 years, 2 months ago) by djm
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.78: +3 -2 lines
Diff to previous 1.78 (colored)

allow bpf(4) to ignore packets based on their direction (inbound or
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@

Revision 1.78 / (download) - annotate - [select for diffs], Sat Mar 4 22:40:16 2006 UTC (18 years, 3 months ago) by brad
Branch: MAIN
Changes since 1.77: +4 -4 lines
Diff to previous 1.77 (colored)

With the exception of two other small uncommitted diffs this moves
the remainder of the network stack from splimp to splnet.

ok miod@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Jan 13 10:11:23 2006 UTC (18 years, 5 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.76: +55 -1 lines
Diff to previous 1.76 (colored)

Path MTU discovery for NAT-T.
OK markus@, "looks good" hshoexer@

Revision 1.76 / (download) - annotate - [select for diffs], Sun Jul 31 03:52:19 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE, OPENBSD_3_8
Changes since 1.75: +2 -15 lines
Diff to previous 1.75 (colored)

Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain
to bpf with either an address family or other header added.

These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths.  Also removes a fair bit of duplicated code.

commit now, tune after deraadt@

Revision 1.75 / (download) - annotate - [select for diffs], Thu Nov 25 21:54:54 2004 UTC (19 years, 6 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE, OPENBSD_3_7
Changes since 1.74: +2 -4 lines
Diff to previous 1.74 (colored)

resolve conflict between M_TUNNEL and M_ANYCAST6, remove M_COMP (it's
only set and never read), update documentation; ok fgsch, deraadt, millert

Revision 1.74 / (download) - annotate - [select for diffs], Mon Jun 21 23:50:37 2004 UTC (19 years, 11 months ago) by tholo
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE, OPENBSD_3_6
Changes since 1.73: +4 -8 lines
Diff to previous 1.73 (colored)

First step towards more sane time handling in the kernel -- this changes
things such that code that only needs a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

Revision 1.73 / (download) - annotate - [select for diffs], Mon Jun 21 20:44:54 2004 UTC (19 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.72: +3 -1 lines
Diff to previous 1.72 (colored)

make it possible to use IPsec over link-local address (policy table uses
sin6_scope_id, IPsec portion uses embedded form).  beck ok

Revision 1.19.2.9 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:25 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.19.2.8: +21 -44 lines
Diff to previous 1.19.2.8 (colored) to branchpoint 1.19 (colored) next main 1.20 (colored)

Merge with the trunk

Revision 1.72 / (download) - annotate - [select for diffs], Sun Apr 18 16:41:40 2004 UTC (20 years, 1 month ago) by markus
Branch: MAIN
CVS Tags: SMP_SYNC_B, SMP_SYNC_A
Changes since 1.71: +3 -5 lines
Diff to previous 1.71 (colored)

pass esp/ah/ipcomp to rawip if processing is disabled with sysctl;
allows userland ipsec; tested by sturm@; ok deraadt@, ho@, hshoexer@

Revision 1.19.2.8 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:24 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.19.2.7: +59 -17 lines
Diff to previous 1.19.2.7 (colored) to branchpoint 1.19 (colored)

Merge of current from two weeks ago into the SMP branch

Revision 1.71 / (download) - annotate - [select for diffs], Tue Feb 17 12:07:45 2004 UTC (20 years, 3 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.70: +20 -41 lines
Diff to previous 1.70 (colored)

switch to sysctl_int_arr(); ok henning, deraadt

Revision 1.70 / (download) - annotate - [select for diffs], Tue Dec 2 23:16:29 2003 UTC (20 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.69: +22 -10 lines
Diff to previous 1.69 (colored)

UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt)
ok deraadt@

Revision 1.69 / (download) - annotate - [select for diffs], Mon Jul 28 10:10:16 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.68: +4 -1 lines
Diff to previous 1.68 (colored)

allow gif(4) over ipsec: mark mbuf for transport mode SA,
so in_gif_input can detect whether a proto 4 header is due
to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023
ok itojun@. provos@ and angelos@ agree; tested by sturm@

Revision 1.68 / (download) - annotate - [select for diffs], Thu Jul 24 11:13:47 2003 UTC (20 years, 10 months ago) by markus
Branch: MAIN
Changes since 1.67: +1 -0 lines
Diff to previous 1.67 (colored)

update ip_len to reflect tunnel header removal (lost during ip_len
flip changes); ok itojun; noticed by jrrs@ice-nine.org

Revision 1.67 / (download) - annotate - [select for diffs], Wed Jul 9 22:03:16 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.66: +1 -3 lines
Diff to previous 1.66 (colored)

do not flip ip_len/ip_off in netinet stack.  deraadt ok.
(please test, especially PF portion)

Revision 1.66 / (download) - annotate - [select for diffs], Tue Jul 8 11:01:20 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.65: +31 -3 lines
Diff to previous 1.65 (colored)

make sure the packet contains a complete inner header
for ip{4,6}-in-ip{4,6} encapsulation; fixes panic
for truncated ip-in-ip over ipsec; ok angelos@

Revision 1.65 / (download) - annotate - [select for diffs], Fri Jul 4 16:40:55 2003 UTC (20 years, 11 months ago) by markus
Branch: MAIN
Changes since 1.64: +5 -5 lines
Diff to previous 1.64 (colored)

knf typo

Revision 1.54.2.4 / (download) - annotate - [select for diffs], Mon May 19 22:40:41 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.54.2.3: +6 -5 lines
Diff to previous 1.54.2.3 (colored) to branchpoint 1.54 (colored) next main 1.55 (colored)

sync

Revision 1.19.2.7 / (download) - annotate - [select for diffs], Tue May 13 19:36:17 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.19.2.6: +2 -1 lines
Diff to previous 1.19.2.6 (colored) to branchpoint 1.19 (colored)

Sync the SMP branch to -current. This includes moving to ELF.

Revision 1.64 / (download) - annotate - [select for diffs], Sat May 3 01:43:07 2003 UTC (21 years, 1 month ago) by itojun
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.63: +2 -1 lines
Diff to previous 1.63 (colored)

just as a safety measure, set m_flags to 0 for mbufs allocated on stack.
dhartmei ok

Revision 1.19.2.6 / (download) - annotate - [select for diffs], Fri Mar 28 00:06:54 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.19.2.5: +21 -28 lines
Diff to previous 1.19.2.5 (colored) to branchpoint 1.19 (colored)

Sync the SMP branch with 3.3

Revision 1.63 / (download) - annotate - [select for diffs], Thu Feb 20 18:35:43 2003 UTC (21 years, 3 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.62: +2 -3 lines
Diff to previous 1.62 (colored)

knf

Revision 1.62 / (download) - annotate - [select for diffs], Thu Feb 20 18:33:49 2003 UTC (21 years, 3 months ago) by jason
Branch: MAIN
Changes since 1.61: +4 -3 lines
Diff to previous 1.61 (colored)

If there's no tag to be reset, don't reset it (avoids a NULL deref in the IPCOMP case)

Revision 1.54.2.3 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:47 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.54.2.2: +16 -23 lines
Diff to previous 1.54.2.2 (colored) to branchpoint 1.54 (colored)

sync to -current

Revision 1.61 / (download) - annotate - [select for diffs], Fri Jun 28 19:07:03 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
CVS Tags: UBC_SYNC_B, OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.60: +2 -2 lines
Diff to previous 1.60 (colored)

Fix usage counter for IPCOMP --- sam@errno.com

Revision 1.60 / (download) - annotate - [select for diffs], Tue Jun 25 00:38:54 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.59: +2 -2 lines
Diff to previous 1.59 (colored)

Forgot variable.

Revision 1.59 / (download) - annotate - [select for diffs], Tue Jun 25 00:20:38 2002 UTC (21 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.58: +7 -11 lines
Diff to previous 1.58 (colored)

Handle correctly return values from xf_input methods --- since the
return value was ignored anyway, this wasn't a problem so far. From
sam@errno.com

Revision 1.58 / (download) - annotate - [select for diffs], Thu Jun 13 08:02:36 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.57: +1 -4 lines
Diff to previous 1.57 (colored)

Remove whitespace from the end of the file.

Revision 1.54.2.2 / (download) - annotate - [select for diffs], Tue Jun 11 03:31:37 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.54.2.1: +3 -3 lines
Diff to previous 1.54.2.1 (colored) to branchpoint 1.54 (colored)

Sync UBC branch to -current

Revision 1.57 / (download) - annotate - [select for diffs], Sun Jun 9 16:26:10 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.56: +8 -8 lines
Diff to previous 1.56 (colored)

whitespace

Revision 1.56 / (download) - annotate - [select for diffs], Sun Jun 9 00:58:33 2002 UTC (22 years ago) by angelos
Branch: MAIN
Changes since 1.55: +3 -3 lines
Diff to previous 1.55 (colored)

Set/clear M_AUTH_AH.

Revision 1.19.2.5 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:07 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.19.2.4: +15 -6 lines
Diff to previous 1.19.2.4 (colored) to branchpoint 1.19 (colored)

Merge in trunk

Revision 1.54.2.1 / (download) - annotate - [select for diffs], Thu Jan 31 22:55:45 2002 UTC (22 years, 4 months ago) by niklas
Branch: UBC
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

Merge in -current, builds on i386, otherwise untested

Revision 1.55 / (download) - annotate - [select for diffs], Wed Jan 23 21:34:53 2002 UTC (22 years, 4 months ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

disable pmtu for ipsec when the sysctl says so; bug report cjkim2000@yahoo.com

Revision 1.54 / (download) - annotate - [select for diffs], Thu Dec 6 22:52:10 2001 UTC (22 years, 6 months ago) by angelos
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.53: +14 -5 lines
Diff to previous 1.53 (colored)

Use hzto() to handle overflow of (hz * timeout) cases --- when using
extremely long SA expirations.

Revision 1.19.2.4 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:03 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.19.2.3: +178 -74 lines
Diff to previous 1.19.2.3 (colored) to branchpoint 1.19 (colored)

Sync the SMP branch to something just after 3.0

Revision 1.53 / (download) - annotate - [select for diffs], Thu Aug 9 15:44:32 2001 UTC (22 years, 10 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.52: +1 -51 lines
Diff to previous 1.52 (colored)

Don't check the source address on the packet vs. the one on the SA, as
this prevents use of ESP in mobility; pointed out on the IETF mailing
list by Francis Dupont.

Revision 1.52 / (download) - annotate - [select for diffs], Wed Aug 8 15:07:04 2001 UTC (22 years, 10 months ago) by jjbg
Branch: MAIN
Changes since 1.51: +1 -9 lines
Diff to previous 1.51 (colored)

Remove IPCOMP option, it's now part of IPSEC option. You still need to
enable ipcomp via sysctl to use it. deraadt@ ok.

Revision 1.51 / (download) - annotate - [select for diffs], Tue Aug 7 14:07:47 2001 UTC (22 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.50: +3 -3 lines
Diff to previous 1.50 (colored)

enable ah & esp by default, now that we trust the code more

Revision 1.50 / (download) - annotate - [select for diffs], Fri Jul 6 19:35:38 2001 UTC (22 years, 11 months ago) by jjbg
Branch: MAIN
Changes since 1.49: +3 -2 lines
Diff to previous 1.49 (colored)

Don't use enc0 interface for IPComp. angelos@ ok.

Revision 1.49 / (download) - annotate - [select for diffs], Thu Jul 5 16:45:55 2001 UTC (22 years, 11 months ago) by jjbg
Branch: MAIN
Changes since 1.48: +186 -25 lines
Diff to previous 1.48 (colored)

IPComp support. angelos@ ok.

Revision 1.19.2.3 / (download) - annotate - [select for diffs], Wed Jul 4 10:55:01 2001 UTC (22 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.19.2.2: +682 -565 lines
Diff to previous 1.19.2.2 (colored) to branchpoint 1.19 (colored)

Merge in -current from two days ago in the SMP branch.
As usual with merges, they do not indicate progress, so do not hold
your breath for working SMP, and do not mail me and ask about the
state of it.  It has not changed.  There is work ongoing, but very, very
slowly.  The commit is done in parts as to not lock up the tree in too
big chunks at a time.

Revision 1.48 / (download) - annotate - [select for diffs], Tue Jun 26 04:17:57 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.47: +598 -575 lines
Diff to previous 1.47 (colored)

KNF

Revision 1.47 / (download) - annotate - [select for diffs], Mon Jun 25 05:11:59 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.46: +3 -3 lines
Diff to previous 1.46 (colored)

Copyright.

Revision 1.46 / (download) - annotate - [select for diffs], Sun Jun 24 18:22:47 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.45: +89 -1 lines
Diff to previous 1.45 (colored)

path mtu discovery for ipsec.  on receiving a need fragment icmp match
against active tdb and store the ipsec header size corrected mtu

Revision 1.45 / (download) - annotate - [select for diffs], Sat Jun 23 16:15:56 2001 UTC (22 years, 11 months ago) by fgsch
Branch: MAIN
Changes since 1.44: +1 -2 lines
Diff to previous 1.44 (colored)

Remove unneeded ip_id conversions.
Instead of using HTONS macro in some places, use htons directly in the
struct member and save us a few bytes.
Fix comment.

Revision 1.44 / (download) - annotate - [select for diffs], Tue Jun 19 00:48:23 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.43: +2 -1 lines
Diff to previous 1.43 (colored)

mop up after angelos

Revision 1.43 / (download) - annotate - [select for diffs], Fri Jun 8 03:13:15 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.42: +1 -9 lines
Diff to previous 1.42 (colored)

Trim include files.

Revision 1.42 / (download) - annotate - [select for diffs], Tue Jun 5 11:10:12 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.41: +4 -2 lines
Diff to previous 1.41 (colored)

Add a few DPRINTF()'s

Revision 1.41 / (download) - annotate - [select for diffs], Tue May 29 01:19:37 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.40: +3 -1 lines
Diff to previous 1.40 (colored)

Record last use time for SAs.

Revision 1.40 / (download) - annotate - [select for diffs], Sun May 27 03:49:14 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.39: +25 -15 lines
Diff to previous 1.39 (colored)

If we are passed a packet tag, it's an IPSEC_IN_CRYPTO_DONE so convert
it to IPSEC_IN_DONE, rather than adding a new one.

Revision 1.39 / (download) - annotate - [select for diffs], Sun May 27 03:37:23 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)

Forgot to convert this tag.

Revision 1.38 / (download) - annotate - [select for diffs], Sun May 20 08:33:33 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.37: +12 -12 lines
Diff to previous 1.37 (colored)

Use packet tags to signal input IPsec processing to upper layer protocols.

Revision 1.19.2.2 / (download) - annotate - [select for diffs], Mon May 14 22:40:14 2001 UTC (23 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.19.2.1: +170 -197 lines
Diff to previous 1.19.2.1 (colored) to branchpoint 1.19 (colored)

merge in approximately 2.9 into SMP branch

Revision 1.37 / (download) - annotate - [select for diffs], Fri May 11 17:20:11 2001 UTC (23 years, 1 month ago) by aaron
Branch: MAIN
Changes since 1.36: +3 -3 lines
Diff to previous 1.36 (colored)

Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok

Revision 1.36 / (download) - annotate - [select for diffs], Fri Apr 6 04:42:08 2001 UTC (23 years, 2 months ago) by csapuntz
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE, OPENBSD_2_9
Changes since 1.35: +1 -5 lines
Diff to previous 1.35 (colored)

Move offsetof define into sys/param.h

Revision 1.35 / (download) - annotate - [select for diffs], Fri Mar 30 19:22:54 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.34: +11 -3 lines
Diff to previous 1.34 (colored)

Protect the IF_XXX macros in the callback routines with splimp(). Doh!

Thanks to erik@ipunplugged.com

Revision 1.34 / (download) - annotate - [select for diffs], Wed Mar 28 20:03:06 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.33: +8 -20 lines
Diff to previous 1.33 (colored)

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

Revision 1.33 / (download) - annotate - [select for diffs], Thu Mar 15 06:31:00 2001 UTC (23 years, 3 months ago) by mickey
Branch: MAIN
Changes since 1.32: +16 -13 lines
Diff to previous 1.32 (colored)

convert SA expirations to the new timeouts.
simplifies expirations handling a lot.
tdb_exp_timeout and tdb_soft_timeout are made
consistent throughout the code to be relative time offsets,
just like first_use timeouts.
tested on singlehost isakmpd setup.
lots of dangling spaces and tabs removed.
angelos@ ok

Revision 1.32 / (download) - annotate - [select for diffs], Tue Sep 19 03:20:59 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE, OPENBSD_2_8
Changes since 1.31: +28 -124 lines
Diff to previous 1.31 (colored)

Lots and lots of changes.

Revision 1.23.2.2 / (download) - annotate - [select for diffs], Mon Sep 18 17:02:51 2000 UTC (23 years, 8 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.23.2.1: +8 -1 lines
Diff to previous 1.23.2.1 (colored) to branchpoint 1.23 (colored) next main 1.24 (colored)

Pull in patch from current:
Errata:
Bad ESP/AH packets could cause a crash under certain conditions.
Fix (angelos):
Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and
mfranz@cisco.com for finding the problem).

Revision 1.31 / (download) - annotate - [select for diffs], Sun Sep 17 19:52:24 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.30: +8 -1 lines
Diff to previous 1.30 (colored)

Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and
mfranz@cisco.com for finding the problem).

Revision 1.23.2.1 / (download) - annotate - [select for diffs], Wed Jul 12 13:53:33 2000 UTC (23 years, 11 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.23: +2 -1 lines
Diff to previous 1.23 (colored)

Pull in patch from current:
Fix (millert):
Correctly handle ip_off; angelos@

Revision 1.30 / (download) - annotate - [select for diffs], Tue Jul 11 21:11:08 2000 UTC (23 years, 11 months ago) by millert
Branch: MAIN
Changes since 1.29: +2 -1 lines
Diff to previous 1.29 (colored)

Correctly handle ip_off; angelos@

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jun 20 04:54:58 2000 UTC (23 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.28: +21 -7 lines
Diff to previous 1.28 (colored)

do not play with rcvif, if the traffic is non-IPv4.
by setting rcvif to enc*, we break IPv6 scope considerations.

Revision 1.28 / (download) - annotate - [select for diffs], Mon Jun 19 17:11:32 2000 UTC (23 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.27: +29 -15 lines
Diff to previous 1.27 (colored)

correct header chasing code.  take care of AH length.

Revision 1.27 / (download) - annotate - [select for diffs], Sun Jun 18 19:10:50 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.26: +3 -3 lines
Diff to previous 1.26 (colored)

Arguments.

Revision 1.26 / (download) - annotate - [select for diffs], Sun Jun 18 19:05:50 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.25: +3 -3 lines
Diff to previous 1.25 (colored)

Use ip6_sprintf() rather than the home-cooked inet6_ntoa4()

Revision 1.25 / (download) - annotate - [select for diffs], Sun Jun 18 05:58:46 2000 UTC (23 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.24: +65 -24 lines
Diff to previous 1.24 (colored)

IPv6 AH/ESP support, inbound side only.  tested with KAME.

Revision 1.24 / (download) - annotate - [select for diffs], Sun Jun 18 00:24:11 2000 UTC (23 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.23: +1 -9 lines
Diff to previous 1.23 (colored)

Remove outdated comment.

Revision 1.23 / (download) - annotate - [select for diffs], Wed Mar 29 10:15:22 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE
Branch point for: OPENBSD_2_7
Changes since 1.22: +4 -3 lines
Diff to previous 1.22 (colored)

Be consistent about packet properties.

Revision 1.22 / (download) - annotate - [select for diffs], Wed Mar 29 09:37:02 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.21: +14 -6 lines
Diff to previous 1.21 (colored)

Fix problem with TCP/UDP and ACLs.

Revision 1.21 / (download) - annotate - [select for diffs], Wed Mar 29 08:50:38 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.20: +8 -12 lines
Diff to previous 1.20 (colored)

Minor cleanup.

Revision 1.19.2.1 / (download) - annotate - [select for diffs], Fri Mar 24 09:09:38 2000 UTC (24 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.19: +187 -132 lines
Diff to previous 1.19 (colored)

Sync with -current

Revision 1.20 / (download) - annotate - [select for diffs], Fri Mar 17 10:25:23 2000 UTC (24 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.19: +187 -132 lines
Diff to previous 1.19 (colored)

Cryptographic services framework, and software "device driver". The
idea is to support various cryptographic hardware accelerators (which
may be (detachable) cards, secondary/tertiary/etc processors,
software crypto, etc). Supports session migration between crypto
devices. What it doesn't (yet) support:
 - multiple instances of the same algorithm used in the same session
 - use of multiple crypto drivers in the same session
 - asymmetric crypto

No support for a userland device yet.

IPsec code path modified to allow for asynchronous cryptography
(callbacks used in both input and output processing). Some unrelated
code simplification done in the process (especially for AH).

Development of this code kindly supported by Network Security
Technologies (NSTI). The code was written mostly in Greece, and is
being committed from Montreal.

Revision 1.19 / (download) - annotate - [select for diffs], Mon Feb 7 06:09:09 2000 UTC (24 years, 4 months ago) by itojun
Branch: MAIN
CVS Tags: SMP_BASE
Branch point for: SMP
Changes since 1.18: +3 -3 lines
Diff to previous 1.18 (colored)

fix include file path related to ip6.

Revision 1.18 / (download) - annotate - [select for diffs], Thu Jan 27 08:09:12 2000 UTC (24 years, 4 months ago) by angelos
Branch: MAIN
Changes since 1.17: +7 -7 lines
Diff to previous 1.17 (colored)

Merge "old" and "new" ESP and AH in two files (one for each).
Fix a couple of buglets with ingress flow deletion.
tcpdump on enc0 should now show all outgoing packets *before* being
processed, and all incoming packets *after* being processed.

Good to be in Canada (land of the free commits).

Revision 1.17 / (download) - annotate - [select for diffs], Tue Jan 25 17:18:59 2000 UTC (24 years, 4 months ago) by espie
Branch: MAIN
Changes since 1.16: +4 -2 lines
Diff to previous 1.16 (colored)

Ok, so setsoftnet is md.

Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work...
and no include mentioned in those files pulls machine/cpu.h...

Nit-fix: / * INET6 */ -> /* INET6 */

Revision 1.16 / (download) - annotate - [select for diffs], Sat Jan 15 20:03:05 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.15: +1 -3 lines
Diff to previous 1.15 (colored)

Remove unnecessary definition.

Revision 1.15 / (download) - annotate - [select for diffs], Sat Jan 15 19:37:28 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.14: +4 -1 lines
Diff to previous 1.14 (colored)

Add function prototype.

Revision 1.14 / (download) - annotate - [select for diffs], Sat Jan 15 18:27:51 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

Change function type to non-static.

Revision 1.13 / (download) - annotate - [select for diffs], Mon Jan 10 04:16:52 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

1) Setup a silent TDB expiration for embryonic SAs.
2) Fix check_ipsec_policy() to deal with v6 PCBs.
3) Fix ACL protocol check.

Revision 1.12 / (download) - annotate - [select for diffs], Mon Jan 10 02:45:12 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.11: +12 -12 lines
Diff to previous 1.11 (colored)

Fix tdbi setup for TCP and UDP packets.

Revision 1.11 / (download) - annotate - [select for diffs], Mon Jan 10 01:23:27 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.10: +2 -2 lines
Diff to previous 1.10 (colored)

Typo.

Revision 1.10 / (download) - annotate - [select for diffs], Mon Jan 10 01:20:53 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.9: +26 -2 lines
Diff to previous 1.9 (colored)

Quick-drop packets (before real processing) if ingress filtering is on
and the SA ACL is empty.

Revision 1.9 / (download) - annotate - [select for diffs], Mon Jan 10 01:09:16 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Fix error message.

Revision 1.8 / (download) - annotate - [select for diffs], Sun Jan 9 23:42:37 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.7: +125 -35 lines
Diff to previous 1.7 (colored)

Add ingress ACL for IPsec: after being processed, IPsec packets are
matched against a list of acceptable packet classes, if
sysctl variable net.inet.ip.ipsec-acl is set to 1.

Revision 1.7 / (download) - annotate - [select for diffs], Sat Jan 8 01:59:25 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.6: +44 -19 lines
Diff to previous 1.6 (colored)

Fix serious crash-and-burn bug I introduced with last revision.

Revision 1.6 / (download) - annotate - [select for diffs], Mon Jan 3 12:58:13 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.5: +67 -22 lines
Diff to previous 1.5 (colored)

Chase down the IPv6 header chain to find the right place swap the Next
Payload value. Note to self: it would be nice if we had a version of
m_copydata() with memory (so it wouldn't need to start the search from
the beginning of the mbuf).

Revision 1.5 / (download) - annotate - [select for diffs], Sun Jan 2 11:12:03 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.4: +59 -50 lines
Diff to previous 1.4 (colored)

Move the requeueing logic from ipsec_input() to ah_input() and
esp_input(), since this is only needed for IPv4; IPv6 header
processing follows a different approach.

Revision 1.4 / (download) - annotate - [select for diffs], Sun Jan 2 10:56:32 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.3: +49 -53 lines
Diff to previous 1.3 (colored)

Change ipsec_input() to return error.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Dec 31 22:19:43 1999 UTC (24 years, 5 months ago) by itojun
Branch: MAIN
Changes since 1.2: +33 -23 lines
Diff to previous 1.2 (colored)

fix IPv6 ipsec template lossage.
- previous code grabbed new nexthdr mistakenly
- parameter passing must follow ip6protows
(actually the code will never get called until in6_proto.c is updated)

the current code assumes that {AH,ESP} is right next to IPv6 header.
the assumption must be removed, but it means that we need to chase
header chain...

Revision 1.2 / (download) - annotate - [select for diffs], Sat Dec 25 07:09:43 1999 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.1: +17 -9 lines
Diff to previous 1.1 (colored)

Change some function prototypes, don't unnecessarily initialize some
variables.

Revision 1.1 / (download) - annotate - [select for diffs], Thu Dec 9 10:15:23 1999 UTC (24 years, 6 months ago) by angelos
Branch: MAIN

So I was lying...unify ESP and AH wrapper-input processing. The new
file contains a common routine for massaging the packet, doing
peripheral checks, update statistics, etc. common for both AH/ESP,
both IPv4/IPv6. Also wrapper routines for AH/ESP-v4/v6, and the sysctl
routines from ip_ah.c/ip_esp.c
