diff options
| author | ume <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
|---|---|---|
| committer | ume <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
| commit | 373abd94036be0e5643f5134aa9fb8bb694d1624 (patch) | |
| tree | fdad404b77778d90d4bdccd4cb96415d0821c8d5 /sys/netinet6/udp6_usrreq.c | |
| parent | b5882bdf826f86fe99c8ba32265622dcc6139367 (diff) | |
| download | FreeBSD-src-373abd94036be0e5643f5134aa9fb8bb694d1624.zip FreeBSD-src-373abd94036be0e5643f5134aa9fb8bb694d1624.tar.gz | |
- cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contain
spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to
all SPD entries. make it possible for racoon to grab SPD entry on
pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed
to compare them.
- fixed that the incorrect time was set to
sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
XXX in theory refcnt should do the right thing, however, we have
"spdflush" which would touch all SPs. another solution would be to
de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy ->
ipsec_*_pcbpolicy.
- avoid variable name confusion.
(struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
"src" of the spidx specifies ICMP type, and the port field in "dst"
of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
kernel forwards the packets.
Tested by: nork
Obtained from: KAME
Diffstat (limited to 'sys/netinet6/udp6_usrreq.c')
| -rw-r--r-- | sys/netinet6/udp6_usrreq.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c index 93d7b1d..eb6bbac 100644 --- a/sys/netinet6/udp6_usrreq.c +++ b/sys/netinet6/udp6_usrreq.c @@ -261,7 +261,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject(m, last)) + if (ipsec6_in_reject_so(m, last->inp_socket)) ipsec6stat.in_polvio++; /* do not inject data into pcb */ else @@ -327,7 +327,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject(m, last)) { + if (ipsec6_in_reject_so(m, last->inp_socket)) { ipsec6stat.in_polvio++; goto bad; } @@ -383,7 +383,7 @@ udp6_input(mp, offp, proto) /* * Check AH/ESP integrity. */ - if (ipsec6_in_reject(m, in6p)) { + if (ipsec6_in_reject_so(m, in6p->inp_socket)) { ipsec6stat.in_polvio++; goto bad; } |
