diff options
author | ume <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
---|---|---|
committer | ume <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
commit | 373abd94036be0e5643f5134aa9fb8bb694d1624 (patch) | |
tree | fdad404b77778d90d4bdccd4cb96415d0821c8d5 /sys/netinet | |
parent | b5882bdf826f86fe99c8ba32265622dcc6139367 (diff) | |
download | FreeBSD-src-373abd94036be0e5643f5134aa9fb8bb694d1624.zip FreeBSD-src-373abd94036be0e5643f5134aa9fb8bb694d1624.tar.gz |
- cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contain
spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to
all SPD entries. make it possible for racoon to grab SPD entry on
pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed
to compare them.
- fixed that the incorrect time was set to
sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
XXX in theory refcnt should do the right thing, however, we have
"spdflush" which would touch all SPs. another solution would be to
de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy ->
ipsec_*_pcbpolicy.
- avoid variable name confusion.
(struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
"src" of the spidx specifies ICMP type, and the port field in "dst"
of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
kernel forwards the packets.
Tested by: nork
Obtained from: KAME
Diffstat (limited to 'sys/netinet')
-rw-r--r-- | sys/netinet/in_pcb.c | 18 | ||||
-rw-r--r-- | sys/netinet/ip_input.c | 2 | ||||
-rw-r--r-- | sys/netinet/ip_output.c | 13 | ||||
-rw-r--r-- | sys/netinet/tcp_output.c | 7 | ||||
-rw-r--r-- | sys/netinet/tcp_syncache.c | 6 |
5 files changed, 37 insertions, 9 deletions
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c index ec51ad4..e473f2f 100644 --- a/sys/netinet/in_pcb.c +++ b/sys/netinet/in_pcb.c @@ -79,7 +79,6 @@ #include <netipsec/ipsec.h> #include <netipsec/key.h> -#define IPSEC #endif /* FAST_IPSEC */ struct in_addr zeroin_addr; @@ -162,7 +161,7 @@ in_pcballoc(so, pcbinfo, td) struct thread *td; { register struct inpcb *inp; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) int error; #endif inp = uma_zalloc(pcbinfo->ipi_zone, M_NOWAIT | M_ZERO); @@ -171,8 +170,12 @@ in_pcballoc(so, pcbinfo, td) inp->inp_gencnt = ++pcbinfo->ipi_gencnt; inp->inp_pcbinfo = pcbinfo; inp->inp_socket = so; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) +#ifdef FAST_IPSEC error = ipsec_init_policy(so, &inp->inp_sp); +#else + error = ipsec_init_pcbpolicy(so, &inp->inp_sp); +#endif if (error != 0) { uma_zfree(pcbinfo->ipi_zone, inp); return error; @@ -473,6 +476,10 @@ in_pcbconnect(inp, nam, td) inp->inp_faddr.s_addr = faddr; inp->inp_fport = fport; in_pcbrehash(inp); +#ifdef IPSEC + if (inp->inp_socket->so_type == SOCK_STREAM) + ipsec_pcbconn(inp->inp_sp); +#endif if (anonport) inp->inp_flags |= INP_ANONPORT; return (0); @@ -655,6 +662,9 @@ in_pcbdisconnect(inp) in_pcbrehash(inp); if (inp->inp_socket->so_state & SS_NOFDREF) in_pcbdetach(inp); +#ifdef IPSEC + ipsec_pcbdisconn(inp->inp_sp); +#endif } void @@ -664,7 +674,7 @@ in_pcbdetach(inp) struct socket *so = inp->inp_socket; struct inpcbinfo *ipi = inp->inp_pcbinfo; -#ifdef IPSEC +#if defined(IPSEC) || defined(FAST_IPSEC) ipsec4_delete_pcbpolicy(inp); #endif /*IPSEC*/ inp->inp_gencnt = ++ipi->ipi_gencnt; diff --git a/sys/netinet/ip_input.c b/sys/netinet/ip_input.c index 2518154..09f3f41 100644 --- a/sys/netinet/ip_input.c +++ b/sys/netinet/ip_input.c @@ -492,7 +492,7 @@ tooshort: /* * Bypass packet filtering for packets from a tunnel (gif). */ - if (ipsec_gethist(m, NULL)) + if (ipsec_getnhist(m)) goto pass; #endif #if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF) diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c index aedab7f..0831784 100644 --- a/sys/netinet/ip_output.c +++ b/sys/netinet/ip_output.c @@ -144,6 +144,7 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, struct in_addr pkt_dst; #ifdef IPSEC struct route iproute; + struct socket *so; struct secpolicy *sp = NULL; #endif #ifdef FAST_IPSEC @@ -195,6 +196,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, } m = m0; +#ifdef IPSEC + so = ipsec_getsocket(m); + (void)ipsec_setsocket(m, NULL); +#endif /*IPSEC*/ + M_ASSERTPKTHDR(m); #ifndef FAST_IPSEC KASSERT(ro != NULL, ("ip_output: no route, proto %d", @@ -488,10 +494,11 @@ ip_output(struct mbuf *m0, struct mbuf *opt, struct route *ro, sendit: #ifdef IPSEC /* get SP for this packet */ - if (inp == NULL) - sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, flags, &error); + if (so == NULL) + sp = ipsec4_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND, + flags, &error); else - sp = ipsec4_getpolicybypcb(m, IPSEC_DIR_OUTBOUND, inp, &error); + sp = ipsec4_getpolicybysock(m, IPSEC_DIR_OUTBOUND, so, &error); if (sp == NULL) { ipsecstat.out_inval++; diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c index 1267aaf..b7ddc23 100644 --- a/sys/netinet/tcp_output.c +++ b/sys/netinet/tcp_output.c @@ -880,6 +880,13 @@ send: : NULL); /* TODO: IPv6 IP6TOS_ECT bit on */ +#ifdef IPSEC + if (ipsec_setsocket(m, so) != 0) { + m_freem(m); + error = ENOBUFS; + goto out; + } +#endif /*IPSEC*/ error = ip6_output(m, tp->t_inpcb->in6p_outputopts, &tp->t_inpcb->in6p_route, diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c index 902e711..c83e9b2 100644 --- a/sys/netinet/tcp_syncache.c +++ b/sys/netinet/tcp_syncache.c @@ -96,7 +96,6 @@ #include <netipsec/ipsec6.h> #endif #include <netipsec/key.h> -#define IPSEC #endif /*FAST_IPSEC*/ #include <machine/in_cksum.h> @@ -621,6 +620,11 @@ syncache_socket(sc, lso, m) } #ifdef IPSEC /* copy old policy into new socket's */ + if (ipsec_copy_pcbpolicy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) + printf("syncache_expand: could not copy policy\n"); +#endif +#ifdef FAST_IPSEC + /* copy old policy into new socket's */ if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)) printf("syncache_expand: could not copy policy\n"); #endif |