path: root/sys/net/if_enc.c
Commit message | Author | Age | Files | Lines
* Increase statistic counters for enc0 interface when enabled | vanhu | 2008-08-12 | 1 | -1/+1
  and processing IPSec traffic.
  Approved by: gnn (mentor)
  MFC after: 1 week
* Remove redundant inclusions of net/bpfdesc.h. | jkim | 2008-03-24 | 1 | -1/+0
* Fix a panic where if the mbuf was consumed by the filter for requeueing | thompsa | 2007-12-26 | 1 | -0/+7
  (dummynet), ipsec_filter() would return the empty error code and the ipsec
  code would continue to forward/dereference the null mbuf.
  Found by: m0n0wall
  Reviewed by: bz
  MFC after: 3 days
* Add sysctls to if_enc(4) to control whether the firewalls or | bz | 2007-11-28 | 1 | -11/+74
  bpf will see inner and outer headers or just inner or outer headers
  for incoming and outgoing IPsec packets.
  This is useful in bpf to not have over long lines for debugging or
  selecting packets based on the inner headers.
  It also properly defines the behavior of what the firewalls see.
  Last but not least it gives you if_enc(4) for IPv6 as well.
  [ As some auxiliary state was not available in the later input path
  we save it in the tdbi. That way tcpdump can give a consistent view
  of either of (authentic,confidential) for both before and after states. ]
  Discussed with: thompsa (2007-04-25, basic idea of unifying paths)
  Reviewed by: thompsa, gnn
* Various bpf(4) related fixes to catch places up to the new bpf(4) | jhb | 2006-12-29 | 1 | -1/+1
  semantics.
  - Stop testing bpf pointers for NULL. In some cases use bpf_peers_present()
    and then call the function directly inside the conditional block instead
    of the macro.
  - For places where the entire conditional block is the macro, remove the
    test and make the macro unconditional.
  - Use BPF_MTAP() in if_pfsync on FreeBSD instead of an expanded version of
    the old semantics.
  Reviewed by: csjp (older version)
* Catch up with the revised network interface cloning which takes an optional | thompsa | 2006-07-10 | 1 | -2/+2
  opaque parameter that can specify configuration parameters.
* Fix a braino in the last revision, enc_clone_destroy needs to return void instead | thompsa | 2006-07-04 | 1 | -12/+3
  of int. The clone system will ensure that our first interface is not
  destroyed so we don't need the extra checking anyway.
  Tested by: Scott Ullrich
* A small race existed where the lock was dropped between when encif was | thompsa | 2006-06-28 | 1 | -24/+20
  tested and then set. [1]
  Reorganise things to eliminate this, we now ensure that enc0 can not be
  destroyed which has the benefit of no longer needing to lock in
  ipsec_filter and ipsec_bpf. The cloner will create one interface during the
  init so we can guarantee that encif will be valid before any SPD entries are
  added to ipsec.
  Spotted by: glebius [1]
* Simplify ipsec_bpf by using bpf_mtap2(). | thompsa | 2006-06-27 | 1 | -9/+2
* Add a pseudo interface for packet filtering IPSec connections before or after | thompsa | 2006-06-26 | 1 | -0/+323
  encryption. There are two functions, a bpf tap which has a basic header with
  the SPI number which our current tcpdump knows how to display, and handoff to
  pfil(9) for packet filtering.
  Obtained from: OpenBSD
  Based on: kern/94829
  No objections: arch, net
  MFC after: 1 month