path: root/sys/netinet/ip_ipsec.c
Commit message | Author | Age | Files | Lines
* Take the route mtu into account, if available, when sending an ICMP unreach, frag needed.
  Author: bz | Age: 2008-04-09 | Files: 1 | Lines: -2/+1

  Up to now we only looked at the interface MTU. Make sure to only use the minimum of the two. In case IPSEC is compiled in, loop the mtu through ip_ipsec_mtu() to avoid any further conditional maths. Without this, PMTU was broken in those cases when there was a route with a lower MTU than the MTU of the outgoing interface.

  PR: kern/122338
  Tested by: Mark Cammidge mark peralex.com
  Reviewed by: silence on net@
  MFC after: 2 weeks
* Correct IPsec behaviour with a 'use' level in SP but no SA available.
  Author: bz | Age: 2008-03-14 | Files: 1 | Lines: -0/+12

  In that case return and continue processing the packet without IPsec.

  PR: 121384
  MFC after: 5 days
  Reported by: Cyrus Rahman (crahman gmail.com)
  Tested by: Cyrus Rahman (crahman gmail.com) [slightly older version]
* Add FBSDID to all files in netinet so that people can more easily include file version information in bug reports.
  Author: silby | Age: 2007-10-07 | Files: 1 | Lines: -2/+3

  Approved by: re (kensmith)
* Rename option IPSEC_FILTERGIF to IPSEC_FILTERTUNNEL.
  Author: bz | Age: 2007-08-05 | Files: 1 | Lines: -3/+3

  Also rename the related functions in a similar way. There are no functional changes.

  For a packet coming in with IPsec tunnel mode, the default is to only call into the firewall with the "outer" IP header and payload. With this option turned on, in addition to the "outer" parts, the "inner" IP header and payload are passed to the firewall too when going through ip_input() the second time.

  The option was never only related to a gif(4) tunnel within an IPsec tunnel and thus the name was very misleading.

  Discussed at: BSDCan 2007
  Best new name suggested by: rwatson
  Reviewed by: rwatson
  Approved by: re (bmah)
* Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC.
  Author: gnn | Age: 2007-07-03 | Files: 1 | Lines: -10/+10

  Approved by: re
  Sponsored by: Secure Computing
* Commit IPv6 support for FAST_IPSEC to the tree.
  Author: gnn | Age: 2007-07-01 | Files: 1 | Lines: -194/+2

  This commit includes only the kernel files, the rest of the files will follow in a second commit.

  Reviewed by: bz
  Approved by: re
  Supported by: Secure Computing
* Move universally to ANSI C function declarations, with relatively consistent style(9)-ish layout.
  Author: rwatson | Age: 2007-05-10 | Files: 1 | Lines: -3/+2
* Remove unneeded mac.h include.
  Author: rwatson | Age: 2006-07-06 | Files: 1 | Lines: -1/+0

  MFC after: 3 days
* Make sure the ip data pointer is correct before touching it again after ipsec4_output processing else KAME IPSec using the handbook configuration with gif(4) will panic the kernel.
  Author: bz | Age: 2006-05-05 | Files: 1 | Lines: -0/+1

  Problem reported by: t. patterson <tp lot.org>
  Tested by: t. patterson <tp lot.org>
* Move the IPSEC related code blocks to their own file to unclutter and significantly improve the readability of ip_input() and ip_output() again.
  Author: andre | Age: 2006-02-01 | Files: 1 | Lines: -0/+579

  The resulting IPSEC hooks in ip_input() and ip_output() may be used later on for making IPSEC loadable.

  This move is mostly mechanical and should preserve current IPSEC behaviour as-is. Nothing shall prevent improvements in the way IPSEC interacts with the IPv4 stack.

  Discussed with: bz, gnn, rwatson; (earlier version)