path: root/sys/netinet6
Commit log, newest first. Each entry gives [author, date, files changed, lines removed/added] followed by the commit message.
* [ume, 2004-02-24, 1 file, -1/+3] in icmp6_mtudisc_update(), use ND link mtu to detect if the path MTU should be updated.
  Helped by: andre
* [cperciva, 2004-02-24, 1 file, -1/+2] Fix array overflow: If len=128, don't access [16] of a 16-byte IPv6 address, even if we subsequently ignore its value by applying a >>8 to it.
  Reported by: "Ted Unangst" <tedu@coverity.com>
  Approved by: rwatson (mentor), {ume, suz} (KAME)
* [ume, 2004-02-19, 1 file, -3/+21]
  - call ip6_output() instead of nd6_output() when ipsec tunnel mode is applied, since tunneled packets are considered to be generated packets from a tunnel encapsulating node.
  - tunnel mode may not be applied if SA mode is ANY and policy does not say "tunnel it". check if we have extra IPv6 header on the packet after ipsec6_output_tunnel() and call ip6_output() only if additional IPv6 header is added.
  - free the copied packet before returning.
  Obtained from: KAME
* [ume, 2004-02-17, 3 files, -57/+20] IPSEC and FAST_IPSEC have the same internal API now; so merge these (IPSEC has an extra ipsecstat)
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
* [ume, 2004-02-16, 1 file, -18/+18] correct function name in comment.
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
* [ume, 2004-02-16, 3 files, -53/+0] nuke unused functions.
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
* [ume, 2004-02-16, 1 file, -8/+0] we don't need to include ipsec.h.
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
* [ume, 2004-02-13, 1 file, -38/+42]
  - wrap mappedaddr block by #ifdef INET for IPv6-only kernel in future.
  - rejects IPv6 packet toward IPv4-mapped address if its source address is not an IPv4-mapped IPv6 address, since the converted IPv4 packets would have an unexpected IPv4 source address.
  - when V6ONLY socket option is set, discard packets destined to a v4/ipv4 mapped ipv6 address.
  - have PULLDOWN_TEST codepath.
  - get rid of in6_mcmatch().
  Obtained from: KAME
* [ume, 2004-02-13, 5 files, -6/+68] supported IPV6_RECVPATHMTU socket option.
  Obtained from: KAME
* [bms, 2004-02-11, 1 file, -0/+2] Initial import of RFC 2385 (TCP-MD5) digest support.

  This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC.

  For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence.

  Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret. The PF_KEY interface is used to manage the secrets using security associations in the SADB.

  There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity.

  Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem.

  This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment.

  Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request.

  Sponsored by: sentex.net
* [ume, 2004-02-09, 1 file, -2/+1] fix build with FAST_IPSEC.
  Reported by: cjc
* [ume, 2004-02-08, 1 file, -3/+30]
  - obey ip6po_minmtu.
  - notify a proper path MTU to applications.
  Obtained from: KAME
* [ume, 2004-02-04, 1 file, -8/+7] KNF
  Obtained from: KAME
* [ume, 2004-02-03, 9 files, -133/+76] pass pcb rather than so. it is expected that per socket policy works again.
* [ume, 2004-01-28, 1 file, -0/+2] protect access to ifnet structure with mutex.
* [ume, 2004-01-13, 1 file, -0/+7] call ipsec_pcbconn()/ipsec_pcbdisconn() from in6_pcbconnect().
  Obtained from: KAME
* [ume, 2004-01-13, 1 file, -7/+7] correct spelling
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
  Reviewed by: itojun
* [ume, 2004-01-13, 1 file, -1/+4] fix potential 'cannot-happen' memory leak
  Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
  Reviewed by: itojun
* [ume, 2004-01-10, 1 file, -2/+5] try rtinit() only when the route is not installed. this allows, e.g., duplicated attempts of 'ifconfig lo0 ::1' like for IPv4.
  Obtained from: KAME
  MFC after: 1 week
* [truckman, 2004-01-10, 1 file, -7/+9] Don't execute the code in in6_ifdetach() that removes the link-local allnodes multicast route if the routing table has not been initialized. This avoids a panic during boot if an interface detaches before the routing table is initialized.
  Submitted by: sam
* [ume, 2004-01-10, 1 file, -2/+2] in set{peer, sock}addr, do not convert the unspecified address (::) to the mapped address form.
  PR: kern/22868
  Obtained from: KAME
  MFC after: 3 days
* [dwmalone, 2003-12-25, 1 file, -0/+2] When calculating the sequence number to use in an ip6fw reset, remember to add one if the SYN flag was set in the original packet. This seems to make ip6fw reset work correctly for new and in-progress connections. Update the man page to reflect the fact it now seems to work.
  Glanced at by: ume
  MFC after: 2 weeks
* [ume, 2003-12-23, 1 file, -2/+2] Catch a few places where NULL (pointer) was used where 0 (integer) was expected (fix build).
* [peter, 2003-12-23, 3 files, -5/+5] Catch a few places where NULL (pointer) was used where 0 (integer) was expected.
* [suz, 2003-12-22, 1 file, -1/+1] fixed a bug where the IPv6 routing header does not work properly if specified from a userland application
  Reviewed by: ume
* [suz, 2003-12-17, 1 file, -1/+1] fixed an IPv6 path MTU discovery failure owing to a lack of initialization
  Reviewed by: ume
  Approved by: re (scottl)
  MFC after: 1 day
* [ume, 2003-12-10, 1 file, -27/+38] validate the argument for multicast routing socket options correctly.
  Obtained from: KAME
  MFC after: 3 days
* [ume, 2003-12-08, 1 file, -17/+23]
  - changed the logic in nd6_is_addr_neighbor(); check on-link prefixes (not interface addresses) to see if a given address is on-link.
  - skip offlink prefixes in neighbor determination in nd6_is_addr_neighbor.
  - in nd6_is_addr_neighbor, regarded every address as on-link when the default router list is empty. otherwise, we'd not be able to make a neighbor cache for the address. this algorithm is applied to hosts only.
  - in nd6_is_addr_neighbor, check if the default interface is equal to the interface in question in addition to checking if the default router list is empty.
  Obtained from: KAME
* [sam, 2003-11-26, 2 files, -2/+2] Split the "inp" mutex class into separate classes for each of divert, raw, tcp, udp, raw6, and udp6 sockets to avoid spurious witness complaints.
  Reviewed by: rwatson
  Approved by: re (rwatson)
* [ume, 2003-11-24, 1 file, -0/+3] pktopt may be null.
  Approved by: re (rwatson)
* [andre, 2003-11-20, 1 file, -6/+3] Introduce tcp_hostcache and remove the tcp specific metrics from the routing table. Move all usage and references in the tcp stack from the routing table metrics to the tcp hostcache.

  It caches measured parameters of past tcp sessions to provide better initial start values for following connections from or to the same source or destination. Depending on the network parameters to/from the remote host this can lead to significant speedups for new tcp connections after the first one because they inherit and shortcut the learning curve.

  tcp_hostcache is designed for multiple concurrent access in SMP environments with high contention and is hash indexed by remote ip address.

  It removes significant locking requirements from the tcp stack with regard to the routing table.

  Reviewed by: sam (mentor), bms
  Reviewed by: -net, -current, core@kame.net (IPv6 parts)
  Approved by: re (scottl)
* [andre, 2003-11-20, 6 files, -81/+79] Introduce tcp_hostcache and remove the tcp specific metrics from the routing table. Move all usage and references in the tcp stack from the routing table metrics to the tcp hostcache.

  It caches measured parameters of past tcp sessions to provide better initial start values for following connections from or to the same source or destination. Depending on the network parameters to/from the remote host this can lead to significant speedups for new tcp connections after the first one because they inherit and shortcut the learning curve.

  tcp_hostcache is designed for multiple concurrent access in SMP environments with high contention and is hash indexed by remote ip address.

  It removes significant locking requirements from the tcp stack with regard to the routing table.

  Reviewed by: sam (mentor), bms
  Reviewed by: -net, -current, core@kame.net (IPv6 parts)
  Approved by: re (scottl)
* [andre, 2003-11-20, 4 files, -19/+7] Remove RTF_PRCLONING from routing table and adjust users of it accordingly. The define is left intact for ABI compatibility with userland.

  This is a pre-step for the introduction of tcp_hostcache. The network stack remains fully useable with this change.

  Reviewed by: sam (mentor), bms
  Reviewed by: -net, -current, core@kame.net (IPv6 parts)
  Approved by: re (scottl)
* [rwatson, 2003-11-18, 2 files, -2/+2] Introduce a MAC label reference in 'struct inpcb', which caches the MAC label referenced from 'struct socket' in the IPv4 and IPv6-based protocols. This permits MAC labels to be checked during network delivery operations without dereferencing inp->inp_socket to get to so->so_label, which will eventually avoid our having to grab the socket lock during delivery at the network layer.

  This change introduces 'struct inpcb' as a labeled object to the MAC Framework, along with the normal circus of entry points: initialization, creation from socket, destruction, as well as a delivery access control check.

  For most policies, the inpcb label will simply be a cache of the socket label, so a new protocol switch method is introduced, pr_sosetlabel() to notify protocols that the socket layer label has been updated so that the cache can be updated while holding appropriate locks. Most protocols implement this using pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use the worker function in_pcbsosetlabel(), which calls into the MAC Framework to perform a cache update.

  Biba, LOMAC, and MLS implement these entry points, as do the stub policy, and test policy.

  Reviewed by: sam, bms
  Obtained from: TrustedBSD Project
  Sponsored by: DARPA, Network Associates Laboratories
* [ume, 2003-11-17, 1 file, -1/+1] correct to look right interface.
* [ume, 2003-11-15, 4 files, -20/+14]
  - m_cat() may free the mbuf on 2nd arg, so m_pkthdr manipulation has to happen before the call to m_cat().
  - correct signedness mixups.
  - remove variable that is only assigned too but not referenced.
  Obtained from: KAME
* [ume, 2003-11-15, 1 file, -1/+0] oops, correct wrong change in previous commit.
* [ume, 2003-11-15, 1 file, -1/+2] increase AH_MAXSUMSIZE for hmac-sha2-512
  Obtained from: KAME
* [ume, 2003-11-15, 1 file, -1/+1] preparation for 64bit sequence number.
  Obtained from: KAME
* [ume, 2003-11-15, 1 file, -1/+1] fixed a bug comparing sav->key_auth and SADB_AALG_NONE.
  Obtained from: KAME
* [ume, 2003-11-12, 1 file, -3/+17] reflect ip6_pktopts and ip6_moptions into embedded scope of destination address. it makes `ping6 -I <if> <link-local>' work again. since we don't merge scope cleanup yet, we need this for workaround.
* [ume, 2003-11-11, 1 file, -32/+12] cleanup rijndael API. since there are naming conflicts with opencrypto, #define was added to rename functions intended to avoid conflicts.
  Obtained from: KAME
* [ume, 2003-11-10, 3 files, -9/+1] enable aes-xcbc-mac and aes-ctr, again.
* [sam, 2003-11-08, 4 files, -7/+7] replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF macros that expand to include assertions when the system is built with INVARIANTS
  Supported by: FreeBSD Foundation
* [sam, 2003-11-08, 1 file, -1/+2]
  o add a flags parameter to netisr_register that is used to specify whether or not the isr needs to hold Giant when running; Giant-less operation is also controlled by the setting of debug_mpsafenet
  o mark all netisr's except NETISR_IP as needing Giant
  o add a GIANT_REQUIRED assertion to the top of netisr's that need Giant
  o pickup Giant (when debug_mpsafenet is 1) inside ip_input before calling up with a packet
  o change netisr handling so swi_net runs w/o Giant; instead we grab Giant before invoking handlers based on whether the handler needs Giant
  o change netisr handling so that netisr's that are marked MPSAFE may have multiple instances active at a time
  o add netisr statistics for packets dropped because the isr is inactive
  Supported by: FreeBSD Foundation
* [ume, 2003-11-07, 2 files, -10/+0] nuke obsoleted ipsec_gethist(). it just did panic to notify user that it was obsoleted. it is better to fail than just hiding use of ipsec_gethist() at build.
  Suggested by: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
* [ume, 2003-11-06, 1 file, -4/+4] correct behavior when ipv6mr_interface is 0. Matthias Drochner
  Notified by: itojun
  Obtained from: NetBSD
* [ume, 2003-11-05, 2 files, -283/+0] byebye in6_ifawithscope(). it was a function for old source address selection.
  Obtained from: KAME
* [ume, 2003-11-05, 1 file, -29/+8] make sure to treat destination address as KAME internal form of embedscope.
* [ume, 2003-11-04, 5 files, -110/+569] source address selection part of RFC3484.
  TODO: since there is scope issue to be solved, multicast and link-local address are treated as special for workaround for now.
  Obtained from: KAME