summaryrefslogtreecommitdiffstats
path: root/sys/netipsec/ipsec_input.c
Commit message (Collapse)AuthorAgeFilesLines
* Rather than using hidden includes (with cicular dependencies),bz2008-12-021-0/+1
| | | | | | | | | | | directly include only the header files needed. This reduces the unneeded spamming of various headers into lots of files. For now, this leaves us with very few modules including vnet.h and thus needing to depend on opt_route.h. Reviewed by: brooks, gnn, des, zec, imp Sponsored by: The FreeBSD Foundation
* Step 1.5 of importing the network stack virtualization infrastructurezec2008-10-021-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
* Commit step 1 of the vimage project, (network stack)bz2008-08-171-57/+58
| | | | | | | | | | | | | | | | | | | | | | | | virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
* Increase statistic counters for enc0 interface when enabledvanhu2008-08-121-0/+11
| | | | | | | and processing IPSec traffic. Approved by: gnn (mentor) MFC after: 1 week
* In addition to the ipsec_osdep.h removal a week ago, now also eliminatebz2008-05-241-2/+0
| | | | IPSEC_SPLASSERT_SOFTNET which has been 'unused' since FreeBSD 5.0.
* Add sysctls to if_enc(4) to control whether the firewalls orbz2007-11-281-2/+21
| | | | | | | | | | | | | | | | | | | bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selcting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well. [ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ] Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
* Fix for an infinite loop in processing ESP, IPv6 packets.gnn2007-09-121-4/+17
| | | | | | | | The control input routine passes a NULL as its void argument when it has reached the innermost header, which terminates the loop. Reported by: Pawel Worach <pawel.worach@gmail.com> Approved by: re
* Replace hard coded options by their defined PFIL_{IN,OUT} names.bz2007-07-191-1/+2
| | | | Approved by: re (hrs)
* Looking at {ah,esp}_input_cb it seems we might be able to end upbz2007-06-151-1/+1
| | | | | | | | | without an mtag in ipsec4_common_input_cb. So in case of !IPCOMP (AH,ESP) only change the m_tag_id if an mtag was passed to ipsec4_common_input_cb. Found with: Coverity Prevent(tm) CID: 2523
* s,#,*, in a multi-line comment. This is C.bz2007-06-151-1/+1
| | | | No functional change.
* Though we are only called for the three security protocols we canbz2007-06-151-0/+4
| | | | | | | | handle, document those sprotos using an IPSEC_ASSERT so that it will be clear that 'spi' will always be initialized when used the first time. Found with: Coverity Prevent(tm) CID: 2533
* s,#if INET6,#ifdef INET6,bz2006-12-141-1/+1
| | | | | | This unbreaks the build for FAST_IPSEC && !INET6 and was wrong anyway. Reported by: Dmitry Pryanishnikov <dmitry atlantis.dp.ua>
* MFp4: 92972, 98913 + one more changebz2006-12-121-2/+10
| | | | | | | In ip6_sprintf no longer use and return one of eight static buffers for printing/logging ipv6 addresses. The caller now has to hand in a sufficiently large buffer as first argument.
* Add a pseudo interface for packet filtering IPSec connections before or afterthompsa2006-06-261-0/+13
| | | | | | | | | | | encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
* Change '#if INET' and '#if INET6' to '#ifdef INET' and '#ifdef INET6'.pjd2006-06-041-1/+1
| | | | This unbreaks compiling a kernel with FAST_IPSEC and no INET6.
* Extend the notdef #ifdef to cover the packet copy as there is no point in ↵gnn2006-06-041-8/+4
| | | | | | | doing that if we're not doing the rest of the work. Submitted by: thompsa MFC after: 1 week
* /* -> /*- for license, minor formatting changesimp2005-01-071-1/+1
|
* Apply error and success logic consistently to the function netisr_queue() andandre2004-08-271-2/+2
| | | | | | | | | | | | | | | | | | its users. netisr_queue() now returns (0) on success and ERRNO on failure. At the moment ENXIO (netisr queue not functional) and ENOBUFS (netisr queue full) are supported. Previously it would return (1) on success but the return value of IF_HANDOFF() was interpreted wrongly and (0) was actually returned on success. Due to this schednetisr() was never called to kick the scheduling of the isr. However this was masked by other normal packets coming through netisr_dispatch() causing the dequeueing of waiting packets. PR: kern/70988 Found by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp> MFC after: 3 days
* MFp4: portability work, general cleanup, locking fixessam2003-09-291-135/+146
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPSEC_SPLASSERT/ for portability o remove function names from ASSERT strings since line#+file pinpints the location o use __func__ uniformly to reduce string storage o convert some random #ifdef DIAGNOSTIC code to assertions o remove some debuggging assertions no longer needed change 38498 o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system change 38502 + 38530 o change explicit mtx operations to #defines to simplify future changes to a different lock type change 38531 o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least o correct potential null pointer deref in ipsec4_common_input_cb chnage 38685 o fix locking for bundled SA's and for when key exchange is required change 38770 o eliminate recursion on the SAHTREE lock change 38804 o cleanup some types: long -> time_t o remove refrence to dead #define change 38805 o correct some types: long -> time_t o add scan generation # to secpolicy to deal with locking issues change 38806 o use LIST_FOREACH_SAFE instead of handrolled code o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation o misc cleanups of tangled and twisty code There is still much to do here but for now things look to be working again. Supported by: FreeBSD Foundation
* Locking and misc cleanups; most of which I've been running for >4 months:sam2003-09-011-6/+1
| | | | | | | | | | o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_ACQUIRE code o remove dead code Sponsored by: FreeBSD Foundation
* make sure the packets contains a complete inner headersam2003-08-131-0/+28
| | | | | | | | for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec Submitted by: Markus Friedl <markus@openbsd.org> Obtained from: OpenBSD (rev 1.66 ipsec_input.c)
* add missing copyright noticessam2003-03-281-1/+36
| | | | Noticed by: Robert Watson
* Update netisr handling; Each SWI now registers its queue, and all queuejlemon2003-03-041-2/+1
| | | | | | | | | | drain routines are done by swi_net, which allows for better queue control at some future point. Packets may also be directly dispatched to a netisr instead of queued, this may be of interest at some installations, but currently defaults to off. Reviewed by: hsu, silby, jayanth, sam Sponsored by: DARPA, NAI Labs
* FAST_IPSEC fixups:sam2002-11-081-0/+18
| | | | | | | | | | | o fix #ifdef typo o must use "bounce functions" when dispatched from the protosw table don't know how this stuff was missed in my testing; must've committed the wrong bits Pointy hat: sam Submitted by: "Doug Ambrisko" <ambrisko@verniernetworks.com>
* "Fast IPsec": this is an experimental IPsec implementation that is derivedsam2002-10-161-0/+728
from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment). Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system. This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system. Obtained from: KAME + openbsd Supported by: Vernier Networks
OpenPOWER on IntegriCloud