summaryrefslogtreecommitdiffstats
path: root/sys/netipsec/key.c
Commit message (Collapse)AuthorAgeFilesLines
* MFC r316490:ae2017-04-111-2/+4
| | | | | | | | | | | | | | | | When we are doing SA lookup for TCP-MD5, check both source and destination addresses. Previous code has used only destination address for lookup. But for inbound packets the source address was used as SA destination address. Thus only outbound SA were used for both directions. Now we use addresses from a packet as is, thus SAs for both directions are needed. Reported by: Mike Tancsa MFC r316507,316508: In the example section show that TCP-MD5 connection needs SA for both directions. Use unique SPI.
* MFC r316133:ae2017-04-011-2/+2
| | | | | | | Fix bug in r308972 that leads to panic when non-compressed IPComp packet is received. Reported by: Denis Ahrens <denis h3q com>
* MFC r304572 (by bz):ae2017-03-181-2809/+3293
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove the kernel optoion for IPSEC_FILTERTUNNEL, which was deprecated more than 7 years ago in favour of a sysctl in r192648. MFC r305122: Remove redundant sanity checks from ipsec[46]_common_input_cb(). This check already has been done in the each protocol callback. MFC r309144,309174,309201 (by fabient): IPsec RFC6479 support for replay window sizes up to 2^32 - 32 packets. Since the previous algorithm, based on bit shifting, does not scale with large replay windows, the algorithm used here is based on RFC 6479: IPsec Anti-Replay Algorithm without Bit Shifting. The replay window will be fast to be updated, but will cost as many bits in RAM as its size. The previous implementation did not provide a lock on the replay window, which may lead to replay issues. Obtained from: emeric.poupon@stormshield.eu Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D8468 MFC r309143,309146 (by fabient): In a dual processor system (2*6 cores) during IPSec throughput tests, we see a lot of contention on the arc4 lock, used to generate the IV of the ESP output packets. The idea of this patch is to split this mutex in order to reduce the contention on this lock. Update r309143 to prevent false sharing. Reviewed by: delphij, markm, ache Approved by: so Obtained from: emeric.poupon@stormshield.eu Sponsored by: Stormshield Differential Revision: https://reviews.freebsd.org/D8130 MFC r313330: Merge projects/ipsec into head/. Small summary ------------- o Almost all IPsec releated code was moved into sys/netipsec. o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules. o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA. o New network pseudo interface if_ipsec(4) added. For now it is build as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs. o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec. o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods. o TCP_SIGNATURE support was reworked to be more close to RFC. o PF_KEY SADB was reworked: - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI. - several hash tables added to speed up lookups in SADB. - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups in the same time. - many PF_KEY message handlers were reworked to reflect changes in SADB. - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses. o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6. o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet. o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms. o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code. o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting. Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9352 MFC r313331: Add removed headers into the ObsoleteFiles.inc. MFC r313561 (by glebius): Move tcp_fields_to_net() static inline into tcp_var.h, just below its friend tcp_fields_to_host(). There is third party code that also uses this inline. MFC r313697: Remove IPsec related PCB code from SCTP. The inpcb structure has inp_sp pointer that is initialized by ipsec_init_pcbpolicy() function. This pointer keeps strorage for IPsec security policies associated with a specific socket. An application can use IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options to configure these security policies. Then ip[6]_output() uses inpcb pointer to specify that an outgoing packet is associated with some socket. And IPSEC_OUTPUT() method can use a security policy stored in the inp_sp. For inbound packet the protocol-specific input routine uses IPSEC_CHECK_POLICY() method to check that a packet conforms to inbound security policy configured in the inpcb. SCTP protocol doesn't specify inpcb for ip[6]_output() when it sends packets. Thus IPSEC_OUTPUT() method does not consider such packets as associated with some socket and can not apply security policies from inpcb, even if they are configured. Since IPSEC_CHECK_POLICY() method is called from protocol-specific input routine, it can specify inpcb pointer and associated with socket inbound policy will be checked. But there are two problems: 1. Such check is asymmetric, becasue we can not apply security policy from inpcb for outgoing packet. 2. IPSEC_CHECK_POLICY() expects that caller holds INPCB lock and access to inp_sp is protected. But for SCTP this is not correct, becasue SCTP uses own locks to protect inpcb. To fix these problems remove IPsec related PCB code from SCTP. This imply that IP_IPSEC_POLICY and IPV6_IPSEC_POLICY socket options will be not applicable to SCTP sockets. To be able correctly check inbound security policies for SCTP, mark its protocol header with the PR_LASTHDR flag. Differential Revision: https://reviews.freebsd.org/D9538 MFC r313746: Add missing check to fix the build with IPSEC_SUPPORT and without MAC. MFC r313805: Fix LINT build for powerpc. Build kernel modules support only when both IPSEC and TCP_SIGNATURE are not defined. MFC r313922: For translated packets do not adjust UDP checksum if it is zero. In case when decrypted and decapsulated packet is an UDP datagram, check that its checksum is not zero before doing incremental checksum adjustment. MFC r314339: Document that the size of AH ICV for HMAC-SHA2-NNN should be half of NNN bits as described in RFC4868. PR: 215978 MFC r314812: Introduce the concept of IPsec security policies scope. Currently are defined three scopes: global, ifnet, and pcb. Generic security policies that IKE daemon can add via PF_KEY interface or an administrator creates with setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked agains inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through if_ipsec(4) interface. And security policies created by application using setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to specific socket. Currently there is no way to list PCB policies via setkey(8) utility. Modify setkey(8) and libipsec(3) to be able distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed. To implement this PF_KEY's sadb_x_policy structure was modified. sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. SADB_SPDDUMP message extended to support filtering by scope: sadb_msg_satype field is used to specify bit mask of requested scopes. For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass if_ipsec's interface if_index to the userland. For GLOBAL policies sadb_x_policy_priority is used only to manage order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to keep if_index. After this change the output of `setkey -DP` now looks like: # setkey -DPt 0.0.0.0/0[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/87.250.242.144-87.250.242.145/unique:145 spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0 refcnt=1 # setkey -DPg ::/0 ::/0 icmp6 135,0 out none spid=5 seq=1 pid=872 scope=global refcnt=1 Obtained from: Yandex LLC Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9805 PR: 212018 Relnotes: yes Sponsored by: Yandex LLC
* netipsec: Fix minor style nitcem2016-05-101-1/+1
| | | | | | | | | Coverity points out that 'continue' is equivalent to 'break' in a do {} while(false) loop. Reported by: Coverity CID: 1354983 Sponsored by: EMC / Isilon Storage Division
* sys/net*: minor spelling fixes.pfg2016-05-031-6/+6
| | | | No functional change.
* Handle non-compressed packets for IPComp in tunnel mode.ae2016-04-241-0/+60
| | | | | | | | | | | | | | | | | RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header. Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found. Reported by: gnn Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D6062
* kernel: use our nitems() macro when it is available through param.h.pfg2016-04-191-4/+4
| | | | | | No functional change, only trivial cases are done in this sweep, Discussed in: freebsd-current
* sys/net* : for pointers replace 0 with NULL.pfg2016-04-151-6/+6
| | | | | | Mostly cosmetical, no functional change. Found with devel/coccinelle.
* Put IPSec's anouncement of its successful intialisation under bootverbose:rwatson2016-03-131-1/+2
| | | | | now that it's a default kernel option, we don't really need to tell the world about it on every boot, especially as it won't be used by most users.
* Set tres to NULL to avoid a double free if the m_pullup() below fails.markj2016-03-021-0/+1
| | | | | | Reviewed by: glebius MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D5497
* Fix useless check. m_pkthdr.len should be equal to orglen.ae2016-02-241-2/+1
| | | | MFC after: 2 weeks
* Implement the sadb_x_policy_priority field as it is done in Linux:fabient2015-11-171-7/+30
| | | | | | | | lower priority policies are inserted first. Submitted by: Emeric Poupon <emeric.poupon@stormshield.eu> Reviewed by: ae Sponsored by: Stormshield
* Use explicitly specified ivsize instead of blocksize when we mean IV size.ae2015-11-161-1/+1
| | | | | | | | Set zero ivsize for enc_xform_null and remove special handling from xform_esp.c. Reviewed by: gnn Differential Revision: https://reviews.freebsd.org/D1503
* Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsecjmg2015-08-041-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | defines the keys differently than NIST does, so we have to muck with key lengths and nonce/IVs to be standard compliant... Remove the iv from secasvar as it was unused... Add a counter protected by a mutex to ensure that the counter for GCM and ICM will never be repeated.. This is a requirement for security.. I would use atomics, but we don't have a 64bit one on all platforms.. Fix a bug where IPsec was depending upon the OCF to ensure that the blocksize was always at least 4 bytes to maintain alignment... Move this logic into IPsec so changes to OCF won't break IPsec... In one place, espx was always non-NULL, so don't test that it's non-NULL before doing work.. minor style cleanups... drop setting key and klen as they were not used... Enforce that OCF won't pass invalid key lengths to AES that would panic the machine... This was has been tested by others too... I tested this against NetBSD 6.1.5 using mini-test suite in https://github.com/jmgurney/ipseccfgs and the only things that don't pass are keyed md5 and sha1, and 3des-deriv (setkey syntax error), all other modes listed in setkey's man page... The nice thing is that NetBSD uses setkey, so same config files were used on both... Reviewed by: gnn
* Fill the port and protocol information in the SADB_ACQUIRE messageae2015-07-061-8/+60
| | | | | | | | in case when security policy has it as required by RFC 2367. PR: 192774 Differential Revision: https://reviews.freebsd.org/D2972 MFC after: 1 week
* drop key_sa_stir_iv as it isn't used...jmg2015-06-111-8/+0
| | | | Reviewed by: eri, ae
* CALLOUT_MPSAFE has lost its meaning since r141428, i.e., for more than tenjkim2015-05-221-1/+1
| | | | | | | | | | years for head. However, it is continuously misused as the mpsafe argument for callout_init(9). Deprecate the flag and clean up callout_init() calls to make them more consistent. Differential Revision: https://reviews.freebsd.org/D2613 Reviewed by: jhb MFC after: 2 weeks
* In the reply to SADB_X_SPDGET message use the same sequence number thatae2015-05-201-2/+3
| | | | | | | | was in the request. Some IKE deamons expect it will the same. Linux and NetBSD also follow this behaviour. PR: 137309 MFC after: 2 weeks
* Change SA's state before sending SADB_EXPIRE message. This state willae2015-05-191-2/+2
| | | | | | be reported to keying daemon. MFC after: 2 weeks
* Teach key_expire() send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARDae2015-05-191-40/+38
| | | | | | | | | | | | | extension header type. The key_flush_sad() now will send SADB_EXPIRE message when HARD lifetime expires. This is required by RFC 2367 and some keying daemons rely on these messages. HARD lifetime messages have precedence over SOFT lifetime messages, so now they will be checked first. Also now SADB_EXPIRE messages will be send even the SA has not been used, because keying daemons might want to rekey such SA. PR: 200282, 200283 Submitted by: Tobias Brunner <tobias at strongswan dot org> MFC after: 2 weeks
* Fix handling of scoped IPv6 addresses in IPSec code.ae2015-04-181-36/+7
| | | | | | | | | | | | | | | | | | | | | * in ipsec_encap() embed scope zone ids into link-local addresses in the new IPv6 header, this helps ip6_output() disambiguate the scope; * teach key_ismyaddr6() use in6_localip(). in6_localip() is less strict than key_sockaddrcmp(). It doesn't compare all fileds of struct sockaddr_in6, but it is faster and it should be safe, because all SA's data was checked for correctness. Also, since IPv6 link-local addresses in the &V_in6_ifaddrhead are stored in kernel-internal form, we need to embed scope zone id from SA into the address before calling in6_localip. * in ipsec_common_input() take scope zone id embedded in the address and use it to initialize sin6_scope_id, then use this sockaddr structure to lookup SA, because we keep addresses in the SADB without embedded scope zone id. Differential Revision: https://reviews.freebsd.org/D2304 Reviewed by: gnn Sponsored by: Yandex LLC
* Remove extra '&'. sin6 is already a pointer.ae2015-03-071-1/+1
| | | | | PR: 195011 MFC after: 1 week
* Fix possible memory leak and several races in the IPsec policy managementae2015-02-241-1/+15
| | | | | | | | | | | | | | | | | | | | | code. Resurrect the state field in the struct secpolicy, it has IPSEC_SPSTATE_ALIVE value when security policy linked in the chain, and IPSEC_SPSTATE_DEAD value in all other cases. This field protects from trying to unlink one security policy several times from the different threads. Take additional reference in the key_flush_spd() to be sure that policy won't be freed from the different thread while we are sending SPDEXPIRE message. Add KEY_FREESP() call to the key_unlink() to release additional reference that we take when use key_getsp*() functions. Differential Revision: https://reviews.freebsd.org/D1914 Tested by: Emeric POUPON <emeric.poupon at stormshield dot eu> Reviewed by: hrs Sponsored by: Yandex LLC
* key_spdget uses key_setdumpsp() without SPTREE_RLOCK held (it usesae2015-01-271-2/+0
| | | | | | | | | referenced pointer to sp). Remove SPTREE_RLOCK_ASSERT from key_setdumpsp() to fix wrong assertion. Reported by: Emeric POUPON Obtained from: Yandex LLC Sponsored by: Yandex LLC
* In order to reduce use of M_EXT outside of the mbuf allocator andrwatson2015-01-061-10/+5
| | | | | | | | | | | | | | | | | | | | | socket-buffer implementations, introduce a return value for MCLGET() (and m_cljget() that underlies it) to allow the caller to avoid testing M_EXT itself. Update all callers to use the return value. With this change, very few network device drivers remain aware of M_EXT; the primary exceptions lie in mbuf-chain pretty printers for debugging, and in a few cases, custom mbuf and cluster allocation implementations. NB: This is a difficult-to-test change as it touches many drivers for which I don't have physical devices. Instead we've gone for intensive review, but further post-commit review would definitely be appreciated to spot errors where changes could not easily be made mechanically, but were largely mechanical in nature. Differential Revision: https://reviews.freebsd.org/D1440 Reviewed by: adrian, bz, gnn Sponsored by: EMC / Isilon Storage Division
* Fix VIMAGE build.ae2014-12-251-1/+1
|
* Rename ip4_def_policy variable to def_policy. It is used by both IPv4 andae2014-12-241-172/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | IPv6. Initialize it only once in def_policy_init(). Remove its initialization from key_init() and make it static. Remove several fields from struct secpolicy: * lock - it isn't so useful having mutex in the structure, but the only thing we do with it is initialization and destroying. * state - it has only two values - DEAD and ALIVE. Instead of take a lock and change the state to DEAD, then take lock again in GC function and delete policy from the chain - keep in the chain only ALIVE policies. * scangen - it was used in GC function to protect from sending several SADB_SPDEXPIRE messages for one SPD entry. Now we don't keep DEAD entries in the chain and there is no need to have scangen variable. Use TAILQ to implement SPD entries chain. Use rmlock to protect access to SPD entries chain. Protect all SP lookup with RLOCK, and use WLOCK when we are inserting (or removing) SP entry in the chain. Instead of using pattern "LOCK(); refcnt++; UNLOCK();", use refcount(9) API to implement refcounting in SPD. Merge code from key_delsp() and _key_delsp() into _key_freesp(). And use KEY_FREESP() macro in all cases when we want to release reference or just delete SP entry. Obtained from: Yandex LLC Sponsored by: Yandex LLC
* key_getspacq() returns holding the spacq_lock. Unlock it in all cases.ae2014-12-071-1/+2
| | | | | MFC after: 1 week Sponsored by: Yandex LLC
* Remove __P() macro.ae2014-12-031-112/+111
| | | | | Suggested by: kevlo Sponsored by: Yandex LLC
* ANSIfy function declarations.ae2014-12-031-202/+80
| | | | Sponsored by: Yandex LLC
* Remove route chaching support from ipsec code. It isn't used for some time.ae2014-12-021-25/+0
| | | | | | | | | * remove sa_route_union declaration and route_cache member from struct secashead; * remove key_sa_routechange() call from ICMP and ICMPv6 code; * simplify ip_ipsec_mtu(); * remove #include <net/route.h>; Sponsored by: Yandex LLC
* Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed.glebius2014-11-071-24/+24
| | | | Sponsored by: Nginx, Inc.
* Use in_localip() instead of handmade implementation.ae2014-10-311-21/+2
| | | | | MFC after: 1 week Sponsored by: Yandex LLC
* Use a static callout to drive key_timehandler() instead of timeout().jhb2014-10-231-4/+9
| | | | | | | While here, make key_timehandler() private to key.c. Submitted by: bz (2) Tested by: bz
* Only do a ports check if this is a NAT-T SA. Otherwise otherbz2014-05-241-6/+20
| | | | | | lookups providing ports may get unexpected results. MFC After: 2 weeks
* The r48589 promised to remove implicit inclusion of if_var.h soon. Prepareglebius2013-10-261-1/+2
| | | | | | | | to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h Sponsored by: Netflix Sponsored by: Nginx, Inc.
* Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP,ae2013-06-201-19/+19
| | | | | | PFKEY. MFC after: 2 weeks
* Use m_get2() + m_align() instead of hand made key_alloc_mbuf(). Codeglebius2013-03-151-104/+50
| | | | | | | examination shows, that although key_alloc_mbuf() could return chains, the callers never use chains, so m_get2() should suffice. Sponsored by: Nginx, Inc.
* Mechanically substitute flags from historic mbuf allocator withglebius2012-12-051-21/+21
| | | | | | | | | malloc(9) flags within sys. Exceptions: - sys/contrib not touched - sys/mbuf.h edited manually
* Mechanically remove the last stray remains of spl* calls from net*/*.andre2012-10-181-6/+0
| | | | They have been Noop's for a long time now.
* In NAT-T transport mode, allow a client to open a new connection just aftervanhu2012-09-121-3/+5
| | | | | | | | closing another. It worked only in tunnel mode before. Submitted by: Andreas Longwitz <longwitz@incore.de> MFC after: 1M
* Unexpand a couple of TAILQ_FOREACH()s.jhb2012-08-171-2/+1
|
* Add missing va_end() in an error case to clean up after va_start()brueffer2011-10-071-0/+1
| | | | | | | | (already done in the non-error case). CID: 4726 Found with: Coverity Prevent(tm) MFC after: 1 week
* Release SP's refcount in key_get_spdbyid().vanhu2011-05-091-0/+1
| | | | | | PR: 156676 Submitted by: Tobias Brunner (tobias@strongswan.org) MFC after: 1 week
* Make IPsec compile without INET adding appropriate #ifdef checks.bz2011-04-271-1/+1
| | | | | | | | | | | | Unfold the IPSEC_COMMON_INPUT_CB() macro in xform_{ah,esp,ipcomp}.c to not need three different versions depending on INET, INET6 or both. Mark two places preparing for not yet supported functionality with IPv6. Reviewed by: gnn Sponsored by: The FreeBSD Foundation Sponsored by: iXsystems MFC after: 4 days
* Optimisation in IPSEC(4):fabient2011-03-311-30/+27
| | | | | | | | | | - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback. Gain on 6 cores CPU with SHA1/AES128 can be up to 30%. Reviewed by: vanhu MFC after: 1 month
* Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant.vanhu2011-02-181-1/+8
| | | | | | | | | This will break interoperability with all older versions of FreeBSD for those algorithms. Reviewed by: bz, gnn Obtained from: NETASQ MFC after: 1w
* After some off-list discussion, revert a number of changes to thedim2010-11-221-18/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | DPCPU_DEFINE and VNET_DEFINE macros, as these cause problems for various people working on the affected files. A better long-term solution is still being considered. This reversal may give some modules empty set_pcpu or set_vnet sections, but these are harmless. Changes reverted: ------------------------------------------------------------------------ r215318 | dim | 2010-11-14 21:40:55 +0100 (Sun, 14 Nov 2010) | 4 lines Instead of unconditionally emitting .globl's for the __start_set_xxx and __stop_set_xxx symbols, only emit them when the set_vnet or set_pcpu sections are actually defined. ------------------------------------------------------------------------ r215317 | dim | 2010-11-14 21:38:11 +0100 (Sun, 14 Nov 2010) | 3 lines Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughout the tree. ------------------------------------------------------------------------ r215316 | dim | 2010-11-14 21:23:02 +0100 (Sun, 14 Nov 2010) | 2 lines Add macros to define static instances of VNET_DEFINE and DPCPU_DEFINE.
* Apply the STATIC_VNET_DEFINE and STATIC_DPCPU_DEFINE macros throughoutdim2010-11-141-18/+18
| | | | the tree.
* Make the IPsec SADB embedded route cache a union to be able to hold both thebz2010-10-231-4/+4
| | | | | | | | | legacy and IPv6 route destination address. Previously in case of IPv6, there was a memory overwrite due to not enough space for the IPv6 address. PR: kern/122565 MFC After: 2 weeks
OpenPOWER on IntegriCloud