path: root/sys/netipsec/key.h
Commit message | Author | Age | Files | Lines
* Revert "Handle non-compressed packets for IPComp in tunnel mode." | Renato Botelho | 2016-04-26 | 1 | -4/+0
  This reverts commit c718f329f435eb15fb3939ce5c2c1777a009abe6.
* Handle non-compressed packets for IPComp in tunnel mode. | ae | 2016-04-25 | 1 | -0/+4
  RFC3173 says that the IP datagram MUST be sent in the original non-compressed form, when the total size of a compressed payload and the IPComp header is not smaller than the size of the original payload. In tunnel mode for small packets IPComp will send encapsulated IP datagrams without IPComp header.
  Add ip_encap handler for IPPROTO_IPV4 and IPPROTO_IPV6 to handle these datagrams. The handler does lookup for SA related to IPComp protocol and given from mbuf source and destination addresses as tunnel endpoints. It decapsulates packets only when corresponding SA is found.
  Reported by: gnn
  Reviewed by: gnn
  Differential Revision: https://reviews.freebsd.org/D6062
  (cherry picked from commit dcf50398ab66cfcba0ae4484efe3b5ce40fb9824)
* cryptostats is failing to build and this was the only recent change, trying without. | Chris Buechler | 2016-04-24 | 1 | -4/+0
  Revert "Import patch from https://reviews.freebsd.org/D6062 Ticket #6167"
  This reverts commit e683099e983e453c350827e0a31c3d6da2feaa2b.
* Import patch from https://reviews.freebsd.org/D6062 Ticket #6167 | Chris Buechler | 2016-04-22 | 1 | -0/+4
* MFC r284259: | Luiz Otavio O Souza | 2015-10-20 | 1 | -1/+0
  drop key_sa_stir_iv as it isn't used...
  Reviewed by: eri, ae
  TAG: IPSEC-HEAD
  Issue: #4841
* MFC r275390: | ae | 2015-06-02 | 1 | -19/+18
  Remove unused declarations.
  MFC r275437: ANSIfy function declarations.
  MFC r275438: Remove __P() macro.
  Sponsored by: Yandex LLC
* MFC r275392: | ae | 2015-06-02 | 1 | -1/+0
  Remove route caching support from ipsec code. It isn't used for some time.
  * remove sa_route_union declaration and route_cache member from struct secashead;
  * remove key_sa_routechange() call from ICMP and ICMPv6 code;
  * simplify ip_ipsec_mtu();
  * remove #include <net/route.h>;
  Sponsored by: Yandex LLC
* Optimisation in IPSEC(4): | fabient | 2011-03-31 | 1 | -0/+3
  - Remove contention on ISR during the crypto operation by using rwlock(9).
  - Remove a second lookup of the SA in the callback.
  Gain on 6 cores CPU with SHA1/AES128 can be up to 30%.
  Reviewed by: vanhu
  MFC after: 1 month
* Added support for NAT-Traversal (RFC 3948) in IPsec stack. | vanhu | 2009-06-12 | 1 | -0/+5
  Thanks to (no special order) Emmanuel Dreyfus (manu@netbsd.org), Larry Baird (lab@gta.com), gnn, bz, and other FreeBSD devs, Julien Vanherzeele (julien.vanherzeele@netasq.com, for years of bug reporting), the PFSense team, and all people who used / tried the NAT-T patch for years and reported bugs, patches, etc...
  X-MFC: never
  Reviewed by: bz
  Approved by: gnn(mentor)
  Obtained from: NETASQ
* Introduce an infrastructure for dismantling vnet instances. | zec | 2009-06-08 | 1 | -0/+3
  Vnet modules and protocol domains may now register destructor functions to clean up and release per-module state. The destructor mechanisms can be triggered by invoking "vimage -d", or a future equivalent command which will be provided via the new jail framework.
  While this patch introduces numerous placeholder destructor functions, many of those are currently incomplete, thus leaking memory or (even worse) failing to stop all running timers. Many of such issues are already known and will be incrementally fixed over the next weeks in smaller incremental commits.
  Apart from introducing new fields in structs ifnet, domain, protosw and vnet_net, which requires the kernel and modules to be rebuilt, this change should have no impact on nooptions VIMAGE builds, since vnet destructors can only be called in VIMAGE kernels. Moreover, destructor functions should be in general compiled in only in options VIMAGE builds, except for kernel modules which can be safely kldunloaded at run time.
  Bump __FreeBSD_version to 800097.
  Reviewed by: bz, julian
  Approved by: rwatson, kib (re), julian (mentor)
* key_gettunnel() has been unused with FAST_IPSEC (now IPSEC). | bz | 2009-04-27 | 1 | -0/+4
  KAME had explicit checks at one point using it, so just hide it behind #if 0 for now until we are sure if we can completely dump it or not.
  MFC after: 1 month
* /* -> /*- for license, minor formatting changes | imp | 2005-01-07 | 1 | -1/+1
* Add missing locking for secpolicy refcnt manipulations. | sam | 2004-09-30 | 1 | -0/+1
  Submitted by: Roselyn Lee
* Locking and misc cleanups; most of which I've been running for >4 months: | sam | 2003-09-01 | 1 | -1/+8
  o add locking
  o strip irrelevant spl's
  o split malloc types to better account for memory use
  o remove unused IPSEC_NONBLOCK_ACQUIRE code
  o remove dead code
  Sponsored by: FreeBSD Foundation
* "Fast IPsec": this is an experimental IPsec implementation that is derived | sam | 2002-10-16 | 1 | -0/+107
  from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather different while the SADB and policy management code is very similar to KAME (for the moment).
  Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option.
  FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system.
  This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system.
  Obtained from: KAME + openbsd
  Supported by: Vernier Networks