| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
| |
Remove unused structure declarations.
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Remove ip4_input() declaration. It was removed in r275133.
MFC after: 1 month
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Do not use xform_ipip as decapsulation fallback.
xform_ipip was used as fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets, that it shouldn't. This leads to situations,
when wrong configurations are magically working. Also it can propagate
wrong ingress interface and this can break security.
Now we redesigned the IPSEC code and IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr.
Differential Revision: https://reviews.freebsd.org/D1220
MFC after: 1 month
Sponsored by: Yandex LLC
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_altq.RELENG_10.diff"
This reverts commit 5b128f054452e56b96564210c998510e0dd45130.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_improvement.diff"
This reverts commit 29b5f15dd163f4c415bb883fef4a53cf17f9e4e2.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch aesgcm.soft.1.patch"
This reverts commit 46e99a8858f1c843c1774e472c11d422ca2163ae.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec-oneshot-dump.diff"
This reverts commit d3b775b3db2819bebcac765dca33db7f8f5143c7.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_direct_dispatch.diff"
This reverts commit 9ed545f35cdf6da23726dadeb0e999d0d81e62eb.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_SPD_lock_split.diff"
This reverts commit 269a8b44fb6ae59c4ccc4d6f2353f2541547e70a.
TAG: IPSEC-HEAD
Issue: #4841
|
|
|
|
|
|
|
|
|
| |
Revert "Importing pfSense patch ipsec_transport_filterfix.diff"
This reverts commit 924a927559577e9cea5abf4a725e679acad834bf.
TAG: IPSEC-HEAD
Issue: #4841
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
| |
Fill the port and protocol information in the SADB_ACQUIRE message
in case when security policy has it as required by RFC 2367.
PR: 192774
Approved by: re (delphij)
|
|
|
|
|
|
|
|
| |
In the reply to SADB_X_SPDGET message use the same sequence number that
was in the request. Some IKE deamons expect it will the same. Linux and
NetBSD also follow this behaviour.
PR: 137309
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Teach key_expire() send SADB_EXPIRE message with the SADB_EXT_LIFETIME_HARD
extension header type. The key_flush_sad() now will send SADB_EXPIRE
message when HARD lifetime expires. This is required by RFC 2367 and some
keying daemons rely on these messages. HARD lifetime messages have
precedence over SOFT lifetime messages, so now they will be checked first.
Also now SADB_EXPIRE messages will be send even the SA has not been used,
because keying daemons might want to rekey such SA.
PR: 200282, 200283
MFC r283102:
Change SA's state before sending SADB_EXPIRE message. This state will
be reported to keying daemon.
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove unused declartations.
MFC r275437:
ANSIfy function declarations.
MFC r275438:
Remove __P() macro.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
| |
Remove route chaching support from ipsec code. It isn't used for some time.
* remove sa_route_union declaration and route_cache member from struct secashead;
* remove key_sa_routechange() call from ICMP and ICMPv6 code;
* simplify ip_ipsec_mtu();
* remove #include <net/route.h>;
Sponsored by: Yandex LLC
|
|
|
|
|
|
| |
Remove unneded mbuf length adjustment, M_PREPEND() already did that.
PR: 139387
|
|
|
|
|
|
| |
Remove extra '&'. sin6 is already a pointer.
PR: 195011
|
|
|
|
|
|
|
|
|
|
|
| |
Remove unneded check. No need to do m_pullup to the size that we prepended.
MFC r275473:
Fix style(9) and remove m_freem(NULL).
Add XXX comment, it looks incorrect, because m_pkthdr.len is already
incremented by M_PREPEND().
Sponsored by: Yandex LLC
|
|
|
|
|
|
| |
key_getspacq() returns holding the spacq_lock. Unlock it in all cases.
Sponsored by: Yandex LLC
|
|
|
|
|
| |
Pass mbuf to pfil processing before stripping outer IP header as it
is described in if_enc(4).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix ips_out_nosa errors accounting.
MFC r274454:
ipsec6_process_packet is called before ip6_output fixes ip6_plen.
Update ip6_plen before bpf processing to be able see correct value.
MFC r274455:
We don't return sp pointer, thus NULL assignment isn't needed.
And reference to sp will be freed at the end.
MFC r274465:
Remove redundant ip6_plen initialization.
MFC r274466:
Strip IP header only when we act in tunnel mode.
MFC r274467:
Count statistics for the specific address family.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
| |
When mode isn't explicitly specified (wildcard) and inner protocol isn't
IPv4 or IPv6, assume it is the transport mode.
Sponsored by: Yandex LLC
|
|
|
|
|
|
| |
Use in_localip() instead of handmade implementation.
Sponsored by: Yandex LLC
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels.
For IPv6-in-IPv4, you may need to do the following command
on the tunnel interface if it is configured as IPv4 only:
ifconfig <interface> inet6 -ifdisabled
Code logic inspired from NetBSD.
PR: kern/169438
MC r266822 by bz:
Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6
version. This also unbreaks the NOINET6 builds after r266800.
MFC r268083 by zec:
The assumption in ipsec4_process_packet() that the payload may be
only IPv4 is wrong, so check the IP version before mangling the
payload header.
MFC r272394:
Do not strip outer header when operating in transport mode.
Instead requeue mbuf back to IPv4 protocol handler. If there is one extra IP-IP
encapsulation, it will be handled with tunneling interface. And thus proper
interface will be exposed into mbuf's rcvif. Also, tcpdump that listens on tunneling
interface will see packets in both directions.
PR: 194761
|
|
|
|
|
|
|
| |
- De-vnet hash sizes and hash masks.
- Fix multiple issues related to arguments passed to SYSCTL macros.
Sponsored by: Mellanox Technologies
|
|
|
|
|
| |
Only do a ports check if this is a NAT-T SA. Otherwise other
lookups providing ports may get unexpected results.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove dead code.
MFC r264125:
Remove unused variable.
MFC r264126:
The check for local address spoofing lacks ifaddr locking.
Remove these loops and use in_localip() and in6_localip()
functions instead.
MFC r264520:
Remove _IP_VHL* macros and related ifdefs.
|
|
|
|
|
|
| |
Initialize prot variable.
PR: 177417
|
|
|
|
|
|
|
|
| |
ever intended for use in sysctl(8) and it has not used them for many
years.
Reviewed by: bde
Tested by: exp-run by bdrewery
|
|
|
|
|
|
|
|
|
|
|
| |
structure is used, but they already have equal fields in the struct
newipsecstat, that was introduced with FAST_IPSEC and then was merged
together with old ipsecstat structure.
This fixes kernel stack overflow on some architectures after migration
ipsecstat to PCPU counters.
Reported by: Taku YAMAMOTO, Maciej Milewski
|
|
|
|
| |
ipsec4stat, ipsec6stat to PCPU counters.
|
|
|
|
|
|
|
|
|
|
| |
Use uint64_t as type for all fields of structures.
Changed structures: ahstat, arpstat, espstat, icmp6_ifstat, icmp6stat,
in6_ifstat, ip6stat, ipcompstat, ipipstat, ipsecstat, mrt6stat, mrtstat,
pfkeystat, pim6stat, pimstat, rip6stat, udpstat.
Discussed with: arch@
|
|
|
|
|
|
| |
PFKEY.
MFC after: 2 weeks
|
|
|
|
|
|
| |
accounting.
MFC after: 2 weeks
|
|
|
|
| |
MFC after: 1 week
|
|
|
|
|
|
|
| |
examination shows, that although key_alloc_mbuf() could return chains,
the callers never use chains, so m_get2() should suffice.
Sponsored by: Nginx, Inc.
|
|
|
|
|
|
|
|
|
| |
malloc(9) flags within sys.
Exceptions:
- sys/contrib not touched
- sys/mbuf.h edited manually
|
|
|
|
|
|
|
|
|
|
|
| |
before passing a packet to protocol input routines.
For several protocols this mean that now protocol needs to
do subtraction itself, and for another half this means that
we do not need to add header length back to the packet.
Make ip_stripoptions() to adjust ip_len, since now we enter
this function with a packet header whose ip_len does represent
length of entire packet, not payload only.
|
|
|
|
|
| |
- Add XXX comment about necessity of the entire block,
that "fixes up" the IP header.
|
|
|
|
| |
IPv4 stack to network byte order.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
in network byte order. Any host byte order processing is
done in local variables and host byte order values are
never[1] written to a packet.
After this change a packet processed by the stack isn't
modified at all[2] except for TTL.
After this change a network stack hacker doesn't need to
scratch his head trying to figure out what is the byte order
at the given place in the stack.
[1] One exception still remains. The raw sockets convert host
byte order before pass a packet to an application. Probably
this would remain for ages for compatibility.
[2] The ip_input() still subtructs header len from ip->ip_len,
but this is planned to be fixed soon.
Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
|
|
|
|
| |
They have been Noop's for a long time now.
|
| |
|