path: root/sys/netipsec
Commit log (each entry: subject, then author, date, files changed, lines removed/added, followed by the commit message body)
...
* Remove route caching support from ipsec code. It hasn't been used for some time. (ae, 2014-12-02, 15 files, -47/+4)
    * remove sa_route_union declaration and route_cache member from struct secashead;
    * remove key_sa_routechange() call from ICMP and ICMPv6 code;
    * simplify ip_ipsec_mtu();
    * remove #include <net/route.h>;
    Sponsored by: Yandex LLC
* Remove unused structure declarations. (ae, 2014-12-02, 1 file, -11/+0)
    Sponsored by: Yandex LLC
* Remove unused declarations. (ae, 2014-12-02, 1 file, -10/+0)
    Sponsored by: Yandex LLC
* Remove ip4_input() declaration. It was removed in r275133. (ae, 2014-11-27, 1 file, -1/+0)
    MFC after: 1 month
* Do not use xform_ipip as decapsulation fallback. (ae, 2014-11-26, 3 files, -433/+6)
    xform_ipip was used as a fallback with low priority for IPIP encapsulated packets that were decrypted. In some cases it can decapsulate packets that it shouldn't. This leads to situations when wrong configurations are magically working. Also it can propagate the wrong ingress interface, and this can break security.
    Now we redesigned the IPSEC code and IPIP encapsulation is called directly from ipsec_output, and decapsulation is done in the ipsec_input with m_striphdr.
    Differential Revision: https://reviews.freebsd.org/D1220
    MFC after: 1 month
    Sponsored by: Yandex LLC
* Count statistics for the specific address family. (ae, 2014-11-13, 1 file, -1/+2)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Strip IP header only when we act in tunnel mode. (ae, 2014-11-13, 1 file, -29/+30)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Remove redundant ip6_plen initialization. (ae, 2014-11-13, 1 file, -3/+0)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* ipsec6_process_packet is called before ip6_output fixes ip6_plen. (ae, 2014-11-12, 1 file, -5/+2)
    Update ip6_plen before bpf processing to be able to see the correct value.
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Fix ips_out_nosa errors accounting. (ae, 2014-11-12, 1 file, -1/+10)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Pass mbuf to pfil processing before stripping outer IP header, as is described in if_enc(4). (ae, 2014-11-07, 1 file, -17/+6)
    MFC after: 2 weeks
    Sponsored by: Yandex LLC
* Remove SYSCTL_VNET_* macros, and simply put CTLFLAG_VNET where needed. (glebius, 2014-11-07, 6 files, -74/+74)
    Sponsored by: Nginx, Inc.
* When mode isn't explicitly specified (wildcard) and inner protocol isn't IPv4 or IPv6, assume it is the transport mode. (ae, 2014-11-06, 1 file, -1/+10)
    Reported by: jmg
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Use in_localip() instead of handmade implementation. (ae, 2014-10-31, 1 file, -21/+2)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Use a static callout to drive key_timehandler() instead of timeout(). (jhb, 2014-10-23, 2 files, -5/+9)
    While here, make key_timehandler() private to key.c.
    Submitted by: bz (2)
    Tested by: bz
* Fix multiple incorrect SYSCTL arguments in the kernel: (hselasky, 2014-10-21, 1 file, -1/+1)
    - Wrong integer type was specified.
    - Wrong or missing "access" specifier. The "access" specifier sometimes included the SYSCTL type, which it should not, except for procedural SYSCTL nodes.
    - Logical OR where binary OR was expected.
    - Properly assert the "access" argument passed to all SYSCTL macros, using the CTASSERT macro. This applies to both static- and dynamically created SYSCTLs.
    - Properly assert the data type for both static and dynamic SYSCTLs. In the case of static SYSCTLs we only assert that the data pointed to by the SYSCTL data pointer has the correct size, hence there is no easy way to assert types in the C language outside a C-function.
    - Rewrote some code which doesn't pass a constant "access" specifier when creating dynamic SYSCTL nodes, which is now a requirement.
    - Updated "EXAMPLES" section in SYSCTL manual page.
    MFC after: 3 days
    Sponsored by: Mellanox Technologies
* Do not strip outer header when operating in transport mode. (ae, 2014-10-02, 1 file, -2/+10)
    Instead, requeue the mbuf back to the IPv4 protocol handler. If there is one extra IP-IP encapsulation, it will be handled by the tunneling interface, and thus the proper interface will be exposed in the mbuf's rcvif. Also, tcpdump that listens on the tunneling interface will see packets in both directions.
    Sponsored by: Yandex LLC
* Mechanically convert to if_inc_counter(). (glebius, 2014-09-19, 2 files, -8/+8)
* Change pr_output's prototype to avoid the need for explicit casts. (kevlo, 2014-08-15, 2 files, -2/+2)
    This is a follow up to r269699.
    Phabric: D564
    Reviewed by: jhb
* Merge 'struct ip6protosw' and 'struct protosw' into one. Now we have only one protocol switch structure that is shared between ipv4 and ipv6. (kevlo, 2014-08-08, 4 files, -14/+40)
    Phabric: D476
    Reviewed by: jhb
* Fix style bug: rename the refcount field of m_ext to ext_cnt, to match other members. (glebius, 2014-07-11, 1 file, -2/+2)
    Sponsored by: Nginx, Inc.
* The assumption in ipsec4_process_packet() that the payload may be only IPv4 is wrong, so check the IP version before mangling the payload header. (zec, 2014-07-01, 1 file, -3/+5)
* Use IPv4 statistics in ipsec4_process_packet() rather than the IPv6 version. This also unbreaks the NOINET6 builds after r266800. (bz, 2014-05-28, 1 file, -2/+2)
* Fixed IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels. (vanhu, 2014-05-28, 4 files, -338/+207)
    For IPv6-in-IPv4, you may need to do the following command on the tunnel interface if it is configured as IPv4 only:
        ifconfig <interface> inet6 -ifdisabled
    Code logic inspired from NetBSD.
    PR: kern/169438
    Submitted by: emeric.poupon@netasq.com
    Reviewed by: fabient, ae
    Obtained from: NETASQ
* Only do a ports check if this is a NAT-T SA. Otherwise other lookups providing ports may get unexpected results. (bz, 2014-05-24, 1 file, -6/+20)
    MFC After: 2 weeks
* Remove _IP_VHL* macros and related ifdefs. (ae, 2014-04-16, 2 files, -24/+0)
    MFC after: 1 week
* The check for local address spoofing lacks ifaddr locking. Remove these loops and use in_localip() and in6_localip() functions instead. (ae, 2014-04-04, 1 file, -44/+13)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Remove unused variable. (ae, 2014-04-04, 1 file, -3/+0)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Remove dead code. (ae, 2014-04-04, 1 file, -13/+0)
    MFC after: 1 week
    Sponsored by: Yandex LLC
* Remove more constants related to static sysctl nodes. The MAXID constants were primarily used to size the sysctl name list macros that were removed in r254295. A few other constants either did not have an associated sysctl node, or the associated node used OID_AUTO instead. (jhb, 2014-02-25, 2 files, -5/+0)
    PR: ports/184525 (exp-run)
* Initialize prot variable. (ae, 2013-11-11, 1 file, -0/+1)
    PR: 177417
    MFC after: 1 week
* Provide includes that are needed in these files, and before were read in implicitly via if.h -> if_var.h pollution. (glebius, 2013-10-26, 3 files, -1/+5)
    Sponsored by: Netflix
    Sponsored by: Nginx, Inc.
* The r48589 promised to remove implicit inclusion of if_var.h soon. Prepare to this event, adding if_var.h to files that do need it. Also, include all includes that now are included due to implicit pollution via if_var.h (glebius, 2013-10-26, 5 files, -1/+6)
    Sponsored by: Netflix
    Sponsored by: Nginx, Inc.
* Remove most of the remaining sysctl name list macros. They were only ever intended for use in sysctl(8) and it has not used them for many years. (jhb, 2013-08-26, 2 files, -50/+0)
    Reviewed by: bde
    Tested by: exp-run by bdrewery
* Remove the large part of struct ipsecstat. Only a few fields of this structure are used, but they already have equal fields in the struct newipsecstat, that was introduced with FAST_IPSEC and then was merged together with the old ipsecstat structure. (ae, 2013-07-23, 1 file, -30/+4)
    This fixes kernel stack overflow on some architectures after migration of ipsecstat to PCPU counters.
    Reported by: Taku YAMAMOTO, Maciej Milewski
* Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat, ipsec4stat, ipsec6stat to PCPU counters. (ae, 2013-07-09, 13 files, -55/+94)
* Prepare network statistics structures for migration to PCPU counters. (ae, 2013-07-09, 7 files, -135/+131)
    Use uint64_t as type for all fields of structures.
    Changed structures: ahstat, arpstat, espstat, icmp6_ifstat, icmp6stat, in6_ifstat, ip6stat, ipcompstat, ipipstat, ipsecstat, mrt6stat, mrtstat, pfkeystat, pim6stat, pimstat, rip6stat, udpstat.
    Discussed with: arch@
* Use corresponding macros to update statistics for AH, ESP, IPIP, IPCOMP, PFKEY. (ae, 2013-06-20, 13 files, -202/+194)
    MFC after: 2 weeks
* Use IPSECSTAT_INC() and IPSEC6STAT_INC() macros for ipsec statistics accounting. (ae, 2013-06-20, 5 files, -14/+16)
    MFC after: 2 weeks
* Use IP6STAT_INC/IP6STAT_DEC macros to update ip6 stats. (ae, 2013-04-09, 2 files, -3/+3)
    MFC after: 1 week
* Use m_get2() + m_align() instead of hand made key_alloc_mbuf(). Code examination shows that although key_alloc_mbuf() could return chains, the callers never use chains, so m_get2() should suffice. (glebius, 2013-03-15, 1 file, -104/+50)
    Sponsored by: Nginx, Inc.
* Mechanically substitute flags from historic mbuf allocator with malloc(9) flags within sys. (glebius, 2012-12-05, 5 files, -33/+33)
    Exceptions:
    - sys/contrib not touched
    - sys/mbuf.h edited manually
* Do not reduce ip_len by size of IP header in the ip_input() before passing a packet to protocol input routines. (glebius, 2012-10-23, 1 file, -3/+0)
    For several protocols this means that now the protocol needs to do the subtraction itself, and for another half this means that we do not need to add the header length back to the packet.
    Make ip_stripoptions() adjust ip_len, since now we enter this function with a packet header whose ip_len does represent the length of the entire packet, not payload only.
* - Fix one more miss from r241913. (glebius, 2012-10-23, 1 file, -2/+4)
    - Add XXX comment about necessity of the entire block, that "fixes up" the IP header.
* Couple of changes missed from r241913, which converted IPv4 stack to network byte order. (glebius, 2012-10-22, 2 files, -23/+9)
* Switch the entire IPv4 stack to keep the IP packet header in network byte order. (glebius, 2012-10-22, 1 file, -3/+2)
    Any host byte order processing is done in local variables and host byte order values are never[1] written to a packet. After this change a packet processed by the stack isn't modified at all[2] except for TTL.
    After this change a network stack hacker doesn't need to scratch his head trying to figure out what is the byte order at the given place in the stack.
    [1] One exception still remains. The raw sockets convert host byte order before passing a packet to an application. Probably this would remain for ages for compatibility.
    [2] The ip_input() still subtracts header len from ip->ip_len, but this is planned to be fixed soon.
    Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
    Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
* Mechanically remove the last stray remains of spl* calls from net*/*. They have been no-ops for a long time now. (andre, 2012-10-18, 1 file, -6/+0)
* Add missing break (kevlo, 2012-09-18, 1 file, -0/+1)
* In NAT-T transport mode, allow a client to open a new connection just after closing another. It worked only in tunnel mode before. (vanhu, 2012-09-12, 1 file, -3/+5)
    Submitted by: Andreas Longwitz <longwitz@incore.de>
    MFC after: 1M
* Merge the projects/pf/head branch, that was worked on for last six months, into head. (glebius, 2012-09-08, 3 files, -6/+0)
    The most significant achievements in the new code:
    o Fine grained locking, thus much better performance.
    o Fixes to many problems in pf, that were specific to FreeBSD port.
    New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers.
    Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged:
    r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
    I'd like to thank people who participated in early testing:
    Tested by: Florian Smeets <flo freebsd.org>
    Tested by: Chekaluk Vitaly <artemrts ukr.net>
    Tested by: Ben Wilber <ben desync.com>
    Tested by: Ian FREISLICH <ianf cloudseed.co.za>