| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
* remove sa_route_union declaration and route_cache member from struct secashead;
* remove key_sa_routechange() call from ICMP and ICMPv6 code;
* simplify ip_ipsec_mtu();
* remove #include <net/route.h>;
Sponsored by: Yandex LLC
| |
Sponsored by: Yandex LLC
| |
Sponsored by: Yandex LLC
| |
MFC after: 1 month
| |
xform_ipip was used as fallback with low priority for IPIP
encapsulated packets that were decrypted. In some cases
it can decapsulate packets that it shouldn't. This leads to situations
where wrong configurations are magically working. Also it can propagate
a wrong ingress interface, and this can break security.
Now we have redesigned the IPSEC code: IPIP encapsulation is called directly
from ipsec_output, and decapsulation is done in ipsec_input with m_striphdr.
Differential Revision: https://reviews.freebsd.org/D1220
MFC after: 1 month
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
Update ip6_plen before bpf processing to be able to see the correct value.
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
is described in if_enc(4).
MFC after: 2 weeks
Sponsored by: Yandex LLC
| |
Sponsored by: Nginx, Inc.
| |
IPv4 or IPv6, assume it is the transport mode.
Reported by: jmg
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
While here, make key_timehandler() private to key.c.
Submitted by: bz (2)
Tested by: bz
| |
- Wrong integer type was specified.
- Wrong or missing "access" specifier. The "access" specifier
sometimes included the SYSCTL type, which it should not, except for
procedural SYSCTL nodes.
- Logical OR where binary OR was expected.
- Properly assert the "access" argument passed to all SYSCTL macros,
using the CTASSERT macro. This applies to both static- and dynamically
created SYSCTLs.
- Properly assert the data type for both static and dynamic
SYSCTLs. In the case of static SYSCTLs we only assert that the data
pointed to by the SYSCTL data pointer has the correct size, since
there is no easy way to assert types in the C language outside a
C-function.
- Rewrote some code which doesn't pass a constant "access" specifier
when creating dynamic SYSCTL nodes, which is now a requirement.
- Updated "EXAMPLES" section in SYSCTL manual page.
MFC after: 3 days
Sponsored by: Mellanox Technologies
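An added C example, not FreeBSD's code and not part of the commit above, showing the two flag mistakes that commit describes: a logical OR ("||") where a bitwise OR ("|") was meant, and a CTLTYPE mixed into the "access" argument. The DEMO_* constants and the DEMO_CTASSERT macro are local stand-ins with assumed values, not the definitions from sys/sysctl.h; only their shape (type in the low nibble, access flags in the high bits) matters here.

```c
/*
 * Added example, not FreeBSD code. It illustrates two of the defects listed in
 * the commit above: a logical OR where a bitwise OR was meant, and an "access"
 * argument that carries a CTLTYPE. The DEMO_* values are local stand-ins
 * (assumption), not copied from sys/sysctl.h; only their shape matters:
 * the low nibble holds the node type, the high bits hold access flags.
 */
#include <stdint.h>
#include <stdio.h>

#define DEMO_CTLTYPE_MASK   0x0000000fu
#define DEMO_CTLTYPE_INT    0x00000002u
#define DEMO_CTLFLAG_RD     0x80000000u
#define DEMO_CTLFLAG_WR     0x40000000u
#define DEMO_CTLFLAG_RW     (DEMO_CTLFLAG_RD | DEMO_CTLFLAG_WR)
#define DEMO_CTLFLAG_MPSAFE 0x00040000u

/* Compile-time check in the spirit of CTASSERT: a negative array size fails the build. */
#define DEMO_CTASSERT(cond) extern char demo_ctassert_dummy[(cond) ? 1 : -1]

/* An access argument is well-formed when it contains no type bits. */
#define DEMO_ACCESS_OK(access) (((access) & DEMO_CTLTYPE_MASK) == 0)

/* Static nodes: checked when the declaration is compiled. */
DEMO_CTASSERT(DEMO_ACCESS_OK(DEMO_CTLFLAG_RW | DEMO_CTLFLAG_MPSAFE));
/* DEMO_CTASSERT(DEMO_ACCESS_OK(DEMO_CTLTYPE_INT | DEMO_CTLFLAG_RW)); would not compile */

/* What the buggy spelling evaluates to: "a || b" is 1, not a bitmask. */
uint32_t logical_or_access(void)
{
    uint32_t a = DEMO_CTLFLAG_RW, b = DEMO_CTLFLAG_MPSAFE;
    return a || b;
}

/* The intended spelling: both flag bits survive. */
uint32_t bitwise_or_access(void)
{
    return DEMO_CTLFLAG_RW | DEMO_CTLFLAG_MPSAFE;
}

/* Runtime form of the same check, for nodes created dynamically. */
int access_has_type_bits(uint32_t access)
{
    return (access & DEMO_CTLTYPE_MASK) != 0;
}

/*
 * Combine a type and an access argument the way a sysctl registration would.
 * Returns the combined flags, or 0 when the arguments are malformed: a type
 * that is not a bare type, type bits smuggled into access, or an access
 * value with neither RD nor WR set (which is what "||" produces: the value 1
 * lands in the type nibble and carries no access bits at all).
 */
uint32_t build_oid_flags(uint32_t type, uint32_t access)
{
    if ((type & ~DEMO_CTLTYPE_MASK) != 0 || type == 0)
        return 0;                       /* not a bare type */
    if (access_has_type_bits(access))
        return 0;                       /* type smuggled into access */
    if ((access & (DEMO_CTLFLAG_RD | DEMO_CTLFLAG_WR)) == 0)
        return 0;                       /* neither readable nor writable */
    return type | access;
}

int main(void)
{
    printf("logical OR gives 0x%08x, bitwise OR gives 0x%08x\n",
           logical_or_access(), bitwise_or_access());
    printf("build_oid_flags(INT, RW|MPSAFE)  = 0x%08x\n",
           build_oid_flags(DEMO_CTLTYPE_INT, DEMO_CTLFLAG_RW | DEMO_CTLFLAG_MPSAFE));
    printf("build_oid_flags(INT, INT|RW)     = 0x%08x\n",
           build_oid_flags(DEMO_CTLTYPE_INT, DEMO_CTLTYPE_INT | DEMO_CTLFLAG_RW));
    printf("build_oid_flags(INT, RW||MPSAFE) = 0x%08x\n",
           build_oid_flags(DEMO_CTLTYPE_INT, logical_or_access()));
    return 0;
}
```

The compile-time form only works when the access argument is a constant expression, which is why the commit makes a constant "access" a requirement for dynamic node creation as well; the runtime check is the fallback for values assembled at run time.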
| |
Instead requeue the mbuf back to the IPv4 protocol handler. If there is one extra IP-IP
encapsulation, it will be handled by the tunneling interface, and thus the proper
interface will be exposed in the mbuf's rcvif. Also, a tcpdump that listens on the tunneling
interface will see packets in both directions.
Sponsored by: Yandex LLC
| |
This is a follow up to r269699.
Phabric: D564
Reviewed by: jhb
| |
only one protocol switch structure that is shared between ipv4 and ipv6.
Phabric: D476
Reviewed by: jhb
| |
other members.
Sponsored by: Nginx, Inc.
| |
only IPv4 is wrong, so check the IP version before mangling the
payload header.
| |
version. This also unbreaks the NOINET6 builds after r266800.
| |
For IPv6-in-IPv4, you may need to do the following command
on the tunnel interface if it is configured as IPv4 only:
ifconfig <interface> inet6 -ifdisabled
Code logic inspired from NetBSD.
PR: kern/169438
Submitted by: emeric.poupon@netasq.com
Reviewed by: fabient, ae
Obtained from: NETASQ
| |
lookups providing ports may get unexpected results.
MFC after: 2 weeks
| |
MFC after: 1 week
| |
Remove these loops and use in_localip() and in6_localip()
functions instead.
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
MFC after: 1 week
Sponsored by: Yandex LLC
| |
were primarily used to size the sysctl name list macros that were removed
in r254295. A few other constants either did not have an associated
sysctl node, or the associated node used OID_AUTO instead.
PR: ports/184525 (exp-run)
| |
PR: 177417
MFC after: 1 week
| |
in implicitly via if.h -> if_var.h pollution.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
| |
to this event, adding if_var.h to files that do need it. Also, include
all includes that now are included due to implicit pollution via if_var.h
Sponsored by: Netflix
Sponsored by: Nginx, Inc.
| |
ever intended for use in sysctl(8) and it has not used them for many
years.
Reviewed by: bde
Tested by: exp-run by bdrewery
| |
structure is used, but they already have equal fields in the struct
newipsecstat, which was introduced with FAST_IPSEC and then was merged
with the old ipsecstat structure.
This fixes a kernel stack overflow on some architectures after the migration
of ipsecstat to PCPU counters.
Reported by: Taku YAMAMOTO, Maciej Milewski
| |
ipsec4stat, ipsec6stat to PCPU counters.
| |
Use uint64_t as type for all fields of structures.
Changed structures: ahstat, arpstat, espstat, icmp6_ifstat, icmp6stat,
in6_ifstat, ip6stat, ipcompstat, ipipstat, ipsecstat, mrt6stat, mrtstat,
pfkeystat, pim6stat, pimstat, rip6stat, udpstat.
Discussed with: arch@
| |
PFKEY.
MFC after: 2 weeks
| |
accounting.
MFC after: 2 weeks
| |
MFC after: 1 week
| |
examination shows that although key_alloc_mbuf() could return chains,
the callers never use chains, so m_get2() should suffice.
Sponsored by: Nginx, Inc.
| |
malloc(9) flags within sys.
Exceptions:
- sys/contrib not touched
- sys/mbuf.h edited manually
| |
before passing a packet to protocol input routines.
For several protocols this means that now the protocol needs to
do the subtraction itself, and for the other half this means that
we do not need to add the header length back to the packet.
Make ip_stripoptions() adjust ip_len, since now we enter
this function with a packet header whose ip_len does represent the
length of the entire packet, not the payload only.
| |
- Add XXX comment about necessity of the entire block,
that "fixes up" the IP header.
| |
IPv4 stack to network byte order.
| |
in network byte order. Any host byte order processing is
done in local variables and host byte order values are
never[1] written to a packet.
After this change a packet processed by the stack isn't
modified at all[2] except for TTL.
After this change a network stack hacker doesn't need to
scratch his head trying to figure out what is the byte order
at the given place in the stack.
[1] One exception still remains. The raw sockets convert to host
byte order before passing a packet to an application. Probably
this will remain for ages for compatibility.
[2] The ip_input() still subtracts the header len from ip->ip_len,
but this is planned to be fixed soon.
Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru>
Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
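An added C example, not FreeBSD code, covering both this commit and the earlier one that stops subtracting the header length from ip_len before protocol input. A constructed IPv4 packet is parsed with ip_len left in network byte order, the payload length is derived in a host-order local (the subtraction a protocol input routine now has to do itself), the header checksum is verified over the bytes as they sit on the wire, and an ip_len byte-swapped in place (the old practice of storing host order in the packet) is shown to break that verification. The struct and function names are local, not the kernel's, and the sample packet is constructed here.

```c
/*
 * Added example, not FreeBSD code: parse an IPv4 header from a raw buffer,
 * keeping the on-wire fields in network byte order (as ip_input() now does)
 * and deriving the payload length in a local host-order variable, the way a
 * protocol input routine has to subtract the header length itself. Names and
 * the sample packet are local to this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <arpa/inet.h>

/* Minimal IPv4 header layout; the field names follow struct ip, the struct is local. */
struct ipv4_hdr {
    uint8_t  vhl;        /* version (high nibble), header length in 32-bit words (low nibble) */
    uint8_t  tos;
    uint16_t len;        /* total length, network byte order, never rewritten */
    uint16_t id;
    uint16_t off;
    uint8_t  ttl;
    uint8_t  proto;
    uint16_t sum;
    uint32_t src;
    uint32_t dst;
};

/* Constructed sample: 20-byte header, total length 28, protocol UDP, 8 bytes of payload. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x1c,  0x00, 0x01, 0x00, 0x00,  0x40, 0x11, 0xf7, 0x7c,
    0xc0, 0xa8, 0x01, 0x01,  0xc0, 0xa8, 0x01, 0x02,
    0x12, 0x34, 0x00, 0x35,  0x00, 0x08, 0x00, 0x00,
};

/* RFC 1071 one's-complement sum over the bytes exactly as stored in the packet. */
static uint16_t in_cksum(const uint8_t *p, size_t n)
{
    uint32_t sum = 0;
    for (; n > 1; p += 2, n -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    if (n)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/*
 * Payload length (total length minus header length) as a host-order value, or
 * -1 if the header is inconsistent with the buffer. The buffer is not modified:
 * every host-order computation happens in locals.
 */
int ipv4_payload_len(const uint8_t *buf, size_t buflen)
{
    struct ipv4_hdr h;
    unsigned hlen, tlen;

    if (buflen < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));        /* avoid unaligned access */
    if ((h.vhl >> 4) != 4)
        return -1;
    hlen = (h.vhl & 0x0f) * 4;
    tlen = ntohs(h.len);               /* host order lives only in this local */
    if (hlen < sizeof(h) || tlen < hlen || tlen > buflen)
        return -1;
    return (int)(tlen - hlen);
}

/* 1 if the header checksum verifies over the wire bytes, 0 otherwise. */
int ipv4_header_checksum_ok(const uint8_t *buf, size_t buflen)
{
    unsigned hlen;

    if (buflen < sizeof(struct ipv4_hdr))
        return 0;
    hlen = (buf[0] & 0x0f) * 4;
    if (hlen < sizeof(struct ipv4_hdr) || hlen > buflen)
        return 0;
    return in_cksum(buf, hlen) == 0;
}

/*
 * The old practice: store ip_len in host order inside the packet (the byte swap
 * ntohs() performs on a little-endian host, done here unconditionally so the
 * result does not depend on the machine). Returns whether the checksum still
 * verifies afterwards; it does not, so anything reading the raw packet, such as
 * bpf or a checksum routine, would see a corrupted header.
 */
int ipv4_checksum_ok_after_len_byteswap(const uint8_t *buf, size_t buflen)
{
    uint8_t copy[64];
    struct ipv4_hdr h;

    if (buflen < sizeof(h) || buflen > sizeof(copy))
        return -1;
    memcpy(copy, buf, buflen);
    memcpy(&h, copy, sizeof(h));
    h.len = (uint16_t)((h.len << 8) | (h.len >> 8));   /* host-order value written back */
    memcpy(copy, &h, sizeof(h));
    return ipv4_header_checksum_ok(copy, buflen);
}

int main(void)
{
    printf("payload length: %d\n", ipv4_payload_len(sample_pkt, sizeof(sample_pkt)));
    printf("checksum ok (wire order): %d\n", ipv4_header_checksum_ok(sample_pkt, sizeof(sample_pkt)));
    printf("checksum ok (ip_len swapped in place): %d\n",
           ipv4_checksum_ok_after_len_byteswap(sample_pkt, sizeof(sample_pkt)));
    return 0;
}
```

The bounds check in ipv4_payload_len() is the part a protocol input routine must not skip once ip_len describes the whole packet: a total length smaller than the header, or larger than the buffer, is rejected before any subtraction is done.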
| |
They have been no-ops for a long time now.
| |
closing another.
It worked only in tunnel mode before.
Submitted by: Andreas Longwitz <longwitz@incore.de>
MFC after: 1M
| |
into head. The most significant achievements in the new code:
o Fine grained locking, thus much better performance.
o Fixes to many problems in pf that were specific to the FreeBSD port.
The new code doesn't have that many ifdefs and has far fewer OpenBSDisms, thus
is more attractive to our developers.
Those interested in details can browse through the SVN log of the
projects/pf/head branch. And for reference, here is the exact list of
revisions merged:
r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
I'd like to thank people who participated in early testing:
Tested by: Florian Smeets <flo freebsd.org>
Tested by: Chekaluk Vitaly <artemrts ukr.net>
Tested by: Ben Wilber <ben desync.com>
Tested by: Ian FREISLICH <ianf cloudseed.co.za>