freebsd-nq/sys/netipsec
Bjoern A. Zeeb 89856f7e2d Get closer to a VIMAGE network stack teardown from top to bottom rather
than removing the network interfaces first. This change is rather large
and convoluted as the ordering requirements cannot be separated.

Move the pfil(9) framework to SI_SUB_PROTO_PFIL, move Firewalls and
related modules to their own SI_SUB_PROTO_FIREWALL.
Move initialization of "physical" interfaces to SI_SUB_DRIVERS,
move virtual (cloned) interfaces to SI_SUB_PSEUDO.
Move Multicast to SI_SUB_PROTO_MC.

Re-work parts of multicast initialisation and teardown, not taking the
huge amount of memory into account if used as a module yet.

For interface teardown we try to do as many of them as we can on
SI_SUB_INIT_IF, but for some this makes no sense, e.g., when tunnelling
over a higher layer protocol such as IP. In that case the interface
has to go along with (or before) the shutdown of the higher layer protocol.

Kernel hhooks need to go last on teardown as they may be used at various
higher layers and we cannot remove them before we have cleaned up the higher
layers.

For interface teardown there are multiple paths:
(a) a cloned interface is destroyed (inside a VIMAGE or in the base system),
(b) any interface is moved from a virtual network stack to a different
network stack ("vmove"), or (c) a virtual network stack is being shut down.
All code paths go through if_detach_internal() where we, depending on the
vmove flag or the vnet state, make a decision on how much to shut down;
in case we are destroying a VNET the individual protocol layers will
cleanup their own parts thus we cannot do so again for each interface as
we end up with, e.g., double-frees, destroying locks twice or acquiring
already destroyed locks.
When calling into protocol cleanups we equally have to tell them
whether they need to detach upper layer protocols ("ulp") or not
(e.g., in6_ifdetach()).

Provide or enhance helper functions to do proper cleanup at a protocol
rather than at an interface level.

Approved by:		re (hrs)
Obtained from:		projects/vnet
Reviewed by:		gnn, jhb
Sponsored by:		The FreeBSD Foundation
MFC after:		2 weeks
Differential Revision:	https://reviews.freebsd.org/D6747
2016-06-21 13:48:49 +00:00
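The two rules the commit message describes, ascending initialisation and descending (top-down) teardown of the SYSINIT levels, plus the if_detach_internal() decision on the three teardown paths (a), (b) and (c), are illustrated below by a userland model. This is an added example and not FreeBSD code: the SUB_* levels are placeholders for the kernel's SI_SUB_* constants (the real values live in sys/kernel.h and are not reproduced), and sim_vnet, sim_ifnet, if_detach_internal_sim(), ip_ifdetach() and the other names are hypothetical stand-ins for the kernel's VNET_SYSUNINIT machinery, if_detach_internal() and in6_ifdetach(). It shows why a tunnel interface registered at the interface level is torn down after IP (and so touches a destroyed lock), and why per-interface protocol cleanup must be skipped when the whole vnet is dying.

```c
/*
 * Userland model of the teardown ordering in the commit message above.
 * Added example, NOT FreeBSD code: SUB_*, sim_vnet, sim_ifnet and every
 * function here are hypothetical stand-ins; real SI_SUB_* values are in
 * sys/kernel.h and are deliberately not reproduced.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Only the relative order of these levels matters for the model. */
enum sub_level { SUB_INIT_IF = 30, SUB_PROTO_DOMAIN = 80, SUB_PROTO_IFATTACH = 88 };

struct sim_vnet {
    bool dying;          /* whole virtual stack being destroyed (path (c)) */
    bool ip_lock_alive;  /* IP layer lock: exists between ip_init/ip_uninit */
    int  ip_entries;     /* per-interface protocol state owned by the IP layer */
    int  ip_destroys;    /* how many times the IP lock was destroyed */
    int  faults;         /* double frees or use of an already destroyed lock */
};

struct sim_ifnet { struct sim_vnet *vnet; bool attached; int entries; };

struct sim {
    struct sim_vnet vnet;
    struct sim_ifnet em0;   /* "physical" interface, created at SUB_INIT_IF */
    bool naive_detach;      /* old behaviour: always run per-ifp protocol cleanup */
};

/* Protocol layer: on vnet teardown it frees every interface's entries itself. */
static void ip_init(struct sim *s) { s->vnet.ip_lock_alive = true; }
static void ip_uninit(struct sim *s)
{
    if (!s->vnet.ip_lock_alive) s->vnet.faults++;   /* lock destroyed twice */
    s->vnet.ip_entries = 0;                         /* protocol cleans its own parts */
    s->vnet.ip_lock_alive = false;
    s->vnet.ip_destroys++;
}

/* Per-interface protocol cleanup (the role in6_ifdetach() plays for one ifp). */
static void ip_ifdetach(struct sim_ifnet *ifp)
{
    struct sim_vnet *v = ifp->vnet;
    if (!v->ip_lock_alive) { v->faults++; return; }            /* destroyed lock */
    if (ifp->entries > v->ip_entries) { v->faults++; return; } /* double free */
    v->ip_entries -= ifp->entries;
    ifp->entries = 0;
}

/* if_detach_internal() analogue: on paths (a) and (b) the stack stays up, so the
 * interface must release its protocol state; on path (c) the protocol layer
 * already did (top-down order), and doing it again would double free. */
void if_detach_internal_sim(struct sim_ifnet *ifp, bool vmove, bool naive)
{
    if (naive || vmove || !ifp->vnet->dying)
        ip_ifdetach(ifp);
    ifp->attached = false;
}

static void em0_init(struct sim *s)   { s->em0.vnet = &s->vnet; s->em0.attached = true; }
static void em0_uninit(struct sim *s) { if_detach_internal_sim(&s->em0, false, s->naive_detach); }
static void ifattach_init(struct sim *s)   { s->em0.entries = 2; s->vnet.ip_entries += 2; }
static void ifattach_uninit(struct sim *s) { (void)s; }
/* Tunnel over IP (gif/gre-like): its teardown needs the IP lock to still exist. */
static void tun_init(struct sim *s)   { (void)s; }
static void tun_uninit(struct sim *s) { if (!s->vnet.ip_lock_alive) s->vnet.faults++; }

struct sysinit_sim { int level; void (*init)(struct sim *); void (*uninit)(struct sim *); };
static int by_level(const void *a, const void *b)
{ return ((const struct sysinit_sim *)a)->level - ((const struct sysinit_sim *)b)->level; }

/* Bring a vnet up, then destroy it (path (c)). Returns the number of faults. */
int simulate_vnet_teardown(int tunnel_level, bool naive_detach)
{
    struct sim s;
    memset(&s, 0, sizeof(s));
    s.naive_detach = naive_detach;
    struct sysinit_sim tab[] = {
        { SUB_INIT_IF,        em0_init,      em0_uninit },
        { SUB_PROTO_DOMAIN,   ip_init,       ip_uninit },
        { SUB_PROTO_IFATTACH, ifattach_init, ifattach_uninit },
        { tunnel_level,       tun_init,      tun_uninit },
    };
    size_t n = sizeof(tab) / sizeof(tab[0]);
    qsort(tab, n, sizeof(tab[0]), by_level);
    for (size_t i = 0; i < n; i++) tab[i].init(&s);   /* ascending */
    s.vnet.dying = true;
    for (size_t i = n; i-- > 0;) tab[i].uninit(&s);   /* descending: top down */
    if (s.vnet.ip_destroys != 1 || s.vnet.ip_entries != 0) s.vnet.faults++;
    return s.vnet.faults;
}

/* Path (b): em0 moves out of a live vnet; it must release its own protocol
 * state and the source stack's lock must survive. Returns 0 on success. */
int simulate_vmove(void)
{
    struct sim s;
    memset(&s, 0, sizeof(s));
    em0_init(&s); ip_init(&s); ifattach_init(&s);
    if_detach_internal_sim(&s.em0, true, false);
    return (s.vnet.faults == 0 && s.vnet.ip_lock_alive && s.vnet.ip_entries == 0) ? 0 : 1;
}

int main(void)
{
    printf("tunnel above IP, new detach: %d faults\n", simulate_vnet_teardown(SUB_PROTO_IFATTACH, false));
    printf("tunnel at IF level:          %d faults\n", simulate_vnet_teardown(SUB_INIT_IF, false));
    printf("naive per-ifp cleanup:       %d faults\n", simulate_vnet_teardown(SUB_PROTO_IFATTACH, true));
    printf("vmove out of live vnet:      %d\n", simulate_vmove());
    return 0;
}
```

The only configuration that tears down cleanly is the tunnel registered above the IP layer together with the vnet-aware detach; registering the tunnel at the interface level, or keeping the old always-clean-up behaviour, each produce exactly the destroyed-lock access the commit message warns about.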
ah_var.h
ah.h
esp_var.h
esp.h Summary: Remove spurious, extra, next header comments. 2015-05-15 18:04:49 +00:00
ipcomp_var.h
ipcomp.h
ipsec6.h Constify mbuf pointer for IPSEC functions where mbuf isn't modified. 2016-04-21 10:58:07 +00:00
ipsec_input.c Overhaul if_enc(4) and make it loadable in run-time. 2015-11-25 07:31:59 +00:00
ipsec_mbuf.c sys/net* : for pointers replace 0 with NULL. 2016-04-15 17:30:33 +00:00
ipsec_output.c sys/net*: minor spelling fixes. 2016-05-03 18:05:43 +00:00
ipsec.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
ipsec.h Remove stale function declaration 2016-04-21 11:02:06 +00:00
key_debug.c Use ipsec_address() function to print IP addresses. 2016-04-24 09:05:29 +00:00
key_debug.h Constify mbuf pointer for IPSEC functions where mbuf isn't modified. 2016-04-21 10:58:07 +00:00
key_var.h
key.c netipsec: Fix minor style nit 2016-05-10 20:14:11 +00:00
key.h Handle non-compressed packets for IPComp in tunnel mode. 2016-04-24 09:02:17 +00:00
keydb.h Make IPsec work with AES-GCM and AES-ICM (aka CTR) in OCF... IPsec 2015-08-04 17:47:11 +00:00
keysock.c kernel: use our nitems() macro when it is available through param.h. 2016-04-19 23:48:27 +00:00
keysock.h
xform_ah.c Take extra reference to security policy before calling crypto_dispatch(). 2015-09-30 08:16:33 +00:00
xform_esp.c Use explicitly specified ivsize instead of blocksize when we mean IV size. 2015-11-16 07:10:42 +00:00
xform_ipcomp.c Fix build for NOINET and NOINET6 kernels. 2016-04-24 17:09:51 +00:00
xform_tcp.c Get closer to a VIMAGE network stack teardown from top to bottom rather 2016-06-21 13:48:49 +00:00
xform.h RFC4868 section 2.3 requires that the output be half... This fixes 2015-07-29 07:15:16 +00:00