Commit Graph

47 Commits

Author SHA1 Message Date
ume
994ac6118a Newer SA is prefered for a out-bound packet than old one
when net.key.prefered_oldsa is set to zero.

Obtained from:	KAME
MFC after:	1 week
2001-12-05 05:40:49 +00:00
ume
a58314c120 Fixed the behavior when there is no inbound policy for the ipsec
tunneled packet.
When there is no suitable inbound policy for the packet of the ipsec
tunnel mode, the kernel never decapsulate the tunneled packet
as the ipsec tunnel mode even when the system wide policy is "none".
Then the kernel leaves the generic tunnel module to process this
packet.  If there is no rule of the generic tunnel, the packet
is rejected and the statistics will be counted up.

Obtained from:	KAME
MFC after:	1 week
2001-11-06 22:45:29 +00:00
ume
6bd8569386 - net.inet.ipsec.esp_auth hasn't been there
- nuke all debug printfs, which are unneeded by now.
- get rid of #ifdef IPSEC_DEBUG in headers
- now that key_debug_level is always defined, there's no need for
  #ifdef IPSEC_DEBUG around sysctl MIB code (net.key.debug).
- switch all debug printf() to ipseclog().

Obtained from:	KAME
MFC after:	1 week
2001-11-05 16:46:24 +00:00
ume
66d7b6370f Unbreak build without INET6.
Reported by:	Christopher N . Harrell <cnh@netvmg.com>
MFC after:	1 week
2001-11-03 20:47:50 +00:00
ume
d30f6152e3 System wide policy should be returned when no policy found in the SPD.
The packet was rejected in ipsec[46]_tunnel_validate().

Obtained from:	KAME
MFC after:	1 week
2001-10-29 16:29:41 +00:00
ume
4ec2993d48 Fixed the value of the prefixlen in the sadb_address structure.
When pfkey message relative to SA is sent, the prefixlen was incorrect.

Obtained from:	KAME
MFC after:	1 week
2001-10-22 20:19:47 +00:00
ume
b44023b126 The behavior of SPDUPDATE has been changed.
SPDUPDATE doesn't depend on whether there is a SP or not.
This change makes `generate_policy on' of racoon work.

Obtained from:	KAME
MFC after:	1 week
2001-10-17 13:01:39 +00:00
julian
5596676e6c KSE Milestone 2
Note ALL MODULES MUST BE RECOMPILED
make the kernel aware that there are smaller units of scheduling than the
process. (but only allow one thread per process at this time).
This is functionally equivalent to teh previousl -current except
that there is a thread associated with each process.

Sorry john! (your next MFC will be a doosie!)

Reviewed by: peter@freebsd.org, dillon@freebsd.org

X-MFC after:    ha ha ha ha
2001-09-12 08:38:13 +00:00
ume
840f9b9d5f printed current sequence number of the SA. accordingly, changed
into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2
structure.  Also the output of setkey is changed.  sequence number
of the sadb is replaced to the end of the output.

Obtained from:	KAME
2001-08-06 19:40:01 +00:00
ume
08fac6b999 do not play too much trick with evaluation order. from netbsd
Obtained from:	KAME
2001-08-06 19:34:41 +00:00
ume
08477b7373 fixed to make a response in key_spdadd(). reported by <R.P.Koster@kpn.com>
Obtained from:	KAME
2001-08-06 19:32:47 +00:00
ume
77164dfb77 merged key_cmpsaidx_*.
Obtained from:	KAME
2001-08-06 19:31:13 +00:00
ume
832f8d2249 Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
  - The definitions of SADB_* in sys/net/pfkeyv2.h are still different
    from RFC2407/IANA assignment because of binary compatibility
    issue.  It should be fixed under 5-CURRENT.
  - ip6po_m member of struct ip6_pktopts is no longer used.  But, it
    is still there because of binary compatibility issue.  It should
    be removed under 5-CURRENT.

Reviewed by:	itojun
Obtained from:	KAME
MFC after:	3 weeks
2001-06-11 12:39:29 +00:00
jhb
3fbeaa9056 Remove unneeded includes of sys/ipl.h and machine/ipl.h. 2001-05-15 23:22:29 +00:00
markm
bcca5847d5 Undo part of the tangle of having sys/lock.h and sys/mutex.h included in
other "system" header files.

Also help the deprecation of lockmgr.h by making it a sub-include of
sys/lock.h and removing sys/lockmgr.h form kernel .c files.

Sort sys/*.h includes where possible in affected files.

OK'ed by:	bde (with reservations)
2001-05-01 08:13:21 +00:00
ume
6ea140035b fixed possibility of panic at key_acquire().
key_acquire() does not require a secpolicy structure.

Obtained from:	KAME
2001-01-14 17:25:08 +00:00
kris
2ba8b5cbd1 Revert previous commit after discussion with phk. 2000-10-30 09:13:46 +00:00
phk
94a5006c9a Remove unneeded #include <sys/proc.h> lines. 2000-10-29 13:57:19 +00:00
phk
54ca48450c Convert all users of fldoff() to offsetof(). fldoff() is bad
because it only takes a struct tag which makes it impossible to
use unions, typedefs etc.

Define __offsetof() in <machine/ansi.h>

Define offsetof() in terms of __offsetof() in <stddef.h> and <sys/types.h>

Remove myriad of local offsetof() definitions.

Remove includes of <stddef.h> in kernel code.

NB: Kernelcode should *never* include from /usr/include !

Make <sys/queue.h> include <machine/ansi.h> to avoid polluting the API.

Deprecate <struct.h> with a warning.  The warning turns into an error on
01-12-2000 and the file gets removed entirely on 01-01-2001.

Paritials reviews by:   various.
Significant brucifications by:  bde
2000-10-27 11:45:49 +00:00
ume
b00485b521 make sure we have IV that is random enough. memory allocator on
some of platforms give us almost constant number (oops).

Obtained from:	KAME
2000-08-28 08:24:46 +00:00
dwmalone
df0e25bf6c Replace the mbuf external reference counting code with something
that should be better.

The old code counted references to mbuf clusters by using the offset
of the cluster from the start of memory allocated for mbufs and
clusters as an index into an array of chars, which did the reference
counting. If the external storage was not a cluster then reference
counting had to be done by the code using that external storage.

NetBSD's system of linked lists of mbufs was cosidered, but Alfred
felt it would have locking issues when the kernel was made more
SMP friendly.

The system implimented uses a pool of unions to track external
storage. The union contains an int for counting the references and
a pointer for forming a free list. The reference counts are
incremented and decremented atomically and so should be SMP friendly.
This system can track reference counts for any sort of external
storage.

Access to the reference counting stuff is now through macros defined
in mbuf.h, so it should be easier to make changes to the system in
the future.

The possibility of storing the reference count in one of the
referencing mbufs was considered, but was rejected 'cos it would
often leave extra mbufs allocated. Storing the reference count in
the cluster was also considered, but because the external storage
may not be a cluster this isn't an option.

The size of the pool of reference counters is available in the
stats provided by "netstat -m".

PR:		19866
Submitted by:	Bosko Milekic <bmilekic@dsuper.net>
Reviewed by:	alfred (glanced at by others on -net)
2000-08-19 08:32:59 +00:00
kris
33e12cc804 Add missing #include to unbreak IPSEC_DEBUG builds
Submitted by:	Jim Bloom <bloom@reyim.ne.mediaone.net>
2000-07-07 08:36:00 +00:00
itojun
5f4e854de1 sync with kame tree as of july00. tons of bug fixes/improvements.
API changes:
- additional IPv6 ioctls
- IPsec PF_KEY API was changed, it is mandatory to upgrade setkey(8).
  (also syntax change)
2000-07-04 16:35:15 +00:00
jlemon
556a99d957 Check for MGET* returning NULL and return ENOBUFS in this case.
Submitted by: Bosko Milekic <bmilekic@technokratis.com>
2000-06-10 17:55:57 +00:00
jake
961b97d434 Back out the previous change to the queue(3) interface.
It was not discussed and should probably not happen.

Requested by:		msmith and others
2000-05-26 02:09:24 +00:00
jake
d93fbc9916 Change the way that the queue(3) structures are declared; don't assume that
the type argument to *_HEAD and *_ENTRY is a struct.

Suggested by:	phk
Reviewed by:	phk
Approved by:	mdodd
2000-05-23 20:41:01 +00:00
shin
d0bf8a1ad7 comment the string after #endif
Specified by: bde
2000-01-15 05:15:06 +00:00
shin
8813e718dc Change struct sockaddr_storage member name, because following change
is very likely to become consensus as recent ietf/ipng mailing list
discussion. Also recent KAME repository and other KAME patched BSDs
also applied it.

  s/__ss_family/ss_family/
  s/__ss_len/ss_len/

Makeworld is confirmed, and no application should be affected by this change
yet.
2000-01-13 14:52:53 +00:00
peter
15b9bcb121 Change #ifdef KERNEL to #ifdef _KERNEL in the public headers. "KERNEL"
is an application space macro and the applications are supposed to be free
to use it as they please (but cannot).  This is consistant with the other
BSD's who made this change quite some time ago.  More commits to come.
1999-12-29 04:46:21 +00:00
shin
50ba589c66 IPSEC support in the kernel.
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-12-22 19:13:38 +00:00
shin
cad2014b27 KAME netinet6 basic part(no IPsec,no V6 Multicast Forwarding, no UDP/TCP
for IPv6 yet)

With this patch, you can assigne IPv6 addr automatically, and can reply to
IPv6 ping.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
1999-11-22 02:45:11 +00:00
billf
675a3e4837 Fix a printf(3) formatter to match its variable.
Reviewed by:	bde
1999-08-17 22:11:02 +00:00
eivind
35cb53859a #ifdef out unused function key_freetables. 1999-01-12 12:38:31 +00:00
archie
60d13c7a9d The "easy" fixes for compiling the kernel -Wunused: remove unreferenced static
and local variables, goto labels, and functions declared but not defined.
1998-12-07 21:58:50 +00:00
bde
08a3400100 Fixed printf format errors. 1998-08-17 01:05:25 +00:00
peter
631390e349 Really make this compile..
Pointed out by: bde
1998-04-06 05:11:42 +00:00
peter
fdb7a2eb67 Maybe fix netkey. I am not sure how to test this.. 1998-04-05 05:19:00 +00:00
phk
7d5c35ecb4 Substitute a panic for a undefined function so LINT will compile. 1998-04-04 18:07:01 +00:00
phk
9b703b1455 Eradicate the variable "time" from the kernel, using various measures.
"time" wasn't a atomic variable, so splfoo() protection were needed
around any access to it, unless you just wanted the seconds part.

Most uses of time.tv_sec now uses the new variable time_second instead.

gettime() changed to getmicrotime(0.

Remove a couple of unneeded splfoo() protections, the new getmicrotime()
is atomic, (until Bruce sets a breakpoint in it).

A couple of places needed random data, so use read_random() instead
of mucking about with time which isn't random.

Add a new nfs_curusec() function.

Mark a couple of bogosities involving the now disappeard time variable.

Update ffs_update() to avoid the weird "== &time" checks, by fixing the
one remaining call that passwd &time as args.

Change profiling in ncr.c to use ticks instead of time.  Resolution is
the same.

Add new function "tvtohz()" to avoid the bogus "splfoo(), add time, call
hzto() which subtracts time" sequences.

Reviewed by:	bde
1998-03-30 09:56:58 +00:00
bde
b5ae2c779b Removed unused #includes. 1998-03-28 13:25:01 +00:00
itojun
2b90249289 key_getspi() bugfix.
Submitted by:	k-sugyou@ccs.mt.nec.co.jp
1998-03-23 14:49:12 +00:00
itojun
674a989231 polish the code.
use tradictional decls.  tabify.  remove bogus #defines.  prototypes.
1998-02-27 11:10:18 +00:00
itojun
74e335fcf2 make sys/netkey/key{,_debug}.c compile. I believe it works but not tested.
I'll polish the code later on.
1998-02-27 10:02:49 +00:00
bde
aac1570b6f Added a used #include.
"options KEY" is not in LINT, and consequently doesn't actually compile,
even with this change.
1998-02-25 06:41:47 +00:00
phk
36e7a51ea1 Last major round (Unless Bruce thinks of somthing :-) of malloc changes.
Distribute all but the most fundamental malloc types.  This time I also
remembered the trick to making things static:  Put "static" in front of
them.

A couple of finer points by:	bde
1997-10-12 20:26:33 +00:00
phk
645e7b2ab6 Distribute and statizice a lot of the malloc M_* types.
Substantial input from:	bde
1997-10-11 18:31:40 +00:00
wollman
845782b7e0 This is the `netkey' kernel key-management service (the PF_KEY analogue
to PF_ROUTE) from NRL's IPv6 distribution, heavily modified by me for
better source layout, formatting, and textual conventions.  I am told
that this code is no longer under active development, but it's a useful
hack for those interested in doing work on network security, key management,
etc.  This code has only been tested twice, so it should be considered
highly experimental.

Obtained from: ftp.ripe.net
1996-06-14 17:22:18 +00:00