Commit Graph

28 Commits

Author SHA1 Message Date
rwatson
9c969b771a Introduce a MAC label reference in 'struct inpcb', which caches
the   MAC label referenced from 'struct socket' in the IPv4 and
IPv6-based protocols.  This permits MAC labels to be checked during
network delivery operations without dereferencing inp->inp_socket
to get to so->so_label, which will eventually avoid our having to
grab the socket lock during delivery at the network layer.

This change introduces 'struct inpcb' as a labeled object to the
MAC Framework, along with the normal circus of entry points:
initialization, creation from socket, destruction, as well as a
delivery access control check.

For most policies, the inpcb label will simply be a cache of the
socket label, so a new protocol switch method is introduced,
pr_sosetlabel() to notify protocols that the socket layer label
has been updated so that the cache can be updated while holding
appropriate locks.  Most protocols implement this using
pru_sosetlabel_null(), but IPv4/IPv6 protocols using inpcbs use
the the worker function in_pcbsosetlabel(), which calls into the
MAC Framework to perform a cache update.

Biba, LOMAC, and MLS implement these entry points, as do the stub
policy, and test policy.

Reviewed by:	sam, bms
Obtained from:	TrustedBSD Project
Sponsored by:	DARPA, Network Associates Laboratories
2003-11-18 00:39:07 +00:00
sam
0a6c1d4242 MFp4: portability work, general cleanup, locking fixes
change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpints
  the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debuggging assertions no longer needed

change 38498
o replace numerous bogus panic's with equally bogus assertions
  that at least go away on a production system

change 38502 + 38530
o change explicit mtx operations to #defines to simplify
  future changes to a different lock type

change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be
  handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb

chnage 38685
o fix locking for bundled SA's and for when key exchange is required

change 38770
o eliminate recursion on the SAHTREE lock

change 38804
o cleanup some types: long -> time_t
o remove refrence to dead #define

change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues

change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging
  an entry to avoid lock recursion and to avoid holding the lock
  over a long-running operation
o misc cleanups of tangled and twisty code

There is still much to do here but for now things look to be
working again.

Supported by:	FreeBSD Foundation
2003-09-29 22:57:43 +00:00
sam
9dc7c620e4 os dependency glue file for improving portability
Submitted by:	<jonathan@decru.com>
Supported by:	FreeBSD Foundation
Obtained from:	NetBSD
2003-09-29 22:47:45 +00:00
sam
7a8c89dde1 Locking and misc cleanups; most of which I've been running for >4 months:
o add locking
o strip irrelevant spl's
o split malloc types to better account for memory use
o remove unused IPSEC_NONBLOCK_ACQUIRE code
o remove dead code

Sponsored by:	FreeBSD Foundation
2003-09-01 05:35:55 +00:00
sam
7945dbb7bd make sure the packets contains a complete inner header
for ip{4,6}-in-ip{4,6} encapsulation; fixes panic
for truncated ip-in-ip over ipsec

Submitted by:	Markus Friedl <markus@openbsd.org>
Obtained from:	OpenBSD (rev 1.66 ipsec_input.c)
2003-08-13 22:36:24 +00:00
sam
e6dfb3860a consolidate callback optimization check in one location by adding a flag
for crypto operations that indicates the crypto code should do the check
in crypto_done

MFC after:	1 day
2003-06-30 05:09:32 +00:00
sam
53954a1dfd correct transfer statistics
Submitted by:	Larry Baird <lab@gta.com>
MFC after:	1 day
2003-06-30 05:05:19 +00:00
sam
68cba55362 plug xform memory leaks:
o add missing zeroize op when deleting an SA
o don't re-initialize an xform for an SA that already has one

Submitted by:	Doug Ambrisko <ambrisko@verniernetworks.com>
MFC after:	1 day
2003-06-29 23:58:38 +00:00
sam
546c8585af Check crypto driver capabilities and if the driver operates synchronously
mark crypto requests with ``callback immediately'' to avoid doing a context
switch to return crypto results.  This completes the work to eliminate
context switches for using software crypto via the crypto subsystem (with
symmetric crypto ops).
2003-06-27 20:10:03 +00:00
des
567ac2b268 Introduce an M_ASSERTPKTHDR() macro which performs the very common task
of asserting that an mbuf has a packet header.  Use it instead of hand-
rolled versions wherever applicable.

Submitted by:	Hiten Pandya <hiten@unixdaemons.com>
2003-04-08 14:25:47 +00:00
des
5a1181a557 ovbcopy -> bcopy 2003-04-04 12:56:20 +00:00
des
fd534acfd9 Replace ovbcopy() with bcopy(). 2003-04-04 12:15:20 +00:00
sam
1f636f052e add missing copyright notices
Noticed by:	Robert Watson
2003-03-28 20:28:05 +00:00
jlemon
04e28d5a81 Update netisr handling; Each SWI now registers its queue, and all queue
drain routines are done by swi_net, which allows for better queue control
at some future point.  Packets may also be directly dispatched to a netisr
instead of queued, this may be of interest at some installations, but
currently defaults to off.

Reviewed by: hsu, silby, jayanth, sam
Sponsored by: DARPA, NAI Labs
2003-03-04 23:19:55 +00:00
sam
eec059c88c fix compilation w/o INET6
Noticed by:	"James E. Flemer" <jflemer@acm.jhu.edu>
2003-02-28 20:06:29 +00:00
jlemon
17b1f4c526 Update to work with the new timewait state.
Reviewed by: sam
2003-02-24 02:06:02 +00:00
sam
9da403e48c o add a CRYPTO_F_CBIMM flag to symmetric ops to indicate the callback
should be done in crypto_done rather than in the callback thread
o use this flag to mark operations from /dev/crypto since the callback
  routine just does a wakeup; this eliminates the last unneeded ctx switch
o change CRYPTO_F_NODELAY to CRYPTO_F_BATCH with an inverted meaning
  so "0" becomes the default/desired setting (needed for user-mode
  compatibility with openbsd)
o change crypto_dispatch to honor CRYPTO_F_BATCH instead of always
  dispatching immediately
o remove uses of CRYPTO_F_NODELAY
o define COP_F_BATCH for ops submitted through /dev/crypto and pass
  this on to the op that is submitted

Similar changes and more eventually coming for asymmetric ops.

MFC if re gives approval.
2003-02-23 07:25:48 +00:00
imp
cf874b345d Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
ache
61f86586d8 Comment out srandom():
1) Already called in init_main.c:proc0_post()
2) Seed is bad
2003-02-05 15:32:24 +00:00
alfred
bf8e8a6e8f Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
sam
89f4943170 o handle jumbograms in m_clone
o fixup some comments

Submitted by:	Doug Ambrisko <ambrisko@verniernetworks.com>
2003-01-09 05:30:25 +00:00
schweikh
d3367c5f5d Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup,
especially in troff files.
2003-01-01 18:49:04 +00:00
sam
b16cb0a948 Correct mbuf packet header propagation. Previously, packet headers
were sometimes propagated using M_COPY_PKTHDR which actually did
something between a "move" and a  "copy" operation.  This is replaced
by M_MOVE_PKTHDR (which copies the pkthdr contents and "removes" it
from the source mbuf) and m_dup_pkthdr which copies the packet
header contents including any m_tag chain.  This corrects numerous
problems whereby mbuf tags could be lost during packet manipulations.

These changes also introduce arguments to m_tag_copy and m_tag_copy_chain
to specify if the tag copy work should potentially block.  This
introduces an incompatibility with openbsd which we may want to revisit.

Note that move/dup of packet headers does not handle target mbufs
that have a cluster bound to them.  We may want to support this;
for now we watch for it with an assert.

Finally, M_COPYFLAGS was updated to include M_FIRSTFRAG|M_LASTFRAG.

Supported by:	Vernier Networks
Reviewed by:	Robert Watson <rwatson@FreeBSD.org>
2002-12-30 20:22:40 +00:00
sam
e4e2a625b8 o cannot use M_COPY_PKTHDR on an mbuf that has a cluster; if we need to
do this avoid m_getcl so we can copy the packet header to a clean mbuf
  before adding the cluster
o move an assert to the right place

Supported by:	Vernier Networks
2002-12-30 02:15:18 +00:00
hsu
82e1e3bab0 SMP locking for ifnet list. 2002-12-22 05:35:03 +00:00
bmilekic
514c635ee6 o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
  bpf_alloc() and pass the 'canwait' flag(s) along.  It's been changed
  to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
  flag (and only one of those two).

Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
2002-12-19 22:58:27 +00:00
sam
ef62292833 FAST_IPSEC fixups:
o fix #ifdef typo
o must use "bounce functions" when dispatched from the protosw table

don't know how this stuff was missed in my testing; must've committed
the wrong bits

Pointy hat:	sam
Submitted by:	"Doug Ambrisko" <ambrisko@verniernetworks.com>
2002-11-08 23:37:50 +00:00
sam
f6bdcf8ff2 "Fast IPsec": this is an experimental IPsec implementation that is derived
from the KAME IPsec implementation, but with heavy borrowing and influence
of openbsd.  A key feature of this implementation is that it uses the kernel
crypto framework to do all crypto work so when h/w crypto support is present
IPsec operation is automatically accelerated.  Otherwise the protocol
implementations are rather differet while the SADB and policy management
code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option.  With this
you get all protocols; i.e. there is no FAST_IPSEC_ESP option.

FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a
single system.

This software is well tested with IPv4 but should be considered very
experimental (i.e. do not deploy in production environments).  This software
does NOT currently support IPv6.  In fact do not configure FAST_IPSEC and
INET6 in the same system.

Obtained from:	KAME + openbsd
Supported by:	Vernier Networks
2002-10-16 02:10:08 +00:00