0f9ade718d
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contains spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed to compare them.
- fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- a user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented incompletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy.
- avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the kernel forwards the packets.

Tested by: nork
Obtained from: KAME

- ah6.h
- ah_aesxcbcmac.c
- ah_aesxcbcmac.h
- ah_core.c
- ah_input.c
- ah_output.c
- ah.h
- dest6.c
- esp6.h
- esp_aesctr.c
- esp_aesctr.h
- esp_core.c
- esp_input.c
- esp_output.c
- esp_rijndael.c
- esp_rijndael.h
- esp.h
- frag6.c
- icmp6.c
- icmp6.h
- in6_cksum.c
- in6_gif.c
- in6_gif.h
- in6_ifattach.c
- in6_ifattach.h
- in6_pcb.c
- in6_pcb.h
- in6_prefix.c
- in6_prefix.h
- in6_proto.c
- in6_rmx.c
- in6_src.c
- in6_var.h
- in6.c
- in6.h
- ip6_ecn.h
- ip6_forward.c
- ip6_fw.c
- ip6_fw.h
- ip6_id.c
- ip6_input.c
- ip6_mroute.c
- ip6_mroute.h
- ip6_output.c
- ip6_var.h
- ip6.h
- ip6protosw.h
- ipcomp6.h
- ipcomp_core.c
- ipcomp_input.c
- ipcomp_output.c
- ipcomp.h
- ipsec6.h
- ipsec.c
- ipsec.h
- mld6_var.h
- mld6.c
- nd6_nbr.c
- nd6_rtr.c
- nd6.c
- nd6.h
- pim6_var.h
- pim6.h
- raw_ip6.c
- raw_ip6.h
- README
- route6.c
- scope6_var.h
- scope6.c
- tcp6_var.h
- udp6_output.c
- udp6_usrreq.c
- udp6_var.h

a note to committers about KAME tree
$FreeBSD$
KAME project

FreeBSD IPv6/IPsec tree is from KAME project (http://www.kame.net/).
To synchronize KAME tree and FreeBSD better today and in the future,
please understand the following:

- DO NOT MAKE COSMETIC CHANGES.
  "Cosmetic changes" here includes tabify, untabify, removal of space at EOL,
  minor KNF items, and whatever adds more output lines on "diff freebsd kame".
  To make future synchronization easier, it is critical to preserve certain
  statements in the code. Also, as KAME tree supports all 4 BSDs (Free, Open,
  Net, BSD/OS) in single shared tree, it is not always possible to backport
  FreeBSD changes into KAME tree. So again, please do not make cosmetic
  changes. Even if you think it a right thing, that will bite KAME guys badly
  during upgrade attempts, and prevent us from synchronizing two trees.
  (you don't usually make cosmetic changes against third-party code, do you?)

- REPORT CHANGES/BUGS TO KAME GUYS.
  It is not always possible for KAME guys to watch all the freebsd mailing
  list traffic, as the traffic is HUGE. So if possible, please, inform kame
  guys of changes you made in IPv6/IPsec related portion. Contact path would
  be snap-users@kame.net or KAME PR database on www.kame.net.
  (or to core@kame.net if it is necessary to make it confidential)

Thank you for your cooperation and have a happy IPv6 life!

Note: KAME-origin code is in the following locations.
The above notice applies to corresponding manpages too.
The list may not be complete. If you see $KAME$ in the code, it is from
KAME distribution. If you see some file that is IPv6/IPsec related, it is
highly possible that the file is from KAME distribution.

    include/ifaddrs.h
    lib/libc/net
    lib/libc/net/getaddrinfo.c
    lib/libc/net/getifaddrs.c
    lib/libc/net/getnameinfo.c
    lib/libc/net/ifname.c
    lib/libc/net/ip6opt.c
    lib/libc/net/map_v4v6.c
    lib/libc/net/name6.c
    lib/libftpio
    lib/libipsec
    sbin/ip6fw
    sbin/ping6
    sbin/rtsol
    share/doc/IPv6
    share/man/man4/ip6.4
    share/man/man4/inet6.4
    sys/crypto (except sys/crypto/rc4)
    sys/kern/uipc_mbuf2.c
    sys/net/if_faith.[ch]
    sys/net/if_gif.[ch]
    sys/net/if_stf.[ch]
    sys/net/pfkeyv2.h
    sys/netinet/icmp6.h
    sys/netinet/in_gif.[ch]
    sys/netinet/ip6.h
    sys/netinet/ip_encap.[ch]
    sys/netinet6
    sys/netkey
    usr.sbin/faithd
    usr.sbin/gifconfig
    usr.sbin/ifmcstat
    usr.sbin/mld6query
    usr.sbin/ndp
    usr.sbin/pim6dd
    usr.sbin/pim6sd
    usr.sbin/prefix
    usr.sbin/rip6query
    usr.sbin/route6d
    usr.sbin/rrenumd
    usr.sbin/rtadvd
    usr.sbin/rtsold
    usr.sbin/scope6config
    usr.sbin/setkey
    usr.sbin/traceroute6