373abd9403
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contains spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed to compare them.
- fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- a user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented incompletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy.
- avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code.
- avoid applying IPsec transport mode to the packets when the kernel forwards the packets.

Tested by: nork
Obtained from: KAME
Files in this directory:

- ..
- libalias
- accf_data.c
- accf_http.c
- icmp6.h
- icmp_var.h
- if_atm.c
- if_atm.h
- if_ether.c
- if_ether.h
- igmp_var.h
- igmp.c
- igmp.h
- in_cksum.c
- in_gif.c
- in_gif.h
- in_pcb.c
- in_pcb.h
- in_proto.c
- in_rmx.c
- in_systm.h
- in_var.h
- in.c
- in.h
- ip6.h
- ip_divert.c
- ip_dummynet.c
- ip_dummynet.h
- ip_ecn.c
- ip_ecn.h
- ip_encap.c
- ip_encap.h
- ip_flow.c
- ip_flow.h
- ip_fw2.c
- ip_fw.h
- ip_gre.c
- ip_gre.h
- ip_icmp.c
- ip_icmp.h
- ip_id.c
- ip_input.c
- ip_mroute.c
- ip_mroute.h
- ip_output.c
- ip_var.h
- ip.h
- ipprotosw.h
- pim_var.h
- pim.h
- raw_ip.c
- tcp_debug.c
- tcp_debug.h
- tcp_fsm.h
- tcp_input.c
- tcp_output.c
- tcp_reass.c
- tcp_seq.h
- tcp_subr.c
- tcp_syncache.c
- tcp_timer.c
- tcp_timer.h
- tcp_timewait.c
- tcp_usrreq.c
- tcp_var.h
- tcp.h
- tcpip.h
- udp_usrreq.c
- udp_var.h
- udp.h