path: root/sys/netinet/ip_ipcomp.c
Commit message | Author | Age | Files | Lines
* m_freem() can handle NULL, do not check for this condition beforehand. ok stsp mpi | deraadt | 2015-07-15 | 1 | -5/+3
* Use proper argument type for crp_callback functions; no functional change. | mikeb | 2015-06-15 | 1 | -17/+11
* Stubs and support code for NIC-enabled IPsec bite the dust. No objection from reyk@, OK markus, hshoexer | mikeb | 2015-04-17 | 1 | -4/+2
* make ipsp_address thread safe; ok mpi | mikeb | 2015-04-14 | 1 | -13/+27
* Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@ | jsg | 2015-03-14 | 1 | -3/+1
* unifdef INET in net code as a precursor to removing the pretend option. long live the one true internet. ok henning mikeb | tedu | 2014-12-19 | 1 | -12/+1
* Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>. ok mikeb@, krw@, bluhm@, tedu@ | mpi | 2014-12-05 | 1 | -1/+2
* move arc4random prototype to systm.h. more appropriate for most code to include that than rdnvar.h. ok deraadt dlg | tedu | 2014-11-18 | 1 | -3/+1
* Fewer <netinet/in_systm.h> ! | mpi | 2014-07-22 | 1 | -2/+1
* add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis. | tedu | 2014-07-12 | 1 | -10/+10
* bpf code surgery / shuffling / simplification. the various bpf_mtap_* are very similar, they differ in what (and to some extent how) they prepend something, and what copy function they pass to bpf_catchpacket. use an internal _bpf_mtap as "backend" for bpf_mtap and friends. extend bpf_mtap_hdr so that it covers all common cases: if dlen is 0, nothing gets prepended. copy function can be given, if NULL the default bpf_mcopy is used. adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn. re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr. re-implement bpf_mtap_ether using bpf_map_hdr re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper ok bluhm benno | henning | 2014-07-09 | 1 | -2/+2
* bzero/bcmp -> memset/memcmp. ok matthew | tedu | 2014-01-09 | 1 | -4/+4
* Fix build with ENCDEBUG defined. | mpi | 2013-05-14 | 1 | -1/+2
* Remove the extern keyword from function declarations, document sysctl declarations, move variables and functions used in only one place in their corresponding file. No functional change. No objection from markus@, ok mikeb@ | mpi | 2013-04-11 | 1 | -1/+4
* Merge of an original work by markus@ and gerhard@ to increase the anti-replay window size to 2100 entries; plus small ESN related improvements. ok markus | mikeb | 2013-02-14 | 1 | -2/+1
* spltdb() was really just #define'd to be splsoftnet(); replace the former with the latter no change in md5 checksum of generated files ok claudio@ henning@ | blambert | 2012-09-20 | 1 | -3/+3
* Replace the cruddy old sys/net/zlib.[ch]. We now use the sys/lib/libz code. Missing chunks of the API are imported from the libc version, with a few #ifdef's to port it into the kernel environment. The bootblocks already used the newer code, and should encounter no surprises since there are so few changes to the existing files. In the kernel, ipcomp and kernel ppp are changed to the new API. ipcomp has been tested. ok tedu the brave | deraadt | 2011-07-07 | 1 | -2/+3
* Add support for using IPsec in multiple rdomains. This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pickup the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@ | reyk | 2010-07-09 | 1 | -3/+5
* m_copyback can fail to allocate memory, but is a void function so gymnastics are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error ok claudio@ henning@ krw@ | blambert | 2010-07-02 | 1 | -2/+2
* Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly. Discussed with many, tested by a few, will need more testing & review. ok deraadt@ | reyk | 2010-07-01 | 1 | -2/+2
* Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@ | reyk | 2010-06-29 | 1 | -9/+14
* remove dead stores and newly created unused variables. Found by LLVM/Clang Static Analyzer. ok mpf@ looks good mk@ ok henning@ | chl | 2008-09-15 | 1 | -5/+1
* Oops. Forgot to do FREE -> free when I did MALLOC -> malloc. | krw | 2007-10-06 | 1 | -10/+10
* MALLOC+bzero -> malloc+M_ZERO. In ip_esp.c all allocated memory is now zero'd in the "malloc(sizeof(*tc) + alen ..." case. The +alen memory was not initialized by the bzero() call. Noticed by chl@. "Looks good" art@ "seems ok" chl@ | krw | 2007-10-03 | 1 | -7/+3
* allow bpf(4) to ignore packets based on their direction (inbound or outbound), using a new BIOCSDIRFILT ioctl; guidance, feedback and ok canacar@ | djm | 2006-03-25 | 1 | -2/+3
* use M_READONLY when trying to find out whether we have to copy the mbuf before encryption. otherwise mbufs with M_EXT but w/o M_CLUSTER get modified; ok hshoexer | markus | 2005-12-20 | 1 | -5/+4
* Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@ | pascoe | 2005-07-31 | 1 | -13/+5
* resolve conflict between M_TUNNEL and M_ANYCAST6, remove M_COMP (it's only set and never read), update documentation; ok fgsch, deraadt, millert | markus | 2004-11-25 | 1 | -2/+1
* only add ipcomp headers if we've actually compressed the payload; with jfb@ ok hshoexer, jfb | markus | 2004-06-26 | 1 | -77/+35
* m_copyback()'s 4th arg is const void *, nuke (caddr_t) casts. | jason | 2003-08-14 | 1 | -3/+3
* o sanity check mbuf earlier. o return errno, not NULL. o add some missing error values o proper crypto_freereq() in ip_ipcomp.c From Patrick Latifi; OK angelos@ | millert | 2003-04-02 | 1 | -28/+34
* Avoid using FREEd data when we get a crypto error; Patrick Latifi Also move the session ID reset into the crp_etype == EAGAIN case (noticed by angelos@). OK jason@ and angelos@ | millert | 2003-03-31 | 1 | -12/+16
* Add missing splx; Patrick Latifi jason@ OK | millert | 2003-03-31 | 1 | -1/+3
* missed in lzs addition: allow LZS as a comp type | jason | 2003-02-18 | 1 | -3/+4
* Remove commons; inspired by netbsd. | jason | 2003-02-12 | 1 | -1/+3
* Fix max packet size check. Noticed by <j@pureftpd.org>. jjbg@ ok. | ho | 2002-09-12 | 1 | -5/+4
* Free crp_opaque only after we've determined we're not going to re-submit it. From sam@errno.com | angelos | 2002-07-05 | 1 | -3/+6
* minor indent cleanup while reading code | deraadt | 2002-06-20 | 1 | -11/+11
* Style. | angelos | 2002-06-18 | 1 | -26/+13
* Initialize mo to NULL, for good measure -- sam@errno.com | angelos | 2002-06-18 | 1 | -1/+2
* Missing freeing of crp, from sam@errno.com | angelos | 2002-06-18 | 1 | -4/+4
* Fix double-free. | angelos | 2002-06-18 | 1 | -12/+12
* whitespace | itojun | 2002-06-09 | 1 | -11/+11
* IPComp. Just like for deflate earlier, it won't be compiled until everything is in the tree | jjbg | 2001-07-05 | 1 | -0/+725