path: root/sys/netinet/ip_output.c
Commit message [Author, Age, Files, Lines]
...
* fix up mtu for routes and ongoing tcp connection when if mtu changes
  from FreeBSD; fixes pr/1878
  [provos, 2001-06-23, 1, -1/+13]
* TCP, UDP, IPv4 input hardware checksumming processing; also IPv4
  output hardware checksumming. Not tested yet, but should be done
  tonight. Remain to be solved: interactions with bridge, TCP/UDP output
  checksumming, interactions of TCP/UDP checksumming with routing changes.
  [angelos, 2001-06-23, 1, -7/+32]
* revert parts that were meant to be committed (June 12th commit)
  - ok angelos@
  [jasoni, 2001-06-19, 1, -4/+5]
* limited broadcast 255.255.255.255 was not recognized correctly, reported
  by crh@ubiqx.mn.org, fix from NetBSD; okay angelos@
  [provos, 2001-06-14, 1, -4/+9]
* IPsec-related socket options; these can be set/removed/retrieved, but
  are not taken into consideration in anything just yet.
  [angelos, 2001-06-12, 1, -22/+137]
* Cut down on include files.
  [angelos, 2001-06-08, 1, -17/+2]
* That debug message was just too chatty, even as a debug message :-)
  [angelos, 2001-06-05, 1, -2/+1]
* Update to match prototype.
  [angelos, 2001-05-30, 1, -3/+2]
* Remove ipf. Darren Reed has interpreted his (old, new, whichever)
  licence in a way that makes ipf not free according to the rules we
  established over 5 years ago, at www.openbsd.org/goals.html (and those
  same basic rules govern the other *BSD projects too). Specifically,
  Darren says that modified versions are not permitted. But software
  which OpenBSD uses and redistributes must be free to all (be they
  people or companies), for any purpose they wish to use it, including
  modification, use, peeing on, or even integration into baby mulching
  machines or atomic bombs to be dropped on Australia. Furthermore, we
  know of a number of companies using ipf with modification like us, who
  are now in the same situation, and we hope that some of them will work
  with us to fill this gap that now exists in OpenBSD (temporarily, we
  hope).
  [deraadt, 2001-05-30, 1, -44/+1]
* Make sure packets that need crypto processing on the NIC don't escape
  (because of routing changes etc.)
  [angelos, 2001-05-29, 1, -19/+32]
* Don't check IP_ENCAPSULATED.
  [angelos, 2001-05-28, 1, -6/+1]
* And clear the M_PKTHDR flag.
  [angelos, 2001-05-27, 1, -1/+2]
* Copy tags to first mbuf.
  [angelos, 2001-05-27, 1, -1/+3]
* Placeholders for the new socket options.
  [angelos, 2001-05-27, 1, -4/+57]
* Use the new IPsec tags.
  [angelos, 2001-05-27, 1, -4/+8]
* Record outgoing SA processing, do loop detection.
  [angelos, 2001-05-20, 1, -3/+20]
* No need to check M_WAIT/M_WAITOK malloc return values. (art@ ok)
  [ho, 2001-05-16, 1, -3/+1]
* Minor changes, preparing for real socket-attached TDBs; also, more
  information will be stored in the TDB. ok ho@ provos@
  [angelos, 2001-04-14, 1, -2/+3]
* Move offsetof define into sys/param.h
  [csapuntz, 2001-04-06, 1, -5/+1]
* Allow tdbi's to appear in mbufs throughout the stack; this allows
  security properties of the packets to be pushed up to the application
  (not done yet). Eventually, this will be turned into a packet
  attributes framework. Make sure tdbi's are free'd/cleared properly
  whenever drivers (or NFS) do weird things with mbufs.
  [angelos, 2001-03-28, 1, -11/+13]
* More careful spl usage for the IPSEC case in ip_output(); from angelos@
  [aaron, 2001-03-07, 1, -7/+8]
* Fix fastroute-related panic, fixes PR 1541 (cas@trans-nt.com)
  [angelos, 2000-12-03, 1, -6/+15]
* initialize tdb pointer correctly, from Jean-Jacques.Bernard@hsc.fr
  [provos, 2000-11-07, 1, -7/+9]
* Do not null deref in the IPSEC+PMTU case; provos@ ok. Thanks to
  andrews@crt.se for testing.
  [aaron, 2000-10-25, 1, -2/+2]
* Outgoing packets that hit IPsec will be IPF/IPNAT processed as well on
  the enc* interface, usually enc0; cedric@wireless-networks.com
  [angelos, 2000-09-29, 1, -1/+23]
* Lots and lots of changes.
  [angelos, 2000-09-19, 1, -76/+14]
* Path MTU discovery based on NetBSD but with the decision to use the DF
  flag delayed to ip_output(). That halves the code and reduces most of
  the route lookups. okay deraadt@
  [provos, 2000-09-18, 1, -1/+9]
* Don't set the source IP address if doing multicast; this is a quick
  fix -- the logic has to be reworked to allow for multicast-over-IPsec.
  Patch from gene@lucky.net.
  [angelos, 2000-07-29, 1, -2/+3]
* Fix gateway function; ok angelos@
  angelos, be more careful :)
  [form, 2000-06-21, 1, -4/+4]
* Big oops on my previous commit, broke gateway function; patch from
  form@openbsd.ru
  [angelos, 2000-06-20, 1, -2/+3]
* Oops on checking inp_tdb etc. (itojun@)
  [angelos, 2000-06-18, 1, -4/+4]
* sanity check: panic if AF_INET6 inpcb is passed to ip_output
  [itojun, 2000-06-18, 1, -1/+3]
* remove obsolete IP_DF handling from KAME tree (#if 0'ed all the time)
  [itojun, 2000-06-18, 1, -11/+1]
* for mcdonald-simple-ipsec-api get/setsockopt, variable size was mixed up.
  in some place sizeof(u_char), and in some place sizeof(int) were used.
  previous code can cause problem in big endian machines. now it always
  uses "int" (isakmpd uses int, so it should be okay)
  set m_len properly on mcdonald-simple-ipsec-api getsockopt.
  [itojun, 2000-06-18, 1, -8/+10]
* Change processing sequence:
  - if the source IP address is unset (INADDR_ANY)
    - if higher level protocol has cached the SA to use, and the SA
      specifies the source address, use that
    - otherwise, do a routing lookup to determine our outgoing interface
      and fix the source address
  - do an SPD lookup (which is why we needed the source address)
  - if no IPsec is needed, proceed to multicast processing (if
    necessary), IPF, etc. -- transmit the packet as usual; use the
    routing information from before (if routing lookup was performed),
    or do a routing lookup at this point.
  - if IPsec is needed, do multicast processing (if needed), then do
    IPsec processing, then call ip_output() recursively. Currently, the
    second invocation does not do another SPD lookup (it will be changed
    to do so in the near future, to support independent nested tunnels
    without infinite loops).
  Note that if the inner packet (the one that will have IPsec applied
  to) is multicast or broadcast, the interface flags are not checked
  (since it's not clear what their meaning is in this case). If the
  IPsec destination address is multicast/broadcast, the interface flags
  are checked of course.
  It is no longer necessary to have routing entries for private networks
  on IPsec gateways (or default routing entries if they're not needed,
  for that matter).
  Finally, this patch solves a problem with ever-increasing reference
  counts on routing entries when doing IPsec processing.
  [angelos, 2000-06-17, 1, -106/+265]
* Use the cached entry for security requirements from the inp.
  [angelos, 2000-06-01, 1, -8/+8]
* Use ipsp_spd_lookup() in ip_output()
  [angelos, 2000-06-01, 1, -294/+15]
* parse IPv4 options more carefully. make boundary checks against every
  steps (including option type/length field - there were no checks,
  seems to me 4.4BSD bug)
  [itojun, 2000-05-15, 1, -4/+14]
* Bypass routes only worked for one packet, then they effectively became a
  filter.
  [niklas, 2000-05-04, 1, -4/+13]
* When fragmenting a packet, inherit the multicast and broadcast flags so that
  the link layer can choose the right address.
  [art, 2000-04-13, 1, -1/+3]
* Set re_rt to NULL, so we don't double free.
  [angelos, 2000-03-30, 1, -2/+4]
* Cryptographic services framework, and software "device driver". The
  idea is to support various cryptographic hardware accelerators (which
  may be (detachable) cards, secondary/tertiary/etc processors, software
  crypto, etc). Supports session migration between crypto devices.
  What it doesn't (yet) support:
  - multiple instances of the same algorithm used in the same session
  - use of multiple crypto drivers in the same session
  - asymmetric crypto
  No support for a userland device yet.
  IPsec code path modified to allow for asynchronous cryptography
  (callbacks used in both input and output processing). Some unrelated
  code simplification done in the process (especially for AH).
  Development of this code kindly supported by Network Security
  Technologies (NSTI). The code was written mostly in Greece, and is
  being committed from Montreal.
  [angelos, 2000-03-17, 1, -88/+42]
* Correct sa_require handling.
  [angelos, 2000-01-11, 1, -2/+2]
* Use default values when requesting dynamic VPNs.
  [angelos, 2000-01-11, 1, -9/+106]
* No need for extern definition of pfkeyv2_acquire()
  [angelos, 2000-01-10, 1, -3/+1]
* Transport port is in network order...
  [angelos, 2000-01-09, 1, -5/+5]
* Move the IPsec packet-processing loop to a separate routine, so we can
  reuse it in ip6_output and the bridge. The policy-lookup code will
  probably follow suit in a separate routine sometime soon.
  [angelos, 1999-12-25, 1, -136/+23]
* Initialize variable.
  [angelos, 1999-12-21, 1, -2/+2]
* Fix kernel panic involving multicast packet (patch different from the
  one provided by pavlin@catarina.usc.edu)
  [angelos, 1999-12-18, 1, -2/+2]
* Add code to allow for IPv6 IPsec destinations in IPv4 IPsec flows (e.g.,
  packets from 10.0.0.1 going to 11.0.0.1 should be ESP encrypted to
  host 1:2:3:4:5:6:7:8). ip6_output() needs to be modified to honor
  IP_RAWOUTPUT (or some such) and IP_ENCAPSULATED, to not prepend an
  IPv6 header to the packet, and to not do IPsec processing respectively.
  [angelos, 1999-12-10, 1, -76/+104]