summaryrefslogtreecommitdiffstats
path: root/sys/netinet/ip_spd.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* make it possble to use IPsec over link-local address (policy table usesitojun2004-06-211-3/+3
| | | | sin6_scope_id, IPsec porion uses embedded form). beck ok
* simpler ipsp_aux_match() API; ok henning, hshoexermarkus2004-04-141-17/+14
|
* Check for undersized IP header, found by jbm@, ok angelos@dhartmei2002-11-121-1/+9
|
* whitespaceitojun2002-06-091-2/+2
|
* Per-socket policies and authentication. Finally.angelos2002-05-311-63/+382
|
* Search the correct ACQUIRE list --- shifflett@nps.navy.milangelos2002-02-181-2/+2
|
* It looks like there has been one crack smoking and a few cut and pastes.art2002-01-231-3/+3
| | | | | PR_FREEHEADER should not be set in pool_init by the caller. It shouldn't be set in pool_init at all. Besides, it's going away soon anyway.
* Pool deals fairly well with physical memory shortage, but it doesn't dealart2002-01-231-5/+3
| | | | | | | | | | | | | | | | | | well (not at all) with shortages of the vm_map where the pages are mapped (usually kmem_map). Try to deal with it: - group all information the backend allocator for a pool in a separate struct. The pool will only have a pointer to that struct. - change the pool_init API to reflect that. - link all pools allocating from the same allocator on a linked list. - Since an allocator is responsible to wait for physical memory it will only fail (waitok) when it runs out of its backing vm_map, carefully drain pools using the same allocator so that va space is freed. (see comments in code for caveats and details). - change pool_reclaim to return if it actually succeeded to free some memory, use that information to make draining easier and more efficient. - get rid of PR_URGENT, noone uses it.
* at least ; required after label or case; openbsd@davidkrause.comderaadt2002-01-021-1/+2
|
* Reset the error return value if the cached TDB matches theangelos2001-09-241-1/+2
| | | | policy. Pointed out by jdmcbride@iol.ie
* When the outgoing socket has BYPASS set, don't bother calling theangelos2001-08-211-5/+4
| | | | PCB-checking routine.
* bcmp done wrong, detected at bakeoff. Hint: always useniklas2001-08-151-2/+2
| | | | relational operators when using *cmp APIs in conditional expressions.
* Don't drop packets if we're using an ACQUIRE policy and some errorangelos2001-08-061-15/+12
| | | | | | occurs while notifying key mgmt; also, always check for new TDBs for policies where the destination gateway is left unspecified (end-to-end IPsec case), to avoid asking for new SAs from key mgmt.
* Use TAILQ_FOREACH() instead of hand-crafted for loops.angelos2001-06-271-5/+3
|
* When determining whether there's a pending acquire wrt a policy, lookangelos2001-06-271-4/+4
| | | | at the acquires associated with the policy only.
* Attach IPsec acquire state to policy entries, and relevant cleanups.angelos2001-06-271-3/+15
|
* Don't cache packets that hit policies -- we'll do that at the PCB forangelos2001-06-271-91/+18
| | | | local packets.
* Use the ACQUIRE sequence number to "wake up" acquire state kept andangelos2001-06-261-73/+45
| | | | | | cause retransmission of outgoing packets. Also, only store outgoing packets -- just drop incoming packets that cause an SA acquisition. Some comment fixup.
* ifdef out some currently unused codeangelos2001-06-261-1/+3
|
* Rewrite ipsp_clear_acquire() to be more readable, after all the KNF'ingangelos2001-06-261-75/+69
|
* Use pool(9) for IPsec acquires too.angelos2001-06-261-12/+19
|
* Use pool(9) for IPsec policy structures.angelos2001-06-261-6/+15
|
* Keep the PFKEY sequence number at the TDB, plus a little bit of KNFangelos2001-06-261-8/+12
|
* KNFangelos2001-06-261-700/+692
|
* Copyright.angelos2001-06-251-4/+3
|
* use new timeouts for spd expirations; ho@ okmickey2001-06-241-36/+8
|
* Trim include files.angelos2001-06-081-8/+2
|
* Simplify SPD logic (and correct some input cases).angelos2001-06-071-335/+138
|
* Match prototype.angelos2001-05-301-3/+3
|
* Correctly free information attached to the policy.angelos2001-05-301-4/+6
|
* Check that SAs also match on the credentials and the IDs. This meansangelos2001-05-051-23/+30
| | | | | | that flows with different source/destination ID requirements will cause different SAs to be established by IKE (or whatever other protocol). Also, use the new data types for allocated memory.
* Missing splx in error handling.art2001-04-231-1/+3
|
* Minor changes, preparing for real socket-attached TDBs; also, moreangelos2001-04-141-3/+3
| | | | information will be stored in the TDB. ok ho@ provos@
* allow host-to-host negotiations if no gateway has been specified.provos2001-04-101-5/+9
| | | | from angelos@
* Move offsetof define into sys/param.hcsapuntz2001-04-061-5/+1
|
* Allow tdbi's to appear in mbufs throughout the stack; this allowsangelos2001-03-281-3/+7
| | | | | | | | | security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs.
* include <machine/cpu.h>, since schednetisr needs to do a splsoftnetbjc2001-03-151-1/+3
|
* Pretty.angelos2001-02-281-2/+7
|
* Handle failures more gracefully.angelos2001-02-281-10/+11
|
* Keep the last packet sent or received that matched an SPD entry, andangelos2001-02-281-86/+167
| | | | retransmit if we eventually have an SA setup for that policy.
* Compile in non-INET6 kernels.angelos2000-12-141-3/+9
|
* Always look for a suitable TDB if the gateway is left unspecified.angelos2000-12-141-5/+32
|
* All-1s addresses as policy destinations is also reserved for futureangelos2000-11-171-29/+51
| | | | use (policy discovery).
* Fix compile error if lacking -DINET6chris2000-10-181-1/+3
|
* ASKPOLICY message; used by key management to inquire about policyangelos2000-10-141-10/+184
| | | | triggering an ACQUIRE.
* Make sure there's enough data on the mbuf for the TCP/UDP ports (ifangelos2000-09-291-1/+15
| | | | applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com
* Fix checking for incoming packets when the remote gateway has beenangelos2000-09-271-11/+41
| | | | fully specified in the flow.
* Add IDENTITY payloads to flow establishment (and cleanup accordingly)angelos2000-09-201-1/+5
| | | | | -- this will address one of itojun's question on how are IDs for IKE to be determined (need to add support for this to ipsecadm).
* Lots and lots of changes.angelos2000-09-191-0/+791
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.