Commit message | Author | Age | Files | Lines

ok visa@ as part of a larger bigger diff

OK mikeb@

This will allow us to get rid of the list.
ok visa@

This enforces an order and will allow us to get rid of the global list.
ok millert@, visa@, markus@

Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@

properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.
OK bluhm@

OK natano@

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

thank you to everyone who helped review these diffs
ok mpi@

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.
This puts the rtable* layer at the same level as the if* level. These
two subsystems are organized around the two global data structures used
in the network stack:
- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.
This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.
While here stop the madness and pass the size of the maximum key length
in *bytes* to rn_inithead0().
ok claudio@, mikeb@

the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

reaching around through the routing table
original diff by myself, much improved by mikeb@ and mpi@
ok and testing mikeb@ mpi@

fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

change in ip_spd.c 1.59 makes it appear that there is a cut & pasto.
OK mikeb@

ok mikeb

This code is largely unfinished and is not used for anything. The change
leaves identities as the only objects referenced by the ipsec_ref structure
and their handling requires some changes to support more advanced matching
of IPsec connections.
No objections from reyk and hshoexer, and OK markus.

OK markus, hshoexer

have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@

long live the one true internet.
ok henning mikeb

any good to our network stack.
The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?
This change starts the dance of "struct route" & friends removal by
sending the completely useless "struct route_enc" to the bucket.
Tweak & ok claudio@

functionality instead of a mix of enable/disable.
ok bluhm@, jca@

kill the macro.
ok mikeb@, henning@

rely on "struct route" that should die.
ok claudio@

Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@

global variables to in6.h.
ok deraadt@

global variables to in.h.
ok mikeb@, deraadt@

sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@

slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@

an 8 year old bug exposed by recent uvm changes
ok thib@ tedu@ deraadt@

With input from oga@ and krw@
ok oga@ krw@ thib@ markus@ mk@

network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.
To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.
tested by todd@, ok hshoexer@, angelos@, todd@

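The acquire selection described in the message above, as an added example in C that is not OpenBSD's code: a small userland model of the decision the commit describes, with the old behaviour it reports for 0.0.0.0/0 flows beside the fixed "peer present, acquire for the whole network" rule. The types and names here (struct flow, struct selector, acquire_selector_old/new, sa_matches_flow) are assumptions for illustration, not the kernel's ipsec_policy fields, and the old variant models only the symptom the commit reports.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Constructed model of an IPsec flow: destination network + mask and whether
 * the flow names a peer to negotiate with. Not the kernel's struct. */
struct flow {
    uint32_t dst;       /* destination network, host byte order */
    uint32_t dst_mask;  /* netmask, host byte order; 0 means 0.0.0.0/0 */
    int has_peer;       /* 1 if a peer is configured on the flow */
};

/* Address/mask pair an SA would be negotiated for. */
struct selector {
    uint32_t addr;
    uint32_t mask;
};

static uint32_t ip4(const char *s)
{
    struct in_addr a;
    inet_pton(AF_INET, s, &a);
    return ntohl(a.s_addr);
}

/* Symptom reported by the commit: for a 0.0.0.0/0 flow the acquire used the
 * packet's address with a host mask, so the resulting SA never matched. */
static struct selector acquire_selector_old(const struct flow *fl, uint32_t pkt_dst)
{
    struct selector s;
    if (fl->dst_mask == 0) {
        s.addr = pkt_dst;
        s.mask = 0xffffffffu;
    } else {
        s.addr = fl->dst & fl->dst_mask;
        s.mask = fl->dst_mask;
    }
    return s;
}

/* Fixed rule as described: a peer on the flow means one SA for the whole
 * network; no peer means a host-to-host SA per packet destination. */
static struct selector acquire_selector_new(const struct flow *fl, uint32_t pkt_dst)
{
    struct selector s;
    if (fl->has_peer) {
        s.addr = fl->dst & fl->dst_mask;
        s.mask = fl->dst_mask;
    } else {
        s.addr = pkt_dst;
        s.mask = 0xffffffffu;
    }
    return s;
}

/* The negotiated SA serves the flow only when it covers exactly the flow's
 * destination network (same network and same mask). */
int sa_matches_flow(struct selector sa, const struct flow *fl)
{
    return sa.mask == fl->dst_mask && sa.addr == (fl->dst & fl->dst_mask);
}

/* Scenario from the commit: default flow 0.0.0.0/0 with a peer, packet to
 * 10.0.0.5. Returns 1 when the old selector fails and the new one matches. */
int default_flow_fix_holds(void)
{
    struct flow fl = { ip4("0.0.0.0"), ip4("0.0.0.0"), 1 };
    uint32_t pkt = ip4("10.0.0.5");
    return !sa_matches_flow(acquire_selector_old(&fl, pkt), &fl)
        && sa_matches_flow(acquire_selector_new(&fl, pkt), &fl);
}

/* A network flow with a peer gets one SA for the whole /24. */
int network_flow_with_peer_matches(void)
{
    struct flow fl = { ip4("192.0.2.0"), ip4("255.255.255.0"), 1 };
    return sa_matches_flow(acquire_selector_new(&fl, ip4("192.0.2.7")), &fl);
}

/* Without a peer the fixed code still negotiates host-to-host. */
int no_peer_is_host_to_host(void)
{
    struct flow fl = { ip4("192.0.2.0"), ip4("255.255.255.0"), 0 };
    struct selector s = acquire_selector_new(&fl, ip4("192.0.2.7"));
    return s.addr == ip4("192.0.2.7") && s.mask == 0xffffffffu;
}

int main(void)
{
    printf("default flow fix holds: %d\n", default_flow_fix_holds());
    printf("network flow with peer matches: %d\n", network_flow_with_peer_matches());
    printf("no peer -> host-to-host: %d\n", no_peer_is_host_to_host());
    return 0;
}
```

The model keeps the host-to-host path for peerless flows on purpose: that is the case the commit says must still trigger a separate negotiation per destination, and collapsing it into a network acquire would change behaviour the fix intended to preserve.
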
Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.
ok art@, krw@

ok hshoexer claudio mpf henning

as an aid to readability
ok and thinko-catching henning@

OK henning@

MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>

ok kettenis@ cloder@ tom@ henning@

parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer

- sturct -> struct (spotted by pedro)
- elimination of consecutive 'the' words
ok jmc@, henning@, krw@, robert@, some whining by jolan@

things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@