path: root/sys/netinet/ipsec_input.c

Commit log (each entry: commit message, then [author, date, files changed, lines -/+])
* It is time to put inet6 on a diet. Use the flensing knife and cut out
  the 3rd argument of in6_recoverscope() and make it return void.
  OK dlg@ mikeb@
  [claudio, 2015-09-10, 1 file, -3/+3]
* Kill a couple of if_get()s only needed to increment per-ifp IPv6 stats.
  We do not export those per-ifp statistics and they will soon all die.
  "We're putting inet6 on a diet" claudio@
  ok dlg@, mikeb@, claudio@
  [mpi, 2015-09-09, 1 file, -6/+1]
* Store a unique ID, an interface index, rather than a pointer to the
  receiving interface in the packet header of every mbuf.
  The interface pointer should now be retrieved when necessary with
  if_get(). If a NULL pointer is returned by if_get(), the interface has
  probably been destroyed/removed and the mbuf should be freed.
  Such mechanism will simplify garbage collection of mbufs and limit
  problems with dangling ifp pointers.
  Tested by jmatthew@ and krw@, discussed with many.
  ok mikeb@, bluhm@, dlg@
  [mpi, 2015-06-16, 1 file, -3/+7]
* Move away from using hzto(9); OK dlg
  [mikeb, 2015-06-11, 1 file, -10/+5]
* test mbuf pointers against NULL not 0
  ok krw@ miod@
  [jsg, 2015-05-13, 1 file, -2/+2]
* Stubs and support code for NIC-enabled IPsec bite the dust.
  No objection from reyk@, OK markus, hshoexer
  [mikeb, 2015-04-17, 1 file, -8/+3]
* make ipsp_address thread safe; ok mpi
  [mikeb, 2015-04-14, 1 file, -13/+26]
* replace the use of ifqueues for most input queues serviced by netisr
  with niqueues.
  this change is so big because there's a lot of code that takes
  pointers to different input queues (eg, ether_input picks between
  ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through to
  code to enqueue packets against the pointer. if i changed only one of
  the input queues i'd have to add separate code paths, one for ifqueues
  and one for niqueues in each of these places. by flipping all these
  input queues at once i can keep the currently common code common.
  testing by mpi@ sthen@ and rafael zalamena
  ok mpi@ sthen@ claudio@ henning@
  [dlg, 2015-04-10, 1 file, -35/+4]
* Remove bits of unfinished IPsec proxy support. DNS' KX records, anyone?
  ok markus, hshoexer
  [mikeb, 2015-03-26, 1 file, -123/+1]
* Userland (base & ports) was adapted to always include <netinet/in.h>
  before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
  cleaned up next. Some sockaddr_union steps make it into here as well.
  ok naddy
  [deraadt, 2015-01-24, 1 file, -5/+5]
* unifdef INET in net code as a precursor to removing the pretend option.
  long live the one true internet. ok henning mikeb
  [tedu, 2014-12-19, 1 file, -17/+1]
* Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
  ok mikeb@, krw@, bluhm@, tedu@
  [mpi, 2014-12-05, 1 file, -1/+2]
* Yet more #include de-duplication.
  ok deraadt@ tedu@
  [krw, 2014-11-20, 1 file, -4/+1]
* Fewer <netinet/in_systm.h> !
  [mpi, 2014-07-22, 1 file, -2/+1]
* bpf code surgery / shuffling / simplification.
  the various bpf_mtap_* are very similar, they differ in what (and to
  some extent how) they prepend something, and what copy function they
  pass to bpf_catchpacket.
  use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
  extend bpf_mtap_hdr so that it covers all common cases: if dlen is 0,
  nothing gets prepended. copy function can be given, if NULL the
  default bpf_mcopy is used. adjust the existing bpf_mtap_hdr users to
  pass a NULL ptr for the copy fn.
  re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
  re-implement bpf_mtap_ether using bpf_map_hdr
  re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
  ok bluhm benno
  [henning, 2014-07-09, 1 file, -2/+2]
* "struct pkthdr" holds a routing table ID, not a routing domain one.
  Avoid the confusion by using an appropriate name for the variable.
  Note that since routing domain IDs are a subset of the set of routing
  table IDs, the following idiom is correct:
      rtableid = rdomain
  But to get the routing domain ID corresponding to a given routing
  table ID, you must call rtable_l2(9).
  claudio@ likes it, ok mikeb@
  [mpi, 2014-04-14, 1 file, -2/+2]
* bzero/bcmp -> memset/memcmp. ok matthew
  [tedu, 2014-01-09, 1 file, -9/+9]
* Replace most of our formatting functions to convert IPv4/6 addresses from
  network to presentation format to inet_ntop().
  The few remaining functions will be soon converted.
  ok mikeb@, deraadt@ and moral support from henning@
  [mpi, 2013-11-11, 1 file, -5/+21]
* Remove the number of in_var.h inclusions by moving some functions and
  global variables to in.h.
  ok mikeb@, deraadt@
  [mpi, 2013-10-23, 1 file, -2/+1]
* The header file netinet/in_var.h included netinet6/in6_var.h. This
  created a bunch of useless dependencies. Remove this implicit
  inclusion and do an explicit #include <netinet6/in6_var.h> when it is
  needed.
  OK mpi@ henning@
  [bluhm, 2013-10-17, 1 file, -1/+2]
* Fix typo backswards -> backwards.
  [bluhm, 2013-06-01, 1 file, -2/+2]
* Instead of having various extern declarations for protocol variables,
  declare them once in their corresponding header file.
  [mpi, 2013-04-24, 1 file, -6/+1]
* Remove the extern keyword from function declarations, document
  sysctl declarations, move variables and functions used in only one
  place in their corresponding file.
  No functional change.
  No objection from markus@, ok mikeb@
  [mpi, 2013-04-11, 1 file, -1/+12]
* Remove various external variable declaration from sources files and
  move them to the corresponding header with an appropriate comment if
  necessary.
  ok guenther@
  [mpi, 2013-04-10, 1 file, -2/+1]
* Do not transfer diverted packets into IPsec processing. They should
  reach the socket that the user has specified in pf.conf.
  OK reyk@
  [bluhm, 2013-03-31, 1 file, -1/+4]
* code that calls timeout functions should include timeout.h
  slipped by on i386, but the zaurus doesn't automagically pick it up.
  spotted by patrick
  [tedu, 2013-03-28, 1 file, -1/+2]
* no need for a lot of code to include proc.h
  [tedu, 2013-03-28, 1 file, -2/+1]
* add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys)
  are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
  [markus, 2012-09-26, 1 file, -3/+3]
* spltdb() was really just #define'd to be splsoftnet(); replace the former
  with the latter
  no change in md5 checksum of generated files
  ok claudio@ henning@
  [blambert, 2012-09-20, 1 file, -4/+4]
* Fix RFC reference sections
  spotted by bluhm@, ok yasuoka@
  [sperreault, 2011-12-22, 1 file, -2/+2]
* Compute mandatory UDP checksum for IPv6 packets
  ok yasuoka@ bluhm@
  [sperreault, 2011-12-21, 1 file, -1/+9]
* Fix checksum of UDP/TCP packets following RFC 3948. This is required for
  transport mode IPsec NAT-T.
  ok markus
  [yasuoka, 2011-12-19, 1 file, -1/+48]
* In ipsec_common_input() the packet can be either IPv4 or IPv6. So
  pass it to the correct raw ip input function if IPsec is disabled.
  ok todd@ mpf@ mikeb@ blambert@ matthew@ deraadt@
  [bluhm, 2011-04-26, 1 file, -2/+20]
* uncompress a packet with an IPcomp header only once; this prevents
  endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
  it also prevents nested IPcomp-IPIP-IPcomp attacks provided by
  matthew@; feedback and ok matthew@, deraadt@, djm@, claudio@
  [markus, 2011-04-06, 1 file, -2/+11]
* don't rely on implicit net/route.h inclusion via pf, claudio ok
  [henning, 2011-04-03, 1 file, -1/+2]
* The function pf_tag_packet() never fails. Remove a redundant check
  and make it void.
  ok henning@, markus@, mcbride@
  [bluhm, 2011-03-05, 1 file, -3/+2]
* don't leak short packets; ok mikeb@
  [markus, 2010-12-21, 1 file, -1/+10]
* Add support for using IPsec in multiple rdomains.
  This allows to run isakmpd/iked/ipsecctl in multiple rdomains
  independently (with "route exec"); the kernel will pickup the rdomain
  from the process context of the pfkey socket and load the flows and
  SAs into the matching rdomain encap routing table. The network stack
  also needs to pass the rdomain to the ipsec stack to lookup the
  correct rdomain that belongs to an interface/mbuf/...
  You can now run individual IPsec configs per rdomain or create IPsec
  VPNs between multiple rdomains on the same machine ;).
  Note that a primary enc(4) in addition to enc0 interface is required
  per rdomain, eg. enc1 rdomain 1.
  Test by some people, mostly on existing "rdomain 0" setups. Was in
  snaps for some days and people didn't complain.
  ok claudio@ naddy@
  [reyk, 2010-07-09, 1 file, -10/+15]
* Allow to specify an alternative enc(4) interface for an SA. All
  traffic for this SA will appear on the specified enc interface instead
  of enc0 and can be filtered and monitored separately. This will allow
  to group individual ipsec policies to virtual interfaces and
  simplifies monitoring and pf filtering with many ipsec policies a lot.
  This diff includes the following changes:
  - Store the enc interface unit (default 0) in the TDB of an SA and
    pass it to the enc_getif() lookup when running the bpf or pf_test()
    handlers.
  - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
    interface unit for a specified SA between userland and kernel.
  - Update enc(4) again to use an allocate array instead of the TAILQ
    to lookup the matching enc interface in enc_getif() quickly.
  Discussed with many, tested by a few, will need more testing & review.
  ok deraadt@
  [reyk, 2010-07-01, 1 file, -3/+18]
* Replace enc(4) with a new implementation as a cloner device. We still
  create enc0 by default, but it is possible to add additional enc
  interfaces. This will be used later to allow alternative encs per
  policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
  manpage bits ok jmc@
  input from henning@ deraadt@ toby@ naddy@
  ok henning@ claudio@
  [reyk, 2010-06-29, 1 file, -14/+15]
* remove proc.h include from uvm_map.h. This has far reaching effects, as
  sysctl.h was reliant on this particular include, and many drivers
  included sysctl.h unnecessarily. remove sysctl.h or add proc.h as
  needed.
  ok deraadt
  [tedu, 2010-04-20, 1 file, -1/+2]
* uninitialized protocol version for ipv6; from mickey; ok claudio
  [markus, 2010-01-02, 1 file, -3/+4]
* Extend the protosw pr_ctlinput function to include the rdomain. This is
  needed so that the route and inp lookups done in TCP and UDP know
  where to look. Additionally in_pcbnotifyall() and tcp_respond() got a
  rdomain argument as well for similar reasons. With this tcp seems to
  be now fully rdomain safe and no longer leaks single packets into the
  main domain.
  Looks good markus@, henning@
  [claudio, 2009-11-13, 1 file, -4/+7]
* once again ipsec tries to be clever and plays fast, this time by
  recycling an mbuf tag and changing its type. just always get a new
  one. theo ok
  [henning, 2009-08-09, 1 file, -5/+2]
* #if INET => #ifdef INET
  #if INET6 => #ifdef INET6
  [mpf, 2008-10-22, 1 file, -2/+2]
* filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4;
  ok bluhm, fries, mpf; fixes pr 4188
  [markus, 2008-10-22, 1 file, -7/+3]
* call pf_pkt_addr_changed instead of manually clearing the pf state key ptr
  [henning, 2008-08-26, 1 file, -4/+2]
* ipsec is glued into the stack in a very weird way, violating all kinds
  of expected semantics. thus, for return packets coming out of an ipsec
  tunnel, we need to clear the pf state key pointer in the mbuf header
  to prevent a state for encapsulated traffic to be linked to the
  decapsulated traffic one.
  problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
  time to understand what the hell was going on.
  ok ryan
  [henning, 2008-07-24, 1 file, -1/+4]
* make easier to read, found during a bug hunt earlier
  ok bluhm@
  [todd, 2008-06-14, 1 file, -2/+2]
* fix an old typo that prevented outer ipv6 headers from being corrected,
  also fix the correction amount. This was only really visible on
  tcpdump, as a "truncated-ip6 - 48 bytes missing" warning. The inner
  packet made it into the stack just fine, minus a few sanity checks.
  reported by and debugged together with and ok todd@
  [canacar, 2008-06-11, 1 file, -4/+3]