path: root/sys/netinet/ipsec_input.c
Commit message | Author | Age | Files | Lines
...
* make it possible to use IPsec over link-local address (policy table uses sin6_scope_id, IPsec portion uses embedded form). beck ok | itojun | 2004-06-21 | 1 | -1/+3
* pass esp/ah/ipcmp to rawip if processing is disabled with sysctl; allows userland ipsec; tested by sturm@; ok deraadt@, ho@, hshoexer@ | markus | 2004-04-18 | 1 | -5/+3
* switch to sysctl_int_arr(); ok henning, deraadt | markus | 2004-02-17 | 1 | -41/+20
* UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) ok deraadt@ | markus | 2003-12-02 | 1 | -10/+22
* allow gif(4) over ipsec: mark mbuf for transport mode SA, so in_gif_input can detect whether a proto 4 header is due to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023 ok itojun@. provos@ and angelos@ agree; tested by sturm@ | markus | 2003-07-28 | 1 | -1/+4
* update ip_len to reflect tunnel header removal (lost during ip_len flip changes); ok itojun; noticed by jrrs@ice-nine.org | markus | 2003-07-24 | 1 | -1/+2
* do not flip ip_len/ip_off in netinet stack. deraadt ok. (please test, especially PF portion) | itojun | 2003-07-09 | 1 | -3/+1
* make sure the packet contains a complete inner header for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec; ok angelos@ | markus | 2003-07-08 | 1 | -3/+31
* knf typo | markus | 2003-07-04 | 1 | -5/+5
* just as a safety measure, set m_flags to 0 for mbufs allocated on stack. dhartmei ok | itojun | 2003-05-03 | 1 | -1/+2
* knf | deraadt | 2003-02-20 | 1 | -3/+2
* If there's no tag to be reset, don't reset it (avoids a NULL deref in the IPCOMP case) | jason | 2003-02-20 | 1 | -3/+4
* Fix usage counter for IPCOMP --- sam@errno.com | angelos | 2002-06-28 | 1 | -2/+2
* Forgot variable. | angelos | 2002-06-25 | 1 | -2/+2
* Handle correctly return values from xf_input methods --- since the return value was ignored anyway, this wasn't a problem so far. From sam@errno.com | angelos | 2002-06-25 | 1 | -11/+7
* Remove whitespace from the end of the file. | angelos | 2002-06-13 | 1 | -4/+1
* whitespace | itojun | 2002-06-09 | 1 | -8/+8
* Set/clear M_AUTH_AH. | angelos | 2002-06-09 | 1 | -3/+3
* disable pmtu for ipsec when the sysctl says so; bug report cjkim2000@yahoo.com | provos | 2002-01-23 | 1 | -2/+2
* Use hzto() to handle overflow of (hz * timeout) cases --- when using extremely long SA expirations. | angelos | 2001-12-06 | 1 | -5/+14
* Don't check the source address on the packet vs. the one on the SA, as this prevents use of ESP in mobility; pointed out on the IETF mailing list by Francis Dupont. | angelos | 2001-08-09 | 1 | -51/+1
* Remove IPCOMP option, it's now part of IPSEC option. You still need to enable ipcomp via sysctl to use it. deraadt@ ok. | jjbg | 2001-08-08 | 1 | -9/+1
* enable ah & esp by default, now that we trust the code more | deraadt | 2001-08-07 | 1 | -3/+3
* Don't use enc0 interface for IPComp. angelos@ ok. | jjbg | 2001-07-06 | 1 | -2/+3
* IPComp support. angelos@ ok. | jjbg | 2001-07-05 | 1 | -25/+186
* KNF | angelos | 2001-06-26 | 1 | -581/+604
* Copyright. | angelos | 2001-06-25 | 1 | -3/+3
* path mtu discovery for ipsec. on receiving a need fragment icmp match against active tdb and store the ipsec header size corrected mtu | provos | 2001-06-24 | 1 | -1/+89
* Remove unneeded ip_id conversions. Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment. | fgsch | 2001-06-23 | 1 | -2/+1
* mop up after angelos | deraadt | 2001-06-19 | 1 | -1/+2
* Trim include files. | angelos | 2001-06-08 | 1 | -9/+1
* Add a few DPRINTF()'s | angelos | 2001-06-05 | 1 | -2/+4
* Record last use time for SAs. | angelos | 2001-05-29 | 1 | -1/+3
* If we are passed a packet tag, it's an IPSEC_IN_CRYPTO_DONE so convert it to IPSEC_IN_DONE, rather than adding a new one. | angelos | 2001-05-27 | 1 | -15/+25
* Forgot to convert this tag. | angelos | 2001-05-27 | 1 | -2/+2
* Use packet tags to signal input IPsec processing to upper layer protocols. | angelos | 2001-05-20 | 1 | -12/+12
* Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok | aaron | 2001-05-11 | 1 | -3/+3
* Move offsetof define into sys/param.h | csapuntz | 2001-04-06 | 1 | -5/+1
* Protect the IF_XXX macros in the callback routines with splimp(). Doh! Thanks to erik@ipunplugged.com | angelos | 2001-03-30 | 1 | -3/+11
* Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | angelos | 2001-03-28 | 1 | -20/+8
* convert SA expirations to the new timeouts. simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistent throughout the code to be relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | mickey | 2001-03-15 | 1 | -13/+16
* Lots and lots of changes. | angelos | 2000-09-19 | 1 | -124/+28
* Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | angelos | 2000-09-17 | 1 | -1/+8
* Correctly handle ip_off; angelos@ | millert | 2000-07-11 | 1 | -1/+2
* do not play with rcvif, if the traffic is non-IPv4. by setting rcvif to enc*, we break IPv6 scope considerations. | itojun | 2000-06-20 | 1 | -7/+21
* correct header chasing code. take care of AH length. | itojun | 2000-06-19 | 1 | -15/+29
* Arguments. | angelos | 2000-06-18 | 1 | -3/+3
* Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | angelos | 2000-06-18 | 1 | -3/+3
* IPv6 AH/ESP support, inbound side only. tested with KAME. | itojun | 2000-06-18 | 1 | -24/+65
* Remove outdated comment. | angelos | 2000-06-18 | 1 | -9/+1