path: root/sys/netinet/ipsec_input.c

Commit log (subject, then author, date, files changed and lines removed/added; body text follows each entry):
...
* Yet more #include de-duplication. (krw, 2014-11-20, 1 file, -4/+1)
  ok deraadt@ tedu@
* Fewer <netinet/in_systm.h> ! (mpi, 2014-07-22, 1 file, -2/+1)
* bpf code surgery / shuffling / simplification. (henning, 2014-07-09, 1 file, -2/+2)
  the various bpf_mtap_* are very similar, they differ in what (and to some extent how) they prepend something, and what copy function they pass to bpf_catchpacket. use an internal _bpf_mtap as "backend" for bpf_mtap and friends. extend bpf_mtap_hdr so that it covers all common cases: if dlen is 0, nothing gets prepended. copy function can be given, if NULL the default bpf_mcopy is used. adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn. re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr. re-implement bpf_mtap_ether using bpf_map_hdr. re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper. ok bluhm benno
* "struct pkthdr" holds a routing table ID, not a routing domain one. (mpi, 2014-04-14, 1 file, -2/+2)
  Avoid the confusion by using an appropriate name for the variable. Note that since routing domain IDs are a subset of the set of routing table IDs, the following idiom is correct: rtableid = rdomain. But to get the routing domain ID corresponding to a given routing table ID, you must call rtable_l2(9). claudio@ likes it, ok mikeb@
* bzero/bcmp -> memset/memcmp. ok matthew (tedu, 2014-01-09, 1 file, -9/+9)
* Replace most of our formatting functions to convert IPv4/6 addresses from (mpi, 2013-11-11, 1 file, -5/+21)
  network to presentation format to inet_ntop(). The few remaining functions will be soon converted. ok mikeb@, deraadt@ and moral support from henning@
* Remove the number of in_var.h inclusions by moving some functions and (mpi, 2013-10-23, 1 file, -2/+1)
  global variables to in.h. ok mikeb@, deraadt@
* The header file netinet/in_var.h included netinet6/in6_var.h. This (bluhm, 2013-10-17, 1 file, -1/+2)
  created a bunch of useless dependencies. Remove this implicit inclusion and do an explicit #include <netinet6/in6_var.h> when it is needed. OK mpi@ henning@
* Fix typo backswards -> backwards. (bluhm, 2013-06-01, 1 file, -2/+2)
* Instead of having various extern declarations for protocol variables, (mpi, 2013-04-24, 1 file, -6/+1)
  declare them once in their corresponding header file.
* Remove the extern keyword from function declarations, document (mpi, 2013-04-11, 1 file, -1/+12)
  sysctl declarations, move variables and functions used in only one place in their corresponding file. No functional change. No objection from markus@, ok mikeb@
* Remove various external variable declarations from source files and (mpi, 2013-04-10, 1 file, -2/+1)
  move them to the corresponding header with an appropriate comment if necessary. ok guenther@
* Do not transfer diverted packets into IPsec processing. They should (bluhm, 2013-03-31, 1 file, -1/+4)
  reach the socket that the user has specified in pf.conf. OK reyk@
* code that calls timeout functions should include timeout.h (tedu, 2013-03-28, 1 file, -1/+2)
  slipped by on i386, but the zaurus doesn't automagically pick it up. spotted by patrick
* no need for a lot of code to include proc.h (tedu, 2013-03-28, 1 file, -2/+1)
* add M_ZEROIZE as an mbuf flag, so copied PFKEY messages (with embedded keys) (markus, 2012-09-26, 1 file, -3/+3)
  are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
* spltdb() was really just #define'd to be splsoftnet(); replace the former (blambert, 2012-09-20, 1 file, -4/+4)
  with the latter. no change in md5 checksum of generated files. ok claudio@ henning@
* Fix RFC reference section (sperreault, 2011-12-22, 1 file, -2/+2)
  spotted by bluhm@, ok yasuoka@
* Compute mandatory UDP checksum for IPv6 packets (sperreault, 2011-12-21, 1 file, -1/+9)
  ok yasuoka@ bluhm@
* Fix checksum of UDP/TCP packets following RFC 3948. This is required for (yasuoka, 2011-12-19, 1 file, -1/+48)
  transport mode IPsec NAT-T. ok markus
* In ipsec_common_input() the packet can be either IPv4 or IPv6. So (bluhm, 2011-04-26, 1 file, -2/+20)
  pass it to the correct raw ip input function if IPsec is disabled. ok todd@ mpf@ mikeb@ blambert@ matthew@ deraadt@
* uncompress a packet with an IPcomp header only once; this prevents (markus, 2011-04-06, 1 file, -2/+11)
  endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy; it also prevents nested IPcomp-IPIP-IPcomp attacks provided by matthew@; feedback and ok matthew@, deraadt@, djm@, claudio@
* don't rely on implicit net/route.h inclusion via pf, claudio ok (henning, 2011-04-03, 1 file, -1/+2)
* The function pf_tag_packet() never fails. Remove a redundant check (bluhm, 2011-03-05, 1 file, -3/+2)
  and make it void. ok henning@, markus@, mcbride@
* don't leak short packets; ok mikeb@ (markus, 2010-12-21, 1 file, -1/+10)
* Add support for using IPsec in multiple rdomains. (reyk, 2010-07-09, 1 file, -10/+15)
  This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pickup the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Test by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@
* Allow to specify an alternative enc(4) interface for an SA. All (reyk, 2010-07-01, 1 file, -3/+18)
  traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes:
  - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers.
  - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel.
  - Update enc(4) again to use an allocated array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
  Discussed with many, tested by a few, will need more testing & review. ok deraadt@
* Replace enc(4) with a new implementation as a cloner device. We still (reyk, 2010-06-29, 1 file, -14/+15)
  create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
* remove proc.h include from uvm_map.h. This has far reaching effects, as (tedu, 2010-04-20, 1 file, -1/+2)
  sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
* uninitialized protocol version for ipv6; from mickey; ok claudio (markus, 2010-01-02, 1 file, -3/+4)
* Extend the protosw pr_ctlinput function to include the rdomain. This is (claudio, 2009-11-13, 1 file, -4/+7)
  needed so that the route and inp lookups done in TCP and UDP know where to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain argument as well for similar reasons. With this tcp seems to be now fully rdomain safe and no longer leaks single packets into the main domain. Looks good markus@, henning@
* once again ipsec tries to be clever and plays fast, this time by (henning, 2009-08-09, 1 file, -5/+2)
  recycling an mbuf tag and changing its type. just always get a new one. theo ok
* #if INET => #ifdef INET (mpf, 2008-10-22, 1 file, -2/+2)
  #if INET6 => #ifdef INET6
* filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4; (markus, 2008-10-22, 1 file, -7/+3)
  ok bluhm, fries, mpf; fixes pr 4188
* call pf_pkt_addr_changed instead of manually clearing the pf state key ptr (henning, 2008-08-26, 1 file, -4/+2)
* ipsec is glued into the stack in a very weird way, violating all kinds (henning, 2008-07-24, 1 file, -1/+4)
  of expected semantics. thus, for return packets coming out of an ipsec tunnel, we need to clear the pf state key pointer in the mbuf header to prevent a state for encapsulated traffic to be linked to the decapsulated traffic one. problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some time to understand what the hell was going on. ok ryan
* make easier to read, found during a bug hunt earlier (todd, 2008-06-14, 1 file, -2/+2)
  ok bluhm@
* fix an old typo that prevented outer ipv6 headers from being corrected, (canacar, 2008-06-11, 1 file, -4/+3)
  also fix the correction amount. This was only really visible on tcpdump, as a "truncated-ip6 - 48 bytes missing" warning. The inner packet made it into the stack just fine, minus a few sanity checks. reported by and debugged together with and ok todd@
* add sysctl entry points into various network layers, in particular to (deraadt, 2007-12-14, 1 file, -13/+49)
  provide netstat(1) with data it needs; ok claudio reyk
* double pf performance. (henning, 2007-05-28, 1 file, -2/+2)
  boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer). thanks to chris for the test setup! ok ryan ryan ckuethe reyk
* - AH: when computing crypto checksum for output, massage source-routing (itojun, 2007-02-08, 1 file, -7/+16)
  header.
  - ipsec_input: fix mistake in IPv6 next-header chasing.
  - ipsec_output: look for the position to insert AH more carefully.
  - ip6_output: enable use of AH with extension headers. avoid tunnelling when source-routing header is present.
  ok by deraad, naddy, hshoexer
* make enc(4) count; ok markus@ henning@ deraadt@ (otto, 2006-12-15, 1 file, -1/+4)
* do not install pmtu routes for transport mode SAs, as they do not (markus, 2006-12-05, 1 file, -1/+9)
  the dest IP; PMTU debugging support; ok hshoexer
* add support to tag ipsec traffic belonging to specific IKE-initiated (reyk, 2006-11-24, 1 file, -1/+13)
  phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@
* allow bpf(4) to ignore packets based on their direction (inbound or (djm, 2006-03-25, 1 file, -2/+3)
  outbound), using a new BIOCSDIRFILT ioctl; guidance, feedback and ok canacar@
* With the exception of two other small uncommitted diffs this moves (brad, 2006-03-04, 1 file, -4/+4)
  the remainder of the network stack from splimp to splnet. ok miod@
* Path MTU discovery for NAT-T. (mpf, 2006-01-13, 1 file, -1/+55)
  OK markus@, "looks good" hshoexer@
* Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain (pascoe, 2005-07-31, 1 file, -15/+2)
  to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@
* resolve conflict between M_TUNNEL and M_ANYCAST6, remove M_COMP (it's (markus, 2004-11-25, 1 file, -4/+2)
  only set and never read), update documentation; ok fgsch, deraadt, millert
* First step towards more sane time handling in the kernel -- this changes (tholo, 2004-06-21, 1 file, -8/+4)
  things such that code that only need a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@