| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
| |
ipsec_{input,output}_cb() so that in the case of sending or receiving a bogus
mbuf (NULL) we don't end up trying to dereference the TDB, while being an
uninitialized pointer, to increase the drops.
Coverity IDs 1473312, 1473313 and 1473317.
OK mpi@ visa@
|
| |
|
|
|
|
| |
userland.
Inputs from markus@, ok sthen@
|
| |
|
|
|
|
|
|
| |
dropped packets in the output path.
While here fix a memory leak when compression is not needed w/ IPcomp.
ok markus@
|
| |
|
|
| |
from markus@; OK mpi@
|
| |
|
|
|
|
| |
next extension header is within the packet length. Also check at
the end that the IPv4 headers are not longer than the packet.
reported by Maxime Villard; from markus@ via NetBSD; OK mpi@
|
| |
|
|
| |
OK bluhm@, mpi@
|
| |
|
|
| |
ok kettenis@, dhill@, visa@, jca@
|
| |
|
|
|
|
|
|
|
|
| |
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@
|
| |
|
|
| |
ok visa@
|
| |
|
|
|
|
|
| |
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.
OK bluhm@
|
| |
|
|
| |
Tested by Hrvoje Popovski, ok visa@
|
| | |
|
| |
|
|
| |
with m_makespace(4) from freebsd; ok mpi@, bluhm@, mikeb@, dlg@
|
| |
|
|
|
|
|
| |
construct an IPv6 packet instead of an IPv4.
Diff from Patrick Wildt <patrick at blueri ! se> with input from
bluhm@; ok mpi, bluhm
|
| |
|
|
|
|
|
| |
ifpp - XXX: just for statistics
ifpp is always NULL in all callers so that statistic confirms ifpp is
dying
OK mpi@
|
| |
|
|
| |
ok stsp mpi
|
| | |
|
| |
|
|
| |
No objection from reyk@, OK markus, hshoexer
|
| | |
|
| |
|
|
|
|
| |
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
| |
|
|
|
| |
long live the one true internet.
ok henning mikeb
|
| |
|
|
| |
ok miod@ mpi@
|
| | |
|
| |
|
|
|
|
| |
ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther
|
| |
|
|
| |
ok gcc & md5 (alas, no binary change)
|
| |
|
|
|
|
| |
global variables to in6.h.
ok deraadt@
|
| | |
|
| |
|
|
|
|
|
| |
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
| |
|
|
|
| |
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
| |
|
|
|
|
|
|
| |
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
| |
|
|
|
| |
anywhere) as well as the matching TDBF_{HALFIV,RANDOMPADDING,NOREPLAY} code.
ok mikeb@
|
| |
|
|
|
| |
and make it void.
ok henning@, markus@, mcbride@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(1) use correct (message) block size of 128 byte (instead of 64
bytes) for HMAC-SHA512/384 (RFC4634).
(2) RFC4868 specifies that HMAC-SHA-{256,384,512} is truncated to
nnn/2 bits, while we still use 96 bits. 96 bits have been
specified in draft-ietf-ipsec-ciph-sha-256-00 while
draft-ietf-ipsec-ciph-sha-256-01 changed it to 128 bits.
WARNING: this change makes IPsec with SHA-256 (the default)
incompatible with older OpenBSD versions and other IPsec-implementations
that share this bug.
ok+tests naddy, fries; requested by reyk/deraadt
|
| | |
|
| |
|
|
|
|
| |
header of the matching address family is available. Especially do
not read ip->ip_off from an IPv6 packet header.
ok markus
|
| |
|
|
|
|
| |
we need a pointer to the inpcb to decide, which was not previously
passed to ip6_output, so this diff is a little bigger.
from itojun, ok ryan
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
| |
|
|
|
|
|
|
|
|
| |
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnellinng when source-routing header is present.
ok by deraad, naddy, hshoexer
|
| |
|
|
| |
to INET6 too, so move it outside. markus ok
|
| |
|
|
| |
the dest IP; PMTU debugging support; ok hshoexer
|
| |
|
|
|
|
|
|
|
|
|
| |
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
| | |
|
| |
|
|
| |
ok deraadt@
|
| |
|
|
| |
(please test, especially PF portion)
|
| |
|
|
| |
minimum compression threshold.
|
mestre
mpi
bluhm
visa
dhill
mikeb
markus
claudio
deraadt
tedu
jsg
henning
blambert
reyk
itojun
ho
tholo
jason