CVS log for src/sys/netipsec/ipsec.h
Keyword substitution: kv
Default branch: MAIN
Revision 1.29.2.1.2.1
Fri Nov 11 04:20:22 2011 UTC (3 months ago) by kensmith
Branches: RELENG_9_0
CVS tags: RELENG_9_0_0_RELEASE
Diff to: previous 1.29.2.1
Changes since revision 1.29.2.1: +0 -0 lines
SVN rev 227445 on 2011-11-11 04:20:22Z by kensmith Copy stable/9 to releng/9.0 as part of the FreeBSD 9.0-RELEASE release cycle. Approved by: re (implicit)
Revision 1.29.2.1
Fri Sep 23 00:51:37 2011 UTC (4 months, 2 weeks ago) by kensmith
Branches: RELENG_9
CVS tags: RELENG_9_0_BP
Branch point for: RELENG_9_0
Diff to: previous 1.29
Changes since revision 1.29: +0 -0 lines
SVN rev 225736 on 2011-09-23 00:51:37Z by kensmith Copy head to stable/9 as part of 9.0-RELEASE release cycle. Approved by: re (implicit)
Revision 1.26.2.3
Fri May 6 13:24:10 2011 UTC (9 months ago) by fabient
Branches: RELENG_8
Diff to: previous 1.26.2.2; branchpoint 1.26; next MAIN 1.27
Changes since revision 1.26.2.2: +10 -6 lines
SVN rev 221525 on 2011-05-06 13:24:10Z by fabient MFC r220206: Optimisation in IPSEC(4): - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback.
Revision 1.29
Thu Mar 31 15:23:32 2011 UTC (10 months, 1 week ago) by fabient
Branches: MAIN
CVS tags: RELENG_9_BP, HEAD
Branch point for: RELENG_9
Diff to: previous 1.28
Changes since revision 1.28: +10 -6 lines
SVN rev 220206 on 2011-03-31 15:23:32Z by fabient Optimisation in IPSEC(4): - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback. Gain on 6 cores CPU with SHA1/AES128 can be up to 30%. Reviewed by: vanhu MFC after: 1 month
Revision 1.13.2.3.6.1
Tue Dec 21 17:10:29 2010 UTC (13 months, 2 weeks ago) by kensmith
Branches: RELENG_7_4
CVS tags: RELENG_7_4_0_RELEASE
Diff to: previous 1.13.2.3; next MAIN 1.14
Changes since revision 1.13.2.3: +0 -0 lines
SVN rev 216618 on 2010-12-21 17:10:29Z by kensmith Copy stable/7 to releng/7.4 in preparation for FreeBSD-7.4 release. Approved by: re (implicit)
Revision 1.26.2.2.4.1
Tue Dec 21 17:09:25 2010 UTC (13 months, 2 weeks ago) by kensmith
Branches: RELENG_8_2
CVS tags: RELENG_8_2_0_RELEASE
Diff to: previous 1.26.2.2; next MAIN 1.26.2.3
Changes since revision 1.26.2.2: +0 -0 lines
SVN rev 216617 on 2010-12-21 17:09:25Z by kensmith Copy stable/8 to releng/8.2 in preparation for FreeBSD-8.2 release. Approved by: re (implicit)
Revision 1.26.2.2.2.1
Mon Jun 14 02:09:06 2010 UTC (19 months, 4 weeks ago) by kensmith
Branches: RELENG_8_1
CVS tags: RELENG_8_1_0_RELEASE
Diff to: previous 1.26.2.2; next MAIN 1.26.2.3
Changes since revision 1.26.2.2: +0 -0 lines
SVN rev 209145 on 2010-06-14 02:09:06Z by kensmith Copy stable/8 to releng/8.1 in preparation for 8.1-RC1. Approved by: re (implicit)
Revision 1.26.2.2
Thu May 6 06:44:19 2010 UTC (21 months ago) by bz
Branches: RELENG_8
CVS tags: RELENG_8_2_BP, RELENG_8_1_BP
Branch point for: RELENG_8_2, RELENG_8_1
Diff to: previous 1.26.2.1; branchpoint 1.26
Changes since revision 1.26.2.1: +22 -22 lines
SVN rev 207695 on 2010-05-06 06:44:19Z by bz MFC r207369: MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitespace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOBALS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH
Revision 1.28
Thu Apr 29 11:52:42 2010 UTC (21 months, 1 week ago) by bz
Branches: MAIN
Diff to: previous 1.27
Changes since revision 1.27: +22 -22 lines
SVN rev 207369 on 2010-04-29 11:52:42Z by bz MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitespace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOBALS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH MFC after: 6 days
Revision 1.13.2.3.4.1
Wed Feb 10 00:26:20 2010 UTC (2 years ago) by kensmith
Branches: RELENG_7_3
CVS tags: RELENG_7_3_0_RELEASE
Diff to: previous 1.13.2.3; next MAIN 1.14
Changes since revision 1.13.2.3: +0 -0 lines
SVN rev 203736 on 2010-02-10 00:26:20Z by kensmith Copy stable/7 to releng/7.3 as part of the 7.3-RELEASE process. Approved by: re (implicit)
Revision 1.26.2.1.2.1
Sun Oct 25 01:10:29 2009 UTC (2 years, 3 months ago) by kensmith
Branches: RELENG_8_0
CVS tags: RELENG_8_0_0_RELEASE
Diff to: previous 1.26.2.1; next MAIN 1.26.2.2
Changes since revision 1.26.2.1: +0 -0 lines
SVN rev 198460 on 2009-10-25 01:10:29Z by kensmith Copy stable/8 to releng/8.0 as part of 8.0-RELEASE release procedure. Approved by: re (implicit)
Revision 1.27
Sun Sep 6 07:30:21 2009 UTC (2 years, 5 months ago) by pjd
Branches: MAIN
Diff to: previous 1.26
Changes since revision 1.26: +1 -1 lines
SVN rev 196882 on 2009-09-06 07:30:21Z by pjd Correct typo in comment.
Revision 1.26.2.1
Mon Aug 3 08:13:06 2009 UTC (2 years, 6 months ago) by kensmith
Branches: RELENG_8
CVS tags: RELENG_8_0_BP
Branch point for: RELENG_8_0
Diff to: previous 1.26
Changes since revision 1.26: +0 -0 lines
SVN rev 196045 on 2009-08-03 08:13:06Z by kensmith Copy head to stable/8 as part of 8.0 Release cycle. Approved by: re (Implicit)
Revision 1.26
Thu Jul 16 21:13:04 2009 UTC (2 years, 6 months ago) by rwatson
Branches: MAIN
CVS tags: RELENG_8_BP
Branch point for: RELENG_8
Diff to: previous 1.25
Changes since revision 1.25: +14 -14 lines
SVN rev 195727 on 2009-07-16 21:13:04Z by rwatson Remove unused VNET_SET() and related macros; only VNET_GET() is ever actually used. Rename VNET_GET() to VNET() to shorten variable references. Discussed with: bz, julian Reviewed by: bz Approved by: re (kensmith, kib)
Revision 1.25
Tue Jul 14 22:48:30 2009 UTC (2 years, 6 months ago) by rwatson
Branches: MAIN
Diff to: previous 1.24
Changes since revision 1.24: +32 -20 lines
SVN rev 195699 on 2009-07-14 22:48:30Z by rwatson Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing them in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING. Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
Revision 1.24
Sat May 23 16:42:38 2009 UTC (2 years, 8 months ago) by bz
Branches: MAIN
Diff to: previous 1.23
Changes since revision 1.23: +1 -0 lines
SVN rev 192648 on 2009-05-23 16:42:38Z by bz Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL kernel option. This also permits tuning of the option per virtual network stack, as well as separately per inet, inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks
Revision 1.13.2.3.2.1
Wed Apr 15 03:14:26 2009 UTC (2 years, 9 months ago) by kensmith
Branches: RELENG_7_2
CVS tags: RELENG_7_2_0_RELEASE
Diff to: previous 1.13.2.3; next MAIN 1.14
Changes since revision 1.13.2.3: +0 -0 lines
SVN rev 191087 on 2009-04-15 03:14:26Z by kensmith Create releng/7.2 from stable/7 in preparation for 7.2-RELEASE. Approved by: re (implicit)
Revision 1.13.2.3
Fri Mar 20 23:06:16 2009 UTC (2 years, 10 months ago) by bz
Branches: RELENG_7
CVS tags: RELENG_7_4_BP, RELENG_7_3_BP, RELENG_7_2_BP
Branch point for: RELENG_7_4, RELENG_7_3, RELENG_7_2
Diff to: previous 1.13.2.2; branchpoint 1.13; next MAIN 1.14
Changes since revision 1.13.2.2: +1 -1 lines
SVN rev 190190 on 2009-03-20 23:06:16Z by bz MFC r185366: Unify ipsec[46]_delete_pcbpolicy in ipsec_delete_pcbpolicy. Ignoring different names because of macros (in6pcb, in6p_sp) and inp vs. in6p variable name, both functions were entirely identical.
Revision 1.23
Sun Feb 8 09:27:07 2009 UTC (3 years ago) by bz
Branches: MAIN
Diff to: previous 1.22
Changes since revision 1.22: +3 -3 lines
SVN rev 188306 on 2009-02-08 09:27:07Z by bz Try to remove/assimilate as much of formerly IPv4/6 specific (duplicate) code in sys/netipsec/ipsec.c and fold it into common, INET/6 independent functions. The file local functions ipsec4_setspidx_inpcb() and ipsec6_setspidx_inpcb() were 1:1 identical after the change in r186528. Rename to ipsec_setspidx_inpcb() and remove the duplicate. Public functions ipsec[46]_get_policy() were 1:1 identical. Remove one copy and merge in the factored out code from ipsec_get_policy() into the other. The public function left is now called ipsec_get_policy() and callers were adapted. Public functions ipsec[46]_set_policy() were 1:1 identical. Rename file local ipsec_set_policy() function to ipsec_set_policy_internal(). Remove one copy of the public functions, rename the other to ipsec_set_policy() and adapt callers. Public functions ipsec[46]_hdrsiz() were logically identical (ignoring one questionable assert in the v6 version). Rename the file local ipsec_hdrsiz() to ipsec_hdrsiz_internal(), the public function to ipsec_hdrsiz(), remove the duplicate copy and adapt the callers. The v6 version had been unused anyway. Cleanup comments. Public functions ipsec[46]_in_reject() were logically identical apart from statistics. Move the common code into a file local ipsec46_in_reject() leaving vimage+statistics in small AF specific wrapper functions. Note: unfortunately we already have a public ipsec_in_reject(). Reviewed by: sam Discussed with: rwatson (renaming to *_internal) MFC after: 26 days X-MFC: keep wrapper functions for public symbols?
Revision 1.22
Sat Dec 27 09:36:22 2008 UTC (3 years, 1 month ago) by bz
Branches: MAIN
Diff to: previous 1.21
Changes since revision 1.21: +0 -2 lines
SVN rev 186508 on 2008-12-27 09:36:22Z by bz Make ipsec_getpolicybysock() static and no longer export it. It has not been used outside this file since about the FAST_IPSEC -> IPSEC change. MFC after: 4 weeks
Revision 1.21
Thu Nov 27 10:43:08 2008 UTC (3 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.20
Changes since revision 1.20: +1 -1 lines
SVN rev 185366 on 2008-11-27 10:43:08Z by bz Unify ipsec[46]_delete_pcbpolicy in ipsec_delete_pcbpolicy. Ignoring different names because of macros (in6pcb, in6p_sp) and inp vs. in6p variable name, both functions were entirely identical. Reviewed by: rwatson (as part of a larger changeset) MFC after: 6 weeks (*) (*) possibly need to leave stub wrappers in 7 to keep the symbols.
Revision 1.13.2.2.2.1
Tue Nov 25 02:59:29 2008 UTC (3 years, 2 months ago) by kensmith
Branches: RELENG_7_1
CVS tags: RELENG_7_1_0_RELEASE
Diff to: previous 1.13.2.2; next MAIN 1.13.2.3
Changes since revision 1.13.2.2: +0 -0 lines
SVN rev 185281 on 2008-11-25 02:59:29Z by kensmith Create releng/7.1 in preparation for moving into RC phase of 7.1 release cycle. Approved by: re (implicit)
Revision 1.20
Wed Nov 19 09:39:34 2008 UTC (3 years, 2 months ago) by zec
Branches: MAIN
Diff to: previous 1.19
Changes since revision 1.19: +1 -0 lines
SVN rev 185088 on 2008-11-19 09:39:34Z by zec Change the initialization methodology for global variables scheduled for virtualization. Instead of initializing the affected global variables at instantiation, assign initial values to them in initializer functions. As a rule, initialization at instantiation for such variables should never be introduced again from now on. Furthermore, enclose all instantiations of such global variables in #ifdef VIMAGE_GLOBALS blocks. Essentially, this change should have zero functional impact. In the next phase of merging network stack virtualization infrastructure from p4/vimage branch, the new initialization methodology will allow us to switch between using global variables and their counterparts residing in virtualization containers with minimum code churn, and in the long run allow us to initialize multiple instances of such container structures. Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
Revision 1.13.2.2
Sun Oct 5 17:41:46 2008 UTC (3 years, 4 months ago) by bz
Branches: RELENG_7
CVS tags: RELENG_7_1_BP
Branch point for: RELENG_7_1
Diff to: previous 1.13.2.1; branchpoint 1.13
Changes since revision 1.13.2.1: +9 -2 lines
SVN rev 183630 on 2008-10-05 17:41:46Z by bz MFC: rev. 1.7 net/if_enc.c rev. 1.14 netipsec/ipsec.h, 1.20 netipsec/ipsec_input.c rev. 1.17 netipsec/ipsec_output.c rev. 1.4 netipsec/xform.h, 1.16 netipsec/xform_ipip.c SVN r174054, 174055 Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selecting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well. [ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ] Note: The defaults were not changed but you may want to do that. See the man page for more details. PR: kern/127785 Approved by: re (gnn)
Revision 1.19
Thu Oct 2 15:37:58 2008 UTC (3 years, 4 months ago) by zec
Branches: MAIN
Diff to: previous 1.18
Changes since revision 1.18: +4 -1 lines
SVN rev 183550 on 2008-10-02 15:37:58Z by zec Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs. Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT(). Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.). All the changes are verified to have zero functional impact at this point in time by doing MD5 comparison between pre- and post-change object files(*). (*) netipsec/keysock.c did not validate depending on compile time options. Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
Revision 1.8.2.2.6.1
Thu Oct 2 02:57:24 2008 UTC (3 years, 4 months ago) by kensmith
Branches: RELENG_6_4
CVS tags: RELENG_6_4_0_RELEASE
Diff to: previous 1.8.2.2; next MAIN 1.9
Changes since revision 1.8.2.2: +0 -0 lines
SVN rev 183531 on 2008-10-02 02:57:24Z by kensmith Create releng/6.4 from stable/6 in preparation for 6.4-RC1. Approved by: re (implicit)
Revision 1.18
Sun Aug 17 23:27:27 2008 UTC (3 years, 5 months ago) by bz
Branches: MAIN
Diff to: previous 1.17
Changes since revision 1.17: +2 -2 lines
SVN rev 181803 on 2008-08-17 23:27:27Z by bz Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@). This is the first in a series of commits over the course of the next few weeks. Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only. We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again. Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
Revision 1.17
Sat May 24 15:32:46 2008 UTC (3 years, 8 months ago) by bz
Branches: MAIN
Diff to: previous 1.16
Changes since revision 1.16: +0 -1 lines
In addition to the ipsec_osdep.h removal a week ago, now also eliminate IPSEC_SPLASSERT_SOFTNET which has been 'unused' since FreeBSD 5.0.
Revision 1.16
Sat May 17 04:00:11 2008 UTC (3 years, 8 months ago) by gnn
Branches: MAIN
Diff to: previous 1.15
Changes since revision 1.15: +8 -1 lines
Remove last bits of OS adaptation code from the IPSec code. Reviewed By: bz
Revision 1.13.2.1
Sun Mar 9 21:04:55 2008 UTC (3 years, 11 months ago) by bz
Branches: RELENG_7
Diff to: previous 1.13
Changes since revision 1.13: +1 -1 lines
MFC 1.278 sys/netinet/ip_output.c 1.114 sys/netinet6/ip6_output.c 1.26 sys/netipsec/ipsec.c 1.15 sys/netipsec/ipsec.h 1.4 sys/netipsec/ipsec6.h Rather than passing around a cached 'priv', pass in an ucred to ipsec*_set_policy and do the privilege check only if needed. Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy.
Revision 1.15
Sat Feb 2 14:11:31 2008 UTC (4 years ago) by bz
Branches: MAIN
Diff to: previous 1.14
Changes since revision 1.14: +1 -1 lines
Rather than passing around a cached 'priv', pass in an ucred to ipsec*_set_policy and do the privilege check only if needed. Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy. Reviewed by: rwatson
Revision 1.14
Wed Nov 28 22:33:52 2007 UTC (4 years, 2 months ago) by bz
Branches: MAIN
Diff to: previous 1.13
Changes since revision 1.13: +9 -2 lines
Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets. This is useful in bpf to not have over long lines for debugging or selecting packets based on the inner headers. It also properly defines the behavior of what the firewalls see. Last but not least it gives you if_enc(4) for IPv6 as well. [ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ] Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
Revision 1.13
Sun Jul 1 11:38:29 2007 UTC (4 years, 7 months ago) by gnn
Branches: MAIN
CVS tags: RELENG_7_BP, RELENG_7_0_BP, RELENG_7_0_0_RELEASE, RELENG_7_0
Branch point for: RELENG_7
Diff to: previous 1.12
Changes since revision 1.12: +2 -9 lines
Commit IPv6 support for FAST_IPSEC to the tree. This commit includes only the kernel files, the rest of the files will follow in a second commit. Reviewed by: bz Approved by: re Supported by: Secure Computing
Revision 1.8.2.2
Mon Jul 24 23:20:59 2006 UTC (5 years, 6 months ago) by thompsa
Branches: RELENG_6
CVS tags: RELENG_6_4_BP, RELENG_6_3_BP, RELENG_6_3_0_RELEASE, RELENG_6_3, RELENG_6_2_BP, RELENG_6_2_0_RELEASE, RELENG_6_2
Branch point for: RELENG_6_4
Diff to: previous 1.8.2.1; branchpoint 1.8; next MAIN 1.9
Changes since revision 1.8.2.1: +2 -0 lines
MFC Add a pseudo interface for packet filtering IPSec connections before or after encryption. r1.2 src/share/man/man4/enc.4 r1.4 src/share/man/man4/fast_ipsec.4 r1.1126 src/sys/conf/files r1.549 src/sys/conf/options r1.4 src/sys/net/if_enc.c r1.22 src/sys/net/if_types.h r1.12 src/sys/netipsec/ipsec.h r1.12 src/sys/netipsec/ipsec_input.c r1.12 src/sys/netipsec/ipsec_output.c r1.13 src/sys/netipsec/xform_ipip.c
Revision 1.12
Mon Jun 26 22:30:08 2006 UTC (5 years, 7 months ago) by thompsa
Branches: MAIN
Diff to: previous 1.11
Changes since revision 1.11: +2 -0 lines
Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering. Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
Revision 1.11
Mon Apr 10 15:04:36 2006 UTC (5 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.10
Changes since revision 1.10: +2 -0 lines
Hide net.inet.ipsec.test_{replay,integrity} sysctls under #ifdef REGRESSION.
Requested by: sam, rwatson
Revision 1.10
Sun Apr 9 19:11:45 2006 UTC (5 years, 10 months ago) by pjd
Branches: MAIN
Diff to: previous 1.9
Changes since revision 1.9: +2 -0 lines
Introduce two new sysctls: net.inet.ipsec.test_replay - When set to 1, IPsec will send packets with the same sequence number. This allows verifying whether the other side has proper replay attack detection. net.inet.ipsec.test_integrity - When set to 1, IPsec will send packets with corrupted HMAC. This allows verifying whether the other side properly detects modified packets. I used the first one to discover that we don't have proper replay attack detection in ESP (in fast_ipsec(4)).
Revision 1.8.2.1
Thu Mar 23 23:24:32 2006 UTC (5 years, 10 months ago) by sam
Branches: RELENG_6
CVS tags: RELENG_6_1_BP, RELENG_6_1_0_RELEASE, RELENG_6_1
Diff to: previous 1.8
Changes since revision 1.8: +0 -1 lines
MFC: promote fast ipsec's m_clone routine for public use; it is renamed
m_unshare and the caller can now control how mbufs are allocated
Approved by: re (hrs)
Revision 1.9
Wed Mar 15 21:11:11 2006 UTC (5 years, 10 months ago) by sam
Branches: MAIN
Diff to: previous 1.8
Changes since revision 1.8: +0 -1 lines
promote fast ipsec's m_clone routine for public use; it is renamed m_unshare and the caller can now control how mbufs are allocated Reviewed by: andre, luigi, mlaier MFC after: 1 week
Revision 1.7.2.1
Mon Jan 31 23:26:41 2005 UTC (7 years ago) by imp
Branches: RELENG_5
CVS tags: RELENG_5_5_BP, RELENG_5_5_0_RELEASE, RELENG_5_5, RELENG_5_4_BP, RELENG_5_4_0_RELEASE, RELENG_5_4
Diff to: previous 1.7; next MAIN 1.8
Changes since revision 1.7: +1 -1 lines
MFC: /*- and related license changes
Revision 1.8
Fri Jan 7 01:45:46 2005 UTC (7 years, 1 month ago) by imp
Branches: MAIN
CVS tags: RELENG_6_BP, RELENG_6_0_BP, RELENG_6_0_0_RELEASE, RELENG_6_0
Branch point for: RELENG_6
Diff to: previous 1.7
Changes since revision 1.7: +1 -1 lines
/* -> /*- for license, minor formatting changes
Revision 1.2.4.2
Sat Feb 14 22:23:23 2004 UTC (7 years, 11 months ago) by bms
Branches: RELENG_4
CVS tags: RELENG_4_11_BP, RELENG_4_11_0_RELEASE, RELENG_4_11, RELENG_4_10_BP, RELENG_4_10_0_RELEASE, RELENG_4_10
Diff to: previous 1.2.4.1; branchpoint 1.2; next MAIN 1.3
Changes since revision 1.2.4.1: +1 -0 lines
MFC: Import of TCP-MD5 (RFC2385) support. Sponsored by: sentex.net
Revision 1.7
Wed Feb 11 04:26:03 2004 UTC (8 years ago) by bms
Branches: MAIN
CVS tags: RELENG_5_BP, RELENG_5_3_BP, RELENG_5_3_0_RELEASE, RELENG_5_3
Branch point for: RELENG_5
Diff to: previous 1.6
Changes since revision 1.6: +1 -0 lines
Initial import of RFC 2385 (TCP-MD5) digest support. This is the first of two commits; bringing in the kernel support first. This can be enabled by compiling a kernel with options TCP_SIGNATURE and FAST_IPSEC. For the uninitiated, this is a TCP option which provides for a means of authenticating TCP sessions which came into being before IPSEC. It is still relevant today, however, as it is used by many commercial router vendors, particularly with BGP, and as such has become a requirement for interconnect at many major Internet points of presence. Several parts of the TCP and IP headers, including the segment payload, are digested with MD5, including a shared secret. The PF_KEY interface is used to manage the secrets using security associations in the SADB. There is a limitation here in that as there is no way to map a TCP flow per-port back to an SPI without polluting tcpcb or using the SPD; the code to do the latter is unstable at this time. Therefore this code only supports per-host keying granularity. Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6), TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective users of this feature, this will not pose any problem. This implementation is output-only; that is, the option is honoured when responding to a host initiating a TCP session, but no effort is made [yet] to authenticate inbound traffic. This is, however, sufficient to interwork with Cisco equipment. Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with local patches. Patches for tcpdump to validate TCP-MD5 sessions are also available from me upon request. Sponsored by: sentex.net
Revision 1.6
Tue Jan 27 17:42:57 2004 UTC (8 years ago) by sam
Branches: MAIN
Diff to: previous 1.5
Changes since revision 1.5: +3 -0 lines
add spdcachelookup and spdcachemiss to our version of struct ipsecstat so netstat works properly Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Revision 1.5
Tue Jan 20 22:44:21 2004 UTC (8 years ago) by sam
Branches: MAIN
Diff to: previous 1.4
Changes since revision 1.4: +4 -0 lines
fix build after KAME changes
Revision 1.4
Mon Sep 29 22:57:42 2003 UTC (8 years, 4 months ago) by sam
Branches: MAIN
CVS tags: RELENG_5_2_BP, RELENG_5_2_1_RELEASE, RELENG_5_2_0_RELEASE, RELENG_5_2
Diff to: previous 1.3
Changes since revision 1.3: +27 -5 lines
MFp4: portability work, general cleanup, locking fixes

change 38496
o add ipsec_osdep.h that holds os-specific definitions for portability
o s/KASSERT/IPSEC_ASSERT/ for portability
o s/SPLASSERT/IPSEC_SPLASSERT/ for portability
o remove function names from ASSERT strings since line#+file pinpoints the location
o use __func__ uniformly to reduce string storage
o convert some random #ifdef DIAGNOSTIC code to assertions
o remove some debugging assertions no longer needed

change 38498
o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system

change 38502 + 38530
o change explicit mtx operations to #defines to simplify future changes to a different lock type

change 38531
o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least
o correct potential null pointer deref in ipsec4_common_input_cb

change 38685
o fix locking for bundled SA's and for when key exchange is required

change 38770
o eliminate recursion on the SAHTREE lock

change 38804
o cleanup some types: long -> time_t
o remove reference to dead #define

change 38805
o correct some types: long -> time_t
o add scan generation # to secpolicy to deal with locking issues

change 38806
o use LIST_FOREACH_SAFE instead of handrolled code
o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation
o misc cleanups of tangled and twisty code

There is still much to do here but for now things look to be working again.

Supported by: FreeBSD Foundation
Revision 1.3: download - view: text, markup, annotated - select for diffs
Mon Sep 1 05:35:55 2003 UTC (8 years, 5 months ago) by sam
Branches: MAIN
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +5 -0 lines
Locking and misc cleanups; most of which I've been running for >4 months:
o add locking
o strip irrelevant spl's
o split malloc types to better account for memory use
o remove unused IPSEC_NONBLOCK_ACQUIRE code
o remove dead code

Sponsored by: FreeBSD Foundation
Revision 1.2.4.1: download - view: text, markup, annotated - select for diffs
Fri Jan 24 05:11:35 2003 UTC (9 years ago) by sam
Branches: RELENG_4
CVS tags: RELENG_4_9_BP, RELENG_4_9_0_RELEASE, RELENG_4_9, RELENG_4_8_BP, RELENG_4_8_0_RELEASE, RELENG_4_8
Diff to: previous 1.2: preferred, colored
Changes since revision 1.2: +0 -3 lines
MFC: Fast IPsec

"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather different while the SADB and policy management code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system.

This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system.

Supported by: Vernier Networks
Revision 1.2: download - view: text, markup, annotated - select for diffs
Fri Nov 8 23:37:50 2002 UTC (9 years, 3 months ago) by sam
Branches: MAIN
CVS tags: RELENG_5_1_BP, RELENG_5_1_0_RELEASE, RELENG_5_1, RELENG_5_0_BP, RELENG_5_0_0_RELEASE, RELENG_5_0
Branch point for: RELENG_4
Diff to: previous 1.1: preferred, colored
Changes since revision 1.1: +3 -0 lines
FAST_IPSEC fixups:
o fix #ifdef typo
o must use "bounce functions" when dispatched from the protosw table

don't know how this stuff was missed in my testing; must've committed the wrong bits

Pointy hat: sam
Submitted by: "Doug Ambrisko" <ambrisko@verniernetworks.com>
Revision 1.1: download - view: text, markup, annotated - select for diffs
Wed Oct 16 02:10:07 2002 UTC (9 years, 3 months ago) by sam
Branches: MAIN
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather different while the SADB and policy management code is very similar to KAME (for the moment).

Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system.

This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system.

Obtained from: KAME + openbsd
Supported by: Vernier Networks
