|
This will allow us to get rid of the list.
ok visa@
|
|
It isn't safe to manipulate PF_KEY sockets without KERNEL_LOCK() because
they aren't protected by the NET_LOCK().
I missed this in my previous audit and neither my tests, the regression
tests nor the IPsec performance tests exposed the problem. Hopefully I
added the right check to soassertlocked() a while back.
Found the hard way by and ok sthen@
|
|
IPsec is enabled.
This is currently a no-op since we still use a single taskq. But it
will allow us to experiment with multiple forwarding threads and the
PF_LOCK() without having to fix IPsec at the same time.
ok sashan@, visa@
|
|
by & OK mpi, input & OK visa
|
|
Suggested by and OK mpi, OK visa
|
|
functions to pave way for more fine grained locking.
Suggested by, comments & OK mpi
|
|
This enforces an order and will allow us to get rid of the global list.
ok millert@, visa@, markus@
|
|
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
|
Exposes per-CPU counters to real parallelism.
ok visa@, bluhm@, jca@
|
|
|
|
Tested by Hrvoje Popovski, ok bluhm@
|
|
Suggested by and OK bluhm@ OK mpi@
|
|
to simplify the locking of those lists. For now move the LIST_ENTRY from
rawcb into routecb and in the pfkey case a new keycb. Do some cleanup and
renaming in the pfkey code but more to come.
OK bluhm@ mpi@
|
|
buffers.
This is one step towards unlocking TCP input path. Note that all the
functions asserting for the socket lock are not necessarily MP-safe.
All the fields of 'struct socket' aren't protected.
Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures. Logic
and name taken from NetBSD.
Tested by Hrvoje Popovski.
ok claudio@, bluhm@, mikeb@
|
|
destination address is used as an index when looking for a TDB, we need
to supply the new destination address in a different member. For this,
re-use the proxy address, that so far no one else has been using. It
would make sense to rename this member in the future.
ok claudio@
|
|
|
|
to pfkeyv2.c. These structs are nowhere else needed.
OK gcc
|
|
abstraction. First step of making PF_KEY a bit more like PF_ROUTE.
OK mpi@
|
|
Only pfkeyv2_send() needs the NET_LOCK() so grab it at the start and release
at the end. This should allow to push the locks down in other places.
OK mpi@, bluhm@
|
|
time soon so remove all the code to support multiple pfkey versions.
OK mpi@
|
|
ok visa@
|
|
kernel. It was only used in IPsec sources. No binary change
OK deraadt@
|
|
bundles together. Extend the kernel interface to export the bundle
information to userland. Then ipsecctl -ss -v can show the internal
relations. Unfortunately the header SADB_X_EXT_PROTOCOL was reused
by SADB_X_GRPSPIS, so it cannot be used to transfer the second sa
type with sysctl. Introduce a new SADB_X_EXT_SATYPE2 and use it
consistently.
OK hshoexer@ markus@
|
|
OK millert@
|
|
ok mikeb@, bluhm@
|
|
rectification.
|
|
Tested by Hrvoje Popovski, ok bluhm@
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
|
|
ok markus@
|
|
DES is insecure since brute force attacks are practical due to its
short key length.
This removes support for DES-CBC encryption in ESP and in IKE main
and quick mode from the kernel, isakmpd(8), ipsecctl(8), and iked(8).
ok mikeb@
|
|
reaching around through the routing table
original diff by myself, much improved by mikeb@ and mpi@
ok and testing mikeb@ mpi@
|
|
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@
|
|
ok mikeb
|
|
(fixes sadb_ident_type conversion for policies)
|
|
This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.
No objections from reyk and hshoexer, with and OK markus.
|
|
there's no need to do it in m_devget(9).
Stopping passing an ``ifp'' will help for the upcoming interface pointer -> index
conversion.
While here remove unused ``ifp'' argument from m_clget(9) and kill two
birds^W layer violations in one commit.
ok henning@
|
|
ok markus, hshoexer
|
|
long live the one true internet.
ok henning mikeb
|
|
any good to our network stack.
The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?
This change starts the dance of "struct route" & friends removal by
sending the completely useless "struct route_enc" to the bucket.
Tweak & ok claudio@
|
|
functionality instead of a mix of enable/disable.
ok bluhm@, jca@
|
|
kill the macro.
ok mikeb@, henning@
|
|
rely on "struct route" that should die.
ok claudio@
|
|
after discussions with beck deraadt kettenis.
|
|
reduce stack space requirements.
ok mikeb mpi
|
|
alternative to bcopy since no one uses it.
while there use memcpy instead of bcopy because we know the memory cannot
overlap.
ok henning@ matthew@ mikeb@ deraadt@
|
|
is clearer; ok sthen
|
|
than checking if they're zero - export_address() is always called for these.
Fixes memory corruption when doing ipsecctl -ssa with md5sig. Debugging
hints from deraadt@, ok kettenis@ deraadt@
|
|
|
|
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|