path: root/sys/netinet/ip_ipsp.c
Age | Commit message | Author
2007-02-14 | Consistently spell FALLTHROUGH to appease lint. ok kettenis@ cloder@ tom@ henning@ | Jonathan Gray
2007-01-18 | allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to compile and work. need to register pfkey whenever tcp md5 or ipsec is defined, and the various ipsec encapsulations only if ipsec is defined. ok theo | Henning Brauer
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-01-13 | Path MTU discovery for NAT-T. OK markus@, "looks good" hshoexer@ | Marco Pfatschbacher
2005-11-24 | Remove kernfs, okay deraadt@. | Pedro Martelletto
2005-05-28 | Add SA replay counter synchronization to pfsync(4). Required for IPsec failover gateways. ok mcbride@, "looks good" hshoexer@ | Hakan Olsson
2005-05-27 | long overdue snprintf cleanup in kernfs related code ok cloder | Hans-Joerg Hoexer
2005-04-21 | handle return value of snprintf correctly ok deraadt@ | Hans-Joerg Hoexer
2004-11-19 | Plug memory leak. Found by pat@. Thanks! ok myself markus@ | Hans-Joerg Hoexer
2004-06-21 | First step towards more sane time handling in the kernel -- this changes things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now gets this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@ | Thorsten Lockert
2004-04-14 | simpler ipsp_aux_match() API; ok henning, hshoexer | Markus Friedl
2004-03-31 | in gettdbbysrcdst(), allow matching with either src or dst being a wildcard (empty) entry ok markus@ | Henning Brauer
2004-02-15 | check TDBF_INVALID for TCP MD5 SA lookups; ok mcbride, henning | Markus Friedl
2004-01-27 | in gettdbbysrcdst(): hash by SRC and lookup SA in the tdbsrc[] hash table with hshoexer@ | Markus Friedl
2004-01-22 | add gettdbbysrcdst(), just like gettdb(), but compares tdb_src as well; ok mcbride@ | Markus Friedl
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) ok deraadt@ | Markus Friedl
2003-05-09 | string cleaning; ok tedu | Theo de Raadt
2003-05-06 | string cleaning; tedu ok | Theo de Raadt
2002-11-19 | Use queue.h macros | Jason Wright
2002-06-09 | whitespace | Jun-ichiro itojun Hagino
2002-06-09 | Comment out currently-unused code (it's there for the ethernet-ipsec cards, none of which we support at the moment). | Angelos D. Keromytis
2002-05-31 | Move some common code to separate routines; also, fix the problem of using the same SA for different traffic classes. Now, different SAs will be renegotiated as needed. XXX It's a sub-optimal (but correct) solution, as it looks for an exact match -- it should be checking for subset/subnet. One of these days... | Angelos D. Keromytis
2002-03-14 | First round of __P removal in sys | Todd C. Miller
2002-02-23 | Print compression algorithm name too. | Angelos D. Keromytis
2001-12-05 | KNF whack | Theo de Raadt
2001-10-03 | If the TDB doesn't have an attached src/dst ID, it can be used for any type of traffic. | Angelos D. Keromytis
2001-09-05 | use %ll instead of %q | Theo de Raadt
2001-08-08 | Remove IPCOMP option, it's now part of IPSEC option. You still need to enable ipcomp via sysctl to use it. deraadt@ ok. | Jean-Jacques Bernard-Gundol
2001-07-05 | IPComp support. angelos@ ok. | Jean-Jacques Bernard-Gundol
2001-06-27 | Minor nits. | Angelos D. Keromytis
2001-06-27 | Don't cache packets that hit policies -- we'll do that at the PCB for local packets. | Angelos D. Keromytis
2001-06-26 | Keep the PFKEY sequence number at the TDB, plus a little bit of KNF | Angelos D. Keromytis
2001-06-26 | KNF | Angelos D. Keromytis
2001-06-25 | Copyright. | Angelos D. Keromytis
2001-06-24 | print mtu of tdb if discovered | Niels Provos
2001-06-24 | Print TDBF_USEDTUNNEL in ipsp_kern() | Angelos D. Keromytis
2001-06-23 | Having to update queue(3) for DLIST_* is a major PITA; thus, just use SLIST and be done with it. | Angelos D. Keromytis
2001-06-23 | Use DLIST for tags. | Angelos D. Keromytis
2001-06-08 | Trim include files. | Angelos D. Keromytis
2001-06-07 | Simplify SPD logic (and correct some input cases). | Angelos D. Keromytis
2001-06-05 | That DPRINTF() is not needed. | Angelos D. Keromytis
2001-06-05 | Clear acquires only if TDB was established correctly. | Angelos D. Keromytis
2001-06-05 | Correct credential matching logic. | Angelos D. Keromytis
2001-06-04 | use a faster arc4random() for random spi generation; angelos@ ok | Michael Shalayeff
2001-06-01 | Merge two m_copydata() calls into one, and (hopefully) correct the self-describing padding verification. | Angelos D. Keromytis
2001-06-01 | ipsp_parse_headers() goes down a list of IPv4/IPv6/AH/ESP headers and creates a tag for each of the ESP/AH headers. This will be used by IPsec-aware NIC device drivers that need to notify IPsec that crypto processing has already been done. There is an excessive amount of m_copydata() calls used by this routine, but there's no way around it that I can think of. | Angelos D. Keromytis
2001-05-30 | IPSP_IDENTITY_MBOX -> IPSP_IDENTITY_FQDN, and print type of creds/auth in kernfs | Angelos D. Keromytis
2001-05-30 | Free remote authentication material on TDB free. | Angelos D. Keromytis
2001-05-30 | Free local auth on TDB free. | Angelos D. Keromytis
2001-05-29 | Keep track of when a TDB was last marked/unmarked as SKIPCRYPTO, and print the relevant information on KERNFS. | Angelos D. Keromytis