path: root/sys/netinet/ipsec_input.c
Age | Commit message | Author
2004-06-21 | First step towards more sane time handling in the kernel -- this changes things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now gets this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@ | Thorsten Lockert
2004-06-21 | make it possible to use IPsec over link-local address (policy table uses sin6_scope_id, IPsec portion uses embedded form). beck ok | Jun-ichiro itojun Hagino
2004-04-18 | pass esp/ah/ipcmp to rawip if processing is disabled with sysctl; allows userland ipsec; tested by sturm@; ok deraadt@, ho@, hshoexer@ | Markus Friedl
2004-02-17 | switch to sysctl_int_arr(); ok henning, deraadt | Markus Friedl
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) ok deraadt@ | Markus Friedl
2003-07-28 | allow gif(4) over ipsec: mark mbuf for transport mode SA, so in_gif_input can detect whether a proto 4 header is due to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023 ok itojun@. provos@ and angelos@ agree; tested by sturm@ | Markus Friedl
2003-07-24 | update ip_len to reflect tunnel header removal (lost during ip_len flip changes); ok itojun; noticed by jrrs@ice-nine.org | Markus Friedl
2003-07-09 | do not flip ip_len/ip_off in netinet stack. deraadt ok. (please test, especially PF portion) | Jun-ichiro itojun Hagino
2003-07-08 | make sure the packets contain a complete inner header for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec; ok angelos@ | Markus Friedl
2003-07-04 | knf typo | Markus Friedl
2003-05-03 | just as a safety measure, set m_flags to 0 for mbufs allocated on stack. dhartmei ok | Jun-ichiro itojun Hagino
2003-02-20 | knf | Theo de Raadt
2003-02-20 | If there's no tag to be reset, don't reset it (avoids a NULL deref in the IPCOMP case) | Jason Wright
2002-06-28 | Fix usage counter for IPCOMP --- sam@errno.com | Angelos D. Keromytis
2002-06-25 | Forgot variable. | Angelos D. Keromytis
2002-06-25 | Handle correctly return values from xf_input methods --- since the return value was ignored anyway, this wasn't a problem so far. From sam@errno.com | Angelos D. Keromytis
2002-06-13 | Remove whitespace from the end of the file. | Angelos D. Keromytis
2002-06-09 | whitespace | Jun-ichiro itojun Hagino
2002-06-09 | Set/clear M_AUTH_AH. | Angelos D. Keromytis
2002-01-23 | disable pmtu for ipsec when the sysctl says so; bug report cjkim2000@yahoo.com | Niels Provos
2001-12-06 | Use hzto() to handle overflow of (hz * timeout) cases --- when using extremely long SA expirations. | Angelos D. Keromytis
2001-08-09 | Don't check the source address on the packet vs. the one on the SA, as this prevents use of ESP in mobility; pointed out on the IETF mailing list by Francis Dupont. | Angelos D. Keromytis
2001-08-08 | Remove IPCOMP option, it's now part of IPSEC option. You still need to enable ipcomp via sysctl to use it. deraadt@ ok. | Jean-Jacques Bernard-Gundol
2001-08-07 | enable ah & esp by default, now that we trust the code more | Theo de Raadt
2001-07-06 | Don't use enc0 interface for IPComp. angelos@ ok. | Jean-Jacques Bernard-Gundol
2001-07-05 | IPComp support. angelos@ ok. | Jean-Jacques Bernard-Gundol
2001-06-26 | KNF | Angelos D. Keromytis
2001-06-25 | Copyright. | Angelos D. Keromytis
2001-06-24 | path mtu discovery for ipsec. on receiving a need fragment icmp match against active tdb and store the ipsec header size corrected mtu | Niels Provos
2001-06-23 | Remove unneeded ip_id conversions. Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment. | Federico G. Schwindt
2001-06-19 | mop up after angelos | Theo de Raadt
2001-06-08 | Trim include files. | Angelos D. Keromytis
2001-06-05 | Add a few DPRINTF()'s | Angelos D. Keromytis
2001-05-29 | Record last use time for SAs. | Angelos D. Keromytis
2001-05-27 | If we are passed a packet tag, it's an IPSEC_IN_CRYPTO_DONE so convert it to IPSEC_IN_DONE, rather than adding a new one. | Angelos D. Keromytis
2001-05-27 | Forgot to convert this tag. | Angelos D. Keromytis
2001-05-20 | Use packet tags to signal input IPsec processing to upper layer protocols. | Angelos D. Keromytis
2001-05-11 | Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok | Aaron Campbell
2001-04-06 | Move offsetof define into sys/param.h | Constantine Sapuntzakis
2001-03-30 | Protect the IF_XXX macros in the callback routines with splimp(). Doh! Thanks to erik@ipunplugged.com | Angelos D. Keromytis
2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) do weird things with mbufs. | Angelos D. Keromytis
2001-03-15 | convert SA expirations to the new timeouts. simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistent throughout the code to be relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | Michael Shalayeff
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis
2000-09-17 | Drop dubious ESP/AH packets without crashing (thanks to dr@kyx.net and mfranz@cisco.com for finding the problem). | Angelos D. Keromytis
2000-07-11 | Correctly handle ip_off; angelos@ | Todd C. Miller
2000-06-20 | do not play with rcvif, if the traffic is non-IPv4. by setting rcvif to enc*, we break IPv6 scope considerations. | Jun-ichiro itojun Hagino
2000-06-19 | correct header chasing code. take care of AH length. | Jun-ichiro itojun Hagino
2000-06-18 | Arguments. | Angelos D. Keromytis
2000-06-18 | Use ip6_sprintf() rather than the home-cooked inet6_ntoa4() | Angelos D. Keromytis
2000-06-18 | IPv6 AH/ESP support, inbound side only. tested with KAME. | Jun-ichiro itojun Hagino