| Age | Commit message (Collapse) | Author |
|---|
|
|
|
network to presentation format to inet_ntop().
The few remaining functions will be soon converted.
ok mikeb@, deraadt@ and moral support from henning@
|
|
global variables to in.h.
ok mikeb@, deraadt@
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
|
|
declare them once in their corresponding header file.
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
|
reach the socket that the user has specified in pf.conf.
OK reyk@
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
|
|
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
spotted by bluhm@, ok yasuoka@
|
|
ok yasuoka@ bluhm@
|
|
transport mode IPsec NAT-T.
ok markus
|
|
pass it to the correct raw ip input function if IPsec is disabled.
ok todd@ mpf@ mikeb@ blambert@ matthew@ deraadt@
|
|
endless loops by IPcomp-quine attacks as discovered by Tavis Ormandy;
it also prevents nested IPcomp-IPIP-IPcomp attacks provied by matthew@;
feedback and ok matthew@, deraadt@, djm@, claudio@
|
|
|
|
and make it void.
ok henning@, markus@, mcbride@
|
|
|
|
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
|
|
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
|
recycling an mbuf tag and changing its type. just always get a new one.
theo ok
|
|
#if INET6 => #ifdef INET6
|
|
ok bluhm, fries, mpf; fixes pr 4188
|
|
|
|
of expected semantics. thus, for return packets coming out of an ipsec
tunnel, we need to clear the pf state key pointer in the mbuf header
to prevent a state for encapsulated traffic to be linked to the
decapsulated traffic one.
problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some
time to understand what the hell was going on. ok ryan
|
|
ok bluhm@
|
|
also fix the correction amount. This was only really visible on tcpdump,
as a "truncated-ip6 - 48 bytes missing" warning. The inner packet made
it into the stack just fine, minus a few sanity checks.
reported by and debuged together with and ok todd@
|
|
provide netstat(1) with data it needs; ok claudio reyk
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is knda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnellinng when source-routing header is present.
ok by deraad, naddy, hshoexer
|
|
|
|
the dest IP; PMTU debugging support; ok hshoexer
|
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
|
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
OK markus@, "looks good" hshoexer@
|
|
to bpf with either an address family or other header added.
These helpers only allocate a much smaller struct m_hdr on the stack when
needed, rather than leaving 256 byte struct mbufs on the stack in deep
call paths. Also removes a fair bit of duplicated code.
commit now, tune after deraadt@
|
|
only set and never read), update documentation; ok fgsch, deraadt, millert
|
|
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
|
sin6_scope_id, IPsec porion uses embedded form). beck ok
|
|
allows userland ipsec; tested by sturm@; ok deraadt@, ho@, hshoexer@
|
|
|
|
ok deraadt@
|
