Age | Commit message | Author | |
---|---|---|---|
2007-05-28 | double pf performance. | Henning Brauer | |
boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer) thanks to chris for the test setup! ok ryan ryan ckuethe reyk | |||
2007-02-08 | - AH: when computing crypto checksum for output, massage source-routing | Jun-ichiro itojun Hagino | |
header. - ipsec_input: fix mistake in IPv6 next-header chasing. - ipsec_output: look for the position to insert AH more carefully. - ip6_output: enable use of AH with extension headers. avoid tunnelling when source-routing header is present. ok by deraad, naddy, hshoexer | |||
2006-12-15 | make enc(4) count; ok markus@ henning@ deraadt@ | Otto Moerbeek | |
2006-12-05 | do not install pmtu routes for transport mode SAs, as they do not | Markus Friedl | |
the dest IP; PMTU debugging support; ok hshoexer | |||
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated | Reyk Floeter | |
phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | |||
2006-03-25 | allow bpf(4) to ignore packets based on their direction (inbound or | Damien Miller | |
outbound), using a new BIOCSDIRFILT ioctl; guidance, feedback and ok canacar@ | |||
2006-03-04 | With the exception of two other small uncommitted diffs this moves | Brad Smith | |
the remainder of the network stack from splimp to splnet. ok miod@ | |||
2006-01-13 | Path MTU discovery for NAT-T. | Marco Pfatschbacher | |
OK markus@, "looks good" hshoexer@ | |||
2005-07-31 | Introduce bpf_mtap_af and bpf_mtap_hdr to be used when passing a mbuf chain | Christopher Pascoe | |
to bpf with either an address family or other header added. These helpers only allocate a much smaller struct m_hdr on the stack when needed, rather than leaving 256 byte struct mbufs on the stack in deep call paths. Also removes a fair bit of duplicated code. commit now, tune after deraadt@ | |||
2004-11-25 | resolve conflict between M_TUNNEL and M_ANYCAST6, remove M_COMP (it's | Markus Friedl | |
only set and never read), update documentation; ok fgsch, deraadt, millert | |||
2004-06-21 | First step towards more sane time handling in the kernel -- this changes | Thorsten Lockert | |
things such that code that only needs a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@ | |||
2004-06-21 | make it possible to use IPsec over link-local address (policy table uses | Jun-ichiro itojun Hagino | |
sin6_scope_id, IPsec portion uses embedded form). beck ok | |||
2004-04-18 | pass esp/ah/ipcmp to rawip if processing is disabled with sysctl; | Markus Friedl | |
allows userland ipsec; tested by sturm@; ok deraadt@, ho@, hshoexer@ | |||
2004-02-17 | switch to sysctl_int_arr(); ok henning, deraadt | Markus Friedl | |
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) | Markus Friedl | |
ok deraadt@ | |||
2003-07-28 | allow gif(4) over ipsec: mark mbuf for transport mode SA, | Markus Friedl | |
so in_gif_input can detect whether a proto 4 header is due to ipsec tunnel mode or gif(4) encapsulation; fixes pr 3023 ok itojun@. provos@ and angelos@ agree; tested by sturm@ | |||
2003-07-24 | update ip_len to reflect tunnel header removal (lost during ip_len | Markus Friedl | |
flip changes); ok itojun; noticed by jrrs@ice-nine.org | |||
2003-07-09 | do not flip ip_len/ip_off in netinet stack. deraadt ok. | Jun-ichiro itojun Hagino | |
(please test, especially PF portion) | |||
2003-07-08 | make sure the packets contains a complete inner header | Markus Friedl | |
for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec; ok angelos@ | |||
2003-07-04 | knf typo | Markus Friedl | |
2003-05-03 | just as a safety measure, set m_flags to 0 for mbufs allocated on stack. | Jun-ichiro itojun Hagino | |
dhartmei ok | |||
2003-02-20 | knf | Theo de Raadt | |
2003-02-20 | If there's no tag to be reset, don't reset it (avoids a NULL deref in the | Jason Wright | |
IPCOMP case) | |||
2002-06-28 | Fix usage counter for IPCOMP --- sam@errno.com | Angelos D. Keromytis | |
2002-06-25 | Forgot variable. | Angelos D. Keromytis | |
2002-06-25 | Handle correctly return values from xf_input methods --- since the | Angelos D. Keromytis | |
return value was ignored anyway, this wasn't a problem so far. From sam@errno.com | |||
2002-06-13 | Remove whitespace from the end of the file. | Angelos D. Keromytis | |
2002-06-09 | whitespace | Jun-ichiro itojun Hagino | |
2002-06-09 | Set/clear M_AUTH_AH. | Angelos D. Keromytis | |
2002-01-23 | disable pmtu for ipsec when the sysctl says so; bug report cjkim2000@yahoo.com | Niels Provos | |
2001-12-06 | Use hzto() to handle overflow of (hz * timeout) cases --- when using | Angelos D. Keromytis | |
extremely long SA expirations. | |||
2001-08-09 | Don't check the source address on the packet vs. the one on the SA, as | Angelos D. Keromytis | |
this prevents use of ESP in mobility; pointed out on the IETF mailing list by Francis Dupont. | |||
2001-08-08 | Remove IPCOMP option, it's now part of IPSEC option. You still need to | Jean-Jacques Bernard-Gundol | |
enable ipcomp via sysctl to use it. deraadt@ ok. | |||
2001-08-07 | enable ah & esp by default, now that we trust the code more | Theo de Raadt | |
2001-07-06 | Don't use enc0 interface for IPComp. angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-07-05 | IPComp support. angelos@ ok. | Jean-Jacques Bernard-Gundol | |
2001-06-26 | KNF | Angelos D. Keromytis | |
2001-06-25 | Copyright. | Angelos D. Keromytis | |
2001-06-24 | path mtu discovery for ipsec. on receiving a need fragment icmp match | Niels Provos | |
against active tdb and store the ipsec header size corrected mtu | |||
2001-06-23 | Remove unneeded ip_id conversions. | Federico G. Schwindt | |
Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment. | |||
2001-06-19 | mop up after angelos | Theo de Raadt | |
2001-06-08 | Trim include files. | Angelos D. Keromytis | |
2001-06-05 | Add a few DPRINTF()'s | Angelos D. Keromytis | |
2001-05-29 | Record last use time for SAs. | Angelos D. Keromytis | |
2001-05-27 | If we are passed a packet tag, it's an IPSEC_IN_CRYPTO_DONE so convert | Angelos D. Keromytis | |
it to IPSEC_IN_DONE, rather than adding a new one. | |||
2001-05-27 | Forgot to convert this tag. | Angelos D. Keromytis | |
2001-05-20 | Use packet tags to signal input IPsec processing to upper layer protocols. | Angelos D. Keromytis | |
2001-05-11 | Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok | Aaron Campbell | |
2001-04-06 | Move offsetof define into sys/param.h | Constantine Sapuntzakis | |
2001-03-30 | Protect the IF_XXX macros in the callback routines with splimp(). Doh! | Angelos D. Keromytis | |
Thanks to erik@ipunplugged.com |