path: root/sys/netinet/ipsec_output.c
Age | Commit message | Author
2007-06-01 | apply the "skip ipsec if there are no flows" speedup diff to IPv6 too. we need a pointer to the inpcb to decide, which was not previously passed to ip6_output, so this diff is a little bigger. from itojun, ok ryan | Henning Brauer
2007-05-28 | double pf performance. boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer) thanks to chris for the test setup! ok ryan ryan ckuethe reyk | Henning Brauer
2007-02-08 | - AH: when computing crypto checksum for output, massage source-routing header. - ipsec_input: fix mistake in IPv6 next-header chasing. - ipsec_output: look for the position to insert AH more carefully. - ip6_output: enable use of AH with extension headers. avoid tunnelling when source-routing header is present. ok by deraad, naddy, hshoexer | Jun-ichiro itojun Hagino
2006-12-19 | TDBF_USEDTUNNEL flag manipulation was inside #ifdef INET. it applies to INET6 too, so move it outside. markus ok | Jun-ichiro itojun Hagino
2006-12-05 | do not install pmtu routes for transport mode SAs, as they do not the dest IP; PMTU debugging support; ok hshoexer | Markus Friedl
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2005-04-12 | handle PMTU for ipip SAs, too; ok hshoexer, cloder | Markus Friedl
2004-09-24 | pmtu support for udpencap; ok hshoexer, ho | Markus Friedl
2004-06-26 | Default enable udpencap. Add 'disable' sysctl to sysctl.conf. markus@ ok. | Hakan Olsson
2004-06-21 | First step towards more sane time handling in the kernel -- this changes things such that code that only need a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@ | Thorsten Lockert
2004-06-21 | don't send UDP encapsulated packets w/o UDP header if encap is disabled; ok ho@ | Markus Friedl
2003-12-02 | UDP encapsulation for ESP in transport mode (draft-ietf-ipsec-udp-encaps-XX.txt) ok deraadt@ | Markus Friedl
2003-07-09 | do not flip ip_len/ip_off in netinet stack. deraadt ok. (please test, especially PF portion) | Jun-ichiro itojun Hagino
2003-02-19 | add a counter for times ipcomp is skipped because the packet is below the minimum compression threshold. | Jason Wright
2002-08-28 | Fix a problem where passing NULL as a pointer with varargs does not promote NULL to full 64 bits on a 64 bit address system. Solution is to add a (void *) cast before NULL. This makes a 64 bit MIPS kernel work and will probably help future 64 bit ports as well. OK from art@ | Per Fogelstrom
2002-07-01 | Move mtod() after the m_pullup() --- noted by sam@errno.com (who seems to be going over the IPsec code with a magnifying glass) | Angelos D. Keromytis
2002-06-19 | Remove redundant address family check -- sam@errno.com | Angelos D. Keromytis
2002-06-09 | whitespace | Jun-ichiro itojun Hagino
2002-02-19 | IPsec is written ``IPsec'', not ``IPSec''. | Miod Vallat
2001-12-06 | Use hzto() to handle overflow of (hz * timeout) cases --- when using extremely long SA expirations. | Angelos D. Keromytis
2001-08-08 | Remove IPCOMP option, it's now part of IPSEC option. You still need to enable ipcomp via sysctl to use it. deraadt@ ok. | Jean-Jacques Bernard-Gundol
2001-07-05 | IPComp support. angelos@ ok. | Jean-Jacques Bernard-Gundol
2001-06-26 | KNF | Angelos D. Keromytis
2001-06-25 | Copyright. | Angelos D. Keromytis
2001-06-24 | path mtu discovery for ipsec. on receiving a need fragment icmp match against active tdb and store the ipsec header size corrected mtu | Niels Provos
2001-06-08 | Trim include files. | Angelos D. Keromytis
2001-05-30 | Update to match prototypes. | Angelos D. Keromytis
2001-05-29 | Record last use time for SAs. | Angelos D. Keromytis
2001-05-28 | Don't use IPV6_ENCAPSULATED, tags are used instead. | Angelos D. Keromytis
2001-05-27 | New tags. | Angelos D. Keromytis
2001-05-22 | Add an IPSEC_NEEDED tag if SKIPCRYPTO is set in the TDB | Angelos D. Keromytis
2001-05-20 | Record outgoing SA processing, do loop detection. | Angelos D. Keromytis
2001-05-11 | Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok | Aaron Campbell
2001-04-14 | Minor changes, preparing for real socket-attached TDBs; also, more information will be stored in the TDB. ok ho@ provos@ | Angelos D. Keromytis
2001-04-06 | Move offsetof define into sys/param.h | Constantine Sapuntzakis
2001-03-28 | Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs. | Angelos D. Keromytis
2001-03-15 | convert SA expirations to the new timeouts. simplifies expirations handling a lot. tdb_exp_timeout and tdb_soft_timeout are made consistent throughout the code to be a relative time offsets, just like first_use timeouts. tested on singlehost isakmpd setup. lots of dangling spaces and tabs removed. angelos@ ok | Michael Shalayeff
2000-09-19 | SA bundles. | Angelos D. Keromytis
2000-09-19 | Lots and lots of changes. | Angelos D. Keromytis