Revision tags: release/6.4.0_cvs, release/6.4.0 |
|
#
8b615593 |
| 02-Oct-2008 |
Marko Zec <zec@FreeBSD.org> |
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduc
Step 1.5 of importing the network stack virtualization infrastructure from the vimage project, as per plan established at devsummit 08/08: http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator macros, and CURVNET_SET() context setting macros, all currently resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a family of SYSCTL_V_*() macros, currently resolving to their global counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header files specific to virtualized subsystems (sys/net/vnet.h, sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this point in time by doing MD5 comparision between pre- and post-change object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec Reviewed by: julian, bz, brooks, kris, rwatson, ... Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
show more ...
|
#
603724d3 |
| 18-Aug-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course of the next few weeks.
Mark all uses of g
Commit step 1 of the vimage project, (network stack) virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course of the next few weeks.
Mark all uses of global variables to be virtualized with a V_ prefix. Use macros to map them back to their global names for now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/... Reviewed by: brooks, des, ed, mav, julian, jamie, kris, rwatson, zec, ... (various people I forgot, different versions) md5 (with a bit of help) Sponsored by: NLnet Foundation, The FreeBSD Foundation X-MFC after: never V_Commit_Message_Reviewed_By: more people than the patch
show more ...
|
#
97c2a697 |
| 12-Aug-2008 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Increase statistic counters for enc0 interface when enabled and processing IPSec traffic.
Approved by: gnn (mentor) MFC after: 1 week
|
#
eaa9325f |
| 24-May-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
In addition to the ipsec_osdep.h removal a week ago, now also eliminate IPSEC_SPLASSERT_SOFTNET which has been 'unused' since FreeBSD 5.0.
|
Revision tags: release/7.0.0_cvs, release/7.0.0, release/6.3.0_cvs, release/6.3.0 |
|
#
19ad9831 |
| 28-Nov-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets.
This is useful in bpf to not
Add sysctls to if_enc(4) to control whether the firewalls or bpf will see inner and outer headers or just inner or outer headers for incoming and outgoing IPsec packets.
This is useful in bpf to not have over long lines for debugging or selcting packets based on the inner headers. It also properly defines the behavior of what the firewalls see.
Last but not least it gives you if_enc(4) for IPv6 as well.
[ As some auxiliary state was not available in the later input path we save it in the tdbi. That way tcpdump can give a consistent view of either of (authentic,confidential) for both before and after states. ]
Discussed with: thompsa (2007-04-25, basic idea of unifying paths) Reviewed by: thompsa, gnn
show more ...
|
#
e61a9df5 |
| 12-Sep-2007 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Fix for an infinite loop in processing ESP, IPv6 packets.
The control input routine passes a NULL as its void argument when it has reached the innermost header, which terminates the loop.
Reported
Fix for an infinite loop in processing ESP, IPv6 packets.
The control input routine passes a NULL as its void argument when it has reached the innermost header, which terminates the loop.
Reported by: Pawel Worach <pawel.worach@gmail.com> Approved by: re
show more ...
|
#
b28cd334 |
| 19-Jul-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Replace hard coded options by their defined PFIL_{IN,OUT} names.
Approved by: re (hrs)
|
#
0e41ce65 |
| 16-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Looking at {ah,esp}_input_cb it seems we might be able to end up without an mtag in ipsec4_common_input_cb. So in case of !IPCOMP (AH,ESP) only change the m_tag_id if an mtag was passed to ipsec4_com
Looking at {ah,esp}_input_cb it seems we might be able to end up without an mtag in ipsec4_common_input_cb. So in case of !IPCOMP (AH,ESP) only change the m_tag_id if an mtag was passed to ipsec4_common_input_cb.
Found with: Coverity Prevent(tm) CID: 2523
show more ...
|
#
ceda1e7c |
| 15-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
s,#,*, in a multi-line comment. This is C. No functional change.
|
#
f4760821 |
| 15-Jun-2007 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Though we are only called for the three security protocols we can handle, document those sprotos using an IPSEC_ASSERT so that it will be clear that 'spi' will always be initialized when used the fir
Though we are only called for the three security protocols we can handle, document those sprotos using an IPSEC_ASSERT so that it will be clear that 'spi' will always be initialized when used the first time.
Found with: Coverity Prevent(tm) CID: 2533
show more ...
|
Revision tags: release/6.2.0_cvs, release/6.2.0 |
|
#
224c45c4 |
| 14-Dec-2006 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
s,#if INET6,#ifdef INET6, This unbreaks the build for FAST_IPSEC && !INET6 and was wrong anyway.
Reported by: Dmitry Pryanishnikov <dmitry atlantis.dp.ua>
|
#
1d54aa3b |
| 12-Dec-2006 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFp4: 92972, 98913 + one more change
In ip6_sprintf no longer use and return one of eight static buffers for printing/logging ipv6 addresses. The caller now has to hand in a sufficiently large buffe
MFp4: 92972, 98913 + one more change
In ip6_sprintf no longer use and return one of eight static buffers for printing/logging ipv6 addresses. The caller now has to hand in a sufficiently large buffer as first argument.
show more ...
|
#
bdea400f |
| 27-Jun-2006 |
Andrew Thompson <thompsa@FreeBSD.org> |
Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump kno
Add a pseudo interface for packet filtering IPSec connections before or after encryption. There are two functions, a bpf tap which has a basic header with the SPI number which our current tcpdump knows how to display, and handoff to pfil(9) for packet filtering.
Obtained from: OpenBSD Based on: kern/94829 No objections: arch, net MFC after: 1 month
show more ...
|
#
49ddabdf |
| 04-Jun-2006 |
Pawel Jakub Dawidek <pjd@FreeBSD.org> |
Change '#if INET' and '#if INET6' to '#ifdef INET' and '#ifdef INET6'. This unbreaks compiling a kernel with FAST_IPSEC and no INET6.
|
#
79bc655b |
| 04-Jun-2006 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Extend the notdef #ifdef to cover the packet copy as there is no point in doing that if we're not doing the rest of the work.
Submitted by: thompsa MFC after: 1 week
|
Revision tags: release/5.5.0_cvs, release/5.5.0, release/6.1.0_cvs, release/6.1.0, release/6.0.0_cvs, release/6.0.0, release/5.4.0_cvs, release/5.4.0, release/4.11.0_cvs, release/4.11.0 |
|
#
c398230b |
| 07-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for license, minor formatting changes
|
Revision tags: release/5.3.0_cvs, release/5.3.0 |
|
#
3161f583 |
| 27-Aug-2004 |
Andre Oppermann <andre@FreeBSD.org> |
Apply error and success logic consistently to the function netisr_queue() and its users.
netisr_queue() now returns (0) on success and ERRNO on failure. At the moment ENXIO (netisr queue not functi
Apply error and success logic consistently to the function netisr_queue() and its users.
netisr_queue() now returns (0) on success and ERRNO on failure. At the moment ENXIO (netisr queue not functional) and ENOBUFS (netisr queue full) are supported.
Previously it would return (1) on success but the return value of IF_HANDOFF() was interpreted wrongly and (0) was actually returned on success. Due to this schednetisr() was never called to kick the scheduling of the isr. However this was masked by other normal packets coming through netisr_dispatch() causing the dequeueing of waiting packets.
PR: kern/70988 Found by: MOROHOSHI Akihiko <moro@remus.dti.ne.jp> MFC after: 3 days
show more ...
|
Revision tags: release/4.10.0_cvs, release/4.10.0, release/5.2.1_cvs, release/5.2.1, release/5.2.0_cvs, release/5.2.0, release/4.9.0_cvs, release/4.9.0 |
|
#
9ffa9677 |
| 30-Sep-2003 |
Sam Leffler <sam@FreeBSD.org> |
MFp4: portability work, general cleanup, locking fixes
change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPS
MFp4: portability work, general cleanup, locking fixes
change 38496 o add ipsec_osdep.h that holds os-specific definitions for portability o s/KASSERT/IPSEC_ASSERT/ for portability o s/SPLASSERT/IPSEC_SPLASSERT/ for portability o remove function names from ASSERT strings since line#+file pinpints the location o use __func__ uniformly to reduce string storage o convert some random #ifdef DIAGNOSTIC code to assertions o remove some debuggging assertions no longer needed
change 38498 o replace numerous bogus panic's with equally bogus assertions that at least go away on a production system
change 38502 + 38530 o change explicit mtx operations to #defines to simplify future changes to a different lock type
change 38531 o hookup ipv4 ctlinput paths to a noop routine; we should be handling path mtu changes at least o correct potential null pointer deref in ipsec4_common_input_cb
chnage 38685 o fix locking for bundled SA's and for when key exchange is required
change 38770 o eliminate recursion on the SAHTREE lock
change 38804 o cleanup some types: long -> time_t o remove refrence to dead #define
change 38805 o correct some types: long -> time_t o add scan generation # to secpolicy to deal with locking issues
change 38806 o use LIST_FOREACH_SAFE instead of handrolled code o change key_flush_spd to drop the sptree lock before purging an entry to avoid lock recursion and to avoid holding the lock over a long-running operation o misc cleanups of tangled and twisty code
There is still much to do here but for now things look to be working again.
Supported by: FreeBSD Foundation
show more ...
|
#
6464079f |
| 01-Sep-2003 |
Sam Leffler <sam@FreeBSD.org> |
Locking and misc cleanups; most of which I've been running for >4 months:
o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_
Locking and misc cleanups; most of which I've been running for >4 months:
o add locking o strip irrelevant spl's o split malloc types to better account for memory use o remove unused IPSEC_NONBLOCK_ACQUIRE code o remove dead code
Sponsored by: FreeBSD Foundation
show more ...
|
#
4dbc6e51 |
| 14-Aug-2003 |
Sam Leffler <sam@FreeBSD.org> |
make sure the packets contains a complete inner header for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec
Submitted by: Markus Friedl <markus@openbsd.org> Obtained f
make sure the packets contains a complete inner header for ip{4,6}-in-ip{4,6} encapsulation; fixes panic for truncated ip-in-ip over ipsec
Submitted by: Markus Friedl <markus@openbsd.org> Obtained from: OpenBSD (rev 1.66 ipsec_input.c)
show more ...
|
Revision tags: release/5.1.0_cvs, release/5.1.0, release/4.8.0_cvs, release/4.8.0 |
|
#
aaea26ef |
| 28-Mar-2003 |
Sam Leffler <sam@FreeBSD.org> |
add missing copyright notices
Noticed by: Robert Watson
|
#
1cafed39 |
| 05-Mar-2003 |
Jonathan Lemon <jlemon@FreeBSD.org> |
Update netisr handling; Each SWI now registers its queue, and all queue drain routines are done by swi_net, which allows for better queue control at some future point. Packets may also be directly d
Update netisr handling; Each SWI now registers its queue, and all queue drain routines are done by swi_net, which allows for better queue control at some future point. Packets may also be directly dispatched to a netisr instead of queued, this may be of interest at some installations, but currently defaults to off.
Reviewed by: hsu, silby, jayanth, sam Sponsored by: DARPA, NAI Labs
show more ...
|
Revision tags: release/5.0.0_cvs, release/5.0.0 |
|
#
e8539d32 |
| 09-Nov-2002 |
Sam Leffler <sam@FreeBSD.org> |
FAST_IPSEC fixups:
o fix #ifdef typo o must use "bounce functions" when dispatched from the protosw table
don't know how this stuff was missed in my testing; must've committed the wrong bits
Point
FAST_IPSEC fixups:
o fix #ifdef typo o must use "bounce functions" when dispatched from the protosw table
don't know how this stuff was missed in my testing; must've committed the wrong bits
Pointy hat: sam Submitted by: "Doug Ambrisko" <ambrisko@verniernetworks.com>
show more ...
|
#
88768458 |
| 16-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment).
Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option.
FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system.
This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system.
Obtained from: KAME + openbsd Supported by: Vernier Networks
show more ...
|