#
1.22 |
|
01-Sep-2023 |
andvar |
fix typos in comments, mainly s/innner/inner/.
|
Revision tags: netbsd-10-base
|
#
1.21 |
|
08-Dec-2022 |
knakahara |
Fix: update lastused of ipsecif(4) IPv6 out SP.
|
#
1.20 |
|
07-Dec-2022 |
knakahara |
gif(4), ipsec(4) and l2tp(4) use encap_attach_addr().
|
Revision tags: bouyer-sunxi-drm-base thorpej-i2c-spi-conf2-base thorpej-futex2-base thorpej-cfargs2-base cjep_sun2x-base1 cjep_sun2x-base cjep_staticlib_x-base1 cjep_staticlib_x-base thorpej-i2c-spi-conf-base thorpej-cfargs-base thorpej-futex-base bouyer-xenpvh-base2 phil-wifi-20200421 bouyer-xenpvh-base1 phil-wifi-20200411 bouyer-xenpvh-base is-mlppp-base phil-wifi-20200406 ad-namecache-base3
|
#
1.19 |
|
31-Jan-2020 |
knakahara |
Fix IPv6 over IPv4 ipsecif(4) uses IPv4 SP wrongly. Pointed out by ohishi@IIJ.
XXX pullup-8, pullup-9
|
Revision tags: ad-namecache-base2 ad-namecache-base1 ad-namecache-base phil-wifi-20191119
|
#
1.18 |
|
01-Nov-2019 |
knakahara |
branches: 1.18.2;
Make global and per-interface ipsecif(4) pmtu tunable like gif(4).
And make hop limit tunable same as gif(4).
See http://mail-index.netbsd.org/source-changes/2019/10/30/msg110426.html
|
#
1.17 |
|
19-Sep-2019 |
knakahara |
Avoid having a rtcache directly in a percpu storage for tunnel protocols.
percpu(9) has a certain memory storage for each CPU and provides it by the piece to users. If the storages went short, percpu(9) enlarges them by allocating new larger memory areas, replacing old ones with them and destroying the old ones. A percpu storage referenced by a pointer gotten via percpu_getref can be destroyed by the mechanism after a running thread sleeps even if percpu_putref has not been called.
Using rtcache, i.e., packet processing, typically involves sleepable operations such as rwlock so we must avoid dereferencing a rtcache that is directly stored in a percpu storage during packet processing. Address this situation by having just a pointer to a rtcache in a percpu storage instead.
Reviewed by ozaki-r@ and yamaguchi@
|
Revision tags: netbsd-9-base phil-wifi-20190609
|
#
1.16 |
|
17-May-2019 |
knakahara |
branches: 1.16.2;
Don't clear calculated Tx tos value for IPv[46] over IPv6.
|
Revision tags: isaki-audio2-base
|
#
1.15 |
|
12-Apr-2019 |
knakahara |
remove a variable which is no longer used.
|
#
1.14 |
|
18-Mar-2019 |
msaitoh |
s/pakcet/packet/ in comment.
|
Revision tags: pgoyette-compat-20190127 pgoyette-compat-20190118
|
#
1.13 |
|
26-Dec-2018 |
knakahara |
ipsecif(4) supports multiple peers in the same NAPT.
E.g. ipsec0 connects between NetBSD_A and NetBSD_B, ipsec1 connects NetBSD_A and NetBSD_C at the following figure.
                                        +----------+
                                   +----| NetBSD_B |
 +----------+           +------+   |    +----------+
 | NetBSD_A |--- ... ---| NAPT |---+
 +----------+           +------+   |    +----------+
                                   +----| NetBSD_C |
                                        +----------+
Add ATF later.
|
Revision tags: pgoyette-compat-1226
|
#
1.12 |
|
07-Dec-2018 |
knakahara |
ipsecif(4) should not increment drop counter by errors not related to if_snd. Pointed out by ozaki-r@n.o, thanks.
|
Revision tags: pgoyette-compat-1126
|
#
1.11 |
|
15-Nov-2018 |
maxv |
Remove the 't' argument from m_tag_find().
|
Revision tags: pgoyette-compat-1020 pgoyette-compat-0930 pgoyette-compat-0906 pgoyette-compat-0728 phil-wifi-base pgoyette-compat-0625
|
#
1.10 |
|
31-May-2018 |
maxv |
branches: 1.10.2;
Remove support for non-IKE markers in the kernel. Discussed on tech-net@, and now in PR/53334. Basically non-IKE markers come from a deprecated draft, and our kernel code for them has never worked.
Setsockopt will now reject UDP_ENCAP_ESPINUDP_NON_IKE.
Perhaps we should also add a check in key_handle_natt_info(), to make sure we also reject UDP_ENCAP_ESPINUDP_NON_IKE in the SADB.
|
Revision tags: pgoyette-compat-0521
|
#
1.9 |
|
09-May-2018 |
maxv |
static const on ipsecif4_encapsw
|
Revision tags: pgoyette-compat-0502
|
#
1.8 |
|
27-Apr-2018 |
knakahara |
Fix LOCKDEBUG kernel panic when many (about 200) tunnel interfaces are created.
The tunnel interfaces are gif(4), l2tp(4), and ipsecif(4). They use mutex itself in percpu area. When percpu_cpu_enlarge() runs, the address of the mutex in percpu area becomes different from the address which lockdebug saved. That can cause "already initialized" false detection.
|
Revision tags: pgoyette-compat-0422 pgoyette-compat-0415 pgoyette-compat-0407
|
#
1.7 |
|
06-Apr-2018 |
knakahara |
Fix unexpected failure when ipsecif(4) over IPv6 is changed port number only.
Here is an example of the operation which causes this problem.
    # ifconfig ipsec0 create link0
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
    # ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
|
#
1.6 |
|
06-Apr-2018 |
knakahara |
Add IPv4 ID when the ipsecif(4) packet can be fragmented. Implemented by hsuenaga@IIJ and ohishi@IIJ, thanks.
This modification reduces packet loss of fragmented packets on a network where reordering occurs.
Although this modification has been applied, IPv4 ID is not set for the packet smaller than IP_MINFRAGSIZE. According to RFC 6864, that must not cause problems.
XXX pullup-8
|
Revision tags: pgoyette-compat-0330 pgoyette-compat-0322 pgoyette-compat-0315
|
#
1.5 |
|
13-Mar-2018 |
knakahara |
comment out confusing (and incorrect) code and add comment. Pointed out by maxv@n.o, thanks.
|
#
1.4 |
|
09-Mar-2018 |
knakahara |
Fix ipsec(4) I/F esp_frag support.
|
#
1.3 |
|
06-Mar-2018 |
knakahara |
Fix fragment processing in ipsec4_fragout(). Pointed out by maxv@n.o, thanks.
XXX need pullup-8
|
Revision tags: pgoyette-compat-base
|
#
1.2 |
|
26-Feb-2018 |
maxv |
branches: 1.2.2;
Merge some minor (mostly stylistic) changes from last week.
|
#
1.1 |
|
10-Jan-2018 |
knakahara |
branches: 1.1.2;
add ipsec(4) interface, which is used for route-based VPN.
man and ATF are added later, please see man for details.
reviewed by christos@n.o, joerg@n.o and ozaki-r@n.o, thanks. https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html
|