#
1.79 |
|
29-Aug-2022 |
bluhm |
Use struct refcnt for interface address reference counting. There was a crash due to use after free of the ifa although it is ref counted. As ifa_refcnt was a simple integer increment, there may be a path where multiple CPUs access it concurrently. So change to struct refcnt which is MP safe and provides dt(4) leak debugging. Link level address for IPsec enc(4) and various MPLS interfaces is special. There ifa is part of struct sc. Use refcount anyway and add a panic to detect use after free. bug report stsp@; OK mvs@
|
Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE
|
#
1.78 |
|
28-Dec-2020 |
kn |
Remove unused start routine
enc(4) does not use the ifqueue API at all; IPsec packets are directly transformed in the IP input/output routines.
enc_start() is never called (by design) so remove it for clarity.
OK mpi
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.77 |
|
10-Jul-2020 |
patrick |
Change users of IFQ_DEQUEUE(), IFQ_ENQUEUE() and IFQ_LEN() to use the "new" API.
ok dlg@ tobhe@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.76 |
|
24-Jan-2020 |
jsg |
cleanup unused headers generated by config
ok tedu@ krw@ deraadt@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.75 |
|
14-Jul-2019 |
florian |
newlen was a dead store, but what we could use is oldlen to simplify the code. Pointed out by daniel@ with the help of their friend gcc9 OK kn
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.78 |
|
28-Dec-2020 |
kn |
Remove unused start routine
enc(4) does not use the ifqueue API at all; IPsec packets are directly transformed in the IP input/output routines.
enc_start() is never called (by design) so remove it for clarity.
OK mpi
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.77 |
|
10-Jul-2020 |
patrick |
Change users of IFQ_DEQUEUE(), IFQ_ENQUEUE() and IFQ_LEN() to use the "new" API.
ok dlg@ tobhe@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.76 |
|
24-Jan-2020 |
jsg |
cleanup unused headers generated by config
ok tedu@ krw@ deraadt@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.75 |
|
14-Jul-2019 |
florian |
newlen was a dead store, but what we could use is oldlen to simplify the code. Pointed out by daniel@ with the help of their friend gcc9 OK kn
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.77 |
|
10-Jul-2020 |
patrick |
Change users of IFQ_DEQUEUE(), IFQ_ENQUEUE() and IFQ_LEN() to use the "new" API.
ok dlg@ tobhe@
|
Revision tags: OPENBSD_6_7_BASE
|
#
1.76 |
|
24-Jan-2020 |
jsg |
cleanup unused headers generated by config
ok tedu@ krw@ deraadt@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.75 |
|
14-Jul-2019 |
florian |
newlen was a dead store, but what we could use is oldlen to simplify the code. Pointed out by daniel@ with the help of their friend gcc9 OK kn
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.76 |
|
24-Jan-2020 |
jsg |
cleanup unused headers generated by config
ok tedu@ krw@ deraadt@
|
Revision tags: OPENBSD_6_6_BASE
|
#
1.75 |
|
14-Jul-2019 |
florian |
newlen was a dead store, but what we could use is oldlen to simplify the code. Pointed out by daniel@ with the help of their friend gcc9 OK kn
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.75 |
|
14-Jul-2019 |
florian |
newlen was a dead store, but what we could use is oldlen to simplify the code. Pointed out by daniel@ with the help of their friend gcc9 OK kn
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.74 |
|
17-Jun-2019 |
mpi |
free(9) sizes.
ok reyk@
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.73 |
|
08-Jul-2018 |
jca |
"id" is too generic, rename to "rdomain" for clarity and easier grepping
ok benno@ mpi@
|
#
1.72 |
|
08-Jul-2018 |
jca |
Use the same test pattern as for enc_ifps, for consistency
ok denis@
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.71 |
|
25-Jun-2018 |
denis |
Fix a kernelpanic when using rdomain(4) and enc(4)
OK jca@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|
#
1.70 |
|
16-Oct-2017 |
mpi |
Last changes before running IPsec w/o KERNEL_LOCK().
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
|
Revision tags: OPENBSD_6_2_BASE
|
#
1.69 |
|
11-Aug-2017 |
mpi |
Remove NET_LOCK()'s argument.
Tested by Hrvoje Popovski, ok bluhm@
|
#
1.68 |
|
28-May-2017 |
mpi |
Protect the global array of interfaces with the NET_LOCK().
ok sashan@
|
Revision tags: OPENBSD_6_1_BASE
|
#
1.67 |
|
23-Jan-2017 |
mpi |
Flag pseudo-interfaces as such in order to call add_net_randomness() only once per packet.
Fix a regression introduced when if_input() started to be called by every pseudo-driver.
ok claudio@, dlg@
|
#
1.66 |
|
20-Jan-2017 |
mpi |
No need to handle SIOCAIFADDR in drivers, it's never passed down to them.
ok claudio@
|
#
1.65 |
|
04-Sep-2016 |
krw |
Make enc_output() return EAFNOSUPPORT after dropping the packet, instead of 0. Makes it consistent with other similar interfaces.
ok mpi@ vgross@
|
Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
|
#
1.64 |
|
09-Nov-2015 |
dlg |
use IFQ_DEQUEUE to pull of the send queue.
|
#
1.63 |
|
30-Oct-2015 |
bluhm |
Rename rtrequest1() to rtrequest(). OK mpi@
|
#
1.62 |
|
22-Oct-2015 |
mpi |
Kill link_rtrequest(), introduce in 1990 to "fix" the result of rt_getifa() when adding link level route from outside the kernel.
ok claudio@
|
#
1.61 |
|
22-Oct-2015 |
bluhm |
Inspired by satosin(), use inline functions to convert sockaddr dl. Instead of casts they check wether the incoming object has the expected type. So introduce satosdl() and sdltosa() in the kernel. OK mpi@
|
Revision tags: OPENBSD_5_8_BASE
|
#
1.60 |
|
14-Mar-2015 |
jsg |
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
Revision tags: OPENBSD_5_7_BASE
|
#
1.59 |
|
13-Dec-2014 |
doug |
yet more mallocarray() changes.
ok tedu@ deraadt@
|
#
1.58 |
|
08-Dec-2014 |
mpi |
There's no good reason to keep into "struct ifnet" a pointer that's only used by enc(4) devices to attach their routes.
ok sthen@, mikeb@
|
#
1.57 |
|
05-Dec-2014 |
mpi |
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.
ok mikeb@, krw@, bluhm@, tedu@
|
#
1.56 |
|
08-Sep-2014 |
jsg |
remove uneeded route.h includes ok miod@ mpi@
|
Revision tags: OPENBSD_5_6_BASE
|
#
1.55 |
|
12-Jul-2014 |
tedu |
add a size argument to free. will be used soon, but for now default to 0. after discussions with beck deraadt kettenis.
|
#
1.54 |
|
21-May-2014 |
mpi |
Fix IPsec route addition broken since the removal of the link-layer addresses from the per-ifp list.
While here document why enc(4) needs a link-layer address, or at least something that seems to be one.
Found the hard way and fix tested by naddy@, ok mikeb@, henning@
|
Revision tags: OPENBSD_5_5_BASE
|
#
1.53 |
|
27-Sep-2013 |
bluhm |
The error return codes for the enc interface were inconsistent. Always return the appropriate errno. OK reyk@ mikeb@
|
Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE
|
#
1.52 |
|
03-Jul-2010 |
guenther |
Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
#
1.51 |
|
01-Jul-2010 |
reyk |
Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes: - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers. - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel. - Update enc(4) again to use an allocate array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
#
1.50 |
|
01-Jul-2010 |
reyk |
We have to add enc0 to the "enc" interface group manually on boot. Adopted from the loop lo0 code.
|
#
1.49 |
|
29-Jun-2010 |
reyk |
Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
|
#
1.48 |
|
09-Apr-2010 |
oga |
encif is a global variable and thus pre-zeroed, don't bother bzero()ing it after the fact.
ok henning@, claudio@
|
Revision tags: OPENBSD_4_3_BASE OPENBSD_4_4_BASE OPENBSD_4_5_BASE OPENBSD_4_6_BASE OPENBSD_4_7_BASE
|
#
1.47 |
|
20-Dec-2007 |
brad |
return with ENOTTY instead of EINVAL for unknown ioctl requests.
ok claudio@ krw@ jason@ dlg@
|
Revision tags: OPENBSD_4_2_BASE
|
#
1.46 |
|
26-May-2007 |
jason |
one extern seems to be better than 20 for ifqmaxlen; ok krw
|
Revision tags: OPENBSD_4_1_BASE
|
#
1.45 |
|
12-Dec-2006 |
reyk |
ansify the enc code
ok otto@
|
Revision tags: OPENBSD_4_0_BASE
|
#
1.44 |
|
28-Jun-2006 |
claudio |
Kill unused encrtrequest(). OK markus@
|
#
1.43 |
|
04-Mar-2006 |
brad |
With the exception of two other small uncommited diffs this moves the remainder of the network stack from splimp to splnet.
ok miod@
|
Revision tags: OPENBSD_3_8_BASE OPENBSD_3_9_BASE
|
#
1.42 |
|
08-Jun-2005 |
henning |
no more netns handling for the various tunnel devices and loopback
|
Revision tags: OPENBSD_3_7_BASE
|
#
1.41 |
|
15-Sep-2004 |
grange |
Kill more netiso ghosts.
ok millert@
|
Revision tags: OPENBSD_3_4_BASE OPENBSD_3_5_BASE OPENBSD_3_6_BASE SMP_SYNC_A SMP_SYNC_B UBC_SYNC_A
|
#
1.40 |
|
03-May-2003 |
deraadt |
string fixes; tedu ok
|
Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE UBC_SYNC_B
|
#
1.39 |
|
30-Jun-2002 |
itojun |
allocate sockaddr_dl for ifnet in if_alloc_sadl(), as we don't always know the size of sockaddr_dl on if_attach() - for instance, see ether_ifattach(). from netbsd. fgs ok
|
#
1.38 |
|
29-May-2002 |
itojun |
attach nd_ifinfo structure to if_afdata. split IPv6 MTU (advertised by RA) from real link MTU. sync with kame
|
Revision tags: OPENBSD_3_1_BASE
|
#
1.37 |
|
14-Mar-2002 |
millert |
First round of __P removal in sys
|
Revision tags: OPENBSD_3_0_BASE UBC_BASE
|
#
1.36 |
|
27-Jun-2001 |
provos |
branches: 1.36.4; KNF
|
#
1.35 |
|
25-Jun-2001 |
angelos |
Copyright update.
|
#
1.34 |
|
08-Jun-2001 |
angelos |
One more include cleanup, just to piss off Aaron :-)
|
Revision tags: OPENBSD_2_9_BASE
|
#
1.33 |
|
06-Apr-2001 |
csapuntz |
Move offsetof define into sys/param.h
|
#
1.32 |
|
30-Dec-2000 |
angelos |
For bridged IPsec, use the gif* interfaces.
|
Revision tags: OPENBSD_2_8_BASE
|
#
1.31 |
|
20-Jun-2000 |
itojun |
initialize mtu/hlim for enc interface at encattach().
backgronud: inbound ipsec packet will have enc* as m->m_pkthdr.rcvif. when we try to reflect the packet back in the kernel (like icmp6 echo), we'd generate packet toward enc* interface. icmp6_reflect() will take hoplimit value from nd_ifinfo[enc*], which was not initialized by the old code.
XXX the change to m->m_pkthdr.rcvif violates IPv6 scoped routing. we will need to disable it, for at least IPv6.
|
Revision tags: OPENBSD_2_7_BASE
|
#
1.30 |
|
18-Apr-2000 |
angelos |
Stats for bridge output too.
|
#
1.29 |
|
18-Apr-2000 |
angelos |
Sanity check on dequeued mbufs, also keep track of correct interface for statistics purposes.
|
#
1.28 |
|
12-Apr-2000 |
angelos |
Fix checksum for outgoing etherip/ipip packets from enc interfaces.
|
#
1.27 |
|
10-Apr-2000 |
angelos |
Minor oops in sanity logic, IFF_RUNNING is set/unset with IFF_UP, be paranoid with uninitialized variable.
|
#
1.26 |
|
10-Apr-2000 |
angelos |
output routine enqueues and calls start, rather than requeueing for input.
|
#
1.25 |
|
10-Apr-2000 |
angelos |
Typo.
|
#
1.24 |
|
10-Apr-2000 |
angelos |
SIOCAIFADDR.
|
#
1.23 |
|
10-Apr-2000 |
angelos |
Allow setting address.
|
#
1.22 |
|
08-Apr-2000 |
angelos |
If IFF_LINK0 is set, do IP-in-IP instead of Ethernet-in-IP. This will be used to implement overlay networks and more flexible road-warrior support.
|
#
1.21 |
|
17-Mar-2000 |
angelos |
Cryptographic services framework, and software "device driver". The idea is to support various cryptographic hardware accelerators (which may be (detachable) cards, secondary/tertiary/etc processors, software crypto, etc). Supports session migration between crypto devices. What it doesn't (yet) support: - multiple instances of the same algorithm used in the same session - use of multiple crypto drivers in the same session - asymmetric crypto
No support for a userland device yet.
IPsec code path modified to allow for asynchronous cryptography (callbacks used in both input and output processing). Some unrelated code simplification done in the process (especially for AH).
Development of this code kindly supported by Network Security Technologies (NSTI). The code was writen mostly in Greece, and is being committed from Montreal.
|
Revision tags: SMP_BASE
|
#
1.20 |
|
07-Feb-2000 |
itojun |
branches: 1.20.2; fix include file path related to ip6.
|
#
1.19 |
|
25-Jan-2000 |
espie |
Ok, so setsoftnet is md.
Well, on the amiga, setsoftnet *REQUIRES* machine/cpu.h to work... and no include mentioned in those files pulls machine/cpu.h...
Nit-fix: / * INET6 */ -> /* INET6 */
|
#
1.18 |
|
15-Jan-2000 |
angelos |
Can't bind SAs to enc0
|
#
1.17 |
|
07-Jan-2000 |
angelos |
Add missing IF_DROPs
|
#
1.16 |
|
02-Jan-2000 |
angelos |
Properly handle non-IPSEC case.
|
#
1.15 |
|
27-Dec-1999 |
angelos |
Add SRCSA and CLEARSA ioctls.
|
#
1.14 |
|
27-Dec-1999 |
angelos |
Implement ioctls for binding SAs to enc interfaces (to be used with the bridge).
|
Revision tags: kame_19991208
|
#
1.13 |
|
02-Nov-1999 |
angelos |
Fix *stupid* typo/error that was causing the panics in post 2.6, found by art@
|
#
1.12 |
|
29-Oct-1999 |
angelos |
Use enc_softc instead of ifnet for encif.
|
Revision tags: OPENBSD_2_6_BASE
|
#
1.11 |
|
05-Jul-1999 |
deraadt |
remove bogus entry from if_enc address list; and rename enc_softc to encif
|
#
1.10 |
|
16-May-1999 |
niklas |
The enc interface should not be IFF_LOOPBACK, as AH and ESP uses that as receiving interface for filtering
|
Revision tags: OPENBSD_2_4_BASE OPENBSD_2_5_BASE
|
#
1.9 |
|
28-Jun-1998 |
deraadt |
indent
|
#
1.8 |
|
10-Jun-1998 |
provos |
make the packets which were successfully processed by IPSec available to bpf via the enc0 interface, using linktype DLT_ENC.
|
#
1.7 |
|
18-May-1998 |
provos |
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
|
Revision tags: OPENBSD_2_3_BASE
|
#
1.6 |
|
04-Nov-1997 |
provos |
make it easier to add additional transforms. add blowfish and cast encryption. some more info for kernfs/ipsec.
|
Revision tags: OPENBSD_2_2_BASE
|
#
1.5 |
|
11-Jul-1997 |
provos |
put old esp/ah and new esp/ah in different files. generalised way of handling transforms.
|
#
1.4 |
|
01-Jul-1997 |
provos |
major restructuring
|
Revision tags: OPENBSD_2_1_BASE
|
#
1.3 |
|
27-Feb-1997 |
angelos |
BPF support ifdefed.
|
#
1.2 |
|
24-Feb-1997 |
niklas |
OpenBSD tags + some prototyping police
|
#
1.1 |
|
20-Feb-1997 |
deraadt |
IPSEC package by John Ioannidis and Angelos D. Keromytis. Written in Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz
|