cvs commit: src/sys/netinet in_pcb.c ip_input.c ip_output.c
tcp_output.c tcp_syncache.c src/sys/netinet6 icmp6.c ip6_forward.c
ip6_output.c ipsec.c ipsec.h ipsec6.h nd6.c nd6_nbr.c raw_ip6.c...
Hajimu UMEMOTO
ume at FreeBSD.org
Tue Nov 4 08:02:13 PST 2003
ume 2003/11/04 08:02:05 PST
FreeBSD src repository
Modified files:
sys/netinet in_pcb.c ip_input.c ip_output.c
tcp_output.c tcp_syncache.c
sys/netinet6 icmp6.c ip6_forward.c ip6_output.c
ipsec.c ipsec.h ipsec6.h nd6.c nd6_nbr.c
raw_ip6.c udp6_output.c udp6_usrreq.c
sys/netkey key.c key.h key_debug.c keydb.c keydb.h
Log:
- cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contains
spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to
all SPD entries. make it possible for racoon to grab SPD entry on
pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed
to compare them.
- fixed that the incorrect time was set to
sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- a user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
because key_spdacquire() had been implemented incompletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
XXX in theory refcnt should do the right thing, however, we have
"spdflush" which would touch all SPs. another solution would be to
de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy ->
ipsec_*_pcbpolicy.
- avoid variable name confusion.
(struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
"src" of the spidx specifies ICMP type, and the port field in "dst"
of the spidx specifies ICMP code.
- avoid applying IPsec transport mode to the packets when the
kernel forwards the packets.
Tested by: nork
Obtained from: KAME
Revision Changes Path
1.126 +14 -4 src/sys/netinet/in_pcb.c
1.249 +1 -1 src/sys/netinet/ip_input.c
1.197 +10 -3 src/sys/netinet/ip_output.c
1.80 +7 -0 src/sys/netinet/tcp_output.c
1.44 +5 -1 src/sys/netinet/tcp_syncache.c
1.48 +9 -2 src/sys/netinet6/icmp6.c
1.23 +49 -5 src/sys/netinet6/ip6_forward.c
1.66 +10 -7 src/sys/netinet6/ip6_output.c
1.29 +688 -489 src/sys/netinet6/ipsec.c
1.13 +57 -13 src/sys/netinet6/ipsec.h
1.7 +4 -7 src/sys/netinet6/ipsec6.h
1.36 +4 -0 src/sys/netinet6/nd6.c
1.23 +8 -0 src/sys/netinet6/nd6_nbr.c
1.33 +9 -2 src/sys/netinet6/raw_ip6.c
1.14 +6 -0 src/sys/netinet6/udp6_output.c
1.38 +3 -3 src/sys/netinet6/udp6_usrreq.c
1.57 +652 -515 src/sys/netkey/key.c
1.10 +14 -7 src/sys/netkey/key.h
1.24 +13 -12 src/sys/netkey/key_debug.c
1.5 +76 -3 src/sys/netkey/keydb.c
1.10 +16 -7 src/sys/netkey/keydb.h
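Two of the log items above, "use hash for spi-based lookup" and "clear enc/auth key before freeing", are illustrated by the following added example. It is not code from the FreeBSD or KAME tree; the names (sa_table, sa_entry, secure_zero, sa_selfcheck) are hypothetical, the hash function is an arbitrary mixer, and the key bytes are constructed. The point it demonstrates is that an SA freed by pointer must have its key material wiped with a zeroing routine the compiler cannot elide, because a plain memset() before free() is exactly the dead store an optimiser is allowed to drop.

```c
/* Added example (hypothetical names), not code from the commit above. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define SA_HASH_SIZE 64
#define KEY_MAX 32

struct sa_entry {
    uint32_t spi;                 /* security parameter index, the lookup key */
    uint8_t enc_key[KEY_MAX];
    uint8_t auth_key[KEY_MAX];
    size_t enc_len, auth_len;
    struct sa_entry *next;        /* hash chain */
};

struct sa_table {
    struct sa_entry *buckets[SA_HASH_SIZE];
};

/* Zero memory through a volatile pointer so the stores survive optimisation
 * even though the buffer is freed immediately afterwards. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = p;
    while (n--)
        *vp++ = 0;
}

static unsigned spi_hash(uint32_t spi)
{
    spi ^= spi >> 16;             /* mix bits so nearby SPIs spread out */
    spi *= 0x45d9f3bU;
    spi ^= spi >> 16;
    return spi % SA_HASH_SIZE;
}

struct sa_entry *sa_lookup(struct sa_table *t, uint32_t spi)
{
    for (struct sa_entry *e = t->buckets[spi_hash(spi)]; e; e = e->next)
        if (e->spi == spi)
            return e;
    return NULL;
}

int sa_insert(struct sa_table *t, uint32_t spi, const uint8_t *ek,
              size_t eklen, const uint8_t *ak, size_t aklen)
{
    if (eklen > KEY_MAX || aklen > KEY_MAX || sa_lookup(t, spi))
        return -1;                /* bad length or duplicate SPI */
    struct sa_entry *e = calloc(1, sizeof *e);
    if (!e) return -1;
    e->spi = spi;
    memcpy(e->enc_key, ek, eklen);  e->enc_len = eklen;
    memcpy(e->auth_key, ak, aklen); e->auth_len = aklen;
    unsigned h = spi_hash(spi);
    e->next = t->buckets[h];
    t->buckets[h] = e;
    return 0;
}

/* Unlink the SA and wipe both keys before the block returns to the allocator. */
int sa_remove(struct sa_table *t, uint32_t spi)
{
    for (struct sa_entry **pp = &t->buckets[spi_hash(spi)]; *pp; pp = &(*pp)->next) {
        if ((*pp)->spi == spi) {
            struct sa_entry *e = *pp;
            *pp = e->next;
            secure_zero(e->enc_key, sizeof e->enc_key);
            secure_zero(e->auth_key, sizeof e->auth_key);
            free(e);
            return 0;
        }
    }
    return -1;
}

/* Exercise insert/lookup/remove and the wipe; returns 1 on success. */
int sa_selfcheck(void)
{
    struct sa_table t; memset(&t, 0, sizeof t);
    const uint8_t ek[16] = {1, 2, 3}, ak[20] = {9, 8, 7};   /* constructed keys */
    uint32_t a = 0x1000, b = 0x1000 + SA_HASH_SIZE;          /* may share a bucket */
    if (sa_insert(&t, a, ek, sizeof ek, ak, sizeof ak)) return 0;
    if (sa_insert(&t, b, ek, sizeof ek, ak, sizeof ak)) return 0;
    if (sa_insert(&t, a, ek, sizeof ek, ak, sizeof ak) == 0) return 0;  /* dup */
    struct sa_entry *e = sa_lookup(&t, a);
    if (!e || e->enc_len != 16 || e->enc_key[0] != 1 || sa_lookup(&t, 0x2222)) return 0;
    uint8_t scratch[KEY_MAX]; memcpy(scratch, e->auth_key, KEY_MAX);
    secure_zero(scratch, KEY_MAX);
    for (size_t i = 0; i < KEY_MAX; i++) if (scratch[i]) return 0;
    if (sa_remove(&t, a) || sa_lookup(&t, a) || !sa_lookup(&t, b)) return 0;
    if (sa_remove(&t, a) == 0) return 0;                     /* already gone */
    return sa_remove(&t, b) == 0;
}

int main(void)
{
    printf("sa_selfcheck: %s\n", sa_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Real IPsec stacks key the SA lookup on more than the SPI (destination address and protocol as well), and a production wipe would use the platform's explicit_bzero() or memset_s() rather than a hand-rolled loop; the structure of the remove path, unlink first, wipe, then free, is the part worth carrying over.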