svn commit: r313361 - in projects/netbsd-tests-upstream-01-2017: . bin/ed contrib/netcat etc lib/libipsec lib/libstand sbin/ifconfig sbin/kldload sbin/setkey secure/usr.bin secure/usr.bin/bdes shar...
Ngie Cooper
ngie at FreeBSD.org
Tue Feb 7 01:33:43 UTC 2017
Author: ngie
Date: Tue Feb 7 01:33:39 2017
New Revision: 313361
URL: https://svnweb.freebsd.org/changeset/base/313361
Log:
MFhead at r313360
Added:
projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c
- copied unchanged from r313360, head/sbin/ifconfig/ifipsec.c
projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4
- copied unchanged from r313360, head/share/man/man4/if_ipsec.4
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_notif_wait.c
- copied unchanged from r313360, head/sys/dev/iwm/if_iwm_notif_wait.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_notif_wait.h
- copied unchanged from r313360, head/sys/dev/iwm/if_iwm_notif_wait.h
projects/netbsd-tests-upstream-01-2017/sys/modules/ipsec/
- copied from r313360, head/sys/modules/ipsec/
projects/netbsd-tests-upstream-01-2017/sys/modules/tcp/tcpmd5/
- copied from r313360, head/sys/modules/tcp/tcpmd5/
projects/netbsd-tests-upstream-01-2017/sys/net/if_ipsec.c
- copied unchanged from r313360, head/sys/net/if_ipsec.c
projects/netbsd-tests-upstream-01-2017/sys/net/if_ipsec.h
- copied unchanged from r313360, head/sys/net/if_ipsec.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_mod.c
- copied unchanged from r313360, head/sys/netipsec/ipsec_mod.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_pcb.c
- copied unchanged from r313360, head/sys/netipsec/ipsec_pcb.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_support.h
- copied unchanged from r313360, head/sys/netipsec/ipsec_support.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/subr_ipsec.c
- copied unchanged from r313360, head/sys/netipsec/subr_ipsec.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/udpencap.c
- copied unchanged from r313360, head/sys/netipsec/udpencap.c
Deleted:
projects/netbsd-tests-upstream-01-2017/secure/usr.bin/bdes/
projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_ipsec.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_ipsec.h
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_ipsec.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_ipsec.h
Modified:
projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc
projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1
projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c
projects/netbsd-tests-upstream-01-2017/etc/devd.conf
projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c
projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c
projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h
projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile
projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c
projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8
projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile
projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile
projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4
projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4
projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4
projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_syscall.h
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_syscalls.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_sysent.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_systrace_args.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/syscalls.master
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_dummy.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_proto.h
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_syscall.h
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_syscalls.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_sysent.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_systrace_args.c
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/syscalls.master
projects/netbsd-tests-upstream-01-2017/sys/arm/arm/identcpu-v4.c
projects/netbsd-tests-upstream-01-2017/sys/arm/include/counter.h
projects/netbsd-tests-upstream-01-2017/sys/arm64/arm64/cpufunc_asm.S
projects/netbsd-tests-upstream-01-2017/sys/arm64/include/counter.h
projects/netbsd-tests-upstream-01-2017/sys/arm64/include/cpufunc.h
projects/netbsd-tests-upstream-01-2017/sys/boot/common/bcache.c
projects/netbsd-tests-upstream-01-2017/sys/boot/common/bootstrap.h
projects/netbsd-tests-upstream-01-2017/sys/boot/common/disk.c
projects/netbsd-tests-upstream-01-2017/sys/boot/common/part.c
projects/netbsd-tests-upstream-01-2017/sys/boot/common/part.h
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/include/efilib.h
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/libefi/devpath.c
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/libefi/efipart.c
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/conf.c
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/devicename.c
projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/main.c
projects/netbsd-tests-upstream-01-2017/sys/boot/i386/btx/lib/btxv86.h
projects/netbsd-tests-upstream-01-2017/sys/boot/i386/libi386/bioscd.c
projects/netbsd-tests-upstream-01-2017/sys/boot/i386/libi386/biosdisk.c
projects/netbsd-tests-upstream-01-2017/sys/boot/usb/storage/umass_loader.c
projects/netbsd-tests-upstream-01-2017/sys/boot/zfs/zfs.c
projects/netbsd-tests-upstream-01-2017/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace_xoroshiro128_plus.h
projects/netbsd-tests-upstream-01-2017/sys/compat/cloudabi/cloudabi_mem.c
projects/netbsd-tests-upstream-01-2017/sys/compat/freebsd32/freebsd32_misc.c
projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_file.c
projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_misc.c
projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_mmap.c
projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_socket.h
projects/netbsd-tests-upstream-01-2017/sys/conf/NOTES
projects/netbsd-tests-upstream-01-2017/sys/conf/files
projects/netbsd-tests-upstream-01-2017/sys/conf/files.amd64
projects/netbsd-tests-upstream-01-2017/sys/conf/files.arm
projects/netbsd-tests-upstream-01-2017/sys/conf/files.arm64
projects/netbsd-tests-upstream-01-2017/sys/conf/files.i386
projects/netbsd-tests-upstream-01-2017/sys/conf/files.mips
projects/netbsd-tests-upstream-01-2017/sys/conf/files.powerpc
projects/netbsd-tests-upstream-01-2017/sys/conf/files.riscv
projects/netbsd-tests-upstream-01-2017/sys/conf/files.sparc64
projects/netbsd-tests-upstream-01-2017/sys/conf/kern.opts.mk
projects/netbsd-tests-upstream-01-2017/sys/conf/options
projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/t4_main.c
projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_connect.c
projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_listen.c
projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_tom.c
projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_tom.h
projects/netbsd-tests-upstream-01-2017/sys/dev/gxemul/disk/gxemul_disk.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_mac_ctxt.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_pcie_trans.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_ctxt.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_db.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_db.h
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_scan.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_util.c
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_util.h
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwmreg.h
projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwmvar.h
projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/uftdi.c
projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/usb_serial.c
projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/usb_serial.h
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_dummy.c
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_proto.h
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_syscall.h
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_syscalls.c
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_sysent.c
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_systrace_args.c
projects/netbsd-tests-upstream-01-2017/sys/i386/linux/syscalls.master
projects/netbsd-tests-upstream-01-2017/sys/kern/kern_cpuset.c
projects/netbsd-tests-upstream-01-2017/sys/kern/kern_mutex.c
projects/netbsd-tests-upstream-01-2017/sys/kern/kern_rwlock.c
projects/netbsd-tests-upstream-01-2017/sys/kern/kern_sx.c
projects/netbsd-tests-upstream-01-2017/sys/kern/subr_intr.c
projects/netbsd-tests-upstream-01-2017/sys/kern/vfs_mountroot.c
projects/netbsd-tests-upstream-01-2017/sys/kern/vfs_subr.c
projects/netbsd-tests-upstream-01-2017/sys/mips/include/atomic.h
projects/netbsd-tests-upstream-01-2017/sys/modules/Makefile
projects/netbsd-tests-upstream-01-2017/sys/modules/iwm/Makefile
projects/netbsd-tests-upstream-01-2017/sys/net/pfkeyv2.h
projects/netbsd-tests-upstream-01-2017/sys/netinet/in_pcb.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/in_proto.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_input.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_output.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/raw_ip.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_input.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_os_bsd.h
projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_pcb.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_input.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_output.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_stacks/fastpath.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_subr.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_syncache.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_usrreq.c
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_var.h
projects/netbsd-tests-upstream-01-2017/sys/netinet/udp.h
projects/netbsd-tests-upstream-01-2017/sys/netinet/udp_usrreq.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/in6.h
projects/netbsd-tests-upstream-01-2017/sys/netinet6/in6_proto.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_forward.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_input.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_output.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/raw_ip6.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/sctp6_usrreq.c
projects/netbsd-tests-upstream-01-2017/sys/netinet6/udp6_usrreq.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec6.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_input.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_mbuf.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_output.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/key.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/key.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/key_debug.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/key_debug.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/keydb.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/keysock.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform.h
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_ah.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_esp.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_ipcomp.c
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_tcp.c
projects/netbsd-tests-upstream-01-2017/sys/netpfil/ipfw/dn_heap.h
projects/netbsd-tests-upstream-01-2017/sys/sys/lockstat.h
projects/netbsd-tests-upstream-01-2017/sys/sys/mutex.h
projects/netbsd-tests-upstream-01-2017/sys/sys/rwlock.h
projects/netbsd-tests-upstream-01-2017/sys/sys/sdt.h
projects/netbsd-tests-upstream-01-2017/sys/sys/sx.h
projects/netbsd-tests-upstream-01-2017/sys/sys/syscallsubr.h
projects/netbsd-tests-upstream-01-2017/sys/vm/vm_extern.h
projects/netbsd-tests-upstream-01-2017/sys/vm/vm_mmap.c
projects/netbsd-tests-upstream-01-2017/tools/tools/nanobsd/embedded/common
projects/netbsd-tests-upstream-01-2017/usr.bin/Makefile
projects/netbsd-tests-upstream-01-2017/usr.bin/enigma/enigma.1
projects/netbsd-tests-upstream-01-2017/usr.bin/gzip/unxz.c
projects/netbsd-tests-upstream-01-2017/usr.bin/netstat/inet.c
projects/netbsd-tests-upstream-01-2017/usr.bin/sed/main.c
projects/netbsd-tests-upstream-01-2017/usr.sbin/syslogd/syslogd.c
Directory Properties:
projects/netbsd-tests-upstream-01-2017/ (props changed)
projects/netbsd-tests-upstream-01-2017/contrib/netcat/ (props changed)
projects/netbsd-tests-upstream-01-2017/sys/cddl/contrib/opensolaris/ (props changed)
Modified: projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc Tue Feb 7 01:33:39 2017 (r313361)
@@ -38,6 +38,13 @@
# xargs -n1 | sort | uniq -d;
# done
+# 20170206: remove bdes(1)
+OLD_FILES+=usr/bin/bdes
+OLD_FILES+=usr/lib/debug/usr/bin/bdes.debug
+OLD_FILES+=usr/share/man/man1/bdes.1.gz
+# 20170206: merged projects/ipsec
+OLD_FILES+=usr/include/netinet/ip_ipsec.h
+OLD_FILES+=usr/include/netinet6/ip6_ipsec.h
# 20170128: remove pc98 support
OLD_FILES+=usr/include/dev/ic/i8251.h
OLD_FILES+=usr/include/dev/ic/i8255.h
Modified: projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 Tue Feb 7 01:33:39 2017 (r313361)
@@ -1,5 +1,5 @@
.\" $FreeBSD$
-.Dd October 2, 2016
+.Dd February 5, 2017
.Dt ED 1
.Os
.Sh NAME
@@ -871,9 +871,6 @@ writes.
If a newline alone is entered as the key, then encryption is
turned off.
Otherwise, echoing is disabled while a key is read.
-Encryption/decryption is done using the
-.Xr bdes 1
-algorithm.
.It Pf (.+1)z n
Scroll
.Ar n
@@ -962,7 +959,6 @@ results in an error.
If the command is entered a second time, it succeeds,
but any changes to the buffer are lost.
.Sh SEE ALSO
-.Xr bdes 1 ,
.Xr sed 1 ,
.Xr sh 1 ,
.Xr vi 1 ,
Modified: projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -131,7 +131,7 @@ ssize_t drainbuf(int, unsigned char *, s
ssize_t fillbuf(int, unsigned char *, size_t *);
#ifdef IPSEC
-void add_ipsec_policy(int, char *);
+void add_ipsec_policy(int, int, char *);
char *ipsec_policy[2];
#endif
@@ -642,12 +642,6 @@ remote_connect(const char *host, const c
if ((s = socket(res0->ai_family, res0->ai_socktype,
res0->ai_protocol)) < 0)
continue;
-#ifdef IPSEC
- if (ipsec_policy[0] != NULL)
- add_ipsec_policy(s, ipsec_policy[0]);
- if (ipsec_policy[1] != NULL)
- add_ipsec_policy(s, ipsec_policy[1]);
-#endif
if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_SETFIB,
&rtableid, sizeof(rtableid)) == -1))
@@ -765,12 +759,7 @@ local_listen(char *host, char *port, str
ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x));
if (ret == -1)
err(1, NULL);
-#ifdef IPSEC
- if (ipsec_policy[0] != NULL)
- add_ipsec_policy(s, ipsec_policy[0]);
- if (ipsec_policy[1] != NULL)
- add_ipsec_policy(s, ipsec_policy[1]);
-#endif
+
if (FreeBSD_Oflag) {
if (setsockopt(s, IPPROTO_TCP, TCP_NOOPT,
&FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
@@ -1235,6 +1224,12 @@ set_common_sockopts(int s, int af)
&FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1)
err(1, "disable TCP options");
}
+#ifdef IPSEC
+ if (ipsec_policy[0] != NULL)
+ add_ipsec_policy(s, af, ipsec_policy[0]);
+ if (ipsec_policy[1] != NULL)
+ add_ipsec_policy(s, af, ipsec_policy[1]);
+#endif
}
int
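Review bot: With the calls removed from remote_connect() and local_listen(), the block added at the end of set_common_sockopts() is the only place the `ipsec_policy[]` entries are applied, and nothing visible here shows that every socket-creating path reaches it before connect()/bind(). A path that skips set_common_sockopts() would send traffic without the requested policy and report no error. Once the call sites are confirmed, a comment above the `#ifdef IPSEC` block such as `/* Sole place the IPsec policy is applied; must run before connect()/bind() on every socket. */` would record the invariant. The body of set_common_sockopts() starts outside this hunk.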
@@ -1360,7 +1355,7 @@ help(void)
#ifdef IPSEC
void
-add_ipsec_policy(int s, char *policy)
+add_ipsec_policy(int s, int af, char *policy)
{
char *raw;
int e;
@@ -1369,8 +1364,12 @@ add_ipsec_policy(int s, char *policy)
if (raw == NULL)
errx(1, "ipsec_set_policy `%s': %s", policy,
ipsec_strerror());
- e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
- ipsec_get_policylen(raw));
+ if (af == AF_INET)
+ e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
+ ipsec_get_policylen(raw));
+ if (af == AF_INET6)
+ e = setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, raw,
+ ipsec_get_policylen(raw));
if (e < 0)
err(1, "ipsec policy cannot be configured");
free(raw);
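Review bot: `e` is read uninitialised at `if (e < 0)` when `af` is neither AF_INET nor AF_INET6, because the two new `if` statements are independent and `int e;` in the preceding hunk's context has no initialiser. Whether set_common_sockopts() can pass another family is not visible here, so the fall-through should be explicit: make the second test `else if (af == AF_INET6)` and add `else errx(1, "ipsec policy: unsupported address family %d", af);`. Failing closed there also keeps a socket from proceeding without the policy the user asked for. The function's closing brace lies outside the hunk.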
Modified: projects/netbsd-tests-upstream-01-2017/etc/devd.conf
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/etc/devd.conf Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/etc/devd.conf Tue Feb 7 01:33:39 2017 (r313361)
@@ -272,7 +272,7 @@ nomatch 10 {
match "bus" "pccard[0-9]+";
match "manufacturer" "0x1234";
match "product" "0x2323";
- action "kldload if_deqna";
+ action "kldload -n if_deqna";
};
attach 10 {
device-name "deqna[0-9]+";
Modified: projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -1776,21 +1776,17 @@ pfkey_align(msg, mhp)
case SADB_EXT_SPIRANGE:
case SADB_X_EXT_POLICY:
case SADB_X_EXT_SA2:
- case SADB_X_EXT_SA_REPLAY:
- mhp[ext->sadb_ext_type] = (caddr_t)ext;
- break;
case SADB_X_EXT_NAT_T_TYPE:
case SADB_X_EXT_NAT_T_SPORT:
case SADB_X_EXT_NAT_T_DPORT:
- /* case SADB_X_EXT_NAT_T_OA: is OAI */
case SADB_X_EXT_NAT_T_OAI:
case SADB_X_EXT_NAT_T_OAR:
case SADB_X_EXT_NAT_T_FRAG:
- if (feature_present("ipsec_natt")) {
- mhp[ext->sadb_ext_type] = (caddr_t)ext;
- break;
- }
- /* FALLTHROUGH */
+ case SADB_X_EXT_SA_REPLAY:
+ case SADB_X_EXT_NEW_ADDRESS_SRC:
+ case SADB_X_EXT_NEW_ADDRESS_DST:
+ mhp[ext->sadb_ext_type] = (caddr_t)ext;
+ break;
default:
__ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
return -1;
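Review bot: The `case` labels are the only visible guard on the index in `mhp[ext->sadb_ext_type] = (caddr_t)ext;`, and this hunk adds SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST to them. How callers size `mhp` is not shown. If it is dimensioned from SADB_EXT_MAX, confirm that the sys/net/pfkeyv2.h change in this commit raises SADB_EXT_MAX to cover the two new values, otherwise the store lands past the array. Once confirmed, a comment above the switch such as `/* every type accepted below must be <= SADB_EXT_MAX, which bounds mhp[] */` would keep the invariant visible to whoever adds the next extension. The switch opens, and pfkey_align() continues, outside the hunk.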
Modified: projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -220,6 +220,9 @@ pfkey_sadump(m)
struct sadb_ident *m_sid, *m_did;
struct sadb_sens *m_sens;
struct sadb_x_sa_replay *m_sa_replay;
+ struct sadb_x_nat_t_type *natt_type;
+ struct sadb_x_nat_t_port *natt_sport, *natt_dport;
+ struct sadb_address *natt_oai, *natt_oar;
/* check pfkey message. */
if (pfkey_align(m, mhp)) {
@@ -245,33 +248,46 @@ pfkey_sadump(m)
m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST];
m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY];
m_sa_replay = (struct sadb_x_sa_replay *)mhp[SADB_X_EXT_SA_REPLAY];
+ natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE];
+ natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT];
+ natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT];
+ natt_oai = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAI];
+ natt_oar = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAR];
+
/* source address */
if (m_saddr == NULL) {
printf("no ADDRESS_SRC extension.\n");
return;
}
- printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+ printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1)));
+ if (natt_type != NULL && natt_sport != NULL)
+ printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port));
/* destination address */
if (m_daddr == NULL) {
- printf("no ADDRESS_DST extension.\n");
+ printf("\nno ADDRESS_DST extension.\n");
return;
}
- printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+ printf(" %s", str_ipaddr((struct sockaddr *)(m_daddr + 1)));
+ if (natt_type != NULL && natt_dport != NULL)
+ printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port));
/* SA type */
if (m_sa == NULL) {
- printf("no SA extension.\n");
+ printf("\nno SA extension.\n");
return;
}
if (m_sa2 == NULL) {
- printf("no SA2 extension.\n");
+ printf("\nno SA2 extension.\n");
return;
}
printf("\n\t");
- GETMSGSTR(str_satype, m->sadb_msg_satype);
+ if (m->sadb_msg_satype == SADB_SATYPE_ESP && natt_type != NULL)
+ printf("esp-udp ");
+ else
+ GETMSGSTR(str_satype, m->sadb_msg_satype);
printf("mode=");
GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode);
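Review bot: The `esp-udp` label and the `[port]` suffixes are keyed only on `natt_type != NULL`; the value carried in the extension is never inspected, so any NAT-T type would be printed as ESP-in-UDP. If more than one encapsulation type can appear, compare the field, e.g. `natt_type->sadb_x_nat_t_type_type == UDP_ENCAP_ESPINUDP` (from netinet/udp.h), or add a comment saying presence alone is the intended test. The new reads of `natt_sport->sadb_x_nat_t_port_port` and `natt_dport->sadb_x_nat_t_port_port`, and the `natt_oai + 1` / `natt_oar + 1` casts in the next hunk, assume pfkey_align() has checked that each extension is at least as large as the structure it is cast to. That check is not visible here. pfkey_sadump() starts before and continues after this hunk.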
@@ -282,6 +298,18 @@ pfkey_sadump(m)
(u_int32_t)m_sa2->sadb_x_sa2_reqid,
(u_int32_t)m_sa2->sadb_x_sa2_reqid);
+ /* other NAT-T information */
+ if (natt_type != NULL && (natt_oai != NULL || natt_oar != NULL)) {
+ printf("\tNAT:");
+ if (natt_oai != NULL)
+ printf(" OAI=%s",
+ str_ipaddr((struct sockaddr *)(natt_oai + 1)));
+ if (natt_oar != NULL)
+ printf(" OAR=%s",
+ str_ipaddr((struct sockaddr *)(natt_oar + 1)));
+ printf("\n");
+ }
+
/* encryption key */
if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) {
printf("\tC: ");
Modified: projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h Tue Feb 7 01:33:39 2017 (r313361)
@@ -168,6 +168,7 @@ struct devdesc
#define DEVT_NET 2
#define DEVT_CD 3
#define DEVT_ZFS 4
+#define DEVT_FD 5
int d_unit;
void *d_opendata;
};
Modified: projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile Tue Feb 7 01:33:39 2017 (r313361)
@@ -34,6 +34,7 @@ SRCS+= ifvlan.c # SIOC[GS]ETVLAN suppor
SRCS+= ifvxlan.c # VXLAN support
SRCS+= ifgre.c # GRE keys etc
SRCS+= ifgif.c # GIF reversed header workaround
+SRCS+= ifipsec.c # IPsec VTI
SRCS+= sfp.c # SFP/SFP+ information
LIBADD+= m
Copied: projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c (from r313360, head/sbin/ifconfig/ifipsec.c)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c Tue Feb 7 01:33:39 2017 (r313361, copy of r313360, head/sbin/ifconfig/ifipsec.c)
@@ -0,0 +1,101 @@
+/*-
+ * Copyright (c) 2016 Yandex LLC
+ * Copyright (c) 2016 Andrey V. Elsukov <ae at FreeBSD.org>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/param.h>
+#include <sys/ioctl.h>
+#include <sys/socket.h>
+#include <sys/sockio.h>
+#include <sys/stdint.h>
+
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <net/ethernet.h>
+#include <net/if.h>
+#include <net/if_ipsec.h>
+#include <net/route.h>
+
+#include <ctype.h>
+#include <stdio.h>
+#include <string.h>
+#include <err.h>
+#include <errno.h>
+
+#include "ifconfig.h"
+
+static void
+ipsec_status(int s)
+{
+ uint32_t reqid;
+
+ ifr.ifr_data = (caddr_t)&reqid;
+ if (ioctl(s, IPSECGREQID, &ifr) == -1)
+ return;
+ printf("\treqid: %u\n", reqid);
+}
+
+static
+DECL_CMD_FUNC(setreqid, val, arg)
+{
+ char *ep;
+ uint32_t v;
+
+ v = strtoul(val, &ep, 0);
+ if (*ep != '\0') {
+ warn("Invalid reqid value %s", val);
+ return;
+ }
+ ifr.ifr_data = (char *)&v;
+ if (ioctl(s, IPSECSREQID, &ifr) == -1) {
+ warn("ioctl(IPSECSREQID)");
+ return;
+ }
+}
+
+static struct cmd ipsec_cmds[] = {
+ DEF_CMD_ARG("reqid", setreqid),
+};
+
+static struct afswtch af_ipsec = {
+ .af_name = "af_ipsec",
+ .af_af = AF_UNSPEC,
+ .af_other_status = ipsec_status,
+};
+
+static __constructor void
+ipsec_ctor(void)
+{
+ size_t i;
+
+ for (i = 0; i < nitems(ipsec_cmds); i++)
+ cmd_register(&ipsec_cmds[i]);
+ af_register(&af_ipsec);
+#undef N
+}
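Review bot: In `setreqid`, the result of `strtoul()` is assigned straight to a `uint32_t`, and the only validation is `*ep != '\0'`. An empty argument therefore parses as 0, a value above UINT32_MAX is silently truncated where `unsigned long` is 64-bit, and ERANGE is never checked, so the reqid sent with IPSECSREQID can differ from what the operator typed. The rejection path also uses `warn()`, which appends an unrelated errno string; `warnx()` fits a parse error. Separately, the `#undef N` in `ipsec_ctor` has no matching `#define` in this file and can be dropped.

```c
DECL_CMD_FUNC(setreqid, val, arg)
{
	char *ep;
	unsigned long ul;
	uint32_t v;

	errno = 0;
	ul = strtoul(val, &ep, 0);
	if (errno != 0 || ep == val || *ep != '\0' || ul > UINT32_MAX) {
		warnx("Invalid reqid value %s", val);
		return;
	}
	v = (uint32_t)ul;
	/* … unchanged: ifr.ifr_data setup and IPSECSREQID ioctl … */
}
```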
Modified: projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -41,9 +41,6 @@ __FBSDID("$FreeBSD$");
#define PATHCTL "kern.module_path"
-static int path_check(const char *, int);
-static void usage(void);
-
/*
* Check to see if the requested module is specified as a filename with no
* path. If so and if a file by the same name exists in the module path,
@@ -52,43 +49,37 @@ static void usage(void);
static int
path_check(const char *kldname, int quiet)
{
- int mib[5], found;
- size_t miblen, pathlen;
- char kldpath[MAXPATHLEN];
char *path, *tmppath, *element;
struct stat sb;
+ int mib[5];
+ char kldpath[MAXPATHLEN];
+ size_t miblen, pathlen;
dev_t dev;
ino_t ino;
+ int found;
- if (strchr(kldname, '/') != NULL) {
+ if (strchr(kldname, '/') != NULL)
return (0);
- }
- if (strstr(kldname, ".ko") == NULL) {
+ if (strstr(kldname, ".ko") == NULL)
return (0);
- }
- if (stat(kldname, &sb) != 0) {
+ if (stat(kldname, &sb) != 0)
return (0);
- }
found = 0;
dev = sb.st_dev;
ino = sb.st_ino;
miblen = nitems(mib);
- if (sysctlnametomib(PATHCTL, mib, &miblen) != 0) {
+ if (sysctlnametomib(PATHCTL, mib, &miblen) != 0)
err(1, "sysctlnametomib(%s)", PATHCTL);
- }
- if (sysctl(mib, miblen, NULL, &pathlen, NULL, 0) == -1) {
+ if (sysctl(mib, miblen, NULL, &pathlen, NULL, 0) == -1)
err(1, "getting path: sysctl(%s) - size only", PATHCTL);
- }
path = malloc(pathlen + 1);
- if (path == NULL) {
+ if (path == NULL)
err(1, "allocating %lu bytes for the path",
(unsigned long)pathlen + 1);
- }
- if (sysctl(mib, miblen, path, &pathlen, NULL, 0) == -1) {
+ if (sysctl(mib, miblen, path, &pathlen, NULL, 0) == -1)
err(1, "getting path: sysctl(%s)", PATHCTL);
- }
tmppath = path;
while ((element = strsep(&tmppath, ";")) != NULL) {
@@ -97,39 +88,36 @@ path_check(const char *kldname, int quie
strlcat(kldpath, "/", MAXPATHLEN);
}
strlcat(kldpath, kldname, MAXPATHLEN);
-
- if (stat(kldpath, &sb) == -1) {
+
+ if (stat(kldpath, &sb) == -1)
continue;
- }
found = 1;
if (sb.st_dev != dev || sb.st_ino != ino) {
- if (!quiet) {
+ if (!quiet)
warnx("%s will be loaded from %s, not the "
"current directory", kldname, element);
- }
break;
- } else if (sb.st_dev == dev && sb.st_ino == ino) {
+ } else if (sb.st_dev == dev && sb.st_ino == ino)
break;
- }
}
free(path);
-
+
if (!found) {
- if (!quiet) {
+ if (!quiet)
warnx("%s is not in the module path", kldname);
- }
return (-1);
}
-
+
return (0);
}
static void
usage(void)
{
+
fprintf(stderr, "usage: kldload [-nqv] file ...\n");
exit(1);
}
@@ -138,17 +126,17 @@ int
main(int argc, char** argv)
{
int c;
+ int check_loaded;
int errors;
int fileid;
- int verbose;
int quiet;
- int check_loaded;
+ int verbose;
errors = 0;
verbose = 0;
quiet = 0;
check_loaded = 0;
-
+
while ((c = getopt(argc, argv, "nqv")) != -1) {
switch (c) {
case 'q':
@@ -204,9 +192,8 @@ main(int argc, char** argv)
printf("Loaded %s, id=%d\n", argv[0],
fileid);
}
- } else {
+ } else
errors++;
- }
argv++;
}
Modified: projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 Tue Feb 7 01:33:39 2017 (r313361)
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 3, 2016
+.Dd February 6, 2017
.Dt SETKEY 8
.Os
.\"
@@ -270,8 +270,6 @@ must be a decimal number, or a hexadecim
prefix.
SPI values between 0 and 255 are reserved for future use by IANA
and they cannot be used.
-TCP-MD5 associations must use 0x1000 and therefore only have per-host
-granularity at this time.
.\"
.Pp
.It Ar extensions
Modified: projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile Tue Feb 7 01:33:39 2017 (r313361)
@@ -4,7 +4,7 @@
SUBDIR=
.if ${MK_OPENSSL} != "no"
-SUBDIR+=bdes openssl
+SUBDIR+=openssl
.if ${MK_OPENSSH} != "no"
SUBDIR+=scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
.endif
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile Tue Feb 7 01:33:39 2017 (r313361)
@@ -201,6 +201,7 @@ MAN= aac.4 \
icmp.4 \
icmp6.4 \
ida.4 \
+ if_ipsec.4 \
ifmib.4 \
ig4.4 \
igb.4 \
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 Tue Feb 7 01:33:39 2017 (r313361)
@@ -167,6 +167,10 @@ Tunables can be set at the
.Xr loader 8
prompt before booting the kernel or stored in
.Xr loader.conf 5 .
+There are multiple tunables that control the number of queues of various
+types.
+A negative value for such a tunable instructs the driver to create
+up to that many queues if there are enough CPU cores available.
.Bl -tag -width indent
.It Va hw.cxgbe.ntxq10g
Number of tx queues used for a 10Gb or higher-speed port.
Copied: projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4 (from r313360, head/share/man/man4/if_ipsec.4)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4 Tue Feb 7 01:33:39 2017 (r313361, copy of r313360, head/share/man/man4/if_ipsec.4)
@@ -0,0 +1,141 @@
+.\" Copyright (c) 2017 Andrey V. Elsukov <ae at FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 6, 2017
+.Dt if_ipsec 4
+.Os
+.Sh NAME
+.Nm if_ipsec
+.Nd IPsec virtual tunneling interface
+.Sh SYNOPSIS
+The
+.Cm if_ipsec
+network interface is a part of the
+.Fx
+IPsec implementation.
+To compile it into the kernel, place this line in the kernel
+configuration file:
+.Bd -ragged -offset indent
+.Cd "options IPSEC"
+.Ed
+.Pp
+It can also be loaded as part of the
+.Cm ipsec
+kernel module if the kernel was compiled with
+.Bd -ragged -offset indent
+.Cd "options IPSEC_SUPPORT"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+network interface is targeted for creating route-based VPNs.
+It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure
+it with ESP.
+.Pp
+.Nm
+interfaces are dynamically created and destroyed with the
+.Xr ifconfig 8
+.Cm create
+and
+.Cm destroy
+subcommands.
+The administrator must configure IPsec
+.Cm tunnel
+endpoint addresses.
+These addresses will be used for the outer IP header of ESP packets.
+The administrator can also configure the protocol and addresses for the inner
+IP header with
+.Xr ifconfig 8 ,
+and modify the routing table to route the packets through the
+.Nm
+interface.
+.Pp
+When the
+.Nm
+interface is configured, it automatically creates special security policies.
+These policies can be used to acquire security associations from the IKE daemon,
+which are needed for establishing an IPsec tunnel.
+It is also possible to create needed security associations manually with the
+.Xr setkey 8
+utility.
+.Pp
+Each
+.Nm
+interface has an additional numeric configuration option
+.Cm reqid Ar id .
+This
+.Ar id
+is used to distinguish traffic and security policies between several
+.Nm
+interfaces.
+The
+.Cm reqid
+can be specified on interface creation and changed later.
+If not specified, it is automatically assigned.
+Note that changing
+.Cm reqid
+will lead to generation of new security policies, and this
+may require creating new security associations.
+.Sh EXAMPLES
+The example below shows manual configuration of an IPsec tunnel
+between two FreeBSD hosts.
+Host A has the IP address 192.168.0.3, and host B has the IP address
+192.168.0.5.
+.Pp
+On host A:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 100
+ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
+ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+On host B:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 200
+ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
+ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+Note the value 100 on host A and value 200 on host B are used as reqid.
+The same value must be used as identifier of the policy entry in the
+.Xr setkey 8
+command.
+.Sh SEE ALSO
+.Xr gif 4 ,
+.Xr gre 4 ,
+.Xr ipsec 4 ,
+.Xr ifconfig 8 ,
+.Xr setkey 8
+.Sh AUTHORS
+.An Andrey V. Elsukov Aq Mt ae at FreeBSD.org
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4 Tue Feb 7 01:33:39 2017 (r313361)
@@ -29,7 +29,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd November 29, 2009
+.Dd February 6, 2017
.Dt IPSEC 4
.Os
.Sh NAME
@@ -37,6 +37,7 @@
.Nd Internet Protocol Security protocol
.Sh SYNOPSIS
.Cd "options IPSEC"
+.Cd "options IPSEC_SUPPORT"
.Cd "device crypto"
.Pp
.In sys/types.h
@@ -151,6 +152,16 @@ Refer to
.Xr setkey 8
on how to use it.
.Pp
+Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6
+transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options
+may be used to configure per-socket security policies.
+A properly-formed IPsec policy specification structure can be
+created using
+.Xr ipsec_set_policy 3
+function and used as socket option value for the
+.Xr setsockopt 2
+call.
+.Pp
When setting policies using the
.Xr setkey 8
command, the
@@ -228,6 +239,8 @@ for tweaking the kernel's IPsec behavior
.It "net.inet.ipsec.dfbit integer yes"
.It "net.inet.ipsec.ecn integer yes"
.It "net.inet.ipsec.debug integer yes"
+.It "net.inet.ipsec.natt_cksum_policy integer yes"
+.It "net.inet.ipsec.check_policy_history integer yes"
.It "net.inet6.ipsec6.ecn integer yes"
.It "net.inet6.ipsec6.debug integer yes"
.El
@@ -270,6 +283,23 @@ talks more about the behavior.
.It Li ipsec.debug
If set to non-zero, debug messages will be generated via
.Xr syslog 3 .
+.It Li ipsec.natt_cksum_policy
+Controls how the kernel handles TCP and UDP checksums when ESP in UDP
+encapsulation is used for IPsec transport mode.
+If set to a non-zero value, the kernel fully recomputes checksums for
+inbound TCP segments and UDP datagrams after they are decapsulated and
+decrypted.
+If set to 0 and original addresses were configured for corresponding SA
+by the IKE daemon, the kernel incrementally recomputes checksums for
+inbound TCP segments and UDP datagrams.
+If addresses were not configured, the checksums are ignored.
+.It Li ipsec.check_policy_history
+Enables strict policy checking for inbound packets.
+By default, inbound security policies check that packets handled by IPsec
+have been decrypted and authenticated.
+If this variable is set to a non-zero value, each packet handled by IPsec
+is checked against the history of IPsec security associations.
+The IPsec security protocol, mode, and SA addresses must match.
.El
.Pp
Variables under the
@@ -305,6 +335,7 @@ routines from looking into the IP payloa
.Xr ipsec_set_policy 3 ,
.Xr crypto 4 ,
.Xr enc 4 ,
+.Xr if_ipsec 4 ,
.Xr icmp6 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 Tue Feb 7 01:33:39 2017 (r313361)
@@ -34,7 +34,7 @@
.\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd Jan 29, 2017
+.Dd February 6, 2017
.Dt TCP 4
.Os
.Sh NAME
@@ -272,33 +272,27 @@ or the internal send buffer is filled.
This option enables the use of MD5 digests (also known as TCP-MD5)
on writes to the specified socket.
Outgoing traffic is digested;
-digests on incoming traffic are verified if the
-.Va net.inet.tcp.signature_verify_input
-sysctl is nonzero.
-The current default behavior for the system is to respond to a system
-advertising this option with TCP-MD5; this may change.
+digests on incoming traffic are verified.
+When this option is enabled on a socket, all inbound and outgoing
+TCP segments must be signed with MD5 digests.
.Pp
One common use for this in a
.Fx
router deployment is to enable
based routers to interwork with Cisco equipment at peering points.
Support for this feature conforms to RFC 2385.
-Only IPv4
-.Pq Dv AF_INET
-sessions are supported.
.Pp
In order for this option to function correctly, it is necessary for the
administrator to add a tcp-md5 key entry to the system's security
associations database (SADB) using the
.Xr setkey 8
utility.
-This entry must have an SPI of 0x1000 and can therefore only be specified
-on a per-host basis at this time.
+This entry can only be specified on a per-host basis at this time.
.Pp
-If an SADB entry cannot be found for the destination, the outgoing traffic
-will have an invalid digest option prepended, and the following error message
-will be visible on the system console:
-.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" .
+If an SADB entry cannot be found for the destination,
+the system does not send any outgoing segments and drops any inbound segments.
+.Pp
+Each dropped segment is taken into account in the TCP protocol statistics.
.El
.Pp
The option level for the
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 Tue Feb 7 01:33:39 2017 (r313361)
@@ -28,7 +28,7 @@
.\" @(#)udp.4 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd June 5, 1993
+.Dd February 6, 2017
.Dt UDP 4
.Os
.Sh NAME
@@ -99,6 +99,17 @@ transport level may be used with
.Tn UDP ;
see
.Xr ip 4 .
+.Tn UDP_ENCAP
+socket option may be used at the
+.Tn IPPROTO_UDP
+level to encapsulate
+.Tn ESP
+packets in
+.Tn UDP .
+Only one value is supported for this option:
+.Tn UDP_ENCAP_ESPINUDP
+from RFC 3948, defined in
+.In netinet/udp.h .
.Sh MIB VARIABLES
The
.Nm
@@ -158,7 +169,8 @@ exists.
.Xr blackhole 4 ,
.Xr inet 4 ,
.Xr intro 4 ,
-.Xr ip 4
+.Xr ip 4 ,
+.Xr udplite 4
.Sh HISTORY
The
.Nm
Modified: projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -82,41 +82,86 @@ DUMMY(mq_timedreceive);
DUMMY(mq_notify);
DUMMY(mq_getsetattr);
DUMMY(kexec_load);
+/* linux 2.6.11: */
DUMMY(add_key);
DUMMY(request_key);
DUMMY(keyctl);
+/* linux 2.6.13: */
DUMMY(ioprio_set);
DUMMY(ioprio_get);
DUMMY(inotify_init);
DUMMY(inotify_add_watch);
DUMMY(inotify_rm_watch);
+/* linux 2.6.16: */
DUMMY(migrate_pages);
DUMMY(unshare);
+/* linux 2.6.17: */
DUMMY(splice);
DUMMY(tee);
DUMMY(sync_file_range);
DUMMY(vmsplice);
+/* linux 2.6.18: */
DUMMY(move_pages);
+/* linux 2.6.22: */
DUMMY(signalfd);
-DUMMY(timerfd);
+DUMMY(timerfd_create);
+/* linux 2.6.25: */
DUMMY(timerfd_settime);
DUMMY(timerfd_gettime);
+/* linux 2.6.27: */
DUMMY(signalfd4);
DUMMY(inotify_init1);
+/* linux 2.6.30: */
DUMMY(preadv);
DUMMY(pwritev);
-DUMMY(rt_tsigqueueinfo);
+/* linux 2.6.31: */
+DUMMY(rt_tgsigqueueinfo);
DUMMY(perf_event_open);
+/* linux 2.6.38: */
DUMMY(fanotify_init);
DUMMY(fanotify_mark);
+/* linux 2.6.39: */
DUMMY(name_to_handle_at);
DUMMY(open_by_handle_at);
DUMMY(clock_adjtime);
+/* linux 3.0: */
DUMMY(setns);
+DUMMY(getcpu);
+/* linux 3.2: */
DUMMY(process_vm_readv);
DUMMY(process_vm_writev);
+/* linux 3.5: */
DUMMY(kcmp);
+/* linux 3.8: */
DUMMY(finit_module);
+DUMMY(sched_setattr);
+DUMMY(sched_getattr);
+/* linux 3.14: */
+DUMMY(renameat2);
+/* linux 3.15: */
+DUMMY(seccomp);
+DUMMY(getrandom);
+DUMMY(memfd_create);
+DUMMY(kexec_file_load);
+/* linux 3.18: */
+DUMMY(bpf);
+/* linux 3.19: */
+DUMMY(execveat);
+/* linux 4.2: */
+DUMMY(userfaultfd);
+/* linux 4.3: */
+DUMMY(membarrier);
+/* linux 4.4: */
+DUMMY(mlock2);
+/* linux 4.5: */
+DUMMY(copy_file_range);
+/* linux 4.6: */
+DUMMY(preadv2);
+DUMMY(pwritev2);
+/* linux 4.8: */
+DUMMY(pkey_mprotect);
+DUMMY(pkey_alloc);
+DUMMY(pkey_free);
#define DUMMY_XATTR(s) \
int \
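Review bot: The new `DUMMY(seccomp);` and `DUMMY(getrandom);` entries under the `/* linux 3.15: */` comment are security-relevant stubs and should carry a comment saying so, because a stub can neither install a syscall filter nor return random bytes. The `DUMMY` macro is defined outside this hunk, so the exact failure mode is not visible here. If the call presumably just fails with an error, a Linux binary that ignores a failed seccomp() keeps running without the sandbox it asked for, and a caller of getrandom() has to fall back to another entropy source. I would add above the two lines `/* seccomp, getrandom: stubs only; no filter is installed and no random bytes are returned */`. The hunk ends inside the `DUMMY_XATTR` macro definition, which continues outside it.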
Modified: projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h Tue Feb 7 01:33:39 2017 (r313361)
@@ -3,7 +3,7 @@
*
* DO NOT EDIT-- this file is automatically generated.
* $FreeBSD$
- * created from FreeBSD: head/sys/amd64/linux/syscalls.master 302515 2016-07-10 08:15:50Z dchagin
+ * created from FreeBSD: head/sys/amd64/linux/syscalls.master 313284 2017-02-05 14:17:09Z dchagin
*/
#ifndef _LINUX_SYSPROTO_H_
@@ -1000,7 +1000,7 @@ struct linux_epoll_pwait_args {
struct linux_signalfd_args {
register_t dummy;
};
-struct linux_timerfd_args {
+struct linux_timerfd_create_args {
register_t dummy;
};
struct linux_eventfd_args {
@@ -1044,16 +1044,27 @@ struct linux_pipe2_args {
char flags_l_[PADL_(l_int)]; l_int flags; char flags_r_[PADR_(l_int)];
};
struct linux_inotify_init1_args {
- register_t dummy;
+ char flags_l_[PADL_(l_int)]; l_int flags; char flags_r_[PADR_(l_int)];
};
struct linux_preadv_args {
- register_t dummy;
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***