685dc743 | 16-Aug-2023 | Warner Losh <imp@FreeBSD.org>
sys: Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

2c2b37ad | 13-Jan-2023 | Justin Hibbits <jhibbits@FreeBSD.org>
ifnet/API: Move struct ifnet definition to a <net/if_private.h>

Hide the ifnet structure definition, no user serviceable parts inside, it's a netstack implementation detail. Include it temporarily in <net/if_var.h> until all drivers are updated to use the accessors exclusively.

Reviewed by: glebius
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D38046

b1d10b49 | 16-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
if_ipsec(4): handle situations where there are no policy or SADB entry for if

Reviewed by: ae, hselasky
Sponsored by: NVIDIA Networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D38093

eac97154 | 16-Jan-2023 | Konstantin Belousov <kib@FreeBSD.org>
if_ipsec(4): protect against user supplying unknown address family

Reviewed by: ae, hselasky
Sponsored by: NVIDIA Networking
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D38093

c8ee75f2 | 10-Oct-2021 | Gleb Smirnoff <glebius@FreeBSD.org>
Use network epoch to protect local IPv4 addresses hash.

The modifications to the hash are already naturally locked by in_control_sx. Convert the hash lists to CK lists. Remove the in_ifaddr_rmlock. Assert the network epoch where necessary.

Most cases when the hash lookup is done the epoch is already entered. Cover a few cases that need entering the epoch, which mostly is initial configuration of tunnel interfaces and multicast addresses.

Reviewed by: melifaro
Differential revision: https://reviews.freebsd.org/D32584

662c1305 | 01-Sep-2020 | Mateusz Guzik <mjg@FreeBSD.org>
net: clean up empty lines in .c and .h files

dd4490fd | 03-Jun-2020 | Andrey V. Elsukov <ae@FreeBSD.org>
Add if_reassign method to all tunneling interfaces.

After r339550 tunneling interfaces have started to handle appearing and disappearing of ingress IP address on the host system. When such interfaces are moving into VNET jail, they lose the ability to properly handle ifaddr_event_ext event. And this leads to the need to reconfigure tunnel to make it working again.

Since moving an interface into VNET jail leads to removing of all IP addresses, it looks consistent that tunnel configuration should also be cleared. This is what the if_reassign method will do.

Reported by: John W. O'Brien <john saltant com>
MFC after: 1 week

28d2a72b | 29-May-2020 | John Baldwin <jhb@FreeBSD.org>
Consistently include opt_ipsec.h for consumers of <netipsec/ipsec.h>.

This fixes ipsec.ko to include all of IPSEC_DEBUG.

Reviewed by: imp
MFC after: 2 weeks
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D25046

97168be8 | 14-Jan-2020 | Gleb Smirnoff <glebius@FreeBSD.org>
Mechanically substitute assertion of in_epoch(net_epoch_preempt) to NET_EPOCH_ASSERT(). NFC

ad43bf34 | 16-Nov-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Allow configuration of several ipsec interfaces with the same tunnel endpoints.

This can be used to configure several IPsec tunnels between two hosts with different security associations.

Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC

221022e1 | 23-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Add the check that current VNET is ready and access to srchash is allowed.

ipsec_srcaddr() callback can be called during VNET teardown, since ingress address checking subsystem isn't VNET specific. And thus the callback can access already freed memory. To prevent this, use V_ipsec_idhtbl pointer as indicator of VNET readiness. And make epoch_wait() after resetting it to NULL in vnet_ipsec_uninit() to be sure that ipsec_srcaddr() has finished its work.

Reported by: kp
MFC after: 20 days

e6b383b2 | 22-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Remove softc from idhash when interface is destroyed.

MFC after: 20 days

cc958ed2 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Follow the fix in r339532 (by glebius): Fix exiting an epoch(9) we never entered. May happen only with MAC.

MFC after: 1 month

2c87fdf0 | 21-Oct-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Rework if_ipsec(4) to use epoch(9) instead of rmlock.

* use CK_LIST and FNV hash to keep chains of softc;
* read access to softc is protected by epoch();
* write access is protected by ipsec_ioctl_sx. Changing of softc fields is allowed only when softc is unlinked from CK_LIST chains.
* linking/unlinking of softc is allowed only when ipsec_ioctl_sx is exclusive locked.
* the plain LIST of all softc is replaced by hash table that uses ingress address of tunnels as a key.
* added support for appearing/disappearing of ingress address handling. Now it is allowed to configure non-local ingress IP address, and thus the problem with if_ipsec(4) configuration that happens on boot, when ingress address is not yet configured, is solved.

MFC after: 1 month
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D17190

5f901c92 | 24-Jul-2018 | Andrew Turner <andrew@FreeBSD.org>
Use the new VNET_DEFINE_STATIC macro when we are defining static VNET variables.

Reviewed by: bz
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D16147

e287c474 | 11-May-2018 | Andrey V. Elsukov <ae@FreeBSD.org>
Apply the change from r272770 to if_ipsec(4) interface.

It is guaranteed that if_ipsec(4) interface is used only for tunnel mode IPsec, i.e. decrypted and decapsulated packet has its own IP header. Thus we can consider it as new packet and clear the protocols flags. This allows ICMP/ICMPv6 to properly handle errors that may cause this packet.

PR: 228108
MFC after: 1 week

541d96aa | 30-Mar-2018 | Brooks Davis <brooks@FreeBSD.org>
Use an accessor function to access ifr_data.

This fixes 32-bit compat (no ioctl command definitions are required as struct ifreq is the same size). This is believed to be sufficient to fully support ifconfig on 32-bit systems.

Reviewed by: kib
Obtained from: CheriBSD
MFC after: 1 week
Relnotes: yes
Sponsored by: DARPA, AFRL
Differential Revision: https://reviews.freebsd.org/D14900

22986c67 | 06-Mar-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Introduce the concept of IPsec security policies scope.

Currently three scopes are defined: global, ifnet, and pcb. Generic security policies that IKE daemon can add via PF_KEY interface or an administrator creates with setkey(8) utility have GLOBAL scope. Such policies can be applied by the kernel to outgoing packets and checked against inbound packets after IPsec processing. Security policies created by if_ipsec(4) interfaces have IFNET scope. Such policies are applied to packets that are passed through if_ipsec(4) interface. And security policies created by application using setsockopt() IP_IPSEC_POLICY option have PCB scope. Such policies are applied to packets related to specific socket. Currently there is no way to list PCB policies via setkey(8) utility.

Modify setkey(8) and libipsec(3) to be able to distinguish the scope of security policies in the `setkey -DP` listing. Add two optional flags: '-t' to list only policies related to virtual *tunneling* interfaces, i.e. policies with IFNET scope, and '-g' to list only policies with GLOBAL scope. By default policies from all scopes are listed.

To implement this PF_KEY's sadb_x_policy structure was modified. sadb_x_policy_reserved field is used to pass the policy scope from the kernel to userland. SADB_SPDDUMP message extended to support filtering by scope: sadb_msg_satype field is used to specify bit mask of requested scopes. For IFNET policies the sadb_x_policy_priority field of struct sadb_x_policy is used to pass if_ipsec's interface if_index to the userland. For GLOBAL policies sadb_x_policy_priority is used only to manage order of security policies in the SPDB. For IFNET policies it is not used, so it can be used to keep if_index.

After this change the output of `setkey -DP` now looks like:

    # setkey -DPt
    0.0.0.0/0[any] 0.0.0.0/0[any] any
            in ipsec
            esp/tunnel/87.250.242.144-87.250.242.145/unique:145
            spid=7 seq=3 pid=58025 scope=ifnet ifname=ipsec0
            refcnt=1
    # setkey -DPg
    ::/0 ::/0 icmp6 135,0
            out none
            spid=5 seq=1 pid=872 scope=global
            refcnt=1

No objection from: #network
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9805

fcf59617 | 06-Feb-2017 | Andrey V. Elsukov <ae@FreeBSD.org>
Merge projects/ipsec into head/.

Small summary
-------------

o Almost all IPsec related code was moved into sys/netipsec.
o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules.
o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA.
o New network pseudo interface if_ipsec(4) added. For now it is built as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs.
o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec.
o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods.
o TCP_SIGNATURE support was reworked to be more close to RFC.
o PF_KEY SADB was reworked:
  - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI.
  - several hash tables added to speed up lookups in SADB.
  - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups in the same time.
  - many PF_KEY message handlers were reworked to reflect changes in SADB.
  - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses.
o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6.
o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet.
o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms.
o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code.
o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting.

Reviewed by: gnn, wblock
Obtained from: Yandex LLC
Relnotes: yes
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D9352