#
71625ec9 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c comment pattern Remove /^/[*/]\s*\$FreeBSD\$.*\n/
|
#
809fef29 |
|
03-Oct-2022 |
Gleb Smirnoff <glebius@FreeBSD.org> |
netipsec: move specific ipsecmethods declarations to ipsec_support.h where struct ipsec_methods is defined. Not a functional change. Allows further modification of method prototypes without breaking compilation of other ipsec compilation units. Differential revision: https://reviews.freebsd.org/D36730
|
#
9dfc8606 |
|
24-Sep-2021 |
Bartlomiej Grzesik <bag@semihalf.com> |
ipsec: Add support for PMTUD for IPv6 tunnels Discard and send ICMPv6 Packet Too Big to sender when we try to encapsulate and forward a packet which total length exceeds the PMTU. Logic is based on the IPv4 implementation. Common code was moved to a separate function. Differential revision: https://reviews.freebsd.org/D31771 Obtained from: Semihalf Sponsored by: Stormshield
|
#
d9d59bb1 |
|
08-Aug-2021 |
Wojciech Macek <wma@FreeBSD.org> |
ipsec: Handle ICMP NEEDFRAG message. It will be needed for upcoming PMTU implementation in ipsec. For now simply create/update an entry in tcp hostcache when needed. The code is based on https://people.freebsd.org/~ae/ipsec_transport_mode_ctlinput.diff Authored by: Kornel Duleba <mindal@semihalf.com> Differential revision: https://reviews.freebsd.org/D30992 Reviewed by: tuxen Sponsored by: Stormshield Obtained from: Semihalf
|
#
51369649 |
|
20-Nov-2017 |
Pedro F. Giffuni <pfg@FreeBSD.org> |
sys: further adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 3-Clause license. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts. Special thanks to Wind River for providing access to "The Duke of Highlander" tool: an older (2014) run over FreeBSD tree was useful as a starting point.
|
#
22bbefb2 |
|
21-Aug-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Fix the regression introduced in r275710. When a security policy should match TCP connection with specific ports, the SYN+ACK segment send by syncache_respond() is considered as forwarded packet, because at this moment TCP connection does not have PCB structure, and ip_output() is called without inpcb pointer. In this case SPIDX filled for SP lookup will not contain TCP ports and security policy will not be found. This can lead to unencrypted SYN+ACK on the wire. This patch restores the old behavior, when ports will not be filled only for forwarded packets. Reported by: Dewayne Geraghty <dewayne.geraghty at heuristicsystems.com.au> MFC after: 1 week
|
#
fcf59617 |
|
06-Feb-2017 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Merge projects/ipsec into head/. Small summary ------------- o Almost all IPsec releated code was moved into sys/netipsec. o New kernel modules added: ipsec.ko and tcpmd5.ko. New kernel option IPSEC_SUPPORT added. It enables support for loading and unloading of ipsec.ko and tcpmd5.ko kernel modules. o IPSEC_NAT_T option was removed. Now NAT-T support is enabled by default. The UDP_ENCAP_ESPINUDP_NON_IKE encapsulation type support was removed. Added TCP/UDP checksum handling for inbound packets that were decapsulated by transport mode SAs. setkey(8) modified to show run-time NAT-T configuration of SA. o New network pseudo interface if_ipsec(4) added. For now it is build as part of ipsec.ko module (or with IPSEC kernel). It implements IPsec virtual tunnels to create route-based VPNs. o The network stack now invokes IPsec functions using special methods. The only one header file <netipsec/ipsec_support.h> should be included to declare all the needed things to work with IPsec. o All IPsec protocols handlers (ESP/AH/IPCOMP protosw) were removed. Now these protocols are handled directly via IPsec methods. o TCP_SIGNATURE support was reworked to be more close to RFC. o PF_KEY SADB was reworked: - now all security associations stored in the single SPI namespace, and all SAs MUST have unique SPI. - several hash tables added to speed up lookups in SADB. - SADB now uses rmlock to protect access, and concurrent threads can do SA lookups in the same time. - many PF_KEY message handlers were reworked to reflect changes in SADB. - SADB_UPDATE message was extended to support new PF_KEY headers: SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. They can be used by IKE daemon to change SA addresses. o ipsecrequest and secpolicy structures were cardinally changed to avoid locking protection for ipsecrequest. Now we support only limited number (4) of bundled SAs, but they are supported for both INET and INET6. o INPCB security policy cache was introduced. Each PCB now caches used security policies to avoid SP lookup for each packet. o For inbound security policies added the mode, when the kernel does check for full history of applied IPsec transforms. o References counting rules for security policies and security associations were changed. The proper SA locking added into xform code. o xform code was also changed. Now it is possible to unregister xforms. tdb_xxx structures were changed and renamed to reflect changes in SADB/SPDB, and changed rules for locking and refcounting. Reviewed by: gnn, wblock Obtained from: Yandex LLC Relnotes: yes Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D9352
|
#
efb10c3c |
|
21-Apr-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Constify mbuf pointer for IPSEC functions where mbuf isn't modified.
|
#
f0514a8b |
|
11-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove now unused mtag argument from ipsec*_common_input_cb. Obtained from: Yandex LLC Sponsored by: Yandex LLC
|
#
18961126 |
|
02-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove __P() macro. Suggested by: kevlo Sponsored by: Yandex LLC
|
#
0e23cc37 |
|
01-Dec-2014 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Remove unused declartations. Sponsored by: Yandex LLC
|
#
aaf2cfc0 |
|
27-May-2014 |
VANHULLEBUS Yvan <vanhu@FreeBSD.org> |
Fixed IPv4-in-IPv6 and IPv6-in-IPv4 IPsec tunnels. For IPv6-in-IPv4, you may need to do the following command on the tunnel interface if it is configured as IPv4 only: ifconfig <interface> inet6 -ifdisabled Code logic inspired from NetBSD. PR: kern/169438 Submitted by: emeric.poupon@netasq.com Reviewed by: fabient, ae Obtained from: NETASQ
|
#
db8c0879 |
|
09-Jul-2013 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat, ipsec4stat, ipsec6stat to PCPU counters.
|
#
6659296c |
|
20-Jun-2013 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Use IPSECSTAT_INC() and IPSEC6STAT_INC() macros for ipsec statistics accounting. MFC after: 2 weeks
|
#
a7d5f7eb |
|
19-Oct-2010 |
Jamie Gritton <jamie@FreeBSD.org> |
A new jail(8) with a configuration file, to replace the work currently done by /etc/rc.d/jail.
|
#
480d7c6c |
|
06-May-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFC r207369: MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitspace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOABLS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH
|
#
82cea7e6 |
|
29-Apr-2010 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
MFP4: @176978-176982, 176984, 176990-176994, 177441 "Whitspace" churn after the VIMAGE/VNET whirls. Remove the need for some "init" functions within the network stack, like pim6_init(), icmp_init() or significantly shorten others like ip6_init() and nd6_init(), using static initialization again where possible and formerly missed. Move (most) variables back to the place they used to be before the container structs and VIMAGE_GLOABLS (before r185088) and try to reduce the diff to stable/7 and earlier as good as possible, to help out-of-tree consumers to update from 6.x or 7.x to 8 or 9. This also removes some header file pollution for putatively static global variables. Revert VIMAGE specific changes in ipfilter::ip_auth.c, that are no longer needed. Reviewed by: jhb Discussed with: rwatson Sponsored by: The FreeBSD Foundation Sponsored by: CK Software GmbH MFC after: 6 days
|
#
1e77c105 |
|
16-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Remove unused VNET_SET() and related macros; only VNET_GET() is ever actually used. Rename VNET_GET() to VNET() to shorten variable references. Discussed with: bz, julian Reviewed by: bz Approved by: re (kensmith, kib)
|
#
eddfbb76 |
|
14-Jul-2009 |
Robert Watson <rwatson@FreeBSD.org> |
Build on Jeff Roberson's linker-set based dynamic per-CPU allocator (DPCPU), as suggested by Peter Wemm, and implement a new per-virtual network stack memory allocator. Modify vnet to use the allocator instead of monolithic global container structures (vinet, ...). This change solves many binary compatibility problems associated with VIMAGE, and restores ELF symbols for virtualized global variables. Each virtualized global variable exists as a "reference copy", and also once per virtual network stack. Virtualized global variables are tagged at compile-time, placing the in a special linker set, which is loaded into a contiguous region of kernel memory. Virtualized global variables in the base kernel are linked as normal, but those in modules are copied and relocated to a reserved portion of the kernel's vnet region with the help of a the kernel linker. Virtualized global variables exist in per-vnet memory set up when the network stack instance is created, and are initialized statically from the reference copy. Run-time access occurs via an accessor macro, which converts from the current vnet and requested symbol to a per-vnet address. When "options VIMAGE" is not compiled into the kernel, normal global ELF symbols will be used instead and indirection is avoided. This change restores static initialization for network stack global variables, restores support for non-global symbols and types, eliminates the need for many subsystem constructors, eliminates large per-subsystem structures that caused many binary compatibility issues both for monitoring applications (netstat) and kernel modules, removes the per-function INIT_VNET_*() macros throughout the stack, eliminates the need for vnet_symmap ksym(2) munging, and eliminates duplicate definitions of virtualized globals under VIMAGE_GLOBALS. Bump __FreeBSD_version and update UPDATING. Portions submitted by: bz Reviewed by: bz, zec Discussed with: gnn, jamie, jeff, jhb, julian, sam Suggested by: peter Approved by: re (kensmith)
|
#
db2e4792 |
|
23-May-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Add sysctls to toggle the behaviour of the (former) IPSEC_FILTERTUNNEL kernel option. This also permits tuning of the option per virtual network stack, as well as separately per inet, inet6. The kernel option is left for a transition period, marked deprecated, and will be removed soon. Initially requested by: phk (1 year 1 day ago) MFC after: 4 weeks
|
#
97aa4a51 |
|
08-Feb-2009 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Try to remove/assimilate as much of formerly IPv4/6 specific (duplicate) code in sys/netipsec/ipsec.c and fold it into common, INET/6 independent functions. The file local functions ipsec4_setspidx_inpcb() and ipsec6_setspidx_inpcb() were 1:1 identical after the change in r186528. Rename to ipsec_setspidx_inpcb() and remove the duplicate. Public functions ipsec[46]_get_policy() were 1:1 identical. Remove one copy and merge in the factored out code from ipsec_get_policy() into the other. The public function left is now called ipsec_get_policy() and callers were adapted. Public functions ipsec[46]_set_policy() were 1:1 identical. Rename file local ipsec_set_policy() function to ipsec_set_policy_internal(). Remove one copy of the public functions, rename the other to ipsec_set_policy() and adapt callers. Public functions ipsec[46]_hdrsiz() were logically identical (ignoring one questionable assert in the v6 version). Rename the file local ipsec_hdrsiz() to ipsec_hdrsiz_internal(), the public function to ipsec_hdrsiz(), remove the duplicate copy and adapt the callers. The v6 version had been unused anyway. Cleanup comments. Public functions ipsec[46]_in_reject() were logically identical apart from statistics. Move the common code into a file local ipsec46_in_reject() leaving vimage+statistics in small AF specific wrapper functions. Note: unfortunately we already have a public ipsec_in_reject(). Reviewed by: sam Discussed with: rwatson (renaming to *_internal) MFC after: 26 days X-MFC: keep wrapper functions for public symbols?
|
#
6974bd9e |
|
27-Nov-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Unify ipsec[46]_delete_pcbpolicy in ipsec_delete_pcbpolicy. Ignoring different names because of macros (in6pcb, in6p_sp) and inp vs. in6p variable name both functions were entirely identical. Reviewed by: rwatson (as part of a larger changeset) MFC after: 6 weeks (*) (*) possibly need to leave a stub wrappers in 7 to keep the symbols.
|
#
d7f03759 |
|
19-Oct-2008 |
Ulf Lilleengen <lulf@FreeBSD.org> |
- Import the HEAD csup code which is the basis for the cvsmode work.
|
#
3377c961 |
|
20-Jul-2008 |
Tom Rhodes <trhodes@FreeBSD.org> |
Document a few sysctls. While here, remove dead code related to ip4_esp_randpad. Reviewed by: gnn, bz (older version) Approved by: gnn Tested with: make universe
|
#
c26fe973 |
|
02-Feb-2008 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
Rather than passing around a cached 'priv', pass in an ucred to ipsec*_set_policy and do the privilege check only if needed. Try to assimilate both ip*_ctloutput code blocks calling ipsec*_set_policy. Reviewed by: rwatson
|
#
2cb64cb2 |
|
01-Jul-2007 |
George V. Neville-Neil <gnn@FreeBSD.org> |
Commit IPv6 support for FAST_IPSEC to the tree. This commit includes only the kernel files, the rest of the files will follow in a second commit. Reviewed by: bz Approved by: re Supported by: Secure Computing
|
#
c398230b |
|
06-Jan-2005 |
Warner Losh <imp@FreeBSD.org> |
/* -> /*- for license, minor formatting changes
|
#
88768458 |
|
15-Oct-2002 |
Sam Leffler <sam@FreeBSD.org> |
"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment). Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system. This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system. Obtained from: KAME + openbsd Supported by: Vernier Networks
|