Use struct ipsec_level within inpcb.

Instead of passing around u_char[4], introduce struct ipsec_level
that contains 4 ipsec levels. This provides better type safety.
The embedding struct inpcb is globally visible for netstat(1), so
put struct ipsec_level outside of #ifdef _KERNEL.

OK deraadt@ mvs@

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Call pfkeyv2_sysctl_policydumper() with shared netlock. It performs
read-olny access to netlock protected data, so the radix tree will
not be modified during spd_table_walk() run.

Also change netlock assertion within spd_table_add() and
ipsec_delete_policy() to exclusive. These are correlating functions
which modifies radix tree, so make us sure spd_table_walk() run with
shared netlock is safe.

Feedback and ok by bluhm@

The timeout for ipsec acquire does not decrement the reference
counter to 0 properly. We have one reference count for the lists,
and one for the timeout handler. When the timout fires, it has to
decrement the reference to itself. Then the ipa is removed from
the lists and decremented again.
from Stefan Butz; OK tobhe@ mvs@

In ipsp_spd_lookup() rename the parameter tdbp to tdbin as it is
always the incoming TDB that has to be checked.
from markus@

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@

Usually we check ipsec_in_use as shortcut to avoid IPsec lookups,
but that does not work when coming from tcp_output() as inp != NULL.
This seems to be done to block packets from sockets with options
in inp_seclevel. But instead of doing the route lookup, go directly
to ipsp_spd_inp() where the socket policy checks are done. Calling
rtable_l2() before the shortcut also costs a bit, do it when needed.
OK tobhe@

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs

Fix a tiny race in tdb_delete() between TDBF_DELETED, tdb_unlink()
and tdb_cleanspd(). gettdb...() can return a TDB before tdb_unlink().
Then ipsp_spd_lookup() could add it to tdb_policy_head after
tdb_cleanspd(). There it would stay until it hits the kassert in
tdb_free().
OK tobhe@

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Initialize `ipsec_acquire_pool' pool (9) within pfkey_init() instead of
doing that in runtime within ipsp_acquire_sa().

ok bluhm@

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Make bundled IPcomp/ESP policies work with IPSEC_LEVEL_REQUIRE.
We only install flows for IPcomp. When processing an incoming ESP SA,
look for a bundled IPcomp SA and use that in the policy check.

ok bluhm@

free(9) sizes for M_RTABLE.

ok kn@

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@

Assert that the NET_LOCK() is held when iterating over `ipsec_acquire_head'.

ok visa@ as part of a larger bigger diff

Fix kernel builds without IPSEC.

OK mikeb@

Flush flows using the radix-tree instead of a global list.

This will allows us to get rid of the list.

ok visa@

Remove unused debug macro.

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Replace bcopy with a simple assignment where both variables are
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.

OK bluhm@

Remove empty #ifdef and #ifndef blocks

OK natano@

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

pool_setipl for various netinet and netinet6 bits

thank you to everyone who helped reviewed these diffs

ok mpi@

Initialize the routing table before domains.

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.

This put the rtable* layer at the same level of the if* level. These
two subsystem are organized around the two global data structure used
in the network stack:

- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.

This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.

While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().

ok claudio@, mikeb@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Merge two identical if() statements in ipsp_acquire_sa(). The
change in ip_spd.c 1.59 makes it appear that there is a cut & pasto.
OK mikeb@

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Perform IPsec bypass check on a socket before performing TDB lookups.
OK markus, hshoexer

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@

Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
functionnality instead of a mix of enable/disable.

ok bluhm@, jca@

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

bzero/bcmp -> memset/memcmp. ok matthew

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Fix build with ENCDEBUG defined.

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

missing PR_NOWAIT

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

don't reference an item after it has been returned to the pool
an 8 year old bug exposed by recent uvm changes

ok thib@ tedu@ deraadt@

Replace pool_get() + bzero() with pool_get(..., PR_ZERO).

With input from oga@ and krw@

ok oga@ krw@ thib@ markus@ mk@

In IPsec acquire mode, if the flow was configured for the "any"
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.

To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.

tested by todd@, ok hshoexer@, angelos@, todd@

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@

Assign the struct size to sin6_len instead of sin6_family.
ok hshoexer claudio mpf henning

0 -> PR_NOWAIT (which is defined as 0) in pool_get
as an aid to readability

ok and thinko-catching henning@

more rtrequest() to rtrequest1() replacement.
OK henning@

since the
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

adjust functions dealing with the routing table to take a table ID as
parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer

miscellaneous typo fixes:
- sturct -> struct (spotted by pedro)
- elimination of consecutive 'the' words

ok jmc@, henning@, krw@, robert@, some whining by jolan@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

make it possble to use IPsec over link-local address (policy table uses
sin6_scope_id, IPsec porion uses embedded form). beck ok

simpler ipsp_aux_match() API; ok henning, hshoexer

Check for undersized IP header, found by jbm@, ok angelos@

branches: 1.46.2;
whitespace

Per-socket policies and authentication. Finally.

Search the correct ACQUIRE list --- shifflett@nps.navy.mil

It looks like there has been one crack smoking and a few cut and pastes.
PR_FREEHEADER should not be set in pool_init by the caller. It shouldn't
be set in pool_init at all. Besides, it's going away soon anyway.

Pool deals fairly well with physical memory shortage, but it doesn't deal
well (not at all) with shortages of the vm_map where the pages are mapped
(usually kmem_map).

Try to deal with it:
- group all information the backend allocator for a pool in a separate
struct. The pool will only have a pointer to that struct.
- change the pool_init API to reflect that.
- link all pools allocating from the same allocator on a linked list.
- Since an allocator is responsible to wait for physical memory it will
only fail (waitok) when it runs out of its backing vm_map, carefully
drain pools using the same allocator so that va space is freed.
(see comments in code for caveats and details).
- change pool_reclaim to return if it actually succeeded to free some
memory, use that information to make draining easier and more efficient.
- get rid of PR_URGENT, noone uses it.

at least ; required after label or case; openbsd@davidkrause.com

branches: 1.40.4;
Reset the error return value if the cached TDB matches the
policy. Pointed out by jdmcbride@iol.ie

When the outgoing socket has BYPASS set, don't bother calling the
PCB-checking routine.

bcmp done wrong, detected at bakeoff. Hint: always use
relational operators when using *cmp APIs in conditional expressions.

Don't drop packets if we're using an ACQUIRE policy and some error
occurs while notifying key mgmt; also, always check for new TDBs for
policies where the destination gateway is left unspecified (end-to-end
IPsec case), to avoid asking for new SAs from key mgmt.

Use TAILQ_FOREACH() instead of hand-crafted for loops.

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.

Attach IPsec acquire state to policy entries, and relevant cleanups.

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.

Use the ACQUIRE sequence number to "wake up" acquire state kept and
cause retransmission of outgoing packets. Also, only store outgoing
packets -- just drop incoming packets that cause an SA
acquisition. Some comment fixup.

ifdef out some currently unused code

Rewrite ipsp_clear_acquire() to be more readable, after all the KNF'ing

Use pool(9) for IPsec acquires too.

Use pool(9) for IPsec policy structures.

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF

KNF

Copyright.

use new timeouts for spd expirations; ho@ ok

Trim include files.

Simplify SPD logic (and correct some input cases).

Match prototype.

Correctly free information attached to the policy.

branches: 1.19.2;
Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.

Missing splx in error handling.

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

allow host-to-host negotiations if no gateway has been specified.
from angelos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

include <machine/cpu.h>, since schednetisr needs to do a splsoftnet

Pretty.

Handle failures more gracefully.

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.

Compile in non-INET6 kernels.

Always look for a suitable TDB if the gateway is left unspecified.

All-1s addresses as policy destinations is also reserved for future
use (policy discovery).

branches: 1.6.2;
Fix compile error if lacking -DINET6

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.

Make sure there's enough data on the mbuf for the TCP/UDP ports (if
applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com

Fix checking for incoming packets when the remote gateway has been
fully specified in the flow.

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).

Lots and lots of changes.

Remove inp parameter from ip_output().

ip_output() received inp as parameter. This is only used to lookup
the IPsec level of the socket. Reasoning about MP locking is much
easier if only relevant data is passed around. Convert ip_output()
to receive constant inp_seclevel as argument and mark it as protected
by net lock.

OK mvs@

Call pfkeyv2_sysctl_policydumper() with shared netlock. It performs
read-olny access to netlock protected data, so the radix tree will
not be modified during spd_table_walk() run.

Also change netlock assertion within spd_table_add() and
ipsec_delete_policy() to exclusive. These are correlating functions
which modifies radix tree, so make us sure spd_table_walk() run with
shared netlock is safe.

Feedback and ok by bluhm@

The timeout for ipsec acquire does not decrement the reference
counter to 0 properly. We have one reference count for the lists,
and one for the timeout handler. When the timout fires, it has to
decrement the reference to itself. Then the ipa is removed from
the lists and decremented again.
from Stefan Butz; OK tobhe@ mvs@

In ipsp_spd_lookup() rename the parameter tdbp to tdbin as it is
always the incoming TDB that has to be checked.
from markus@

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@

Usually we check ipsec_in_use as shortcut to avoid IPsec lookups,
but that does not work when coming from tcp_output() as inp != NULL.
This seems to be done to block packets from sockets with options
in inp_seclevel. But instead of doing the route lookup, go directly
to ipsp_spd_inp() where the socket policy checks are done. Calling
rtable_l2() before the shortcut also costs a bit, do it when needed.
OK tobhe@

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs

Fix a tiny race in tdb_delete() between TDBF_DELETED, tdb_unlink()
and tdb_cleanspd(). gettdb...() can return a TDB before tdb_unlink().
Then ipsp_spd_lookup() could add it to tdb_policy_head after
tdb_cleanspd(). There it would stay until it hits the kassert in
tdb_free().
OK tobhe@

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Initialize `ipsec_acquire_pool' pool (9) within pfkey_init() instead of
doing that in runtime within ipsp_acquire_sa().

ok bluhm@

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Make bundled IPcomp/ESP policies work with IPSEC_LEVEL_REQUIRE.
We only install flows for IPcomp. When processing an incoming ESP SA,
look for a bundled IPcomp SA and use that in the policy check.

ok bluhm@

free(9) sizes for M_RTABLE.

ok kn@

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@

Assert that the NET_LOCK() is held when iterating over `ipsec_acquire_head'.

ok visa@ as part of a larger bigger diff

Fix kernel builds without IPSEC.

OK mikeb@

Flush flows using the radix-tree instead of a global list.

This will allows us to get rid of the list.

ok visa@

Remove unused debug macro.

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Replace bcopy with a simple assignment where both variables are
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.

OK bluhm@

Remove empty #ifdef and #ifndef blocks

OK natano@

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

pool_setipl for various netinet and netinet6 bits

thank you to everyone who helped reviewed these diffs

ok mpi@

Initialize the routing table before domains.

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.

This put the rtable* layer at the same level of the if* level. These
two subsystem are organized around the two global data structure used
in the network stack:

- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.

This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.

While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().

ok claudio@, mikeb@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Merge two identical if() statements in ipsp_acquire_sa(). The
change in ip_spd.c 1.59 makes it appear that there is a cut & pasto.
OK mikeb@

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Perform IPsec bypass check on a socket before performing TDB lookups.
OK markus, hshoexer

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@

Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
functionnality instead of a mix of enable/disable.

ok bluhm@, jca@

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

bzero/bcmp -> memset/memcmp. ok matthew

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Fix build with ENCDEBUG defined.

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

missing PR_NOWAIT

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

don't reference an item after it has been returned to the pool
an 8 year old bug exposed by recent uvm changes

ok thib@ tedu@ deraadt@

Replace pool_get() + bzero() with pool_get(..., PR_ZERO).

With input from oga@ and krw@

ok oga@ krw@ thib@ markus@ mk@

In IPsec acquire mode, if the flow was configured for the "any"
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.

To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.

tested by todd@, ok hshoexer@, angelos@, todd@

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@

Assign the struct size to sin6_len instead of sin6_family.
ok hshoexer claudio mpf henning

0 -> PR_NOWAIT (which is defined as 0) in pool_get
as an aid to readability

ok and thinko-catching henning@

more rtrequest() to rtrequest1() replacement.
OK henning@

since the
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

adjust functions dealing with the routing table to take a table ID as
parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer

miscellaneous typo fixes:
- sturct -> struct (spotted by pedro)
- elimination of consecutive 'the' words

ok jmc@, henning@, krw@, robert@, some whining by jolan@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

make it possble to use IPsec over link-local address (policy table uses
sin6_scope_id, IPsec porion uses embedded form). beck ok

simpler ipsp_aux_match() API; ok henning, hshoexer

Check for undersized IP header, found by jbm@, ok angelos@

branches: 1.46.2;
whitespace

Per-socket policies and authentication. Finally.

Search the correct ACQUIRE list --- shifflett@nps.navy.mil

It looks like there has been one crack smoking and a few cut and pastes.
PR_FREEHEADER should not be set in pool_init by the caller. It shouldn't
be set in pool_init at all. Besides, it's going away soon anyway.

Pool deals fairly well with physical memory shortage, but it doesn't deal
well (not at all) with shortages of the vm_map where the pages are mapped
(usually kmem_map).

Try to deal with it:
- group all information the backend allocator for a pool in a separate
struct. The pool will only have a pointer to that struct.
- change the pool_init API to reflect that.
- link all pools allocating from the same allocator on a linked list.
- Since an allocator is responsible to wait for physical memory it will
only fail (waitok) when it runs out of its backing vm_map, carefully
drain pools using the same allocator so that va space is freed.
(see comments in code for caveats and details).
- change pool_reclaim to return if it actually succeeded to free some
memory, use that information to make draining easier and more efficient.
- get rid of PR_URGENT, noone uses it.

at least ; required after label or case; openbsd@davidkrause.com

branches: 1.40.4;
Reset the error return value if the cached TDB matches the
policy. Pointed out by jdmcbride@iol.ie

When the outgoing socket has BYPASS set, don't bother calling the
PCB-checking routine.

bcmp done wrong, detected at bakeoff. Hint: always use
relational operators when using *cmp APIs in conditional expressions.

Don't drop packets if we're using an ACQUIRE policy and some error
occurs while notifying key mgmt; also, always check for new TDBs for
policies where the destination gateway is left unspecified (end-to-end
IPsec case), to avoid asking for new SAs from key mgmt.

Use TAILQ_FOREACH() instead of hand-crafted for loops.

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.

Attach IPsec acquire state to policy entries, and relevant cleanups.

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.

Use the ACQUIRE sequence number to "wake up" acquire state kept and
cause retransmission of outgoing packets. Also, only store outgoing
packets -- just drop incoming packets that cause an SA
acquisition. Some comment fixup.

ifdef out some currently unused code

Rewrite ipsp_clear_acquire() to be more readable, after all the KNF'ing

Use pool(9) for IPsec acquires too.

Use pool(9) for IPsec policy structures.

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF

KNF

Copyright.

use new timeouts for spd expirations; ho@ ok

Trim include files.

Simplify SPD logic (and correct some input cases).

Match prototype.

Correctly free information attached to the policy.

branches: 1.19.2;
Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.

Missing splx in error handling.

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

allow host-to-host negotiations if no gateway has been specified.
from angelos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

include <machine/cpu.h>, since schednetisr needs to do a splsoftnet

Pretty.

Handle failures more gracefully.

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.

Compile in non-INET6 kernels.

Always look for a suitable TDB if the gateway is left unspecified.

All-1s addresses as policy destinations is also reserved for future
use (policy discovery).

branches: 1.6.2;
Fix compile error if lacking -DINET6

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.

Make sure there's enough data on the mbuf for the TCP/UDP ports (if
applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com

Fix checking for incoming packets when the remote gateway has been
fully specified in the flow.

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).

Lots and lots of changes.

Call pfkeyv2_sysctl_policydumper() with shared netlock. It performs
read-olny access to netlock protected data, so the radix tree will
not be modified during spd_table_walk() run.

Also change netlock assertion within spd_table_add() and
ipsec_delete_policy() to exclusive. These are correlating functions
which modifies radix tree, so make us sure spd_table_walk() run with
shared netlock is safe.

Feedback and ok by bluhm@

The timeout for ipsec acquire does not decrement the reference
counter to 0 properly. We have one reference count for the lists,
and one for the timeout handler. When the timout fires, it has to
decrement the reference to itself. Then the ipa is removed from
the lists and decremented again.
from Stefan Butz; OK tobhe@ mvs@

In ipsp_spd_lookup() rename the parameter tdbp to tdbin as it is
always the incoming TDB that has to be checked.
from markus@

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@

Usually we check ipsec_in_use as shortcut to avoid IPsec lookups,
but that does not work when coming from tcp_output() as inp != NULL.
This seems to be done to block packets from sockets with options
in inp_seclevel. But instead of doing the route lookup, go directly
to ipsp_spd_inp() where the socket policy checks are done. Calling
rtable_l2() before the shortcut also costs a bit, do it when needed.
OK tobhe@

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs

Fix a tiny race in tdb_delete() between TDBF_DELETED, tdb_unlink()
and tdb_cleanspd(). gettdb...() can return a TDB before tdb_unlink().
Then ipsp_spd_lookup() could add it to tdb_policy_head after
tdb_cleanspd(). There it would stay until it hits the kassert in
tdb_free().
OK tobhe@

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Initialize `ipsec_acquire_pool' pool (9) within pfkey_init() instead of
doing that in runtime within ipsp_acquire_sa().

ok bluhm@

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Make bundled IPcomp/ESP policies work with IPSEC_LEVEL_REQUIRE.
We only install flows for IPcomp. When processing an incoming ESP SA,
look for a bundled IPcomp SA and use that in the policy check.

ok bluhm@

free(9) sizes for M_RTABLE.

ok kn@

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@

Assert that the NET_LOCK() is held when iterating over `ipsec_acquire_head'.

ok visa@ as part of a larger bigger diff

Fix kernel builds without IPSEC.

OK mikeb@

Flush flows using the radix-tree instead of a global list.

This will allows us to get rid of the list.

ok visa@

Remove unused debug macro.

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Replace bcopy with a simple assignment where both variables are
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.

OK bluhm@

Remove empty #ifdef and #ifndef blocks

OK natano@

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

pool_setipl for various netinet and netinet6 bits

thank you to everyone who helped reviewed these diffs

ok mpi@

Initialize the routing table before domains.

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.

This put the rtable* layer at the same level of the if* level. These
two subsystem are organized around the two global data structure used
in the network stack:

- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.

This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.

While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().

ok claudio@, mikeb@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Merge two identical if() statements in ipsp_acquire_sa(). The
change in ip_spd.c 1.59 makes it appear that there is a cut & pasto.
OK mikeb@

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Perform IPsec bypass check on a socket before performing TDB lookups.
OK markus, hshoexer

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@

Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
functionnality instead of a mix of enable/disable.

ok bluhm@, jca@

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

bzero/bcmp -> memset/memcmp. ok matthew

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Fix build with ENCDEBUG defined.

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick

add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4)
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage

missing PR_NOWAIT

Add support for using IPsec in multiple rdomains.

This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.

Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.

ok claudio@ naddy@

don't reference an item after it has been returned to the pool
an 8 year old bug exposed by recent uvm changes

ok thib@ tedu@ deraadt@

Replace pool_get() + bzero() with pool_get(..., PR_ZERO).

With input from oga@ and krw@

ok oga@ krw@ thib@ markus@ mk@

In IPsec acquire mode, if the flow was configured for the "any"
network 0.0.0.0/0 or ::/0, the SA was established for the IP address
in the packet instead of the network in the flow. That means the
SA was not negotiated for the network 0.0.0.0 with mask 0 but for
the remote IP with mask 255.255.255.255. This SA did not match the
flow and did not work.

To differentiate between general flows that are used to trigger
specific host-to-host SAs and flows for matching network SAs, the
if condition only uses the ipo->ipo_dst field now. For a flow
without peer, an SA must be negotiated for each host-to-host
combination. Otherwise, if a peer exists at the flow, the kernel
acquires one SA for the whole network.

tested by todd@, ok hshoexer@, angelos@, todd@

Convert timeout_add() calls using multiples of hz to timeout_add_sec()

Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.

ok art@, krw@

Assign the struct size to sin6_len instead of sin6_family.
ok hshoexer claudio mpf henning

0 -> PR_NOWAIT (which is defined as 0) in pool_get
as an aid to readability

ok and thinko-catching henning@

more rtrequest() to rtrequest1() replacement.
OK henning@

since the
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>

Consistently spell FALLTHROUGH to appease lint.
ok kettenis@ cloder@ tom@ henning@

adjust functions dealing with the routing table to take a table ID as
parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer

miscellaneous typo fixes:
- sturct -> struct (spotted by pedro)
- elimination of consecutive 'the' words

ok jmc@, henning@, krw@, robert@, some whining by jolan@

First step towards more sane time handling in the kernel -- this changes
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.

ok art@ niklas@ nordin@

make it possble to use IPsec over link-local address (policy table uses
sin6_scope_id, IPsec porion uses embedded form). beck ok

simpler ipsp_aux_match() API; ok henning, hshoexer

Check for undersized IP header, found by jbm@, ok angelos@

branches: 1.46.2;
whitespace

Per-socket policies and authentication. Finally.

Search the correct ACQUIRE list --- shifflett@nps.navy.mil

It looks like there has been one crack smoking and a few cut and pastes.
PR_FREEHEADER should not be set in pool_init by the caller. It shouldn't
be set in pool_init at all. Besides, it's going away soon anyway.

Pool deals fairly well with physical memory shortage, but it doesn't deal
well (not at all) with shortages of the vm_map where the pages are mapped
(usually kmem_map).

Try to deal with it:
- group all information the backend allocator for a pool in a separate
struct. The pool will only have a pointer to that struct.
- change the pool_init API to reflect that.
- link all pools allocating from the same allocator on a linked list.
- Since an allocator is responsible to wait for physical memory it will
only fail (waitok) when it runs out of its backing vm_map, carefully
drain pools using the same allocator so that va space is freed.
(see comments in code for caveats and details).
- change pool_reclaim to return if it actually succeeded to free some
memory, use that information to make draining easier and more efficient.
- get rid of PR_URGENT, noone uses it.

at least ; required after label or case; openbsd@davidkrause.com

branches: 1.40.4;
Reset the error return value if the cached TDB matches the
policy. Pointed out by jdmcbride@iol.ie

When the outgoing socket has BYPASS set, don't bother calling the
PCB-checking routine.

bcmp done wrong, detected at bakeoff. Hint: always use
relational operators when using *cmp APIs in conditional expressions.

Don't drop packets if we're using an ACQUIRE policy and some error
occurs while notifying key mgmt; also, always check for new TDBs for
policies where the destination gateway is left unspecified (end-to-end
IPsec case), to avoid asking for new SAs from key mgmt.

Use TAILQ_FOREACH() instead of hand-crafted for loops.

When determining whether there's a pending acquire wrt a policy, look
at the acquires associated with the policy only.

Attach IPsec acquire state to policy entries, and relevant cleanups.

Don't cache packets that hit policies -- we'll do that at the PCB for
local packets.

Use the ACQUIRE sequence number to "wake up" acquire state kept and
cause retransmission of outgoing packets. Also, only store outgoing
packets -- just drop incoming packets that cause an SA
acquisition. Some comment fixup.

ifdef out some currently unused code

Rewrite ipsp_clear_acquire() to be more readable, after all the KNF'ing

Use pool(9) for IPsec acquires too.

Use pool(9) for IPsec policy structures.

Keep the PFKEY sequence number at the TDB, plus a little bit of KNF

KNF

Copyright.

use new timeouts for spd expirations; ho@ ok

Trim include files.

Simplify SPD logic (and correct some input cases).

Match prototype.

Correctly free information attached to the policy.

branches: 1.19.2;
Check that SAs also match on the credentials and the IDs. This means
that flows with different source/destination ID requirements will
cause different SAs to be established by IKE (or whatever other
protocol). Also, use the new data types for allocated memory.

Missing splx in error handling.

Minor changes, preparing for real socket-attached TDBs; also, more
information will be stored in the TDB. ok ho@ provos@

allow host-to-host negotiations if no gateway has been specified.
from angelos@

Move offsetof define into sys/param.h

Allow tdbi's to appear in mbufs throughout the stack; this allows
security properties of the packets to be pushed up to the application
(not done yet). Eventually, this will be turned into a packet
attributes framework.

Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS)
does weird things with mbufs.

include <machine/cpu.h>, since schednetisr needs to do a splsoftnet

Pretty.

Handle failures more gracefully.

Keep the last packet sent or received that matched an SPD entry, and
retransmit if we eventually have an SA setup for that policy.

Compile in non-INET6 kernels.

Always look for a suitable TDB if the gateway is left unspecified.

All-1s addresses as policy destinations is also reserved for future
use (policy discovery).

branches: 1.6.2;
Fix compile error if lacking -DINET6

ASKPOLICY message; used by key management to inquire about policy
triggering an ACQUIRE.

Make sure there's enough data on the mbuf for the TCP/UDP ports (if
applicable) -- bug located thanks to a crashdump from HJungheim@vpnet.com

Fix checking for incoming packets when the remote gateway has been
fully specified in the flow.

Add IDENTITY payloads to flow establishment (and cleanup accordingly)
-- this will address one of itojun's question on how are IDs for IKE
to be determined (need to add support for this to ipsecadm).

Lots and lots of changes.

The timeout for ipsec acquire does not decrement the reference
counter to 0 properly. We have one reference count for the lists,
and one for the timeout handler. When the timout fires, it has to
decrement the reference to itself. Then the ipa is removed from
the lists and decremented again.
from Stefan Butz; OK tobhe@ mvs@

In ipsp_spd_lookup() rename the parameter tdbp to tdbin as it is
always the incoming TDB that has to be checked.
from markus@

Hrvoje has hit a crash with IPsec acquire while testing the parallel
IP forwarding diff. Add mutex and refcount to make memory management
of struct ipsec_acquire MP safe.
testing Hrvoje Popovski; input sashan@; OK mvs@

In IPsec policy replace integer refcount with atomic refcount.
OK tobhe@ mvs@

Usually we check ipsec_in_use as shortcut to avoid IPsec lookups,
but that does not work when coming from tcp_output() as inp != NULL.
This seems to be done to block packets from sockets with options
in inp_seclevel. But instead of doing the route lookup, go directly
to ipsp_spd_inp() where the socket policy checks are done. Calling
rtable_l2() before the shortcut also costs a bit, do it when needed.
OK tobhe@

Delete unnecessary #includes of <sys/domain.h> and/or <sys/protosw.h>

net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@

Add `ipsec_flows_mtx' mutex(9) to protect `ipsp_ids_*' list and
trees. ipsp_ids_lookup() returns `ids' with bumped reference
counter. original diff from mvs

ok mvs

Fix a tiny race in tdb_delete() between TDBF_DELETED, tdb_unlink()
and tdb_cleanspd(). gettdb...() can return a TDB before tdb_unlink().
Then ipsp_spd_lookup() could add it to tdb_policy_head after
tdb_cleanspd(). There it would stay until it hits the kassert in
tdb_free().
OK tobhe@

To cache lookups, the policy ipo is linked to its SA tdb. There
is also a list of SAs that belong to a policy. To make it MP safe,
protect these pointers with a mutex.
tested by Hrvoje Popovski; OK mvs@

Add TDB reference counting to ipsp_spd_lookup(). If an output
pointer is passed to the function, it will return a refcounted TDB.
The ref happens when ipsp_spd_inp() copies the pointer from
ipo->ipo_tdb. The caller of ipsp_spd_lookup() has to unref after
using it.
tested by Hrvoje Popovski; OK mvs@ tobhe@

Let ipsp_spd_lookup() return an error instead of a TDB. The TDB
is not always needed, but the error value is necessary for the
caller. As TDB should be refcounted, it makes not sense to always
return it. Pass an output pointer for the TDB which can be NULL.
OK mvs@ tobhe@

Remove unused parameter from ipsp_spd_inp().
OK mvs@ yasuoka@

Implement reference counting for IPsec tdbs. Not all cases are
covered yet, more ref counts to come. The timeouts are protected,
so the racy tdb_reaper() gets retired. The tdb_policy_head, onext
and inext lists are protected. All gettdb...() functions return a
tdb that is ref counted and has to be unrefed later. A flag ensures
that tdb_delete() is called only once.
Tested by Hrvoje Popovski; OK sthen@ mvs@ tobhe@

Initialize `ipsec_acquire_pool' pool (9) within pfkey_init() instead of
doing that in runtime within ipsp_acquire_sa().

ok bluhm@

Initialize `ipsec_policy_pool' within pfkey_init() instead of doing that
in runtime within pfkeyv2_send(). Also set it's interrupt protection
level to IPL_SOFTNET.

ok bluhm@ mpi@

kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)

time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.

This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).

There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.

There is no performance cost on 64-bit (__LP64__) platforms.

With input from visa@, dlg@, and tedu@.

Several bugs squashed by visa@.

ok kettenis@

Make bundled IPcomp/ESP policies work with IPSEC_LEVEL_REQUIRE.
We only install flows for IPcomp. When processing an incoming ESP SA,
look for a bundled IPcomp SA and use that in the policy check.

ok bluhm@

free(9) sizes for M_RTABLE.

ok kn@

ipsec: use monotonic clock for SA creation/lookup timestamps; ok dlg@

Assert that the NET_LOCK() is held when iterating over `ipsec_acquire_head'.

ok visa@ as part of a larger bigger diff

Fix kernel builds without IPSEC.

OK mikeb@

Flush flows using the radix-tree instead of a global list.

This will allows us to get rid of the list.

ok visa@

Remove unused debug macro.

Dump IPsec flows by iterating over the rafdix-tree.

This enforces an order and will allow us to get rid of the global list.

ok millert@, visa@, markus@

Last changes before running IPsec w/o KERNEL_LOCK().

Put more NET_ASSERT_LOCK() and document which globals it protects.

Add a mutex for pfkeyv2 globals.

Convert ipsp_delete_acquire() to timeout_set_proc().

Tested by Hrvoje Popovski, ok bluhm@ visa@

Replace bcopy with a simple assignment where both variables are
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.

OK bluhm@

Remove empty #ifdef and #ifndef blocks

OK natano@

all pools have their ipl set via pool_setipl, so fold it into pool_init.

the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.

most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.

the manpage and subr_pool.c bits i did myself.

ok tedu@ jmatthew@

@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);

pool_setipl for various netinet and netinet6 bits

thank you to everyone who helped reviewed these diffs

ok mpi@

Initialize the routing table before domains.

The routing table is not an optional component of the network stack
and initializing it inside the "routing domain" requires some ugly
introspection in the domain interface.

This put the rtable* layer at the same level of the if* level. These
two subsystem are organized around the two global data structure used
in the network stack:

- the global &ifnet list, to be used in process context only, and
- the routing table which can be read in interrupt context.

This change makes the rtable_* layer domain-aware and extends the
"struct domain" such that INET, INET6 and MPLS can specify the length
of the binary key used in lookups. This allows us to keep, or move
towards, AF-free route and rtable layers.

While here stop the madness and pass the size of the maximum key length
in *byte* to rn_inithead0().

ok claudio@, mikeb@

It is time to put inet6 on a diet. Use the flensing knife and cut out
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@

manage spd entries by using the radix api directly instead of
reaching around through the routing table

original diff by myself, much improved by mikeb@ and mpi@

ok and testing mikeb@ mpi@

introduce ipsec-id bundles and use them for ipsecflowinfo,
fixes rekeying for l2tp/ipsec against multiple windows clients
and saves memory (for many SAs to same peers); feedback and ok mikeb@

Merge two identical if() statements in ipsp_acquire_sa(). The
change in ip_spd.c 1.59 makes it appear that there is a cut & pasto.
OK mikeb@

remove unfinished/unused support for socket-attached ipsec-policies
ok mikeb

Remove support for storing credentials and auth information in the kernel.

This code is largely unfinished and is not used for anything. The change
leaves identities as only objects referenced by ipsec_ref structure and
their handling requires some changes to support more advanced matching of
IPsec connections.

No objections from reyk and hshoexer, with and OK markus.

Perform IPsec bypass check on a socket before performing TDB lookups.
OK markus, hshoexer

Rename gettdbbyaddr to gettdbbydst; OK markus, hshoexer, mpi

Remove unused arguments from gettdb* functions; OK markus, hshoexer, mpi

Remove some includes include-what-you-use claims don't
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.

ok tedu@ deraadt@

unifdef INET in net code as a precursor to removing the pretend option.
long live the one true internet.
ok henning mikeb

The proliferation of "struct route" in all its flavors didn't make
any good to our network stack.

The most visible effect is the maze of #ifdef's and casts. But the
real problem is the very fragile way of checking if a (cached) route
entry is still valid or not. What should we do if the route jumped
to another ifaddr or if its gateway has been changed?

This change start the dance of "struct route" & friends removal by
sending the completly useless "struct route_enc" to the bucket.

Tweak & ok claudio@

Rename rtalloc1() into rtalloc(9) and convert its flags to only enable
functionnality instead of a mix of enable/disable.

ok bluhm@, jca@

Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and
kill the macro.

ok mikeb@, henning@

Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer
rely on "struct route" that should die.

ok claudio@

Fewer <netinet/in_systm.h> !

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

bzero/bcmp -> memset/memcmp. ok matthew

Remove the number of in6_var.h inclusions by moving some functions and
global variables to in6.h.

ok deraadt@

Remove the number of in_var.h inclusions by moving some functions and
global variables to in.h.

ok mikeb@, deraadt@

Fix build with ENCDEBUG defined.

Remove the extern keyword from function declarations, document
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.

No objection from markus@, ok mikeb@

code that calls timeout functions should include timeout.h
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick