src/sys/netinet6/ipsec.c, branch release/5.3.0_cvs FreeBSD source tree This commit was manufactured by cvs2svn to create tag 2004-11-04T19:12:42+00:00 cvs2svn cvs2svn@FreeBSD.org 2004-11-04T19:12:42+00:00 3f86d8a2ea3f3265afaa1fd263b0004c5c000e69 'RELENG_5_3_0_RELEASE'. This commit was manufactured to restore the state of the 5.3-RELEASE image. 
'RELENG_5_3_0_RELEASE'.

This commit was manufactured to restore the state of the 5.3-RELEASE image.
Merge sys/netgraph/ng_tty.c:1.30, sys/netinet6/ipsec.c:1.37, 2004-09-03T03:12:58+00:00 Robert Watson rwatson@FreeBSD.org 2004-09-03T03:12:58+00:00 bbee142b17555cbfe1cc643d5178d63b42214690 sys/netipx/ipx.c:1.27 to RELENG_5: Mark Netgraph TTY, KAME IPSEC, and IPX/SPX as requiring Giant for correct operation using NET_NEEDS_GIANT(). This will result in a boot-time restoration of Giant-enabled network operation, or run-time warning on dynamic load (applicable only to the Netgraph component). Additional components will likely need to be marked with this in the future. Approved by: re (scottl, kensmith) 
sys/netipx/ipx.c:1.27 to RELENG_5:

  Mark Netgraph TTY, KAME IPSEC, and IPX/SPX as requiring Giant for correct
  operation using NET_NEEDS_GIANT().  This will result in a boot-time
  restoration of Giant-enabled network operation, or run-time warning on
  dynamic load (applicable only to the Netgraph component).  Additional
  components will likely need to be marked with this in the future.

Approved by:	re (scottl, kensmith)
Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD 2004-08-14T15:32:40+00:00 David Malone dwmalone@FreeBSD.org 2004-08-14T15:32:40+00:00 1f44b0a1b539198ce55bf97e73d51ded20a55ab4 have already done this, so I have styled the patch on their work: 1) introduce a ip_newid() static inline function that checks the sysctl and then decides if it should return a sequential or random IP ID. 2) named the sysctl net.inet.ip.random_id 3) IPv6 flow IDs and fragment IDs are now always random. Flow IDs and frag IDs are significantly less common in the IPv6 world (ie. rarely generated per-packet), so there should be smaller performance concerns. The sysctl defaults to 0 (sequential IP IDs). Reviewed by: andre, silby, mlaier, ume Based on: NetBSD MFC after: 2 months 
have already done this, so I have styled the patch on their work:

        1) introduce a ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
correct function name in comment. 2004-02-16T18:07:53+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2004-02-16T18:07:53+00:00 ce9f8a4f5a9a05f8ad5ac757b0878ed3136bd557 Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> 
Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
nuke unused functions. 2004-02-16T17:02:44+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2004-02-16T17:02:44+00:00 06a72d12d153841a2084e7a580d8fbd4c8fc29d9 Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> 
Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
pass pcb rather than so. it is expected that per socket policy 2004-02-03T18:20:55+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2004-02-03T18:20:55+00:00 f073c60f73b0212a7c2cdde142b0e79e8a3981fa works again. 
works again.
correct spelling 2004-01-13T05:39:07+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2004-01-13T05:39:07+00:00 22acb4fa32aefd5680c89d50dc949d28c9013e32 Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun 
Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by:	itojun
fix potential 'cannot-happen' memory leak 2004-01-13T05:32:12+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2004-01-13T05:32:12+00:00 7495684acaaeafd590fcf067af9a1ae8ad65f12c Submitted by: "Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net> Reviewed by: itojun 
Submitted by:	"Bjoern A. Zeeb" <bzeeb+freebsd@zabbadoz.net>
Reviewed by:	itojun
nuke obsoleted ipsec_gethist(). it just did panic to notify user 2003-11-07T20:38:45+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2003-11-07T20:38:45+00:00 ba3484d9435b92c9229049532d73ff22b9441ae4 that it was obsoleted. it is better to fail than just hiding use of ipsec_gethist() at build. Sugessted by: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> 
that it was obsoleted.  it is better to fail than just hiding use
of ipsec_gethist() at build.

Sugessted by:	"Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net>
- cleanup SP refcnt issue. 2003-11-04T16:02:05+00:00 Hajimu UMEMOTO ume@FreeBSD.org 2003-11-04T16:02:05+00:00 0f9ade718da4248226297bed41f3e9e372fd5f4d - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME 
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all.  secpolicy no longer contain
  spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy.  assign ID field to
  all SPD entries.  make it possible for racoon to grab SPD entry on
  pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header.  a mode is always needed
  to compare them.
- fixed that the incorrect time was set to
  sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
  because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
  alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
  XXX in theory refcnt should do the right thing, however, we have
  "spdflush" which would touch all SPs.  another solution would be to
  de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion.  ipsec_*_policy ->
  ipsec_*_pcbpolicy.
- avoid variable name confusion.
  (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
  secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
  can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
  "src" of the spidx specifies ICMP type, and the port field in "dst"
  of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
  kernel forwards the packets.

Tested by:	nork
Obtained from:	KAME