Commit the change from FAST_IPSEC to IPSEC. The FAST_IPSEC
option is now deprecated, as well as the KAME IPsec code. What was FAST_IPSEC is now IPSEC. Approved by: re Sponsored by: Secure Computing
parent
25929d7851
commit
b2630c2934
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=171167
@ -495,8 +495,7 @@ options HWPMC_HOOKS # Other necessary kernel hooks
|
|||||||
#
|
#
|
||||||
options INET #Internet communications protocols
|
options INET #Internet communications protocols
|
||||||
options INET6 #IPv6 communications protocols
|
options INET6 #IPv6 communications protocols
|
||||||
#options IPSEC #IP security
|
options IPSEC #IP security
|
||||||
#options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
|
|
||||||
#options IPSEC_DEBUG #debug for IP security
|
#options IPSEC_DEBUG #debug for IP security
|
||||||
#
|
#
|
||||||
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
|
# Set IPSEC_FILTERGIF to force packets coming through a gif tunnel
|
||||||
@ -509,8 +508,6 @@ options INET6 #IPv6 communications protocols
|
|||||||
#
|
#
|
||||||
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
|
#options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
|
||||||
|
|
||||||
options FAST_IPSEC #new IPsec (cannot define w/ IPSEC)
|
|
||||||
|
|
||||||
options IPX #IPX/SPX communications protocols
|
options IPX #IPX/SPX communications protocols
|
||||||
|
|
||||||
options NCP #NetWare Core protocol
|
options NCP #NetWare Core protocol
|
||||||
@ -786,7 +783,7 @@ device pflog #logging support interface for PF
|
|||||||
device pfsync #synchronization interface for PF
|
device pfsync #synchronization interface for PF
|
||||||
options PF_MPSAFE_UGID #Workaround LOR with user/group rules
|
options PF_MPSAFE_UGID #Workaround LOR with user/group rules
|
||||||
device carp #Common Address Redundancy Protocol
|
device carp #Common Address Redundancy Protocol
|
||||||
device enc #IPSec interface (needs FAST_IPSEC)
|
device enc #IPsec interface
|
||||||
device ppp #Point-to-point protocol
|
device ppp #Point-to-point protocol
|
||||||
options PPP_BSDCOMP #PPP BSD-compress support
|
options PPP_BSDCOMP #PPP BSD-compress support
|
||||||
options PPP_DEFLATE #PPP zlib/deflate/gzip support
|
options PPP_DEFLATE #PPP zlib/deflate/gzip support
|
||||||
@ -880,8 +877,8 @@ options ACCEPT_FILTER_HTTP
|
|||||||
# carried in TCP option 19. This option is commonly used to protect
|
# carried in TCP option 19. This option is commonly used to protect
|
||||||
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
|
# TCP sessions (e.g. BGP) where IPSEC is not available nor desirable.
|
||||||
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
|
# This is enabled on a per-socket basis using the TCP_MD5SIG socket option.
|
||||||
# This requires the use of 'device crypto', 'options FAST_IPSEC' or 'options
|
# This requires the use of 'device crypto', 'options IPSEC'
|
||||||
# IPSEC', and 'device cryptodev'.
|
# or 'device cryptodev'.
|
||||||
#options TCP_SIGNATURE #include support for RFC 2385
|
#options TCP_SIGNATURE #include support for RFC 2385
|
||||||
|
|
||||||
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
|
# DUMMYNET enables the "dummynet" bandwidth limiter. You need IPFIREWALL
|
||||||
@ -2513,7 +2510,7 @@ options DCONS_FORCE_GDB=1 # force to be the gdb device
|
|||||||
# crypto subsystem
|
# crypto subsystem
|
||||||
#
|
#
|
||||||
# This is a port of the OpenBSD crypto framework. Include this when
|
# This is a port of the OpenBSD crypto framework. Include this when
|
||||||
# configuring FAST_IPSEC and when you have a h/w crypto device to accelerate
|
# configuring IPSEC and when you have a h/w crypto device to accelerate
|
||||||
# user applications that link to OpenSSL.
|
# user applications that link to OpenSSL.
|
||||||
#
|
#
|
||||||
# Drivers are ports from OpenBSD with some simple enhancements that have
|
# Drivers are ports from OpenBSD with some simple enhancements that have
|
||||||
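Review bot: The reworded TCP_SIGNATURE comment (`# This requires the use of 'device crypto', 'options IPSEC'` followed by `# or 'device cryptodev'.`) now reads as if any one of the three items were enough, whereas the previous wording joined the requirements with "and". The build rule changed elsewhere in this commit, `netipsec/xform_tcp.c optional ipsec tcp_signature`, shows the RFC 2385 code is only compiled when IPSEC is configured, so the "or" is misleading for anyone enabling TCP-MD5 for BGP sessions. Keeping the conjunction, e.g. `# This requires the use of 'device crypto', 'options IPSEC'` and `# and 'device cryptodev'.`, preserves the old meaning. Whether cryptodev is strictly needed is not visible on this page and is worth confirming while the comment is being touched.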
|
@ -338,12 +338,12 @@ contrib/pf/net/pf_table.c optional pf \
|
|||||||
contrib/pf/net/pf_osfp.c optional pf \
|
contrib/pf/net/pf_osfp.c optional pf \
|
||||||
compile-with "${NORMAL_C} -I$S/contrib/pf"
|
compile-with "${NORMAL_C} -I$S/contrib/pf"
|
||||||
contrib/pf/netinet/in4_cksum.c optional pf inet
|
contrib/pf/netinet/in4_cksum.c optional pf inet
|
||||||
crypto/blowfish/bf_ecb.c optional ipsec ipsec_esp
|
crypto/blowfish/bf_ecb.c optional ipsec
|
||||||
crypto/blowfish/bf_skey.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_skey.c optional crypto | ipsec
|
||||||
crypto/camellia/camellia.c optional crypto | ipsec ipsec_esp
|
crypto/camellia/camellia.c optional crypto | ipsec
|
||||||
crypto/camellia/camellia-api.c optional crypto | ipsec ipsec_esp
|
crypto/camellia/camellia-api.c optional crypto | ipsec
|
||||||
crypto/des/des_ecb.c optional crypto | ipsec ipsec_esp | netsmb
|
crypto/des/des_ecb.c optional crypto | ipsec | netsmb
|
||||||
crypto/des/des_setkey.c optional crypto | ipsec ipsec_esp | netsmb
|
crypto/des/des_setkey.c optional crypto | ipsec | netsmb
|
||||||
crypto/rc4/rc4.c optional netgraph_mppc_encryption
|
crypto/rc4/rc4.c optional netgraph_mppc_encryption
|
||||||
crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
|
crypto/rijndael/rijndael-alg-fst.c optional crypto | geom_bde | \
|
||||||
ipsec | random | wlan_ccmp
|
ipsec | random | wlan_ccmp
|
||||||
@ -1829,7 +1829,7 @@ netinet/ip_fw2.c optional ipfirewall
|
|||||||
netinet/ip_fw_pfil.c optional ipfirewall
|
netinet/ip_fw_pfil.c optional ipfirewall
|
||||||
netinet/ip_icmp.c optional inet
|
netinet/ip_icmp.c optional inet
|
||||||
netinet/ip_input.c optional inet
|
netinet/ip_input.c optional inet
|
||||||
netinet/ip_ipsec.c optional fast_ipsec
|
netinet/ip_ipsec.c optional ipsec
|
||||||
netinet/ip_mroute.c optional mrouting inet | mrouting inet6
|
netinet/ip_mroute.c optional mrouting inet | mrouting inet6
|
||||||
netinet/ip_options.c optional inet
|
netinet/ip_options.c optional inet
|
||||||
netinet/ip_output.c optional inet
|
netinet/ip_output.c optional inet
|
||||||
@ -1880,7 +1880,7 @@ netinet6/ip6_id.c optional inet6
|
|||||||
netinet6/ip6_input.c optional inet6
|
netinet6/ip6_input.c optional inet6
|
||||||
netinet6/ip6_mroute.c optional mrouting inet6
|
netinet6/ip6_mroute.c optional mrouting inet6
|
||||||
netinet6/ip6_output.c optional inet6
|
netinet6/ip6_output.c optional inet6
|
||||||
netinet6/ip6_ipsec.c optional inet6 fast_ipsec
|
netinet6/ip6_ipsec.c optional ipsec
|
||||||
netinet6/mld6.c optional inet6
|
netinet6/mld6.c optional inet6
|
||||||
netinet6/nd6.c optional inet6
|
netinet6/nd6.c optional inet6
|
||||||
netinet6/nd6_nbr.c optional inet6
|
netinet6/nd6_nbr.c optional inet6
|
||||||
@ -1891,18 +1891,18 @@ netinet6/scope6.c optional inet6
|
|||||||
netinet6/sctp6_usrreq.c optional inet6 sctp
|
netinet6/sctp6_usrreq.c optional inet6 sctp
|
||||||
netinet6/udp6_output.c optional inet6
|
netinet6/udp6_output.c optional inet6
|
||||||
netinet6/udp6_usrreq.c optional inet6
|
netinet6/udp6_usrreq.c optional inet6
|
||||||
netipsec/ipsec.c optional fast_ipsec
|
netipsec/ipsec.c optional ipsec
|
||||||
netipsec/ipsec_input.c optional fast_ipsec
|
netipsec/ipsec_input.c optional ipsec
|
||||||
netipsec/ipsec_mbuf.c optional fast_ipsec
|
netipsec/ipsec_mbuf.c optional ipsec
|
||||||
netipsec/ipsec_output.c optional fast_ipsec
|
netipsec/ipsec_output.c optional ipsec
|
||||||
netipsec/key.c optional fast_ipsec
|
netipsec/key.c optional ipsec
|
||||||
netipsec/key_debug.c optional fast_ipsec
|
netipsec/key_debug.c optional ipsec
|
||||||
netipsec/keysock.c optional fast_ipsec
|
netipsec/keysock.c optional ipsec
|
||||||
netipsec/xform_ah.c optional fast_ipsec
|
netipsec/xform_ah.c optional ipsec
|
||||||
netipsec/xform_esp.c optional fast_ipsec
|
netipsec/xform_esp.c optional ipsec
|
||||||
netipsec/xform_ipcomp.c optional fast_ipsec
|
netipsec/xform_ipcomp.c optional ipsec
|
||||||
netipsec/xform_ipip.c optional fast_ipsec
|
netipsec/xform_ipip.c optional ipsec
|
||||||
netipsec/xform_tcp.c optional fast_ipsec tcp_signature
|
netipsec/xform_tcp.c optional ipsec tcp_signature
|
||||||
netipx/ipx.c optional ipx
|
netipx/ipx.c optional ipx
|
||||||
netipx/ipx_cksum.c optional ipx
|
netipx/ipx_cksum.c optional ipx
|
||||||
netipx/ipx_input.c optional ipx
|
netipx/ipx_input.c optional ipx
|
||||||
@ -1959,7 +1959,7 @@ nfsserver/nfs_srvcache.c optional nfsserver
|
|||||||
nfsserver/nfs_srvsubs.c optional nfsserver
|
nfsserver/nfs_srvsubs.c optional nfsserver
|
||||||
nfsserver/nfs_syscalls.c optional nfsserver
|
nfsserver/nfs_syscalls.c optional nfsserver
|
||||||
# crypto support
|
# crypto support
|
||||||
opencrypto/cast.c optional crypto | ipsec ipsec_esp
|
opencrypto/cast.c optional crypto | ipsec
|
||||||
opencrypto/criov.c optional crypto
|
opencrypto/criov.c optional crypto
|
||||||
opencrypto/crypto.c optional crypto
|
opencrypto/crypto.c optional crypto
|
||||||
opencrypto/cryptodev.c optional cryptodev
|
opencrypto/cryptodev.c optional cryptodev
|
||||||
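Review bot: The new rule `netinet6/ip6_ipsec.c optional ipsec` drops the `inet6` requirement that the old rule (`optional inet6 fast_ipsec`) carried, so a kernel configured with IPSEC but without INET6 would now try to build the IPv6 IPsec glue. Unless that file is wrapped entirely in `#ifdef INET6` (not visible here), this looks like an unintended side effect of the rename; `netinet6/ip6_ipsec.c optional inet6 ipsec` would keep the previous condition. Separately, the cipher sources that used to need `ipsec ipsec_esp` are now selected by `ipsec` alone, which appears intended. It does mean every IPSEC kernel now carries the ESP ciphers, which deserves a mention in the commit message.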
|
@ -135,9 +135,8 @@ amd64/isa/isa_dma.c standard
|
|||||||
amd64/isa/nmi.c standard
|
amd64/isa/nmi.c standard
|
||||||
amd64/pci/pci_bus.c optional pci
|
amd64/pci/pci_bus.c optional pci
|
||||||
amd64/pci/pci_cfgreg.c optional pci
|
amd64/pci/pci_cfgreg.c optional pci
|
||||||
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
netsmb
|
|
||||||
dev/acpica/acpi_if.m standard
|
dev/acpica/acpi_if.m standard
|
||||||
dev/arcmsr/arcmsr.c optional arcmsr pci
|
dev/arcmsr/arcmsr.c optional arcmsr pci
|
||||||
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
||||||
|
@ -1,7 +1,6 @@
|
|||||||
# $FreeBSD$
|
# $FreeBSD$
|
||||||
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
netsmb
|
|
||||||
arm/arm/autoconf.c standard
|
arm/arm/autoconf.c standard
|
||||||
arm/arm/bcopy_page.S standard
|
arm/arm/bcopy_page.S standard
|
||||||
arm/arm/bcopyinout.S standard
|
arm/arm/bcopyinout.S standard
|
||||||
|
@ -132,11 +132,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci
|
|||||||
contrib/dev/oltr/trlldbm.c optional oltr
|
contrib/dev/oltr/trlldbm.c optional oltr
|
||||||
contrib/dev/oltr/trlldhm.c optional oltr
|
contrib/dev/oltr/trlldhm.c optional oltr
|
||||||
contrib/dev/oltr/trlldmac.c optional oltr
|
contrib/dev/oltr/trlldmac.c optional oltr
|
||||||
bf_enc.o optional crypto | ipsec ipsec_esp \
|
bf_enc.o optional crypto | ipsec \
|
||||||
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
|
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
|
||||||
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
|
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
|
||||||
no-implicit-rule
|
no-implicit-rule
|
||||||
crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb
|
crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
|
||||||
crypto/via/padlock.c optional padlock
|
crypto/via/padlock.c optional padlock
|
||||||
crypto/via/padlock_cipher.c optional padlock
|
crypto/via/padlock_cipher.c optional padlock
|
||||||
crypto/via/padlock_hash.c optional padlock
|
crypto/via/padlock_hash.c optional padlock
|
||||||
|
@ -42,9 +42,8 @@ contrib/ia64/libuwx/src/uwx_swap.c standard
|
|||||||
contrib/ia64/libuwx/src/uwx_trace.c standard
|
contrib/ia64/libuwx/src/uwx_trace.c standard
|
||||||
contrib/ia64/libuwx/src/uwx_uinfo.c standard
|
contrib/ia64/libuwx/src/uwx_uinfo.c standard
|
||||||
contrib/ia64/libuwx/src/uwx_utable.c standard
|
contrib/ia64/libuwx/src/uwx_utable.c standard
|
||||||
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
netsmb
|
|
||||||
dev/advansys/adv_isa.c optional adv isa
|
dev/advansys/adv_isa.c optional adv isa
|
||||||
dev/aic/aic_isa.c optional aic isa
|
dev/aic/aic_isa.c optional aic isa
|
||||||
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
||||||
|
@ -93,11 +93,11 @@ contrib/dev/oltr/if_oltr_pci.c optional oltr pci
|
|||||||
contrib/dev/oltr/trlldbm.c optional oltr
|
contrib/dev/oltr/trlldbm.c optional oltr
|
||||||
contrib/dev/oltr/trlldhm.c optional oltr
|
contrib/dev/oltr/trlldhm.c optional oltr
|
||||||
contrib/dev/oltr/trlldmac.c optional oltr
|
contrib/dev/oltr/trlldmac.c optional oltr
|
||||||
bf_enc.o optional crypto | ipsec ipsec_esp \
|
bf_enc.o optional crypto | ipsec \
|
||||||
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
|
dependency "$S/crypto/blowfish/arch/i386/bf_enc.S $S/crypto/blowfish/arch/i386/bf_enc_586.S $S/crypto/blowfish/arch/i386/bf_enc_686.S" \
|
||||||
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
|
compile-with "${CC} -c -I$S/crypto/blowfish/arch/i386 ${ASM_CFLAGS} ${WERROR} ${.IMPSRC}" \
|
||||||
no-implicit-rule
|
no-implicit-rule
|
||||||
crypto/des/arch/i386/des_enc.S optional crypto | ipsec ipsec_esp | netsmb
|
crypto/des/arch/i386/des_enc.S optional crypto | ipsec | netsmb
|
||||||
dev/aic/aic_cbus.c optional aic isa
|
dev/aic/aic_cbus.c optional aic isa
|
||||||
dev/ar/if_ar.c optional ar
|
dev/ar/if_ar.c optional ar
|
||||||
dev/ar/if_ar_pci.c optional ar pci
|
dev/ar/if_ar_pci.c optional ar pci
|
||||||
|
@ -75,8 +75,8 @@ powerpc/powerpc/db_interface.c optional ddb
|
|||||||
powerpc/powerpc/db_hwwatch.c optional ddb
|
powerpc/powerpc/db_hwwatch.c optional ddb
|
||||||
powerpc/powerpc/db_trace.c optional ddb
|
powerpc/powerpc/db_trace.c optional ddb
|
||||||
|
|
||||||
crypto/blowfish/bf_enc.c optional ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional ipsec ipsec_esp | netsmb
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
|
|
||||||
dev/ofw/openfirm.c standard
|
dev/ofw/openfirm.c standard
|
||||||
dev/ofw/ofw_bus_if.m standard
|
dev/ofw/ofw_bus_if.m standard
|
||||||
|
@ -32,9 +32,8 @@ opt_ah.h optional ath_hal \
|
|||||||
no-obj no-implicit-rule before-depend \
|
no-obj no-implicit-rule before-depend \
|
||||||
clean "opt_ah.h"
|
clean "opt_ah.h"
|
||||||
#
|
#
|
||||||
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
netsmb
|
|
||||||
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
dev/atkbdc/atkbd.c optional atkbd atkbdc
|
||||||
dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc
|
dev/atkbdc/atkbd_atkbdc.c optional atkbd atkbdc
|
||||||
dev/atkbdc/atkbdc.c optional atkbdc
|
dev/atkbdc/atkbdc.c optional atkbdc
|
||||||
|
@ -18,9 +18,8 @@ ukbdmap.h optional ukbd_dflt_keymap \
|
|||||||
clean "ukbdmap.h"
|
clean "ukbdmap.h"
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
crypto/blowfish/bf_enc.c optional crypto | ipsec ipsec_esp
|
crypto/blowfish/bf_enc.c optional crypto | ipsec
|
||||||
crypto/des/des_enc.c optional crypto | ipsec ipsec_esp | \
|
crypto/des/des_enc.c optional crypto | ipsec | netsmb
|
||||||
netsmb
|
|
||||||
dev/ofw/ofw_bus_if.m standard
|
dev/ofw/ofw_bus_if.m standard
|
||||||
dev/ofw/ofw_bus_subr.c standard
|
dev/ofw/ofw_bus_subr.c standard
|
||||||
dev/ofw/ofw_console.c optional ofw_console
|
dev/ofw/ofw_console.c optional ofw_console
|
||||||
|
@ -358,10 +358,8 @@ MROUTING opt_mrouting.h
|
|||||||
INET opt_inet.h
|
INET opt_inet.h
|
||||||
INET6 opt_inet6.h
|
INET6 opt_inet6.h
|
||||||
IPSEC opt_ipsec.h
|
IPSEC opt_ipsec.h
|
||||||
IPSEC_ESP opt_ipsec.h
|
|
||||||
IPSEC_DEBUG opt_ipsec.h
|
IPSEC_DEBUG opt_ipsec.h
|
||||||
IPSEC_FILTERGIF opt_ipsec.h
|
IPSEC_FILTERGIF opt_ipsec.h
|
||||||
FAST_IPSEC opt_ipsec.h
|
|
||||||
IPDIVERT
|
IPDIVERT
|
||||||
DUMMYNET opt_ipdn.h
|
DUMMYNET opt_ipdn.h
|
||||||
IPFILTER opt_ipfilter.h
|
IPFILTER opt_ipfilter.h
|
||||||
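Review bot: Removing `FAST_IPSEC opt_ipsec.h` and `IPSEC_ESP opt_ipsec.h` outright leaves no compatibility path for kernel configuration files that still name those options. The `#ifdef FAST_IPSEC` blocks shown on this page are all switched to `IPSEC`, so a config carried forward unchanged no longer selects any of that code. Depending on how config(8) treats an option it no longer knows, the result is either a configuration error or a kernel built without IPsec. The second outcome is a silent loss of a security feature, so an upgrade note telling administrators to replace `options FAST_IPSEC` with `options IPSEC` and to delete `options IPSEC_ESP` would help, if one is not already part of the change outside this page.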
|
@ -199,7 +199,7 @@ padlock_newsession(device_t dev, uint32_t *sidp, struct cryptoini *cri)
|
|||||||
|
|
||||||
/*
|
/*
|
||||||
* We only support HMAC algorithms to be able to work with
|
* We only support HMAC algorithms to be able to work with
|
||||||
* fast_ipsec(4), so if we are asked only for authentication without
|
* ipsec(4), so if we are asked only for authentication without
|
||||||
* encryption, don't pretend we can accellerate it.
|
* encryption, don't pretend we can accellerate it.
|
||||||
*/
|
*/
|
||||||
if (encini == NULL)
|
if (encini == NULL)
|
||||||
|
@ -328,7 +328,7 @@ struct sadb_x_ipsecrequest {
|
|||||||
/* private allocations - based on RFC4312/IANA assignment */
|
/* private allocations - based on RFC4312/IANA assignment */
|
||||||
#define SADB_X_EALG_CAMELLIACBC 22
|
#define SADB_X_EALG_CAMELLIACBC 22
|
||||||
/* private allocations should use 249-255 (RFC2407) */
|
/* private allocations should use 249-255 (RFC2407) */
|
||||||
#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for FAST_IPSEC */
|
#define SADB_X_EALG_SKIPJACK 249 /*250*/ /* for IPSEC */
|
||||||
#define SADB_X_EALG_AESCTR 250 /*249*/ /* draft-ietf-ipsec-ciph-aes-ctr-03 */
|
#define SADB_X_EALG_AESCTR 250 /*249*/ /* draft-ietf-ipsec-ciph-aes-ctr-03 */
|
||||||
|
|
||||||
/* private allocations - based on RFC2407/IANA assignment */
|
/* private allocations - based on RFC2407/IANA assignment */
|
||||||
|
@ -74,10 +74,10 @@
|
|||||||
#endif /* INET6 */
|
#endif /* INET6 */
|
||||||
|
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <security/mac/mac_framework.h>
|
#include <security/mac/mac_framework.h>
|
||||||
|
|
||||||
@ -193,11 +193,11 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
|
|||||||
SOCK_UNLOCK(so);
|
SOCK_UNLOCK(so);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
error = ipsec_init_policy(so, &inp->inp_sp);
|
error = ipsec_init_policy(so, &inp->inp_sp);
|
||||||
if (error != 0)
|
if (error != 0)
|
||||||
goto out;
|
goto out;
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
if (INP_SOCKAF(so) == AF_INET6) {
|
if (INP_SOCKAF(so) == AF_INET6) {
|
||||||
inp->inp_vflag |= INP_IPV6PROTO;
|
inp->inp_vflag |= INP_IPV6PROTO;
|
||||||
@ -215,7 +215,7 @@ in_pcballoc(struct socket *so, struct inpcbinfo *pcbinfo)
|
|||||||
INP_LOCK(inp);
|
INP_LOCK(inp);
|
||||||
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
|
inp->inp_gencnt = ++pcbinfo->ipi_gencnt;
|
||||||
|
|
||||||
#if defined(FAST_IPSEC) || defined(MAC)
|
#if defined(IPSEC) || defined(MAC)
|
||||||
out:
|
out:
|
||||||
if (error != 0)
|
if (error != 0)
|
||||||
uma_zfree(pcbinfo->ipi_zone, inp);
|
uma_zfree(pcbinfo->ipi_zone, inp);
|
||||||
@ -711,9 +711,9 @@ in_pcbfree(struct inpcb *inp)
|
|||||||
INP_INFO_WLOCK_ASSERT(ipi);
|
INP_INFO_WLOCK_ASSERT(ipi);
|
||||||
INP_LOCK_ASSERT(inp);
|
INP_LOCK_ASSERT(inp);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
ipsec4_delete_pcbpolicy(inp);
|
ipsec4_delete_pcbpolicy(inp);
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
inp->inp_gencnt = ++ipi->ipi_gencnt;
|
inp->inp_gencnt = ++ipi->ipi_gencnt;
|
||||||
in_pcbremlists(inp);
|
in_pcbremlists(inp);
|
||||||
if (inp->inp_options)
|
if (inp->inp_options)
|
||||||
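Review bot: The `goto out` taken when `ipsec_init_policy(so, &inp->inp_sp)` fails in in_pcballoc() lands on an error path that, as far as these hunks show, only does `uma_zfree(pcbinfo->ipi_zone, inp)`. The `SOCK_UNLOCK(so);` / `#endif` just above the IPSEC block, together with the `#if defined(IPSEC) || defined(MAC)` around `out:`, suggests a MAC block has already attached state to `inp` by then. If so, that state is not released when the IPsec policy setup fails. Now that `options IPSEC` is the mainstream switch, this combination will be built more often, so the error path should be confirmed to undo the earlier initialisation, or a comment at `out:` should say why that is unnecessary. The function starts and ends outside the hunks, so this is inferred from the visible fragments only.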
|
@ -69,9 +69,9 @@
|
|||||||
|
|
||||||
static struct pr_usrreqs nousrreqs;
|
static struct pr_usrreqs nousrreqs;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#ifdef SCTP
|
#ifdef SCTP
|
||||||
#include <netinet/in_pcb.h>
|
#include <netinet/in_pcb.h>
|
||||||
@ -210,7 +210,7 @@ struct protosw inetsw[] = {
|
|||||||
.pr_ctloutput = rip_ctloutput,
|
.pr_ctloutput = rip_ctloutput,
|
||||||
.pr_usrreqs = &rip_usrreqs
|
.pr_usrreqs = &rip_usrreqs
|
||||||
},
|
},
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
{
|
{
|
||||||
.pr_type = SOCK_RAW,
|
.pr_type = SOCK_RAW,
|
||||||
.pr_domain = &inetdomain,
|
.pr_domain = &inetdomain,
|
||||||
@ -237,7 +237,7 @@ struct protosw inetsw[] = {
|
|||||||
.pr_input = ipcomp4_input,
|
.pr_input = ipcomp4_input,
|
||||||
.pr_usrreqs = &nousrreqs
|
.pr_usrreqs = &nousrreqs
|
||||||
},
|
},
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
{
|
{
|
||||||
.pr_type = SOCK_RAW,
|
.pr_type = SOCK_RAW,
|
||||||
.pr_domain = &inetdomain,
|
.pr_domain = &inetdomain,
|
||||||
@ -368,14 +368,14 @@ SYSCTL_NODE(_net_inet, IPPROTO_TCP, tcp, CTLFLAG_RW, 0, "TCP");
|
|||||||
SYSCTL_NODE(_net_inet, IPPROTO_SCTP, sctp, CTLFLAG_RW, 0, "SCTP");
|
SYSCTL_NODE(_net_inet, IPPROTO_SCTP, sctp, CTLFLAG_RW, 0, "SCTP");
|
||||||
#endif
|
#endif
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP");
|
SYSCTL_NODE(_net_inet, IPPROTO_IGMP, igmp, CTLFLAG_RW, 0, "IGMP");
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* XXX no protocol # to use, pick something "reserved" */
|
/* XXX no protocol # to use, pick something "reserved" */
|
||||||
SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC");
|
SYSCTL_NODE(_net_inet, 253, ipsec, CTLFLAG_RW, 0, "IPSEC");
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
|
SYSCTL_NODE(_net_inet, IPPROTO_AH, ah, CTLFLAG_RW, 0, "AH");
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
|
SYSCTL_NODE(_net_inet, IPPROTO_ESP, esp, CTLFLAG_RW, 0, "ESP");
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
|
SYSCTL_NODE(_net_inet, IPPROTO_IPCOMP, ipcomp, CTLFLAG_RW, 0, "IPCOMP");
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
|
SYSCTL_NODE(_net_inet, IPPROTO_IPIP, ipip, CTLFLAG_RW, 0, "IPIP");
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
|
SYSCTL_NODE(_net_inet, IPPROTO_RAW, raw, CTLFLAG_RW, 0, "RAW");
|
||||||
#ifdef DEV_PFSYNC
|
#ifdef DEV_PFSYNC
|
||||||
SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC");
|
SYSCTL_NODE(_net_inet, IPPROTO_PFSYNC, pfsync, CTLFLAG_RW, 0, "PFSYNC");
|
||||||
|
@ -3143,7 +3143,7 @@ do { \
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case O_IPSEC:
|
case O_IPSEC:
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
match = (m_tag_find(m,
|
match = (m_tag_find(m,
|
||||||
PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
|
PACKET_TAG_IPSEC_IN_DONE, NULL) != NULL);
|
||||||
#endif
|
#endif
|
||||||
|
@ -59,7 +59,7 @@
|
|||||||
#include <netinet/tcpip.h>
|
#include <netinet/tcpip.h>
|
||||||
#include <netinet/icmp_var.h>
|
#include <netinet/icmp_var.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif
|
#endif
|
||||||
@ -579,7 +579,7 @@ icmp_input(struct mbuf *m, int off)
|
|||||||
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
|
(struct sockaddr *)0, RTF_GATEWAY | RTF_HOST,
|
||||||
(struct sockaddr *)&icmpgw);
|
(struct sockaddr *)&icmpgw);
|
||||||
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
|
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&icmpsrc);
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
key_sa_routechange((struct sockaddr *)&icmpsrc);
|
key_sa_routechange((struct sockaddr *)&icmpsrc);
|
||||||
#endif
|
#endif
|
||||||
break;
|
break;
|
||||||
|
@ -70,9 +70,9 @@
|
|||||||
#ifdef DEV_CARP
|
#ifdef DEV_CARP
|
||||||
#include <netinet/ip_carp.h>
|
#include <netinet/ip_carp.h>
|
||||||
#endif
|
#endif
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netinet/ip_ipsec.h>
|
#include <netinet/ip_ipsec.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <sys/socketvar.h>
|
#include <sys/socketvar.h>
|
||||||
|
|
||||||
@ -391,13 +391,13 @@ ip_input(struct mbuf *m)
|
|||||||
} else
|
} else
|
||||||
m_adj(m, ip->ip_len - m->m_pkthdr.len);
|
m_adj(m, ip->ip_len - m->m_pkthdr.len);
|
||||||
}
|
}
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Bypass packet filtering for packets from a tunnel (gif).
|
* Bypass packet filtering for packets from a tunnel (gif).
|
||||||
*/
|
*/
|
||||||
if (ip_ipsec_filtergif(m))
|
if (ip_ipsec_filtergif(m))
|
||||||
goto passin;
|
goto passin;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Run through list of hooks for input packets.
|
* Run through list of hooks for input packets.
|
||||||
@ -601,10 +601,10 @@ ip_input(struct mbuf *m)
|
|||||||
ipstat.ips_cantforward++;
|
ipstat.ips_cantforward++;
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
} else {
|
} else {
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
if (ip_ipsec_fwd(m))
|
if (ip_ipsec_fwd(m))
|
||||||
goto bad;
|
goto bad;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
ip_forward(m, dchg);
|
ip_forward(m, dchg);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
@ -645,7 +645,7 @@ ip_input(struct mbuf *m)
|
|||||||
*/
|
*/
|
||||||
ip->ip_len -= hlen;
|
ip->ip_len -= hlen;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* enforce IPsec policy checking if we are seeing last header.
|
* enforce IPsec policy checking if we are seeing last header.
|
||||||
* note that we do not visit this with protocols with pcb layer
|
* note that we do not visit this with protocols with pcb layer
|
||||||
@ -653,7 +653,7 @@ ip_input(struct mbuf *m)
|
|||||||
*/
|
*/
|
||||||
if (ip_ipsec_input(m))
|
if (ip_ipsec_input(m))
|
||||||
goto bad;
|
goto bad;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Switch out to protocol's input routine.
|
* Switch out to protocol's input routine.
|
||||||
@ -1390,9 +1390,9 @@ ip_forward(struct mbuf *m, int srcrt)
|
|||||||
type = ICMP_UNREACH;
|
type = ICMP_UNREACH;
|
||||||
code = ICMP_UNREACH_NEEDFRAG;
|
code = ICMP_UNREACH_NEEDFRAG;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
mtu = ip_ipsec_mtu(m);
|
mtu = ip_ipsec_mtu(m);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
/*
|
/*
|
||||||
* If the MTU wasn't set before use the interface mtu or
|
* If the MTU wasn't set before use the interface mtu or
|
||||||
* fall back to the next smaller mtu step compared to the
|
* fall back to the next smaller mtu step compared to the
|
||||||
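Review bot: The comment above `if (ip_ipsec_filtergif(m)) goto passin;` in ip_input() presents the packet-filter bypass for tunnel traffic as unconditional, but the helper changed elsewhere in this commit is guarded by `#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)`. The bypass is therefore a build-time default that IPSEC_FILTERGIF turns off. Since `options IPSEC` now selects this path, the call site should say so, e.g. `* Bypass packet filtering for packets from a tunnel (gif) unless the kernel is built with IPSEC_FILTERGIF.` Anyone auditing a firewall ruleset on such a host needs to know that these packets skip the pfil hooks by default. ip_input() begins and ends outside these hunks.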
|
@ -55,11 +55,11 @@
|
|||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/xform.h>
|
#include <netipsec/xform.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
extern struct protosw inetsw[];
|
extern struct protosw inetsw[];
|
||||||
|
|
||||||
@ -71,7 +71,7 @@ extern struct protosw inetsw[];
|
|||||||
int
|
int
|
||||||
ip_ipsec_filtergif(struct mbuf *m)
|
ip_ipsec_filtergif(struct mbuf *m)
|
||||||
{
|
{
|
||||||
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
|
#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
|
||||||
/*
|
/*
|
||||||
* Bypass packet filtering for packets from a tunnel (gif).
|
* Bypass packet filtering for packets from a tunnel (gif).
|
||||||
*/
|
*/
|
||||||
@ -90,7 +90,7 @@ ip_ipsec_filtergif(struct mbuf *m)
|
|||||||
int
|
int
|
||||||
ip_ipsec_fwd(struct mbuf *m)
|
ip_ipsec_fwd(struct mbuf *m)
|
||||||
{
|
{
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct m_tag *mtag;
|
struct m_tag *mtag;
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
struct secpolicy *sp;
|
struct secpolicy *sp;
|
||||||
@ -122,7 +122,7 @@ ip_ipsec_fwd(struct mbuf *m)
|
|||||||
ipstat.ips_cantforward++;
|
ipstat.ips_cantforward++;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -137,7 +137,7 @@ int
|
|||||||
ip_ipsec_input(struct mbuf *m)
|
ip_ipsec_input(struct mbuf *m)
|
||||||
{
|
{
|
||||||
struct ip *ip = mtod(m, struct ip *);
|
struct ip *ip = mtod(m, struct ip *);
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct m_tag *mtag;
|
struct m_tag *mtag;
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
struct secpolicy *sp;
|
struct secpolicy *sp;
|
||||||
@ -179,7 +179,7 @@ ip_ipsec_input(struct mbuf *m)
|
|||||||
if (error)
|
if (error)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -237,14 +237,14 @@ ip_ipsec_mtu(struct mbuf *m)
|
|||||||
*
|
*
|
||||||
* Called from ip_output().
|
* Called from ip_output().
|
||||||
* 1 = drop packet, 0 = continue processing packet,
|
* 1 = drop packet, 0 = continue processing packet,
|
||||||
* -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
|
* -1 = packet was reinjected and stop processing packet
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
||||||
struct route **ro, struct route *iproute, struct sockaddr_in **dst,
|
struct route **ro, struct route *iproute, struct sockaddr_in **dst,
|
||||||
struct in_ifaddr **ia, struct ifnet **ifp)
|
struct in_ifaddr **ia, struct ifnet **ifp)
|
||||||
{
|
{
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct secpolicy *sp = NULL;
|
struct secpolicy *sp = NULL;
|
||||||
struct ip *ip = mtod(*m, struct ip *);
|
struct ip *ip = mtod(*m, struct ip *);
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
@ -381,6 +381,6 @@ ip_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
|||||||
if (sp != NULL)
|
if (sp != NULL)
|
||||||
KEY_FREESP(&sp);
|
KEY_FREESP(&sp);
|
||||||
return 1;
|
return 1;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
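Review bot: The `#ifdef IPSEC` guards inside ip_ipsec_fwd(), ip_ipsec_input() and ip_ipsec_output() look redundant after this change. The build rule shown earlier in the commit is `netinet/ip_ipsec.c optional ipsec` (presumably this file), and the callers visible in ip_input() and ip_output() are themselves under `#ifdef IPSEC`. What is left outside the guards is a bare `return 0;`, documented as "continue processing packet", so a build of this file without the option would let every packet past the policy checks without any diagnostic. Either drop the inner guards or put a comment such as `/* built without IPSEC: no policy to enforce, accept */` before each trailing `return 0;` so the fail-open behaviour is explicit. The function bodies are only partly visible in these hunks.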
|
@ -59,10 +59,10 @@
|
|||||||
#include <netinet/ip_var.h>
|
#include <netinet/ip_var.h>
|
||||||
#include <netinet/ip_options.h>
|
#include <netinet/ip_options.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netinet/ip_ipsec.h>
|
#include <netinet/ip_ipsec.h>
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#endif /* FAST_IPSEC*/
|
#endif /* IPSEC*/
|
||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
@ -412,7 +412,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
|
|||||||
}
|
}
|
||||||
|
|
||||||
sendit:
|
sendit:
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {
|
switch(ip_ipsec_output(&m, inp, &flags, &error, &ro, &iproute, &dst, &ia, &ifp)) {
|
||||||
case 1:
|
case 1:
|
||||||
goto bad;
|
goto bad;
|
||||||
@ -425,7 +425,7 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
|
|||||||
/* Update variables that are affected by ipsec4_output(). */
|
/* Update variables that are affected by ipsec4_output(). */
|
||||||
ip = mtod(m, struct ip *);
|
ip = mtod(m, struct ip *);
|
||||||
hlen = ip->ip_hl << 2;
|
hlen = ip->ip_hl << 2;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/* Jump over all PFIL processing if hooks are not active. */
|
/* Jump over all PFIL processing if hooks are not active. */
|
||||||
if (!PFIL_HOOKED(&inet_pfil_hook))
|
if (!PFIL_HOOKED(&inet_pfil_hook))
|
||||||
@ -966,7 +966,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
|
|||||||
INP_UNLOCK(inp);
|
INP_UNLOCK(inp);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
case IP_IPSEC_POLICY:
|
case IP_IPSEC_POLICY:
|
||||||
{
|
{
|
||||||
caddr_t req;
|
caddr_t req;
|
||||||
@ -1000,7 +1000,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
error = ENOPROTOOPT;
|
error = ENOPROTOOPT;
|
||||||
@ -1104,7 +1104,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
|
|||||||
error = inp_getmoptions(inp, sopt);
|
error = inp_getmoptions(inp, sopt);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
case IP_IPSEC_POLICY:
|
case IP_IPSEC_POLICY:
|
||||||
{
|
{
|
||||||
struct mbuf *m = NULL;
|
struct mbuf *m = NULL;
|
||||||
@ -1122,7 +1122,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
error = ENOPROTOOPT;
|
error = ENOPROTOOPT;
|
||||||
|
@ -66,9 +66,9 @@
|
|||||||
#include <netinet/ip_fw.h>
|
#include <netinet/ip_fw.h>
|
||||||
#include <netinet/ip_dummynet.h>
|
#include <netinet/ip_dummynet.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <security/mac/mac_framework.h>
|
#include <security/mac/mac_framework.h>
|
||||||
|
|
||||||
@ -155,12 +155,12 @@ raw_append(struct inpcb *last, struct ip *ip, struct mbuf *n)
|
|||||||
|
|
||||||
INP_LOCK_ASSERT(last);
|
INP_LOCK_ASSERT(last);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* check AH/ESP integrity. */
|
/* check AH/ESP integrity. */
|
||||||
if (ipsec4_in_reject(n, last)) {
|
if (ipsec4_in_reject(n, last)) {
|
||||||
policyfail = 1;
|
policyfail = 1;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
#ifdef MAC
|
#ifdef MAC
|
||||||
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
|
if (!policyfail && mac_check_inpcb_deliver(last, n) != 0)
|
||||||
policyfail = 1;
|
policyfail = 1;
|
||||||
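Review bot: In the `raw_append` hunk, the `ipsec4_in_reject(n, last)` branch only sets `policyfail = 1` and never bumps a policy-violation counter, while the `udp_append` and `tcp_input` hunks of this same commit do `ipsec4stat.in_polvio++` at the equivalent call site. With this code now the only IPsec path, inbound policy rejections on raw sockets would not show up in the IPsec statistics unless `ipsec4_in_reject()` counts them itself, which is not visible here. If it does not, add `ipsec4stat.in_polvio++;` next to `policyfail = 1;`; if it does, the UDP and TCP call sites are counting twice and are the ones to change. The rest of `raw_append` lies outside the hunk.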
|
@ -4927,7 +4927,7 @@ sctp_input(i_pak, off)
|
|||||||
} else if (stcb == NULL) {
|
} else if (stcb == NULL) {
|
||||||
refcount_up = 1;
|
refcount_up = 1;
|
||||||
}
|
}
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* I very much doubt any of the IPSEC stuff will work but I have no
|
* I very much doubt any of the IPSEC stuff will work but I have no
|
||||||
* idea, so I will leave it in place.
|
* idea, so I will leave it in place.
|
||||||
|
@ -74,14 +74,14 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <netinet/icmp_var.h>
|
#include <netinet/icmp_var.h>
|
||||||
|
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /* IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
#include <sys/domain.h>
|
#include <sys/domain.h>
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif
|
#endif
|
||||||
#include <netinet/ip6.h>
|
#include <netinet/ip6.h>
|
||||||
|
@ -1807,7 +1807,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
|
|||||||
inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
|
inp->partial_delivery_point = SCTP_SB_LIMIT_RCV(so) >> SCTP_PARTIAL_DELIVERY_SHIFT;
|
||||||
inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT;
|
inp->sctp_frag_point = SCTP_DEFAULT_MAXSEGMENT;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
{
|
{
|
||||||
struct inpcbpolicy *pcb_sp = NULL;
|
struct inpcbpolicy *pcb_sp = NULL;
|
||||||
|
|
||||||
@ -1821,7 +1821,7 @@ sctp_inpcb_alloc(struct socket *so, uint32_t vrf_id)
|
|||||||
SCTP_INP_INFO_WUNLOCK();
|
SCTP_INP_INFO_WUNLOCK();
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
SCTP_INCR_EP_COUNT();
|
SCTP_INCR_EP_COUNT();
|
||||||
inp->ip_inp.inp.inp_ip_ttl = ip_defttl;
|
inp->ip_inp.inp.inp_ip_ttl = ip_defttl;
|
||||||
SCTP_INP_INFO_WUNLOCK();
|
SCTP_INP_INFO_WUNLOCK();
|
||||||
@ -2833,9 +2833,9 @@ sctp_inpcb_free(struct sctp_inpcb *inp, int immediate, int from)
|
|||||||
*/
|
*/
|
||||||
cnt = 0;
|
cnt = 0;
|
||||||
if (so) {
|
if (so) {
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
ipsec4_delete_pcbpolicy(ip_pcb);
|
ipsec4_delete_pcbpolicy(ip_pcb);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/* Unlocks not needed since the socket is gone now */
|
/* Unlocks not needed since the socket is gone now */
|
||||||
}
|
}
|
||||||
|
@ -485,7 +485,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
|
|||||||
int error;
|
int error;
|
||||||
uint32_t vrf_id = SCTP_DEFAULT_VRFID;
|
uint32_t vrf_id = SCTP_DEFAULT_VRFID;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
uint32_t flags;
|
uint32_t flags;
|
||||||
#endif
|
#endif
|
||||||
inp = (struct sctp_inpcb *)so->so_pcb;
|
inp = (struct sctp_inpcb *)so->so_pcb;
|
||||||
@ -508,7 +508,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
|
|||||||
ip_inp->inp_vflag |= INP_IPV4;
|
ip_inp->inp_vflag |= INP_IPV4;
|
||||||
ip_inp->inp_ip_ttl = ip_defttl;
|
ip_inp->inp_ip_ttl = ip_defttl;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
error = ipsec_init_policy(so, &ip_inp->inp_sp);
|
error = ipsec_init_policy(so, &ip_inp->inp_sp);
|
||||||
#ifdef SCTP_LOG_CLOSING
|
#ifdef SCTP_LOG_CLOSING
|
||||||
sctp_log_closing(inp, NULL, 17);
|
sctp_log_closing(inp, NULL, 17);
|
||||||
@ -528,7 +528,7 @@ sctp_attach(struct socket *so, int proto, struct thread *p)
|
|||||||
}
|
}
|
||||||
return error;
|
return error;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
SCTP_INP_WUNLOCK(inp);
|
SCTP_INP_WUNLOCK(inp);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -82,10 +82,10 @@
|
|||||||
#include <netinet/tcp_debug.h>
|
#include <netinet/tcp_debug.h>
|
||||||
#endif /* TCPDEBUG */
|
#endif /* TCPDEBUG */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
@ -445,7 +445,7 @@ tcp_input(struct mbuf *m, int off0)
|
|||||||
m->m_pkthdr.rcvif);
|
m->m_pkthdr.rcvif);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) {
|
if (isipv6 && inp != NULL && ipsec6_in_reject(m, inp)) {
|
||||||
ipsec6stat.in_polvio++;
|
ipsec6stat.in_polvio++;
|
||||||
@ -456,7 +456,7 @@ tcp_input(struct mbuf *m, int off0)
|
|||||||
ipsec4stat.in_polvio++;
|
ipsec4stat.in_polvio++;
|
||||||
goto dropunlock;
|
goto dropunlock;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If the INPCB does not exist then all data in the incoming
|
* If the INPCB does not exist then all data in the incoming
|
||||||
|
@ -72,9 +72,9 @@
|
|||||||
#include <netinet/tcp_debug.h>
|
#include <netinet/tcp_debug.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
@ -695,7 +695,7 @@ tcp_output(struct tcpcb *tp)
|
|||||||
offsetof(struct ipoption, ipopt_list);
|
offsetof(struct ipoption, ipopt_list);
|
||||||
else
|
else
|
||||||
ipoptlen = 0;
|
ipoptlen = 0;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
ipoptlen += ipsec_hdrsiz_tcp(tp);
|
ipoptlen += ipsec_hdrsiz_tcp(tp);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -91,14 +91,14 @@
|
|||||||
#endif
|
#endif
|
||||||
#include <netinet6/ip6protosw.h>
|
#include <netinet6/ip6protosw.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/xform.h>
|
#include <netipsec/xform.h>
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif
|
#endif
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
#include <sys/md5.h>
|
#include <sys/md5.h>
|
||||||
@ -1634,7 +1634,7 @@ tcp_maxmtu6(struct in_conninfo *inc, int *flags)
|
|||||||
}
|
}
|
||||||
#endif /* INET6 */
|
#endif /* INET6 */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* compute ESP/AH header size for TCP, including outer IP header. */
|
/* compute ESP/AH header size for TCP, including outer IP header. */
|
||||||
size_t
|
size_t
|
||||||
ipsec_hdrsiz_tcp(struct tcpcb *tp)
|
ipsec_hdrsiz_tcp(struct tcpcb *tp)
|
||||||
@ -1675,7 +1675,7 @@ ipsec_hdrsiz_tcp(struct tcpcb *tp)
|
|||||||
m_free(m);
|
m_free(m);
|
||||||
return (hdrsiz);
|
return (hdrsiz);
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
|
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
|
||||||
|
@ -80,13 +80,13 @@
|
|||||||
#include <netinet6/tcp6_var.h>
|
#include <netinet6/tcp6_var.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#ifdef INET6
|
#ifdef INET6
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif
|
#endif
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
@ -621,7 +621,7 @@ syncache_socket(struct syncache *sc, struct socket *lso, struct mbuf *m)
|
|||||||
inp->inp_lport = 0;
|
inp->inp_lport = 0;
|
||||||
goto abort;
|
goto abort;
|
||||||
}
|
}
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* Copy old policy into new socket's. */
|
/* Copy old policy into new socket's. */
|
||||||
if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
|
if (ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp))
|
||||||
printf("syncache_socket: could not copy policy\n");
|
printf("syncache_socket: could not copy policy\n");
|
||||||
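Review bot: In the `syncache_socket` hunk, a failed `ipsec_copy_policy(sotoinpcb(lso)->inp_sp, inp->inp_sp)` is only reported with `printf`, and as far as the visible lines show the function then carries on setting up the new socket. That is a fail-open: the accepted connection could run without the listening socket's per-socket IPsec policy. Consider handling it like the error branch just above, i.e. brace the body and follow the `printf("syncache_socket: could not copy policy\n");` with `goto abort;`, after checking what state the `abort` label expects to clean up. The remainder of the function is outside the hunk.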
|
@ -78,7 +78,7 @@
|
|||||||
#include <netinet/udp.h>
|
#include <netinet/udp.h>
|
||||||
#include <netinet/udp_var.h>
|
#include <netinet/udp_var.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -495,14 +495,14 @@ udp_append(struct inpcb *inp, struct ip *ip, struct mbuf *n, int off,
|
|||||||
|
|
||||||
INP_LOCK_ASSERT(inp);
|
INP_LOCK_ASSERT(inp);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* check AH/ESP integrity. */
|
/* check AH/ESP integrity. */
|
||||||
if (ipsec4_in_reject(n, inp)) {
|
if (ipsec4_in_reject(n, inp)) {
|
||||||
ipsec4stat.in_polvio++;
|
ipsec4stat.in_polvio++;
|
||||||
m_freem(n);
|
m_freem(n);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
#ifdef MAC
|
#ifdef MAC
|
||||||
if (mac_check_inpcb_deliver(inp, n) != 0) {
|
if (mac_check_inpcb_deliver(inp, n) != 0) {
|
||||||
m_freem(n);
|
m_freem(n);
|
||||||
|
@ -99,7 +99,7 @@
|
|||||||
#include <netinet6/mld6_var.h>
|
#include <netinet6/mld6_var.h>
|
||||||
#include <netinet6/nd6.h>
|
#include <netinet6/nd6.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif
|
#endif
|
||||||
@ -2417,9 +2417,9 @@ icmp6_redirect_input(m, off)
|
|||||||
sdst.sin6_len = sizeof(struct sockaddr_in6);
|
sdst.sin6_len = sizeof(struct sockaddr_in6);
|
||||||
bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
|
bcopy(&reddst6, &sdst.sin6_addr, sizeof(struct in6_addr));
|
||||||
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
|
pfctlinput(PRC_REDIRECT_HOST, (struct sockaddr *)&sdst);
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
key_sa_routechange((struct sockaddr *)&sdst);
|
key_sa_routechange((struct sockaddr *)&sdst);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
}
|
}
|
||||||
|
|
||||||
freeit:
|
freeit:
|
||||||
|
@ -409,9 +409,9 @@ struct route_in6 {
|
|||||||
#define IPV6_BINDV6ONLY IPV6_V6ONLY
|
#define IPV6_BINDV6ONLY IPV6_V6ONLY
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */
|
#define IPV6_IPSEC_POLICY 28 /* struct; get/set security policy */
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */
|
#define IPV6_FAITH 29 /* bool; accept FAITH'ed connections */
|
||||||
|
|
||||||
|
@ -99,11 +99,11 @@
|
|||||||
#include <netinet6/in6_pcb.h>
|
#include <netinet6/in6_pcb.h>
|
||||||
#include <netinet6/scope6_var.h>
|
#include <netinet6/scope6_var.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
struct in6_addr zeroin6_addr;
|
struct in6_addr zeroin6_addr;
|
||||||
|
|
||||||
@ -427,10 +427,10 @@ in6_pcbfree(struct inpcb *inp)
|
|||||||
INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
|
INP_INFO_WLOCK_ASSERT(inp->inp_pcbinfo);
|
||||||
INP_LOCK_ASSERT(inp);
|
INP_LOCK_ASSERT(inp);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
if (inp->in6p_sp != NULL)
|
if (inp->in6p_sp != NULL)
|
||||||
ipsec6_delete_pcbpolicy(inp);
|
ipsec6_delete_pcbpolicy(inp);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
inp->inp_gencnt = ++ipi->ipi_gencnt;
|
inp->inp_gencnt = ++ipi->ipi_gencnt;
|
||||||
in_pcbremlists(inp);
|
in_pcbremlists(inp);
|
||||||
ip6_freepcbopts(inp->in6p_outputopts);
|
ip6_freepcbopts(inp->in6p_outputopts);
|
||||||
|
@ -115,10 +115,10 @@
|
|||||||
#include <netinet6/sctp6_var.h>
|
#include <netinet6/sctp6_var.h>
|
||||||
#endif /* SCTP */
|
#endif /* SCTP */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <netinet6/ip6protosw.h>
|
#include <netinet6/ip6protosw.h>
|
||||||
|
|
||||||
@ -252,7 +252,7 @@ struct ip6protosw inet6sw[] = {
|
|||||||
.pr_input = frag6_input,
|
.pr_input = frag6_input,
|
||||||
.pr_usrreqs = &nousrreqs
|
.pr_usrreqs = &nousrreqs
|
||||||
},
|
},
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
{
|
{
|
||||||
.pr_type = SOCK_RAW,
|
.pr_type = SOCK_RAW,
|
||||||
.pr_domain = &inet6domain,
|
.pr_domain = &inet6domain,
|
||||||
@ -278,7 +278,7 @@ struct ip6protosw inet6sw[] = {
|
|||||||
.pr_input = ipsec6_common_input,
|
.pr_input = ipsec6_common_input,
|
||||||
.pr_usrreqs = &nousrreqs,
|
.pr_usrreqs = &nousrreqs,
|
||||||
},
|
},
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
#ifdef INET
|
#ifdef INET
|
||||||
{
|
{
|
||||||
.pr_type = SOCK_RAW,
|
.pr_type = SOCK_RAW,
|
||||||
@ -438,9 +438,9 @@ SYSCTL_NODE(_net_inet6, IPPROTO_TCP, tcp6, CTLFLAG_RW, 0, "TCP6");
|
|||||||
#ifdef SCTP
|
#ifdef SCTP
|
||||||
SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6");
|
SYSCTL_NODE(_net_inet6, IPPROTO_SCTP, sctp6, CTLFLAG_RW, 0, "SCTP6");
|
||||||
#endif
|
#endif
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
|
SYSCTL_NODE(_net_inet6, IPPROTO_ESP, ipsec6, CTLFLAG_RW, 0, "IPSEC6");
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/* net.inet6.ip6 */
|
/* net.inet6.ip6 */
|
||||||
static int
|
static int
|
||||||
|
@ -65,11 +65,11 @@
|
|||||||
|
|
||||||
#include <netinet/in_pcb.h>
|
#include <netinet/in_pcb.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <netinet6/ip6protosw.h>
|
#include <netinet6/ip6protosw.h>
|
||||||
|
|
||||||
@ -101,7 +101,7 @@ ip6_forward(m, srcrt)
|
|||||||
struct ifnet *origifp; /* maybe unnecessary */
|
struct ifnet *origifp; /* maybe unnecessary */
|
||||||
u_int32_t inzone, outzone;
|
u_int32_t inzone, outzone;
|
||||||
struct in6_addr src_in6, dst_in6;
|
struct in6_addr src_in6, dst_in6;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct secpolicy *sp = NULL;
|
struct secpolicy *sp = NULL;
|
||||||
int ipsecrt = 0;
|
int ipsecrt = 0;
|
||||||
#endif
|
#endif
|
||||||
@ -109,7 +109,7 @@ ip6_forward(m, srcrt)
|
|||||||
|
|
||||||
GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */
|
GIANT_REQUIRED; /* XXX bz: ip6_forward_rt */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Check AH/ESP integrity.
|
* Check AH/ESP integrity.
|
||||||
*/
|
*/
|
||||||
@ -122,7 +122,7 @@ ip6_forward(m, srcrt)
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Do not forward packets to multicast destination (should be handled
|
* Do not forward packets to multicast destination (should be handled
|
||||||
@ -175,7 +175,7 @@ ip6_forward(m, srcrt)
|
|||||||
*/
|
*/
|
||||||
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
|
mcopy = m_copy(m, 0, imin(m->m_pkthdr.len, ICMPV6_PLD_MAXLEN));
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/* get a security policy for this packet */
|
/* get a security policy for this packet */
|
||||||
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
|
sp = ipsec_getpolicybyaddr(m, IPSEC_DIR_OUTBOUND,
|
||||||
IP_FORWARDING, &error);
|
IP_FORWARDING, &error);
|
||||||
@ -346,9 +346,9 @@ ip6_forward(m, srcrt)
|
|||||||
ipsecrt = 1;
|
ipsecrt = 1;
|
||||||
}
|
}
|
||||||
skip_ipsec:
|
skip_ipsec:
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
if (ipsecrt)
|
if (ipsecrt)
|
||||||
goto skip_routing;
|
goto skip_routing;
|
||||||
#endif
|
#endif
|
||||||
@ -401,7 +401,7 @@ ip6_forward(m, srcrt)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
rt = ip6_forward_rt.ro_rt;
|
rt = ip6_forward_rt.ro_rt;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
skip_routing:;
|
skip_routing:;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -429,7 +429,7 @@ ip6_forward(m, srcrt)
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if (inzone != outzone
|
if (inzone != outzone
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
&& !ipsecrt
|
&& !ipsecrt
|
||||||
#endif
|
#endif
|
||||||
) {
|
) {
|
||||||
@ -475,14 +475,14 @@ ip6_forward(m, srcrt)
|
|||||||
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
|
in6_ifstat_inc(rt->rt_ifp, ifs6_in_toobig);
|
||||||
if (mcopy) {
|
if (mcopy) {
|
||||||
u_long mtu;
|
u_long mtu;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct secpolicy *sp;
|
struct secpolicy *sp;
|
||||||
int ipsecerror;
|
int ipsecerror;
|
||||||
size_t ipsechdrsiz;
|
size_t ipsechdrsiz;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
mtu = IN6_LINKMTU(rt->rt_ifp);
|
mtu = IN6_LINKMTU(rt->rt_ifp);
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* When we do IPsec tunnel ingress, we need to play
|
* When we do IPsec tunnel ingress, we need to play
|
||||||
* with the link value (decrement IPsec header size
|
* with the link value (decrement IPsec header size
|
||||||
@ -505,7 +505,7 @@ ip6_forward(m, srcrt)
|
|||||||
*/
|
*/
|
||||||
if (mtu < IPV6_MMTU)
|
if (mtu < IPV6_MMTU)
|
||||||
mtu = IPV6_MMTU;
|
mtu = IPV6_MMTU;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
|
icmp6_error(mcopy, ICMP6_PACKET_TOO_BIG, 0, mtu);
|
||||||
}
|
}
|
||||||
m_freem(m);
|
m_freem(m);
|
||||||
@ -525,9 +525,9 @@ ip6_forward(m, srcrt)
|
|||||||
* modified by a redirect.
|
* modified by a redirect.
|
||||||
*/
|
*/
|
||||||
if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
|
if (ip6_sendredirects && rt->rt_ifp == m->m_pkthdr.rcvif && !srcrt &&
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
!ipsecrt &&
|
!ipsecrt &&
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
|
(rt->rt_flags & (RTF_DYNAMIC|RTF_MODIFIED)) == 0) {
|
||||||
if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
|
if ((rt->rt_ifp->if_flags & IFF_POINTOPOINT) != 0) {
|
||||||
/*
|
/*
|
||||||
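Review bot: The hunk at line 475 of `ip6_forward` declares `struct secpolicy *sp;` inside the `if (mcopy) {` block, which shadows the function-level `struct secpolicy *sp = NULL;` shown in the hunk at line 101 of the same file. The outer pointer receives the reference returned by `ipsec_getpolicybyaddr()`, so two variables with one name make it easy to `KEY_FREESP` the wrong one or to leak a reference when this code is next edited. Renaming the inner declaration, for example `struct secpolicy *mtu_sp;`, or reusing the outer variable would remove the ambiguity. The uses of the inner variable are outside the visible lines, so check them before choosing.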
|
@ -101,11 +101,11 @@
|
|||||||
#include <netinet6/in6_ifattach.h>
|
#include <netinet6/in6_ifattach.h>
|
||||||
#include <netinet6/nd6.h>
|
#include <netinet6/nd6.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netinet6/ip6_ipsec.h>
|
#include <netinet6/ip6_ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <netinet6/ip6protosw.h>
|
#include <netinet6/ip6protosw.h>
|
||||||
|
|
||||||
@ -224,7 +224,7 @@ ip6_input(m)
|
|||||||
|
|
||||||
GIANT_REQUIRED; /* XXX for now */
|
GIANT_REQUIRED; /* XXX for now */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* should the inner packet be considered authentic?
|
* should the inner packet be considered authentic?
|
||||||
* see comment in ah4_input().
|
* see comment in ah4_input().
|
||||||
@ -234,7 +234,7 @@ ip6_input(m)
|
|||||||
m->m_flags &= ~M_AUTHIPHDR;
|
m->m_flags &= ~M_AUTHIPHDR;
|
||||||
m->m_flags &= ~M_AUTHIPDGM;
|
m->m_flags &= ~M_AUTHIPDGM;
|
||||||
|
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* make sure we don't have onion peering information into m_tag.
|
* make sure we don't have onion peering information into m_tag.
|
||||||
@ -761,7 +761,7 @@ ip6_input(m)
|
|||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* enforce IPsec policy checking if we are seeing last header.
|
* enforce IPsec policy checking if we are seeing last header.
|
||||||
* note that we do not visit this with protocols with pcb layer
|
* note that we do not visit this with protocols with pcb layer
|
||||||
@ -769,7 +769,7 @@ ip6_input(m)
|
|||||||
*/
|
*/
|
||||||
if (ip6_ipsec_input(m, nxt))
|
if (ip6_ipsec_input(m, nxt))
|
||||||
goto bad;
|
goto bad;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
|
nxt = (*inet6sw[ip6_protox[nxt]].pr_input)(&m, &off, nxt);
|
||||||
}
|
}
|
||||||
return;
|
return;
|
||||||
|
@ -55,7 +55,7 @@
|
|||||||
|
|
||||||
#include <machine/in_cksum.h>
|
#include <machine/in_cksum.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#include <netipsec/xform.h>
|
#include <netipsec/xform.h>
|
||||||
@ -65,7 +65,7 @@
|
|||||||
#else
|
#else
|
||||||
#define KEYDEBUG(lev,arg)
|
#define KEYDEBUG(lev,arg)
|
||||||
#endif
|
#endif
|
||||||
#endif /*FAST_IPSEC*/
|
#endif /*IPSEC*/
|
||||||
|
|
||||||
#include <netinet6/ip6_ipsec.h>
|
#include <netinet6/ip6_ipsec.h>
|
||||||
|
|
||||||
@ -79,7 +79,7 @@ extern struct protosw inet6sw[];
|
|||||||
int
|
int
|
||||||
ip6_ipsec_filtergif(struct mbuf *m)
|
ip6_ipsec_filtergif(struct mbuf *m)
|
||||||
{
|
{
|
||||||
#if defined(FAST_IPSEC) && !defined(IPSEC_FILTERGIF)
|
#if defined(IPSEC) && !defined(IPSEC_FILTERGIF)
|
||||||
/*
|
/*
|
||||||
* Bypass packet filtering for packets from a tunnel (gif).
|
* Bypass packet filtering for packets from a tunnel (gif).
|
||||||
*/
|
*/
|
||||||
@ -98,7 +98,7 @@ ip6_ipsec_filtergif(struct mbuf *m)
|
|||||||
int
|
int
|
||||||
ip6_ipsec_fwd(struct mbuf *m)
|
ip6_ipsec_fwd(struct mbuf *m)
|
||||||
{
|
{
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct m_tag *mtag;
|
struct m_tag *mtag;
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
struct secpolicy *sp;
|
struct secpolicy *sp;
|
||||||
@ -129,7 +129,7 @@ ip6_ipsec_fwd(struct mbuf *m)
|
|||||||
ipstat.ips_cantforward++;
|
ipstat.ips_cantforward++;
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,7 +144,7 @@ int
|
|||||||
ip6_ipsec_input(struct mbuf *m, int nxt)
|
ip6_ipsec_input(struct mbuf *m, int nxt)
|
||||||
|
|
||||||
{
|
{
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct m_tag *mtag;
|
struct m_tag *mtag;
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
struct secpolicy *sp;
|
struct secpolicy *sp;
|
||||||
@ -188,21 +188,21 @@ ip6_ipsec_input(struct mbuf *m, int nxt)
|
|||||||
if (error)
|
if (error)
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Called from ip6_output().
|
* Called from ip6_output().
|
||||||
* 1 = drop packet, 0 = continue processing packet,
|
* 1 = drop packet, 0 = continue processing packet,
|
||||||
* -1 = packet was reinjected and stop processing packet (FAST_IPSEC only)
|
* -1 = packet was reinjected and stop processing packet
|
||||||
*/
|
*/
|
||||||
|
|
||||||
int
|
int
|
||||||
ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
||||||
struct ifnet **ifp, struct secpolicy **sp)
|
struct ifnet **ifp, struct secpolicy **sp)
|
||||||
{
|
{
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct tdb_ident *tdbi;
|
struct tdb_ident *tdbi;
|
||||||
struct m_tag *mtag;
|
struct m_tag *mtag;
|
||||||
int s;
|
int s;
|
||||||
@ -309,7 +309,7 @@ ip6_ipsec_output(struct mbuf **m, struct inpcb *inp, int *flags, int *error,
|
|||||||
if (*sp != NULL)
|
if (*sp != NULL)
|
||||||
KEY_FREESP(sp);
|
KEY_FREESP(sp);
|
||||||
return 1;
|
return 1;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -332,12 +332,12 @@ ip6_ipsec_mtu(struct mbuf *m)
|
|||||||
int ipsecerror;
|
int ipsecerror;
|
||||||
int ipsechdr;
|
int ipsechdr;
|
||||||
struct route *ro;
|
struct route *ro;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
sp = ipsec_getpolicybyaddr(m,
|
sp = ipsec_getpolicybyaddr(m,
|
||||||
IPSEC_DIR_OUTBOUND,
|
IPSEC_DIR_OUTBOUND,
|
||||||
IP_FORWARDING,
|
IP_FORWARDING,
|
||||||
&ipsecerror);
|
&ipsecerror);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
if (sp != NULL) {
|
if (sp != NULL) {
|
||||||
/* count IPsec header size */
|
/* count IPsec header size */
|
||||||
ipsechdr = ipsec4_hdrsiz(m,
|
ipsechdr = ipsec4_hdrsiz(m,
|
||||||
@ -360,9 +360,9 @@ ip6_ipsec_mtu(struct mbuf *m)
|
|||||||
mtu -= ipsechdr;
|
mtu -= ipsechdr;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
KEY_FREESP(&sp);
|
KEY_FREESP(&sp);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
}
|
}
|
||||||
return mtu;
|
return mtu;
|
||||||
}
|
}
|
||||||
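Review bot: In the `ip6_ipsec_fwd` hunk the rejection path does `ipstat.ips_cantforward++`, which looks like the IPv4 statistics structure being updated from an IPv6 forwarding helper. IPv6 packets dropped by IPsec policy would then be counted against IPv4 and be missing from the IPv6 counters an operator checks; `ip6stat.ip6s_cantforward++;` appears to be the intended line. The `ip6_ipsec_mtu` hunk has what seems to be the same kind of leftover, calling `ipsec4_hdrsiz(m,` where `ipsec6_hdrsiz` would be expected, though its arguments are outside the hunk. Both functions extend beyond the visible lines, so confirm against the full file.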
|
@ -91,12 +91,12 @@
|
|||||||
#include <netinet/tcp_var.h>
|
#include <netinet/tcp_var.h>
|
||||||
#include <netinet6/nd6.h>
|
#include <netinet6/nd6.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#include <netipsec/key.h>
|
#include <netipsec/key.h>
|
||||||
#include <netinet6/ip6_ipsec.h>
|
#include <netinet6/ip6_ipsec.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <netinet6/ip6protosw.h>
|
#include <netinet6/ip6protosw.h>
|
||||||
#include <netinet6/scope6_var.h>
|
#include <netinet6/scope6_var.h>
|
||||||
@ -208,13 +208,13 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
|||||||
struct route_in6 *ro_pmtu = NULL;
|
struct route_in6 *ro_pmtu = NULL;
|
||||||
int hdrsplit = 0;
|
int hdrsplit = 0;
|
||||||
int needipsec = 0;
|
int needipsec = 0;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
struct ipsec_output_state state;
|
struct ipsec_output_state state;
|
||||||
struct ip6_rthdr *rh = NULL;
|
struct ip6_rthdr *rh = NULL;
|
||||||
int needipsectun = 0;
|
int needipsectun = 0;
|
||||||
int segleft_org = 0;
|
int segleft_org = 0;
|
||||||
struct secpolicy *sp = NULL;
|
struct secpolicy *sp = NULL;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
ip6 = mtod(m, struct ip6_hdr *);
|
ip6 = mtod(m, struct ip6_hdr *);
|
||||||
if (ip6 == NULL) {
|
if (ip6 == NULL) {
|
||||||
@ -253,7 +253,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
|||||||
* IPSec checking which handles several cases.
|
* IPSec checking which handles several cases.
|
||||||
* FAST IPSEC: We re-injected the packet.
|
* FAST IPSEC: We re-injected the packet.
|
||||||
*/
|
*/
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp))
|
switch(ip6_ipsec_output(&m, inp, &flags, &error, &ifp, &sp))
|
||||||
{
|
{
|
||||||
case 1: /* Bad packet */
|
case 1: /* Bad packet */
|
||||||
@ -264,7 +264,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
|||||||
default:
|
default:
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Calculate the total length of the extension header chain.
|
* Calculate the total length of the extension header chain.
|
||||||
@ -362,7 +362,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
|||||||
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
|
MAKE_CHAIN(exthdrs.ip6e_rthdr, mprev, nexthdrp,
|
||||||
IPPROTO_ROUTING);
|
IPPROTO_ROUTING);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
if (!needipsec)
|
if (!needipsec)
|
||||||
goto skip_ipsec2;
|
goto skip_ipsec2;
|
||||||
|
|
||||||
@ -418,7 +418,7 @@ ip6_output(m0, opt, ro, flags, im6o, ifpp, inp)
|
|||||||
rh->ip6r_segleft = segleft_org;
|
rh->ip6r_segleft = segleft_org;
|
||||||
}
|
}
|
||||||
skip_ipsec2:;
|
skip_ipsec2:;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* If there is a routing header, replace the destination address field
|
* If there is a routing header, replace the destination address field
|
||||||
@ -522,12 +522,9 @@ skip_ipsec2:;
|
|||||||
ip6->ip6_hlim = ip6_defmcasthlim;
|
ip6->ip6_hlim = ip6_defmcasthlim;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Same as similar comment above.
|
* We may re-inject packets into the stack here.
|
||||||
* We only want to do regular IPSEC here and leave this pure
|
|
||||||
* in the case that we're using FAST_IPSEC which uses
|
|
||||||
* this code to re-inject packets.
|
|
||||||
*/
|
*/
|
||||||
if (needipsec && needipsectun) {
|
if (needipsec && needipsectun) {
|
||||||
struct ipsec_output_state state;
|
struct ipsec_output_state state;
|
||||||
@ -586,7 +583,7 @@ skip_ipsec2:;
|
|||||||
|
|
||||||
exthdrs.ip6e_ip6 = m;
|
exthdrs.ip6e_ip6 = m;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/* adjust pointer */
|
/* adjust pointer */
|
||||||
ip6 = mtod(m, struct ip6_hdr *);
|
ip6 = mtod(m, struct ip6_hdr *);
|
||||||
@ -1774,7 +1771,7 @@ do { \
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
case IPV6_IPSEC_POLICY:
|
case IPV6_IPSEC_POLICY:
|
||||||
{
|
{
|
||||||
caddr_t req = NULL;
|
caddr_t req = NULL;
|
||||||
@ -1794,7 +1791,7 @@ do { \
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
error = ENOPROTOOPT;
|
error = ENOPROTOOPT;
|
||||||
@ -1991,7 +1988,7 @@ do { \
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
case IPV6_IPSEC_POLICY:
|
case IPV6_IPSEC_POLICY:
|
||||||
{
|
{
|
||||||
caddr_t req = NULL;
|
caddr_t req = NULL;
|
||||||
@ -2020,7 +2017,7 @@ do { \
|
|||||||
m_freem(m);
|
m_freem(m);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
error = ENOPROTOOPT;
|
error = ENOPROTOOPT;
|
||||||
|
@ -474,7 +474,7 @@ nd6_llinfo_timer(arg)
|
|||||||
ln->ln_hold = m0;
|
ln->ln_hold = m0;
|
||||||
clear_llinfo_pqueue(ln);
|
clear_llinfo_pqueue(ln);
|
||||||
}
|
}
|
||||||
if (rt)
|
if (rt && rt->rt_llinfo)
|
||||||
(void)nd6_free(rt, 0);
|
(void)nd6_free(rt, 0);
|
||||||
ln = NULL;
|
ln = NULL;
|
||||||
}
|
}
|
||||||
@ -489,7 +489,8 @@ nd6_llinfo_timer(arg)
|
|||||||
case ND6_LLINFO_STALE:
|
case ND6_LLINFO_STALE:
|
||||||
/* Garbage Collection(RFC 2461 5.3) */
|
/* Garbage Collection(RFC 2461 5.3) */
|
||||||
if (!ND6_LLINFO_PERMANENT(ln)) {
|
if (!ND6_LLINFO_PERMANENT(ln)) {
|
||||||
(void)nd6_free(rt, 1);
|
if (rt && rt->rt_llinfo)
|
||||||
|
(void)nd6_free(rt, 1);
|
||||||
ln = NULL;
|
ln = NULL;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -525,7 +526,8 @@ nd6_llinfo_timer(arg)
|
|||||||
ln->ln_expire = 0; /* make it permanent */
|
ln->ln_expire = 0; /* make it permanent */
|
||||||
ln->ln_state = ND6_LLINFO_STALE;
|
ln->ln_state = ND6_LLINFO_STALE;
|
||||||
} else {
|
} else {
|
||||||
(void)nd6_free(rt, 0);
|
if (rt && rt->rt_llinfo)
|
||||||
|
(void)nd6_free(rt, 0);
|
||||||
ln = NULL;
|
ln = NULL;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@ -2009,7 +2011,7 @@ nd6_output(ifp, origifp, m0, dst, rt0)
|
|||||||
rt = rt->rt_gwroute;
|
rt = rt->rt_gwroute;
|
||||||
RT_LOCK(rt); /* NB: gwroute */
|
RT_LOCK(rt); /* NB: gwroute */
|
||||||
if ((rt->rt_flags & RTF_UP) == 0) {
|
if ((rt->rt_flags & RTF_UP) == 0) {
|
||||||
rtfree(rt); /* unlock gwroute */
|
RTFREE_LOCKED(rt); /* unlock gwroute */
|
||||||
rt = rt0;
|
rt = rt0;
|
||||||
lookup:
|
lookup:
|
||||||
RT_UNLOCK(rt0);
|
RT_UNLOCK(rt0);
|
||||||
@ -2322,7 +2324,8 @@ nd6_sysctl_drlist(SYSCTL_HANDLER_ARGS)
|
|||||||
d->rtaddr.sin6_family = AF_INET6;
|
d->rtaddr.sin6_family = AF_INET6;
|
||||||
d->rtaddr.sin6_len = sizeof(d->rtaddr);
|
d->rtaddr.sin6_len = sizeof(d->rtaddr);
|
||||||
d->rtaddr.sin6_addr = dr->rtaddr;
|
d->rtaddr.sin6_addr = dr->rtaddr;
|
||||||
sa6_recoverscope(&d->rtaddr);
|
if (error = sa6_recoverscope(&d->rtaddr) != 0)
|
||||||
|
return (error);
|
||||||
d->flags = dr->flags;
|
d->flags = dr->flags;
|
||||||
d->rtlifetime = dr->rtlifetime;
|
d->rtlifetime = dr->rtlifetime;
|
||||||
d->expire = dr->expire;
|
d->expire = dr->expire;
|
||||||
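Review bot: In the nd6_sysctl_drlist hunk, the new line `if (error = sa6_recoverscope(&d->rtaddr) != 0)` parses as `error = (sa6_recoverscope(...) != 0)` because `!=` binds tighter than `=`. On failure the sysctl handler therefore returns 1 (EPERM) instead of the error code that sa6_recoverscope actually produced, which misreports the cause to userland. Parenthesise the assignment: `if ((error = sa6_recoverscope(&d->rtaddr)) != 0)`. The function body starts and ends outside the hunk, so it is worth confirming that this new early return does not skip any cleanup the other exit paths perform.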
|
@ -95,10 +95,10 @@
|
|||||||
#include <netinet6/raw_ip6.h>
|
#include <netinet6/raw_ip6.h>
|
||||||
#include <netinet6/scope6_var.h>
|
#include <netinet6/scope6_var.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
#include <machine/stdarg.h>
|
#include <machine/stdarg.h>
|
||||||
|
|
||||||
@ -181,7 +181,7 @@ rip6_input(mp, offp, proto)
|
|||||||
if (last) {
|
if (last) {
|
||||||
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
|
struct mbuf *n = m_copy(m, 0, (int)M_COPYALL);
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Check AH/ESP integrity.
|
* Check AH/ESP integrity.
|
||||||
*/
|
*/
|
||||||
@ -190,7 +190,7 @@ rip6_input(mp, offp, proto)
|
|||||||
ipsec6stat.in_polvio++;
|
ipsec6stat.in_polvio++;
|
||||||
/* do not inject data into pcb */
|
/* do not inject data into pcb */
|
||||||
} else
|
} else
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
if (n) {
|
if (n) {
|
||||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||||
@ -212,7 +212,7 @@ rip6_input(mp, offp, proto)
|
|||||||
}
|
}
|
||||||
last = in6p;
|
last = in6p;
|
||||||
}
|
}
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Check AH/ESP integrity.
|
* Check AH/ESP integrity.
|
||||||
*/
|
*/
|
||||||
@ -223,7 +223,7 @@ rip6_input(mp, offp, proto)
|
|||||||
/* do not inject data into pcb */
|
/* do not inject data into pcb */
|
||||||
INP_UNLOCK(last);
|
INP_UNLOCK(last);
|
||||||
} else
|
} else
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
if (last) {
|
if (last) {
|
||||||
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
if (last->in6p_flags & IN6P_CONTROLOPTS ||
|
||||||
last->in6p_socket->so_options & SO_TIMESTAMP)
|
last->in6p_socket->so_options & SO_TIMESTAMP)
|
||||||
|
@ -52,12 +52,12 @@ __FBSDID("$FreeBSD$");
|
|||||||
#include <netinet/sctp_output.h>
|
#include <netinet/sctp_output.h>
|
||||||
#include <netinet/sctp_bsd_addr.h>
|
#include <netinet/sctp_bsd_addr.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#if defined(INET6)
|
#if defined(INET6)
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /* INET6 */
|
#endif /* INET6 */
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
extern struct protosw inetsw[];
|
extern struct protosw inetsw[];
|
||||||
|
|
||||||
@ -207,7 +207,7 @@ sctp6_input(i_pak, offp, proto)
|
|||||||
refcount_up = 1;
|
refcount_up = 1;
|
||||||
}
|
}
|
||||||
in6p_ip = (struct inpcb *)in6p;
|
in6p_ip = (struct inpcb *)in6p;
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Check AH/ESP integrity.
|
* Check AH/ESP integrity.
|
||||||
*/
|
*/
|
||||||
@ -216,7 +216,7 @@ sctp6_input(i_pak, offp, proto)
|
|||||||
ipsec6stat.in_polvio++;
|
ipsec6stat.in_polvio++;
|
||||||
goto bad;
|
goto bad;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* CONTROL chunk processing
|
* CONTROL chunk processing
|
||||||
|
@ -102,10 +102,10 @@
|
|||||||
#include <netinet6/udp6_var.h>
|
#include <netinet6/udp6_var.h>
|
||||||
#include <netinet6/scope6_var.h>
|
#include <netinet6/scope6_var.h>
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
#include <netipsec/ipsec.h>
|
#include <netipsec/ipsec.h>
|
||||||
#include <netipsec/ipsec6.h>
|
#include <netipsec/ipsec6.h>
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* UDP protocol inplementation.
|
* UDP protocol inplementation.
|
||||||
@ -124,7 +124,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
|
|||||||
|
|
||||||
/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */
|
/* XXXRW: Not yet: INP_LOCK_ASSERT(in6p); */
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
/*
|
/*
|
||||||
* Check AH/ESP integrity.
|
* Check AH/ESP integrity.
|
||||||
*/
|
*/
|
||||||
@ -133,7 +133,7 @@ udp6_append(struct inpcb *in6p, struct mbuf *n, int off,
|
|||||||
ipsec6stat.in_polvio++;
|
ipsec6stat.in_polvio++;
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|
|
||||||
opts = NULL;
|
opts = NULL;
|
||||||
if (in6p->in6p_flags & IN6P_CONTROLOPTS ||
|
if (in6p->in6p_flags & IN6P_CONTROLOPTS ||
|
||||||
|
@ -606,7 +606,7 @@ ipip_output(
|
|||||||
return (error);
|
return (error);
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef FAST_IPSEC
|
#ifdef IPSEC
|
||||||
static int
|
static int
|
||||||
ipe4_init(struct secasvar *sav, struct xformsw *xsp)
|
ipe4_init(struct secasvar *sav, struct xformsw *xsp)
|
||||||
{
|
{
|
||||||
@ -685,4 +685,4 @@ ipe4_attach(void)
|
|||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
|
SYSINIT(ipe4_xform_init, SI_SUB_PROTO_DOMAIN, SI_ORDER_MIDDLE, ipe4_attach, NULL);
|
||||||
#endif /* FAST_IPSEC */
|
#endif /* IPSEC */
|
||||||
|