src-test2/sys/netipsec, branch release/8.4.0

src-test2/sys/netipsec, branch release/8.4.0 FreeBSD source tree https://cgit-dev.freebsd.org/src-test2/atom?h=release%2F8.4.0 2012-03-05T17:33:01Z MFC r231852,232127: 2012-03-05T17:33:01Z Bjoern A. Zeeb bz@FreeBSD.org 2012-03-05T17:33:01Z urn:sha1:140dd7d09d20f9188fdba0f96720c8a9c73d2914 Merge multi-FIB IPv6 support. Extend the so far IPv4-only support for multiple routing tables (FIBs) introduced in r178888 to IPv6 providing feature parity. This includes an extended rtalloc(9) KPI for IPv6, the necessary adjustments to the network stack, and user land support as in netstat. Sponsored by: Cisco Systems, Inc. MFC: r226117 2011-10-15T13:03:25Z Christian Brueffer brueffer@FreeBSD.org 2011-10-15T13:03:25Z urn:sha1:0278bd111c3addaf97797a358f5420cb29dca69d Add missing va_end() in an error case to clean up after va_start() (already done in the non-error case). MFC: 2011-08-19T13:41:00Z VANHULLEBUS Yvan vanhu@FreeBSD.org 2011-08-19T13:41:00Z urn:sha1:e82854b75d3895b360d0352bcf092fd8fb8772bd fixed two race conditions when inserting/removing SAs via PFKey, which can both lead to a kernel panic when adding/removing quickly a lot of SAs. Obtained from: NETASQ MFC: Release SP's refcount in key_get_spdbyid(). 2011-08-19T09:06:00Z VANHULLEBUS Yvan vanhu@FreeBSD.org 2011-08-19T09:06:00Z urn:sha1:b406212cbe4bda1ee4f00d8851b2da30a9a207ed PR: 156676 Submitted by: Tobias Brunner (tobias@strongswan.org) MFC r220206: 2011-05-06T13:24:10Z Fabien Thomas fabient@FreeBSD.org 2011-05-06T13:24:10Z urn:sha1:cf716cbabc6b89c4ca3ea8e46814d8bb160506d7 Optimisation in IPSEC(4): - Remove contention on ISR during the crypto operation by using rwlock(9). - Remove a second lookup of the SA in the callback. MFC r220194: 2011-05-06T13:12:45Z Fabien Thomas fabient@FreeBSD.org 2011-05-06T13:12:45Z urn:sha1:643d4c75cfa91af3e99e83233f909bf805b30696 Fix two SA refcount: - AH does not release the SA like in ESP/IPCOMP when handling EAGAIN - ipsec_process_done incorrectly release the SA. MFC 218794, 219026: 2011-04-28T08:49:43Z VANHULLEBUS Yvan vanhu@FreeBSD.org 2011-04-28T08:49:43Z urn:sha1:8f6f640494c790ae27acf17a211424bbacd3b502 Fixed IPsec's HMAC_SHA256-512 support to be RFC4868 compliant. This will break interoperability with all older versions of FreeBSD for those algorithms. Reviewed by: bz, gnn Obtained from: NETASQ MFC r220247: 2011-04-09T10:53:36Z Bjoern A. Zeeb bz@FreeBSD.org 2011-04-09T10:53:36Z urn:sha1:b979590a90aec1d2b81cf498fec9927e36397ef7 Do not allow directly recursive RFC3173 IPComp payload. Security: CVE-2011-1547 MFC r214565: 2010-11-13T01:28:56Z Bjoern A. Zeeb bz@FreeBSD.org 2010-11-13T01:28:56Z urn:sha1:4078adbf1a91b447cc1c02bc16f571535b5c5239 Announce both IPsec and UDP Encap (NAT-T) if available for feature_present(3) checks. This will help to run-time detect and conditionally handle specific optionas of either feature in user space (i.e. in libipsec). Descriptions read by: rwatson MFC r214250: 2010-11-06T14:46:24Z Bjoern A. Zeeb bz@FreeBSD.org 2010-11-06T14:46:24Z urn:sha1:c241774266168834304a6048ce5ea19a6351751f Make the IPsec SADB embedded route cache a union to be able to hold both the legacy and IPv6 route destination address. Previously in case of IPv6, there was a memory overwrite due to not enough space for the IPv6 address. PR: kern/122565