src/sys/netinet/ip_input.c, branch release/4.8.0_cvs

This commit was manufactured by cvs2svn to create tag

2003-04-03T18:49:23Z

'RELENG_4_8_0_RELEASE'. This commit was manufactured to restore the state of the 4.8-RELEASE image. Releases prior to 5.3-RELEASE are omitting the secure/ and crypto/ subdirs.

MFC rev 1.227

2003-03-07T07:01:28Z

Submitted by: maxim Approved by: re

A correct MFC:

2003-02-27T04:50:02Z

ip_input.c revs 1.225, 1.229 ip_var.h rev 1.71 Approved by: re (bmah)

Backout:

2003-02-27T04:12:01Z

ip_input 1.130.2.49 ip_var.h 1.50.2.10 This is not even close to a straight mfc, my mistake.

IP frag per packet limits

2003-02-27T03:55:46Z

MFC ip_input.c rev 1.225 ip_var.h rev 1.71 Approved by: re (bmah)

MFC: IPSEC_FILTERGIF config option

2003-02-23T17:45:28Z

Add a new config option IPSEC_FILTERGIF to control whether or not packets coming out of a GIF tunnel are re-processed by ipfw, et. al. By default they are not reprocessed. With the option they are. This reverts 1.214. Prior to that change packets were not re-processed. After they were which caused problems because packets do not have distinguishing characteristics (like a special network if) that allows them to be filtered specially. PR: 48159 Reviewed by: Guido van Rooij Approved by: re (jhb, murray)

MFC revs 1.221 -> 1.223

2003-02-06T05:05:38Z

MFC: Fast IPsec

2003-01-24T05:11:36Z

"Fast IPsec": this is an experimental IPsec implementation that is derived from the KAME IPsec implementation, but with heavy borrowing and influence of openbsd. A key feature of this implementation is that it uses the kernel crypto framework to do all crypto work so when h/w crypto support is present IPsec operation is automatically accelerated. Otherwise the protocol implementations are rather differet while the SADB and policy management code is very similar to KAME (for the moment). Note that this implementation is enabled with a FAST_IPSEC option. With this you get all protocols; i.e. there is no FAST_IPSEC_ESP option. FAST_IPSEC and IPSEC are mutually exclusive; you cannot build both into a single system. This software is well tested with IPv4 but should be considered very experimental (i.e. do not deploy in production environments). This software does NOT currently support IPv6. In fact do not configure FAST_IPSEC and INET6 in the same system. Supported by: Vernier Networks

MFC: m_tag support

2003-01-23T21:06:48Z

Replace aux mbufs with packet tags: o instead of a list of mbufs use a list of m_tag structures a la openbsd o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit ABI/module number cookie o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and use this in defining openbsd-compatible m_tag_find and m_tag_get routines o rewrite KAME use of aux mbufs in terms of packet tags o eliminate the most heavily used aux mbufs by adding an additional struct inpcb parameter to ip_output and ip6_output to allow the IPsec code to locate the security policy to apply to outbound packets o bump __FreeBSD_version so code can be conditionalized o fixup ipfilter's call to ip_output based on __FreeBSD_version

MFC rev 1.217

2002-11-25T05:23:00Z

Add a sysctl to control the generation of source quench packets, and set it to 0 by default. Partially obtained from: NetBSD Suggested by: David Gilbert