FreeBSD source tree https://cgit-dev.freebsd.org/src/atom?h=releng%2F5.3 2003-11-04T16:02:05Z 2003-11-04T16:02:05Z Hajimu UMEMOTO ume@FreeBSD.org 2003-11-04T16:02:05Z urn:sha1:0f9ade718da4248226297bed41f3e9e372fd5f4d - share policy-on-socket for listening socket. - don't copy policy-on-socket at all. secpolicy no longer contain spidx, which saves a lot of memory. - deep-copy pcb policy if it is an ipsec policy. assign ID field to all SPD entries. make it possible for racoon to grab SPD entry on pcb. - fixed the order of searching SA table for packets. - fixed to get a security association header. a mode is always needed to compare them. - fixed that the incorrect time was set to sadb_comb_{hard|soft}_usetime. - disallow port spec for tunnel mode policy (as we don't reassemble). - an user can define a policy-id. - clear enc/auth key before freeing. - fixed that the kernel crashed when key_spdacquire() was called because key_spdacquire() had been implemented imcopletely. - preparation for 64bit sequence number. - maintain ordered list of SA, based on SA id. - cleanup secasvar management; refcnt is key.c responsibility; alloc/free is keydb.c responsibility. - cleanup, avoid double-loop. - use hash for spi-based lookup. - mark persistent SP "persistent". XXX in theory refcnt should do the right thing, however, we have "spdflush" which would touch all SPs. another solution would be to de-register persistent SPs from sptree. - u_short -> u_int16_t - reduce kernel stack usage by auto variable secasindex. - clarify function name confusion. ipsec_*_policy -> ipsec_*_pcbpolicy. - avoid variable name confusion. (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct secpolicy *) - count number of ipsec encapsulations on ipsec4_output, so that we can tell ip_output() how to handle the packet further. - When the value of the ul_proto is ICMP or ICMPV6, the port field in "src" of the spidx specifies ICMP type, and the port field in "dst" of the spidx specifies ICMP code. - avoid from applying IPsec transport mode to the packets when the kernel forwards the packets. Tested by: nork Obtained from: KAME 2003-11-02T12:28:04Z Hajimu UMEMOTO ume@FreeBSD.org 2003-11-02T12:28:04Z urn:sha1:2dc334e089e30fae4adb186266fe10b38d2e6a34 Obtained from: KAME 2003-11-02T11:43:07Z Hajimu UMEMOTO ume@FreeBSD.org 2003-11-02T11:43:07Z urn:sha1:b67d3260ead7e234c804dc18f20dad9c3b7ac82a Obtained from: KAME 2003-11-02T11:26:42Z Hajimu UMEMOTO ume@FreeBSD.org 2003-11-02T11:26:42Z urn:sha1:c7ebbcde04734d7ec57dd4ca4042bc7856c10abd Obtained from: KAME 2003-09-25T13:36:51Z Hajimu UMEMOTO ume@FreeBSD.org 2003-09-25T13:36:51Z urn:sha1:4bcf9f8e6f5d6f5f81b948458913596de0162944 Obtained from: KAME 2003-06-11T05:37:42Z David E. O'Brien obrien@FreeBSD.org 2003-06-11T05:37:42Z urn:sha1:ab0de15baf7234734b1b64c3145cd36f867c98ea 2002-04-19T04:46:24Z SUZUKI Shinsuke suz@FreeBSD.org 2002-04-19T04:46:24Z urn:sha1:88ff5695c1e53c3398142ea10e3f041ff4b5a03f (based on freebsd4-snap-20020128) Reviewed by: ume MFC after: 1 week 2002-03-20T02:39:27Z Alfred Perlstein alfred@FreeBSD.org 2002-03-20T02:39:27Z urn:sha1:96abb1618a1d3123e80a90f7324ab93bd625f6ac 2001-11-05T16:46:24Z Hajimu UMEMOTO ume@FreeBSD.org 2001-11-05T16:46:24Z urn:sha1:3bc1038274009db6d6f0e7db120e5b5e2980ae6a - nuke all debug printfs, which are unneeded by now. - get rid of #ifdef IPSEC_DEBUG in headers - now that key_debug_level is always defined, there's no need for #ifdef IPSEC_DEBUG around sysctl MIB code (net.key.debug). - switch all debug printf() to ipseclog(). Obtained from: KAME MFC after: 1 week 2001-08-06T19:40:01Z Hajimu UMEMOTO ume@FreeBSD.org 2001-08-06T19:40:01Z urn:sha1:232bdaf61fa5b080a8119ad5ad3e757604fc6a7e into sadb_x_sa2_sequence from sadb_x_sa2_reserved3 in the sadb_x_sa2 structure. Also the output of setkey is changed. sequence number of the sadb is replaced to the end of the output. Obtained from: KAME