cvs commit: src/sys/netinet in_pcb.c ip_input.c ip_output.c tcp_output.c tcp_syncache.c src/sys/netinet6 icmp6.c ip6_forward.c ip6_output.c ipsec.c ipsec.h ipsec6.h nd6.c nd6_nbr.c raw_ip6.c...

Hajimu UMEMOTO ume at FreeBSD.org
Tue Nov 4 08:02:13 PST 2003


ume         2003/11/04 08:02:05 PST

  FreeBSD src repository

  Modified files:
    sys/netinet          in_pcb.c ip_input.c ip_output.c 
                         tcp_output.c tcp_syncache.c 
    sys/netinet6         icmp6.c ip6_forward.c ip6_output.c 
                         ipsec.c ipsec.h ipsec6.h nd6.c nd6_nbr.c 
                         raw_ip6.c udp6_output.c udp6_usrreq.c 
    sys/netkey           key.c key.h key_debug.c keydb.c keydb.h 
  Log:
  - cleanup SP refcnt issue.
  - share policy-on-socket for listening socket.
  - don't copy policy-on-socket at all.  secpolicy no longer contains
    spidx, which saves a lot of memory.
  - deep-copy pcb policy if it is an ipsec policy.  assign ID field to
    all SPD entries.  make it possible for racoon to grab SPD entry on
    pcb.
  - fixed the order of searching SA table for packets.
  - fixed to get a security association header.  a mode is always needed
    to compare them.
  - fixed that the incorrect time was set to
    sadb_comb_{hard|soft}_usetime.
  - disallow port spec for tunnel mode policy (as we don't reassemble).
  - a user can define a policy-id.
  - clear enc/auth key before freeing.
  - fixed that the kernel crashed when key_spdacquire() was called
    because key_spdacquire() had been implemented incompletely.
  - preparation for 64bit sequence number.
  - maintain ordered list of SA, based on SA id.
  - cleanup secasvar management; refcnt is key.c responsibility;
    alloc/free is keydb.c responsibility.
  - cleanup, avoid double-loop.
  - use hash for spi-based lookup.
  - mark persistent SP "persistent".
    XXX in theory refcnt should do the right thing, however, we have
    "spdflush" which would touch all SPs.  another solution would be to
    de-register persistent SPs from sptree.
  - u_short -> u_int16_t
  - reduce kernel stack usage by auto variable secasindex.
  - clarify function name confusion.  ipsec_*_policy ->
    ipsec_*_pcbpolicy.
  - avoid variable name confusion.
    (struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
    secpolicy *)
  - count number of ipsec encapsulations on ipsec4_output, so that we
    can tell ip_output() how to handle the packet further.
  - When the value of the ul_proto is ICMP or ICMPV6, the port field in
    "src" of the spidx specifies ICMP type, and the port field in "dst"
    of the spidx specifies ICMP code.
  - avoid applying IPsec transport mode to the packets when the
    kernel forwards the packets.
  
  Tested by:      nork
  Obtained from:  KAME
  
  Revision  Changes    Path
  1.126     +14 -4     src/sys/netinet/in_pcb.c
  1.249     +1 -1      src/sys/netinet/ip_input.c
  1.197     +10 -3     src/sys/netinet/ip_output.c
  1.80      +7 -0      src/sys/netinet/tcp_output.c
  1.44      +5 -1      src/sys/netinet/tcp_syncache.c
  1.48      +9 -2      src/sys/netinet6/icmp6.c
  1.23      +49 -5     src/sys/netinet6/ip6_forward.c
  1.66      +10 -7     src/sys/netinet6/ip6_output.c
  1.29      +688 -489  src/sys/netinet6/ipsec.c
  1.13      +57 -13    src/sys/netinet6/ipsec.h
  1.7       +4 -7      src/sys/netinet6/ipsec6.h
  1.36      +4 -0      src/sys/netinet6/nd6.c
  1.23      +8 -0      src/sys/netinet6/nd6_nbr.c
  1.33      +9 -2      src/sys/netinet6/raw_ip6.c
  1.14      +6 -0      src/sys/netinet6/udp6_output.c
  1.38      +3 -3      src/sys/netinet6/udp6_usrreq.c
  1.57      +652 -515  src/sys/netkey/key.c
  1.10      +14 -7     src/sys/netkey/key.h
  1.24      +13 -12    src/sys/netkey/key_debug.c
  1.5       +76 -3     src/sys/netkey/keydb.c
  1.10      +16 -7     src/sys/netkey/keydb.h

