diff options
author | Hajimu UMEMOTO <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
---|---|---|
committer | Hajimu UMEMOTO <ume@FreeBSD.org> | 2003-11-04 16:02:05 +0000 |
commit | 0f9ade718da4248226297bed41f3e9e372fd5f4d (patch) | |
tree | fdad404b77778d90d4bdccd4cb96415d0821c8d5 /sys/netkey/key.h | |
parent | 7430623f55ac6ed7b26314ff11e9a31d14255e46 (diff) | |
download | src-0f9ade718da4248226297bed41f3e9e372fd5f4d.tar.gz src-0f9ade718da4248226297bed41f3e9e372fd5f4d.zip |
- cleanup SP refcnt issue.
- share policy-on-socket for listening socket.
- don't copy policy-on-socket at all. secpolicy no longer contain
spidx, which saves a lot of memory.
- deep-copy pcb policy if it is an ipsec policy. assign ID field to
all SPD entries. make it possible for racoon to grab SPD entry on
pcb.
- fixed the order of searching SA table for packets.
- fixed to get a security association header. a mode is always needed
to compare them.
- fixed that the incorrect time was set to
sadb_comb_{hard|soft}_usetime.
- disallow port spec for tunnel mode policy (as we don't reassemble).
- an user can define a policy-id.
- clear enc/auth key before freeing.
- fixed that the kernel crashed when key_spdacquire() was called
because key_spdacquire() had been implemented imcopletely.
- preparation for 64bit sequence number.
- maintain ordered list of SA, based on SA id.
- cleanup secasvar management; refcnt is key.c responsibility;
alloc/free is keydb.c responsibility.
- cleanup, avoid double-loop.
- use hash for spi-based lookup.
- mark persistent SP "persistent".
XXX in theory refcnt should do the right thing, however, we have
"spdflush" which would touch all SPs. another solution would be to
de-register persistent SPs from sptree.
- u_short -> u_int16_t
- reduce kernel stack usage by auto variable secasindex.
- clarify function name confusion. ipsec_*_policy ->
ipsec_*_pcbpolicy.
- avoid variable name confusion.
(struct inpcbpolicy *)pcb_sp, spp (struct secpolicy **), sp (struct
secpolicy *)
- count number of ipsec encapsulations on ipsec4_output, so that we
can tell ip_output() how to handle the packet further.
- When the value of the ul_proto is ICMP or ICMPV6, the port field in
"src" of the spidx specifies ICMP type, and the port field in "dst"
of the spidx specifies ICMP code.
- avoid from applying IPsec transport mode to the packets when the
kernel forwards the packets.
Tested by: nork
Obtained from: KAME
Notes
Notes:
svn path=/head/; revision=122062
Diffstat (limited to 'sys/netkey/key.h')
-rw-r--r-- | sys/netkey/key.h | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/sys/netkey/key.h b/sys/netkey/key.h index 4cbe358d5ddf..6bd18501c136 100644 --- a/sys/netkey/key.h +++ b/sys/netkey/key.h @@ -1,5 +1,5 @@ /* $FreeBSD$ */ -/* $KAME: key.h,v 1.21 2001/07/27 03:51:30 itojun Exp $ */ +/* $KAME: key.h,v 1.32 2003/09/07 05:25:20 itojun Exp $ */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. @@ -35,8 +35,13 @@ #ifdef _KERNEL +#include <sys/queue.h> + extern struct key_cb key_cb; +extern TAILQ_HEAD(_satailq, secasvar) satailq; +extern TAILQ_HEAD(_sptailq, secpolicy) sptailq; + struct secpolicy; struct secpolicyindex; struct ipsecrequest; @@ -46,22 +51,24 @@ struct socket; struct sadb_msg; struct sadb_x_policy; -extern struct secpolicy *key_allocsp(struct secpolicyindex *, u_int); +extern struct secpolicy *key_allocsp(u_int16_t, struct secpolicyindex *, + u_int); extern struct secpolicy *key_gettunnel(struct sockaddr *, struct sockaddr *, struct sockaddr *, struct sockaddr *); extern int key_checkrequest (struct ipsecrequest *isr, struct secasindex *); extern struct secasvar *key_allocsa(u_int, caddr_t, caddr_t, u_int, u_int32_t); extern void key_freesp(struct secpolicy *); -extern void key_freeso(struct socket *); extern void key_freesav(struct secasvar *); -extern struct secpolicy *key_newsp(void); +extern struct secpolicy *key_newsp(u_int32_t); extern struct secpolicy *key_msg2sp(struct sadb_x_policy *, size_t, int *); extern struct mbuf *key_sp2msg(struct secpolicy *); -extern int key_ismyaddr(struct sockaddr *); +extern int key_cmpspidx_exactly + (struct secpolicyindex *, struct secpolicyindex *); +extern int key_cmpspidx_withmask + (struct secpolicyindex *, struct secpolicyindex *); extern int key_spdacquire(struct secpolicy *); -extern void key_timehandler(void); -extern u_long key_random(void); +extern void key_timehandler(void *); extern void key_randomfill(void *, size_t); extern void key_freereg(struct socket *); extern int key_parse(struct mbuf *, struct socket *); |