Commit IPv6 support for FAST_IPSEC to the tree.

This commit includes all remaining changes for the time being including
user space updates.

Submitted by:    bz
Approved by:    re
George V. Neville-Neil 2007-07-01 12:08:08 +00:00
parent 5f308feb93
commit 8409aedfa6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=171135
38 changed files with 76 additions and 133 deletions


@ -42,7 +42,7 @@
#include <netinet/in.h>
#include <netinet/in_systm.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#endif
#include <netinet/tcp.h>
#include <netinet/ip.h>


@ -72,7 +72,7 @@ typedef unsigned char cc_t;
#include <string.h>
#if defined(IPSEC)
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#if defined(IPSEC_POLICY_IPSEC)
extern char *ipsec_policy_in;
extern char *ipsec_policy_out;


@ -228,7 +228,7 @@ static const char rcsid[] =
#ifdef IPSEC
#include <net/route.h>
#include <netinet6/ipsec.h> /* XXX */
#include <netipsec/ipsec.h> /* XXX */
#endif /* IPSEC */
#include <ctype.h>


@ -231,8 +231,6 @@
..
netipx
..
netkey
..
netnatm
api
..


@ -34,7 +34,7 @@ LHDRS= aio.h errno.h fcntl.h linker_set.h poll.h stdint.h syslog.h \
termios.h ucontext.h
LDIRS= bsm cam geom net net80211 netatalk netatm netgraph netinet netinet6 \
netipsec ${_netipx} netkey netnatm ${_netncp} netsmb \
netipsec ${_netipx} netnatm ${_netncp} netsmb \
nfs nfsclient nfsserver \
pccard sys vm


@ -39,7 +39,7 @@ CFLAGS+=-DIPSEC_DEBUG -DIPSEC
CFLAGS+=-DINET6
.endif
#.PATH: ${.CURDIR}/../../sys/netkey
#.PATH: ${.CURDIR}/../../sys/netipsec
#SRCS= pfkey.c pfkey_dump.c
SRCS+= ipsec_strerror.c policy_parse.y policy_token.l
SRCS+= ipsec_dump_policy.c ipsec_get_policylen.c


@ -36,9 +36,9 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/socket.h>
#include <netkey/key_var.h>
#include <netipsec/key_var.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <arpa/inet.h>


@ -35,7 +35,7 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <net/pfkeyv2.h>


@ -41,7 +41,7 @@
.Sh LIBRARY
.Lb libipsec
.Sh SYNOPSIS
.In netinet6/ipsec.h
.In netipsec/ipsec.h
.Ft "char *"
.Fn ipsec_set_policy "char *policy" "int len"
.Ft int


@ -38,12 +38,12 @@
.Nd error messages for the IPsec policy manipulation library
.\"
.Sh SYNOPSIS
.In netinet6/ipsec.h
.In netipsec/ipsec.h
.Ft "const char *"
.Fn ipsec_strerror
.\"
.Sh DESCRIPTION
.In netinet6/ipsec.h
.In netipsec/ipsec.h
declares
.Pp
.Dl extern int ipsec_errcode;


@ -36,7 +36,7 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <string.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include "ipsec_strerror.h"


@ -36,9 +36,9 @@ __FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/socket.h>
#include <net/pfkeyv2.h>
#include <netkey/key_var.h>
#include <netipsec/key_var.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <stdlib.h>
#include <unistd.h>


@ -35,13 +35,12 @@ __FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <net/pfkeyv2.h>
#include <netkey/key_var.h>
#include <netkey/key_debug.h>
#include <netipsec/key_var.h>
#include <netipsec/key_debug.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <arpa/inet.h>
#include <stdlib.h>


@ -57,7 +57,7 @@ __FBSDID("$FreeBSD$");
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <stdlib.h>
#include <stdio.h>


@ -36,9 +36,9 @@
#include <sys/socket.h>
#include <net/route.h>
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
#include <netipsec/keydb.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <stdlib.h>
#include <limits.h>


@ -38,8 +38,8 @@ __FBSDID("$FreeBSD$");
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>
#include <netipsec/key_debug.h>
#include <netipsec/ipsec.h>
#include <stdio.h>
#include <stdlib.h>


@ -76,7 +76,7 @@ __FBSDID("$FreeBSD$");
#include <arpa/inet.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#endif /*IPSEC*/
#include <ctype.h>


@ -3,7 +3,7 @@
PROG= ping6
MAN= ping6.8
CFLAGS+=-DIPSEC -DKAME_SCOPEID -DUSE_RFC2292BIS \
CFLAGS+=-DIPSEC -DFAST_IPSEC -DKAME_SCOPEID -DUSE_RFC2292BIS \
-DHAVE_POLL_H -DHAVE_ARC4RANDOM
WARNS?= 2


@ -134,8 +134,8 @@ static const char rcsid[] =
#endif
#ifdef IPSEC
#include <netinet6/ah.h>
#include <netinet6/ipsec.h>
#include <netipsec/ah.h>
#include <netipsec/ipsec.h>
#endif
#include <md5.h>


@ -44,9 +44,9 @@ CLEANFILES= y.tab.c y.tab.h key_test.o keytest
# libpfkey
# ipsec_strerror.c is for avoiding shlib reference to non-exported function.
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netkey
.PATH: ${.CURDIR}/../../lib/libipsec ${.CURDIR}/../../sys/netipsec
SRCS+= pfkey.c pfkey_dump.c key_debug.c ipsec_strerror.c
CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netkey
CFLAGS+= -I${.CURDIR}/../../lib/libipsec -I${.CURDIR}/../../sys/netipsec
SRCS+= y.tab.h
y.tab.h: parse.y


@ -38,8 +38,8 @@
#include <net/route.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#include <netkey/key_var.h>
#include <netinet6/ipsec.h>
#include <netipsec/key_var.h>
#include <netipsec/ipsec.h>
#include <arpa/inet.h>
#include <string.h>


@ -38,9 +38,9 @@
#include <net/route.h>
#include <netinet/in.h>
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
#include <netkey/key_debug.h>
#include <netinet6/ipsec.h>
#include <netipsec/keydb.h>
#include <netipsec/key_debug.h>
#include <netipsec/ipsec.h>
#include <stdio.h>
#include <stdlib.h>


@ -36,9 +36,9 @@
#include <net/route.h>
#include <net/pfkeyv2.h>
#include <netinet/in.h>
#include <netkey/keydb.h>
#include <netkey/key_var.h>
#include <netkey/key_debug.h>
#include <netipsec/keydb.h>
#include <netipsec/key_var.h>
#include <netipsec/key_debug.h>
#include <stdio.h>
#include <stdlib.h>


@ -34,11 +34,10 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet6/in6.h>
#include <netkey/keyv2.h>
#include <netipsec/ipsec.h>
#include <stdlib.h>
#include <string.h>
#include <netinet6/ipsec.h>
char *requests[] = {
"must_error", /* must be error */


@ -36,10 +36,10 @@
#include <sys/socket.h>
#include <net/route.h>
#include <net/pfkeyv2.h>
#include <netkey/keydb.h>
#include <netkey/key_debug.h>
#include <netipsec/keydb.h>
#include <netipsec/key_debug.h>
#include <netinet/in.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#include <stdlib.h>
#include <limits.h>


@ -32,7 +32,7 @@
.\" @(#)hier.7 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
.Dd June 10, 2007
.Dd June 28, 2007
.Dt HIER 7
.Os
.Sh NAME
@ -318,10 +318,12 @@ see
C include files for Internet protocol version 6;
see
.Xr inet6 4
.It Pa netipsec/
kernel key-management service;
see
.Xr ipsec 4
.It Pa netipx/
IPX/SPX protocol stacks
.It Pa netkey/
kernel key-management service
.It Pa netnatm/
NATM include files;
see


@ -10,7 +10,6 @@ SRCS= if.c inet.c main.c mbuf.c mcast.c mroute.c route.c \
WARNS?= 3
CFLAGS+=-DIPSEC
CFLAGS+=-DFAST_IPSEC
CFLAGS+=-DSCTP
.if ${MK_INET6_SUPPORT} != "no"


@ -104,11 +104,7 @@ __FBSDID("$FreeBSD$");
#include <netinet/in.h>
#if defined(IPSEC) && !defined(FAST_IPSEC)
#include <netinet6/ipsec.h>
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/ipsec.h>
#include <netipsec/ah_var.h>
#include <netipsec/esp_var.h>
@ -250,9 +246,24 @@ print_ipsecstats(const struct ipsecstat *ipsecstat)
hist(ipsecstat->out_comphist, ipsec_compnames, "IPComp output");
p(spdcachelookup, "\t%ju SPD cache lookup%s\n");
pes(spdcachemiss, "\t%ju SPD cache miss%s\n");
#undef p
#undef pes
#undef hist
p(ips_in_polvio, "\t%ju inbound packet%s violated process "
"security policy\n");
p(ips_out_polvio, "\t%ju outbound packet%s violated process "
"security policy\n");
p(ips_out_nosa, "\t%ju outbound packet%s with no SA available\n");
p(ips_out_nomem, "\t%ju outbound packet%s failed due to "
"insufficient memory\n");
p(ips_out_noroute, "\t%ju outbound packet%s with no route "
"available\n");
p(ips_out_inval, "\t%ju invalid outbound packet%s\n");
p(ips_out_bundlesa, "\t%ju outbound packet%s with bundled SAs\n");
p(ips_mbcoalesced, "\t%ju mbuf%s coalesced during clone\n");
p(ips_clcoalesced, "\t%ju cluster%s coalesced during clone\n");
p(ips_clcopied, "\t%ju cluster%s copied during clone\n");
p(ips_mbinserted, "\t%ju mbuf%s inserted during makespace\n");
#undef p
}
void
@ -269,11 +280,8 @@ ipsec_stats(u_long off, const char *name, int af1 __unused)
}
#ifdef FAST_IPSEC
static void ipsec_hist_new(const u_int32_t *hist, size_t histmax,
const struct val2str *name, const char *title);
static void print_newipsecstats(const struct newipsecstat *newipsecstat);
static void print_ahstats(const struct ahstat *ahstat);
static void print_espstats(const struct espstat *espstat);
static void print_ipcompstats(const struct ipcompstat *ipcompstat);
@ -310,43 +318,6 @@ ipsec_hist_new(const u_int32_t *hist, size_t histmax,
}
}
static void
print_newipsecstats(const struct newipsecstat *newipsecstat)
{
#define p(f, m) if (newipsecstat->f || sflag <= 1) \
printf(m, newipsecstat->f, plural(newipsecstat->f))
p(ips_in_polvio, "\t%u inbound packet%s violated process "
"security policy\n");
p(ips_out_polvio, "\t%u outbound packet%s violated process "
"security policy\n");
p(ips_out_nosa, "\t%u outbound packet%s with no SA available\n");
p(ips_out_nomem, "\t%u outbound packet%s failed due to "
"insufficient memory\n");
p(ips_out_noroute, "\t%u outbound packet%s with no route "
"available\n");
p(ips_out_inval, "\t%u invalid outbound packet%s\n");
p(ips_out_bundlesa, "\t%u outbound packet%s with bundled SAs\n");
p(ips_mbcoalesced, "\t%u mbuf%s coalesced during clone\n");
p(ips_clcoalesced, "\t%u cluster%s coalesced during clone\n");
p(ips_clcopied, "\t%u cluster%s copied during clone\n");
p(ips_mbinserted, "\t%u mbuf%s inserted during makespace\n");
#undef p
}
void
ipsec_stats_new(u_long off, const char *name, int family __unused)
{
struct newipsecstat newipsecstat;
if (off == 0)
return;
printf ("%s:\n", name);
kread(off, (char *)&newipsecstat, sizeof(newipsecstat));
print_newipsecstats(&newipsecstat);
}
static void
print_ahstats(const struct ahstat *ahstat)
{
@ -491,5 +462,4 @@ ipcomp_stats(u_long off, const char *name, int family __unused)
print_ipcompstats(&ipcompstat);
}
#endif /* FAST_IPSEC */
#endif /*IPSEC*/
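Review bot: The eleven `p(ips_…)` lines added to `print_ipsecstats` carry no comment saying where they come from, although they are the same counters the removed `print_newipsecstats` printed under the `fastipsec` heading. A one-line comment before `p(ips_in_polvio, …)`, such as `/* counters formerly printed by print_newipsecstats() ("fastipsec") */`, would explain why two field-naming styles share one function and tell anyone who monitors these counters where they are reported now. The page prints `#undef p` both before and after the new lines without `+`/`-` markers; the first is presumably the removed line, since `p` is still used below it. `print_ipsecstats` begins outside the hunk.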


@ -100,7 +100,7 @@ static struct nlist nl[] = {
#define N_ICMP6STAT 13
{ .n_name = "_icmp6stat" },
#define N_IPSECSTAT 14
{ .n_name = "_ipsecstat" },
{ .n_name = "_ipsec4stat" },
#define N_IPSEC6STAT 15
{ .n_name = "_ipsec6stat" },
#define N_PIM6STAT 16
@ -141,8 +141,6 @@ static struct nlist nl[] = {
{ .n_name = "_carpstats" },
#define N_PFSYNCSTAT 34
{ .n_name = "_pfsyncstats" },
#define N_FAST_IPSECSTAT 35
{ .n_name = "_newipsecstat" },
#define N_AHSTAT 36
{ .n_name = "_ahstat" },
#define N_ESPSTAT 37
@ -181,18 +179,14 @@ struct protox {
{ -1, -1, 1, protopr,
igmp_stats, NULL, "igmp", IPPROTO_IGMP },
#ifdef IPSEC
{ -1, N_IPSECSTAT, 1, NULL,
{ -1, N_IPSECSTAT, 1, NULL, /* keep as compat */
ipsec_stats, NULL, "ipsec", 0},
#ifdef FAST_IPSEC
{ -1, N_FAST_IPSECSTAT, 1, 0,
ipsec_stats_new, NULL, "fastipsec", 0},
{ -1, N_AHSTAT, 1, 0,
{ -1, N_AHSTAT, 1, NULL,
ah_stats, NULL, "ah", 0},
{ -1, N_ESPSTAT, 1, 0,
{ -1, N_ESPSTAT, 1, NULL,
esp_stats, NULL, "esp", 0},
{ -1, N_IPCOMPSTAT, 1, 0,
{ -1, N_IPCOMPSTAT, 1, NULL,
ipcomp_stats, NULL, "ipcomp", 0},
#endif
#endif
{ -1, -1, 1, protopr,
pim_stats, NULL, "pim", IPPROTO_PIM },
@ -526,17 +520,6 @@ main(int argc, char *argv[])
kread(0, 0, 0);
if (tp) {
#ifdef FAST_IPSEC
/*
* HACK: fallback to printing the new FAST IPSEC stats
* if the kernel was built with FAST_IPSEC rather
* than the KAME IPSEC stack (the two are mutually
* exclusive).
*/
if (nl[tp->pr_sindex].n_value == 0 &&
strcmp(tp->pr_name, "ipsec") == 0)
tp = name2protox("fastipsec");
#endif
printproto(tp, tp->pr_name);
exit(0);
}
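Review bot: In the second hunk the `N_FAST_IPSECSTAT 35` / `_newipsecstat` pair is dropped from `nl[]`, but the defines that follow still read `#define N_AHSTAT 36` and `#define N_ESPSTAT 37`, and the hunk header (8 old lines, 6 new) leaves no room for them to have changed. The `N_*` constants are positional indexes into `nl[]` (the removed fallback code reads `nl[tp->pr_sindex].n_value`), so every entry after `_pfsyncstats` would now sit one slot below its constant. `ah`, `esp`, `ipcomp` and any later protocol would then be read from the wrong kernel symbol, and an operator checking IPsec counters would see another protocol's data. Unless the later constants are renumbered outside the visible hunks, shift them down by one (`#define N_AHSTAT 35`, `#define N_ESPSTAT 36`, and so on). The `nl[]` initializer starts and ends outside the hunk.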


@ -80,13 +80,10 @@ void carp_stats (u_long, const char *, int);
void pfsync_stats (u_long, const char *, int);
#ifdef IPSEC
void ipsec_stats(u_long, const char *, int);
#ifdef FAST_IPSEC
void ipsec_stats_new (u_long, const char *, int);
void esp_stats (u_long, const char *, int);
void ah_stats (u_long, const char *, int);
void ipcomp_stats (u_long, const char *, int);
#endif
#endif
#ifdef INET6
void ip6_stats(u_long, const char *, int);


@ -79,11 +79,7 @@ static const char rcsid[] =
#include <netinet/in.h>
#if defined(IPSEC) && !defined(FAST_IPSEC)
#include <netkey/keysock.h>
#endif
#ifdef FAST_IPSEC
#ifdef IPSEC
#include <netipsec/keysock.h>
#endif


@ -23,7 +23,7 @@ DPADD= ${LIBTERMCAP} ${LIBTELNET}
LDADD= -ltermcap ${LIBTELNET}
.if !defined(RELEASE_CRUNCH)
CFLAGS+= -DIPSEC
CFLAGS+= -DIPSEC -DFAST_IPSEC
DPADD+= ${LIBIPSEC}
LDADD+= -lipsec
.else
@ -35,7 +35,7 @@ CFLAGS+= -DHAS_CGETENT
.if !defined(RELEASE_CRUNCH)
.if ${MK_OPENSSL} != "no"
SRCS+= authenc.c
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DIPSEC
CFLAGS+= -DENCRYPTION -DAUTHENTICATION -DIPSEC -DFAST_IPSEC
DPADD+= ${LIBMP} ${LIBCRYPTO} ${LIBCRYPT} ${LIBIPSEC} ${LIBPAM}
LDADD+= -lmp -lcrypto -lcrypt -lipsec ${MINUSLPAM}
.endif


@ -21,7 +21,7 @@ LDADD= -lutil -lwrap
# XXX for src/release/picobsd
.if !defined(RELEASE_CRUNCH)
CFLAGS+= -DIPSEC
CFLAGS+= -DIPSEC -DFAST_IPSEC
DPADD+= ${LIBIPSEC}
LDADD+= -lipsec
.endif


@ -144,7 +144,7 @@ __FBSDID("$FreeBSD$");
#include "pathnames.h"
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#ifndef IPSEC_POLICY_IPSEC /* no ipsec support on old ipsec */
#undef IPSEC
#endif


@ -18,7 +18,7 @@ PROG= rrenumd
MAN= rrenumd.conf.5 rrenumd.8
SRCS= rrenumd.c parser.y lexer.l
CFLAGS+= -DIPSEC -I. -I${.CURDIR}
CFLAGS+= -DIPSEC -DFAST_IPSEC -I. -I${.CURDIR}
YFLAGS= -d
LDADD= -lipsec -ll -ly


@ -49,7 +49,7 @@
#include <arpa/inet.h>
#ifdef IPSEC
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#endif
#include <stdio.h>


@ -18,7 +18,7 @@ MAN= traceroute6.8
BINOWN= root
BINMODE= 4555
CFLAGS+= -DIPSEC -DUSE_RFC2292BIS -DHAVE_POLL
CFLAGS+= -DIPSEC -DFAST_IPSEC -DUSE_RFC2292BIS -DHAVE_POLL
DPADD= ${LIBIPSEC}
LDADD= -lipsec


@ -279,7 +279,7 @@ static const char rcsid[] =
#ifdef IPSEC
#include <net/route.h>
#include <netinet6/ipsec.h>
#include <netipsec/ipsec.h>
#endif
#define DUMMY_PORT 10010