From: Yoshinobu Inoue
To: freebsd-arch@freebsd.org, cvs-committers@freebsd.org
Subject: Re: [Solicite review for KAME 5th patch]
Date: Fri, 17 Dec 1999 03:05:27 +0900
Message-Id: <19991217030527N.shin@nd.net.fujitsu.co.jp>
In-Reply-To: <19991212223550M.shin@nd.net.fujitsu.co.jp>
References: <19991212040532I.shin@nd.net.fujitsu.co.jp> <19991212094142.F32274@daemon.ninth-circle.org> <19991212223550M.shin@nd.net.fujitsu.co.jp>

Hi,

5th KAME patch is updated, as below.

http://paradise.kame.net/v6proxy/diana2/shin/work/freebsd/kernel-ipsec.19991217

Changes from previous version:

- IPSEC patch is completed, and small changes are added to dummynet.
  dummynet seems to be working after this patch, as far as I tried the
  sample configuration written in 'man dummynet'.

- IPV6 FW is temporarily removed.

Important points are (which I noticed):
(Sorry for long explanations)

- netinet *_input routines prototype is changed, and ipprotosw.h is added
  for the purpose. This is necessary for chained protocol header support
  in IPSEC and IPV6. An alternative is to change sys/net/protosw.h, but it
  affects other protocol stacks.

- KAME IPSEC uses the sending mbuf's m_pkthdr.rcvif to keep a pointer to
  the socket, and it conflicts with IPFW etc. in ip_output(). This is
  necessary to support IPSEC over socket communications, because their
  IPSEC related information is attached to their sockets, and the IP layer
  would like to see it.

  So I added a new flag IP_SOCKINMRCVIF, which is passed to ip_output() as
  one of the 'flags' arg's bits. Only when this is set in ip_output()'s
  'flags' arg, the sending mbuf's m_pkthdr.rcvif is a pointer to the
  socket. It is saved into 'so' at the top of ip_output(), and then
  m_pkthdr.rcvif is NULL cleared. This should be safe, because a sending
  packet doesn't have a received interface.

  An alternative is increasing ip_output() arguments, but ip_output() is
  called from many places, so it affects much.

  IP_SOCKINMRCVIF only needs to be specified by a transport layer that
  wants to use IPSEC.

  Also, with this change, 'flags' info now needs to be kept over the
  dummynet queue. So I added 'flags' info to the dn_pkt structure, and it
  is specified as the 'flags' arg in ip_output() from dn_move(). Now
  dn_dst (which was specified via the 'flags' arg from dn_move()) is not
  passed as an argument, but as a member of dn_pkt in the 1st mbuf.

  These changes seem to be working in my environment, but please review
  whether it is the best way or not.

- sys/netkey is completely replaced with a PF_KEY Version 2 based one. So
  the patches are not human readable. With this change,
  usr.sbin/keyadmin will become not buildable. Instead, a PF_KEY Version 2
  based 'setkey' command will be added.

And also, please let me commit KAME 4th patches (IPv6 specific functions
in libc/net), which only affect coming IPv6 related apps, and I think it
is most effectively confirmed with those apps.

Yoshinobu Inoue
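
A simplified user-space model of the rcvif/IP_SOCKINMRCVIF convention described in the message above, added here as an illustration and not taken from the KAME patch or the FreeBSD tree. The struct layouts, the function names ip_output_model, dn_enqueue and dn_move_model, and the numeric flag value are assumptions made for the model.

```c
#include <stdio.h>
#include <stddef.h>

#define IP_SOCKINMRCVIF 0x100   /* constructed value for this model */

struct ifnet  { int if_index; };
struct socket { int so_policy; };        /* stand-in for per-socket IPSEC info */
struct mbuf   { void *rcvif; };          /* models m_pkthdr.rcvif */
struct dn_pkt { struct mbuf *m; int flags; };  /* 'flags' kept over the queue */

/* Top of a modelled ip_output(): rcvif is a socket pointer only when the
 * caller set IP_SOCKINMRCVIF; it is saved into 'so' and then cleared so no
 * later code can read it as an interface pointer. */
struct socket *ip_output_model(struct mbuf *m, int flags)
{
    struct socket *so = NULL;

    if (flags & IP_SOCKINMRCVIF) {
        so = (struct socket *)m->rcvif;
        m->rcvif = NULL;
    }
    return so;
}

/* Queue a packet, recording the caller's flags beside it. */
void dn_enqueue(struct dn_pkt *pkt, struct mbuf *m, int flags)
{
    pkt->m = m;
    pkt->flags = flags;
}

/* Modelled dn_move(): replay the saved flags so the meaning of rcvif
 * survives the delay in the queue. */
struct socket *dn_move_model(struct dn_pkt *pkt)
{
    return ip_output_model(pkt->m, pkt->flags);
}

int main(void)
{
    struct socket s = { 7 };
    struct mbuf m = { &s };
    struct dn_pkt q;

    dn_enqueue(&q, &m, IP_SOCKINMRCVIF);
    struct socket *so = dn_move_model(&q);
    printf("socket recovered: %d, rcvif cleared: %d\n", so == &s, m.rcvif == NULL);
    return 0;
}
```

If the queue dropped the flag, the modelled ip_output() would return no socket and leave a socket pointer sitting in a field that other code reads as an interface pointer, which is the case the saved 'flags' member prevents.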