Date: Tue, 7 Feb 2017 01:33:39 +0000 (UTC) From: Ngie Cooper <ngie@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r313361 - in projects/netbsd-tests-upstream-01-2017: . bin/ed contrib/netcat etc lib/libipsec lib/libstand sbin/ifconfig sbin/kldload sbin/setkey secure/usr.bin secure/usr.bin/bdes shar... Message-ID: <201702070133.v171XdHq091162@repo.freebsd.org>
Author: ngie Date: Tue Feb 7 01:33:39 2017 New Revision: 313361 URL: https://svnweb.freebsd.org/changeset/base/313361 Log: MFhead@r313360 Added: projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c - copied unchanged from r313360, head/sbin/ifconfig/ifipsec.c projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4 - copied unchanged from r313360, head/share/man/man4/if_ipsec.4 projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_notif_wait.c - copied unchanged from r313360, head/sys/dev/iwm/if_iwm_notif_wait.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_notif_wait.h - copied unchanged from r313360, head/sys/dev/iwm/if_iwm_notif_wait.h projects/netbsd-tests-upstream-01-2017/sys/modules/ipsec/ - copied from r313360, head/sys/modules/ipsec/ projects/netbsd-tests-upstream-01-2017/sys/modules/tcp/tcpmd5/ - copied from r313360, head/sys/modules/tcp/tcpmd5/ projects/netbsd-tests-upstream-01-2017/sys/net/if_ipsec.c - copied unchanged from r313360, head/sys/net/if_ipsec.c projects/netbsd-tests-upstream-01-2017/sys/net/if_ipsec.h - copied unchanged from r313360, head/sys/net/if_ipsec.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_mod.c - copied unchanged from r313360, head/sys/netipsec/ipsec_mod.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_pcb.c - copied unchanged from r313360, head/sys/netipsec/ipsec_pcb.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_support.h - copied unchanged from r313360, head/sys/netipsec/ipsec_support.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/subr_ipsec.c - copied unchanged from r313360, head/sys/netipsec/subr_ipsec.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/udpencap.c - copied unchanged from r313360, head/sys/netipsec/udpencap.c Deleted: projects/netbsd-tests-upstream-01-2017/secure/usr.bin/bdes/ projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_ipsec.c projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_ipsec.h 
projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_ipsec.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_ipsec.h Modified: projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c projects/netbsd-tests-upstream-01-2017/etc/devd.conf projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4 projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_syscall.h projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_syscalls.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_sysent.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_systrace_args.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/syscalls.master projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_dummy.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_proto.h projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_syscall.h projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_syscalls.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_sysent.c 
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/linux32_systrace_args.c projects/netbsd-tests-upstream-01-2017/sys/amd64/linux32/syscalls.master projects/netbsd-tests-upstream-01-2017/sys/arm/arm/identcpu-v4.c projects/netbsd-tests-upstream-01-2017/sys/arm/include/counter.h projects/netbsd-tests-upstream-01-2017/sys/arm64/arm64/cpufunc_asm.S projects/netbsd-tests-upstream-01-2017/sys/arm64/include/counter.h projects/netbsd-tests-upstream-01-2017/sys/arm64/include/cpufunc.h projects/netbsd-tests-upstream-01-2017/sys/boot/common/bcache.c projects/netbsd-tests-upstream-01-2017/sys/boot/common/bootstrap.h projects/netbsd-tests-upstream-01-2017/sys/boot/common/disk.c projects/netbsd-tests-upstream-01-2017/sys/boot/common/part.c projects/netbsd-tests-upstream-01-2017/sys/boot/common/part.h projects/netbsd-tests-upstream-01-2017/sys/boot/efi/include/efilib.h projects/netbsd-tests-upstream-01-2017/sys/boot/efi/libefi/devpath.c projects/netbsd-tests-upstream-01-2017/sys/boot/efi/libefi/efipart.c projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/conf.c projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/devicename.c projects/netbsd-tests-upstream-01-2017/sys/boot/efi/loader/main.c projects/netbsd-tests-upstream-01-2017/sys/boot/i386/btx/lib/btxv86.h projects/netbsd-tests-upstream-01-2017/sys/boot/i386/libi386/bioscd.c projects/netbsd-tests-upstream-01-2017/sys/boot/i386/libi386/biosdisk.c projects/netbsd-tests-upstream-01-2017/sys/boot/usb/storage/umass_loader.c projects/netbsd-tests-upstream-01-2017/sys/boot/zfs/zfs.c projects/netbsd-tests-upstream-01-2017/sys/cddl/contrib/opensolaris/uts/common/dtrace/dtrace_xoroshiro128_plus.h projects/netbsd-tests-upstream-01-2017/sys/compat/cloudabi/cloudabi_mem.c projects/netbsd-tests-upstream-01-2017/sys/compat/freebsd32/freebsd32_misc.c projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_file.c projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_misc.c 
projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_mmap.c projects/netbsd-tests-upstream-01-2017/sys/compat/linux/linux_socket.h projects/netbsd-tests-upstream-01-2017/sys/conf/NOTES projects/netbsd-tests-upstream-01-2017/sys/conf/files projects/netbsd-tests-upstream-01-2017/sys/conf/files.amd64 projects/netbsd-tests-upstream-01-2017/sys/conf/files.arm projects/netbsd-tests-upstream-01-2017/sys/conf/files.arm64 projects/netbsd-tests-upstream-01-2017/sys/conf/files.i386 projects/netbsd-tests-upstream-01-2017/sys/conf/files.mips projects/netbsd-tests-upstream-01-2017/sys/conf/files.powerpc projects/netbsd-tests-upstream-01-2017/sys/conf/files.riscv projects/netbsd-tests-upstream-01-2017/sys/conf/files.sparc64 projects/netbsd-tests-upstream-01-2017/sys/conf/kern.opts.mk projects/netbsd-tests-upstream-01-2017/sys/conf/options projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/t4_main.c projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_connect.c projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_listen.c projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_tom.c projects/netbsd-tests-upstream-01-2017/sys/dev/cxgbe/tom/t4_tom.h projects/netbsd-tests-upstream-01-2017/sys/dev/gxemul/disk/gxemul_disk.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_mac_ctxt.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_pcie_trans.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_ctxt.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_db.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_phy_db.h projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_scan.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_util.c projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwm_util.h projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwmreg.h projects/netbsd-tests-upstream-01-2017/sys/dev/iwm/if_iwmvar.h 
projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/uftdi.c projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/usb_serial.c projects/netbsd-tests-upstream-01-2017/sys/dev/usb/serial/usb_serial.h projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_dummy.c projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_proto.h projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_syscall.h projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_syscalls.c projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_sysent.c projects/netbsd-tests-upstream-01-2017/sys/i386/linux/linux_systrace_args.c projects/netbsd-tests-upstream-01-2017/sys/i386/linux/syscalls.master projects/netbsd-tests-upstream-01-2017/sys/kern/kern_cpuset.c projects/netbsd-tests-upstream-01-2017/sys/kern/kern_mutex.c projects/netbsd-tests-upstream-01-2017/sys/kern/kern_rwlock.c projects/netbsd-tests-upstream-01-2017/sys/kern/kern_sx.c projects/netbsd-tests-upstream-01-2017/sys/kern/subr_intr.c projects/netbsd-tests-upstream-01-2017/sys/kern/vfs_mountroot.c projects/netbsd-tests-upstream-01-2017/sys/kern/vfs_subr.c projects/netbsd-tests-upstream-01-2017/sys/mips/include/atomic.h projects/netbsd-tests-upstream-01-2017/sys/modules/Makefile projects/netbsd-tests-upstream-01-2017/sys/modules/iwm/Makefile projects/netbsd-tests-upstream-01-2017/sys/net/pfkeyv2.h projects/netbsd-tests-upstream-01-2017/sys/netinet/in_pcb.c projects/netbsd-tests-upstream-01-2017/sys/netinet/in_proto.c projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_input.c projects/netbsd-tests-upstream-01-2017/sys/netinet/ip_output.c projects/netbsd-tests-upstream-01-2017/sys/netinet/raw_ip.c projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_input.c projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_os_bsd.h projects/netbsd-tests-upstream-01-2017/sys/netinet/sctp_pcb.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_input.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_output.c 
projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_stacks/fastpath.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_subr.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_syncache.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_usrreq.c projects/netbsd-tests-upstream-01-2017/sys/netinet/tcp_var.h projects/netbsd-tests-upstream-01-2017/sys/netinet/udp.h projects/netbsd-tests-upstream-01-2017/sys/netinet/udp_usrreq.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/in6.h projects/netbsd-tests-upstream-01-2017/sys/netinet6/in6_proto.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_forward.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_input.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/ip6_output.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/raw_ip6.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/sctp6_usrreq.c projects/netbsd-tests-upstream-01-2017/sys/netinet6/udp6_usrreq.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec6.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_input.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_mbuf.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/ipsec_output.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/key.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/key.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/key_debug.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/key_debug.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/keydb.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/keysock.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform.h projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_ah.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_esp.c projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_ipcomp.c 
projects/netbsd-tests-upstream-01-2017/sys/netipsec/xform_tcp.c projects/netbsd-tests-upstream-01-2017/sys/netpfil/ipfw/dn_heap.h projects/netbsd-tests-upstream-01-2017/sys/sys/lockstat.h projects/netbsd-tests-upstream-01-2017/sys/sys/mutex.h projects/netbsd-tests-upstream-01-2017/sys/sys/rwlock.h projects/netbsd-tests-upstream-01-2017/sys/sys/sdt.h projects/netbsd-tests-upstream-01-2017/sys/sys/sx.h projects/netbsd-tests-upstream-01-2017/sys/sys/syscallsubr.h projects/netbsd-tests-upstream-01-2017/sys/vm/vm_extern.h projects/netbsd-tests-upstream-01-2017/sys/vm/vm_mmap.c projects/netbsd-tests-upstream-01-2017/tools/tools/nanobsd/embedded/common projects/netbsd-tests-upstream-01-2017/usr.bin/Makefile projects/netbsd-tests-upstream-01-2017/usr.bin/enigma/enigma.1 projects/netbsd-tests-upstream-01-2017/usr.bin/gzip/unxz.c projects/netbsd-tests-upstream-01-2017/usr.bin/netstat/inet.c projects/netbsd-tests-upstream-01-2017/usr.bin/sed/main.c projects/netbsd-tests-upstream-01-2017/usr.sbin/syslogd/syslogd.c Directory Properties: projects/netbsd-tests-upstream-01-2017/ (props changed) projects/netbsd-tests-upstream-01-2017/contrib/netcat/ (props changed) projects/netbsd-tests-upstream-01-2017/sys/cddl/contrib/opensolaris/ (props changed) Modified: projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc ============================================================================== --- projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/ObsoleteFiles.inc Tue Feb 7 01:33:39 2017 (r313361) 
@@ -38,6 +38,13 @@ # xargs -n1 | sort | uniq -d; # done +# 20170206: remove bdes(1) +OLD_FILES+=usr/bin/bdes +OLD_FILES+=usr/lib/debug/usr/bin/bdes.debug +OLD_FILES+=usr/share/man/man1/bdes.1.gz +# 20170206: merged projects/ipsec +OLD_FILES+=usr/include/netinet/ip_ipsec.h +OLD_FILES+=usr/include/netinet6/ip6_ipsec.h # 20170128: remove pc98 support OLD_FILES+=usr/include/dev/ic/i8251.h OLD_FILES+=usr/include/dev/ic/i8255.h Modified: projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 ============================================================================== --- projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/bin/ed/ed.1 Tue Feb 7 01:33:39 2017 (r313361) @@ -1,5 +1,5 @@ .\" $FreeBSD$ -.Dd October 2, 2016 +.Dd February 5, 2017 .Dt ED 1 .Os .Sh NAME @@ -871,9 +871,6 @@ writes. If a newline alone is entered as the key, then encryption is turned off. Otherwise, echoing is disabled while a key is read. -Encryption/decryption is done using the -.Xr bdes 1 -algorithm. .It Pf (.+1)z n Scroll .Ar n @@ -962,7 +959,6 @@ results in an error. If the command is entered a second time, it succeeds, but any changes to the buffer are lost. .Sh SEE ALSO -.Xr bdes 1 , .Xr sed 1 , .Xr sh 1 , .Xr vi 1 , Modified: projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c ============================================================================== --- projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/contrib/netcat/netcat.c Tue Feb 7 01:33:39 2017 (r313361) @@ -131,7 +131,7 @@ ssize_t drainbuf(int, unsigned char *, s ssize_t fillbuf(int, unsigned char *, size_t *); #ifdef IPSEC -void add_ipsec_policy(int, char *); +void add_ipsec_policy(int, int, char *); char *ipsec_policy[2]; #endif 
@@ -642,12 +642,6 @@ remote_connect(const char *host, const c if ((s = socket(res0->ai_family, res0->ai_socktype, res0->ai_protocol)) < 0) continue; -#ifdef IPSEC - if (ipsec_policy[0] != NULL) - add_ipsec_policy(s, ipsec_policy[0]); - if (ipsec_policy[1] != NULL) - add_ipsec_policy(s, ipsec_policy[1]); -#endif if (rtableid >= 0 && (setsockopt(s, SOL_SOCKET, SO_SETFIB, &rtableid, sizeof(rtableid)) == -1)) @@ -765,12 +759,7 @@ local_listen(char *host, char *port, str ret = setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &x, sizeof(x)); if (ret == -1) err(1, NULL); -#ifdef IPSEC - if (ipsec_policy[0] != NULL) - add_ipsec_policy(s, ipsec_policy[0]); - if (ipsec_policy[1] != NULL) - add_ipsec_policy(s, ipsec_policy[1]); -#endif + if (FreeBSD_Oflag) { if (setsockopt(s, IPPROTO_TCP, TCP_NOOPT, &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1) @@ -1235,6 +1224,12 @@ set_common_sockopts(int s, int af) &FreeBSD_Oflag, sizeof(FreeBSD_Oflag)) == -1) err(1, "disable TCP options"); } +#ifdef IPSEC + if (ipsec_policy[0] != NULL) + add_ipsec_policy(s, af, ipsec_policy[0]); + if (ipsec_policy[1] != NULL) + add_ipsec_policy(s, af, ipsec_policy[1]); +#endif } int @@ -1360,7 +1355,7 @@ help(void) #ifdef IPSEC void -add_ipsec_policy(int s, char *policy) +add_ipsec_policy(int s, int af, char *policy) { char *raw; int e; 
@@ -1369,8 +1364,12 @@ add_ipsec_policy(int s, char *policy)
 if (raw == NULL)
 errx(1, "ipsec_set_policy `%s': %s", policy,
 ipsec_strerror());
- e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
- ipsec_get_policylen(raw));
+ if (af == AF_INET)
+ e = setsockopt(s, IPPROTO_IP, IP_IPSEC_POLICY, raw,
+ ipsec_get_policylen(raw));
+ if (af == AF_INET6)
+ e = setsockopt(s, IPPROTO_IPV6, IPV6_IPSEC_POLICY, raw,
+ ipsec_get_policylen(raw));
 if (e < 0)
 err(1, "ipsec policy cannot be configured");
 free(raw);
Modified: projects/netbsd-tests-upstream-01-2017/etc/devd.conf
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/etc/devd.conf Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/etc/devd.conf Tue Feb 7 01:33:39 2017 (r313361)
@@ -272,7 +272,7 @@ nomatch 10 {
 match "bus" "pccard[0-9]+";
 match "manufacturer" "0x1234";
 match "product" "0x2323";
- action "kldload if_deqna";
+ action "kldload -n if_deqna";
 };
 attach 10 {
 device-name "deqna[0-9]+";
Modified: projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey.c Tue Feb 7 01:33:39 2017 (r313361)
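Review bot: `e` is read at `if (e < 0)` but is only assigned inside the two `if (af == ...)` branches, and the preceding hunk declares it as a bare `int e;`, so for any address family other than AF_INET/AF_INET6 the comparison reads an indeterminate value — the requested IPsec policy may then be silently skipped while the caller presumably goes on using the socket, or err() fires with a stale errno. Make the second test `else if (af == AF_INET6)` and add `else errx(1, "ipsec policy: unsupported address family %d", af);` so an unsupported family fails closed instead of leaving the socket without the policy the user asked for. The function's closing brace lies beyond the hunk.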
@@ -1776,21 +1776,17 @@ pfkey_align(msg, mhp)
 case SADB_EXT_SPIRANGE:
 case SADB_X_EXT_POLICY:
 case SADB_X_EXT_SA2:
- case SADB_X_EXT_SA_REPLAY:
- mhp[ext->sadb_ext_type] = (caddr_t)ext;
- break;
 case SADB_X_EXT_NAT_T_TYPE:
 case SADB_X_EXT_NAT_T_SPORT:
 case SADB_X_EXT_NAT_T_DPORT:
- /* case SADB_X_EXT_NAT_T_OA: is OAI */
 case SADB_X_EXT_NAT_T_OAI:
 case SADB_X_EXT_NAT_T_OAR:
 case SADB_X_EXT_NAT_T_FRAG:
- if (feature_present("ipsec_natt")) {
- mhp[ext->sadb_ext_type] = (caddr_t)ext;
- break;
- }
- /* FALLTHROUGH */
+ case SADB_X_EXT_SA_REPLAY:
+ case SADB_X_EXT_NEW_ADDRESS_SRC:
+ case SADB_X_EXT_NEW_ADDRESS_DST:
+ mhp[ext->sadb_ext_type] = (caddr_t)ext;
+ break;
 default:
 __ipsec_errcode = EIPSEC_INVAL_EXTTYPE;
 return -1;
Modified: projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/lib/libipsec/pfkey_dump.c Tue Feb 7 01:33:39 2017 (r313361)
@@ -220,6 +220,9 @@ pfkey_sadump(m)
 struct sadb_ident *m_sid, *m_did;
 struct sadb_sens *m_sens;
 struct sadb_x_sa_replay *m_sa_replay;
+ struct sadb_x_nat_t_type *natt_type;
+ struct sadb_x_nat_t_port *natt_sport, *natt_dport;
+ struct sadb_address *natt_oai, *natt_oar;

 /* check pfkey message. */
 if (pfkey_align(m, mhp)) {
@@ -245,33 +248,46 @@ pfkey_sadump(m) m_did = (struct sadb_ident *)mhp[SADB_EXT_IDENTITY_DST]; m_sens = (struct sadb_sens *)mhp[SADB_EXT_SENSITIVITY]; m_sa_replay = (struct sadb_x_sa_replay *)mhp[SADB_X_EXT_SA_REPLAY]; + natt_type = (struct sadb_x_nat_t_type *)mhp[SADB_X_EXT_NAT_T_TYPE]; + natt_sport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_SPORT]; + natt_dport = (struct sadb_x_nat_t_port *)mhp[SADB_X_EXT_NAT_T_DPORT]; + natt_oai = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAI]; + natt_oar = (struct sadb_address *)mhp[SADB_X_EXT_NAT_T_OAR]; + /* source address */ if (m_saddr == NULL) { printf("no ADDRESS_SRC extension.\n"); return; } - printf("%s ", str_ipaddr((struct sockaddr *)(m_saddr + 1))); + printf("%s", str_ipaddr((struct sockaddr *)(m_saddr + 1))); + if (natt_type != NULL && natt_sport != NULL) + printf("[%u]", ntohs(natt_sport->sadb_x_nat_t_port_port)); /* destination address */ if (m_daddr == NULL) { - printf("no ADDRESS_DST extension.\n"); + printf("\nno ADDRESS_DST extension.\n"); return; } - printf("%s ", str_ipaddr((struct sockaddr *)(m_daddr + 1))); + printf(" %s", str_ipaddr((struct sockaddr *)(m_daddr + 1))); + if (natt_type != NULL && natt_dport != NULL) + printf("[%u]", ntohs(natt_dport->sadb_x_nat_t_port_port)); /* SA type */ if (m_sa == NULL) { - printf("no SA extension.\n"); + printf("\nno SA extension.\n"); return; } if (m_sa2 == NULL) { - printf("no SA2 extension.\n"); + printf("\nno SA2 extension.\n"); return; } printf("\n\t"); - GETMSGSTR(str_satype, m->sadb_msg_satype); + if (m->sadb_msg_satype == SADB_SATYPE_ESP && natt_type != NULL) + printf("esp-udp "); + else + GETMSGSTR(str_satype, m->sadb_msg_satype); printf("mode="); GETMSGSTR(str_mode, m_sa2->sadb_x_sa2_mode); 
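Review bot: The first output line of an SA dump changes shape in this hunk — the source address loses its trailing space, each address may gain a `[port]` suffix, the destination now carries a leading space, and an `esp-udp` label replaces the satype string when a NAT-T type extension is present — but neither this hunk nor the setkey.8 hunk later in the commit records the new layout. If this is what `setkey -D` prints, which is what I would expect from libipsec but have not confirmed here, anything that tokenizes that line on whitespace now sees different fields. The `esp-udp` choice also keys on the mere presence of `natt_type` rather than on its type value; if the kernel can ever emit that extension with a "no NAT-T" value, the label would be wrong — worth confirming against the kernel side of this merge. Suggest a comment above `/* source address */` such as `/* line 1: "src[sport] dst[dport]"; line 2: satype (esp-udp for ESP with NAT-T), mode, spi, reqid */`, plus a matching sentence in setkey.8.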
@@ -282,6 +298,18 @@ pfkey_sadump(m) (u_int32_t)m_sa2->sadb_x_sa2_reqid, (u_int32_t)m_sa2->sadb_x_sa2_reqid); + /* other NAT-T information */ + if (natt_type != NULL && (natt_oai != NULL || natt_oar != NULL)) { + printf("\tNAT:"); + if (natt_oai != NULL) + printf(" OAI=%s", + str_ipaddr((struct sockaddr *)(natt_oai + 1))); + if (natt_oar != NULL) + printf(" OAR=%s", + str_ipaddr((struct sockaddr *)(natt_oar + 1))); + printf("\n"); + } + /* encryption key */ if (m->sadb_msg_satype == SADB_X_SATYPE_IPCOMP) { printf("\tC: "); Modified: projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h ============================================================================== --- projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/lib/libstand/stand.h Tue Feb 7 01:33:39 2017 (r313361) @@ -168,6 +168,7 @@ struct devdesc #define DEVT_NET 2 #define DEVT_CD 3 #define DEVT_ZFS 4 +#define DEVT_FD 5 int d_unit; void *d_opendata; }; Modified: projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile ============================================================================== --- projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/Makefile Tue Feb 7 01:33:39 2017 (r313361) @@ -34,6 +34,7 @@ SRCS+= ifvlan.c # SIOC[GS]ETVLAN suppor SRCS+= ifvxlan.c # VXLAN support SRCS+= ifgre.c # GRE keys etc SRCS+= ifgif.c # GIF reversed header workaround +SRCS+= ifipsec.c # IPsec VTI SRCS+= sfp.c # SFP/SFP+ information LIBADD+= m Copied: projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c (from r313360, head/sbin/ifconfig/ifipsec.c) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/netbsd-tests-upstream-01-2017/sbin/ifconfig/ifipsec.c Tue Feb 7 01:33:39 2017 (r313361, copy of r313360, head/sbin/ifconfig/ifipsec.c) 
@@ -0,0 +1,101 @@ +/*- + * Copyright (c) 2016 Yandex LLC + * Copyright (c) 2016 Andrey V. Elsukov <ae@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/param.h> +#include <sys/ioctl.h> +#include <sys/socket.h> +#include <sys/sockio.h> +#include <sys/stdint.h> + +#include <stdlib.h> +#include <unistd.h> + +#include <net/ethernet.h> +#include <net/if.h> +#include <net/if_ipsec.h> +#include <net/route.h> + +#include <ctype.h> +#include <stdio.h> +#include <string.h> +#include <err.h> +#include <errno.h> + +#include "ifconfig.h" + +static void +ipsec_status(int s) +{ + uint32_t reqid; + + ifr.ifr_data = (caddr_t)&reqid; + if (ioctl(s, IPSECGREQID, &ifr) == -1) + return; + printf("\treqid: %u\n", reqid); +} + +static +DECL_CMD_FUNC(setreqid, val, arg) +{ + char *ep; + uint32_t v; + + v = strtoul(val, &ep, 0); + if (*ep != '\0') { + warn("Invalid reqid value %s", val); + return; + } + ifr.ifr_data = (char *)&v; + if (ioctl(s, IPSECSREQID, &ifr) == -1) { + warn("ioctl(IPSECSREQID)"); + return; + } +} + +static struct cmd ipsec_cmds[] = { + DEF_CMD_ARG("reqid", setreqid), +}; + +static struct afswtch af_ipsec = { + .af_name = "af_ipsec", + .af_af = AF_UNSPEC, + .af_other_status = ipsec_status, +}; + +static __constructor void +ipsec_ctor(void) +{ + size_t i; + + for (i = 0; i < nitems(ipsec_cmds); i++) + cmd_register(&ipsec_cmds[i]); + af_register(&af_ipsec); +#undef N +} Modified: projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c ============================================================================== --- projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/sbin/kldload/kldload.c Tue Feb 7 01:33:39 2017 (r313361) @@ -41,9 +41,6 @@ __FBSDID("$FreeBSD$"); #define PATHCTL "kern.module_path" -static int path_check(const char *, int); -static void usage(void); - /* * Check to see if the requested module is specified as a filename with no * path. If so and if a file by the same name exists in the module path, 
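Review bot: `setreqid` accepts malformed input: an empty `val` passes the `*ep != '\0'` check because `ep == val`, an out-of-range number is never detected since `errno` is not tested for `ERANGE`, and the `unsigned long` returned by `strtoul` is silently truncated when stored into `uint32_t v` on LP64 targets, so a reqid the administrator did not intend can be installed on the interface. `warn()` additionally appends `strerror(errno)` to a message that is not about a failed call; `warnx()` is the right function there. The stray `#undef N` at the end of `ipsec_ctor` has no matching definition anywhere in this file and should be dropped. Parse into an `unsigned long`, validate, then narrow:
```c
static
DECL_CMD_FUNC(setreqid, val, arg)
{
	char *ep;
	unsigned long v;
	uint32_t reqid;

	errno = 0;
	v = strtoul(val, &ep, 0);
	/* reject empty input, trailing junk, overflow, and values wider than the kernel's uint32_t reqid */
	if (ep == val || *ep != '\0' || errno == ERANGE || v > UINT32_MAX) {
		warnx("Invalid reqid value %s", val);
		return;
	}
	reqid = (uint32_t)v;
	ifr.ifr_data = (char *)&reqid;
	/* … unchanged: ioctl(IPSECSREQID) and its warn() on failure … */
```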
@@ -52,43 +49,37 @@ static void usage(void); static int path_check(const char *kldname, int quiet) { - int mib[5], found; - size_t miblen, pathlen; - char kldpath[MAXPATHLEN]; char *path, *tmppath, *element; struct stat sb; + int mib[5]; + char kldpath[MAXPATHLEN]; + size_t miblen, pathlen; dev_t dev; ino_t ino; + int found; - if (strchr(kldname, '/') != NULL) { + if (strchr(kldname, '/') != NULL) return (0); - } - if (strstr(kldname, ".ko") == NULL) { + if (strstr(kldname, ".ko") == NULL) return (0); - } - if (stat(kldname, &sb) != 0) { + if (stat(kldname, &sb) != 0) return (0); - } found = 0; dev = sb.st_dev; ino = sb.st_ino; miblen = nitems(mib); - if (sysctlnametomib(PATHCTL, mib, &miblen) != 0) { + if (sysctlnametomib(PATHCTL, mib, &miblen) != 0) err(1, "sysctlnametomib(%s)", PATHCTL); - } - if (sysctl(mib, miblen, NULL, &pathlen, NULL, 0) == -1) { + if (sysctl(mib, miblen, NULL, &pathlen, NULL, 0) == -1) err(1, "getting path: sysctl(%s) - size only", PATHCTL); - } path = malloc(pathlen + 1); - if (path == NULL) { + if (path == NULL) err(1, "allocating %lu bytes for the path", (unsigned long)pathlen + 1); - } - if (sysctl(mib, miblen, path, &pathlen, NULL, 0) == -1) { + if (sysctl(mib, miblen, path, &pathlen, NULL, 0) == -1) err(1, "getting path: sysctl(%s)", PATHCTL); - } tmppath = path; while ((element = strsep(&tmppath, ";")) != NULL) { 
@@ -97,39 +88,36 @@ path_check(const char *kldname, int quie strlcat(kldpath, "/", MAXPATHLEN); } strlcat(kldpath, kldname, MAXPATHLEN); - - if (stat(kldpath, &sb) == -1) { + + if (stat(kldpath, &sb) == -1) continue; - } found = 1; if (sb.st_dev != dev || sb.st_ino != ino) { - if (!quiet) { + if (!quiet) warnx("%s will be loaded from %s, not the " "current directory", kldname, element); - } break; - } else if (sb.st_dev == dev && sb.st_ino == ino) { + } else if (sb.st_dev == dev && sb.st_ino == ino) break; - } } free(path); - + if (!found) { - if (!quiet) { + if (!quiet) warnx("%s is not in the module path", kldname); - } return (-1); } - + return (0); } static void usage(void) { + fprintf(stderr, "usage: kldload [-nqv] file ...\n"); exit(1); } @@ -138,17 +126,17 @@ int main(int argc, char** argv) { int c; + int check_loaded; int errors; int fileid; - int verbose; int quiet; - int check_loaded; + int verbose; errors = 0; verbose = 0; quiet = 0; check_loaded = 0; - + while ((c = getopt(argc, argv, "nqv")) != -1) { switch (c) { case 'q': @@ -204,9 +192,8 @@ main(int argc, char** argv) printf("Loaded %s, id=%d\n", argv[0], fileid); } - } else { + } else errors++; - } argv++; } Modified: projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 ============================================================================== --- projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/sbin/setkey/setkey.8 Tue Feb 7 01:33:39 2017 (r313361) @@ -29,7 +29,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 3, 2016 +.Dd February 6, 2017 .Dt SETKEY 8 .Os .\" 
@@ -270,8 +270,6 @@ must be a decimal number, or a hexadecim prefix. SPI values between 0 and 255 are reserved for future use by IANA and they cannot be used. -TCP-MD5 associations must use 0x1000 and therefore only have per-host -granularity at this time. .\" .Pp .It Ar extensions Modified: projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile ============================================================================== --- projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/secure/usr.bin/Makefile Tue Feb 7 01:33:39 2017 (r313361) @@ -4,7 +4,7 @@ SUBDIR= .if ${MK_OPENSSL} != "no" -SUBDIR+=bdes openssl +SUBDIR+=openssl .if ${MK_OPENSSH} != "no" SUBDIR+=scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan .endif Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile ============================================================================== --- projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/share/man/man4/Makefile Tue Feb 7 01:33:39 2017 (r313361) @@ -201,6 +201,7 @@ MAN= aac.4 \ icmp.4 \ icmp6.4 \ ida.4 \ + if_ipsec.4 \ ifmib.4 \ ig4.4 \ igb.4 \ Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 ============================================================================== --- projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/share/man/man4/cxgbe.4 Tue Feb 7 01:33:39 2017 (r313361) 
@@ -167,6 +167,10 @@ Tunables can be set at the .Xr loader 8 prompt before booting the kernel or stored in .Xr loader.conf 5 . +There are multiple tunables that control the number of queues of various +types. +A negative value for such a tunable instructs the driver to create +up to that many queues if there are enough CPU cores available. .Bl -tag -width indent .It Va hw.cxgbe.ntxq10g Number of tx queues used for a 10Gb or higher-speed port. Copied: projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4 (from r313360, head/share/man/man4/if_ipsec.4) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/netbsd-tests-upstream-01-2017/share/man/man4/if_ipsec.4 Tue Feb 7 01:33:39 2017 (r313361, copy of r313360, head/share/man/man4/if_ipsec.4) 
@@ -0,0 +1,141 @@
+.\" Copyright (c) 2017 Andrey V. Elsukov <ae@FreeBSD.org>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 6, 2017
+.Dt if_ipsec 4
+.Os
+.Sh NAME
+.Nm if_ipsec
+.Nd IPsec virtual tunneling interface
+.Sh SYNOPSIS
+The
+.Cm if_ipsec
+network interface is a part of the
+.Fx
+IPsec implementation.
+To compile it into the kernel, place this line in the kernel
+configuration file:
+.Bd -ragged -offset indent
+.Cd "options IPSEC"
+.Ed
+.Pp
+It can also be loaded as part of the
+.Cm ipsec
+kernel module if the kernel was compiled with
+.Bd -ragged -offset indent
+.Cd "options IPSEC_SUPPORT"
+.Ed
+.Sh DESCRIPTION
+The
+.Nm
+network interface is targeted for creating route-based VPNs.
+It can tunnel IPv4 and IPv6 traffic over either IPv4 or IPv6 and secure
+it with ESP.
+.Pp
+.Nm
+interfaces are dynamically created and destroyed with the
+.Xr ifconfig 8
+.Cm create
+and
+.Cm destroy
+subcommands.
+The administrator must configure IPsec
+.Cm tunnel
+endpoint addresses.
+These addresses will be used for the outer IP header of ESP packets.
+The administrator can also configure the protocol and addresses for the inner
+IP header with
+.Xr ifconfig 8 ,
+and modify the routing table to route the packets through the
+.Nm
+interface.
+.Pp
+When the
+.Nm
+interface is configured, it automatically creates special security policies.
+These policies can be used to acquire security associations from the IKE daemon,
+which are needed for establishing an IPsec tunnel.
+It is also possible to create needed security associations manually with the
+.Xr setkey 8
+utility.
+.Pp
+Each
+.Nm
+interface has an additional numeric configuration option
+.Cm reqid Ar id .
+This
+.Ar id
+is used to distinguish traffic and security policies between several
+.Nm
+interfaces.
+The
+.Cm reqid
+can be specified on interface creation and changed later.
+If not specified, it is automatically assigned.
+Note that changing
+.Cm reqid
+will lead to generation of new security policies, and this
+may require creating new security associations.
+.Sh EXAMPLES
+The example below shows manual configuration of an IPsec tunnel
+between two FreeBSD hosts.
+Host A has the IP address 192.168.0.3, and host B has the IP address
+192.168.0.5.
+.Pp
+On host A:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 100
+ifconfig ipsec0 inet tunnel 192.168.0.3 192.168.0.5
+ifconfig ipsec0 inet 172.16.0.3/16 172.16.0.5
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 100 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+On host B:
+.Bd -literal -offset indent
+ifconfig ipsec0 create reqid 200
+ifconfig ipsec0 inet tunnel 192.168.0.5 192.168.0.3
+ifconfig ipsec0 inet 172.16.0.5/16 172.16.0.3
+setkey -c
+add 192.168.0.3 192.168.0.5 esp 10000 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!1";
+add 192.168.0.5 192.168.0.3 esp 10001 -m tunnel -u 200 -E rijndael-cbc "VerySecureKey!!2";
+^D
+.Ed
+.Pp
+Note the value 100 on host A and value 200 on host B are used as reqid.
+The same value must be used as identifier of the policy entry in the
+.Xr setkey 8
+command.
+.Sh SEE ALSO
+.Xr gif 4 ,
+.Xr gre 4 ,
+.Xr ipsec 4 ,
+.Xr ifconfig 8 ,
+.Xr setkey 8
+.Sh AUTHORS
+.An Andrey V. Elsukov Aq Mt ae@FreeBSD.org
Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4
==============================================================================
--- projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4 Tue Feb 7 01:28:55 2017 (r313360)
+++ projects/netbsd-tests-upstream-01-2017/share/man/man4/ipsec.4 Tue Feb 7 01:33:39 2017 (r313361)
@@ -29,7 +29,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd November 29, 2009
+.Dd February 6, 2017
 .Dt IPSEC 4
 .Os
 .Sh NAME
@@ -37,6 +37,7 @@
 .Nd Internet Protocol Security protocol
 .Sh SYNOPSIS
 .Cd "options IPSEC"
+.Cd "options IPSEC_SUPPORT"
 .Cd "device crypto"
 .Pp
 .In sys/types.h
@@ -151,6 +152,16 @@ Refer to .Xr setkey 8 on how to use it. .Pp +Depending on the socket's address family, IPPROTO_IP or IPPROTO_IPV6 +transport level and IP_IPSEC_POLICY or IPV6_IPSEC_POLICY socket options +may be used to configure per-socket security policies. +A properly-formed IPsec policy specification structure can be +created using +.Xr ipsec_set_policy 3 +function and used as socket option value for the +.Xr setsockopt 2 +call. +.Pp When setting policies using the .Xr setkey 8 command, the @@ -228,6 +239,8 @@ for tweaking the kernel's IPsec behavior .It "net.inet.ipsec.dfbit integer yes" .It "net.inet.ipsec.ecn integer yes" .It "net.inet.ipsec.debug integer yes" +.It "net.inet.ipsec.natt_cksum_policy integer yes" +.It "net.inet.ipsec.check_policy_history integer yes" .It "net.inet6.ipsec6.ecn integer yes" .It "net.inet6.ipsec6.debug integer yes" .El 
@@ -270,6 +283,23 @@ talks more about the behavior. .It Li ipsec.debug If set to non-zero, debug messages will be generated via .Xr syslog 3 . +.It Li ipsec.natt_cksum_policy +Controls how the kernel handles TCP and UDP checksums when ESP in UDP +encapsulation is used for IPsec transport mode. +If set to a non-zero value, the kernel fully recomputes checksums for +inbound TCP segments and UDP datagrams after they are decapsulated and +decrypted. +If set to 0 and original addresses were configured for corresponding SA +by the IKE daemon, the kernel incrementally recomputes checksums for +inbound TCP segments and UDP datagrams. +If addresses were not configured, the checksums are ignored. +.It Li ipsec.check_policy_history +Enables strict policy checking for inbound packets. +By default, inbound security policies check that packets handled by IPsec +have been decrypted and authenticated. +If this variable is set to a non-zero value, each packet handled by IPsec +is checked against the history of IPsec security associations. +The IPsec security protocol, mode, and SA addresses must match. .El .Pp Variables under the @@ -305,6 +335,7 @@ routines from looking into the IP payloa .Xr ipsec_set_policy 3 , .Xr crypto 4 , .Xr enc 4 , +.Xr if_ipsec 4 , .Xr icmp6 4 , .Xr intro 4 , .Xr ip6 4 , Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 ============================================================================== --- projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/share/man/man4/tcp.4 Tue Feb 7 01:33:39 2017 (r313361) @@ -34,7 +34,7 @@ .\" From: @(#)tcp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd Jan 29, 2017 +.Dd February 6, 2017 .Dt TCP 4 .Os .Sh NAME 
@@ -272,33 +272,27 @@ or the internal send buffer is filled. This option enables the use of MD5 digests (also known as TCP-MD5) on writes to the specified socket. Outgoing traffic is digested; -digests on incoming traffic are verified if the -.Va net.inet.tcp.signature_verify_input -sysctl is nonzero. -The current default behavior for the system is to respond to a system -advertising this option with TCP-MD5; this may change. +digests on incoming traffic are verified. +When this option is enabled on a socket, all inbound and outgoing +TCP segments must be signed with MD5 digests. .Pp One common use for this in a .Fx router deployment is to enable based routers to interwork with Cisco equipment at peering points. Support for this feature conforms to RFC 2385. -Only IPv4 -.Pq Dv AF_INET -sessions are supported. .Pp In order for this option to function correctly, it is necessary for the administrator to add a tcp-md5 key entry to the system's security associations database (SADB) using the .Xr setkey 8 utility. -This entry must have an SPI of 0x1000 and can therefore only be specified -on a per-host basis at this time. +This entry can only be specified on a per-host basis at this time. .Pp -If an SADB entry cannot be found for the destination, the outgoing traffic -will have an invalid digest option prepended, and the following error message -will be visible on the system console: -.Em "tcp_signature_compute: SADB lookup failed for %d.%d.%d.%d" . +If an SADB entry cannot be found for the destination, +the system does not send any outgoing segments and drops any inbound segments. +.Pp +Each dropped segment is taken into account in the TCP protocol statistics. 
.El .Pp The option level for the Modified: projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 ============================================================================== --- projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/share/man/man4/udp.4 Tue Feb 7 01:33:39 2017 (r313361) @@ -28,7 +28,7 @@ .\" @(#)udp.4 8.1 (Berkeley) 6/5/93 .\" $FreeBSD$ .\" -.Dd June 5, 1993 +.Dd February 6, 2017 .Dt UDP 4 .Os .Sh NAME @@ -99,6 +99,17 @@ transport level may be used with .Tn UDP ; see .Xr ip 4 . +.Tn UDP_ENCAP +socket option may be used at the +.Tn IPPROTO_UDP +level to encapsulate +.Tn ESP +packets in +.Tn UDP . +Only one value is supported for this option: +.Tn UDP_ENCAP_ESPINUDP +from RFC 3948, defined in +.In netinet/udp.h . .Sh MIB VARIABLES The .Nm @@ -158,7 +169,8 @@ exists. .Xr blackhole 4 , .Xr inet 4 , .Xr intro 4 , -.Xr ip 4 +.Xr ip 4 , +.Xr udplite 4 .Sh HISTORY The .Nm Modified: projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c ============================================================================== --- projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_dummy.c Tue Feb 7 01:33:39 2017 (r313361) 
@@ -82,41 +82,86 @@ DUMMY(mq_timedreceive);
 DUMMY(mq_notify);
 DUMMY(mq_getsetattr);
 DUMMY(kexec_load);
+/* linux 2.6.11: */
 DUMMY(add_key);
 DUMMY(request_key);
 DUMMY(keyctl);
+/* linux 2.6.13: */
 DUMMY(ioprio_set);
 DUMMY(ioprio_get);
 DUMMY(inotify_init);
 DUMMY(inotify_add_watch);
 DUMMY(inotify_rm_watch);
+/* linux 2.6.16: */
 DUMMY(migrate_pages);
 DUMMY(unshare);
+/* linux 2.6.17: */
 DUMMY(splice);
 DUMMY(tee);
 DUMMY(sync_file_range);
 DUMMY(vmsplice);
+/* linux 2.6.18: */
 DUMMY(move_pages);
+/* linux 2.6.22: */
 DUMMY(signalfd);
-DUMMY(timerfd);
+DUMMY(timerfd_create);
+/* linux 2.6.25: */
 DUMMY(timerfd_settime);
 DUMMY(timerfd_gettime);
+/* linux 2.6.27: */
 DUMMY(signalfd4);
 DUMMY(inotify_init1);
+/* linux 2.6.30: */
 DUMMY(preadv);
 DUMMY(pwritev);
-DUMMY(rt_tsigqueueinfo);
+/* linux 2.6.31: */
+DUMMY(rt_tgsigqueueinfo);
 DUMMY(perf_event_open);
+/* linux 2.6.38: */
 DUMMY(fanotify_init);
 DUMMY(fanotify_mark);
+/* linux 2.6.39: */
 DUMMY(name_to_handle_at);
 DUMMY(open_by_handle_at);
 DUMMY(clock_adjtime);
+/* linux 3.0: */
 DUMMY(setns);
+DUMMY(getcpu);
+/* linux 3.2: */
 DUMMY(process_vm_readv);
 DUMMY(process_vm_writev);
+/* linux 3.5: */
 DUMMY(kcmp);
+/* linux 3.8: */
 DUMMY(finit_module);
+DUMMY(sched_setattr);
+DUMMY(sched_getattr);
+/* linux 3.14: */
+DUMMY(renameat2);
+/* linux 3.15: */
+DUMMY(seccomp);
+DUMMY(getrandom);
+DUMMY(memfd_create);
+DUMMY(kexec_file_load);
+/* linux 3.18: */
+DUMMY(bpf);
+/* linux 3.19: */
+DUMMY(execveat);
+/* linux 4.2: */
+DUMMY(userfaultfd);
+/* linux 4.3: */
+DUMMY(membarrier);
+/* linux 4.4: */
+DUMMY(mlock2);
+/* linux 4.5: */
+DUMMY(copy_file_range);
+/* linux 4.6: */
+DUMMY(preadv2);
+DUMMY(pwritev2);
+/* linux 4.8: */
+DUMMY(pkey_mprotect);
+DUMMY(pkey_alloc);
+DUMMY(pkey_free);
 
 #define DUMMY_XATTR(s) \
 int \
Modified: projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h ============================================================================== --- 
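Review bot: `DUMMY(seccomp)`, `DUMMY(getrandom)` and `DUMMY(bpf)` in the 3.15/3.18 groups stub out syscalls whose failure a Linux binary may treat as a security regression rather than a missing feature: a sandbox that ignores seccomp()'s return value runs unconfined, and a caller that ignores getrandom()'s return value uses an unfilled buffer. The DUMMY macro is defined above this hunk, so the errno these stubs produce is not visible here; several userland runtimes fall back to /dev/urandom for getrandom() only when the error is exactly ENOSYS, so it is worth confirming that is what the macro returns. Suggest a comment above `DUMMY(seccomp);`, e.g. `/* XXX seccomp/getrandom/bpf are security-relevant: the stub must fail with ENOSYS so userland falls back or aborts instead of silently continuing unsandboxed or with no entropy. */`.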
projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h Tue Feb 7 01:28:55 2017 (r313360) +++ projects/netbsd-tests-upstream-01-2017/sys/amd64/linux/linux_proto.h Tue Feb 7 01:33:39 2017 (r313361) @@ -3,7 +3,7 @@ * * DO NOT EDIT-- this file is automatically generated. * $FreeBSD$ - * created from FreeBSD: head/sys/amd64/linux/syscalls.master 302515 2016-07-10 08:15:50Z dchagin + * created from FreeBSD: head/sys/amd64/linux/syscalls.master 313284 2017-02-05 14:17:09Z dchagin */ #ifndef _LINUX_SYSPROTO_H_ @@ -1000,7 +1000,7 @@ struct linux_epoll_pwait_args { struct linux_signalfd_args { register_t dummy; }; -struct linux_timerfd_args { +struct linux_timerfd_create_args { register_t dummy; }; struct linux_eventfd_args { @@ -1044,16 +1044,27 @@ struct linux_pipe2_args { char flags_l_[PADL_(l_int)]; l_int flags; char flags_r_[PADR_(l_int)]; }; struct linux_inotify_init1_args { - register_t dummy; + char flags_l_[PADL_(l_int)]; l_int flags; char flags_r_[PADR_(l_int)]; }; struct linux_preadv_args { - register_t dummy; *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***