From: Attilio Rao
To: freebsd-net@freebsd.org
Cc: "Bjoern A. Zeeb", Ed Maste
Date: Tue, 19 Apr 2011 12:08:47 -0400
Subject: [PATCH] Add MD5 signature checking for incoming packets

The patch at:
http://www.freebsd.org/~attilio/Sandvine/STABLE_8/tcp_signature/tcp_signature.diff

- Enable the md5 signature checking for incoming packets, when both
  enabled in the kernel and desired by the socket
- Spit out an error when the option TCP_SIGNATURE is enabled and IPSEC
  option is not (KPI usage problem, leading to just compiler error, in
  the current code)

Some notes:
- As suggested by bz@, I named the functions tcp_fields_to_net() and
  tcp_fields_to_host() just following the NetBSD's names
- I add the statistic anyway to the tcpstats in order to avoid ABI
  breakage between kernel and modules/userland. Anyway it seems that
  tcpstats is not a member of any structure, so probably having them as
  last step could still make it conditional. I'm not entirely sure on
  what is the desired effect here, so I just included anyway, but I'm
  ready to change if someone makes a valid point

The patch has been already reviewed by emaste and bz and tested for
years on SVOS.

Please cc me for answers as I'm not really subscribed to -net@.

Thanks,
Attilio

-- 
Peace can only be achieved by understanding - A. Einstein