Date: Fri, 17 Dec 1999 03:05:27 +0900
From: Yoshinobu Inoue <shin@nd.net.fujitsu.co.jp>
To: freebsd-arch@freebsd.org, cvs-committers@freebsd.org
Subject: Re: [Solicite review for KAME 5th patch]
Message-ID: <19991217030527N.shin@nd.net.fujitsu.co.jp>
In-Reply-To: <19991212223550M.shin@nd.net.fujitsu.co.jp>
References: <19991212040532I.shin@nd.net.fujitsu.co.jp> <19991212094142.F32274@daemon.ninth-circle.org> <19991212223550M.shin@nd.net.fujitsu.co.jp>
Hi,

5th KAME patch is updated, as below.

http://paradise.kame.net/v6proxy/diana2/shin/work/freebsd/kernel-ipsec.19991217

Changes from previous version:

-IPSEC patch is completed, and small changes are added to dummynet.
 dummynet seems to be working after this patch, as far as I tried
 the sample configuration written in 'man dummynet'.

-IPV6 FW is temporarily removed.

Important points are (which I noticed), (Sorry for long explanations)

-netinet *_input routines prototype is changed, and ipprotosw.h is
 added for the purpose. This is necessary for chained protocol header
 support in IPSEC and IPV6. An alternative is to change
 sys/net/protosw.h, but it affects other protocol stacks.

-KAME IPSEC uses the sending mbuf's m_pkthdr.rcvif to keep a pointer to
 the socket, and it conflicts with IPFW etc. in ip_output(). This is
 necessary to support IPSEC over socket communications, because their
 IPSEC related information is attached to their sockets, and the IP
 layer would like to see it.
 So I added a new flag IP_SOCKINMRCVIF which is passed to ip_output()
 as one of the 'flags' arg's bits. Only when this is set in
 ip_output()'s 'flags' arg, the sending mbuf's m_pkthdr.rcvif is a
 pointer to the socket. It is saved into 'so' at the top of
 ip_output(), and then m_pkthdr.rcvif is NULL cleared. This should be
 safe, because a sending packet doesn't have a received interface.
 An alternative is increasing ip_output() arguments, but ip_output()
 is called from many places, so it affects much.
 IP_SOCKINMRCVIF only needs to be specified by the transport layer
 which wants to use IPSEC.
 Also as this change, now 'flags' info needs to be kept over the
 dummynet queue. So I added 'flags' info to the dn_pkt structure. And
 it is specified as the 'flags' arg in ip_output() from dn_move(). Now
 dn_dst (which was specified via the 'flags' arg from dn_move()) is not
 passed as an argument, but as a member of dn_pkt in the 1st mbuf.
 These changes seem to be working in my environment, but please review
 whether it is the best way or not.

-sys/netkey is completely replaced with a PF_KEY Version 2 based one.
 So the patches are not human readable. As this change,
 usr.sbin/keyadmin will become not buildable. Instead, a PF_KEY
 Version 2 based 'setkey' command will be added.

And also, please let me commit KAME 4th patches. (IPv6 specific
functions in libc/net) Which only affect coming IPv6 related apps, and
I think it is most effectively confirmed with those apps.

Yoshinobu Inoue
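The rcvif convention discussed in the mail, as an added illustration that is not KAME's or FreeBSD's code: with constructed struct layouts and a constructed flag value it models why the socket pointer is taken out and m_pkthdr.rcvif cleared at the top of ip_output() only when IP_SOCKINMRCVIF is set, and why dn_pkt has to carry 'flags' across the dummynet queue so firewall code never reads a socket where it expects an interface.

```c
/* Added illustration, not KAME or FreeBSD code: a stand-alone model of the
 * IP_SOCKINMRCVIF convention described in the mail. All struct layouts,
 * function bodies and the flag's numeric value are constructed here. */
#include <stddef.h>
#define IP_SOCKINMRCVIF 0x100   /* constructed value, not the patch's */

struct ifnet  { const char *if_name; };
struct socket { int has_ipsec_policy; };

/* Minimal mbuf stand-in: rcvif normally names the receiving interface; under
 * the convention a *sending* mbuf may temporarily carry a socket pointer. */
struct mbuf { void *rcvif; };

/* dummynet queue entry: carries 'flags' so a packet re-injected from
 * dn_move() reaches ip_output() with the same convention it was queued with. */
struct dn_pkt { struct mbuf *dn_m; int flags; };

/* Model of the top of ip_output(): the socket pointer is taken out only when
 * the flag says it is there, and rcvif is cleared at once so later consumers
 * (firewall, dummynet) never read a socket where they expect an interface.
 * Returns 1 if an IPsec policy was found on the socket, else 0. */
static int ip_output_model(struct mbuf *m, int flags, const struct ifnet **fw_saw)
{
    struct socket *so = NULL;
    if (flags & IP_SOCKINMRCVIF) {
        so = (struct socket *)m->rcvif;
        m->rcvif = NULL;        /* a packet being sent has no receive interface */
    }
    *fw_saw = (const struct ifnet *)m->rcvif;   /* what firewall code would see */
    return (so != NULL && so->has_ipsec_policy) ? 1 : 0;
}

/* Model of dn_move(): re-inject with the flags saved in the queue entry. */
static int dn_move_model(struct dn_pkt *p, const struct ifnet **fw_saw)
{
    return ip_output_model(p->dn_m, p->flags, fw_saw);
}

/* Constructed scenario: a socket with an IPsec policy sends one packet whose
 * rcvif holds the socket pointer, optionally through the dummynet queue.
 * Result bits: 1 = policy found, 2 = firewall saw a bogus non-NULL "interface". */
int scenario(int flags, int via_dummynet)
{
    struct socket so = { 1 };
    struct mbuf m = { &so };
    struct dn_pkt p = { &m, flags };
    const struct ifnet *fw_saw = NULL;
    int found = via_dummynet ? dn_move_model(&p, &fw_saw)
                             : ip_output_model(&m, flags, &fw_saw);
    return (found ? 1 : 0) | (fw_saw != NULL ? 2 : 0);
}
```

Without the flag the same packet yields result 2: no policy is found and the firewall path sees the socket pointer as if it were an interface, which is the conflict the flag exists to prevent.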