Source-Changes-HG archive
[src/trunk]: src remove KAME IPSEC, replaced by FAST_IPSEC
details: https://anonhg.NetBSD.org/src/rev/0e862098b094
branches: trunk
changeset: 778344:0e862098b094
user: drochner <drochner%NetBSD.org@localhost>
date: Thu Mar 22 20:34:37 2012 +0000
description:
remove KAME IPSEC, replaced by FAST_IPSEC
diffstat:
sbin/mount_kernfs/mount_kernfs.8 | 20 +-
share/man/man4/Makefile | 4 +-
share/man/man4/fast_ipsec.4 | 3 +-
share/man/man4/ipsec.4 | 8 +-
share/man/man4/kame_ipsec.4 | 173 -
share/man/man4/options.4 | 17 +-
sys/conf/files | 3 +-
sys/dist/ipf/netinet/ip_fil_netbsd.c | 7 +-
sys/dist/pf/net/if_pfsync.c | 174 +-
sys/dist/pf/net/pf.c | 19 +-
sys/miscfs/kernfs/kernfs.h | 6 +-
sys/miscfs/kernfs/kernfs_subr.c | 63 +-
sys/miscfs/kernfs/kernfs_vnops.c | 382 +-
sys/netinet/in_pcb.c | 19 +-
sys/netinet/in_proto.c | 42 +-
sys/netinet/ip_icmp.c | 11 +-
sys/netinet/ip_input.c | 44 +-
sys/netinet/ip_mroute.c | 9 +-
sys/netinet/ip_output.c | 190 +-
sys/netinet/raw_ip.c | 13 +-
sys/netinet/tcp_input.c | 17 +-
sys/netinet/tcp_output.c | 21 +-
sys/netinet/tcp_subr.c | 11 +-
sys/netinet/tcp_usrreq.c | 8 +-
sys/netinet/udp_usrreq.c | 15 +-
sys/netinet6/ah.h | 109 -
sys/netinet6/ah_aesxcbcmac.c | 186 -
sys/netinet6/ah_aesxcbcmac.h | 43 -
sys/netinet6/ah_core.c | 1545 ------
sys/netinet6/ah_input.c | 1013 ----
sys/netinet6/ah_output.c | 585 --
sys/netinet6/esp.h | 120 -
sys/netinet6/esp_aesctr.c | 459 -
sys/netinet6/esp_aesctr.h | 45 -
sys/netinet6/esp_core.c | 1085 ----
sys/netinet6/esp_input.c | 1003 ----
sys/netinet6/esp_output.c | 735 --
sys/netinet6/esp_rijndael.c | 92 -
sys/netinet6/esp_rijndael.h | 44 -
sys/netinet6/files.ipsec | 27 -
sys/netinet6/icmp6.c | 11 +-
sys/netinet6/in6_pcb.c | 19 +-
sys/netinet6/in6_proto.c | 44 +-
sys/netinet6/ip6_forward.c | 235 +-
sys/netinet6/ip6_input.c | 39 +-
sys/netinet6/ip6_output.c | 200 +-
sys/netinet6/ipcomp.h | 78 -
sys/netinet6/ipcomp_core.c | 336 -
sys/netinet6/ipcomp_input.c | 384 -
sys/netinet6/ipcomp_output.c | 362 -
sys/netinet6/ipsec.c | 3837 ---------------
sys/netinet6/ipsec.h | 430 +-
sys/netinet6/ipsec_private.h | 50 -
sys/netinet6/nd6.c | 12 +-
sys/netinet6/nd6_nbr.c | 8 +-
sys/netinet6/raw_ip6.c | 29 +-
sys/netipsec/files.netipsec | 3 +-
sys/netkey/key.c | 8367 ----------------------------------
sys/netkey/key.h | 97 -
sys/netkey/key_debug.c | 838 ---
sys/netkey/key_debug.h | 88 -
sys/netkey/key_private.h | 46 -
sys/netkey/key_var.h | 84 -
sys/netkey/keydb.c | 251 -
sys/netkey/keydb.h | 180 -
sys/netkey/keysock.c | 475 -
sys/netkey/keysock.h | 62 +-
usr.bin/netstat/Makefile | 4 +-
usr.bin/netstat/fast_ipsec.c | 44 +-
usr.bin/netstat/ipsec.c | 233 -
usr.bin/netstat/main.c | 8 +-
usr.bin/netstat/netstat.h | 7 +-
72 files changed, 119 insertions(+), 25112 deletions(-)
diffs (truncated from 26773 to 300 lines):
diff -r 3bd00e3d6acb -r 0e862098b094 sbin/mount_kernfs/mount_kernfs.8
--- a/sbin/mount_kernfs/mount_kernfs.8 Thu Mar 22 20:01:18 2012 +0000
+++ b/sbin/mount_kernfs/mount_kernfs.8 Thu Mar 22 20:34:37 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: mount_kernfs.8,v 1.16 2005/01/31 05:19:19 erh Exp $
+.\" $NetBSD: mount_kernfs.8,v 1.17 2012/03/22 20:34:37 drochner Exp $
.\"
.\" Copyright (c) 1992, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
@@ -86,20 +86,6 @@
A trailing newline will be stripped from the hostname being written.
.It Pa hz
the frequency of the system clock (decimal ASCII).
-.It Pa ipsecsa
-the directory that contains IPsec security associations (SA) in
-.Dv PF_KEY
-format.
-Filenames are SPI in decimal number.
-The content of files can be inspected by using
-.Xr setkey 8 .
-.It Pa ipsecsp
-the directory that contains IPsec security policies in
-.Dv PF_KEY
-format.
-Filenames are security policy ID in decimal number.
-The content of files can be inspected by using
-.Xr setkey 8 .
.It Pa loadavg
the 1, 5 and 15 minute load average in kernel fixed-point format.
The final integer is the fix-point scaling factor.
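Review bot: The removed `ipsecsa` and `ipsecsp` entries are dropped with no replacement text, so the page no longer tells an administrator where SAs and security policies can be inspected. Anything that read those kernfs directories will find them gone after an upgrade; consider a short note that they were removed together with KAME IPSEC and that setkey(8), which the deleted lines already referenced, is the tool for dumping both databases.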
@@ -141,7 +127,6 @@
.Sh SEE ALSO
.Xr mount 2 ,
.Xr unmount 2 ,
-.Xr ipsec 4 ,
.Xr fstab 5 ,
.Xr dmesg 8 ,
.Xr mount 8 ,
@@ -154,6 +139,3 @@
.Bx 4.4 .
.Sh BUGS
This filesystem may not be NFS-exported.
-.Pp
-.Xr lkm 4
-version does not support IPsec-related files/directories.
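Review bot: None of the hunks for mount_kernfs.8 touches the `.Dd` line, although the page content changes in three places (the `ipsecsa`/`ipsecsp` entries, SEE ALSO, and this BUGS paragraph). The 20 changed lines in the diffstat are fully accounted for by the four visible hunks, so the document date should be bumped in this commit.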
diff -r 3bd00e3d6acb -r 0e862098b094 share/man/man4/Makefile
--- a/share/man/man4/Makefile Thu Mar 22 20:01:18 2012 +0000
+++ b/share/man/man4/Makefile Thu Mar 22 20:34:37 2012 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.581 2012/02/14 17:35:11 plunky Exp $
+# $NetBSD: Makefile,v 1.582 2012/03/22 20:34:38 drochner Exp $
# @(#)Makefile 8.1 (Berkeley) 6/18/93
MAN= aac.4 ac97.4 acardide.4 aceride.4 acphy.4 \
@@ -35,7 +35,7 @@
ioasic.4 ioat.4 iop.4 iophy.4 iopsp.4 ip.4 ipkdb.4 ipmi.4 ipw.4 \
irmce.4 iso.4 isp.4 isv.4 itesio.4 iteide.4 iwi.4 iwn.4 ixg.4 ixpide.4 \
jme.4 jmide.4 joy.4 \
- kame_ipsec.4 kloader.4 kse.4 ksyms.4 kttcp.4 \
+ kloader.4 kse.4 ksyms.4 kttcp.4 \
lc.4 ld.4 lii.4 lo.4 lxtphy.4 \
mainbus.4 makphy.4 mbe.4 mca.4 mcclock.4 md.4 mfb.4 mfi.4 mhzc.4 \
midi.4 mii.4 mk48txx.4 mlx.4 mly.4 mpls.4 mpt.4 mpu.4 mtd.4 \
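Review bot: Removing `kame_ipsec.4` from `MAN` here only stops new installs of the page; the diffstat lists no file under distrib/sets, so the page is not marked obsolete in the set lists and a copy installed by an earlier build would stay on upgraded systems, still describing `options KAME_IPSEC`. Add the obsolete entry for the man page in the same change.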
diff -r 3bd00e3d6acb -r 0e862098b094 share/man/man4/fast_ipsec.4
--- a/share/man/man4/fast_ipsec.4 Thu Mar 22 20:01:18 2012 +0000
+++ b/share/man/man4/fast_ipsec.4 Thu Mar 22 20:34:37 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: fast_ipsec.4,v 1.12 2012/01/23 00:03:08 wiz Exp $
+.\" $NetBSD: fast_ipsec.4,v 1.13 2012/03/22 20:34:38 drochner Exp $
.\" $FreeBSD: fast_ipsec.4,v 1.2 2003/03/03 11:51:30 ru Exp $
.\"
.\" Copyright (c) 2004
@@ -76,7 +76,6 @@
.Sh DIAGNOSTICS
To be added.
.Sh SEE ALSO
-.Xr kame_ipsec 4 ,
.Xr setkey 8 ,
.Xr sysctl 8 ,
.Xr opencrypto 9
diff -r 3bd00e3d6acb -r 0e862098b094 share/man/man4/ipsec.4
--- a/share/man/man4/ipsec.4 Thu Mar 22 20:01:18 2012 +0000
+++ b/share/man/man4/ipsec.4 Thu Mar 22 20:34:37 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: ipsec.4,v 1.37 2012/01/23 00:02:42 wiz Exp $
+.\" $NetBSD: ipsec.4,v 1.38 2012/03/22 20:34:38 drochner Exp $
.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
.\"
.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
@@ -76,11 +76,6 @@
Its specifics and kernel options are describes in the
.Xr fast_ipsec 4
manual page.
-The previous implementation is still supported for a transition
-period.
-See
-.Xr kame_ipsec 4
-for details.
.Ss Kernel interface
.Nm
is controlled by key management engine and policy engine,
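Review bot: The context line `Its specifics and kernel options are describes in the` directly above the removed sentence has a typo (`describes` for `described`); since this paragraph is being edited, fix it in the same hunk. The diffstat's 8 changed lines for ipsec.4 match the three visible hunks, so `.Dd` is not bumped here either.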
@@ -282,7 +277,6 @@
.Xr icmp6 4 ,
.Xr intro 4 ,
.Xr ip6 4 ,
-.Xr kame_ipsec 4 ,
.Xr racoon 8 ,
.Xr setkey 8 ,
.Xr sysctl 8
diff -r 3bd00e3d6acb -r 0e862098b094 share/man/man4/kame_ipsec.4
--- a/share/man/man4/kame_ipsec.4 Thu Mar 22 20:01:18 2012 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,173 +0,0 @@
-.\" $NetBSD: kame_ipsec.4,v 1.3 2012/01/17 08:20:58 wiz Exp $
-.\" $KAME: ipsec.4,v 1.17 2001/06/27 15:25:10 itojun Exp $
-.\"
-.\" Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of the project nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd January 16, 2012
-.Dt KAME_IPSEC 4
-.Os
-.Sh NAME
-.Nm ipsec
-.Nd IP security protocol
-.Sh SYNOPSIS
-.In sys/types.h
-.In netinet/in.h
-.In netinet6/ipsec.h
-.Pp
-.Cd options KAME_IPSEC
-.Cd options IPSEC_ESP
-.Cd options IPSEC_NAT_T
-.Cd options IPSEC_DEBUG
-.Sh DESCRIPTION
-.Nm
-is the first implemtation of IPSEC in
-.Nx .
-It is being replaced by
-.Xr fast_ipsec 4 .
-.Pp
-The following kernel options are available:
-.Bl -ohang
-.It Cd options IPSEC
-Includes support for the
-.Tn IPsec
-protocol.
-.Em IPSEC
-will enable
-secret key management part,
-policy management part,
-.Tn AH
-and
-.Tn IPComp .
-Kernel binary will not be subject to export control in most of countries,
-even if compiled with
-.Em IPSEC .
-For example, it should be okay to export it from the United States of America.
-.Em INET6
-and
-.Em IPSEC
-are orthogonal so you can get IPv4-only kernel with IPsec support,
-IPv4/v6 dual support kernel without IPsec, and so forth.
-This option requires
-.Em INET
-at this moment, but it should not.
-.It Cd options IPSEC_DEBUG
-Enables debugging code in
-.Tn IPsec
-stack.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_ESP
-Includes support for
-.Tn IPsec
-.Tn ESP
-protocol.
-.Em IPSEC_ESP
-will enable source code that is subject to export control in some countries
-.Pq including the United States ,
-and compiled kernel binary will be subject to certain restriction.
-This option assumes
-.Em IPSEC .
-.It Cd options IPSEC_NAT_T
-Includes support for
-.Tn IPsec
-Network Address Translator Traversal (NAT-T), as described in RFCs 3947
-and 3948.
-This feature might be patent-encumbered in some countries.
-This option assumes
-.Em IPSEC
-and
-.Em IPSEC_ESP .
-.El
-.\"
-.Sh SEE ALSO
-.Xr ioctl 2 ,
-.Xr socket 2 ,
-.Xr ipsec_set_policy 3 ,
-.Xr fast_ipsec 4 ,
-.Xr icmp6 4 ,
-.Xr intro 4 ,
-.Xr ip6 4 ,
-.Xr ipsec 4 ,
-.Xr racoon 8 ,
-.Xr setkey 8 ,
-.Xr sysctl 8
-.Sh STANDARDS
-.Rs
-.%A Daniel L. McDonald
-.%A Craig Metz
-.%A Bao G. Phan
-.%T "PF_KEY Key Management API, Version 2"
-.%R RFC
-.%N 2367
-.Re
-.Sh HISTORY
-The implementation described herein appeared in WIDE/KAME IPv6/IPsec stack.
-.Sh BUGS
-The IPsec support is subject to change as the IPsec protocols develop.
-.Pp
-There is no single standard for policy engine API,
-so the policy engine API described herein is just for KAME implementation.
-.Pp
-AH and tunnel mode encapsulation may not work as you might expect.
-If you configure inbound
-.Dq require
-policy against AH tunnel or any IPsec encapsulating policy with AH
-.Po
-like
-.Dq Li esp/tunnel/A-B/use ah/transport/A-B/require
-.Pc ,
-tunneled packets will be rejected.
-This is because we enforce policy check on inner packet on reception,
-and AH authenticates encapsulating
-.Pq outer
-packet, not the encapsulated
-.Pq inner
-packet
-.Po
-so for the receiving kernel there's no sign of authenticity
-.Pc .
-The issue will be solved when we revamp our policy engine to keep all the
-packet decapsulation history.
-.Pp
-Under certain condition,
-truncated result may be raised from the kernel
-against
-.Dv SADB_DUMP
-and
-.Dv SADB_SPDDUMP
-operation on
-.Dv PF_KEY
-socket.
-This occurs if there are too many database entries in the kernel
-and socket buffer for the
-.Dv PF_KEY
-socket is insufficient.
-If you manipulate many IPsec key/policy database entries,
-increase the size of socket buffer or use
-.Xr sysctl 8
-interface.
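Review bot: The BUGS section at the end of this deleted page documents two operational caveats (tunneled packets rejected under an inbound `require` policy with AH, and truncated `SADB_DUMP`/`SADB_SPDDUMP` results when the `PF_KEY` socket buffer is too small), and no visible hunk moves that text anywhere. Confirm that ipsec.4 still carries whichever of these also apply to FAST_IPSEC; a truncated dump in particular means an audit of the SA or policy database can silently miss entries, so that paragraph should not disappear with the page.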
diff -r 3bd00e3d6acb -r 0e862098b094 share/man/man4/options.4
--- a/share/man/man4/options.4 Thu Mar 22 20:01:18 2012 +0000
+++ b/share/man/man4/options.4 Thu Mar 22 20:34:37 2012 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: options.4,v 1.414 2012/03/21 15:38:32 jakllsch Exp $
+.\" $NetBSD: options.4,v 1.415 2012/03/22 20:34:38 drochner Exp $
.\"
.\" Copyright (c) 1996
.\" Perry E. Metzger. All rights reserved.
@@ -1659,13 +1659,6 @@
(This option is an alias for the
.Cd FAST_IPSEC
option described below.)
-.It Cd options KAME_IPSEC