Home | History | Annotate | Download | only in net
History log of /src/sys/net/if_ipsec.c
RevisionDateAuthorComments
 1.36  10-Feb-2024  andvar Fix various typos in comments, log messages and documentation.
 1.35  26-Sep-2023  knakahara branches: 1.35.4;
Use unit id instead of if_index to reduce fixed_reqid space.
 1.34  11-Oct-2022  knakahara branches: 1.34.2;
Add sadb_x_policy_flags to inform SP origination.

This extension(struct sadb_x_policy) is *not* defined by RFC2367.

OpenBSD does not have reserved fields in struct sadb_x_policy.
Linux does not use this field yet.
FreeBSD uses this field as "sadb_x_policy_scope"; the value range is
from 0x00 to 0x04.

We use from most significant bit to avoid the above usage.
 1.33  06-Oct-2022  knakahara Fix overflow case detected by clang. Pointed out by wsh@IIJ, thanks.
 1.32  30-Sep-2022  knakahara ipsecif(4) can use fixed SP reqid based on ifindex, that can reduce number of reqid.

If we want to use fixed SP reqid for ipsecif(4), set
net.ipsecif.use_fixed_reqid=1 Default(=0) is the same as before.
net.ipsecif.use_fixed_reqid can be changed only if there is no ipsecif(4) yet.

If we want to change the range of ipseif(4) SP reqid,
set net.ipsecif.reqid_base and net.ipsecif.reqid_last.
These can also be changed only if there is no ipsecif(4) yet.
 1.31  11-Oct-2021  knakahara Make pktq_rps_hash() pluggable for each interface type. Reviewed by gdt@n.o, thorpej@n.o, and riastradh@n.o, thanks.
 1.30  14-Oct-2020  roy ipsecif: Set the link state UP if we have a tunnel, otherwise DOWN.
 1.29  13-Mar-2020  knakahara reduce unnecessary reqid of NAT-T ipsecif(4), suggested by ohishi@IIJ.
 1.28  10-Mar-2020  knakahara Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ.

"setkey -x" output is the following.
 1.27  01-Feb-2020  riastradh Fix order in rollback case; switch if_ipsec to atomic_load/store_*.
 1.26  29-Jan-2020  thorpej Adopt <net/if_stats.h>.
 1.25  01-Nov-2019  knakahara branches: 1.25.2;
Make global and per-interface ipsecif(4) pmtu tunable like gif(4).

And make hop limit tunable same as gif(4).

See http://mail-index.netbsd.org/source-changes/2019/10/30/msg110426.html
 1.24  19-Sep-2019  knakahara Avoid having a rtcache directly in a percpu storage for tunnel protocols.

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users. If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.
A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing. Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@
 1.23  13-Sep-2019  msaitoh if_flags is neither int nor short. It's unsigned short.
 1.22  25-Jun-2019  msaitoh branches: 1.22.2;
Simplify "LIST_HEAD();" to make the code more understandable.
No functional change.
 1.21  14-Mar-2019  knakahara Fix ipsecif(4) memory leak in some ioctl cases.
 1.20  26-Dec-2018  knakahara Remove unnecessary addresses in PF_KEY message.

MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
 1.19  07-Dec-2018  knakahara ipsecif(4) support input drop packet counter.
 1.18  19-Oct-2018  knakahara Fix panic when doing ioctl to multiple pseudo interfaces. Pointed out by k-goda@IIJ.

XXX pullup-8
 1.17  26-Jun-2018  msaitoh branches: 1.17.2;
Implement the BPF direction filter (BIOC[GS]DIRECTION). It provides backward
compatibility with BIOC[GS]SEESENT ioctl. The userland interface is the same
as FreeBSD.

This change also fixes a bug that the direction is misunderstand on some
environment by passing the direction to bpf_mtap*() instead of checking
m->m_pkthdr.rcvif.
 1.16  29-May-2018  knakahara Reviewd by ohishi@IIJ. Sorry, I jumped the gun and committed.

Fix the following two issues.
- remove extra padding of sizeof(xisr) when adding ipsec policy
- add padding for xpl when adding discard policy
 1.15  29-May-2018  knakahara Fix panic when ipsecif(4) adds discard policy. Pointed out by ohishi@IIJ, thanks.
 1.14  24-May-2018  knakahara ipsecif(4) must not set port number to spidx even if NAT-T. Pointed out by ohishi@IIJ, thanks.
 1.13  27-Apr-2018  knakahara Fix LOCKDEBUG kernel panic when many(about 200) tunnel interfaces is created.

The tunnel interfaces are gif(4), l2tp(4), and ipsecif(4). They use mutex
itself in percpu area. When percpu_cpu_enlarge() run, the address of the
mutex in percpu area becomes different from the address which lockdebug
saved. That can cause "already initialized" false detection.
 1.12  27-Apr-2018  knakahara Fix "how" argument of MGET(). Pointed out by maxv@n.o, thanks.

MGET() does not have M_ZERO flag, so add memset when it is required.
 1.11  06-Apr-2018  knakahara Fix unexpected failure when ipsecif(4) over IPv6 is changed port number only.

Here is an example of the operation which causes this problem.
# ifconfig ipsec0 create link0
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
 1.10  06-Apr-2018  knakahara fix ipsecif(4) stack overflow.

XXX pullup-8
 1.9  06-Apr-2018  knakahara fix ipsecif(4) unmatch curlwp_bind.

XXX pullup-8
 1.8  06-Apr-2018  knakahara fix ipsec(4) encap_lock leak.

XXX pullup-8
 1.7  13-Mar-2018  knakahara Fix IPv6 ipsecif(4) ATF regression, sorry.

There must *not* be padding between the src sockaddr and the dst sockaddr
after struct sadb_x_policy.
 1.6  09-Mar-2018  knakahara Functionalize duplicated code. No functional changes.
 1.5  09-Mar-2018  knakahara Fix missing sadb_x_ipsecrequest informations for PF_KEY message.
 1.4  09-Mar-2018  knakahara NAT-T src and dst port in ipsec_variant should be network byte order.
 1.3  31-Jan-2018  mrg branches: 1.3.2; 1.3.4;
apply a little more #ifdef INET/INET6. fixes !INET6 builds.
 1.2  15-Jan-2018  knakahara Fix PR kern/52920. Pointed out by David Binderman, thanks.
 1.1  10-Jan-2018  knakahara add ipsec(4) interface, which is used for route-based VPN.

man and ATF are added later, please see man for details.

reviewed by christos@n.o, joerg@n.o and ozaki-r@n.o, thanks.
https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html
 1.3.4.8  18-Jan-2019  pgoyette Synch with HEAD
 1.3.4.7  26-Dec-2018  pgoyette Sync with HEAD, resolve a few conflicts
 1.3.4.6  20-Oct-2018  pgoyette Sync with head
 1.3.4.5  28-Jul-2018  pgoyette Sync with HEAD
 1.3.4.4  25-Jun-2018  pgoyette Sync with HEAD
 1.3.4.3  02-May-2018  pgoyette Synch with HEAD
 1.3.4.2  07-Apr-2018  pgoyette Sync with HEAD. 77 conflicts resolved - all of them $NetBSD$
 1.3.4.1  15-Mar-2018  pgoyette Synch with HEAD
 1.3.2.13  13-Mar-2020  martin Pull up following revision(s) (requested by knakahara in ticket #1520):

sys/netipsec/key.c: revision 1.271
sys/net/if_ipsec.c: revision 1.28
sys/net/if_ipsec.c: revision 1.29

Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ.

"setkey -x" output is the following.
 1.3.2.12  24-Sep-2019  martin Pull up following revision(s) (requested by knakahara in ticket #1385):

sys/net/if.c 1.461
sys/net/if.h 1.277
sys/net/if_gif.c 1.149
sys/net/if_gif.h 1.33
sys/net/if_ipsec.c 1.19,1.20,1.24
sys/net/if_ipsec.h 1.5
sys/net/if_l2tp.c 1.33,1.36-1.39
sys/net/if_l2tp.h 1.7,1.8
sys/net/route.c 1.220,1.221
sys/net/route.h 1.125
sys/netinet/in_gif.c 1.95
sys/netinet/in_l2tp.c 1.17
sys/netinet/ip_input.c 1.391,1.392
sys/netinet/wqinput.c 1.6
sys/netinet6/in6_gif.c 1.94
sys/netinet6/in6_l2tp.c 1.18
sys/netinet6/ip6_forward.c 1.97
sys/netinet6/ip6_input.c 1.210,1.211
sys/netipsec/ipsec_output.c 1.82,1.83 (patched)
sys/netipsec/ipsecif.c 1.12,1.13,1.15,1.17 (patched)
sys/netipsec/key.c 1.259,1.260

ipsecif(4) support input drop packet counter.

ipsecif(4) should not increment drop counter by errors not related to if_snd. Pointed out by ozaki-r@n.o, thanks.
Remove unnecessary addresses in PF_KEY message.

MOBIKE Extensions for PF_KEY draft-schilcher-mobike-pfkey-extension-01.txt says
 1.3.2.11  15-Mar-2019  martin Pull up following revision(s) (requested by knakahara in ticket #1216):

sys/net/if_ipsec.c: revision 1.21

Fix ipsecif(4) memory leak in some ioctl cases.
 1.3.2.10  21-Oct-2018  martin Pull up following revision(s) (requested by knakahara in ticket #1066):

sys/net/if_vlan.c: revision 1.133
sys/net/if_gif.h: revision 1.32
sys/net/if_ipsec.c: revision 1.18
sys/net/if_ipsec.h: revision 1.4
sys/net/if_gif.c: revision 1.144
sys/net/if_l2tp.h: revision 1.6
sys/net/if_l2tp.c: revision 1.30

Fix panic when doing ioctl to multiple pseudo interfaces. Pointed out by k-goda@IIJ.

XXX pullup-8
 1.3.2.9  07-Jun-2018  martin Pull up following revision(s) (requested by knakahara in ticket #840):

sys/net/if_ipsec.c: revision 1.15,1.16

Fix panic when ipsecif(4) adds discard policy. Pointed out by ohishi@IIJ, thanks.
Reviewd by ohishi@IIJ. Sorry, I jumped the gun and committed.

Fix the following two issues.
- remove extra padding of sizeof(xisr) when adding ipsec policy
- add padding for xpl when adding discard policy
 1.3.2.8  07-Jun-2018  martin Pull up following revision(s) (requested by knakahara in ticket #839):

sys/net/if_ipsec.c: revision 1.14

ipsecif(4) must not set port number to spidx even if NAT-T. Pointed out by ohishi@IIJ, thanks.
 1.3.2.7  17-May-2018  martin Pull up following revision(s) (requested by knakahara in ticket #829):

sys/net/if_l2tp.c: revision 1.24
sys/net/if_ipsec.c: revision 1.13
sys/net/if_gif.h: revision 1.31
sys/netipsec/ipsecif.c: revision 1.8
sys/net/if_gif.c: revision 1.140
sys/netinet6/in6_l2tp.c: revision 1.15
sys/net/if_ipsec.h: revision 1.3
sys/netinet6/in6_gif.c: revision 1.92
sys/net/if_l2tp.h: revision 1.5
sys/netinet/in_l2tp.c: revision 1.13
sys/netinet/in_gif.c: revision 1.93

Fix LOCKDEBUG kernel panic when many(about 200) tunnel interfaces is created.

The tunnel interfaces are gif(4), l2tp(4), and ipsecif(4). They use mutex
itself in percpu area. When percpu_cpu_enlarge() run, the address of the
mutex in percpu area becomes different from the address which lockdebug
saved. That can cause "already initialized" false detection.
 1.3.2.6  17-May-2018  martin Pull up following revision(s) (requested by knakahara in ticket #828):

sys/net/if_ipsec.c: revision 1.12

Fix "how" argument of MGET(). Pointed out by maxv@n.o, thanks.
MGET() does not have M_ZERO flag, so add memset when it is required.
 1.3.2.5  09-Apr-2018  martin Pull up following revision(s) (requested by knakahara in ticket #714):

sys/net/if_ipsec.c: revision 1.8 - 1.11
sys/netipsec/ipsecif.h: revision 1.2
sys/netipsec/ipsecif.c: revision 1.6,1.7

fix ipsec(4) encap_lock leak.

fix ipsecif(4) unmatch curlwp_bind.

fix ipsecif(4) stack overflow.

Add IPv4 ID when the ipsecif(4) packet can be fragmented. Implemented by hsuenaga@IIJ and ohishi@IIJ, thanks.
This modification reduces packet loss of fragmented packets on a
network where reordering occurs.

Alghough this modification has been applied, IPv4 ID is not set for
the packet smaller then IP_MINFRAGSIZE. According to RFC 6864, that
must not cause problems.

Fix unexpected failure when ipsecif(4) over IPv6 is changed port number only.
Here is an example of the operation which causes this problem.
# ifconfig ipsec0 create link0
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4501
# ifconfig ipsec0 tunnel fc00:1001::2,4500 fc00:1001::1,4502
 1.3.2.4  13-Mar-2018  martin Pull up following revision(s) (requested by knakahara in ticket #627):
sys/netipsec/ipsecif.c: revision 1.5
tests/net/if_ipsec/t_ipsec.sh: revision 1.4
sys/net/if_ipsec.c: revision 1.7
Fix IPv6 ipsecif(4) ATF regression, sorry.
There must *not* be padding between the src sockaddr and the dst sockaddr
after struct sadb_x_policy.

Comment out confusing (and incorrect) code and add comment. Pointed out by maxv@n.o, thanks.

Enhance assertion ipsecif(4) ATF to avoid confusing setkey(8) error message.

When setkey(8) says "syntax error at [-E]", it must mean get_if_ipsec_unique()
failed.
 1.3.2.3  13-Mar-2018  martin Pull up following revision(s) (requested by knakahara in ticket #620):
sys/netipsec/ipsecif.c: revision 1.4
sys/net/if_ipsec.c: revision 1.4
sys/net/if_ipsec.c: revision 1.5
sys/net/if_ipsec.c: revision 1.6
NAT-T src and dst port in ipsec_variant should be network byte order.
Fix missing sadb_x_ipsecrequest informations for PF_KEY message.
Functionalize duplicated code. No functional changes.
Fix ipsec(4) I/F esp_frag support.
 1.3.2.2  11-Feb-2018  snj Pull up following revision(s) (requested by ozaki-r in ticket #536):
distrib/sets/lists/base/shl.mi: 1.825
distrib/sets/lists/comp/mi: 1.2168-1.2169
distrib/sets/lists/comp/shl.mi: 1.310
distrib/sets/lists/debug/mi: 1.234
distrib/sets/lists/debug/shl.mi: 1.188
distrib/sets/lists/man/mi: 1.1570
distrib/sets/lists/tests/mi: 1.772
etc/mtree/NetBSD.dist.tests: 1.150
share/man/man4/Makefile: 1.650
share/man/man4/ipsec.4: 1.42-1.43
share/man/man4/ipsecif.4: 1.1-1.5
sys/arch/amd64/conf/ALL: 1.77
sys/arch/amd64/conf/GENERIC: 1.480
sys/conf/files: 1.1191
sys/net/Makefile: 1.34
sys/net/files.net: 1.14
sys/net/if.c: 1.404
sys/net/if.h: 1.248
sys/net/if_gif.c: 1.135
sys/net/if_ipsec.c: 1.1-1.3
sys/net/if_ipsec.h: 1.1
sys/net/if_l2tp.c: 1.16
sys/net/if_types.h: 1.28
sys/netinet/in.c: 1.214
sys/netinet/in.h: 1.103
sys/netinet/in_gif.c: 1.92
sys/netinet/ip_var.h: 1.122
sys/netinet6/in6.c: 1.257
sys/netinet6/in6.h: 1.88
sys/netinet6/in6_gif.c: 1.90
sys/netinet6/ip6_var.h: 1.75
sys/netipsec/Makefile: 1.6
sys/netipsec/files.netipsec: 1.13
sys/netipsec/ipsec.h: 1.62
sys/netipsec/ipsecif.c: 1.1
sys/netipsec/ipsecif.h: 1.1
sys/netipsec/key.c: 1.246-1.247
sys/netipsec/key.h: 1.34
sys/rump/net/Makefile.rumpnetcomp: 1.20
sys/rump/net/lib/libipsec/IPSEC.ioconf: 1.1
sys/rump/net/lib/libipsec/Makefile: 1.1
sys/rump/net/lib/libipsec/ipsec_component.c: 1.1
tests/net/Makefile: 1.34
tests/net/if_ipsec/Makefile: 1.1
tests/net/if_ipsec/t_ipsec.sh: 1.1-1.2
Don't touch an SP without a reference to it
unify processing to check nesting count for some tunnel protocols.
add ipsec(4) interface, which is used for route-based VPN.
man and ATF are added later, please see man for details.
reviewed by christos@n.o, joerg@n.o and ozaki-r@n.o, thanks.
https://mail-index.netbsd.org/tech-net/2017/12/18/msg006557.html
ipsec(4) interface supports rump now.
add ipsec(4) interface ATF.
add ipsec(4) interface man as ipsecif.4.
add ipsec(4) interface to amd64/GENERIC and amd64/ALL configs.
apply in{,6}_tunnel_validate() to gif(4).
Spell IPsec that way. Simplify macro usage. Sort SEE ALSO. Bump
date for previous.
Improve wording and macro use.
Some parts are not clear to me, so someone with knowledge of ipsecif(4)
should improve this some more.
Improve ipsecif.4. Default port ipsec(4) NAT-T is tested now.
pointed out by wiz@n.o and suggested by ozaki-r@n.o, thanks.
Change the prefix of test names to ipsecif_ to distinguish from tests for ipsec(4)
New sentence, new line. Remove empty macro.
Fix PR kern/52920. Pointed out by David Binderman, thanks.
Improve wording, and put a new drawing, from me and Kengo Nakahara.
apply a little more #ifdef INET/INET6. fixes !INET6 builds.
 1.3.2.1  31-Jan-2018  snj file if_ipsec.c was added on branch netbsd-8 on 2018-02-11 21:17:34 +0000
 1.17.2.3  13-Apr-2020  martin Mostly merge changes from HEAD upto 20200411
 1.17.2.2  08-Apr-2020  martin Merge changes from current as of 20200406
 1.17.2.1  10-Jun-2019  christos Sync with HEAD
 1.22.2.2  13-Mar-2020  martin Pull up following revision(s) (requested by knakahara in ticket #780):

sys/netipsec/key.c: revision 1.271
sys/net/if_ipsec.c: revision 1.28
sys/net/if_ipsec.c: revision 1.29

Fix ipsecif(4) SPDADD pfkey message has garbage. Pointed out by ohishi@IIJ.

"setkey -x" output is the following.
 1.22.2.1  24-Sep-2019  martin Pull up following revision(s) (requested by ozaki-r in ticket #238):

sys/netipsec/ipsec_output.c: revision 1.83
sys/net/route.h: revision 1.125
sys/netinet6/ip6_input.c: revision 1.210
sys/netinet6/ip6_input.c: revision 1.211
sys/net/if.c: revision 1.461
sys/net/if_gif.h: revision 1.33
sys/net/route.c: revision 1.220
sys/net/route.c: revision 1.221
sys/net/if.h: revision 1.277
sys/netinet6/ip6_forward.c: revision 1.97
sys/netinet/wqinput.c: revision 1.6
sys/net/if_ipsec.h: revision 1.5
sys/netinet6/in6_l2tp.c: revision 1.18
sys/netinet6/in6_gif.c: revision 1.94
sys/net/if_l2tp.h: revision 1.7
sys/net/if_gif.c: revision 1.149
sys/net/if_l2tp.h: revision 1.8
sys/netinet/in_gif.c: revision 1.95
sys/netinet/in_l2tp.c: revision 1.17
sys/netipsec/ipsecif.c: revision 1.17
sys/net/if_ipsec.c: revision 1.24
sys/net/if_l2tp.c: revision 1.37
sys/netinet/ip_input.c: revision 1.391
sys/net/if_l2tp.c: revision 1.38
sys/netinet/ip_input.c: revision 1.392
sys/net/if_l2tp.c: revision 1.39

Avoid having a rtcache directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users. If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing. Address this situation by having
just a pointer to a rtcache in a percpu storage instead.
Reviewed by knakahara@ and yamaguchi@

-

wqinput: avoid having struct wqinput_worklist directly in a percpu storage

percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users. If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Input handlers of wqinput normally involves sleepable operations so we must
avoid dereferencing a percpu data (struct wqinput_worklist) after executing
an input handler. Address this situation by having just a pointer to the data
in a percpu storage instead.
Reviewed by knakahara@ and yamaguchi@

-

Add missing #include <sys/kmem.h>

-

Divide Tx context of l2tp(4) to improve performance.

It seems l2tp(4) call path is too long for instruction cache. So, dividing
l2tp(4) Tx context improves CPU use efficiency.

After this commit, l2tp(4) throughput gains 10% on my machine(Atom C3000).

-

Apply some missing changes lost on the previous commit

-

Avoid having a rtcache directly in a percpu storage for tunnel protocols.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users. If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Using rtcache, i.e., packet processing, typically involves sleepable operations
such as rwlock so we must avoid dereferencing a rtcache that is directly stored
in a percpu storage during packet processing. Address this situation by having
just a pointer to a rtcache in a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@

-

l2tp(4): avoid having struct ifqueue directly in a percpu storage.
percpu(9) has a certain memory storage for each CPU and provides it by the piece
to users. If the storages went short, percpu(9) enlarges them by allocating new
larger memory areas, replacing old ones with them and destroying the old ones.

A percpu storage referenced by a pointer gotten via percpu_getref can be
destroyed by the mechanism after a running thread sleeps even if percpu_putref
has not been called.

Tx processing of l2tp(4) uses normally involves sleepable operations so we
must avoid dereferencing a percpu data (struct ifqueue) after executing Tx
processing. Address this situation by having just a pointer to the data in
a percpu storage instead.

Reviewed by ozaki-r@ and yamaguchi@
 1.25.2.1  29-Feb-2020  ad Sync with head.
 1.34.2.1  02-Oct-2023  martin Pull up following revision(s) (requested by knakahara in ticket #378):

tests/net/if_ipsec/t_ipsec_unnumbered.sh: revision 1.2
sys/net/if_ipsec.c: revision 1.35
sys/netipsec/key.c: revision 1.281

Use kmem_free instead of kmem_intr_free, as key_freesaval() is not called in softint after key.c:r1.223.
E.g. key_freesaval() was called the following call path before SAD MP-ify.
esp_input_cb()
KEY_FREESAV()
key_freesav()
key_delsav()
key_freesaval()
ok'ed by ozaki-r@n.o.

Use unit id instead of if_index to reduce fixed_reqid space.

Update for sys/net/if_ipsec.c:r1.35
 1.35.4.1  16-Nov-2023  thorpej IFQ_CLASSIFY() -> ifq_classify_packet().

RSS XML Feed