Age | Commit message (Collapse) | Author |
|
ok miod@ mpi@
|
|
|
|
after discussions with beck deraadt kettenis.
|
|
the various bpf_mtap_* are very similar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno
|
|
|
|
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
|
statistics side effects before. ok lteo naddy
|
|
are a lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy
|
|
a configured IPv4 address but iterates on its private list instead.
ok deraadt@
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
bridge_tunnelupdate to a more generic name bridge_copyaddr.
No functional change.
|
|
interface. VXLAN is a UDP-based tunnelling protocol for overlaying
virtualized layer 2 networks over layer 3 networks. The implementation
is based on draft-mahalingam-dutt-dcops-vxlan-04 and has been tested
with other implementations in the wild.
put it in deraadt@
|
|
behaves like before and creates the mapping if needed. if 0, lookup only.
looked over by many, ok phessler sthen
|
|
|
|
|
|
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
.h files to pull it in, if needed
ok tedu
|
|
|
|
ok beck@, mikeb@
|
|
ok claudio mpi
|
|
This way the configuration order is preserved. Order matters
because MAC addresses are not unique: vlan interfaces can have
the same MAC as their parent.
Frames destined for the bridge itself are now delivered to
the first-configured interface that matches the MAC instead
of the last-configured. This means that the bridge behavior
does not suddenly change anymore when adding a vlan interface.
ok henning reyk (a while ago)
|
|
reconfiguration with /etc/netstart silent again. (noticed by deraadt)
And do the same for 'addspan'.
ok deraadt
|
|
bridge(4) members that are not configured with stp.
Lots of debug help (and actual find) sthen@
OK sthen@, mpf@
|
|
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
return anything but 0 anyways
From: "Michael W. Bombardieri" <mb at ii dot net>, ok camield
|
|
is really needed, instead of an ethernet header and selector.
ok mikeb henning mpf
|
|
routecache is full and the admin is making it smaller. It then does a
lame attempt at shrinking the routecache, something that a flush or flushall
can do better.
ok henning beck
|
|
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
|
|
Even though this violates IEEE 802.1D, we'd rather avoid bridging loops
by not getting in the way of STP.
OK henning, camield, reyk
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
the broadcast shortcut codepath is fixed. ok claudio
|
|
with broadcast packets.
|
|
ok claudio krw
|
|
checksum. turned out it always recalculates it as long as your kernel does
have pf compiled in, as in, always, since compilation of GENERIC without
pf explodes in about a hundred ways.
so rename bridge_filter -> bridge_ip and always compile it, pf or not,
just make the pf_test calls #if NPF, and sync the ip fuckery code with
ip_output. as a bonus this lets us use the checksum offloading to the NIC
if it is capable of that.
ok claudio dlg sthen
|
|
per the 802.1D-2004 spec. With lots of help and guidance (and some
nagging) from claudio. Tested with net/ladvd port on i386 and amd64.
'be a man' claudio@, ok mpf@
|
|
OK blambert, claudio.
|
|
interface is destroyed while in the bridge. Fixed by using
bridge_delete() which includes the missing bstp_delete() call: Less
code and more consistency. Also fix SIOCBRDGDEL to return an error
if an interface can not be found.
OK claudio, markus.
|
|
bstp_input() always consumes the packet so remove the mbuf handling
dance around it.
|
|
ok claudio@ guenther@
|
|
ok deraadt@
|
|
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
QinQ-compliant svlan (service VLAN) interfaces are implemented as
a new cloner type, use Ethernet type 0x88a8, and have a dedicated
VLAN tag hash to avoid ID conflicts. vlan(4) interfaces can be
stacked on top of svlan(4).
Originally from reyk@, input from claudio@ and deraadt@
ok claudio@
|