Age | Commit message | Author |
|
per the 802.1D-2004 spec. With lots of help and guidance (and some
nagging) from claudio. Tested with net/ladvd port on i386 and amd64.
'be a man' claudio@, ok mpf@
|
|
OK blambert, claudio.
|
|
interface is destroyed while in the bridge. Fixed by using
bridge_delete() which includes the missing bstp_delete() call: Less
code and more consistency. Also fix SIOCBRDGDEL to return an error
if an interface can not be found.
OK claudio, markus.
|
|
bstp_input() always consumes the packet so remove the mbuf handling
dance around it.
|
|
ok claudio@ guenther@
|
|
ok deraadt@
|
|
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to look up the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
look up the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
QinQ-compliant svlan (service VLAN) interfaces are implemented as
a new cloner type, use Ethernet type 0x88a8, and have a dedicated
VLAN tag hash to avoid ID conflicts. vlan(4) interfaces can be
stacked on top of svlan(4).
Originally from reyk@, input from claudio@ and deraadt@
ok claudio@
|
|
is set whenever we are changing the rcvif. It is still not possible to pass traffic
between two vether but works now from outside.
OK deraadt@
|
|
sneaks packets on and off network interfaces in some cases without
calling the interrupt, start, or output functions, and thus must do
these tasks which the drivers cannot do. The gif and vether are
rather special. Someone should re-check gre.
ok claudio
|
|
so that a bridge-etherip-tunnel host can join into the bridge itself.
It is ridiculous that this capability was missing from our network
stack portfolio, considering we have bgp and ospf daemons...
discussed at length with claudio
|
|
also up into the network stack on all interfaces. Multicast addresses are
bound to interfaces and without this local sockets did not see packets that
entered the bridge on a different interface. This should help IPv6.
OK naddy@
|
|
where the tag is stored in the mbuf header.
* Make bridge(4) handle interfaces with and without hardware tag
support and forward packets in between.
Help and ok claudio@
|
|
Really just the low-hanging fruit of (hopefully) forthcoming timeout
conversions.
ok art@, krw@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ mpf@
|
|
even the unicast address of the remote carp peer. this especially
helps when the multicast carp advertisements are causing problems in
the network (some crappy switches don't do well with multicast), there
are conflicts with VRRP, or the policy of the network does not allow
multicast (most Internet eXchange points didn't allow carped OpenBGP
routers because of the multicast advertisements).
discussed with many
ok mpf@
|
|
(timeout_add()) anyway.
ok brad claudio
|
|
calls to ifp->if_start to if_start(). these are the obviously right cases
where we can do that, the less obvious ones may follow as they're figured
out.
deraadt@ said to go for it
|
|
it by reading the queue's head pointer. if that pointer is not null
then it takes splnet and dequeues a packet for handling. this is
bad because the ifqueue head is modified at splnet and the softnet
handlers read it without holding splnet.
this removes that check of the head pointer and simply checks if
the dequeue gave us a packet or not before proceeding.
found while reading mpls code.
discussed with norby@ and henning@
ok mcbride@ henning@
|
|
ok claudio@ krw@ jason@ dlg@
|
|
-remove useless casts
-MALLOC/FREE -> malloc/free
-use M_ZERO where appropriate instead of separate bzero
feedback & ok krw, hshoexer
|
|
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
ok dlg claudio
|
|
etherip encapsulation; unbreaks remote ipsec bridges; ok claudio;
additional testing Renaud Allard
|
|
OK claudio@ jason@
|
|
makes carp(4) fail-over work over bridge(4). OK michele@ jason@
|
|
this fixes PR 5056
discussed with camield@
OK camield@ claudio@ henning@
|
|
splnet/IF_DEQUEUE/splx; ok various people
|
|
P2P is commonly used in relation to peer to peer networks, PTP is used
in various protocols for layer 2 point to point links (ie., full
duplex ethernet links).
note that the newly added brconfig commands [-]p2p and [-]autop2p will
change to [-]ptp and [-]autoptp.
suggested by Andrew Thompson (thompsa@freebsd.org)
|
|
by Andrew Thompson (thompsa@freebsd.org). The local changes include
adoption to our bridge code, reduced stack usage and many other bits.
If stp is enabled, RSTP will now be used by default.
Thanks for help from Andrew.
This code has been in snaps for a while now, commit encouraged by deraadt@
|
|
From: Genadijus Paleckis <lsd@nnt.lt>
but the really bad description of the diff made this way more complicated
than needed. pls plz, when sending in diffs, describe properly what they
do and why!
|
|
outbound), using a new BIOCSDIRFILT ioctl;
guidance, feedback and ok canacar@
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|
into them, if you are gonna copy it out to userland
some ok dhartmei, some ok tedu
|
|
ok brad@
|
|
address dynamically on this interface after successful association.
this could speed wireless roaming to openbsd accesspoints.
ok jason@, jsg@ can't see anything objectionable
|
|
than a pointer to struct ifnet containing it.
Saves a 448 byte stack allocation in ip_forward which previously faked up
a struct ifnet just for this purpose.
idea ok deraadt millert
|
|
ok krw@ canacar@
|
|
ok mickey@ henning@, "looks good" markus@ jason@
|
|
ok pascoe@ mpf@
|
|
matching in the bridge receive path to make CARP operate correctly
on physical interfaces that are participating in a bridge.
ok mcbride@ henning@ dlg@
|