| Age | Commit message (Collapse) | Author |
|---|
|
Fix an issue reported by Eygene Ryabinkin where packet where dropped by
pf(4) because a vlan(4) interface was picked instead of its underlying
em(4).
While here do some refactoring to avoid code duplication.
Based on a submission from Eygene Ryabinkin <rea at codelabs dot ru>.
ok bluhm@, kn@
|
|
ok dlg@, sthen@, millert@
|
|
|
|
From Eygene Ryabinkin.
|
|
Since `bif' are removed from the interface list before calling smr_barrier()
and the hash queue is cleaned up afterward, it is possible to find an ifidx
with bridge_rtlookup() that won't match to any `bif'.
Fix a panic reported by Hrvoje Popovski, ok visa@
|
|
This removes the KERNEL_LOCK() around the list iteration in bridge_enqueue().
Since the NET_LOCK() isn't protecting any data structure, release it early
in all the code paths coming from the Network Stack to prevent possible
deadlock situations with smr_barrier().
bridge_input() is still KERNEL_LOCK()ed as well as bridge_filterrule().
ok visa@
|
|
OK mpi@
|
|
when multiple interfaces do MAC filtering.
Memory leak reported by Daniel Levai
With and OK mpi@
|
|
caused a hanging "ifconfig bridge0 destroy" and a subsequent uvm
fault.
reported and tested by Hrvoje Popovski; OK visa@
|
|
This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiples contexts where the bridge has
tentacles to protect a pointer, use an interface index.
Tested by various, ok dlg@, visa@
|
|
conditional timeout_barrier(9).
OK kn@ dlg@
|
|
ok visa@
|
|
|
|
ok visa@
|
|
This will help for future (un)locking.
ok visa@
|
|
inputs & ok visa@
|
|
the timeout handler if the interface is running.
ok claudio@
|
|
|
|
- Do checks that do not access shared data structures first, they don't
need locking and save us some dances.
- Use the common !ETHER_IS_MULTICAST() idiom and move some code that won't
be executed if the bridge(4) is down.
ok bluhm@, visa@
|
|
ok kn@, claudio@, visa@
|
|
ok claudio@, kn@, visa@
|
|
grained locking.
ok visa@, florian@
|
|
- Unify the two hooks by passing the same argument
- Check for nullity before dereferencing `if_bridgeport', this will
matter when we go MP
- Use the same pattern to find a member in the ioctl path
ok bluhm@, visa@
|
|
enough.
ok sthen@, visa@
|
|
Tested by Hrvoje Popovski, inputs and ok visa@
|
|
Wireless drivers call if_enqueue() out of the NET_LOCK() so it cannot
be used to serialize bridge(4) states.
Found by stsp@, ok visa@
|
|
ok visa@
|
|
Tested by Hrvoje Popovski who measured a 30% improvement of forwarded
packets in the best case.
ok visa@
|
|
ok bluhm@, visa@
|
|
this is the same check that's done when adding normal members to
the bridge. it prevents things like gif(4) being added to the bridge,
which in turn prevents panics when shoving ethernet packets down a
layer 3 interface.
reported and tested by jasper@
|
|
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer mess with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
|
triggered by djm's dhclient on vether on bridge setup
ok djm benno claudio
|
|
Bridge members that are part of the same protected domain, refered by
a number between 1 and 31, cannot talk to each others. This is useful
to isolate VMs or untrusted networks at layer 2.
Members can be part of multiple protected domain making it possible to
create complex protected setups.
ok ccardenas@, claudio@, dlg@, henning@
|
|
Introduce bridge_ourether() and move carp(4)-specific SRPL code inside
carp_ourether().
ok bluhm@
|
|
|
|
allows arp (and rarp) requests and replies to be matched, including matching
based on the source and target host and protocol adresses, and thus control
over arp traffic and learning.
written for medical x-ray machines, but useful in many spread out L2 networks
ok claudio benno
|
|
currently carp uses a struct carp_if to hold an srp list head, which
is accessed by both if_carp in struct ifnet, and via the if input
handlers list.
this gets rid of some indirection by making if_carp itself the list
head, rather than a pointer to the list head via a struct carp_if.
it also makes accessing the list consistent by only using if_carp
to get to it.
ok mpi@
|
|
memory shortage. As it is invoked from a system call, it should
not fail and wait instead.
OK visa@ mpi@
|
|
a DOWN interface.
ok visa@
|
|
When short packets are sent to the bridge with IPsec enabled,
an incorrect error path can be taken which leads to a lookup
of an SPD entry using an uninitialized SPI. Most of the time
this will fail, however there's a chance that an existing SPD
entry corresponds to the provided SPI which leads to use of
another uninitialized variable used to offset the IP or IPv6
header in order to get to the security protocol header.
ESP performs packet length checks and will fail when such
packets will reach it, but AH and IPComp don't have similar
checks and are affected the most.
CID 1452946, 1452957; Severity: Major
OK millert, visa, bluhm
|
|
ok visa@
|
|
All interface ioctl()s are executed with the NET_LOCK() held, which
protects all soft states of the network stack. IPL_NET is only needed
in drivers dealing with hardware and by extension the wireless stack.
|
|
Remove an if condition that cannot happen.
OK mikeb@
|
|
Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.
Input from mpi@, ok bluhm@ mpi@
|
|
rectification.
|
|
only once per packet.
Fix a regression introduced when if_input() started to be called by
every pseudo-driver.
ok claudio@, dlg@
|
|
serialize access to bridge(4) data structures.
ok mikeb@
|
|
recursively.
ok bluhm@
|
|
make "addlocal" an alias to "add" on bridge. addlocal is handled
differently on switch(4).
OK yasuoka@
|
|
each counter is identified by an enum value which correspond to the
original members of the ipstat struct.
ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the ipstat struct for now.
ok mpi@ mikeb@
|
