| Age | Commit message (Collapse) | Author |
|---|
|
reported and patch tested by Hrvoje Popovski
O.K. bluhm@
|
|
pfsyncioctl() is executed with the NET_LOCK() held which is enough.
ok sashan@
|
|
ok visa@
|
|
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@
|
|
constants.
The consensus is that if both operands are constant, we don't need
mallocarray. Reminded by tedu@
ok deraadt@
|
|
ok deraadt@
|
|
zero the buffers first. All the current objects appear to be safe,
however future changes might introduce structure pads.
Discussed with guenther, ok bluhm
|
|
Fixes a panic observed by douple-p (aka pb@) when destroying the syncdev.
tweak & ok mpi@
|
|
ok florian@
|
|
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@
|
|
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@
|
|
only once per packet.
Fix a regression introduced when if_input() started to be called by
every pseudo-driver.
ok claudio@, dlg@
|
|
splsofnet()/splx() dance.
Tested by Hrvoje Popovski, ok visa@
|
|
them.
ok claudio@
|
|
ok bluhm@
|
|
Prevent pf_socket_lookup() reading uninitialised header buffers on fragments.
OK blum@ sashan@
|
|
just use pd->m. Then pf_test() can also operate on pd.m and set
the *m0 value in the caller just before it returns.
OK sashan@
|
|
pf functions. That means less parameters, more consistency and
later we can call functions that need a pd from pf_route().
OK sashan@
|
|
The current reason is that rtalloc_mpath(9) inside ip_output() might
end up inserting a RTF_CLONED route and that require a write lock.
ok kettenis@, bluhm@
|
|
|
|
|
|
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
|
|
|
|
and pretending the output succeeded. Packets are still dropped!
Idea from jsg@ following same change to bridge(4). ok mpi@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|
|
OK sthen@
|
|
|
|
OK mpi@
|
|
|
|
collide with the statekey to inp unlinking.
OK sashan@ mpi@
|
|
ok mpi@ uebayasi@
|
|
If interface was specified in the packet only if-bound states
attached to this interface must be purged.
ok mpi, looked at by sasha@
|
|
ifpp - XXX: just for statistics
ifpp is always NULL in all callers so that statistic confirms ifpp is
dying
OK mpi@
|
|
receiving interface in the packet header of every mbuf.
The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.
Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.
Tested by jmatthew@ and krw@, discussed with many.
ok mikeb@, bluhm@, dlg@
|
|
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
|
no real compat issue since we're using spare bytes.
old -> new ends up with set prio (0, 0) equivalent
new -> old is entirely harmless, old ignores the prios.
requested by Alexey Suslikov <alexey.suslikov at gmail>
ok phessler pelikan dlg
|
|
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
|
long live the one true internet.
ok henning mikeb
|
|
Prodded by claudio@ and mikeb@
|
|
Output interface (port) selection for multicast traffic is not done via
route lookups. Instead the output ifp is registred when setsockopt(2)
is called with the IP{V6,}_MULTICAST_IF option. But since there is no
mechanism to invalidate such pointer stored in a pcb when an interface
is destroyed/removed, it might lead your kernel to fault.
Prevent a fault upon resume reported by frantisek holop, thanks!
ok mikeb@, claudio@
|
|
|
|
ok bluhm@ dlg@ florian@ mpi@
|
|
pfsync_sendout. more specifically, move the reset of sc->sc_len to
PFSYNC_MINPKT above ip_output.
this prevents a situation where ipsec via ip_output calls
pfsync_update_tdb for syncing the ipsec flow to a peer, which
accounts for the tdb in the next pfsync packet, before unwinding
back to pfsync_output which resets the accounting we just did.
the next pfsync packet to be sent out will be allocated with a short
length because sc_len is wrong, and the long lists of things (eg,
the tdb) can overwrite memory after the mbuf. this manifests as
incorrect poisoning or xsimpleq entry corruption in mbufs still in
a pool, or random corruption of m->m_next on other mbufs in the
system.
bug found, fix tested, and ok stsp@
|
|
ok miod@ mpi@
|
|
|
|
after discussions with beck deraadt kettenis.
|
|
ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther
|
|
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
|
Found by LLVM/Clang Static Analyzer.
ok benno@ henning@
|
