summaryrefslogtreecommitdiff
path: root/sys/net/if_pfsync.c
AgeCommit message (Collapse)Author
2016-10-27Pass a struct pf_pdesc to pf_route() like it is done in the otherAlexander Bluhm
pf functions. That means less parameters, more consistency and later we can call functions that need a pd from pf_route(). OK sashan@
2016-10-04Convert timeouts that need a process context to timeout_set_proc(9).Martin Pieuchot
The current reason is that rtalloc_mpath(9) inside ip_output() might end up inserting a RTF_CLONED route and that require a write lock. ok kettenis@, bluhm@
2016-09-27roll back turning RB into RBT until i get better at this process.David Gwynne
2016-09-27move pf from the RB macros to the RBT functions.David Gwynne
2016-09-21Remove recursive splsoftnet() calls, from David Hill.Martin Pieuchot
2016-09-15all pools have their ipl set via pool_setipl, so fold it into pool_init.David Gwynne
the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl. most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself. ok tedu@ jmatthew@ @ipl@ expression pp; expression ipl; expression s, a, o, f, m, p; @@ -pool_init(pp, s, a, o, f, m, p); -pool_setipl(pp, ipl); +pool_init(pp, s, a, ipl, f, m, p);
2016-08-23pool_setiplDavid Gwynne
2016-04-29Make if_output() return EAFNOSUPPORT instead of just dropping packetsKenneth R Westerback
and pretending the output succeeded. Packets are still dropped! Idea from jsg@ following same change to bridge(4). ok mpi@
2016-03-29- packet must keep reference to statekeyAlexandr Nedvedicky
this is the second attempt to get it in, the first attempt got backed out on Jan 31 2016 the change also contains fixes contributed by Stefan Kempf in earlier iteration. OK srhen@
2016-01-31- m_pkthdr.pf.statekey changes are not ready for 5.9, I must back them outAlexandr Nedvedicky
OK sthen@
2016-01-27white space tweaks. no functional change.David Gwynne
2016-01-26- state keys imported by if_pfsync trip refcnt != ~0 AssertAlexandr Nedvedicky
OK mpi@
2015-12-05remove old lint annotationsTed Unangst
2015-12-03Rename pf_unlink_state() to pf_remove_state() so the name does notAlexander Bluhm
collide with the statekey to inp unlinking. OK sashan@ mpi@
2015-11-10flush the send queue in start routines with IFQ_PURGE.David Gwynne
ok mpi@ uebayasi@
2015-10-30Clean up handling of 'clear states' pfsync packets.Mike Belopuhov
If interface was specified in the packet only if-bound states attached to this interface must be purged. ok mpi, looked at by sasha@
2015-09-11Kill yet another argument to functions in IPv6. This time ip6_output'sClaudio Jeker
ifpp - XXX: just for statistics ifpp is always NULL in all callers so that statistic confirms ifpp is dying OK mpi@
2015-06-16Store a unique ID, an interface index, rather than a pointer to theMartin Pieuchot
receiving interface in the packet header of every mbuf. The interface pointer should now be retrieved when necessary with if_get(). If a NULL pointer is returned by if_get(), the interface has probably been destroy/removed and the mbuf should be freed. Such mechanism will simplify garbage collection of mbufs and limit problems with dangling ifp pointers. Tested by jmatthew@ and krw@, discussed with many. ok mikeb@, bluhm@, dlg@
2015-03-14Remove some includes include-what-you-use claims don'tJonathan Gray
have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@
2015-02-10include the "set prio" values.Henning Brauer
no real compat issue since we're using spare bytes. old -> new ends up with set prio (0, 0) equivalent new -> old is entirely harmless, old ignores the prios. requested by Alexey Suslikov <alexey.suslikov at gmail> ok phessler pelikan dlg
2015-01-24Userland (base & ports) was adapted to always include <netinet/in.h>Theo de Raadt
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be cleaned up next. Some sockaddr_union steps make it into here as well. ok naddy
2014-12-19unifdef INET in net code as a precursor to removing the pretend option.Ted Unangst
long live the one true internet. ok henning mikeb
2014-12-17Remove the "multicast_" prefix from the fields a multicast-only struct.Martin Pieuchot
Prodded by claudio@ and mikeb@
2014-12-17Use an interface index instead of a pointer for multicast options.Martin Pieuchot
Output interface (port) selection for multicast traffic is not done via route lookups. Instead the output ifp is registred when setsockopt(2) is called with the IP{V6,}_MULTICAST_IF option. But since there is no mechanism to invalidate such pointer stored in a pcb when an interface is destroyed/removed, it might lead your kernel to fault. Prevent a fault upon resume reported by frantisek holop, thanks! ok mikeb@, claudio@
2014-11-23length argument for some free() calls; ok dougTheo de Raadt
2014-11-06Remove unneeded netinet6/ip6_divert.h include.Lawrence Teo
ok bluhm@ dlg@ florian@ mpi@
2014-10-17reset all the pfsync packet state before calling ip_output inDavid Gwynne
pfsync_sendout. more specifically, move the reset of sc->sc_len to PFSYNC_MINPKT above ip_output. this prevents a situation where ipsec via ip_output calls pfsync_update_tdb for syncing the ipsec flow to a peer, which accounts for the tdb in the next pfsync packet, before unwinding back to pfsync_output which resets the accounting we just did. the next pfsync packet to be sent out will be allocated with a short length because sc_len is wrong, and the long lists of things (eg, the tdb) can overwrite memory after the mbuf. this manifests as incorrect poisoning or xsimpleq entry corruption in mbufs still in a pool, or random corruption of m->m_next on other mbufs in the system. bug found, fix tested, and ok stsp@
2014-09-08remove uneeded route.h includesJonathan Gray
ok miod@ mpi@
2014-07-22Fewer <netinet/in_systm.h> !Martin Pieuchot
2014-07-12add a size argument to free. will be used soon, but for now default to 0.Ted Unangst
after discussions with beck deraadt kettenis.
2014-04-21ip_output() using varargs always struck me as bizarre, esp since it's onlyHenning Brauer
ever used to pass on uint32 (for ipsec). stop that madness and just pass the uint32, 0 in all cases but the two that pass the ipsec flowinfo. ok deraadt reyk guenther
2014-04-14"struct pkthdr" holds a routing table ID, not a routing domain one.Martin Pieuchot
Avoid the confusion by using an appropriate name for the variable. Note that since routing domain IDs are a subset of the set of routing table IDs, the following idiom is correct: rtableid = rdomain But to get the routing domain ID corresponding to a given routing table ID, you must call rtable_l2(9). claudio@ likes it, ok mikeb@
2013-11-18Fix potential null dereference.Charles Longeau
Found by LLVM/Clang Static Analyzer. ok benno@ henning@
2013-11-15inherit the rdomain sc to pkthdrHenning Brauer
from erik at halon dot se, ok benno phessler benno
2013-10-17The header file netinet/in_var.h included netinet6/in6_var.h. ThisAlexander Bluhm
created a bunch of useless dependencies. Remove this implicit inclusion and do an explicit #include <netinet6/in6_var.h> when it is needed. OK mpi@ henning@
2013-08-07states learnt via pfsync from a peer with the same ruleset checksum wereDavid Gwynne
not getting assigned to rules like they should cos pfsync_in_upd() wasnt passing the PFSYNC_SI_CKSUM flag along to pfsync_state_import. found and fixed by pedro
2013-06-20Revert previous and unbreak asr, the new include should be protected.Martin Pieuchot
Reported by naddy@
2013-06-20Allocate the various hook head descriptors as part of the ifnetMartin Pieuchot
structure rather than doing various M_WAITOK allocations during the *attach() functions, we always rely on them anyway. ok mikeb@, uebayasi@
2013-05-10Since pf_state_key_attach can decide to free the provided stateMike Belopuhov
key we need to sync our state key pointers with whatever values the function will pick. Not doing so will produce wrong results if address translation must be applied afterwards and we happen to have a state key collision. Then pf_translate will follow an old pointer and punch in garbage addresses into the packet. Noticed, initial patch and tests by Vitaly Sinilin <vs @ kp4 ! ru> ok tedu, henning
2013-03-28no need for a lot of code to include proc.hTed Unangst
2013-03-26Remove various read-only *maxlen variables and use IFQ_MAXLEN directly.Martin Pieuchot
ok beck@, mikeb@
2012-10-30Use time_uptime for expiration values as time_second can be skewed atFlorian Obser
runtime while time_uptime is monotonic. Prevent underflows in pfsync(4) and pflow(4) by using signed variables. pfsync(4) problem pointed out by camield. Diff originally by dlg, frag and pflow bits by me. feedback dlg man page tweak jmc Various versions of the pflow bits tested by Hrvoje Popovski (hrvoje AT srce DOT hr), thanks! ok benno, henning, dlg
2012-10-09simplify hook_disestablish() handling by always resetting the hook whenMarkus Friedl
the syncdev gets set. this also makes sure we no longer leak hooks on repeatet 'ifconfig syncdev' invocations. ok mikeb@
2012-10-08make sure we don't call hook_disestablish() twice e.g. ifconfig -syncdevMarkus Friedl
followed by ifconfig destroy; ok mikeb
2012-09-20pfsync_cancel_full_update needs to restore carp demotions sinceMike Belopuhov
it's cancelling the bulk update and can leave the machine in a demoted state. bug was noticed by benno, who was kind enough to verify that the fix is working fine. ok mpf, benno
2012-09-20spltdb() was really just #define'd to be splsoftnet(); replace the formerBret Lambert
with the latter no change in md5 checksum of generated files ok claudio@ henning@
2012-09-19update the tdb replay counter endian conversion to 64 bits;Mike Belopuhov
ok camield mpf
2012-07-26rename all_state_flags to state_flags to finish the transitionMike Belopuhov
to the 16 bit flags; reminded by claudio, ok henning
2012-06-30Fix a number of problems introduced by the link state handling commit:Mike Belopuhov
1) demote by 32 on the first bulk update to prevent failovers w/o having a full state table; 2) don't do any demotion adjustments on the link up event and undemote when bulk update finishes (or times out) preventing a race between nodes getting a link state update asynchronously. With phessler; tested by phessler and Kapetanakis Giannis. Thanks! Looked through by henning and dlg. Now the correct version.
2012-06-30backout rev1.185 as it's not what i have intended to commitMike Belopuhov