Age | Commit message (Collapse) | Author |
|
OK henning@
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
ok krw@, mikeb@
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
|
|
check for the reference counter.
ok mikeb@, miod@, pelikan@, kettenis@, krw@
|
|
ok claudio@
|
|
to a radix_node struct.
The radix tree pushdown continues.
ok claudio@
|
|
returns radix_node pointers, inside a new rt_mpath_next, which accepts
and returns rtentry pointers, and start using that instead.
ok claudio@
|
|
as functions that modify routing information shouldn't be interruptable by
network traffic.
Also make sure that both of those functions assert that they are called
at softnet. I'm reasonably sure that there shouldn't be any, but if there
is any codepath that was missed, we're going to be here for another 4 days
to deal with any fallout.
While here, move the multitude of "int s" declarations inside ifioctl to
the beginning of the function.
okay claudio@
|
|
|
|
ok blambert@ sthen@ henning@ claudio@
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
testing sthen@
ok sthen@ henning@ dlg@
|
|
|
|
LINK_STATE_IS_UP() does the trick now for all cases.
OK henning@ deraadt@
|
|
leads to corrupted memory; backout to await a better fix
|
|
malloc/bcopy/free, the way He Who Must Not Be Named intended.
"yes please" claudio@
|
|
to an interface any more, the kernel crashed with a null pointer
dereference. This situation could be created by a strange sequence
of route and ifconfig commands.
Now when a cloning route references a stale interface address and
rtrequest1(RTM_RESOLVE) has to create a cloned route, it does a
lookup for a valid interface address with the same ip address. The
new interface address and its interface are used for the new cloned
route and they replace the old ones at the cloning route.
ok claudio@, henning@
|
|
rtsock code can return a more reasonable error to the user.
OK henning
|
|
rn_mpath_capable(). Move code down into the mpath specific block.
Not all routing tables support multipath and therefor priorities.
|
|
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
the callback functions. This fixes a problem where dynamic routes in
different tables would not get deleted because the callback was doing
the remove on the wrong table.
OK henning@
|
|
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
|
|
only the MPLS bits from a route set rtm_fmask to RTF_MPLS. Additionally check
if the nexthop is modified and in that case always remove the MPLS info since
the path changed. This change makes life in userland a lot easier since the
routing daemons normaly don't know about MPLS and until now they destroyed
MPLS information when issuing RTM_CHANGEs.
OK michele@
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
ok claudio@
|
|
rt_if_linkstate_change() needs to be rerun for this route and the
resulting rt_flags need to copied to the rtm_flags for userland.
Problem found and diagnosed by Doran Mori. OK henning@, jsing@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
`OK' claudio
|
|
the mbuf got leaked when detaching an interface, spotted by theo.
fixed by me, diff refined by theo
eyeballed by claudio@
'go ahead, commit this' by theo@
|
|
the one planned to remove. Do this by going through the dupedkey list
looking for the right ifa. Problem found by and OK dlg, OK henning
|
|
even though adding an already existing routing table is not allowed.
Leak found by blambert@, fix by myself. OK blambert@
|
|
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
the rtfree panic seen by some people.
|
|
ok claudio@
|
|
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
|
|
levels. This will allow for platforms where soft interrupt levels do not
map to real hardware interrupt levels to have soft ipl values overlapping
hard ipl values without breaking spl asserts.
|
|
the backout/disabling of the route link state tracking done a few days ago.
OK deraadt@
|
|
Switch the padding field into a MPLS one in rt_msghdr to store
relevant informations.
OK claudio@ laurent@
|
|
We can now act as edge node and allow ipv4 packets to
enter a Label Switched Path and not just forwarding
MPLS packets.
OK claudio@
|
|
Now it contains just the label as it must be.
This introduces a ugly hack in rtentry that will be removed
as soon as possible.
OK claudio@
|
|
added without an expilict priority. This allows to specify less prefered
interfaces that will only take over if the primary interface loses link.
OK deraadt@
|
|
which are considered down will no be marked ~RTF_UP and so multipath routing
will start to work as expected and not pump 50% of the traffic to nirvana.
Most of the magic happens in rn_mpath_reprio() which fiddles with the
routing table internals. The rest is more straight forward.
get it in deraadt@
|
|
not only over routes of the same prio. This makes it possible to modify
rt_mpath_matchgate() so that if only gateway is specified without a specific
priority it will scan the full list and not only the first routes.
This is also needed for upcoming link state tracking.
|