traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping of individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
Adopted from the loop lo0 code.
broken by ryan in australia
problem found & nagging by sthen
jsg found the fix but failed to apply the cluestick correctly ;)
test & ok sthen
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
rt_if_remove_rtdelete() needs to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
is for, it is not very obvious... with ryan and jsing
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing
Reported by Alexander Vladimirov.
is fired afterwards. Fixes a use after free crash.
the one used by Cisco. It sends a return gre packet inside a gre packet
to the other side and expects it to return.
OK deraadt, reyk additional testing by sthen
ok ryan theo reyk
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
QinQ-compliant svlan (service VLAN) interfaces are implemented as
a new cloner type, use Ethernet type 0x88a8, and have a dedicated
VLAN tag hash to avoid ID conflicts. vlan(4) interfaces can be
stacked on top of svlan(4).
Originally from reyk@, input from claudio@ and deraadt@
ok claudio@
does no overflow checking and does not set the congestion flag. Protocol
input queues (inet, inet6, ...) should always use IF_INPUT_ENQUEUE().
OK henning@
ether_output() and later on other L2 output functions use a trick and over-
load the ifp->if_output() function pointer on MPLS enabled interfaces to
go through mpls_output() which will then call the link level output function.
By setting IFXF_MPLS on an interface the output pointers are switched.
This now allows cleaning up the MPLS input and output paths and fixing mpe(4)
so that the MPLS code now actually works for both P and PE systems.
Tested by myself and michele
(A custom kernel with MPLS and mpe enabled is still needed).
afterwards
diff from gleydson soares
ok claudio@
only the MPLS bits from a route set rtm_fmask to RTF_MPLS. Additionally check
if the nexthop is modified and in that case always remove the MPLS info since
the path changed. This change makes life in userland a lot easier since the
routing daemons normally don't know about MPLS and until now they destroyed
MPLS information when issuing RTM_CHANGEs.
OK michele@
This is needed because pf_state_peer_hton() skips some fields in certain
situations which could result in garbage being sent to the other peer.
This seems to fix the pfsync storms seen by stephan@ and so dlg owes me
a whiskey.
OK dlg@, stephan@
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
is defined.
to the new MAC. But subsequently added ports were still being assigned the
old MAC address because it was copied from the wrong place. Give newly added
trunk ports the current MAC of the master port, rather than the saved MAC of
the master port. The saved MAC should only be used to restore the original
MAC address of the interface when it is removed from the trunk.
ok claudio@
call the interface-specific ioctl handler as well in case the driver
needs to do something special. E.g. if_trunk expects this in order to
update MAC addresses of its trunk ports.
If you now see "Inappropriate ioctl for device" errors after running
"ifconfig $if lladdr random" please let me know. Most likely the ioctl
handler of the driver needs fixing.
ok claudio@, "I only count half an ok for networking" tedu@
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
block as done in other drivers. Based on an old diff by Gleydson Soares.
link states. Additionally do not up the interface when opening the device.
Resulting in the same behaviour as on real ethernet interfaces.
OK sthen
the non-line-discipline-specific ioctl handler should be tried.
So changing these to return ENOTTY was wrong.
Noted on misc@ because of resulting pppd log spam (but it didn't break
anything serious): http://marc.info/?l=openbsd-misc&m=127258856501621&w=2
ok sthen@, miod@
The ones found in gnu/ left out by intention.
ok jmc
ok henning@
removed. Extend carp demote logging to also show the reason for
the demote. Return EINVAL instead of ERANGE if a carpdemote request
is out of range. Requested from otto.
OK mcbride, henning.
ioctls, instead of -1 or EINVAL. ENOTTY audit suggested to me by uwe.
ok dlg tedu
and rdomainid are returned. This is necessary to know where L2 information
of a table is stored (which will be needed soon by bgpd).
Also while there change the errno for non-existing routing tables to ENOENT.
'Fine' deraadt@
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
accordingly if one is configured and we're not a router.
Else IPv6 will leak the old MAC address after "ifconfig $if lladdr random".
Based on an initial diff and idea from Theo.
OK deraadt, "makes sense" and help by naddy, silent agreement by claudio
ok stsp
ok stsp
it after the fact.
ok henning@, claudio@
intended.
ok claudio@, henning@
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.
Man page help from jmc, testing by weerd, arc4random API hints from djm.
ok deraadt, claudio
Makes IPv6 work with if_vether.
ok deraadt
Found out the hard way by Laurent ``bucky'' Lavaud and myself.
Input by claudio@, ok dlg@
OK michele@
looked up. can vether get any smaller?
ok deraadt@ claudio@
ok claudio@