Age | Commit message (Collapse) | Author |
|
ok visa@
|
|
RTF_LOCAL entries or static ARP entries don't have parents, so the logic
was incorrect. Note that it might be possible to extend the logic to work
with non-cloned L2 entries but the few use cases do not justify the
complexity (yet).
Problem reported & fix tested by Elie Bouttier.
ok bluhm@, visa@, claudio@
|
|
Tested by Hrvoje Popovski who measured a 30% improvement of forwarded
packets in the best case.
ok visa@
|
|
ok bluhm@, visa@
|
|
start locking the socket. An inp can be referenced by the PCB queue
and hashes, by a pf mbuf header, or by a pf state key.
OK visa@
|
|
regression with iked(8).
Reported by Mark Patruck.
|
|
ok claudio@
|
|
crosshairs.
|
|
this change adds a pf_state_lock rw-lock, which protects consistency
of state table in PF. The code delivered in this change is guarded
by 'WITH_PF_LOCK', which is still undefined. People, who are willing
to experiment and want to run it must do two things:
- compile kernel with -DWITH_PF_LOCK
- bump NET_TASKQ from 1 to ... sky is the limit,
(just select some sensible value for number of tasks your
system is able to handle)
OK bluhm@
|
|
so we can let go if_cloners_lock.
OK tb@, claudio@, bluhm@, kn@, henning@
|
|
put the algorithm into a new function m_calchdrlen(). Also set an
uninitialized m_len to 0 in NFS code.
OK claudio@
|
|
rdomain case leading to locking issues and lots of headscratching. turns out
the only case where if_setrdomain could actually create an rdomain and thus
end up with that pattern is the ioctl path.
make if_setrdomain never create an rdomain, return error if it doesn't exist
already, introduce if_createrdomain, and adjust the ioctl path to use it.
ok sashan bluhm claudio
|
|
flight that can possibly match. there is a tiny but existing chance that
a sequence number matches w/ our hash and we'd end up dropping traffic.
unclear whether that has actually happened since the report chain is long :)
report via haesbert via bluhm; ok bluhm
|
|
created. Add a new function m_removehdr() do convert packet header
mbufs within the chain to regular mbufs. Assert that the mbuf at
the beginning of the chain has a packet header.
found by Maxime Villard in NetBSD; from markus@; OK claudio@
|
|
a global limit of 1024 fragments, but it is fine grained to the
region of the packet. Smaller packets may have less fragments.
This costs another 16 bytes of memory per reassembly and devides
the worst case for searching by 8.
requestd by claudio@; OK sashan@ claudio@
|
|
deleted if the rdomain doesn't contain any other interface. turn the rdomain
back into an ordinary, empty rtable in that case.
with this and the previous commits one can get rid of rdomains again without
rebooting, which wasn't possible any more for some time
ok bluhm, input mpi
|
|
nonexistant ones as before. nasty error handling with bluhm, feedback mpi as
well. ok bluhm
|
|
ok bluhm
|
|
Remember 16 entry points based on the fragment offset. Instead of
a worst case of 8196 list traversals we now check a maximum of 512
list entries or 16 array elements.
discussed with claudio@ and sashan@; OK sashan@
|
|
Found by asou at soum.co.jp.
ok claudio mpi akoshibe benno
|
|
|
|
pf(4) reassembly is complete. Instead count the holes that are
created when inserting a fragment. If there are no holes left, the
fragments are continuous.
idea from claudio@; OK claudio@ sashan@
|
|
No functionnal change.
ok deraadt@, bluhm@, visa@
|
|
userland.
Inputs from markus@, ok sthen@
|
|
OK bluhm@, OK mpi@, henning@, jca@
|
|
which isn't aligned to 64 bits.
Based on pointers from Ori Bernstein
Reported by Ryan Keating
ok yasuoka@ deraadt@
|
|
makes output stats look plausible.
reported by jason tubnor
ok deraadt@
|
|
The trunk driver now has a new ioctl (SIOCxTRUNKOPTS), which for now only
has options for LACP:
* Mode - Active or Passive (default Active)
* Timeout - Fast or Slow (default Slow)
* System Priority - 1(high) to 65535(low) (default 32768/0x8000)
* Port Priority - 1(high) to 65535(low) (default 32768/0x8000)
* IFQ Priority - 0 to NUM_QUEUES (default 6)
At the moment, ifconfig only has options for lacpmode and lacptimeout
plumbed as those are the immediate need.
The approach taken for the options was to make them on a "trunk" vs a
"port" as what's typically seen on various NOSes (JunOS, NXOS, etc...)
as it's uncommon for a host to have one link "Passive" and the other
"Active" in a given trunk.
Just like on a NOS, when applying lacpmode or lacptimeout, the settings
are immediately applied to all existing ports in the trunk and to all
future ports brought into the trunk.
Tested by many on a plethora of NIC drivers and switches.
Ok remi@
|
|
with an EPERM, but the target rdomain will still be created.
Move the check for an lo(4)'s if_index/if_rdomain to before the creation of a
nonexisting target routing table.
ok benno@ claudio@ mpi@
|
|
for sockets is non-blocking.
This allows us to G/C SS_NBIO. Having to keep the two flags in sync
in a mp-safe way is complicated.
This change introduce a behavior change in sosplice(), it can now
always block. However this should not matter much due to the socket
lock being taken beforhand.
ok bluhm@, benno@, visa@
|
|
properly. This had caused an panic when the mbuf pointer is updated.
Found by IIJ.
ok dlg
|
|
Due to the missing "void", this
extern void pf_purge_expired_src_nodes();
is no prototype but a declaration. It is enough to suppress the
'implicit declaration' warning but it does not allow the compiler to
check the arguments passed to the calls of the function.
Fix the prototypes and don't pass the waslocked argument anymore. It has
been removed a year ago.
ok sashan henning
|
|
version to in pflow_get_mbuf(),
to match the rest of the file
ok benno@ florian@
|
|
ioctl function after the device has been pulled out. Also accept
this error code in bpf_detachd() to prevent a kernel panic. tcpdump(8)
may run while the interface is detached.
from Moritz Buhl; OK stsp@
|
|
an attribute of an address is changed.
For now it's used when IPv6 duplicate address detection finishes.
With this slaacd(8) can find out if a configured address is not
duplicated without the need to poll.
OK phessler, benno, claudio
|
|
OK mpi@, OK henning@, OK jca@
|
|
magic constant to panic() calls.
ok benno@ henning@ tb@
|
|
|
|
Document that some chips actually could do hardware checksum offload for
encapsulated packets, though that would need special handling in those
drivers.
discussions and ok naddy@
|
|
when we moved most of the functionality into a function. g/c the macro
and just call the function. ok mpi jca
|
|
pf_group_change() - the latter is called by _addmemeber now to update dynaddr.
before this, "set skip on lo", ifconfig lo1 create -> no skip on lo1 until
pf rueset got reloaded. Now lo1 gets the skip flag as intended. This has
caused much confusion with i. e. gif interfaces in the past.
ok benno, very excited ok phessler
|
|
set flags from the group. ok phessler benno
|
|
OK mpi@
|
|
protocol specific ones.
OK mpi@
|
|
Mercury, Bowie, Cash, Motorola and DEC all left us.
Just pf still has a default state table limit of 10000.
Had! Now it's a tiny little bit more, 100k.
lead guitar: me
ok chorus: phessler theo claudio benno
background school girl laughing: bob
|
|
the state was created on this host, i. e. not for those pfsync-imported.
whether pfsync-imported states should be accounted is a seperate discussion,
but as things are, we only increment the counter in pf_create_state(), and
imported states don't excercise that path.
probably fixes the half-open states accounting underflow-wraparounds that
some people have been seeing.
ok sashan
|
|
variables can be delared constant.
OK claudio@ mpi@
|
|
ok benno sashan
|
|
by pf in the packet header. pf_delay_pkt reads the delay value from the packet
header, schedules a timeout and re-queues the packet when the timeout fires.
ok benno sashan
|
|
change to rtsock.c. This simplifies the pfkey code since there is no special
wrapping needed and in general the PRU cases get easier.
OK bluhm@ henning@ mpi@
|