summaryrefslogtreecommitdiff
path: root/sys/net
AgeCommit message (Collapse)Author
2011-01-25pool is properly spelled pl. makes this one fit in netstat column.Ted Unangst
2011-01-22Pf must not scrub packets which will be dropped anyway.Alexander Bluhm
ok henning@ markus@
2011-01-21make mpls compile w/o errors when inet6 is not definedMike Belopuhov
diff from form@ who's too busy drinking vodka with pelmeni to commit this; ok claudio
2011-01-20The reason accounting in pf_reassemble() was not correct. ChangeAlexander Bluhm
pf_reassemble() to return PF_DROP or PF_PASS and *m0 is NULL or the reassembled packet. In case of PF_DROP, the mbuf must be valid, e.g. for logging, and will be freed later. In case the reassembled packet is too big, use the reassembled mbuf for PF_DROP. ok henning@ markus@
2011-01-19Give pf_normalize_ip() the same 3 way semantics as pf_test().Alexander Bluhm
- PF_DROP, the packet is bad, the mbuf still exists and must be freed. - PF_PASS and *m0 is NULL, the packet has been processed, not an error. - PF_PASS and *m0 is not NULL, continue with packet processing. This fixes a potential mbuf use after free. ok henning@ markus@ mpf@
2011-01-18When changing the ifa_broadaddr broadcast address, ifa_update_broadaddr()Alexander Bluhm
copied the pointer to the sockaddr instead of the content of sockaddr_in. As the source of the data resides on the stack, the pointer got invalid later and the kernel crashed. As only addresses with fixed size are used, sa_len bytes of the sockaddr can be coppied. ok krw@ markus@ mpf@ claudio@ henning@
2011-01-12Never include SADB_X_EXT_REMOTE_AUTH (which is either aMike Belopuhov
passphrase or an RSA key) in the reply message. There's nothing that justifies this behavior and PF_KEY RFC prefers to exclude keys and other sensitive material from replies. Discussed with reyk, no objections from deraadt.
2011-01-11for key material that is being being discarded, convert bzero() toTheo de Raadt
explicit_bzero() where required ok markus mikeb
2011-01-11Perform IP options check in pf_test_rule(), before creating state.Ryan Thomas McBride
ok claudio henning dlg miod
2011-01-11delay deferred packets for a maximum of 20ms instead of 100 ticks (whichDavid Gwynne
varies by arch). the 20ms is still up for discussion. ok deraadt@
2011-01-10If pf_test() was called recursively, the global variable pf_hdrsAlexander Bluhm
could be used multiple times for different packets. This happened when pflow(4) was used. Instead of a global variable, store the pf_headers in a local variable on the stack. david@ found the bug, narrowed it down and tested the fix. ok henning@
2011-01-10DPFPRINTF already adds the "pf: ", no need to put it in the errorRyan Thomas McBride
string. ok henning dlg claudio
2011-01-06dst my point to memory inside rt so move the check up before theClaudio Jeker
rtfree(rt). Without this the sp_protocol on RTM_DELETE is garbage and rtsocket user that restrict the AF of the socket (like ospfd) will not see a single one of the RTM_DELETE. OK henning@, dlg@
2011-01-06Minor style nitClaudio Jeker
2011-01-06Put htons() around ip_randomid() for pf scrub random-id to make itAlexander Bluhm
consistent with the network stack. ok mcbride@ henning@
2011-01-06Do not assign m->m_pkthdr.rdomain before m was allocated.Claudio Jeker
Fix for rev 1.37 commit which would crash when slip(4) is used. Problem found the hard way by Henri Kemppainen.
2011-01-05Remove mbuf ptr save dance in pf_test6(). It was a leftover withAlexander Bluhm
misleading comment that did nothing. ok henning@ jsing@
2011-01-04in bpf_movein(), range-check mbuf size against MCLBYTES beforeTheo de Raadt
size_t to int truncation ok claudio
2011-01-03Allow to change vlan options of existing vlan(4)/svlan(4) devices atReyk Floeter
runtime instead of forcing the user to-recreate the interface with the changed options. The code now re-configures the interface instead of returning EBUSY. For example, it is now possible to run "ifconfig vlan1 vlandev em0; ifconfig vlan1 vlandev em1" in a sequence. ok claudio@ deraadt@
2010-12-31Remove dead code from pf_norm.c. The fragment cache is some leftoverAlexander Bluhm
from fragment crop. PFFRAG_NOBUFFER and PFFRAG_DROP are never set. pf_cache_pl and pf_cent_pl have no pool_get. ok henning@
2010-12-31Address comparisson is implemented twice in pf.c. Put this into aAlexander Bluhm
common function pf_addr_compare(). ok henning@
2010-12-24in pf_src_connlimit, the indices to sk->addr were swapped.Henning Brauer
tracked down and diff sent by Robert B Mills <rbmills at sdf.lonestar.org> thanks, very good work! ok claudio
2010-12-21Convert netisr to a normal soft interrupt instead of hanving MD codeClaudio Jeker
for it. This makes the netisr a real C function which will help further development. No noticable performance change on i386 and amd64. With input from kettenis@ and miod@ additional OKs mikeb@ and henning@
2010-12-15Be more careful when copying the pf rule from userland into the kernel.Claudio Jeker
All pointers in the struct need to be cleared and reset. So instead of bcopy the struct and clear some fields start with a clean struct and assign the values that need to be copied. Fixes a local vulnerability but only root can issue the problematic ioctl(). Reported by Jean Sigwald, has been in snaps for a while and OK deraadt@
2010-12-07remove a bunch of unused argumentsJonathan Gray
ok henning@
2010-11-29Let ifa_print_rb() build on INET6-free kernels. Repairs RAMDISK on a fewMiod Vallat
platforms.
2010-11-29use m_pulldown to get a contig view of the pfsync_header instead ofDavid Gwynne
m_pullup. not really a significant change since most rx bufs (which we read pfsync packets from) are a single contig cluster coming off the network, so we rarely hit the case m_pullup was called in.
2010-11-29get rid of struct pfsync_pkt. it was used to store data on the stack toDavid Gwynne
pass to all the submessage handlers, but only the flags part of it was ever used. just pass the flags directly instead.
2010-11-28there's no need to take splsoftnet in the input packet action handlersDavid Gwynne
since theyre only ever called from pfsync_input, which is only called from ipintr, which is only called by softnet.
2010-11-24malloc the temporary struct pppx_if used in pppx_if_find (it's currentlyStuart Henderson
only called from pppx_del_session); lets an amd64 pppx kernel build (otherwise we hit excessive stack use warnings with -Werror). if this ends up being called more frequently in future, then dlg suggests making it static instead. ok claudio@
2010-11-20throw some yields into the pf table code so it doesn't lock up the kernel.Ted Unangst
ok deraadt henning
2010-11-20__attribute__((packed)) -> __packed. The ioprbs.c chunk was commented out, andMiod Vallat
uncommenting it is intentional. ok deraadt@
2010-11-20remove bs_list occurrences. fixes panic on destroy.Federico G. Schwindt
ok from the m guild: mikeb@ miod@ mpf@
2010-11-17make ifa_ifwithaddr use the RB tree for lookups instead of nested listHenning Brauer
walking. make the function shorter, easier and faster with many addresses while still being at least as fast as the old one with a common "on real IP" setup. tested by many, ok claudio sthen dlg krw
2010-11-17add ifa_print_rb(), dumps the RB tree to the console, can be called fromHenning Brauer
ddb>, ok claudio dlg krw sthen
2010-11-17maintain an RB tree of ifaddrs in the system (addresses and broadcast addrs,Henning Brauer
the latter is also the dest addr on P2P interfaces) for faster lookups in the future. walking the linked list of all interfaces in the system to walk the linked list of addresses on each of them isn't particularily fast, especially with many interfaces and addresses. written at n2k10 in australia in january, but had to be backed out. the offenders have been fixed: -ipvshit rtsol code calling these functions in interrupt context (surprised this hasn't caused more havoc) -various places in the stack added empty ifaddr structs, filling them in later -sloppy recycling of ifaddrs in some places finished at j2k10 in japan in september tested by many, ok sthen krw dlg claudio
2010-11-17an extra parameter for in_ifinit, indicating wether the ifaddr passed to itHenning Brauer
is new or an already existing one. for existing ones, call ifa_del first tested by many as part of a larger diff, ok claudio dlg krw sthen
2010-11-17introduce ifa_update_broadaddr to update an ifaddr's broadcast address,Henning Brauer
trivial for the moment, more needed soon tested by many as part of a larger diff, ok sthen claudio dlg krw
2010-11-16If the interface address referenced by a cloning route did not pointAlexander Bluhm
to an interface any more, the kernel crashed with a null pointer dereference. This situation could be created by a strange sequence of route and ifconfig commands. Now when a cloning route references a stale interface address and rtrequest1(RTM_RESOLVE) has to create a cloned route, it does a lookup for a valid interface address with the same ip address. The new interface address and its interface are used for the new cloned route and they replace the old ones at the cloning route. ok claudio@, henning@
2010-11-12avoid pointer arithmetic on void *David Hill
no change in .o ok claudio
2010-11-04Filter out reserved destination MAC addresses (01:80:C2:00:00:0x) asPaul de Weerd
per the 802.1D-2004 spec. With lots of help and guidance (and some nagging) from claudio. Tested with net/ladvd port on i386 and amd64. 'be a man' claudio@, ok mpf@
2010-10-31Remove unused bstp_list and bstp_attach.Marco Pfatschbacher
OK blambert, claudio.
2010-10-29Align to 32-bits instead of sizeof(long) which may be bigger. There is noCan Erkin Acar
practical value of aligning things to 64-bit and waste more space then necessary on some architectures. ok deraadt@
2010-10-28Fix a 'bstp still active' panic that happens if a stp enabledMarco Pfatschbacher
interface is destroyed while in the bridge. Fixed by using bridge_delete() which includes the missing bstp_delete() call: Less code and more consistency. Also fix SIOCBRDGDEL to return an error if an interface can not be found. OK claudio, markus.
2010-10-28Do not send route messages to userland processes that the kernelClaudio Jeker
rejects because of bad encoding. Userland processes trust that the messages on the rtsock are correctly encoded. Moved some checks up to do the suser() check as soon as possible. After discussion with deraadt@, OK deraadt@ and sthen@ (earlier version)
2010-10-28A function that only returns NULL should return void.Claudio Jeker
bstp_input() always consumes the packet so remove the mbuf handling dance around it.
2010-10-25move to static initializers for the ifnet/ifg_head TAILQ'sBret Lambert
fixes a race-based kernel crash under rare circumstances reported and fix tested by chefren att pi daht net ok claudio@ henning@
2010-10-23remove PFR_FLAG_ATOMIC. not used, and doesn't work as advertised.Ted Unangst
ok henning
2010-10-18Revert non-compatible and undocumented bullshit commited by 3 developersTheo de Raadt
who decided to just do it on their own. henning, mcbride, jsing -- shame on you -- if you had shown this diff to just 1 other network developer, the astounding mistake in it would have been noticed. Start practicing inclusionary development instead of going alone. ok claudio
2010-10-17Add quirks support to operating system fingerprinting. tcpdump partJoel Sing
by mcbride@. ok mcbride@ henning@