path: root/sys/net
Age  Commit message  Author
2010-08-22  Fix a 16 year old bug in the sorting routine for non-contiguous netmasks.  (Marco Pfatschbacher)
    For masks of identical length rn_lexobetter() did not stop on the first non-equal byte. This leads rn_addroute() to not detect duplicate entries and thus we might create a very long list of masks to check for each node. This can have a huge impact on IPsec performance, where non-contiguous masks are used for the flow lookup. In a setup with 1300 flows we saw 400 duplicate masks and only a third of the expected throughput. Lots of help in narrowing this down from markus@. Improved comments from claudio@. OK markus@, claudio@
2010-08-21  an unchecked-for failure of workq_add_task could lead to an mbuf leak  (Bret Lambert)
    steal a page from dlg@ and embed a workq_task struct directly in the aoe_handler struct so that we won't fail when enqueueing a task
    while here, create real debugging printfs vice commenting out regular ones, and kill with fire the excessive number of includes
    ok marco@ tedu@
2010-08-07  No "\n" needed at the end of panic() strings.  (Kenneth R Westerback)
    Bogus chunks pointed out by matthew@ and miod@. No cookies for marco@ and jasper@. ok deraadt@ miod@ matthew@ jasper@ marco@
2010-08-05  In pf_icmp_mapping() the ICMP and ICMPv6 types shared the same  (Alexander Bluhm)
    number space. In fact they are independent and must be handled separately. Fix traceroute via pf by splitting pf_icmp_mapping() into IPv4 and IPv6 sections. ok henning@ mcbride@; tested mcbride@; sure deraadt@
2010-07-31  another pair of files which relied on mbuf.h for pool.h; should be the last,  (Bret Lambert)
    as the kernel now compiles w/o ``#include <sys/pool.h>'' in mbuf.h; removing that line, though, is for another day, as a userland program (systat, IIRC) fails to build without it there. ok krw@
2010-07-28  pfsync_bulk_fail was mucking around with pfsync_softc and sending packets  (David Gwynne)
    without holding splsoftnet. this adds the necessary protection. reported by patrick coleman
2010-07-25  Add missing braces so a loop will function as intended.  (Jonathan Gray)
    ok dlg@
2010-07-20  Switch some obvious network stack MAC comparisons from bcmp() to  (Matthew Dempsky)
    timingsafe_bcmp(). ok deraadt@; committed over WPA.
2010-07-14  The append side of a socketbuffer is not allowed to call sbflush().  (Claudio Jeker)
    Learned the hard way. dlg@ confirmed that it is safe to just remove them, the desync will still work but the reader needs to dequeue all packets first.
2010-07-14  if we produce a lot of rtsock messages it is possible we will hit a  (David Gwynne)
    condition that prevents us from queuing it, which in turn means that processes listening on the routing socket for changes to the kernel state will get out of sync. currently this is handled by the following comment:
        /* should notify about lost packet */
    this change introduces a new rtsock message called RTM_DESYNC that notifies about lost packets and uses it instead of this comment. when we detect loss we flush all the messages in the routing socket and attempt to queue an RTM_DESYNC message instead. to guarantee that we will enqueue DESYNC we keep trying it when an attempt to enqueue or dequeue any messages is made, and in the worst case a timeout tries to guarantee that desync is added to the socket. I've been running this in production for 2 or 3 weeks. tested by sthen@ ok sthen@ claudio@ deraadt@ code written by Andrew Sallaway at the University of Queensland.
2010-07-13  - find.fp_wsize *= find.fp_mss, 1;  (Henning Brauer)
+ find.fp_wsize *= find.fp_mss;
    From: Ed Schouten <ed at FreeBSD.org>
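Review bot: the message shows only the before and after lines; since `find.fp_wsize *= find.fp_mss, 1;` parses as `(find.fp_wsize *= find.fp_mss), 1`, the assignment always executed and the trailing `, 1` was a dead comma operand, so a short note that this removes a no-op rather than changing behaviour would make the commit easier to read.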
2010-07-09  Add support for using IPsec in multiple rdomains.  (Reyk Floeter)
    This allows running isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, e.g. enc1 rdomain 1. Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@
2010-07-09  Add the rtableid to struct rttimer and therefore make it available to  (Claudio Jeker)
    the callback functions. This fixes a problem where dynamic routes in different tables would not get deleted because the callback was doing the remove on the wrong table. OK henning@
2010-07-09  When protocol filtering is used on the rtsocket filter only messages that  (Claudio Jeker)
    actually have a protocol/address family set. Messages like RTM_IFINFO or RTM_IFANNOUNCE are family independent and should not be filtered but it is possible to use a ROUTE_MSGFILTER to filter these messages. This allows reducing the messages sent to AF_INET or AF_INET6 only daemons. OK henning@, deraadt@
2010-07-09  instead of saying we're using all the states in the table when  (David Gwynne)
    sending a bulk update, only say we're using the states referenced by the next and last pointers into the table. this means the pf timeout thread can keep trimming states during a bulk update.
2010-07-09  -#if 1 || defined(PFSYNC_DEBUG)  (David Gwynne)
+#if defined(PFSYNC_DEBUG)
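Review bot: `#if 1 || defined(PFSYNC_DEBUG)` compiled the debug block unconditionally, so dropping the `1 ||` re-enables the PFSYNC_DEBUG gate; a one-line message saying this was a leftover debugging override being removed would help anyone bisecting pfsync behaviour.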
2010-07-09  the current code doesn't detect when it's filled a bulk packet so it  (David Gwynne)
    keeps on building them, which means that it floods the tx ring on the pfsync interface rather than actually sending many packets. this change correctly calculates when we've filled a bulk update packet. many thanks to david@ for making me go chase this. I've been wondering why the state count on my firewalls has had such a discrepancy for a long time now.
2010-07-09  sending of bulk updates has been very broken since r1.124.  (David Gwynne)
    pfsync_bulk_start sets up a bulk transfer by doing this:
        sc->sc_bulk_next = TAILQ_FIRST(&state_list);
        sc->sc_bulk_last = sc->sc_bulk_next;
    and then calls pfsync_bulk_update which loops over state_list like this:
        st = sc->sc_bulk_next;
        while (st != sc->sc_bulk_last) {
    basically bulk updates never got sent. this diff handles jjs problem by not attempting to send a bulk update when the state table is empty and fixes the loop to break at the right times. reported by david@ whose initial tests are positive. reviewed by mcbride@ tested in production at work.
2010-07-09  Modified to make sure that pipex_mppe_output() keeps the packet 32bit  (YASUOKA Masahiko)
    aligned. OK claudio@
2010-07-08  Use correct alignment for scrub max-mss. Based on a diff from deraadt.  (Stuart Henderson)
    "that looks about right even though the offset calculation is pure horror" claudio@, ok deraadt@
2010-07-08  pipex didn't work on output. Fixed following problems:  (YASUOKA Masahiko)
    - pipex failed to lookup the radix tree because address and netmask were not initialized.
    - pipex used the wrong place as an IP header because it didn't adjust for the 32bit address family header that is added at tun_output.
2010-07-03  Fix the naming of interfaces and variables for rdomains and rtables  (Philip Guenthe)
    and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0. Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped. Written by claudio@, criticized^Wcritiqued by me
2010-07-03  s/$Id$/$OpenBSD$/  (YASUOKA Masahiko)
2010-07-02  m_copyback can fail to allocate memory, but is a void function so gymnastics  (Bret Lambert)
    are required to detect that. Change the function to take a wait argument (used in nfs server, but M_NOWAIT everywhere else for now) and to return an error ok claudio@ henning@ krw@
2010-07-02  Some functions change the ifp during ether_input(). This confuses the  (Claudio Jeker)
    IFF_PROMISC check that ensures that only local packets make it into the network stack. Check both the original ifp and the new ifp for IFF_PROMISC. Problem identified by Patrick Coleman. OK mcbride@, henning@
2010-07-02  remove prototype of okaytoclone, which got removed in 1.117  (Jonathan Gray)
2010-07-01  g/c unused param to pf_translate  (Henning Brauer)
2010-07-01  Allow to specify an alternative enc(4) interface for an SA. All  (Reyk Floeter)
    traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow grouping individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes:
    - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers.
    - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel.
    - Update enc(4) again to use an allocated array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
    Discussed with many, tested by a few, will need more testing & review. ok deraadt@
2010-07-01  We have to add enc0 to the "enc" interface group manually on boot.  (Reyk Floeter)
    Adopted from the loop lo0 code.
2010-06-30  fix route label awesomeness, issue also known as PR6416  (Henning Brauer)
    broken by ryan in australia
    problem found & nagging by sthen
    jsg found the fix but failed to apply the cluestick correctly ;)
    test & ok sthen
2010-06-29  Replace enc(4) with a new implementation as a cloner device. We still  (Reyk Floeter)
    create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
2010-06-28  Clean up interface stats handling:  (Ryan Thomas McBride)
    - 'make -Fi' reset ALL the interface statistics, can be restricted with -i ifname
    - 'make -Fa -i ifname' fail (it's meaningless)
    - get rid of a silly little struct that's only used for one thing
    ok henning
2010-06-28  Add the rtable id as an argument to rn_walktree(). Functions like  (Claudio Jeker)
    rt_if_remove_rtdelete() need to know the table id to be able to correctly remove nodes. Problem found by Andrea Parazzini and analyzed by Martin Pelikán. OK henning@
2010-06-27  fix a comment and add a new one to make clear what the mbuf ptr save dance  (Henning Brauer)
    is for, it is not very obvious... with ryan and jsing
2010-06-27  stuff nsaddr/ndaddr/nsport/ndport (addrs/ports after NAT, used a lot while  (Henning Brauer)
    walking the ruleset and up until state is fully set up) into pf_pdesc instead of passing around those 4 separately all the time, also shrinks the argument count for a few functions that have/partially had an insane count of arguments. kinda preparational since we'll need them elsewhere too, soon ok ryan jsing
2010-06-27  Fix DIOCCHANGERULE ioctl broken in the remove of the address pools.  (Ryan Thomas McBride)
    Reported by Alexander Vladimirov.
2010-06-26  timeout_del() the timers before destroying an interface so that no timeout  (Claudio Jeker)
    is fired afterwards. Fixes a use after free crash.
2010-06-26  Implement a simple keepalive mechanism in gre(4) that is compatible with  (Claudio Jeker)
    the one used by Cisco. It sends a return gre packet inside a gre packet to the other side and expects it to return. OK deraadt, reyk additional testing by sthen
2010-06-26  bye bye DLT_OLD_PFLOG & friends. dead since 2003. 7 years oughta be enough  (Henning Brauer)
    ok ryan theo reyk
2010-06-04  rt_timer_queue_destroy() did not actually destroy, leading to a potential  (Bret Lambert)
    memory leak due to misleading nomenclature. Change it to actually destroy, not just clean, the rt_timer_queue passed to it and adjust the correct caller accordingly (i.e., no need to free the mem on our own now). As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free cycles, and lets us sneak another bzero -> M_ZERO conversion in. ok claudio@
2010-06-03  Add support for 802.1ad-style QinQ nested VLANs.  (Christian Weisgerber)
    QinQ-compliant svlan (service VLAN) interfaces are implemented as a new cloner type, use Ethernet type 0x88a8, and have a dedicated VLAN tag hash to avoid ID conflicts. vlan(4) interfaces can be stacked on top of svlan(4). Originally from reyk@, input from claudio@ and deraadt@ ok claudio@
2010-05-31  Do not use IF_ENQUEUE() but IF_INPUT_ENQUEUE() instead. The first macro  (Claudio Jeker)
    does no overflow checking and does not set the congestion flag. Protocol input queues (inet, inet6, ...) should always use IF_INPUT_ENQUEUE(). OK henning@
2010-05-28  Rework the way we handle MPLS in the kernel. Instead of fumbling MPLS into  (Claudio Jeker)
    ether_output() and later on other L2 output functions use a trick and overload the ifp->if_output() function pointer on MPLS enabled interfaces to go through mpls_output() which will then call the link level output function. By setting IFXF_MPLS on an interface the output pointers are switched. This now allows cleaning up the MPLS input and output paths and fixing mpe(4) so that the MPLS code now actually works for both P and PE systems. Tested by myself and michele (A custom kernel with MPLS and mpe enabled is still needed).
2010-05-24  remove bpfdetach() here, because it is called correctly in if_detach()  (David Gwynne)
    afterwards diff from gleydson soares ok claudio@
2010-05-19  Require RTF_MPLS to be set when a mpls route is added or changed. To remove  (Claudio Jeker)
    only the MPLS bits from a route set rtm_fmask to RTF_MPLS. Additionally check if the nexthop is modified and in that case always remove the MPLS info since the path changed. This change makes life in userland a lot easier since the routing daemons normally don't know about MPLS and until now they destroyed MPLS information when issuing RTM_CHANGEs. OK michele@
2010-05-12  bzero() the full compressed update struct before setting the values.  (Claudio Jeker)
    This is needed because pf_state_peer_hton() skips some fields in certain situations which could result in garbage being sent to the other peer. This seems to fix the pfsync storms seen by stephan@ and so dlg owes me a whiskey. OK dlg@, stephan@
2010-05-11  Massive cleanup of the gif(4) mess. Move encapsulation into gif_output()  (Claudio Jeker)
    where it is not necessary to guess protocols by looking at the first nibble. in_gif_output() will encapsulate the packet but not send it. Because of etherip support and the way the bridge works a minimal hack is needed in gif_start() to ensure that the bridged packets are encapsulated as well. This actually started with the idea to add MPLS support but that turned out to be not as simple as in the gre(4) case. Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6) OK sthen@
2010-05-11  Add support for MPLS in GRE. Fairly trivial and a NOP unless option MPLS  (Claudio Jeker)
    is defined.
2010-05-08  Upon changing the MAC address of an if_trunk interface, all ports are switched  (Stefan Sperling)
    to the new MAC. But subsequently added ports were still being assigned the old MAC address because it was copied from the wrong place. Give newly added trunk ports the current MAC of the master port, rather than the saved MAC of the master port. The saved MAC should only be used to restore the original MAC address of the interface when it is removed from the trunk. ok claudio@
2010-05-08  While handling SIOCSIFLLADDR, after adjusting the MAC of the interface,  (Stefan Sperling)
    call the interface-specific ioctl handler as well in case the driver needs to do something special. E.g. if_trunk expects this in order to update MAC addresses of its trunk ports. If you now see "Inappropriate ioctl for device" errors after running "ifconfig $if lladdr random" please let me know. Most likely the ioctl handler of the driver needs fixing. ok claudio@, "I only count half an ok for networking" tedu@