Age | Commit message | Author |
|
For masks of identical length rn_lexobetter() did not stop on the
first non-equal byte. This leads rn_addroute() to not detect
duplicate entries and thus we might create a very long list of masks
to check for each node.
This can have a huge impact on IPsec performance, where non-contiguous
masks are used for the flow lookup. In a setup with 1300 flows we
saw 400 duplicate masks and only a third of the expected throughput.
Lots of help in narrowing this down from markus@.
Improved comments from claudio@.
OK markus@, claudio@
|
|
steal a page from dlg@ and embed a workq_task struct directly in
the aoe_handler struct so that we won't fail when enqueueing a task
while here, create real debugging printfs vice commenting out regular ones,
and kill with fire the excessive number of includes
ok marco@ tedu@
|
|
Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.
ok deraadt@ miod@ matthew@ jasper@ macro@
|
|
number space. In fact they are independent and must be handled
separately. Fix traceroute via pf by splitting pf_icmp_mapping()
into IPv4 and IPv6 sections.
ok henning@ mcbride@; tested mcbride@; sure deraadt@
|
|
as the kernel now compiles w/o ``#include <sys/pool.h>'' in mbuf.h; removing
that line, though, is for another day, as a userland program (systat, IIRC)
fails to build without it there.
ok krw@
|
|
without holding splsoftnet. this adds the necessary protection.
reported by patrick coleman
|
|
ok dlg@
|
|
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
|
Learned the hard way. dlg@ confirmed that it is safe to just remove them,
the desync will still work but the reader needs to dequeue all packets first.
|
|
condition that prevents us from queuing it, which in turn means that
processes listening on the routing socket for changes to the kernel state
will get out of sync. currently this is handled by the following comment:
/* should notify about lost packet */
this change introduces a new rtsock message called RTM_DESYNC that
notifies about lost packets and uses it instead of this comment.
when we detect loss we flush all the messages in the routing socket and
attempt to queue an RTM_DESYNC message instead. to guarantee that we will
enqueue DESYNC we keep trying it when an attempt to enqueue or dequeue
any messages is made, and in the worst case a timeout tries to guarantee
that desync is added to the socket.
I've been running this in production for 2 or 3 weeks.
tested by sthen@
ok sthen@ claudio@ deraadt@
code written by andrew sallaway at the university of queensland.
|
|
+ find.fp_wsize *= find.fp_mss;
From: Ed Schouten <ed at FreeBSD.org>
|
|
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
the callback functions. This fixes a problem where dynamic routes in
different tables would not get deleted because the callback was doing
the remove on the wrong table.
OK henning@
|
|
actually have a protocol/address family set. Messages like RTM_IFINFO or
RTM_IFANNOUNCE are family independent and should not be filtered but
it is possible to use a ROUTE_MSGFILTER to filter these messages.
This allows reducing the messages sent to AF_INET or AF_INET6 only daemons.
OK henning@, deraadt@
|
|
sending a bulk update, only say we're using the states referenced
by the next and last pointers into the table. this means the pf
timeout thread can keep trimming states during a bulk update.
|
|
+#if defined(PFSYNC_DEBUG)
|
|
keeps on building them, which means that it floods the tx ring on
the pfsync interface rather than actually sending many packets.
this change correctly calculates when we've filled a bulk update
packet.
many thanks to david@ for making me go chase this. I've been wondering
why the state count on my firewalls has had such a discrepancy for
a long time now.
|
|
pfsync_bulk_start sets up a bulk transfer by doing this:
sc->sc_bulk_next = TAILQ_FIRST(&state_list);
sc->sc_bulk_last = sc->sc_bulk_next;
and then calls pfsync_bulk_update which loops over state_list like
this:
st = sc->sc_bulk_next;
while (st != sc->sc_bulk_last) {
basically bulk updates never got sent.
this diff handles jjs problem by not attempting to send a bulk
update when the state table is empty and fixes the loop to break
at the right times.
reported by david@ whose initial tests are positive.
reviewed by mcbride@
tested in production at work.
|
|
aligned.
OK claudio@
|
|
"that looks about right even though the offset calculation is pure
horror" claudio@, ok deraadt@
|
|
- pipex failed to lookup the radix tree because address and netmask
were not initialized.
- pipex used the wrong place as an IP header because it didn't adjust the
32-bit address family header that is added at tun_output.
|
|
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
|
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
IFF_PROMISC check that ensures that only local packets make it into the
network stack. Check both the original ifp and the new ifp for IFF_PROMISC.
Problem identified by Patrick Coleman.
OK mcbride@, henning@
|
|
|
|
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
Adopted from the loop lo0 code.
|
|
broken by ryan in australia
problem found & nagging by sthen
jsg found the fix but failed to apply the cluestick correctly ;)
test & ok sthen
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
- 'make -Fi' reset ALL the interface statistics
can be restricted with -i ifname
- 'make -Fa -i ifname' fail (it's meaningless)
- get rid of a silly little struct that's only used for one thing
ok henning
|
|
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
is for, it is not very obvious... with ryan and jsing
|
|
walking the ruleset and up until state is fully set up) into pf_pdesc instead
of passing around those 4 separately all the time, also shrinks the argument
count for a few functions that have/partially had an insane count of arguments.
kinda preparational since we'll need them elsewhere too, soon
ok ryan jsing
|
|
Reported by Alexander Vladimirov.
|
|
is fired afterwards. Fixes a use after free crash.
|
|
the one used by Cisco. It sends a return gre packet inside a gre packet
to the other side and expects it to return.
OK deraadt, reyk additional testing by sthen
|
|
ok ryan theo reyk
|
|
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
|
|
QinQ-compliant svlan (service VLAN) interfaces are implemented as
a new cloner type, use Ethernet type 0x88a8, and have a dedicated
VLAN tag hash to avoid ID conflicts. vlan(4) interfaces can be
stacked on top of svlan(4).
Originally from reyk@, input from claudio@ and deraadt@
ok claudio@
|
|
does no overflow checking and does not set the congestion flag. Protocol
input queues (inet, inet6, ...) should always use IF_INPUT_ENQUEUE().
OK henning@
|
|
ether_output() and later on other L2 output functions use a trick and overload
the ifp->if_output() function pointer on MPLS enabled interfaces to
go through mpls_output() which will then call the link level output function.
By setting IFXF_MPLS on an interface the output pointers are switched.
This now allows cleaning up the MPLS input and output paths and fixing mpe(4)
so that the MPLS code now actually works for both P and PE systems.
Tested by myself and michele
(A custom kernel with MPLS and mpe enabled is still needed).
|
|
afterwards
diff from gleydson soares
ok claudio@
|
|
only the MPLS bits from a route set rtm_fmask to RTF_MPLS. Additionally check
if the nexthop is modified and in that case always remove the MPLS info since
the path changed. This change makes life in userland a lot easier since the
routing daemons normally don't know about MPLS and until now they destroyed
MPLS information when issuing RTM_CHANGEs.
OK michele@
|
|
This is needed because pf_state_peer_hton() skips some fields in certain
situations which could result in garbage being sent to the other peer.
This seems to fix the pfsync storms seen by stephan@ and so dlg owes me
a whiskey.
OK dlg@, stephan@
|
|
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
is defined.
|
|
to the new MAC. But subsequently added ports were still being assigned the
old MAC address because it was copied from the wrong place. Give newly added
trunk ports the current MAC of the master port, rather than the saved MAC of
the master port. The saved MAC should only be used to restore the original
MAC address of the interface when it is removed from the trunk.
ok claudio@
|
|
call the interface-specific ioctl handler as well in case the driver
needs to do something special. E.g. if_trunk expects this in order to
update MAC addresses of its trunk ports.
If you now see "Inappropriate ioctl for device" errors after running
"ifconfig $if lladdr random" please let me know. Most likely the ioctl
handler of the driver needs fixing.
ok claudio@, "I only count half an ok for networking" tedu@
|