path: root/sys/net
Age  Author  Commit message
2011-05-25  Claudio Jeker
Don't do last minute changes to diffs. Revert the argument change to pf_scrub in the rule (no-state) case. Since the action (a) may be NULL for e.g. the implicit pass rule. Should fix the panics seen by other people.
2011-05-24  Claudio Jeker
Merge pf_scrub_ip() and pf_scrub_ip6() into a single function. Call pf_scrub with the right arguments in the rule case so that match rules will work as expected. As a benefit allow setting the tos on IPv6 packets as well. OK henning@
2011-05-22  Claudio Jeker
Do not pass AF specific information to pf_test_rule() and PFLOG_PACKET() because either the info is already available in struct pd or easy to figure out. Makes pf_test() and pf_test6() even more similar (with the target to remove one of them in the near future). OK henning@
2011-05-20  Stuart Henderson
Change 'set skip on <...>' to work with interface groups. Feedback from various people, ok henning@

Previously if an interface type (without number), e.g. "set skip on vlan" or "set skip on em" was used, it would have the undocumented behaviour of matching any interface of that type. Now it will only match an interface which is a member of the named group.

This results in some changed behaviour: If you currently use "set skip" with a physical interface type (e.g. "set skip on ix") you will need to add the interface to a group of that name: 'ifconfig ix0 group ix' or add 'group ix' to hostname.ix0. Interfaces cloned at runtime (e.g. lo, trunk, vlan, pppoe, carp, gif, mpe and others) default to being in a group named after the interface type, so for these interfaces there will be no change in behaviour unless you have deliberately changed groups, e.g. 'ifconfig carp456 -group carp'.
2011-05-17  Mike Belopuhov
exclude link local address from the dynamic interface address pool so that rules like "pass out on vr1 inet6 nat-to (vr1)" won't map to the non routable ipv6 link local address; with suggestions and ok claudio, henning
2011-05-16  Henning Brauer
bring back r1.189, but keep doing the ip csum unconditionally for now until the broadcast shortcut codepath is fixed. ok claudio
2011-05-13  Owain Ainsworth
Revert the pf->socket linking diff.

at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw with xxxterm not sure about pirofti) involving pool corruption while using this commit. krw and todd confirm that this backout fixes the problem. ok blambert@ krw@, todd@ henning@ and kettenis@

Double link between pf states and sockets. Henning has already implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
- In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
ok henning@
2011-05-10  David Gwynne
when undeferring a packet, try to timeout_del first to check if you actually removed it from the timeout wheel before releasing it. if timeout_del returns 0 then you know the timeout is about to run or is already running, meaning it will free itself so you don't have to.

this handling is only done for the undefer paths at SOFTNET since it is higher than SOFTCLOCK which timeouts run from. it is possible for a timeout to start running at softclock and get interrupted by softnet. the undefer in process context blocks both these interrupts while it undefers, so it is impossible for the timeout to run and cause the list to be in this inconsistent state.
2011-05-04  Bret Lambert
Collapse m_pullup and m_pullup2 into a single function, as they're essentially identical; the only difference being that m_pullup2 is capable of handling mbuf clusters, but called m_pullup for shorter lengths (!). testing dlg@ ok claudio@
2011-04-29  Claudio Jeker
Why precompute the route for the gre tunnel when ip_output can do that for you without the nasty side-effects of the precomputation? Fixes strange problems seen on directly connected tunnels and probably behaves a lot better. This still caches the route for subsequent packets. Testing and OK phessler
2011-04-24  Alexander Bluhm
Double link between pf states and sockets. Henning has already implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
- In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
ok henning@
2011-04-23  Alexander Bluhm
pf_scrub_ip() does not modify the given mbuf pointer. So don't pass a pointer to a pointer to make the code in pf_test() clearer. ok henning@
2011-04-22  Alexander Bluhm
pf_pooladdr_pl does not exist anymore. Remove its extern declaration. ok henning@
2011-04-19  Charles Longeau
Fix potential null dereference. Found by LLVM/Clang Static Analyzer. ok henning@
2011-04-17  Stefan Sperling
in_ifinit() is not prepared to be called from interrupt context so add addresses from process context by scheduling a work queue. Fixes an assertwaitok panic. ok henning
2011-04-14  David Gwynne
knf. remove extra spaces and wrap long lines.
2011-04-13  Markus Friedl
export udpencap state of SA to userland; unbreaks sasyncd(8) with NAT/T. ok mikeb@ fries@ mpf@ henning@ dlg@ matthew@
2011-04-12  Mike Belopuhov
put the accepted socket of a diverted connection into the routing domain of a connection originator. this allows one to query the source rdomain with a SO_RTABLE socket option. figured out with reyk, ok claudio.
2011-04-10  Claudio Jeker
Revert Rev. 1.189. The delayed ip checksum calculation causes problems with broadcast packets.
2011-04-08  Matthew Dempsky
Fix a 64-bit arithmetic bug I stumbled upon while investigating our handling of recursive IPComp payloads. (This code is way old and may go away soon in favor of using sys/lib/libz, but committing anyway as plans aren't finalized yet.) ok deraadt@
2011-04-07  Miod Vallat
Correctly initialize local variables in pf_check_proto_cksum(), even for less blessed and non-loved protocols; temporary fix for correctness until the henning tornado rampages this function. "pls commit, ok" henning@
2011-04-07  Miod Vallat
Do not use NULL in integer comparisons. No functional change. ok matthew@ tedu@, also eyeballed by at least krw@ oga@ kettenis@ jsg@
2011-04-06  Claudio Jeker
Allow PF to filter on the rdomain a packet belongs to. This allows to write rules like "pass in on rdomain 1". Tested by phessler@, OK henning@
2011-04-05  Henning Brauer
in pf_check_proto_cksum, consider packets with the CSUM_OUT flags set to be ok. there is no checksum we could verify and for the moment these are locally generated packets anyway. and this really is just the stupid 'stealth bridge detection' countermeasure shit (when you want a "stealth" bridge and explicitly ask pf to return RSTs/icmp errors, you need to seek medical help in any case). this is needed so that we eventually can move the in_proto_cksum_out (and its ipvshit counterpart once we get it) calls to after the pf_test calls in the output routines. ok dlg fondue-kinda-ok claudio
2011-04-05  Henning Brauer
mechanic rename M_{TCP|UDP}V4_CSUM_OUT -> M_{TCP|UDP}_CSUM_OUT. ok claudio krw
2011-04-05  Stuart Henderson
handle ACK prioritization for v6, ok henning@
2011-04-05  Mike Belopuhov
ditch fastroute, an ipf feature that made its way into pf before route-to and friends were introduced making it obsolete. one even has to look it up in the ipf manual to get an idea what it's supposed to do. reuse some kernel bits for the upcoming nat64 stuff. "kill it with fire" from mcbride, "what mcbride said" from mpf, "kill kill kill" and ok henning.
2011-04-04  Bret Lambert
m_copyback is no longer a void function, so start using its error return instead of coming at it sideways to detect failure. ok claudio@
2011-04-04  Henning Brauer
de-guttenberg our stack a bit: we don't need 7 f***ing copies of the same code to do the protocol checksums (or not, depending on hw capabilities). claudio ok
2011-04-04  Bret Lambert
previous commit replaced a malloc(new) with malloc(sizeof(*new)) which leads to corrupted memory; backout to await a better fix
2011-04-04  Claudio Jeker
Don't do crazy address manipulations when looking up the remote end of the gre(4) tunnel. Instead just use a RT_NOCLONING route lookup and be done with it. Makes gre(4) work between systems in the same LAN. This diff was long enough on tech@ and nobody complained.
2011-04-04  Henning Brauer
and stop special casing the bridge for the ip cksum hardware offload decision here too, just like in ip_output, pointless.
2011-04-04  Henning Brauer
stop fiddling with the ip checksum here too, it is always recalculated in all output paths anyway. even worse than in the rest of pf, here we ran circles to update the ip cksum every time we flip a tiny bit in the header... pretty sure dlg claudio ok'd it and it is damn obvious anyway
2011-04-04  Bret Lambert
stop using the stupid R_Malloc/Bcopy/Free macros, and just start using malloc/bcopy/free, the way He Who Must Not Be Named intended. "yes please" claudio@
2011-04-04  Henning Brauer
there is no point at all in updating the ip checksum. it is always recalculated in all output paths anyway (why did it take us 10 years to notice?). ok claudio definite ok dlg
2011-04-04  Henning Brauer
all I wanted is to make the bridge behave like the real stack wrt the ip checksum. turned out it always recalculates it as long as your kernel does have pf compiled in, as in, always, since compilation of GENERIC without pf explodes in about a hundred ways. so rename bridge_filter -> bridge_ip and always compile it, pf or not, just make the pf_test calls #if NPF, and sync the ip fuckery code with ip_output. as a bonus this lets us use the checksum offloading to the NIC if it is capable of that. ok claudio dlg sthen
2011-04-03  Joel Sing
Always reserve space in the routing socket for a desync mbuf. This allows a desync to be appended when the socket buffer becomes full, rather than continually retrying until space becomes available (which may be never). ok claudio@
2011-04-03  Bret Lambert
Don't attempt to enqueue mbufs on sockets marked as SS_CANTRCVMORE, as was done earlier for routing sockets. ok claudio@
2011-04-02  David Gwynne
don't let pfsync defer packets for states with NOSYNC set.
2011-04-02  David Gwynne
add a pipex ioctl that lets you specify a description on pppx interfaces by session id. ok claudio@ yasuoka@ as part of a larger diff; code from jonathan matthew
2011-04-02  David Gwynne
configure the addresses on the pppx interface when it's created by npppd so it is immediately functional. ok claudio@ yasuoka@ as part of a larger diff; code by jonathan matthew
2011-04-02  David Gwynne
add the local ip address to the session request ioctl so npppd can tell it to the kernel. ok yasuoka@ claudio@ as part of a larger diff
2011-03-31  Jasper Lievisse Adriaanse
- use nitems(); no binary change. ok claudio@
2011-03-25  Claudio Jeker
Include original rdomain in DIOCNATLOOK. This allows userland proxies to establish cross rdomain proxy sessions. OK henning@, mpf@
2011-03-24  Alexander Bluhm
Reassemble IPv6 fragments in pf. In the forward case, pf refragments the packets with the same maximum size. This allows the sender to determine the optimal fragment size by Path MTU Discovery. testing sthen@ matthieu@ ok claudio@
2011-03-23  Alexander Bluhm
Extract the address family independent functions from pf fragment reassembly code. This makes it possible to reuse them for IPv6. ok claudio@
2011-03-14  YASUOKA Masahiko
fixed a use-after-free bug introduced at 1.7 in pipex_mppe_output(). ok dlg@ tested by jono
2011-03-14  YASUOKA Masahiko
fix typo. patch from Gleydson Soares ok dlg@
2011-03-13  Stefan Sperling
Add a way to enable/disable Wake On LAN with ifconfig. ok deraadt
2011-03-07  Alexander Bluhm
Declare the inline function pf_addr_compare() non-static in pfvar.h to make it reusable by pf fragment reassembly. No functional change. discussed with henning@, claudio@, deraadt@, kettenis@ ok guenther@