path: root/sys/net
Age  Author  Commit message

2009-11-03  Claudio Jeker
rtables are stacked on rdomains (it is possible to have multiple routing
tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more. OK dlg@, mpf@, deraadt@

2009-11-02  Igor Sobrado
s/hz/Hz/ on multiples of the SI unit hertz other than MHz.
reminded by STeve Andre.

2009-10-29  Jonathan Gray
I missed updating a line for the AF_INET6 route case when
splitting things out into a separate pool. Problem noticed and fix tested by sthen@ ok claudio@

2009-10-28  Jonathan Gray
Add a dedicated pf pool for route options as suggested by henning,
which unbreaks i.e. route-to after the recent pf changes. With much help debugging and pointing out of missing bits from claudio@ ok claudio@ "looks good" henning@

2009-10-26  Claudio Jeker
Set the rdomain in bpfwrite() to the interface rdomain so that bpf senders
like dhcpd/dhclient can send packets out of interfaces in other rdomains without hitting the check in ether_output(). With and ok phessler@

2009-10-26  Michael Knudsen
Replace pool_get() + bzero() with pool_get(..., PR_ZERO).
`OK' claudio

2009-10-10  Dariusz Swiderski
fix mbuf leak in rtinit()
the mbuf got leaked when detaching an interface, spotted by theo. fixed by me, diff refined by theo, eyeballed by claudio@, 'go ahead, commit this' by theo@

2009-10-06  Claudio Jeker
Redo the route lookup in the output (and IPv6 forwarding) path if the
destination of a packet was changed by pf. This allows for some evil games with rdr-to or nat-to but is mostly needed for better rdomain/rtable support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
  from local rdr-to local addr works (if state tracking on lo0 is done)
  from remote rdr-to local addr does NOT work
  from local rdr-to remote works
  from remote rdr-to remote works
pass in nat-to:
  from remote nat-to local addr does NOT work
  from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incoming packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@

2009-10-06  Ryan Thomas McBride
Replace if (af) tests operating as an af blacklist with stricter switch
statements operating as a whitelist, taking care to allow af 0 (which is the wildcard value in pf rules) diff from Vadim Zhukov ok henning

2009-10-04  Michele Marchetto
Add (again) support for divert sockets. They allow you to:
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
  pass on em0 inet proto tcp from any to any port 80 divert-packet port 1
A lot of discussion has happened since my last commit that resulted in many changes and improvements. I would *really* like to thank everyone who took part in the discussion especially canacar@ who spotted out which are the limitations of this approach. OpenBSD divert(4) is meant to be compatible with software running on top of FreeBSD's divert sockets even though they are pretty different and will become even more with time.
discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

2009-09-28  David Gwynne
when inserting a state, turn the error that pf_state_insert returns
into something usable by ioctl. makes DIOCADDSTATE on /dev/pf cope when inserting an already existing state.

2009-09-21  Can Erkin Acar
Properly reference count bpf descriptors when using kqueue.
Reported and fix tested by weerd@, ok claudio@

2009-09-17  Claudio Jeker
Remove the compatibility structures for routing socket version 3.
The RTM_VERSION bump was 2 years ago and so there is no need for this. Diff made by tedu@ some time ago but never got committed so I do it now.

2009-09-17  Claudio Jeker
Wrap trunk_enqueue() calls in splnet() since sending out lacp packets
starts in a timeout handler which runs at a lower spl. This fixes the problems with lacp trunks where some interfaces suddenly fail for no obvious reason. Problem report and fix tested by Stephan A. Rickauer. OK henning, reyk, mpf

2009-09-17  Claudio Jeker
Add an splassert check to trunk_enqueue(); calling this function at anything
below splnet() is a good recipe for doom. OK henning, reyk, mpf

2009-09-16  Henning Brauer
style: in pf_test_state_other, fix indentation, kill excessive newlines,
add break in the last case block

2009-09-16  Henning Brauer
fix copy & paste error from almost a year ago (bad ryan)
PF_ANEQ call in pf_test_state_other in the IPVshit case used AF_INET, found by claudio

2009-09-14  Claudio Jeker
Add a way to convert the ifi_link_state to a string without the use of
if_media. This makes link state tracking a lot easier as there is no need to convert if types to if_media types, etc. Additionally this allows us to extend the link states to include states tracked on higher protocol layers. gre(4) keepalive packets, bfd and udld can be implemented without ugly hacks. OK henning, michele, sthen, deraadt

2009-09-09  Reyk Floeter
remove inline functions and move some code from the trunk_lacp_input()
API function directly to lacp_input() to simplify the code path. ok mpf@

2009-09-08  Michele Marchetto
I had not enough oks to commit this diff.
Sorry.

2009-09-08  Michele Marchetto
Add support for divert sockets. They allow you to:
- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.
The divert socket can be bound to a special "divert port" and will receive every packet diverted to that port by pf(4). The pf syntax is pretty simple, e.g.:
  pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000
test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.

2009-09-07  Theo de Raadt
de-inline a function which gains absolutely no benefit at all from it
ok canacar

2009-09-07  Stuart Henderson
Fix static-port, found by jmc@. ok henning@.

2009-09-01  Joel Sing
Clear the IP_DF bit if no-df is enabled, not if it is not enabled.
Issue reported by Matthew Dempsky. Same fix suggested by fgsch@. ok henning@

2009-09-01  Henning Brauer
the diff theo calls me insanae for:
rewrite of the NAT code, basically. nat and rdr become actions on regular rules, separate nat/rdr/binat rules do not exist any more.
  match in on $intf rdr-to 1.2.3.4
  match out on $intf nat-to 5.6.7.8
the code is capable of doing nat and rdr in any direction, but we prevent this in pfctl for now, there are implications that need to be documented better. the address rewrite happens inline, subsequent rules will see the already changed addresses. nat / rdr can be applied multiple times as well.
  match in on $intf rdr-to 1.2.3.4
  match in on $intf to 1.2.3.4 rdr-to 5.6.7.8
help and ok dlg sthen claudio, reyk tested too

2009-09-01  Claudio Jeker
Make rtinit() cope when there is a more specific route available than
the one planned to remove. Do this by going through the dupedkey list looking for the right ifa. Problem found by and OK dlg, OK henning

2009-08-25  Kenneth R Westerback
Clearly copy the whole, and nothing but the whole, old buffer into
the resized buffer. From Pawel Jakob Dawidek via Max Laier via Marc Balmer via tech@. As was the previous commit where I didn't mention Pawel. 'should be olright' henning@

2009-08-25  Jonathan Gray
Remove support for packet mode of Metricom Ricochet radios.
It currently doesn't compile and this is unlikely to change as there are many alternatives now since we no longer live in the early 1990s and Metricom went bankrupt some time ago. ok many @

2009-08-25  Kenneth R Westerback
Fix order of memcpy() arguments so data is copied from src to dest,
not the other way. At least partial fix for interfaces with >64 aliases. From Max Laier via Marc Balmer. 'seems right' sthen@ ok markus@

2009-08-16  Jonathan Gray
remove prototypes of a bunch of functions that had their implementations
removed in pfsync v5.

2009-08-12  David Gwynne
revert my change to m_cluncount which tries to prevent the system
running out of mbufs for rx rings. if the system low watermark is lower than a rx rings low watermark, we'll never send a packet up the stack, we'll always recycle it. found by thib@ on a bge sadface

2009-08-12  Henning Brauer
dlg deferred calling interfaces' if_start routine so we call them less,
which does pay out, performance wise. one of the conditions to call the interfaces' if_start routine immediately was "send queue is full". on a very busy (hammered) machine this will introduce too much latency since we spend almost all cpu time in interrupt handlers and softnet, so the softint actually doing the if_start gets called too seldom and the queue full check is what triggers the actual transmit. change the logic to call if's if_start routine immediately when there are at least 8 packets (or in case of maxlen being smaller than 8, maxlen). 8 chosen because it shows best performance in my test setup here. ok dlg

2009-08-12  David Gwynne
if we get dangerously low on clusters during interrupts, we need
to free some for use on the rx rings on network cards. this modifies m_cluncount to advise callers when we're in such a situation, and makes them responsible for freeing up the cluster for allocation by MCLGETI later. fixes an awesome lockup with sis(4) henning has been experiencing. this is not the best fix, but it is better than the current situation. yep deraadt@ tested by henning@

2009-08-10  Theo de Raadt
At sys_reboot time, bring all the interfaces down so that their xxstop
functions are called, which will turn off DMA. Receiving packets into your memory after a system reboot is pretty nasty. This will also mean that the shutdown hooks can go; this solution is smaller. ok henning miod dlg kettenis

2009-08-09  Claudio Jeker
Tag packets into correct rdomain in tunwrite(). For L2 traffic this will be
done in ether_input() but L3 traffic needs to do it itself.

2009-08-02  Marco Pfatschbacher
Preserve joined interface groups when tun(4) is switched
between layer 2 and 3 tunneling mode. OK claudio@, markus@

2009-07-31  Bret Lambert
timeout_add -> timeout_add_msec
ok mpf@

2009-07-28  Claudio Jeker
Plug a memory leak when calling rtable_add(0) multiple times. Fixing this
even though adding an already existing routing table is not allowed. Leak found by blambert@, fix by myself. OK blambert@

2009-07-28  Henning Brauer
do not leak pf_rule_item_pl items in pf_test_rule() when
1) at least one match rule matched the packet and
2) we do not create state
found by me while fixing the pool_get problem, ok dlg

2009-07-28  Henning Brauer
check that pool_get actually gives us memory in pf_test_rule.
introduced by yours truly (no idea how that could happen), problem found by sthen the hard way, fix by me. ok dlg

2009-07-27  Bret Lambert
timeout_add -> timeout_add_sec
ok claudio@

2009-07-21  Henning Brauer
pf_scrub_ip/ip6 prototypes are already in pfvar.h

2009-07-19  Bret Lambert
clalloc() can't fail, so there's no need to handle failure cases.
Change to void function. Also, no need to have global tty stats pointer, so just return it from clalloc, as the caller frees it immediately anyway. ok miod@

2009-07-16  Thordur I. Bjornsson
Backout rev1.79 of if_vlan.c and rev1.66 of if_trunk.c;
Changes in those revisions limited the send queue to one slot. This breaks NFS over vlan(4) as discovered by sthen@. "just plain back it out." deraadt@

2009-07-13  Claudio Jeker
Do the same rdomain checking in sppp as we do in the Ethernet case.
Encapsulated pppoe packets are moved into the rdomain of the physical interface because it is possible that a pppoe(4) interface is in a different rdomain than the physical interface. OK reyk@

2009-07-13  David Gwynne
don't initialise ifp->if_snd.ifq_maxlen, and then follow it by
IFQ_SET_MAXLEN(&ifp->if_snd, ifqmaxlen). the first was deprecated by the use of IFQ_SET_MAXLEN.

2009-07-13  David Gwynne
make the send queue one slot long. this forces packets off the virtual
interfaces down to the queue on the physical interface immediately. this avoids having the tx mitigation code wasting cpu time dicking around with simply shuffling packets off virtual interface queues and lets it do its job of amortising the cost of calling a real interface's start routine. it also prevents an artificial inflation of the physical interface's queue length where packets could hide on the virtual interfaces' queues during softnet before being dumped en masse onto the hardware. this will smooth out the rate at which packets are submitted to the hardware. kjc@ says this has no impact on altq. ya henning@

2009-07-09  Bret Lambert
unsigned -> unsigned int
ok claudio@, henning@

2009-07-08  Claudio Jeker
Add the same routing domain assignments and checks into the not so used
protocols as it is currently in if_ethersubr.c. OK reyk@

2009-07-07  Michele Marchetto
When adding or changing a MPLS route, add RTF_MPLS flag to
routing message. We can then rely on that flag to spot out MPLS routes coming from routing socket. ok claudio@