path: root/sys/net
Age         Author
  Commit message
2009-03-23  David Gwynne
  wait an appropriate amount of time before giving up on a bulk update, rather than giving up after a hardcoded 5 seconds (which is generally much too short an interval for a bulk update). pointed out by david@, eyeballed by mcbride@

2009-03-17  David Gwynne
  we do know how to handle iack. in the rx path at least.

2009-03-15  Miod Vallat
  Introduce splsoftassert(), similar to splassert() but for soft interrupt levels. This will allow for platforms where soft interrupt levels do not map to real hardware interrupt levels to have soft ipl values overlapping hard ipl values without breaking spl asserts.

2009-03-14  Ryan Thomas McBride
  Some ICMP types that also have icmp_id, pointed out by markus@
  ok henning markus

2009-03-09  Ryan Thomas McBride
  Make the DIOCSETIFFLAG, DIOCSETLIMIT, and DIOCSETTIMEOUT ioctls transactional, closing PRs 4941 and 5910. Minor flag day, requires rebuild of userland tools that use struct pfi_kif. ok henning deraadt

2009-03-07  Ryan Thomas McBride
  Make sure pd2 has a pointer to the icmp header in the payload; fixes panic seen with some icmp types in icmp error message payloads. Reported by david@ and insan.praja@gmail.com

2009-03-05  Michele Marchetto
  Fix a panic in ether_output() when attempting to send multicast traffic on MPLS enabled kernels. ok claudio@

2009-03-05  Ryan Thomas McBride
  Stricter state checking for ICMP and ICMPv6 packets: include the ICMP type in one port of the state key, using the type to determine which side should be the id, and which should be the type.
  Also:
  - Handle ICMP6 messages which are typically sent to multicast addresses but receive unicast replies, by doing fallthrough lookups against the correct multicast address.
  - Clear up some mistaken assumptions in the PF code:
    - Not all ICMP packets have an icmp_id, so simulate one based on other data if we can, otherwise set it to 0.
    - Don't modify the icmp id field in NAT unless it's echo
    - Use the full range of possible ids when NATing icmp6 echo
  ok henning marco testing matthieu todd

2009-03-02  Claudio Jeker
  Make sure rt_gateway is not NULL in rt_mpath_matchgate(). It is possible to hit this case with a root node that comes with no real rtentry attached to it. Problem found by Mischa Diehm, OK henning@

2009-03-01  David Gwynne
  rework serialisation of messages slightly.
  - pass a void *, rather than an mbuf and an offset into m_data, the callers can do the math for it.
  - we need to store the size of the messages these functions will serialise into, so don't get the funcs to return it, just add it on in the caller.

2009-03-01  David Gwynne
  check pfsync's IFF_RUNNING flag before doing stuff. should save time for people who hate^Wdon't use pfsync.

2009-03-01  David Gwynne
  i can't see a reason that we'd need to go to splnet to call ip_output. this cleans up use of splnet.
2009-02-27  Claudio Jeker
  Do not check the link state when installing a route. This bit was missing in the backout/disabling of the route link state tracking done a few days ago. OK deraadt@

2009-02-27  Henning Brauer
  fix quick reuse of tcp states. when we, for a new state, hit an existing tcp state which is in FIN_WAIT_2 on both ends do not fail but insert the new state anyway and unlink the old one afterwards. pimp error message a bit, too. problem found with NAT by viq <viq@viq.ath.cx> ok theo markus

2009-02-27  Joerg Goltermann
  fix mbuf problems and simplify code, well spotted and input by Alexander Sabourenkov. mbuf logic is based on claudio's recommendation. Tested by Alexander Sabourenkov. OK: henning@, claudio@ Theo: "In please..."

2009-02-26  David Gwynne
  bulk updates are sent from a timeout which walks over the state tree and modifies the pfsync state queues, however, it didn't prevent interrupts from whacking the same structures. this diff makes the bulk update code take splsoftnet() to prevent the panics i've been suffering all day when a firewall peer was booted. ok deraadt@

2009-02-24  David Gwynne
  restore the parsing of incoming tdb update messages. this was disabled while i was replacing the guts of pfsync, but i forgot to put it back again. this will make ipsec gateway failover work again. tested by sthen@ and david@ ok deraadt@

2009-02-24  Claudio Jeker
  Disable rt_if_track() for now. This causes the rtfree panic seen in PR6043 and I'm currently unable to find the cause of this. Time is running out so workaround it for now. OK deraadt.

2009-02-24  David Gwynne
  request a bulk update when the pfsync if configuration is changed via an ioctl. without this peers would not request a bulk update when they come up, and therefore will not have the full state tree available for use in failover. ok mcbride@ "go for it" deraadt@

2009-02-23  David Gwynne
  don't put pfsync packets on the wire if no syncdev is specified. issues reported by david@. an earlier version of this was ok mcbride@ ok deraadt@

2009-02-20  Joel Sing
  Ensure that bpf_mtap() is always called at the same interrupt priority level within the tun(4) driver. Otherwise we can be interrupted whilst copying a packet into the BPF buffer, leading to a race between bpf_mtap() calls. This can result in corruption within the BPF buffers. Also ensure that we are at IPL_NET when calling ether_input_mbuf(). Fixes PR6073. ok claudio@, canacar@ (for an earlier version of this diff)

2009-02-18  Henning Brauer
  bring back the NAT NOP fix, but this time right. when we want to pretend pf_get_translation didn't do anything we must get rid of _both_ state keys and reset all 4 sk pointers to NULL and not leave one key behind and have all 4 pointers point to it - that must fail. tested dhill sthen, david agrees, deraadt ok

2009-02-18  David Gwynne
  if a peer requests a state that is marked as NOSYNC, then skip it.

2009-02-18  Can Erkin Acar
  Free authentication data when detaching sppp from interface.

2009-02-17  David Gwynne
  // style comments shouldn't be in the tree. reminded by deraadt@
2009-02-17  David Gwynne
  assert copyright over the changes i made. reminded by deraadt@

2009-02-17  David Gwynne
  init the tdb tailq. hopefully this fixes sthen's crash.

2009-02-17  Charles Longeau
  fix uninitialized variable. found by LLVM/Clang Static Analyzer. ok dlg@

2009-02-16  Theo de Raadt
  allocate the large structures instead of putting them on the stack, and use M_CANWAIT throughout. ok sthen canacar claudio

2009-02-16  Can Erkin Acar
  Allow username and password to be up to 255 characters in length. Tested by many, thanks. "Put it in" deraadt@

2009-02-16  David Gwynne
  pfsync v5, mostly written at n2k9, but based on work done at n2k8.
  WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC
  this is a new variant of the protocol and a large reworking of the pfsync code to address some performance issues. the single largest benefit comes from having multiple pfsync messages of different types handled in a single packet. pfsync's handling of pf states is highly optimised now, along with packet parsing and construction. huggz for beck@ for testing. huge thanks to mcbride@ for his help during development and for finding all the bugs during the initial tests. thanks to peter sutton for letting me get credit for this work. ok beck@ mcbride@ "good." deraadt@

2009-02-15  Marc Balmer
  Revert previous.

2009-02-15  Marc Balmer
  Fix compilation of kernels that have pf, but not pfsync. ok dlg, henning, sthen

2009-02-12  Stuart Henderson
  revert pf.c r1.629 (which moved to this file) which was causing "panic: pool_do_get(pfstatekeypl): free list modified". discussed with many. ok dlg

2009-02-06  Alexander Yurchenko
  Remove bogus casts of integer constants SPPPIO[GS]DEFS to caddr_t and fix typo while here. ok canacar@

2009-02-03  Michele Marchetto
  Use our own flags to set the operations and not RTF_PROTOX. Switch the padding field into a MPLS one in rt_msghdr to store relevant information. OK claudio@ laurent@

2009-01-31  Alexander Yurchenko
  u_char is not compatible with default argument promotion type thus can't be used with va_start. change it to u_int. ok miod@

2009-01-31  Alexander Yurchenko
  No need to invent another _offset, just use the one from param.h. As a bonus it eliminates casting from pointer to int. ok miod@ tedu@ millert@
2009-01-31  Henning Brauer
  unbreak !INET6 case by sprinkling #ifdef INET6. noticed by Vladimir Kirillov <proger@uaoug.org.ua>

2009-01-30  Christian Weisgerber
  sync the part copied from ip_output: always initialize IP checksum to zero for checksum offload; ok henning@

2009-01-30  David Gwynne
  sprinkle splassert(IPL_SOFTNET) around the code that inserts, unlinks, and frees pf states. ok mcbride@

2009-01-29  Pierre-Yves Ritschard
  Split the address selection from pools away from pf.c and put it in pf_lb.c. This will ease the process of adding more selection types without bloating pf.c even more. ok and a weird death threat, henning@ raised eyebrow, dlg@

2009-01-29  Henning Brauer
  move some code around in preparation for future work: break out the code that doesn't deal with fragment reassembly and only modifies stuff in the ip header to their own functions. pass them what they need instead of making them get the info from a rule ptr. ok dlg ryan

2009-01-29  Claudio Jeker
  Fix a crash found by bluhm@ in rn_mpath_reprio(). The rn_mklist handling was wrong which resulted in a NULL rm_leaf which caused a NULL deref a bit later. Check against the right route nodes to figure out if the rm_leaf needs to be updated. Tested by bluhm@, OK dlg@

2009-01-28  Michele Marchetto
  Get rid of the ugly rtentry hack. We can now act as edge node and allow ipv4 packets to enter a Label Switched Path and not just forward MPLS packets. OK claudio@

2009-01-28  Claudio Jeker
  Implement basic routing socket filtering. It is possible to give a list -- actually a bitfield -- of routing messages a listener is interested in. This list can be changed with a setsockopt(s, AF_ROUTE, ROUTE_MSGFILTER, ...) call. OK henning@, dlg@

2009-01-27  Marco Pfatschbacher
  If a packet translation was a NOP, undo separate NAT key and pretend there was no match. This prevents pf_state_insert() from failing with duplicate keys. OK henning@, mcbride@

2009-01-27  Christian Weisgerber
  handle HW VLAN tags being passed down; from Brad

2009-01-27  Christian Weisgerber
  include the VLAN priority for hardware tagging, too; ok claudio@

2009-01-27  Christian Weisgerber
  make the hardware/no hardware tag stripping cases consistent and don't hash the VLAN priority; ok henning@