Age | Commit message | Author |
|
Tested by Hrvoje Popovski, ok bluhm@
|
|
The interface congestion algorithm kills performance at this place,
with the large queues it never triggers.
OK mpi@ claudio@
|
|
kernel that uses it without the #ifdef guard.
OK bluhm
|
|
OK bluhm@
|
|
the inner IP packet into the internet queue. The IPv6 local delivery
code has a loop to deal with header chains. The idea is to use
this loop and avoid the queueing and rescheduling. The IPsec packet
will be processed in a single flow.
Merge the IP deliver loop from both IP versions into a single
ip_deliver() function that can handle both address families. This
allows processing an IP in IP header like a normal extension header.
If af != AF_UNSPEC, we are already in a deliver loop and have the
kernel lock. Then we can just return the next protocol. Otherwise
we enqueue. The dequeue thread has the kernel lock and starts an
IP delivery loop.
OK mpi@
|
|
IPsec packets without additional enqueueing.
OK mpi@
|
|
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
|
|
error. Make the ip_mforward() return value consistent. Simplify
the caller logic in ipv6_input() like in IPv4.
OK mpi@
|
|
IPv4 & IPv6 dispatch functions outside the KERNEL_LOCK().
We currently rely on the NET_LOCK() serializing access to most global
data structures for that. IP input queues are no longer used in the
forwarding case. They still exist as boundary between the network and
transport layers because TCP/UDP & friends still need the KERNEL_LOCK().
Since we do not want to grab the NET_LOCK() for every packet, the
softnet thread will do it once before processing a batch. That means
the L2 processing path, which is currently running without lock, will
now run with the NET_LOCK().
IPsec isn't ready to run without KERNEL_LOCK(), so the softnet thread
will grab the KERNEL_LOCK() as soon as ``ipsec_in_use'' is set.
Tested by Hrvoje Popovski.
ok visa@, bluhm@, henning@
|
|
ether_input(). Now we use mbuf tags instead of modifying the MAC
address.
ok mpi@
|
|
This will help transitioning to an un-KERNEL_LOCK()ed IP
forwarding path.
Discussed with bluhm@, ok claudio@
|
|
currently protected by the NET_LOCK().
They are not accessed in the hot path, so protecting them with a
mutex could be an option. However since we're now going to run
with a NET_LOCK() for some time, assert that it is held.
IPsec is not yet ready to run without KERNEL_LOCK(), so assert it
is held, even in the forwarding path.
Tested by sthen@, ok visa@, claudio@, bluhm@
|
|
ifdef IPSEC to fix the clang build when IPSEC is not defined.
ok deraadt@ bluhm@
|
|
as the pr_input functions. Add an assert that IPv4 delivery ends
in IP proto done to assure that IPv4 protocol functions work like
IPv6.
OK mpi@
|
|
and give them better names.
input and OK mikeb@
|
|
in ip6_local() to our IPv6 stack.
OK mikeb@
|
|
ok visa@
|
|
they have been decrypted. That means that all the IP header fields
were checked twice. Also fragment reassembly was tried twice.
At pf incoming packets in tunnel mode appeared twice on the enc0
interface, once as IP-in-IP and once as the inner packet. In the
outgoing path pf only sees the inner packet. Asymmetry is bad for
stateful filtering.
IPv6 shows that IPsec works without that. After decrypting immediately
continue with local delivery. In tunnel mode the IP-in-IP protocol
functions pass the inner header to ip6_input(). In transport mode
only pf_test() has to be called for the enc0 device.
Introduce ip_local() to avoid needless processing and cleaner pf
behavior in IPv4 IPsec.
OK mikeb@
|
|
in ip6_input(). While there avoid an ugly #ifdef in ipv4_input().
OK mikeb@
|
|
|
|
No binary change.
OK mpi@
|
|
allows simplifying code used for both IPv4 and IPv6.
OK mikeb@ deraadt@
|
|
zero the buffers first. All the current objects appear to be safe,
however future changes might introduce structure pads.
Discussed with guenther, ok bluhm
|
|
This makes the API simpler, and is probably more useful than spreading
counters memory over several types, making it harder to track.
Prodded by mpi, ok mpi@ stsp@
|
|
ok dlg@ mpi@
|
|
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@
|
|
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@
|
|
softnet assert failures. It is better to place the lock into
net_sysctl() where all the protocol sysctls are called via pr_sysctl.
As calling sysctl(2) is in the slow path, doing fine grained locking
has no benefit. Many sysctl cases copy out a struct. Having a
lock around that keeps the struct consistent. Put assertions in
the protocol sysctls that need it.
OK mpi@
|
|
domains. This is one step towards supporting to run more than one multicast
socket in different domains at the same time.
ok mpi@
|
|
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.
This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.
Inputs from and ok bluhm@, ok dlg@
|
|
If an incoming packet is directly put into the output path, sending
the icmp error packet is never done. As this is basically forwarding,
calling ip_forward() for such packets does everything that is needed.
OK mikeb@
|
|
This removes multiple recursive splsoftnet()/splx() dances.
|
|
ok claudio@
|
|
suggested by mpi@ and mikeb@
|
|
each counter is identified by an enum value which corresponds to the
original members of the ipstat struct.
ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the ipstat struct for now.
ok mpi@ mikeb@
|
|
options.
Make sure the next hop is directly reachable if IPOPT_SSRR is set.
Input from and ok vgross@
|
|
ok mpi@
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
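Review bot: the rule only matches a pool_init() call that is immediately followed by pool_setipl() on the same pool expression, so a caller that never called pool_setipl(), or that has other statements between the two calls, is left untouched and still compiles with its old ioff value sitting in what is now the ipl position. Consider a second rule (or a tree-wide search for remaining seven-argument pool_init() calls whose fourth argument is not an IPL constant) to catch those, and say in the message how the unmatched callers were handled.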
|
|
thank you to everyone who helped review these diffs
ok mpi@
|
|
route because of PMTU.
otto@ reported the issue and helped me track it down during more
than one month, he is the man!
mikeb@ figured out the bug was in the forwarding path.
ok mikeb@, deraadt@, claudio@
|
|
OK mpi@ sashan@
|
|
cannot be bound to by non-root users.
Ok millert@ bluhm@
|
|
are now using the returned route for forwarding as well.
This restores the behavior of r1.274 when using mpath entries for
forwarding.
ok visa@, henning@
|
|
possible.
This reduces the number of lookups to 1 for non-multicast traffic when PF
is disabled.
Tested by Hrvoje Popovski who confirmed that benchmark numbers are now as
good as with a single cache entry.
ok visa@, bluhm@
|
|
Testing help from Hrvoje Popovski.
ok mikeb@, henning@, claudio@
|
|
when the next packet needs to be forwarded, just like if the route
was invalid.
ok mikeb@, claudio@
|
|
|
|
work in the forwarding path.
Tested by Hrvoje Popovski, ok dlg@
|
|
This brings ip_dooptions() closer to mp-safeness by ensuring that
``ifa'' is dereferenced before calling rtfree(9).
ok mikeb@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|