Age | Commit message | Author

ok claudio@
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).
ok claudio
confusing because both addresses and broadcast addresses are put
into the tree.
there are two types of local address lookup. the first is when the
socket layer wants a local address, the second is in ip_input when
the kernel is figuring out the packet is for it to process or
forward.
ip_input considers local addresses and broadcast addresses as local,
however, the handling of broadcast addresses is different depending
on whether ip_directedbcast is set. if ip_directedbcast is unset
then a packet coming in on any interface to any of the system's
broadcast addresses is considered local, otherwise the broadcast
packet must exist on the interface it was received on.
the code also needs to consider classful broadcast addresses so we
can continue some legacy applications (eg, netbooting old sparcs
that use rarp and bootparam requests to classful broadcast addresses
as per PR6382). this diff maintains that support, but restricts it
to packets that are broadcast on the link layer (eg, ethernet
broadcasted packets), and it only looks up addresses on the local
interface. we now only support classful broadcast addresses on local
interfaces to avoid weird side effects with packets routed to us.
the ip4 socket layer does lookups for local addresses with a wrapper
around the global address tree that rejects matches against broadcast
addresses. we now no longer support bind sockets to broadcast
addresses, no matter what the value of ip_directedbcast is.
ok henning@
testing (and possibly ok) claudio@

There is a massive issue with broadcast addrs because ifa_ifwithaddr()
handles them differently than in_iawithaddr().
the system is a multicast forwarder so move the code into that block
and save a few unneeded m_pullups. Found by dlg a long time ago.
OK dlg@
classful broadcast so we can still netboot sparc and the like.
compat hack untested, i will deal with the fallout if there is any later
at the same time stop exporting in_iawithaddr, everything but ip_input
should (and now does) use ifa_ifwithaddr directly
ok dlg sthen and agreement from many
work as you think it does, and the same can easily be achieved using pf
ok claudio dlg sthen theo

of m_free(). There was no leak before as m_copym() and m_pullup()
are always called with the same length. But it is better to use
the correct function anyway.
ok henning@ mpf@ markus@
No binary change. OK otto@
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case should an ICMP
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
netboot methods using rarp, thus only learning their IP address without
mask. And of course the next step is a broadcast - which goes to the
broadcast address calculated classful. *sigh*. PR6382
instead of storing a second broadcast address per ifaddr as we used to
figure out whether we're dealing with a classful broadcast on the fly. the
math is extremely cheap and all my previous profilings showed that cpu
cycles are basically free, we're constrained by memory access.
excellent analysis by Pascal Lalonde <plalonde at overnet.qc.ca> who also
submitted the PR. claudio ok
rt_timer_queue_destroy() did not actually destroy, leading to a potential
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
more here either
subnet of the classful network. at least, not since 1992.
ok mpf dlg bob
that router vendor doesn't default to classful routing any more, and there
really is no point in having a classful netmask and a subnetmask to split
it. we still do classful guesses on the netmask if it isn't supplied by
userland, but that's about it.
i decided to keep ia_netmask and kill ia_subnetmask which makes this diff
biggish, the classful ia_netmask wasn't really used all that much. the real
changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask.
ok claudio dlg ryan
ok henning@, claudio@ "I think this should go in"
a twist; ok millert@ kettenis@
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
seems to be causing some kind of memory corruption after several
hours of heavy IPsec traffic. connections start becoming very slow
eventually leading to all IPsec packets being lost. a reboot solves
the issue for several more hours before it appears again.
#if 1
reasonable
#else
bullshit required by some committee
#endif
are enough. theo ok
-m_copydata instead of straight bcopy. noticed by damien
-handle the pretty much impossible case that the packet header grows so
much that MHLEN < 68. i bet this had been the least of our worries, in that
case, but code oughta be correct anyway.
ok theo and dlg
forwarded packet in case ip_output returns an error and we have to quote
some of it back in an icmp error message.
this implementation done from scratch:
place an mbuf on the stack. copy the pkthdr from the forwarded packet and
the first 68 bytes of payload.
if we need to send an icmp error, just m_copym our mbuf-on-the-stack into
a real one that icmp_error can fuck with and eat as it desires.
ok theo dlg
some greater care must be taken to ensure the mbuf generated for icmp
errors is a good copy.
ip_output failed and we had to generate an icmp packet. since ip_output
frees the mbuf we give it, we copied the original into a new mbuf. if
ip_output succeeded, we threw the copy away.
the problem with this is that copying the mbuf is about a third of the cost
of ip_forward.
this diff copies the data we might need onto the stack, and only builds the
mbuf for the icmp error if it actually needs it, ie, if ip_output fails.
this gives a noticeable improvement in pps for forwarded traffic.
ok claudio@ markus@ henning@
tested by markus@ and by me in production for several days at work
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any domain at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks across
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
is pretty expensive, the more the more addresses are configured locally,
since we walk a list. when pf is on and we have a state key pointer,
and that state key is linked to another state key, we know for sure this
is not local. when it has a link to a pcb, it certainly goes to the local
codepath.
on a box with 1000 addresses forwarding 3 times as fast as before. theo ok
code. In pf rtableid == -1 means don't change the rtableid because
of this rule. So it has to be signed int there. Before the value
is passed from pf to route it is always checked to be >= 0. Change
the type to int in pf and to u_int in netinet and netinet6 to make
the checks work. Otherwise -1 may be used as an array index and
the kernel crashes.
ok henning@
gets a mac addr for an ip under net.inet.ip.arpqueued.
ok deraadt@
malloc();
ok henning@ some time ago
makes transparent proxies much easier; ok beck@, feedback claudio@
it by reading the queue's head pointer. if that pointer is not null
then it takes splnet and dequeues a packet for handling. this is
bad because the ifqueue head is modified at splnet and the softnet
handlers read it without holding splnet.
this removes that check of the head pointer and simply checks if
the dequeue gave us a packet or not before proceeding.
found while reading mpls code.
discussed with norby@ and henning@
ok mcbride@ henning@
Instead of using the same IP on multiple interfaces, carp has to be
configured with the new "carpnodes" and "balancing" options.
# ifconfig carp0 carpnodes 1:0,2:100,3:100 balancing ip carpdev sis0 192.168.5.50
Please note that this is a flag day for anyone using carp balancing.
You'll need to adjust your configuration accordingly.
Additionally this diff adds IPv6 NDP balancing support.
Tested and OK mcbride@, reyk@.
Manpage help by jmc@.
provide netstat(1) with data it needs; ok claudio reyk
change netstat to use them instead of accessing kvm for it. more
protocols will be added later.
discussed with deraadt@ claudio@ gilles@
ok deraadt@
ok krw@
and is actually wrong in some cases, since we can enter
functions without taking the lock because the return value
of ipq_lock() isn't checked properly.
However, this needs to be revisited when we start calling
ip_drain() from the pool code when we are running out of
memory, but this isn't done currently.
OK art@, henning@
MGET* macros were changed to function calls, there wasn't any
need for the pool declarations and the inclusion of pool.h
From: tbert <bret.lambert@gmail.com>
found by itojun
boring details:
skip looking for ipsec tags and descending into ip_spd_lookup if there
are no ipsec flows, except in one case in ip_output (spotted by markus)
where we have to if we have a pcb. ip_spd_lookup has the shortcut already,
but there is enough work done before so that skipping that gains us about
5%. ok theo, markus
boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
This provides a similar functionality as ARP balancing,
but also works for traffic that comes across routers.
IPv6 is supported as well.
The configuration scheme will change as soon as we have sth better.
Also add support for changing the MAC address on carp(4)
interfaces. (code from mcbride)
Tested by pyr@ and reyk@
OK mcbride@
splnet/IF_DEQUEUE/splx; ok various people