| Age | Commit message (Collapse) | Author |
|---|
|
to pass the destination address of the route to clone.
ok markus@, mikeb@
|
|
change.
ok mikeb@, henning@
|
|
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
ok bluhm@
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
ok otto
|
|
clunky m_data/m_len dance needed by in_cksum().
Tested on amd64, hppa, i386, loongson, macppc, sgi, and sparc64.
Thanks to blambert@, bluhm@, and henning@ for help and feedback;
abieber@ for testing this diff independently on macppc; krw@ for access
to his hppa, sgi, and sparc64 test systems at t2k13; nick@ for helping
me figure out Ken's hppa so that I can test this diff. :)
ok blambert bluhm henning mikeb
|
|
ok mikeb@, haesbaert@
jajaja miod@
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
|
ok mikeb@, markus@
|
|
|
|
inside the NPF block. Fixes checksum issues seen on ramdisk kernels.
Initial diff by naddy@, tested and OK by many
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
|
|
While there change IP_RTABLE to SO_RTABLE. IP_RTABLE will die soon.
With and OK guenther@
|
|
don't have a MTU to announce in the icmp need fragment packet.
this fixes PMTU-discovery for TCP over IPsec; ok mpf@, fries@
|
|
no objection from mcbride@ krw@ markus@ deraadt@
|
|
already done for UDP/TCP/ICMP. This fixes a problem where checksumming
would not be computed if you have a bridge with at least one interface
with hardware checksumming and another without.
Discussed with sthen@ and henning@, this is somewhat a temporary fix,
we should not have these special bridge cases in ip_output, as Henning
said, the bridge must behave. But for that to work we need to poke the
bridge harder, this problem has been seen by at least two users at:
http://marc.info/?l=openbsd-misc&m=132391433319512&w=2
http://marc.info/?l=openbsd-misc&m=132234363030132&w=2
I promised to work on a better diff :-).
ok henning@ sthen@ mikeb@
|
|
ok claudio@ henning@ mikeb@
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
level that allows one to retrieve the original routing domain
of UDP datagrams diverted by the pf via "divert-to" with a
recvmsg(2).
ok claudio
|
|
this is not allowed according to Stevens and RFCs 5735 and 1122.
Suggestion to use ENETUNREACH from claudio.
OK phessler@, claudio@
|
|
discussed with and ok claudio
|
|
This fixes the problem of binding sockets to broadcast IPs in other
rdomains.
OK henning@
|
|
ok dlg fondue-kinda-ok claudio
|
|
ok claudio krw
|
|
we don't need 7 f***ing copies of the same code to do the protocol checksums
(or not, depending on hw capabilities). claudio ok
|
|
ok sthen claudio dlg
|
|
currently have, let the call succeede.
Mirrors the same behaviour as setrtable()
OK claudio@
|
|
support by pipex.
OK henning@, "Carry on" blambert@
|
|
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
|
|
has enough space for all the fragments on it.
this check was snuck in by itojun under an unrelated commit. it broke when
i set the virtual interface send queue depths to 1, which beck had to
special case at n2k10. without this code we avoid these dubious checks
along with another splnet/splx pair, and it should make future work on
manipulating send queues easier.
ive been running this in production since n2k10 (~7months ago).
ok claudio@ henning@ deraadt@
|
|
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
|
|
queue length of one - i.e. vlans with the forthcoming change from dlg.
this allows fragmented frames to be sent on such an interface, hoping
that the interface underneath copes correctly - A better fix for this
will be forthcoming soon, but this is good enough for now, and will
allow the change for vlans to use an ifq length of 1.
tested by me and dlg@, ok dlg@, claudio@, deraadt@
|
|
so put it in struct process instead of struct proc. While at it,
move the p_emul member inside struct proc so that it gets copied
automatically instead of requiring manual assignment.
ok deraadt@
|
|
kernel stack content instead of proper information; found by Clement LECIGNE
|
|
catch the libc major bump per request from deraadt@
Diff by reyk.
ok guenther@
|
|
localhost DoS everywhere. To help minimize further issues, make the
mbuf != NULL test explicit instead of implicit in a length test.
Suggestions and initial work by mpf@ and miod@
ok henning@, mpf@, claudio@,
|
|
original packet or they will trigger the diagnostic check in the interface
output routines. OK jsg@
|
|
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
