Age | Commit message | Author |
|
calls in tcp_input(). When I added this code for socket splicing,
I have missed that they may be called indirectly through functions.
Although not strictly necessary since we have the sosplice thread,
put that flag consistently when we want to prevent that tcp_output()
is called in the middle of tcp_input(). As soisconnected(),
soisdisconnected(), and socantrcvmore() call the wakeup functions
from tcp_input(), set the TF_BLOCKOUTPUT flag around them.
OK visa@
|
|
TCP_FACK was disabled by provos@ in June 1999.
TCP_FACK is an algorithm that decides that when something is lost, all
not SACKed packets until the most forward SACK are lost. It may be a
correct estimate, if network does not reorder packets.
OK visa@ mpi@ mikeb@
|
|
With input from Klemens Nanni, OK visa, mpi, bluhm
|
|
OK deraadt, mpi, visa, job
|
|
Tested by Hrvoje Popovski, ok bluhm@
|
|
buffers.
This is one step towards unlocking TCP input path. Note that all the
functions asserting for the socket lock are not necessarily MP-safe.
All the fields of 'struct socket' aren't protected.
Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures. Logic
and name taken from NetBSD.
Tested by Hrvoje Popovski.
ok claudio@, bluhm@, mikeb@
|
|
<netinet/tcp_debug.h>.
The IPv6 variant was always included and the IPv4 version is not
present on all systems.
Most of the offending ports are already fixed, thanks to sthen@!
|
|
in ip6_input(). Do not check that again in the protocol input
functions.
OK mpi@
|
|
change the pointer. Then *mp keeps the invalid pointer and it might
be used. Fix the potential use after free and also reset *mp in
other places to have less dangling pointers to freed mbufs.
OK mpi@ mikeb@
|
|
adjust the comment to match reality (or at least rfc7323) instead.
This brings us back in line with the behavior of Net and Free.
From Lauri Tirkkonen. OK bluhm@
|
|
No binary change.
OK mpi@
|
|
tcp_input().
OK florian@
|
|
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@
|
|
ok mpi@ bluhm@
|
|
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@
|
|
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@
|
|
ok bluhm@, kettenis@
|
|
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.
This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.
Inputs from and ok bluhm@, ok dlg@
|
|
Prodded by and ok bluhm@
|
|
While here keep local definitions local.
ok bluhm@
|
|
|
|
This will allow to have a single lock/unlock dance per timer.
|
|
Found by Chris Jackman, thanks!
|
|
set on the listen socket.
From David Hill; OK vgross@
|
|
the ioff argument to pool_init() is unused and has been for many
years, so this replaces it with an ipl argument. because the ipl
will be set on init we no longer need pool_setipl.
most of these changes have been done with coccinelle using the spatch
below. cocci sucks at formatting code though, so i fixed that by hand.
the manpage and subr_pool.c bits i did myself.
ok tedu@ jmatthew@
@ipl@
expression pp;
expression ipl;
expression s, a, o, f, m, p;
@@
-pool_init(pp, s, a, o, f, m, p);
-pool_setipl(pp, ipl);
+pool_init(pp, s, a, ipl, f, m, p);
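Review bot: The rule only matches a pool_init() call that is directly followed by pool_setipl() on the same pp, so any caller without that pairing is left untouched while its fourth argument changes meaning from ioff to ipl. Consider a second rule that reports every remaining pool_init(pp, s, a, o, f, m, p) call so those sites are converted by hand. The matched `o` is also dropped without checking that it was 0, which is worth confirming for each converted call.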
|
|
This is another little step towards deprecating 'struct route{,_in6}'.
ok florian@
|
|
swapping between two syn caches for random reseeding anyway, this
feature can be added easily. When the cache is empty, there is an
opportunity to change the hash size. This allows an admin under
SYN flood attack to defend his machine.
Suggested by claudio@; OK jung@ claudio@ jmc@
|
|
This is consistent with the IPV6_UNICAST_HOPS behavior, and is the only
way to allow applications to completely control the TTL of outgoing
packets (else an application could temporarily send packets with the
default TTL, until it sets again IP_TTL; this is harmful e.g. for GTSM).
ok bluhm@
|
|
|
|
Useful to implement GTSM support in daemons such as bgpd(8). Diff from
2013 revived by renato@. Input from bluhm@, ok bluhm@ deraadt@
|
|
its value for the SYN+ACK packet. This makes the IPV6_UNICAST_HOPS
socket option usable for incoming TCP connections.
tested by renato@; OK jca@
|
|
was overly complicated. Simplify the code without functional change.
OK jca@
|
|
|
|
attack against our hash function. In this case, switch to the
passive syn cache as soon as possible. It will start with a new
random seed for the hash.
input and OK mpi@
|
|
This is convenient to test the feature and may be useful to defend
against syn flooding in a denial of service condition. It is
consistent to the existing syn cache sysctls. Move some declarations
to tcp_var.h to access the syn cache sets from tcp_sysctl().
OK mpi@
|
|
stack reseeds the hash function every time the cache is empty.
Unfortunately the attacker can prevent the reseeding by sending
unanswered SYN packets periodically.
Fix this by having an active syn cache that gets new entries and a
passive one that is idling out. When the passive one is empty and
the active one has been used 100000 times, they switch roles and
the hash function is reseeded with new random.
tedu@ agrees; OK mpi@
|
|
This shows how often the hash function is reseeded and the random
bucket distribution changes.
OK mpi@ claudio@
|
|
ok mpi@ millert@
|
|
ok mpi@
|
|
ok henning
|
|
pf_inp_...() lookup, link and unlink functions as an interface.
Locking can be added to them later. Remove the first linking at
the beginning of tcp_input() and udp_input() as it is not necessary.
It will be done later anyway. That code was a relict, from the
time before I had added the second linking.
Input from mikeb@ and sashan@; OK sashan@
|
|
layer will be turned mpsafe. We're not there yet.
Reported by David Hill, ok florian@
|
|
Tested by and ok sthen@, ok visa@
|
|
While here remove unused argument and convert the route check to
rtisvalid(9).
ok bluhm@
|
|
die and ifp->if_mtu is the one true mtu.
Suggested by and OK mpi@
|
|
Apart from the usual inet6 axe murdering exercise to keep you fit, this
allows us to get rid of a lot of layer violation due to the use of per-
ifp variables to store the current hop limit.
Inputs from bluhm@, ok phessler@, florian@, bluhm@
|
|
ifpp - XXX: just for statistics
ifpp is always NULL in all callers so that statistic confirms ifpp is
dying
OK mpi@
|
|
cache hash. That makes it trivial to create syn cache collisions.
Take the full address, xor it with random data and put it into the
hash function.
OK markus@
|
|
OK dlg@
|
|
global variables should also live there.
OK markus@
|