| Age | Commit message (Collapse) | Author |
|---|
|
- Unicast packets sent to any local address will have their interface
set to loobpack.
- In order to differentiate traffic from interfaces having identical
link-local addresses, provide the scoped addresses to pf(4).
- Update the icmp6 state lookup logic to match scoped MLL addresses.
- Remove a shortcut in ip6_input() that bypasses pf and always look
for an RTF_LOCAL route.
Packets sent to multicast addresses still retain their original
interface due to the fact that local multicast packet delivering
does not use if_output.
This makes ping6 to link-local addresses work even with pf enabled
and "set skip" on loopbacks, reported by Pieter Verberne.
Debugged, analysed and tested with mikeb@.
ok mikeb@, henning@, sthen@
|
|
functionnality instead of a mix of enable/disable.
ok bluhm@, jca@
|
|
kill the macro.
ok mikeb@, henning@
|
|
rely on "struct route" that should die.
ok claudio@
|
|
|
|
after discussions with beck deraadt kettenis.
|
|
ok gcc & md5 (alas, no binary change)
|
|
ok henning@
|
|
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
|
are are lie, since the software engine emulates hardware offloading
and that is later indistinguishable. so kill the hw cksummed counters.
introduce software checksummed packet counters instead.
tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum.
as before we still have a miscounting bug for inbound with pf on, to be
fixed in the next step.
found by, prodding & ok naddy
|
|
into consistent locations; ok henning@
|
|
Always calculate the pseudo-header checksum.
Complete the checksum if hardware offload is not available.
Parts originally from NetBSD; ok henning@
|
|
(unplugged). Even if it makes no sense to keep them around if the
interface is no more, we cannot safely remove them since pcb multicast
options might keep a pointer to them.
Fixes a user after free introduced by the multicast address linking
rewrite and reported by Alexey Suslikov, thanks!
ok claudio@
|
|
consistent with struct ifaddr "ifa" and struct in_ifaddr "ia".
OK mpi@
|
|
stack (factoid: by a bunch of people in my living room), some compatibility
#define's were created to shim incompatible inpcb access methods. There
was an understanding they would eventually be removed. Since they are
error prone, and 1999 is a long time ago, now they die.
ok mikeb claudio mpi
|
|
|
|
Started by claudio@ for IPv4, lots of heavy work by sperreault@
My part started at s2k11, continued at n2k12, g2k12, c2k12 and n2k13.
Lots of help and hints from claudio and bluhm
OK claudio@, bluhm@
|
|
cksum needs to be 0'd before, pf does that now (just like in the tcp/udp
case) and nothing else uses the icmp "offloading" yet.
with & ok bluhm
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
ok bluhm@
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
ok mikeb@, markus@
|
|
|
|
ifatoia6 macros do not check the source type. They just cast
anything. Remove needless casts and do not use those macros if the
source type does not match. Remove duplicate defines.
No binary change. OK kettenis@ krw@
|
|
an interface index and replace all the redondant checks and accesses
to a global array by a call to this function.
With imputs from and ok bluhm@, mikeb@
|
|
dhill.
ok krw@, mikeb@, tedu@ (implicit)
|
|
No binary change.
OK claudio@
|
|
|
|
inside the NPF block. Fixes checksum issues seen on ramdisk kernels.
Initial diff by naddy@, tested and OK by many
|
|
dependent on ipsec.
puzzled how this went by since I did run full mkrs... pbly lost in my forest
of trees :(
report Amit Kulkarni <amitkulz at gmail.com>, fix me, ok kettenis beck krw
|
|
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output pathes, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
|
|
with and without alignment.
Bug found by Clement Lecigne <clemun AT gmail DOT com>
OK claudio@
|
|
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
|
|
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.
from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm
|
|
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
|
|
|
ok mikeb
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ claudio@ krw@
|
|
the caller and the function that the function will not fail to allocate
memory and return a NULL pointer. However, m_dup_pkthdr() violates
this contract, making it possible for functions that pass M_WAITOK to
be surprised in ways that hurt.
Fix this by passing the wait flag all the way down the functions that
actually do the allocation for m_dup_pkthdr() so that we won't be
surprised.
man page update forthcoming
ok claudio@
|
|
it reusable by pf.
ok claudio@
|
|
support by pipex.
OK henning@, "Carry on" blambert@
|
|
Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.
ok deraadt@ miod@ matthew@ jasper@ macro@
|
|
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
ok stsp@ henning@ claudio@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
