ok deraadt@, tedu@ (implicit)
declare them once in their corresponding header file.
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
ok millert@
ok mikeb@, markus@
divert(4) sockets.
Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that
are diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will
have bad IP checksums and will be reinjected with bad IP checksums if
the userspace program doesn't correct the checksums; (2) the userspace
program may modify the packets, which would invalidate the checksums;
and (3) the divert(4) man page states that checksums are supposed to be
recalculated on reinjection.
This diff has been tested on a public webserver serving both IPv4/IPv6
for more than four weeks. It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6
userspace programs that intentionally break the IP and protocol
checksums to confirm that recalculation is done correctly on
reinjection. IPv6 extension headers were tested with Scapy.
Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline. Thanks also to todd@ for helping me in my search for the cause
of this bug.
I would especially like to thank blambert@ for reviewing many versions
of this diff, and providing guidance and tons of helpful feedback.
no objections from florian@
help/ok blambert@, ok henning@
OK markus@
explicit cast.
OK deraadt@
instead of 0 for pointers. No binary change.
OK mpi@
Ok claudio@
No binary change.
OK claudio@
three different ways. Use the same code in udp_usrreq() and
rip_usrreq() and rip6_usrreq(). This also fixes a pcb and socket
leak in udp_usrreq() in case soreserve() fails. Put an splsoftassert()
into in_pcballoc() for safety.
OK mpi@
OK deraadt@ guenther@
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@
ifatoia6 macros do not check the source type. They just cast
anything. Remove needless casts and do not use those macros if the
source type does not match. Remove duplicate defines.
No binary change. OK kettenis@ krw@
ok beck@, mikeb@
due to the wrong & in satosin6(&ifa->ifa_addr). The link local
prefix fe80 was not checked within the IPv6 address, but within
some pointers of the interface address struct. The whole loop
around this was also never executed as all IPv6 addresses had already
been purged.
OK sperreault@ mpi@ mikeb@
ok bluhm@, mikeb@
OK mpi@
an interface index and replace all the redundant checks and accesses
to a global array by a call to this function.
With inputs from and ok bluhm@, mikeb@
ok sthen@
dhill.
ok krw@, mikeb@, tedu@ (implicit)
This is a leftover from the on-link assumption behavior removal,
which has been deprecated by RFC4861 anyway.
ok mikeb@, bluhm@, florian@
ok mikeb@, miod@
check for the reference counter.
ok mikeb@, miod@, pelikan@, kettenis@, krw@
No binary change.
OK claudio@
the cloning route.
bug report and test Florian Riehm; original fix sperreault@; OK claudio@
address if the interface is in master state. Disable duplicate
address detection on CARP interfaces as the peer may have the same
addresses.
Test and OK sthen@ florian@ benno@ camield@
the code relevant for UDP from sosend() and soreceive() into somove().
That allows the kernel to directly transfer the UDP data from one
socket to another.
OK claudio@
caused an uvm fault. The function in6_purgeaddr() might already
free the prefix before prelist_remove() is called. So call
in6_purgeaddr() for all addresses first and then loop over the
remaining prefixes and call prelist_remove().
OK claudio@
a gruesome union, to block the compiler from placing the struct
incorrectly aligned on stack frames
ok guenther
inside the NPF block. Fixes checksum issues seen on ramdisk kernels.
Initial diff by naddy@, tested and OK by many
dependent on ipsec.
puzzled how this went by since I did run full mkrs... pbly lost in my forest
of trees :(
report Amit Kulkarni <amitkulz at gmail.com>, fix me, ok kettenis beck krw
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
ok camield sthen claudio, testing by many, thanks!
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
with and without alignment.
Bug found by Clement Lecigne <clemun AT gmail DOT com>
OK claudio@
of to the bridge itself. This is ok, since an interface can only be part
of one bridge, and the parent bridge is easy to find from the bridgeport.
This way we can get rid of a lot of list walks, improving performance
and shortening the code.
ok henning stsp sthen reyk
are cleared as well; from hshoexer@, feedback and ok bluhm@, ok claudio@
with the latter
no change in md5 checksum of generated files
ok claudio@ henning@
ok deraadt@ miod@
OK henning@
(= before divert) destination port of a UDP packet. The way to use
this option is the same as IP_RECVDSTPORT.
from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm