Age | Commit message | Author |
|
with the same prefix, neighbor discovery did not work. When comparing
two carp interfaces in in6_ifpprefix(), assume they share the prefix
if they have the same parent.
sure deraadt@
|
|
Verify that the address in the in6_pktinfo structure included
in the control message is unicast and configured on the local
host. Additional checks prevent the use of non-routable
addresses and inactive interfaces.
Embed the scope identifier into the link local addresses as
required by the stack. Do not force users to provide a valid
interface index in the ipi6_ifindex but look it up in place
if needed.
ok bluhm, waived by deraadt for the release.
|
|
the route to be at the corresponding carp or physical interface or
at an interface belonging to a common bridge. This fixes IPv6
neighbor discovery with carp.
bug report and tested by Florian Fuessl
put it in deraadt@
|
|
Otherwise pf could reroute or redirect such a packet. KAME moved
it in rev 1.189 of their ip6_input.c. This also allows rdr or nat
to ::1 in pf.
bug report and test camield@
ok mikeb@; go for it deraadt@
|
|
which we have a cloning or cloned route. The old check was based
on configured interface addresses, now we use a route lookup. This
allows us to use prefixes for the local network that ospf6d has
added.
ok claudio@
|
|
|
|
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
|
1) Allocating with M_WAITOK, checking for NULL, and calling panic() is
pointless (malloc() will panic if it can't allocate) so remove the check
and the call.
2) Allocating with M_WAITOK, checking for NULL, and then gracefully
handling failure to allocate is pointless. Instead also pass M_CANFAIL
so malloc() doesn't panic so we can actually handle it gracefully.
1) was done using Coccinelle.
Input from oga.
ok miod.
|
|
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm, not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
|
Found by LLVM/Clang Static Analyzer.
ok henning@ claudio@ krw@
|
|
Found by LLVM/Clang Static Analyzer.
ok claudio@ henning@
|
|
discussed with and ok claudio
|
|
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incoming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incoming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
|
Found by LLVM/Clang Static Analyzer.
ok claudio@
|
|
|
|
the caller and the function that the function will not fail to allocate
memory and return a NULL pointer. However, m_dup_pkthdr() violates
this contract, making it possible for functions that pass M_WAITOK to
be surprised in ways that hurt.
Fix this by passing the wait flag all the way down the functions that
actually do the allocation for m_dup_pkthdr() so that we won't be
surprised.
man page update forthcoming
ok claudio@
|
|
functions. OK blambert@
|
|
ok deraadt henning sthen thib (though thib says he can't spell)
|
|
anymore so the allocation in in6_update_ifa() can now wait.
ok deraadt henning
|
|
|
|
ok claudio@
|
|
the packets with the same maximum size. This allows the sender to
determine the optimal fragment size by Path MTU Discovery.
testing sthen@ matthieu@
ok claudio@
|
|
what we do for IPv4. rtsol will turn it back on if -F is used.
After discussion with bluhm@, fgsch@, sthen@ and deraadt@
OK sthen@
|
|
by pf in the forward path. To avoid dropping the unfragmented
packet in ip6_forward(), move the MTU size check behind pf_test6().
ok claudio@
|
|
it reusable by pf.
ok claudio@
|
|
cache as "ndp info overwritten". This makes the behavior similar
to ARP.
ok todd@, deraadt@, henning@, giovanni@, claudio@
|
|
to make it reusable by pf. No functional change.
ok henning@, claudio@
|
|
for the same prefix. Tested by giovanni@, steven@, Dennis den Brok.
ok dlg miod claudio
|
|
you want to move "offset" bytes forward by "sizeof(struct ip6_frag)"
bytes within an mbuf, you must have at least "offset + sizeof(struct
ip6_frag)" bytes space in that mbuf.
Fix from KAME, FreeBSD also has it.
ok claudio@ markus@
|
|
by an if (mcopy). The variable mcopy comes from m_copy() and could
be NULL. Bring this call in line with all the other icmp6_error()
calls.
ok henning@, claudio@, markus@, mpf@
|
|
The data received on the source socket will automatically be sent
on the drain socket. This allows writing relay daemons with zero
data copy.
ok markus@
|
|
OK mikeb@, henning@, deraadt@
|
|
I overlooked that one case in rev. 1.69. Fix from Pedro Martelletto.
OK mcbride, claudio, henning.
|
|
from interrupt context. This results in problems if the process of adding
a new address makes use of pools that use PR_WAITOK (or anything else that
may sleep). To avoid this problem, create a workq task so that the new
IPv6 address is added from within process context.
ok dlg@ henning@
|
|
support by pipex.
OK henning@, "Carry on" blambert@
|
|
Compiles fine without it so remove it.
|
|
Bogus chunks pointed out by matthew@ and miod@. No cookies for
marco@ and jasper@.
ok deraadt@ miod@ matthew@ jasper@ marco@
|
|
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
the callback functions. This fixes a problem where dynamic routes in
different tables would not get deleted because the callback was doing
the remove on the wrong table.
OK henning@
|
|
ok stsp@ henning@ claudio@
|
|
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This allows
grouping individual ipsec policies into virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
address. This is necessary when ospf6d has learned a prefix for a
directly connected link which is not configured locally. Now neighbor
discovery is solely based on the cloning route and not on the address
neighborship anymore.
ok claudio@
|
|
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
over other addresses configured on the same interface.
Facilitates peaceful coexistence of temporary addresses for outgoing
connections and static addresses for incoming connections.
Fix typo in comment while here.
ok claudio@
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepaths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
Address Autoconfiguration in IPv6". For those among us who are paranoid
about broadcasting their MAC address to the IPv6 internet.
Man page help from jmc, testing by weerd, arc4random API hints from djm.
ok deraadt, claudio
|