path: root/sys/netinet6
Age         Author                      Commit message

2011-08-08  Alexander Bluhm
  If two carp interfaces on the same physical interface had addresses with the same prefix, neighbor discovery did not work. When comparing two carp interfaces in in6_ifpprefix(), assume they share the prefix if they have the same parent. sure deraadt@

2011-08-07  Mike Belopuhov
  Several fixes for the IPV6_PKTINFO handling with sendmsg(2). Verify that the address in the in6_pktinfo structure included in the control message is unicast and configured on the local host. Additional checks prevent from using non-routable addresses and inactive interfaces. Embed the scope identifier into the link local addresses as required by the stack. Do not force users to provide valid interface index in the ipi6_ifindex but look it up in place if needed. ok bluhm, waived by deraadt for the release.

2011-08-07  Alexander Bluhm
  When checking whether a prefix belongs to an interface, also allow the route to be at the corresponding carp or physical interface or at an interface belonging to a common bridge. This fixes IPv6 neighbor discovery with carp. bug report and tested by Florian Fuessl put it in deraadt@

2011-08-04  Alexander Bluhm
  Move the check that ::1 is not allowed from the wire before pf_test(). Otherwise pf could reroute or redirect such a packet. KAME moved it in rev 1.189 of their ip6_input.c. This also allows rdr or nat to ::1 in pf. bug report and test camield@ ok mikeb@; go for it deraadt@

2011-07-26  Alexander Bluhm
  Accept neighbor discovery packets from source IPv6 addresses for which we have a cloning or cloned route. The old check was based on configured interface addresses, now we use a route lookup. This allows us to use prefixes for the local network that ospf6d has added. ok claudio@

2011-07-06  Henning Brauer
  consistently use IFQ_SET_MAXLEN, surfaced in a discussion with + ok bluhm

2011-07-04  Claudio Jeker
  Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6. The functions were 95% identical anyway. While there use struct pf_addr in struct pf_divert instead of some union which is the same. OK bluhm@ mcbride@ and most probably henning@ as well

2011-06-17  Michael Knudsen
  M_WAITOK cleanup of two cases:
  1) Allocating with M_WAITOK, checking for NULL, and calling panic() is pointless (malloc() will panic if it can't allocate) so remove the check and the call.
  2) Allocating with M_WAITOK, checking for NULL, and then gracefully handling failure to allocate is pointless. Instead also pass M_CANFAIL so malloc() doesn't panic so we can actually handle it gracefully.
  1) was done using Coccinelle. Input from oga. ok miod.

2011-05-13  Owain Ainsworth
  Revert the pf->socket linking diff. at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw with xxxterm not sure about pirofti) involving pool corruption while using this commit. krw and todd confirm that this backout fixes the problem. ok blambert@ krw@, todd@ henning@ and kettenis@
  Double link between pf states and sockets. Henning has already implemented half of it. The additional part is:
  - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
  - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
  - All protocols establish the link for incoming packets.
  - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
  - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
  ok henning@

2011-05-02  Charles Longeau
  Fix potential null dereference. Found by LLVM/Clang Static Analyzer. ok henning@ claudio@ krw@

2011-05-02  Charles Longeau
  Fix potential null dereference. Found by LLVM/Clang Static Analyzer. ok claudio@ henning@

2011-05-02  Mike Belopuhov
  recognize SO_RTABLE socket option at the SOL_SOCKET level; discussed with and ok claudio

2011-04-24  Alexander Bluhm
  Double link between pf states and sockets. Henning has already implemented half of it. The additional part is:
  - The pf state lookup for outgoing packets is optimized by using mbuf->inp->state.
  - For incoming tcp, udp, raw, raw6 packets the socket lookup always is optimized by using mbuf->state->inp.
  - All protocols establish the link for incoming packets.
  - All protocols set the inp in the mbuf for outgoing packets. This allows the linkage beginning with the first packet for outgoing connections.
  - In case of divert states, delete the state when the socket closes. Otherwise new connections could match on old states instead of being diverted to the listen socket.
  ok henning@

2011-04-15  Charles Longeau
  Remove dead assignment. Found by LLVM/Clang Static Analyzer. ok claudio@

2011-04-06  Stuart Henderson
  comment typo

2011-04-05  Bret Lambert
  Passing M_WAITOK to mbuf functions is supposed to be a contract between the caller and the function that the function will not fail to allocate memory and return a NULL pointer. However, m_dup_pkthdr() violates this contract, making it possible for functions that pass M_WAITOK to be surprised in ways that hurt. Fix this by passing the wait flag all the way down the functions that actually do the allocation for m_dup_pkthdr() so that we won't be surprised. man page update forthcoming ok claudio@

2011-04-04  Claudio Jeker
  Add the same SS_CANTRCVMORE check as was done in the other input functions. OK blambert@

2011-04-03  Stefan Sperling
  fix typos in comments. ok deraadt henning sthen thib (though thib says he can't spell)

2011-04-03  Stefan Sperling
  As of r1.54 of nd6_rtr.c we don't add addresses from interrupt context anymore so the allocation in in6_update_ifa() can now wait. ok deraadt henning

2011-04-03  Stefan Sperling
  Kill redundant offsetof definitions; ok deraadt henning sthen thib

2011-03-31  Jasper Lievisse Adriaanse
  - use nitems(); no binary change
  ok claudio@

2011-03-24  Alexander Bluhm
  Reassemble IPv6 fragments in pf. In the forward case, pf refragments the packets with the same maximum size. This allows the sender to determine the optimal fragment size by Path MTU Discovery. testing sthen@ matthieu@ ok claudio@

2011-03-23  Claudio Jeker
  Don't process ICMP6 redirects by default anymore. This is in line with what we do for IPv4. rtsol will turn it back on if -F is used. After discussion with bluhm@, fgsch@, sthen@ and deraadt@ OK sthen@

2011-03-23  Alexander Bluhm
  With pf IPv6 fragment reassembly, a large packet gets refragmented by pf in the forward path. To avoid dropping the unfragmented packet in ip6_forward(), move the MTU size check behind pf_test6(). ok claudio@

2011-03-22  Alexander Bluhm
  Extract the new function ip6_fragment() from ip6_output() to make it reusable by pf. ok claudio@

2011-03-09  Alexander Bluhm
  Log MAC address changes in the IPv6 neighbor discovery protocol cache as "ndp info overwritten". This makes the behavior similar to ARP. ok todd@, deraadt@, henning@, giovanni@, claudio@

2011-03-06  Alexander Bluhm
  Extract the new function frag6_deletefraghdr() from frag6_input() to make it reusable by pf. No functional change. ok henning@, claudio@

2011-02-24  Stefan Sperling
  Prevent the nd6_addr_add() work queue task from adding multiple addresses for the same prefix. Tested by giovanni@, steven@, Dennis den Brok. ok dlg miod claudio

2011-01-13  Alexander Bluhm
  In frag6_input() there was an mbuf length calculation error. If you want to move "offset" bytes forward by "sizeof(struct ip6_frag)" bytes within an mbuf, you must have at least "offset + sizeof(struct ip6_frag)" bytes space in that mbuf. Fix from KAME, FreeBSD also has it. ok claudio@ markus@

2011-01-09  Alexander Bluhm
  In ip6_forward() only one call to icmp6_error() was not protected by an if (mcopy). The variable mcopy comes from m_copy() and could be NULL. Bring this call in line with all the other icmp6_error() calls. ok henning@, claudio@, markus@, mpf@

2011-01-07  Alexander Bluhm
  Add socket option SO_SPLICE to splice together two TCP sockets. The data received on the source socket will automatically be sent on the drain socket. This allows to write relay daemons with zero data copy. ok markus@

2010-12-21  Claudio Jeker
  Remove the no longer used ip6s_exthdrtoolong field. OK mikeb@, henning@, deraadt@

2010-10-07  Marco Pfatschbacher
  Also call addrhooks for IPv6 addresses with a 128 bit prefixlen. I overlooked that one case in rev. 1.69. Fix from Pedro Martelletto. OK mcbride, claudio, henning.

2010-09-24  Joel Sing
  When processing IPv6 RA messages we may end up adding a new IPv6 address from interrupt context. This results in problems if the process of adding a new address makes use of pools that use PR_WAITOK (or anything else that may sleep). To avoid this problem, create a workq task so that the new IPv6 address is added from within process context. ok dlg@ henning@

2010-09-23  YASUOKA Masahiko
  add a new IP level socket option IP_PIPEX. This option is used for L2TP support by pipex. OK henning@, "Carry on" blambert@

2010-09-09  Claudio Jeker
  Why ip6_input.c includes netinet/ip_icmp.h is beyond my imagination. Compiles fine without it so remove it.

2010-08-07  Kenneth R Westerback
  No "\n" needed at the end of panic() strings. Bogus chunks pointed out by matthew@ and miod@. No cookies for marco@ and jasper@. ok deraadt@ miod@ matthew@ jasper@ macro@

2010-07-09  Reyk Floeter
  Add support for using IPsec in multiple rdomains. This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pick up the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Tested by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@

2010-07-09  Claudio Jeker
  Add the rtableid to struct rttimer and therefore make it available to the callback functions. This fixes a problem where dynamic routes in different tables would not get deleted because the callback was doing the remove on the wrong table. OK henning@

2010-07-08  Jonathan Gray
  remove some unused netinet6 code. ok stsp@ henning@ claudio@

2010-07-03  Philip Guenther
  Fix the naming of interfaces and variables for rdomains and rtables and make it possible to bind sockets (including listening sockets!) to rtables and not just rdomains. This changes the name of the system calls, socket option, and ioctl. After building with this you should remove the files /usr/share/man/cat2/[gs]etrdomain.0. Since this removes the existing [gs]etrdomain() system calls, the libc major is bumped. Written by claudio@, criticized^Wcritiqued by me

2010-07-01  Reyk Floeter
  Allow to specify an alternative enc(4) interface for an SA. All traffic for this SA will appear on the specified enc interface instead of enc0 and can be filtered and monitored separately. This will allow to group individual ipsec policies to virtual interfaces and simplifies monitoring and pf filtering with many ipsec policies a lot. This diff includes the following changes:
  - Store the enc interface unit (default 0) in the TDB of an SA and pass it to the enc_getif() lookup when running the bpf or pf_test() handlers.
  - Add the pfkey SADB_X_EXT_TAP extension to communicate the encX interface unit for a specified SA between userland and kernel.
  - Update enc(4) again to use an allocated array instead of the TAILQ to lookup the matching enc interface in enc_getif() quickly.
  Discussed with many, tested by a few, will need more testing & review. ok deraadt@

2010-06-29  Reyk Floeter
  Replace enc(4) with a new implementation as a cloner device. We still create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@

2010-06-28  Claudio Jeker
  Add the rtable id as an argument to rn_walktree(). Functions like rt_if_remove_rtdelete() need to know the table id to be able to correctly remove nodes. Problem found by Andrea Parazzini and analyzed by Martin Pelikán. OK henning@

2010-06-28  Alexander Bluhm
  Allow neighbor discovery for prefixes on interfaces without matching address. This is necessary when ospf6d has learned a prefix for a directly connected link which is not configured locally. Now neighbor discovery is solely based on the cloning route and not on the address neighborship anymore. ok claudio@

2010-05-11  Claudio Jeker
  Massive cleanup of the gif(4) mess. Move encapsulation into gif_output() where it is not necessary to guess protocols by looking at the first nibble. in_gif_output() will encapsulate the packet but not send it. Because of etherip support and the way the bridge works a minimal hack is needed in gif_start() to ensure that the bridged packets are encapsulated as well. This actually started with the idea to add MPLS support but that turned out to be not as simple as in the gre(4) case. Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6) OK sthen@

2010-05-08  Stefan Sperling
  During IPv6 source address selection, prefer RFC 4941 temporary addresses over other addresses configured on the same interface. Facilitates peaceful coexistence of temporary addresses for outgoing connections and static addresses for incoming connections. Fix typo in comment while here. ok claudio@

2010-05-07  Claudio Jeker
  Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1 accept flags for report and nocloning. Move the rtableid into struct route (with a minor twist for now) and make a few more codepaths rdomain aware. Apart from the pf.c and route.c bits the diff is mostly mechanical. More to come... OK michele, henning

2010-04-20  Ted Unangst
  remove proc.h include from uvm_map.h. This has far reaching effects, as sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt

2010-04-06  Stefan Sperling
  Simple implementation of RFC4941, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6". For those among us who are paranoid about broadcasting their MAC address to the IPv6 internet. Man page help from jmc, testing by weerd, arc4random API hints from djm. ok deraadt, claudio