path: root/sys/netinet6
Age  Author  Commit message
2010-02-08  Joel Sing
    More destatic and ansification.
    ok claudio@ naddy@
2010-02-08  Joel Sing
    More destatic and ansification.
    ok claudio@ naddy@
2010-02-08  Joel Sing
    Destatic and ansify.
    ok claudio@ naddy@
2010-02-08  Joel Sing
    Destatic and ansify.
    ok claudio@ naddy@
2010-01-14  Joel Sing
    Destatic.
    ok kettenis@ claudio@ naddy@
2010-01-13  Henning Brauer
    instead of fiddling with the per-interface address lists directly in
    many places create a proper API (ifa_add / ifa_del) and use it.
    ok theo ryan dlg
2010-01-13  Henning Brauer
    adding an empty ifaddr struct to the per-interface ifaddr list and
    somewhen later eventually filling the address in is NOT nice.
    set address first, then insert.
    ok dlg theo ryan
2010-01-05  Jasper Lievisse Adriaanse
    - properly spell "packet".
2009-12-27  Jasper Lievisse Adriaanse
    - obvious typo in comment, from holger mikolon
2009-12-21  Stuart Henderson
    typo in comment; Holger Mikolon
2009-12-15  Jasper Lievisse Adriaanse
    - instead of rolling a macro that is functionally equivalent to nitems(),
      just use nitems(). (this leaves NENTS() alone for now)
    ok deraadt@ krw@
2009-11-25  Marco Pfatschbacher
    Small cleanup for setsockopt IPSEC6_OUTSA:
    No need to wrap input validation inside spltdb().
    Simplify code by using a break instead of an else-block.
    OK guenther@
2009-11-20  Philip Guenthe
    NULL dereference in IPV6_PORTRANGE and IP_IPSEC_*, found by Clement LECIGNE,
    localhost DoS everywhere. To help minimize further issues, make the
    mbuf != NULL test explicit instead of implicit in a length test.
    Suggestions and initial work by mpf@ and miod@
    ok henning@, mpf@, claudio@,
2009-11-19  Otto Moerbeek
    avoid overflow since protos > IPPROTO_MAX exist. From FreeBSD with
    a twist; ok millert@ kettenis@
2009-11-05  Michele Marchetto
    IPv6 support for divert sockets.
    tested by phessler@ pyr@
    ok claudio@ "go ahead" deraadt@
2009-11-03  Claudio Jeker
    rtables are stacked on rdomains (it is possible to have multiple routing
    tables on top of a rdomain) but until now our code was a crazy mix so that
    it was impossible to correctly use rtables in that case. Additionally pf(4)
    only knows about rtables and not about rdomains. This is especially bad when
    tracking (possibly conflicting) states in various domains.
    This diff fixes all or most of these issues. It adds a lookup function to
    get the rdomain id based on a rtable id. Makes pf understand rdomains and
    allows pf to move packets between rdomains (it is similar to NAT).
    Because pf states now track the rdomain id as well it is necessary to modify
    the pfsync wire format. So old and new systems will not sync up.
    A lot of help by dlg@, tested by sthen@, jsg@ and probably more
    OK dlg@, mpf@, deraadt@
2009-10-30  Claudio Jeker
    Don't do a double free, sys_getsockopt() will take care of freeing the
    mbuf allocated by the subroutines.
    OK kettenis@
2009-10-28  Theo de Raadt
    *NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,
    IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
    userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
    sparc64), sh, ...) on OpenBSD 4.3 or older
    copy of the ipv4 bug, spotted by claudio
2009-10-06  Claudio Jeker
    Redo the route lookup in the output (and IPv6 forwarding) path if the
    destination of a packet was changed by pf. This allows for some evil
    games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
    support. This is a first step and more work and cleanup is needed.
    Here a list of what works and what does not (needs a patched pfctl):
    pass out rdr-to:
        from local rdr-to local addr works (if state tracking on lo0 is done)
        from remote rdr-to local addr does NOT work
        from local rdr-to remote works
        from remote rdr-to remote works
    pass in nat-to:
        from remote nat-to local addr does NOT work
        from remote nat-to non-local addr works
    non-local is an IP that is routed to the FW but is not assigned on the FW.
    The non working cases need some magic to correctly rewrite the incoming
    packet since the rewriting would happen outbound which is too late.
    "time to get it in" deraadt@
2009-09-13  Kenneth R Westerback
    M_DUP_PKTHDR() define -> m_dup_pkthdr() function to properly deal
    with m_tag_copy_chain() failures.
    Use m_defrag() to eliminate hand rolled defragging of mbufs and
    some uses of M_DUP_PKTHDR().
    Original diff from thib@, claudio@'s feedback integrated by me.
    Tests kevlo@ claudio@, "reads ok" blambert@
    ok thib@ claudio@, "m_defrag() bits ok" kettenis@
2009-07-26  Thordur I. Bjornsson
    no need to cast the return value of m_freem() to void
    as it's a void function.
    ok claudio@
2009-06-05  Claudio Jeker
    Initial support for routing domains. This allows to bind interfaces to
    alternate routing table and separate them from other interfaces in distinct
    routing tables. The same network can now be used in any domain at the same
    time without causing conflicts.
    This diff is mostly mechanical and adds the necessary rdomain checks across
    net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
    input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
2009-06-04  Henning Brauer
    allow IPvShit to be turned off completely per-interface.
    ifconfig em0 -inet6
      deletes all v6 addresses including link-local and prevents new ones
      from being added.
    ifconfig em0 inet6 <addr>
      re-enables v6, brings the link local back and adds optional <addr>
    ok theo reyk
2009-05-31  Claudio Jeker
    Remove _KERNEL goo from kernel files because we're setting _KERNEL correctly.
    OK deraadt@, miod@
2009-05-18  Alexander Bluhm
    The routing table index rtableid has type unsigned int in the routing
    code. In pf rtableid == -1 means don't change the rtableid because
    of this rule. So it has to be signed int there. Before the value
    is passed from pf to route it is always checked to be >= 0. Change
    the type to int in pf and to u_int in netinet and netinet6 to make
    the checks work. Otherwise -1 may be used as an array index and
    the kernel crashes.
    ok henning@
2009-03-15  Miod Vallat
    Introduce splsoftassert(), similar to splassert() but for soft interrupt
    levels. This will allow for platforms where soft interrupt levels do not
    map to real hardware interrupt levels to have soft ipl values overlapping
    hard ipl values without breaking spl asserts.
2009-02-22  Claudio Jeker
    In icmp6_mtudisc_update make sure that the requested MTU is not less than
    the minimal IPv6 MTU minus the size of a frag header (which is needed
    because of a hack in ip6_output/ip6_setpmtu).
    Inspired by a similar fix from netbsd. OK markus@, OK deraadt@
2009-02-18  Claudio Jeker
    Move goto labels to the beginning of the line. Having them indented like
    the rest of the switch cases is a good camouflage.
2009-01-30  Rainer Giedat
    Mark routers internal as uninstalled after deleting the default route.
    This makes it possible to get a new default route by router advertisement
    after the old one got deleted (or timed out).
    Ok henning@, claudio@, mcbride@
2009-01-30  Ryan Thomas McBride
    "XXX: should this be performed under splnet()?"... Yes, yes it should.
    Interface configuration causes neighbour discovery, which runs packets
    through parts of the stack that require at least splsoftnet(), like pf
    and pfsync.
    ok dlg
2008-11-25  Markus Friedl
    delay /etc/netstart until IPv6-DAD (dup-address-detection) is completed.
    ok fries, hshoexer, claudio
2008-11-23  Claudio Jeker
    When accessing cached routes make sure the route is actually still valid.
    Before accessing a ro_rt make sure the route is either freshly allocated or
    RTF_UP is set. If not ro_rt should be freed and reallocated or at least no
    info from the ro_rt should be considered valid.
    This seems to solve the crashes seen by Felipe Alfaro Solana.
    some sort of OK dlg@
2008-11-02  Claudio Jeker
    Remove the M_ANYCAST6 mbuf flag by doing the detection all in ip6_input().
    M_ANYCAST6 was only used to signal tcp6_input() that it should drop the
    packet and send back icmp error. This can be done in ip6_input() without
    the need for a mbuf flag. Gives us back one slot in m_flags for possible
    future need.
    Looked at and some input by naddy@ and henning@. OK dlg@
2008-10-22  Markus Friedl
    filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4;
    ok bluhm, fries, mpf; fixes pr 4188
2008-10-15  Bret Lambert
    Second pass of simple timeout_add -> timeout_add_sec conversions
    This should take care of the simpler ones (i.e., timeout values of
    integer multiples of hz).
    ok krw@, art@
2008-10-02  Joel Sing
    Fix PF state key mismatches that occur when callers of icmp6_reflect()
    recycle mbufs.
    Based on an initial diff by henning@, also tested by todd@.
    ok henning@
2008-10-01  Claudio Jeker
    If a neighbor solicitation isn't from the unspecified address, make sure
    that the source address matches one of the interfaces address prefixes.
    From NetBSD, tested by todd@ and naddy@
2008-09-28  Joel Sing
    Clear the PF state key before an IP packet exits a gif(4) tunnel, in order
    to prevent state key mismatches.
    ok henning@
2008-09-17  Charles Longeau
    remove dead stores and newly created unused variables.
    Found by LLVM/Clang Static Analyzer.
    ok henning@ mpf@
2008-09-12  Henning Brauer
    just like v4 icmp, icmp6 recycles mbufs so we need to call
    pf_pkt_addr_changed to clear the recorded pf state information in the hdr
    claudio ok
2008-09-03  Marco Pfatschbacher
    Remove dead code: ip6_copypktopts() is not used anywhere.
    OK deraadt@, henning@
2008-08-08  Alexander Bluhm
    Do not latch the IPSec tdb to the inpcb unconditionally. This has
    been moved to the protocol layer from ip_output at 2002/05/31. The
    IPv6 part has been forgotten so packets could get encrypted
    unintentionally.
    ok hshoexer markus
2008-07-30  Can Erkin Acar
    Call ip6_clearpktopts() on error in copypktopts() instead of freeing
    every field individually.
    ok claudio@ markus@ henning@ deraadt@
2008-07-13  Claudio Jeker
    Do not specify the gateway on RTM_DELETE -- similar fix was done in the arp
    code. This fixes in6_ifloop_request warnings seen on carp interfaces.
    OK henning@, found and tested by david@
2008-06-11  Ryan Thomas McBride
    ANSIfy to sync with KAME. From Karl Sjodahl <dunceor@gmail.com>.
    ok todd deraadt naddy bluhm
2008-06-11  Ryan Thomas McBride
    From KAME, allow adjustable limits on NDP entries and discovered routes.
    ok mpf naddy
2008-06-09  Damien Miller
    Introduce a facility to generate unpredictable 32 bit numbers with
    near maximal (2^32) cycle times. These are useful for network
    IDs in cases where there are negative consequences to ID prediction
    and/or reuse.
    Use the idgen32() functions to generate IPv6 IDs and NFS client/server
    XIDs.
    Pseudorandom permutation code in crypto/idgen.c based on public
    domain skip32.c from Greg Rose.
    feedback & ok thib@ deraadt@
2008-05-24  Thordur I. Bjornsson
    Remove {tcp/udp}6_usrreq(); Since the normal ones now
    take a proc argument, there's no need for these, since they
    are just wrappers.
    OK claudio@
2008-05-23  Thordur I. Bjornsson
    Deal with the situation when TCP nfs mounts timeout and processes
    get hung in nfs_reconnect() because they do not have the proper
    privileges to bind to a socket, by adding a struct proc * argument
    to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
    and do the sobind() with proc0 in nfs_connect.
    OK markus@, blambert@. "go ahead" deraadt@.
    Fixes an issue reported by bernd@ (Tested by bernd@).
    Fixes PR5135 too.
2008-05-19  Markus Friedl
    SO_BINDANY for ipv6; ok djm@