Age | Commit message | Author |
|
cksum needs to be 0'd before, pf does that now (just like in the tcp/udp
case) and nothing else uses the icmp "offloading" yet.
with & ok bluhm
|
|
Still some important missing pieces, and this is not yet enabled.
OK bluhm@
|
|
type 0 and dropped the packet if it found one. RFC 5095 demands
to handle a routing header type 0 like an unrecognised routing type.
This is enough to protect the own machine.
To protect a network as a firewall, we have pf which does the same
full scan in pf_walk_header6(). As pf is enabled by default, nothing
changes for most users. If you turn off pf on your router, you
should not expect extra protection.
Get rid of the double scanning in ip6_input() and the older
disabled code in route6_input(). No more special treatment of
routing header type 0 in the IPv6 stack.
OK henning@ mikeb@
|
|
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
interface to not depend on the global list of addresses.
For IPv4 the IP_TO_IA() macro still depends on the global list of
addresses because we want to be sure to grab the first configured
address of an interface, where the records are linked.
Tested by sthen@, ok henning@
|
|
ok claudio@, henning@
|
|
driver when using an AF_INET6 socket without checking for permission.
From Loganaden Velvindron, ok bluhm@
|
|
ok krw@, mikeb@
|
|
it since bluhm@ implemented it in 2012.
From Loganaden Velvindron, ok claudio@
|
|
OSIOCGIFINFO_IN6 anymore. Remove them together with the structs
in6_drlist, in6_oprlist, in6_prlist, in6_ondireq and the kernel
implementation.
OK mikeb@ henning@
|
|
members to 64bit types. Assign new syscall numbers for (almost
all) the syscalls that involve the affected types, including anything
with time_t, timeval, itimerval, timespec, rusage, dirent, stat,
or kevent arguments. Add a d_off member to struct dirent and replace
getdirentries() with getdents(), thus immensely simplifying and
accelerating telldir/seekdir. Build perl with -DBIG_TIME.
Bump the major on every single base library: the compat bits included
here are only good enough to make the transition; the T32 compat
option will be burned as soon as we've reached the new world and
are happy with the snapshots for all architectures.
DANGER: ABI incompatibility. Updating to this kernel requires extra
work or you won't be able to login: install a snapshot instead.
Much assistance in fixing userland issues from deraadt@ and tedu@
and build assistance from todd@ and otto@
|
|
routers, the kernel and ndp use a bunch of expire fields. Before
they were int or u_long, convert expire to time_t in all structs.
Move vltime and pltime to u_int32_t everywhere. Sort struct fields
by size. Struct inet6_ndpr_msghdr is not used at all, so remove
it.
Binary compatibility of rtsold and ndp break with this change as
rtsold uses in6_drlist and ndp uses in6_defrouter and in6_prefix
to interact with the kernel.
OK mpi@
|
|
of the IPL_NET. pf_test should no longer be called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
|
ok bluhm@
|
|
No binary change.
OK mikeb@ mpi@
|
|
No binary change.
OK mikeb@ mpi@
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in Iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
Reported by naddy@
|
|
structure rather than doing various M_WAITOK allocations during
the *attach() functions, we always rely on them anyway.
ok mikeb@, uebayasi@
|
|
length is always calculated on demand from ia_prefixmask.
OK claudio@ mpi@ henning@
|
|
this case, in6_unlink_ifa() must not complain about a missing prefix.
To avoid a false log message, check the prefixmask when the interface
address gets deleted.
OK mpi@
|
|
complain about a missing prefix for ::1 in in6_unlink_ifa(). Also
log the actual IPv6 address in the error message instead of the
kernel pointer of the interface address.
OK sthen@ mpi@
|
|
ipv4_input(), no functional change.
ok bluhm@
|
|
ok otto
|
|
consumed by icmp_input(). As an exception, control packets that
belong to a connection to a local socket must go to pr_ctlinput().
Add a switch over the ICMP type to handle that.
OK markus@ henning@
|
|
OK henning@ markus@
|
|
OK claudio@
|
|
with sin6tosa() or satosin6() inline functions. This allows the
compiler to check the types more strictly.
OK mpi@
|
|
allow the assignment of &sa6_any. But rip6_ctlinput() could not
guarantee that as it cast away the const attribute when it passes
the pointer to in6_pcbnotify(). Replace sockaddr with const
sockaddr_in6 in the in6_pcbnotify() parameters. This reduces the
number of casts. Also adjust in6_pcbhashlookup() to handle the
const attribute correctly.
Input and OK claudio@
|
|
to the driver where uninitialized data will be accessed.
Problem reported by hugh@, OK and input deraadt@, henning@
|
|
|
|
ok deraadt@, tedu@ (implicit)
|
|
declare them once in their corresponding header file.
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
|
ok millert@
|
|
ok mikeb@, markus@
|
|
divert(4) sockets.
Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that
are diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will
have bad IP checksums and will be reinjected with bad IP checksums if
the userspace program doesn't correct the checksums; (2) the userspace
program may modify the packets, which would invalidate the checksums;
and (3) the divert(4) man page states that checksums are supposed to be
recalculated on reinjection.
This diff has been tested on a public webserver serving both IPv4/IPv6
for more than four weeks. It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6
userspace programs that intentionally break the IP and protocol
checksums to confirm that recalculation is done correctly on
reinjection. IPv6 extension headers were tested with Scapy.
Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline. Thanks also to todd@ for helping me in my search for the cause
of this bug.
I would especially like to thank blambert@ for reviewing many versions
of this diff, and providing guidance and tons of helpful feedback.
no objections from florian@
help/ok blambert@, ok henning@
|
|
OK markus@
|
|
explicit cast.
OK deraadt@
|
|
instead of 0 for pointers. No binary change.
OK mpi@
|
|
Ok claudio@
|
|
No binary change.
OK claudio@
|
|
three different ways. Use the same code in udp_usrreq() and
rip_usrreq() and rip6_usrreq(). This also fixes a pcb and socket
leak in udp_usrreq() in case soreserve() fails. Put an splsoftassert()
into in_pcballoc() for safety.
OK mpi@
|
|
OK deraadt@ guenther@
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
|
|
defines into static inline functions. This allows the compiler to
check the source type before casting.
liked by many; OK mpi@ haesbaert@
|
|
ifatoia6 macros do not check the source type. They just cast
anything. Remove needless casts and do not use those macros if the
source type does not match. Remove duplicate defines.
No binary change. OK kettenis@ krw@
|
|
ok beck@, mikeb@
|