boring details:
pf used to use an mbuf tag to keep track of route-to etc, altq, tags,
routing table IDs, packets redirected to localhost etc. so each and every
packet going through pf got an mbuf tag. mbuf tags use malloc'd memory,
and that is kinda slow.
instead, stuff the information into the mbuf header directly.
bridging soekris with just "pass" as ruleset went from 29 MBit/s to
58 MBit/s with that (before ryan's randomness fix, now it is even betterer)
thanks to chris for the test setup!
ok ryan ryan ckuethe reyk
|
|
headers, regardless of forwarding path. It's the sane thing to do.
ip6_check_rthdr0() function from claudio@
ok deraadt@ claudio@ henning@
|
|
more than 10 headers nested.
OK deraadt@ henning@ mcbride@
|
|
because turtles are slow but reliable and trustworthy, packets stay
on the net for a long period of time. bigger turtles can stay much longer.
that is the hidden secret reason for the name of KAME project (i'm lying).
j> some IETFers need to be sent to bondage/SM club and spanked/whipped
j> by thousands of dominas and then chopped into million pieces by samurai
j> swords.
t> maybe that is what they actually want, and that is why they
t> fucked RFC1883 and put rosemary's baby into RFC2460.
j> I am king of IETF now, and tomorrow i may become beggar on the IETF venue
j> hotel corridor.
http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf
ok by myself, deraadt@, <samurais at kame.net>
|
|
This provides a similar functionality as ARP balancing,
but also works for traffic that comes across routers.
IPv6 is supported as well.
The configuration scheme will change as soon as we have sth better.
Also add support for changing the MAC address on carp(4)
interfaces. (code from mcbride)
Tested by pyr@ and reyk@
OK mcbride@
|
|
ok kettenis@ cloder@ tom@ henning@
|
|
and passed around but never used. OK mglocker@
|
|
header.
- ipsec_input: fix mistake in IPv6 next-header chasing.
- ipsec_output: look for the position to insert AH more carefully.
- ip6_output: enable use of AH with extension headers.
avoid tunnelling when source-routing header is present.
ok by deraad, naddy, hshoexer
|
|
PR 34994+35333
|
|
splnet/IF_DEQUEUE/splx; ok various people
|
|
we will use rhlen uninitialized). checked with kame
|
|
with interface-local multicast addr in ip6_dst. by jinmei@kame
|
|
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.
bump libc shlib minor for function additions.
tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.
|
|
hook up looking up routes in alternate tables to the packet forwarding path.
alternate routing tables are maintained with route(8), table selection via pf.
mostly hacked on a train ride with ryan some time ago, ok mcbride claudio
|
|
deraadt ok. manpage nit by jmc.
|
|
(to sync up with more recent IPv6 spec)
ok from: deraadt mcbride
|
|
Before a normal user running ifconfig(8) could trigger up to three
address hook calls per interface.
OK mcbride@, henning@
|
|
virtual MAC address is set. Among other things, this makes route6d work
correctly on systems with carp interfaces.
In order to ensure backwards compatibility, we do not include IPv6
link-local addresses in generating the HMAC, but we accept HMACs with AND
without the link-local addresses. They will be added to the HMAC in a future
release.
In short: this change should only affect backwards compatibility for
IPv6 users who are manually adding link-local addresses on carp interfaces.
testing mtu@ todd@
ok mpf@ henning@ deraadt@
|
|
ok mpf@ henning@
|
|
no functional change.
|
|
To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.
To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1
testing norby@
ok claudio@ henning@ hshoexer@
|
|
parameter so they can work on alternate tables. table 0 hardcoded for
many callers yet, that will be adapted step by step.
input + ok claudio norby hshoexer
|
|
and additionally make the code part of the MROUTING option. Put it in deraadt@
|
|
"why are you not committing? into the tree, into the tree!"
and ok tedu@
|
|
cases harmless it is used by the IPv6 code. The result is that bgpd is unable
to assign link local addresses to the correct interface. OK henning@
Fix for PR 5063.
|
|
ok miod@ hshoexer@
|
|
directly. rather provide a rt_lookup function for regular lookups,
and a rt_gettable for those that need access to the head for some reason.
the latter cases should be revisited later probably so that nothing outside
the routing core code accesses the heads at all...
tested claudio jolan me, ok claudio markus
|
|
the remainder of the network stack from splimp to splnet.
ok miod@
|
|