path: root/sys/netinet
Age | Commit message | Author
2018-07-23 | Coverity CID 1470233 complains that the m != NULL check in syn_cache_get() is not necessary. Also make the abort label consistent to resetandabort and free the mbuf there. OK mpi@ | Alexander Bluhm
2018-07-16 | Fix for uninitialized variables. Found by and ok jsg@, ok markus@ | Martin Pieuchot
2018-07-12 | Introduce ipsec_output_cb() to merge duplicate code and account for dropped packets in the output path. While here fix a memory leak when compression is not needed w/ IPcomp. ok markus@ | Martin Pieuchot
2018-07-11 | Disambiguate the source of panics in sys/net* by adding __func__ magic constant to panic() calls. ok benno@ henning@ tb@ | Nayden Markatchev
2018-07-11 | Retire RTM_LOSING, it no longer makes sense and on busy servers the route socket is flooded with those messages. Instead make sure that the removal of the dynamic route that can happen is actually also sent to the routing socket. OK mpi@ henning@ | Claudio Jeker
2018-07-11 | rtm_send() the cloned routes because of ICMP mtu changes. Until now these changes to the routing table have not been visible whereas the RTM_DELETE of those routes have been. Remove this inconsistency. Input and OK mpi@ OK henning@ | Claudio Jeker
2018-07-11 | Convert AH & IPcomp to ipsec_input_cb() and count drops on input. ok markus@ | Martin Pieuchot
2018-07-10 | Introduce new IPsec (per-CPU) statistics and refactor ESP input callbacks to be able to count dropped packets. Having more generic statistics will help troubleshooting problems with specific tunnels. Per-TDB counters are coming once all the refactoring bits are in. ok markus@ | Martin Pieuchot
2018-07-10 | Remove DELAY(1000) from carp_send_arp() / carp_send_na() since it is not clear why it was necessary. OK bluhm@ 'ok but watch for fallouts' mpi@ | friehm
2018-07-05 | It was possible to leak the control mbuf in raw ip user request with sendmsg(2) and MSG_OOB. Sync the code in udp, rip, and rip6_usrreq. Add an inp NULL check in rip6_usrreq for consistency. OK benno@ mpi@ | Alexander Bluhm
2018-07-04 | Prevent a mbuf double free by not freeing it along the error-path in rip{6,}_usrreq() since soreceive() will free it. ok bluhm@ | anton
2018-06-25 | Assert that the NET_LOCK() is held when iterating over `ipsec_acquire_head'. ok visa@ as part of a larger bigger diff | Martin Pieuchot
2018-06-14 | In in_pcballoc() finish the inp initialization before adding it to the global inpcb queue and hashes. OK visa@ mpi@ as part of a larger diff | Alexander Bluhm
2018-06-14 | Assert that the INP_IPV6 in in6_pcbconnect() is correct. Just call in_pcbconnect() to avoid the address family maze in syn_cache_get(). input claudio@; OK mpi@ | Alexander Bluhm
2018-06-14 | Use mbuf (not cluster) always for t_template of tcpcb. ok bluhm | YASUOKA Masahiko
2018-06-11 | Fix RAMDISK build by removing an #ifdef INET6 in tcp_trace(). found the hard way by krw@ | Alexander Bluhm
2018-06-11 | Do not unlock the KERNEL_LOCK() unconditionally in sounlock(). Instead introduce two flags to deal with global lock recursion. This is necessary until we get per-socket lock. Req. by and ok visa@ | Martin Pieuchot
2018-06-11 | Push the KERNEL_LOCK() inside route_input(). ok visa@, tb@ | Martin Pieuchot
2018-06-11 | The output from tcp debug sockets was incomplete. After detach tp was NULL and nothing was traced. So save the old tcpcb and use that to retrieve some information. Note that otb may be freed and must not be dereferenced. Use a heuristic for cases where the address family is in the IP header but not provided in the PCB. OK visa@ | Alexander Bluhm
2018-06-08 | The udp control option processing was implemented three times. Multicast lacked receive destination port. Better use a function and do it all in one place. The pipex chunk does not use the options, so it can happen before. Adding the udp header length to the ip header length was done inconsistently. Do it explicitly when needed. OK mpi@ visa@ | Alexander Bluhm
2018-06-07 | The global zero addresses must not change, mark them constant. OK tb@ visa@ | Alexander Bluhm
2018-06-06 | Pass the socket to sounlock(), this prepares the terrain for per-socket locking. ok visa@, bluhm@ | Martin Pieuchot
2018-06-04 | Cleanup IPsec output error handling with consistent goto drop. from markus@; OK mpi@ | Alexander Bluhm
2018-06-03 | Use variable names for rtable and rdomain consistently in the in_pcb functions. discussed with and OK mpi@ visa@ | Alexander Bluhm
2018-06-03 | Rename the incpb table field inpt_hash to inpt_mask as it contains the hashmask. For the resize calculations it is clearer to use the field inpt_size. OK visa@ mpi@ | Alexander Bluhm
2018-06-03 | SIOCSIFNETMASK takes a 'struct ifreq', so use 'ifr' for it and drop the now unused 'ifra' from in_ioctl(). Discussed with mpi and visa | Theo Buehler
2018-06-03 | Better version of the refactoring attempted in r1.154. Move SIOCSIFADDR to its own function and merge the two switches in in_ioctl_change_ifaddr(). Finally: each ioctl has its own case and privilege check. ok visa As an aside, an audit of the ports tree has shown that we should continue to support the legacy ioctls SIOCSIF{,BRD,DST}ADDR, SIOCSIFNETMASK despite the fact that they have been deprecated for the better part of two decades and FreeBSD dropped support 7 years ago. Too many ports still rely on them. Thanks to sthen and visa for their help with that. | Theo Buehler
2018-06-02 | Move the declarations of the raw ip and ip6 pcb tables into the in_pcb.h header file. OK mpi@ visa@ | Alexander Bluhm
2018-06-02 | Cleanup the in_pcbnotifymiss diagnostic printfs. Always print the rdomain. Move the printf to the end of the pcb lookup functions. OK tb@ mpi@ visa@ | Alexander Bluhm
2018-06-02 | The function in_pcbrehash() does not modify the pcb table queue. So in in_pcbresize() the variant without _SAFE of the TAILQ_FOREACH macro is sufficient. OK tb@ mpi@ visa@ | Alexander Bluhm
2018-05-31 | zap trailing whitespace | Theo Buehler
2018-05-31 | Re-commit the correct half of revision 1.154: Some more code shuffling to get rid of one switch in in_ioctl(). This way there is one case for each of SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK, starting with a privilege check before any global data is modified. ok visa | Theo Buehler
2018-05-31 | Back out previous. The handling of SIOCSIFADDR is now wrong. | Theo Buehler
2018-05-31 | Some more code shuffling to get rid of one switch in each, in_ioctl() and in_ioctl_change_ifaddr(). This way there is one case per ioctl starting with a privilege check before any global data is modified. The code paths are now straightforward. Some code duplication between SIOCSIFADDR and SIOCAIFADDR, but that can be addressed later. tested by hrvoje ok visa | Theo Buehler
2018-05-28 | Next step in disentangling the switches in in_ioctl(). Split out the handling of SIOCAIFADDR, SIOCDIFADDR, SIOCSIFADDR into a separate function, analogously to what was done in in6_ioctl(). tested by hrvoje ok visa | Theo Buehler
2018-05-25 | Prepare in_ioctl() for further refactoring with the goal of merging the two big switches in this function. Error out early in the default case without grabbing the NET_LOCK() and move SIOCSIFNETMASK a bit up. This will reduce the noise in an upcoming diff. ok visa | Theo Buehler
2018-05-21 | All places that call carp_lsdrop() use the interface pointer already. It does not make sense to call if_get() again, just pass ifp as parameter. Move the IFT_CARP check into the function instead of doing it everywhere. Replace the inverted match variable logic with simple returns. OK mpi@ friehm@ | Alexander Bluhm
2018-05-19 | Introduce a tdb_reaper() function to prevent a use-after-free when a timeout is blocking on the NET_LOCK(). Issue reported by Harald Dunkel, ok visa@, bluhm@ | Martin Pieuchot
2018-05-16 | Fix kernel builds without IPSEC. OK mikeb@ | Reyk Floeter
2018-05-14 | When checking the IPsec enable sysctls, ipsec_common_input() had switches for protocol and address family. Move this code to the specific functions from where the common function is called. As a consequence the raw ip input functions can never be called from udp_input() anymore. If IPsec is disabled, the functions ah6_input(), esp6_input(), and ipcomp6_input() do not start processing the header chain. The raw ip input functions are called with the mbuf and offset pointers from the protocol walking loop which is the usual behavior. OK mpi@ markus@ | Alexander Bluhm
2018-05-14 | When walking the IPv6 header chain in IPsec output, check that the next extension header is within the packet length. Also check at the end that the IPv4 headers are not longer than the packet. reported by Maxime Villard; from markus@ via NetBSD; OK mpi@ | Alexander Bluhm
2018-05-12 | Cleanup IPsec common input error handling with consistent goto drop. from markus@; OK mpi@ | Alexander Bluhm
2018-05-12 | Cleanup IPsec IPComp error handling with consistent goto drop. from markus@; OK mpi@ | Alexander Bluhm
2018-05-10 | TCP debug sockets still had code for old TCP timers that were implemented as slow and fast protocol user requests. Replace that with a proper timer debug implementation. OK visa@ | Alexander Bluhm
2018-05-09 | Cleanup IPsec ESP error handling with consistent goto drop. with and OK markus@ | Alexander Bluhm
2018-05-09 | Cleanup IPsec AH error handling with consistent goto drop. with and OK markus@; input mpi@ | Alexander Bluhm
2018-05-08 | Historically there were slow and fast tcp timeouts. That is why the delack timer had a different implementation. Use the same mechanism for all TCP timers. OK mpi@ visa@ | Alexander Bluhm
2018-05-02 | Do not assume that mbufs within a chain do not have M_PKTHDR set. This could happen during fragment reassembly. Better check if we are dealing with the first mbuf of the chain. m_adj() changes the length of the mbuf, obviously. So when using this length to calculate the amount of adjustment, do not calculate it again after m_adj() with wrong input. Use a temporary variable to save the value. from Maxime Villard, NetBSD; OK markus@ claudio@ | Alexander Bluhm
2018-05-02 | Split out the handling of SIOCGIF* into a new function, in_ioctl_get(), that only needs the read lock. ok visa, mpi | Theo Buehler
2018-04-30 | Reduce the scope of the NET_LOCK() in in_control(). Two functions were protected: mrt_ioctl() and in_ioctl(). The former has no other callers and only needs a read lock. The latter will need refactoring to reduce the lock's scope further. In a first step, establish a single exit point and protect most of the function body with the NET_LOCK() while removing the NET_LOCK() from a handful of callers. suggested by & ok mpi, ok visa | Theo Buehler