path: root/sys/netinet
Age | Commit message | Author
2007-03-18 | Add IP load balancing support for carp(4). This provides a similar functionality as ARP balancing, but also works for traffic that comes across routers. IPv6 is supported as well. The configuration scheme will change as soon as we have sth better. Also add support for changing the MAC address on carp(4) interfaces. (code from mcbride) Tested by pyr@ and reyk@ OK mcbride@ | Marco Pfatschbacher
2007-03-16 | remove message that prints "arplookup: unable to enter address for xxx.xxx.xxx.xxx" because it is absolutely useless in a modern world with cable modems which leak arp packets over IP netblock zones; Anyone who used this as a diagnostic for real problems has other tools to use; from discussion with kitella, ok claudio | Theo de Raadt
2007-02-22 | Remove TCP ports 760 and 761 from DEFBADDYNAMICPORTS_TCP; they are not used with Heimdal. Add UDP port 749 to DEFBADDYNAMICPORTS_UDP for consistency with DEFBADDYNAMICPORTS_TCP. We retain some Kerberos 4 ports for people running Heimdal in Kerberos 4 compat mode. OK deraadt@ beck@ | Todd C. Miller
2007-02-20 | Fix the bpf hook in etherip_input() by using the right address family and moving the m_adj() down so that the ethernet header is preserved. This fixes tcpdump on bridged gif(4) interfaces. OK mglocker@ | Claudio Jeker
2007-02-15 | Simplify even more by reducing shared code in #if NBRIDGE and default case. OK mglocker@ | Claudio Jeker
2007-02-14 | Consistently spell FALLTHROUGH to appease lint. ok kettenis@ cloder@ tom@ henning@ | Jonathan Gray
2007-02-13 | whitespace fix | Jun-ichiro itojun Hagino
2007-02-10 | Cleanup, kill dead code and unused arguments. Mostly stuff that is computed and passed around but never used. OK mglocker@ | Claudio Jeker
2007-02-08 | - AH: when computing crypto checksum for output, massage source-routing header. - ipsec_input: fix mistake in IPv6 next-header chasing. - ipsec_output: look for the position to insert AH more carefully. - ip6_output: enable use of AH with extension headers. avoid tunnelling when source-routing header is present. ok by deraad, naddy, hshoexer | Jun-ichiro itojun Hagino
2007-02-01 | correct rfc; from Kris Katterjohn | Jason McIntyre
2007-01-18 | allow kernels with TCP_SIGNATURE (aka tcp md5sig), but without IPSEC to compile and work. need to register pfkey whenever tcp md5 or ipsec is defined, and the various ipsec encapsulations only if ipsec is defined. ok theo | Henning Brauer
2007-01-03 | Remove two "unused" mbuf tag functions and kill the superfluous argument to the m_tag_delete_chain() function. m_tag_free() and m_tag_unlink() are only used by m_tag_delete() and I see no need to have these functions around. m_tag_delete_chain() has a second argument to specify a starting point from where the chain should be deleted. This feature is never used and is more complex because it is not possible to remove a SLIST element without doing a list walk. Instead use SLIST_FIRST() and SLIST_REMOVE_HEAD() to remove all items from the list. OK dhartmei@ | Claudio Jeker
2007-01-02 | move local network route to real interface instead of carp interface; from mpf@ | Markus Friedl
2006-12-28 | check if ifqueue has anything queued before doing the dance of splnet/IF_DEQUEUE/splx; ok various people | Theo de Raadt
2006-12-19 | TDBF_USEDTUNNEL flag manipulation was inside #ifdef INET. it applies to INET6 too, so move it outside. markus ok | Jun-ichiro itojun Hagino
2006-12-15 | make enc(4) count; ok markus@ henning@ deraadt@ | Otto Moerbeek
2006-12-13 | use IN6_IS_SCOPE_EMBED to check kernel-internal form addresses (s6_addr16[1] filled) ok dhartmei | Jun-ichiro itojun Hagino
2006-12-11 | allow RST with th_seq incremented (seen from windows tcp clients); ok dhartmei | Markus Friedl
2006-12-09 | switch IPv6 advanced API from RFC2292 to RFC3542 (2292 is superseded by 3542). the kernel still handles RFC2292 set/getsockopts, so that compiled binary has no trouble running. userland sees RFC3542 symbols only on header file so new code has to use RFC3542 API. bump libc shlib minor for function additions. tested on i386/amd64 by jmc, i386 by brad. checked by deraadt. | Jun-ichiro itojun Hagino
2006-12-05 | make the syncache code respect (inherit) the ttl from the listening socket when sending the synack response. ok markus | Henning Brauer
2006-12-05 | do not install pmtu routes for transport mode SAs, as they do not the dest IP; PMTU debugging support; ok hshoexer | Markus Friedl
2006-12-01 | rangecheck ttl on IP_TTL, collected dust in my tree | Henning Brauer
2006-11-27 | make use of multiple routing tables. hook up looking up routes in alternate tables to the packet forwarding path. alternate routing tables are maintained with route(8), table selection via pf. mostly hacked on a train ride with ryan some time ago, ok mcbride claudio | Henning Brauer
2006-11-27 | The current implementation to handle control options is broken as soon as SO_REUSEADDR and multicast/broadcast comes into play. Model the ip_savecontrol handling after the rip_input version which works. Problem found by Simon Kelley. OK henning@ michele@ | Claudio Jeker
2006-11-25 | Remove unneeded branch, no need to check if opts is != NULL just set it to NULL in any case. | Claudio Jeker
2006-11-24 | add support to tag ipsec traffic belonging to specific IKE-initiated phase 2 traffic. this allows policy-based filtering of encrypted and unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and isakmpd.conf(5) for details and examples. this is work in progress and still needs some testing and feedback, but it is safe to put it in now. ok hshoexer@ | Reyk Floeter
2006-11-16 | in carp_attach, create the "carp" interface group, so that it is always and early in the boot process existent. needed by the rc scripts for carp demotion on the "carp" group. this used to work because pfsync0 was always there and member of said group; it has been broken on pfsync-less kernels for quite some time. ok mpf mcbride | Henning Brauer
2006-10-31 | do not re-generate the timestamp modulation offset for SYN-ACK retransmits; this unbreaks TCP for high RTT (~3s); ok mcbride@ | Markus Friedl
2006-10-11 | implement IP_MINTTL socket option for tcp sockets. This is for RFC3682 aka the TTL security hack - sender sets TTL to 255, receiver checks no router on the way (or, no more than expected) reduced the TTL. carp uses that technique already. modeled after FreeBSD implementation. ok claudio djm deraadt | Henning Brauer
2006-10-11 | implement IP_RECVTTL socket option. when set on raw or udp sockets, userland receives the incoming packet's TTL as ancillary data (cmsg shitz). modeled after the FreeBSD implementation. ok claudio djm deraadt | Henning Brauer
2006-09-26 | udp port 664 is sometimes also stolen on the wire by ipmi/asf baloney. Did these vendors really really really not think? Absolute morons. | Theo de Raadt
2006-09-21 | ugly trailing ws; from bret dot lambert at gmail | Otto Moerbeek
2006-08-31 | Automatically add a IPv6 link-local address to carp interfaces when the virtual MAC address is set. Among other things, this makes route6d work correctly on systems with carp interfaces. In order to ensure backwards compatibility, we do not include IPv6 link-local addresses in generating the HMAC, but we accept HMACs with AND without the link-local addresses. They will be added to the HMAC in a future release. In short: this change should only affect backwards compatibility for IPv6 users who are manually adding link-local addresses on carp interfaces. testing mtu@ todd@ ok mpf@ henning@ deraadt@ | Ryan Thomas McBride
2006-08-28 | Make carp see all IPv6 address additions and remove dead code in carp_ioctl() ok mpf@ henning@ | Ryan Thomas McBride
2006-08-21 | Answer ARP queries also for addresses on carp interfaces, if carp's physical interface shares a bridge with the interface that received it. Patch based on a version from camield@ Fixes PR 5178. OK mcbride@ | Marco Pfatschbacher
2006-08-16 | Send out a second delayed gratuitous ARP request after we've won the MASTER election. This seems to be necessary w/ some wacky L3 switches, that only learn by looking at ARP packets. Fixes PR 5148. OK mcbride@ | Marco Pfatschbacher
2006-07-18 | get rid of arc network support. we have no users of it so this is dead code. however, it is still cluttering up the kernel namespace a bit. it is better gone. ok claudio@ | David Gwynne
2006-07-17 | Call ip_savecontrol() in the multicast codepath of udp_input() similar to the INET6 code. With this it is possible to use e.g. IP_RECVIF to get the incoming interface. SOCK_RAW is not affected by this. Problem found and fixed by Michele 'mydecay' Marchetto. OK markus@ | Claudio Jeker
2006-07-06 | u_quad_t -> u_int64_t no functional change. | Brad Smith
2006-06-30 | htonq() is not used, at all | Theo de Raadt
2006-06-28 | No need to add function prototypes twice to a header file. | Claudio Jeker
2006-06-18 | Whitespace, oops. | Christopher Pascoe
2006-06-18 | Add support for equal-cost multipath IP. To minimise path disruptions, this implements recommendations made in RFC2992 - the hash-threshold mechanism to select paths based on source/destination IP address pairs, and inserts multipath routes in the middle of the route table. To enable multipath distribution, use: sysctl net.inet.ip.multipath=1 and/or: sysctl net.inet6.ip6.multipath=1 testing norby@ ok claudio@ henning@ hshoexer@ | Christopher Pascoe
2006-06-17 | unbreak; from theo | Henning Brauer
2006-06-16 | adjust functions dealing with the routing table to take a table ID as parameter so they can work on alternate tables. table 0 hardcoded for many callers yet, that will be adapted step by step. input + ok claudio norby hshoexer | Henning Brauer
2006-06-15 | Make number of varargs passed to ip_output match reality. henning@ claudio@ ok | Christopher Pascoe
2006-06-15 | Change cast of last vararg to ip_output to match what ip_output expects, for clarity. henning@ claudio@ ok | Christopher Pascoe
2006-06-15 | Make number of varargs passed to ip_output match reality. henning@ claudio@ ok | Christopher Pascoe
2006-06-06 | Put mrouting enable flag inside the right ifdef. If you change files here, make sure they compile with or without IPSEC, you morons! | Theo de Raadt
2006-06-02 | Introduce attributes to interface groups. As a first user, move the global carp(4) demotion counter into the interface group. Thus we have the possibility to define which carp interfaces are demoted together. Put the demotion counter into the reserved field of the carp header. With this, we can have carp act smarter if multiple errors occur. It now always takes over other carp peers, that are advertising with a higher demote count. As a side effect, we can also have group failovers without the need of running in preempt mode. The protocol change does not break compatibility with older implementations. Collaborative work with mcbride@ OK mcbride@, henning@ | Marco Pfatschbacher