path: root/sys/netinet
Age         Author: Commit message
2008-09-28  Joel Sing: Ansify function declarations for gif(4).
    ok claudio@

2008-09-28  Joel Sing: Clear the PF state key before an IP packet exits a gif(4) tunnel, in order
    to prevent state key mismatches. ok henning@

2008-09-16  Charles Longeau: remove another dead store.
    spotted by markus@ ok henning@ mpf@

2008-09-15  Charles Longeau: remove dead stores and newly created unused variables.
    Found by LLVM/Clang Static Analyzer. ok mpf@ looks good mk@ ok henning@

2008-09-10  Bret Lambert: Convert timeout_add() calls using multiples of hz to timeout_add_sec()
    Really just the low-hanging fruit of (hopefully) forthcoming timeout conversions. ok art@, krw@

2008-09-10  Henning Brauer: icmp_reflect reuses mbufs. call pf_pkt_addr_changed to clear the state
    key stuff.

2008-09-09  Marco Pfatschbacher: The pf state to pcb linking code change didn't account for the
    TIME_WAIT socket recycling code to redo the pcb lookup w/out resetting the inp pointer. Therefore we used the stale pcb, which leads us to reply with a RST to SYNs received on TIME_WAIT sockets. Also move the findpcb label below the pf pcb cache lookup, to avoid using a stale pcb when the caching code gets activated. OK markus@, henning@

2008-09-03  Henning Brauer: do not set the pkthdr mbuf state key pointer to the state key saved in the
    pcb. the state key ptr in the pcb is the one that had to be used by pf outbound. but by convention the state key pointer in the pkthdr is the one used INbound, so pf follows its reverse pointer to find the sk to use, and since a reverse doesn't exist for locally terminated connections the reverse pointer is null and thus the whole game a noop. note that this only affects packets FROM local udp/tcp sockets, for the other direction everything works as expected.

2008-09-03  Marco Pfatschbacher: Prevent a possible overflow when the sum of all demotion counters
    gets bigger than 255. OK henning@

2008-08-26  Henning Brauer: we need to call pf_pkt_addr_changed here too. found by david

2008-08-26  Henning Brauer: call pf_pkt_addr_changed instead of manually clearing the pf state key ptr
2008-08-21  Alexander Bluhm: Assign the ip and ip6 pointers in ipsp_process_packet() only if a
    header of the matching address family is available. Especially do not read ip->ip_off from an IPv6 packet header. ok markus

2008-07-29  Theo de Raadt: when detaching pcbs, also free the v6 output options so that we do not
    leak kernel memory for every closed v6 descriptor with certain options set ok otto jsing todd claudio

2008-07-24  Henning Brauer: ipsec is glued into the stack in a very weird way, violating all kinds
    of expected semantics. thus, for return packets coming out of an ipsec tunnel, we need to clear the pf state key pointer in the mbuf header to prevent a state for encapsulated traffic to be linked to the decapsulated traffic one. problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some time to understand what the hell was going on. ok ryan

2008-07-22  Alexander Bluhm: Assign the struct size to sin6_len instead of sin6_family.
    ok hshoexer claudio mpf henning

2008-07-16  Henning Brauer: link udp pcbs to pf states, same as done for tcp already
    ok markus, also tested david sthen

2008-07-10  Damien Miller: add X11 ports to default TCP baddynamic list

2008-07-09  Damien Miller: expand the net.inet.(tcp|udp).baddynamic dynamic source port
    skipping bitmasks to cover the entire 65536 port space - previously they covered 512-1024 only. sysctl needs to be updated to cope with this change; please "make includes" before rebuilding it. feedback millert@ ok millert@ deraadt@ markus@

2008-07-03  Henning Brauer: link pf state keys to tcp pcbs and vice versa.
    when we first do a pcb lookup and we have a pointer to a pf state key in the mbuf header, store the state key pointer in the pcb and a pointer to the pcb we just found in the state key. when either the state key or the pcb is removed, clear the pointers. on subsequent packets inbound we can skip the pcb lookup and just use the pointer from the state key. on subsequent packets outbound we can skip the state key lookup and use the pointer from the pcb. about 8% speedup with 100 concurrent tcp sessions, should help much more with more tcp sessions. ok markus ryan

2008-06-28  Markus Friedl: no EOL between tcpsig and sack headers; ok jsing, frantzen

2008-06-26  Ray Lai: First pass at removing clauses 3 and 4 from NetBSD licenses.
    Not sure what's more surprising: how long it took for NetBSD to catch up to the rest of the BSDs (including UCB), or the amount of code that NetBSD has claimed for itself without attributing to the actual authors. OK deraadt@

2008-06-14  Todd T. Fries: make easier to read, found during a bug hunt earlier
    ok bluhm@
2008-06-14  Joel Sing: Include "faith.h" in order to get NFAITH. Also clean up NFAITH conditionals
    whilst we're here. ok henning@ deraadt@

2008-06-14  Reyk Floeter: add carppeer; an option to specify a different multicast address or
    even the unicast address of the remote carp peer. this especially helps when the multicast carp advertisements are causing problems in the network (some crappy switches don't do well with multicast), there are conflicts with VRRP, or the policy of the network does not allow multicast (most Internet eXchange points didn't allow carped OpenBGP routers because of the multicast advertisements). discussed with many ok mpf@

2008-06-14  Joel Sing: ANSIfy function definitions.
    ok markus@

2008-06-14  Joel Sing: Include "pf.h" so we get NPF.
    ok reyk@

2008-06-13  Marco Pfatschbacher: Do not log carp state transitions from or to INIT by default.
    Reduces the amount of dmesg noise. Tested and OK mcbride@

2008-06-12  Joel Sing: Remove some crazy #if mess.
    ok markus@ henning@

2008-06-12  Joel Sing: ANSIfy function definitions.
    ok markus@ mcbride@ henning@ deraadt@

2008-06-12  Joel Sing: Fix type difference between function prototype and implementation.
    According to millert@ this would have been promoted from a short to an int anyway, since K&R C cannot pass variables that are smaller than an int. ok deraadt@ millert@

2008-06-11  Bret Lambert: 0 -> PR_NOWAIT (which is defined as 0) in pool_get
    as an aid to readability ok and thinko-catching henning@

2008-06-11  Can Erkin Acar: fix an old typo that prevented outer ipv6 headers from being corrected,
    also fix the correction amount. This was only really visible on tcpdump, as a "truncated-ip6 - 48 bytes missing" warning. The inner packet made it into the stack just fine, minus a few sanity checks. reported by and debugged together with and ok todd@

2008-06-10  Todd T. Fries: encapsulating v4 in v6 IPSec should not be so fun,
    do not process v4 headers as v6, 255 TTL + icmp (0x01) = ff01:: suddenly, eww! debugged with bluhm@, verified by grunk@, ok markus@
2008-06-09  Damien Miller: rename arc4random_bytes => arc4random_buf to match libc's nicer name;
    ok deraadt@

2008-06-08  Claudio Jeker: When adding PMTU related routes to the table inherit the priority from the
    parent instead of using RTP_DEFAULT. OK henning@

2008-06-08  Thordur I. Bjornsson: alloc ipq's for fragment reassembly from a pool instead of using
    malloc(); ok henning@ some time ago

2008-06-06  Henning Brauer: we must not hardcode the route priority in arplookup, it does not
    just insert arp entries. the inserted routes will have the right priority no matter what, most times cloned. problem found by Joerg Goltermann <jg@osn.de>, fix by his colleague Armin Wolgermann <aw@osn.de>, ok claudio

2008-06-04  Miod Vallat: adderss -> address

2008-05-24  Thordur I. Bjornsson: Remove {tcp/udp}6_usrreq(); Since the normal ones now
    take a proc argument, there's no need for these, since they are just wrappers. OK claudio@

2008-05-23  Thordur I. Bjornsson: Deal with the situation when TCP nfs mounts timeout and processes
    get hung in nfs_reconnect() because they do not have the proper privileges to bind to a socket, by adding a struct proc * argument to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind) and do the sobind() with proc0 in nfs_connect. OK markus@, blambert@. "go ahead" deraadt@. Fixes an issue reported by bernd@ (Tested by bernd@). Fixes PR5135 too.

2008-05-19  Claudio Jeker: Unbreak builds for kernels that have atm interfaces. Found the hard way by
    Theo on an alpha ramdisk. OK deraadt@

2008-05-15  Markus Friedl: divert for ipv6; ok henning, pyr

2008-05-11  Kenneth R Westerback: Try harder to avoid corrupting the mbuf pool. Stuff any mbuf chain in
    ln_hold or la_hold into temporary storage and null ln_hold or la_hold before manually processing the mbuf chain. Discard the mbuf chain if it is put back in the hold area. ok claudio@ markus@

2008-05-09  Claudio Jeker: more rtrequest() to rtrequest1() replacement.
    OK henning@

2008-05-09  Henning Brauer: arp entries in the routing table should have priority RTF_CONNECTED
    ok claudio theo

2008-05-09  Markus Friedl: should check for null pointers; from henning@

2008-05-09  Markus Friedl: IP_RECVDSTPORT, allows you to get the destination port of UDP datagrams
    for pf(4) diverted packets; based on patch by Scot Loach; ok beck@

2008-05-09  Markus Friedl: Add SO_BINDANY socket option from BSD/OS.
    The option allows a socket to be bound to addresses which are not local to the machine. In order to receive packets for these addresses SO_BINDANY needs to be combined with matching outgoing pf(4) divert rules, see pf.conf(5). ok beck@

2008-05-09  Markus Friedl: divert packets to local socket without modifying the ip header;
    makes transparent proxies much easier; ok beck@, feedback claudio@

2008-05-07  Claudio Jeker: Implement routing priorities. Every route inserted has a priority assigned
    and the one route with the lowest number wins. This will be used by the routing daemons to resolve the synchronisation issue in case of conflicts. The nasty bits of this are in the multipath code. If no priority is specified the kernel will choose an appropriate priority. Looked at by a few people at n2k8; code is much older.