path: root/sys/netinet
2009-05-18  Alexander Bluhm: The routing table index rtableid has type unsigned int in the routing code. In pf rtableid == -1 means don't change the rtableid because of this rule. So it has to be signed int there. Before the value is passed from pf to route it is always checked to be >= 0. Change the type to int in pf and to u_int in netinet and netinet6 to make the checks work. Otherwise -1 may be used as an array index and the kernel crashes. ok henning@
2009-03-15  Miod Vallat: Introduce splsoftassert(), similar to splassert() but for soft interrupt levels. This will allow for platforms where soft interrupt levels do not map to real hardware interrupt levels to have soft ipl values overlapping hard ipl values without breaking spl asserts.
2009-02-16  David Gwynne: pfsync v5, mostly written at n2k9, but based on work done at n2k8. WARNING: THIS BREAKS COMPATIBILITY WITH THE PREVIOUS VERSION OF PFSYNC. this is a new variant of the protocol and a large reworking of the pfsync code to address some performance issues. the single largest benefit comes from having multiple pfsync messages of different types handled in a single packet. pfsync's handling of pf states is highly optimised now, along with packet parsing and construction. huggz for beck@ for testing. huge thanks to mcbride@ for his help during development and for finding all the bugs during the initial tests. thanks to peter sutton for letting me get credit for this work. ok beck@ mcbride@ "good." deraadt@
2009-01-30  Claudio Jeker: When don't-fragment packets need to get fragmented some code tries to update the route specific MTU from the interface (because it could have changed in between). This only makes sense if we actually have a valid route but e.g. multicast traffic does no route lookup and so there is no route at all and we don't need to update anything. Hit by dlg@'s pfsync rewrite which already found 3 other bugs in the network stack and slowly makes us wonder how it worked in the first place. OK mcbride@ dlg@
2009-01-29  Christian Weisgerber: Always zero the IP checksum field for packets and packet fragments being passed down if using HW checksum offload. From Brad, inspired by NetBSD/FreeBSD. ok markus@
2009-01-27  Alexander Bluhm: In IPsec acquire mode, if the flow was configured for the "any" network 0.0.0.0/0 or ::/0, the SA was established for the IP address in the packet instead of the network in the flow. That means the SA was not negotiated for the network 0.0.0.0 with mask 0 but for the remote IP with mask 255.255.255.255. This SA did not match the flow and did not work. To differentiate between general flows that are used to trigger specific host-to-host SAs and flows for matching network SAs, the if condition only uses the ipo->ipo_dst field now. For a flow without peer, an SA must be negotiated for each host-to-host combination. Otherwise, if a peer exists at the flow, the kernel acquires one SA for the whole network. tested by todd@, ok hshoexer@, angelos@, todd@
2008-12-24  Claudio Jeker: Fix two mbuf leaks in arpresolve. The first one happens on IFF_NOARP interfaces and is probably never hit. The other one happens when the number of packets on the arp hold queue is exceeded. If arpresolve() returns NULL the mbuf must be on the hold queue or freed. Fixes the mbuf leak seen by dlg@. Found with dlg@'s insane mbuf leak diff. OK dlg@
2008-12-24  David Gwynne: report the number of packets that arp resolution is holding onto until it gets a mac addr for an ip under net.inet.ip.arpqueued. ok deraadt@
2008-11-26  Henning Brauer: call pf_pkt_addr_changed() when we do encapsulate. fixes v6-over-v4 gifs wrt pf chatter about state linking mismatches. ok jsing claudio, tested by Ant La Porte <ant at ukbsd.org>
2008-11-08  David Gwynne: fix macros up so they use the do { } while (/* CONSTCOND */ 0) idiom. ok deraadt@ otto@
2008-11-02  Claudio Jeker: Remove the M_ANYCAST6 mbuf flag by doing the detection all in ip6_input(). M_ANYCAST6 was only used to signal tcp6_input() that it should drop the packet and send back icmp error. This can be done in ip6_input() without the need for a mbuf flag. Gives us back one slot in m_flags for possible future need. Looked at and some input by naddy@ and henning@. OK dlg@
2008-10-31  Claudio Jeker: Be way more strict in the number of packets allowed to be queued in the arp layer. With a lot of input from deraadt@. OK dlg@, looks good gollo@ + deraadt@
2008-10-30  Joerg Goltermann: Arpresolve could lose a few packets during resolving an ethernet address. This cvs commit introduces a queue that buffers a small burst of packets and resends the packets in correct order when the ethernet address is resolved. Code written by Armin Wolfermann <aw@osn.de>. OK: claudio@ henning@
2008-10-28  Marco Pfatschbacher: Do not keep retrying to send advertisements if there is no carpdev configured. I don't see how we can run into this at all, but let's leave this test for a little extra safety. OK henning@
2008-10-23  Theo de Raadt: use the correct idiom for NFOO things which come from "foo.h" files. ok dlg
2008-10-22  Marco Pfatschbacher: #if INET => #ifdef INET; #if INET6 => #ifdef INET6
2008-10-22  Markus Friedl: filter ipv6 ipsec packets on enc0 (in and out), similar to ipv4; ok bluhm, fries, mpf; fixes pr 4188
2008-10-16  Claudio Jeker: Kill M_HASFCS, it is not used in OpenBSD. If an ethernet chip returns the checksum in the packet it should be trimmed away by the driver and not by driver independent code. OK brad@
2008-10-13  Henning Brauer: disable the pcb linking for udp for the moment since there is some weird bug with IPv6 in some circumstances. we'll find it one day... lots of debugging dhill
2008-10-10  David Hill: back out previous change. Another panic, not as frequent, and definitely not at will.
2008-10-10  David Hill: Comment out statekey code to stop 'panic: soreceive 3', which happens with IPv6 TCP traffic, until a better fix is found. patch from henning@ prodded by deraadt@
2008-09-28  Joel Sing: Ansify function declarations for gif(4). ok claudio@
2008-09-28  Joel Sing: Clear the PF state key before an IP packet exits a gif(4) tunnel, in order to prevent state key mismatches. ok henning@
2008-09-16  Charles Longeau: remove another dead store. spotted by markus@ ok henning@ mpf@
2008-09-15  Charles Longeau: remove dead stores and newly created unused variables. Found by LLVM/Clang Static Analyzer. ok mpf@ looks good mk@ ok henning@
2008-09-10  Bret Lambert: Convert timeout_add() calls using multiples of hz to timeout_add_sec(). Really just the low-hanging fruit of (hopefully) forthcoming timeout conversions. ok art@, krw@
2008-09-10  Henning Brauer: icmp_reflect reuses mbufs. call pf_pkt_addr_changed to clear the state key stuff.
2008-09-09  Marco Pfatschbacher: The pf state to pcb linking code change didn't account for the TIME_WAIT socket recycling code to redo the pcb lookup w/out resetting the inp pointer. Therefore we used the stale pcb, which leads us to reply with a RST to SYNs received on TIME_WAIT sockets. Also move the findpcb label below the pf pcb cache lookup, to avoid using a stale pcb when the caching code gets activated. OK markus@, henning@
2008-09-03  Henning Brauer: do not set the pkthdr mbuf state key pointer to the state key saved in the pcb. the state key ptr in the pcb is the one that had to be used by pf outbound. but by convention the state key pointer in the pkthdr is the one used INbound, so pf follows its reverse pointer to find the sk to use, and since a reverse doesn't exist for locally terminated connections the reverse pointer is null and thus the whole game a noop. note that this only affects packets FROM local udp/tcp sockets, for the other direction everything works as expected.
2008-09-03  Marco Pfatschbacher: Prevent a possible overflow when the sum of all demotion counters gets bigger than 255. OK henning@
2008-08-26  Henning Brauer: we need to call pf_pkt_addr_changed here too. found by david
2008-08-26  Henning Brauer: call pf_pkt_addr_changed instead of manually clearing the pf state key ptr
2008-08-21  Alexander Bluhm: Assign the ip and ip6 pointers in ipsp_process_packet() only if a header of the matching address family is available. Especially do not read ip->ip_off from an IPv6 packet header. ok markus
2008-07-29  Theo de Raadt: when detaching pcbs, also free the v6 output options so that we do not leak kernel memory for every closed v6 descriptor with certain options set. ok otto jsing todd claudio
2008-07-24  Henning Brauer: ipsec is glued into the stack in a very weird way, violating all kinds of expected semantics. thus, for return packets coming out of an ipsec tunnel, we need to clear the pf state key pointer in the mbuf header to prevent a state for encapsulated traffic to be linked to the decapsulated traffic one. problem noticed by Oleg Safiullin <form@pdp-11.org.ru>, took me some time to understand what the hell was going on. ok ryan
2008-07-22  Alexander Bluhm: Assign the struct size to sin6_len instead of sin6_family. ok hshoexer claudio mpf henning
2008-07-16  Henning Brauer: link udp pcbs to pf states, same as done for tcp already. ok markus, also tested david sthen
2008-07-10  Damien Miller: add X11 ports to default TCP baddynamic list
2008-07-09  Damien Miller: expand the net.inet.(tcp|udp).baddynamic dynamic source port skipping bitmasks to cover the entire 65536 port space - previously they covered 512-1024 only. sysctl needs to be updated to cope with this change; please "make includes" before rebuilding it. feedback millert@ ok millert@ deraadt@ markus@
2008-07-03  Henning Brauer: link pf state keys to tcp pcbs and vice versa. when we first do a pcb lookup and we have a pointer to a pf state key in the mbuf header, store the state key pointer in the pcb and a pointer to the pcb we just found in the state key. when either the state key or the pcb is removed, clear the pointers. on subsequent packets inbound we can skip the pcb lookup and just use the pointer from the state key. on subsequent packets outbound we can skip the state key lookup and use the pointer from the pcb. about 8% speedup with 100 concurrent tcp sessions, should help much more with more tcp sessions. ok markus ryan
2008-06-28  Markus Friedl: no EOL between tcpsig and sack headers; ok jsing, frantzen
2008-06-26  Ray Lai: First pass at removing clauses 3 and 4 from NetBSD licenses. Not sure what's more surprising: how long it took for NetBSD to catch up to the rest of the BSDs (including UCB), or the amount of code that NetBSD has claimed for itself without attributing to the actual authors. OK deraadt@
2008-06-14  Todd T. Fries: make easier to read, found during a bug hunt earlier. ok bluhm@
2008-06-14  Joel Sing: Include "faith.h" in order to get NFAITH. Also clean up NFAITH conditionals whilst we're here. ok henning@ deraadt@
2008-06-14  Reyk Floeter: add carppeer; an option to specify a different multicast address or even the unicast address of the remote carp peer. this especially helps when the multicast carp advertisements are causing problems in the network (some crappy switches don't do well with multicast), there are conflicts with VRRP, or the policy of the network does not allow multicast (most Internet eXchange points didn't allow carped OpenBGP routers because of the multicast advertisements). discussed with many ok mpf@
2008-06-14  Joel Sing: ANSIfy function definitions. ok markus@
2008-06-14  Joel Sing: Include "pf.h" so we get NPF. ok reyk@
2008-06-13  Marco Pfatschbacher: Do not log carp state transitions from or to INIT by default. Reduces the amount of dmesg noise. Tested and OK mcbride@
2008-06-12  Joel Sing: Remove some crazy #if mess. ok markus@ henning@
2008-06-12  Joel Sing: ANSIfy function definitions. ok markus@ mcbride@ henning@ deraadt@