Age | Commit message | Author |
|
in the mbuf may be improperly aligned. Whenever a function is
reinjecting packets from low level output functions into high level
output functions (like ip_output) it must be guaranteed that the
mbuf data is properly aligned.
OK blambert@, deraadt@
|
|
hiding everything but the TCP_* options unless __BSD_VISIBLE. While
we're here, change the structure to use u_int32_t instead of u_int
to cut off the types discussion.
ok tedu@, mikeb@
|
|
No binary change.
ok claudio@ henning@
|
|
of the variable nmax from int to u_long as the socket buffer sizes
it operates on are also u_long.
ok claudio@
|
|
There's not much use for the declassified cipher from the 80's
with a questionable license these days. According to the FIPS
drafts, Skipjack reaches its EOL in December 2010.
The libc portion will be removed after the ports hackathon.
djm and thib agree, no objections from deraadt
Thanks to jsg for digging up FIPS drafts.
|
|
currently have, let the call succeed.
Mirrors the same behaviour as setrtable()
OK claudio@
|
|
socket from the information we have in the syncache. Also bzero() the
tcpcb that is passed to tcp_dooptions() just to be sure.
|
|
A session must stick to the rscale factor sent out in the SYN packet.
Remove the bogus tcp_rscale() call which is done after a full established
session is returned from the syncache.
|
|
reason to reduce the amount of ACKs sent and delayed ACKs have a very bad
interaction with the large MTU of lo(4) and the fairly small socketbuffer
size. In collaboration with andre@freebsd.
OK deraadt@
|
|
Reminded by naddy@
|
|
OK djm@ claudio@ dlg@
|
|
We can use an IPv6 address as the outer header of L2TP.
Kernel ABI is changed. You must update npppd.
OK @claudio, yasuoka@, dlg@
|
|
Send buffer is scaled by not accounting unacknowledged on the wire
data against the buffer limit. Receive buffer scaling is done similarly
to FreeBSD -- measure the delay * bandwidth product and base the
buffer on that. The problem is that our RTT measurement is coarse
so it overshoots on low delay links. This does not matter that much
since the recvbuffer is almost always empty.
Add a back pressure mechanism to control the amount of memory
assigned to socketbuffers that kicks in when 80% of the cluster
pool is used.
Increases the download speed from 300kB/s to 4.4MB/s on ftp.eu.openbsd.org.
Based on work by markus@ and djm@.
OK dlg@, henning@, put it in deraadt@
|
|
with an offset equal to the actual data length.
ok henning blambert
|
|
support by pipex.
OK henning@, "Carry on" blambert@
|
|
RFC 4106 and 4543.
Authentication hash key is set to be the same as an encryption key.
The length that is specified for the authentication hash descriptor
denotes the length of Additional Authentication Data (AAD).
The encryption transformation descriptor length denotes the length
of the payload (to be encrypted and authenticated).
ENCR_NULL_AUTH_AES_GMAC treats all input as AAD, thus the encryption
length is set to zero.
This also fixes padding for stream ciphers, so that payload will
be 4-byte aligned.
|
|
allows other users (like MPLS) to use this function instead of rolling their own
version. Implement icmp_do_exthdr() to attach an RFC 4884 extension header
to an ICMP error produced by icmp_do_error().
"best to get it in." deraadt@
|
|
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case should an ICMP
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
|
|
OK: claudio@, bob@, sthen@, thib@
|
|
be more explicit and force it in dst.
OK deraadt@, mcbride@
|
|
has enough space for all the fragments on it.
this check was snuck in by itojun under an unrelated commit. it broke when
i set the virtual interface send queue depths to 1, which beck had to
special case at n2k10. without this code we avoid these dubious checks
along with another splnet/splx pair, and it should make future work on
manipulating send queues easier.
ive been running this in production since n2k10 (~7months ago).
ok claudio@ henning@ deraadt@
|
|
family checks before calling ifatoia/ifatoia6.
ok deraadt@, dlg@, mcbride@
|
|
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
|
This allows running isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pick up the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to the enc0 interface is required per rdomain, e.g. enc1 rdomain 1.
Tested by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
|
the callback functions. This fixes a problem where dynamic routes in
different tables would not get deleted because the callback was doing
the remove on the wrong table.
OK henning@
|
|
like time exceeded messages. This will allow adding additional information
to those messages like the incoming MPLS label.
OK deraadt@, dhill@
|
|
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
|
an 8 year old bug exposed by recent uvm changes
ok thib@ tedu@ deraadt@
|
|
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
|
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
grouping individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocated array instead of the TAILQ to
look up the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
|
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
|
rt_if_remove_rtdelete() need to know the table id to be able to correctly
remove nodes.
Problem found by Andrea Parazzini and analyzed by Martin Pelikán.
OK henning@
|
|
the one used by Cisco. It sends a return gre packet inside a gre packet
to the other side and expects it to return.
OK deraadt, reyk additional testing by sthen
|
|
netboot methods using rarp, thus only learning their IP address without
mask. And of course the next step is a broadcast - which goes to the
broadcast address calculated classful. *sigh*. PR6382
instead of storing a second broadcast address per ifaddr as we used to,
figure out whether we're dealing with a classful broadcast on the fly. the
math is extremely cheap and all my previous profiling showed that cpu
cycles are basically free, we're constrained by memory access.
excellent analysis by Pascal Lalonde <plalonde at overnet.qc.ca> who also
submitted the PR. claudio ok
|
|
connect() calls. Our network stack does not allow any v4 mapped addresses
so there is no need to allow them in connect(). Found after discussion with
Henning. OK deraadt@
|
|
rt_timer_queue_destroy() did not actually destroy, leading to a potential
memory leak due to misleading nomenclature. Change it to actually destroy,
not just clean, the rt_timer_queue passed to it and adjust the correct
caller accordingly (i.e., no need to free the mem on our own now).
As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free
cycles, and lets us sneak another bzero -> M_ZERO conversion in.
ok claudio@
|
|
aligned, otherwise we lose on strict alignment architectures. Should fix
problems with gcc4 compiled bsd.rd's that people see on sparc64.
ok millert@, beck@, jsing@
|
|
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
OK sthen@
|
|
is defined.
|
|
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more code paths rdomain aware.
Apart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
|
removed. Extend carp demote logging to also show the reason for
the demote. Return EINVAL instead of ERANGE if a carpdemote request
is out of range. Requested from otto.
OK mcbride, henning.
|
|
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
faith 1", noticed by Andris Kadar. ok kettenis@ beck@
|
|
ok claudio@ "approved" deraadt@
|