Age | Commit message | Author |
|
ok bluhm@
|
|
ifdef ENCDEBUG to make sure we don't use them elsewhere.
|
|
our addresses to reuse arplookup() and do only one list iteration.
Looks ok to claudio@, ok mikeb@
|
|
a flag. Rename the variable inpl_flags in tcp_input() to inpl_reverse
like in udp_input(). No binary change.
OK mikeb@
|
|
under some circumstances repair broken checksums on the way.
ok ryan naddy mikeb
.
redo most of the protocol (tcp/udp/...) checksum handling
-assume we have hardware checksum offloading. stop mucking with the
checksum in most of the stack
-stop checksum mucking in pf, just set a "needs checksumming" flag if needed
-in all output paths, very late, if we figure out the outbound interface
doesn't have hw cksum offloading, do the cksum in software. this especially
makes the bridge path behave like a regular output path
-little special casing for bridge still required until the broadcast path
loses its disgusting shortcut hacks, but at least it's in one place now
and not all over the stack
in6_proto_cksum_out mostly written by krw@
started at k2k11 in iceland more than 1.5 years ago - yes it took that
long, this stuff is everything but easy.
this happens to fix the infamous pf rdr bug that made us turn off proto
cksum offloading on almost all interface drivers.
|
|
Jeff Ross and later by myself, both on remote systems.
|
|
structure is zeroed out before use. From David Hill <dhill at
mindcry ! org>; ok blambert claudio henning
|
|
Reported by naddy@
|
|
structure rather than doing various M_WAITOK allocations during
the *attach() functions; we always rely on them anyway.
ok mikeb@, uebayasi@
|
|
iterating once we found a matching address.
ok mpf@, yasuoka@, henning@
|
|
ok bluhm@, mikeb@
|
|
in4_cksum() instead of in_cksum(). This gets rid of the clunky
m_data/m_len dance, which was described as "disgusting" in the original
comments. :)
Tested on a small MPLS test network (since icmp_do_exthdr() is currently
only used by MPLS code, specifically mpls_do_error()).
ok bluhm henning mikeb
|
|
unify some return statements while here.
ok bluhm@, henning@
|
|
ok otto
|
|
dropped by IPsec security policy.
input from and ok mikeb
|
|
consumed by icmp_input(). As an exception, control packets that
belong to a connection to a local socket must go to pr_ctlinput().
Add a switch over the ICMP type to handle that.
OK markus@ henning@
|
|
clunky m_data/m_len dance needed by in_cksum().
Tested on amd64, hppa, i386, loongson, macppc, sgi, and sparc64.
Thanks to blambert@, bluhm@, and henning@ for help and feedback;
abieber@ for testing this diff independently on macppc; krw@ for access
to his hppa, sgi, and sparc64 test systems at t2k13; nick@ for helping
me figure out Ken's hppa so that I can test this diff. :)
ok blambert bluhm henning mikeb
|
|
|
|
was only done when a packet traveled up the stack from pf to
tcp_input(). Now also link the state and inpcb when the packet is
going down from tcp_output() to pf. As a consequence, divert-reply
states where the initial SYN does not get an answer can be handled
more correctly.
This change is part of a larger diff that has been backed out in
2011. Bring the feature back in small steps to see when bad things
start to happen.
OK henning deraadt
|
|
into one block.
OK mpi@
|
|
even more of the kernel
fix formatting ugliness, whitespace only, obviously a copy & pasto
ok ryan
|
|
one so that we can use the real MAC address for carp(4), as in the
following example.
ifconfig carp0 carpdev REALIF lladdr <real interface's lladdr>
ok reyk mcbride
|
|
|
|
OK claudio@
|
|
splsoftassert(IPL_SOFTNET) at the start of in_pcbdetach().
From David Hill
|
|
From FreeBSD via UMEZAWA Takeshi
ok bluhm@
|
|
unconditionally for SIOCSIFADDR.
ok bluhm@, henning@
|
|
allow the assignment of &sa6_any. But rip6_ctlinput() could not
guarantee that, as it cast away the const attribute when passing
the pointer to in6_pcbnotify(). Replace sockaddr with const
sockaddr_in6 in the in6_pcbnotify() parameters. This reduces the
number of casts. Also adjust in6_pcbhashlookup() to handle the
const attribute correctly.
Input and OK claudio@
|
|
|
|
|
|
address configured on the interface just like SIOCSIFBRDADDR does.
This prevents the global IPv4 address list and the per-interface list
from being out of sync until a SIOCAIFADDR or SIOCSIFADDR ioctl(2)
is issued.
ok mikeb@, sthen@
|
|
globals used only in this file and explain that the printf/debug
variable must be settable by ddb.
ok henning@, sthen@
|
|
ok deraadt@, tedu@ (implicit)
|
|
ok mikeb@, haesbaert@
jajaja miod@
|
|
declare them once in their corresponding header file.
|
|
ok krw@, mikeb@
|
|
variables.
ok mikeb@
|
|
sysctl declarations, move variables and functions used in only
one place in their corresponding file. No functional change.
No objection from markus@, ok mikeb@
|
|
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
|
ok mikeb@, markus@
|
|
divert(4) sockets.
Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that
are diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will
have bad IP checksums and will be reinjected with bad IP checksums if
the userspace program doesn't correct the checksums; (2) the userspace
program may modify the packets, which would invalidate the checksums;
and (3) the divert(4) man page states that checksums are supposed to be
recalculated on reinjection.
This diff has been tested on a public webserver serving both IPv4/IPv6
for more than four weeks. It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6
userspace programs that intentionally break the IP and protocol
checksums to confirm that recalculation is done correctly on
reinjection. IPv6 extension headers were tested with Scapy.
Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline. Thanks also to todd@ for helping me in my search for the cause
of this bug.
I would especially like to thank blambert@ for reviewing many versions
of this diff, and providing guidance and tons of helpful feedback.
no objections from florian@
help/ok blambert@, ok henning@
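Added example, not code from OpenBSD or from either of the checksum commits above: a stand-alone C sketch of the two rules those messages describe. The output-path rule (the stack and pf only mark a packet as needing checksumming, and software fills the fields in only when the outbound interface cannot offload) and the divert(4) reinjection rule (a translated packet comes back from userland with stale IP and UDP checksums and both are recalculated) are exercised on one constructed packet. The CK_NEEDS_* flag names, cksum_out(), cksum_stale() and the 32-byte IPv4/UDP packet are assumptions made for this example; the kernel's in_cksum()/in4_cksum() and its mbuf handling are not reproduced.

```c
#include <stdint.h>
#include <string.h>

#define CK_NEEDS_IP	0x1	/* assumed flag names: IPv4 header sum stale */
#define CK_NEEDS_PROTO	0x2	/*                     TCP/UDP sum stale     */

/* One's-complement sum of a byte range, 16 bits at a time (RFC 1071). */
static uint32_t cksum_add(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += ((uint32_t)p[0] << 8) | p[1];
	return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Add `len` bytes minus the 16-bit field at `off`, then fold and complement. */
static uint16_t cksum_finish(uint32_t sum, const uint8_t *p, size_t len,
    size_t off)
{
	sum = cksum_add(cksum_add(sum, p, off), p + off + 2, len - off - 2);
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* IPv4 header checksum, ignoring whatever the header carries now. */
uint16_t ipv4_hdr_cksum(const uint8_t *pkt)
{
	return cksum_finish(0, pkt, (pkt[0] & 0x0f) * 4, 10);
}

/* TCP/UDP checksum over pseudo-header plus segment, ignoring the stored one. */
uint16_t ipv4_proto_cksum(const uint8_t *pkt, size_t len)
{
	size_t ihl = (pkt[0] & 0x0f) * 4, tlen = len - ihl;
	uint8_t pseudo[12] = { 0 };
	uint16_t c;
	if (pkt[9] != 6 && pkt[9] != 17)
		return 0;
	memcpy(pseudo, pkt + 12, 8);		/* src, dst, zero, proto, len */
	pseudo[9] = pkt[9], pseudo[10] = tlen >> 8, pseudo[11] = tlen & 0xff;
	c = cksum_finish(cksum_add(0, pseudo, 12), pkt + ihl, tlen,
	    pkt[9] == 6 ? 16 : 6);		/* TCP : UDP checksum offset */
	return (pkt[9] == 17 && c == 0) ? 0xffff : c; /* UDP 0 = "none" */
}

/* Which checksums are wrong right now, reported as CK_NEEDS_* bits. */
int cksum_stale(const uint8_t *pkt, size_t len)
{
	const uint8_t *t = pkt + (pkt[0] & 0x0f) * 4;
	int stale = 0, stored;
	if (((pkt[10] << 8) | pkt[11]) != ipv4_hdr_cksum(pkt))
		stale |= CK_NEEDS_IP;
	if (pkt[9] == 6)
		stored = (t[16] << 8) | t[17];	/* TCP: 0 is a legal value */
	else if (pkt[9] == 17 && ((t[6] << 8) | t[7]) != 0)
		stored = (t[6] << 8) | t[7];
	else
		return stale;	/* not TCP/UDP, or UDP sent without checksum */
	return stored == ipv4_proto_cksum(pkt, len) ? stale : stale | CK_NEEDS_PROTO;
}

/* Very late output step: an offloading driver gets the flags back untouched;
 * otherwise both fields are filled in by software here and nothing stays pending. */
int cksum_out(uint8_t *pkt, size_t len, int flags, int hw_offload)
{
	size_t coff = (pkt[0] & 0x0f) * 4 + (pkt[9] == 6 ? 16 : 6);
	uint16_t c;
	if (hw_offload)
		return flags;
	if ((flags & CK_NEEDS_PROTO) && (pkt[9] == 6 || pkt[9] == 17)) {
		c = ipv4_proto_cksum(pkt, len);
		pkt[coff] = c >> 8, pkt[coff + 1] = c & 0xff;
	}
	if (flags & CK_NEEDS_IP) {
		c = ipv4_hdr_cksum(pkt);
		pkt[10] = c >> 8, pkt[11] = c & 0xff;
	}
	return 0;
}

/* Constructed IPv4/UDP packet: 10.0.0.1:1234 -> 10.0.0.2:53, payload "abcd". */
const uint8_t sample_udp[32] = {
	0x45, 0x00, 0x00, 0x20, 0x00, 0x01, 0x40, 0x00, 0x40, 0x11, 0x00, 0x00,
	10, 0, 0, 1, 10, 0, 0, 2,
	0x04, 0xd2, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00, 'a', 'b', 'c', 'd'
};

/* rdr-to followed by divert reinjection: the destination is rewritten, the
 * checksums are not, and reinjection must repair both. Returns 1 on success. */
int divert_reinject_demo(void)
{
	uint8_t pkt[sizeof(sample_udp)];
	int both = CK_NEEDS_IP | CK_NEEDS_PROTO;
	memcpy(pkt, sample_udp, sizeof(pkt));
	cksum_out(pkt, sizeof(pkt), both, 0);		/* start with good sums */
	pkt[19] = 9, pkt[22] = 0x14, pkt[23] = 0xe9;	/* rdr-to 10.0.0.9:5353 */
	if (cksum_stale(pkt, sizeof(pkt)) != both)
		return 0;			/* both went stale, both caught */
	if (cksum_out(pkt, sizeof(pkt), both, 1) != both)
		return 0;			/* offload: the driver's job */
	return cksum_out(pkt, sizeof(pkt), both, 0) == 0 &&
	    cksum_stale(pkt, sizeof(pkt)) == 0;	/* no offload: software */
}
```

The two places a naive "just recompute" breaks are kept visible on purpose: a UDP checksum of zero means the sender did not checksum at all, so a computed zero has to be stored as 0xffff and a stored zero must not be verified, whereas a TCP checksum field of zero is an ordinary value that cksum_stale() does compare.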
|
|
into one block.
OK mpi@
|
|
instead of 0 for pointers. No binary change.
OK mpi@
|
|
three different ways. Use the same code in udp_usrreq() and
rip_usrreq() and rip6_usrreq(). This also fixes a pcb and socket
leak in udp_usrreq() in case soreserve() fails. Put an splsoftassert()
into in_pcballoc() for safety.
OK mpi@
|
|
reach the socket that the user has specified in pf.conf.
OK reyk@
|
|
OK deraadt@ guenther@
|
|
avoid ugly casts.
OK krw@ tedu@
|
|
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
|
.h files to pull it in, if needed
ok tedu
|
|
|