Age | Commit message | Author |
|
is not intended and will behave unexpectedly if the address is
already used in another domain. It did not work anyway, as the PCB
ended in the wrong hash bucket after changing the rtable. Fail
with EBUSY if the socket is already bound and rehash the PCB if its
rtable changes.
input claudio@; OK mpi@
|
|
Since the rtalloc(9) rewrite no route lookup is done in this function so
there's no need for a destination or a rtable ID.
|
|
Testing help from Hrvoje Popovski.
ok mikeb@, henning@, claudio@
|
|
restoring pre-1.190 behaviour. ok millert@ mpi@
|
|
when the next packet needs to be forwarded, just like if the route
was invalid.
ok mikeb@, claudio@
|
|
work in the forwarding path.
Tested by Hrvoje Popovski, ok dlg@
|
|
This brings ip_dooptions() closer to mp-safeness by ensuring that
``ifa'' is dereferenced before calling rtfree(9).
ok mikeb@
|
|
Found by David Hill <dhill@mindcry.org> with clang.
|
|
ok mpi@
|
|
to get rid of the now useless foreign address and ports parameters.
ok mpi@
|
|
INPLOOKUP_IPV6 when applicable. Bug introduced in revision 1.197 by
yours truly.
Ok bluhm@
|
|
Kill old comments while at it.
Ok mpi@ bluhm@
|
|
as needed.
Ok bluhm@
|
|
attack against our hash function. In this case, switch to the
passive syn cache as soon as possible. It will start with a new
random seed for the hash.
input and OK mpi@
|
|
Since mpath is not enabled in RAMDISK, proxy ARP won't work there either.
ok bluhm@
|
|
This is convenient to test the feature and may be useful to defend
against syn flooding in a denial of service condition. It is
consistent with the existing syn cache sysctls. Move some declarations
to tcp_var.h to access the syn cache sets from tcp_sysctl().
OK mpi@
|
|
this is the second attempt to get it in, the first
attempt got backed out on Jan 31 2016
the change also contains fixes contributed by Stefan Kempf
in earlier iteration.
OK srhen@
|
|
stack reseeds the hash function every time the cache is empty.
Unfortunately the attacker can prevent the reseeding by sending
unanswered SYN packets periodically.
Fix this by having an active syn cache that gets new entries and a
passive one that is idling out. When the passive one is empty and
the active one has been used 100000 times, they switch roles and
the hash function is reseeded with new random.
tedu@ agrees; OK mpi@
|
|
From Florian Riehm, ok bluhm@
|
|
ok bluhm@
|
|
in6_pcbbind() into in_pcbbind().
Ok jca@ mpi@
|
|
ok jca@
|
|
checking for source availability in udp6_output(); This time with
all the files.
Ok jca@ bluhm@
|
|
This shows how often the hash function is reseeded and the random
bucket distribution changes.
OK mpi@ claudio@
|
|
ok mpi@ and tweaks from sthen@
|
|
ok mpi@
|
|
ok mpi@ millert@
|
|
This restores the previous behavior without looking at the reference
counter of route entries.
Static entries might not have a cloning route to re-create them and
when their timer expires they were completely gone as found the hard way
by matthieu@.
ok matthieu@
|
|
We don't expect inbound packets to come to PF with statekey attached.
- I've also found missing call to pf_pkt_addr_changed() at various
places, which needs to get fixed to prevent KASSERT() from firing.
OK mpi@, sthen@
|
|
construct an IPv6 packet instead of an IPv4.
Diff from Patrick Wildt <patrick at blueri ! se> with input from
bluhm@; ok mpi, bluhm
|
|
if a physical interface receives a multicast/broadcast packet and
has carp interfaces on it, that packet needs to be copied for
reception by each of those carp interfaces.
previously it was using m_copym2, but that doesn't respect the
alignment of the source packet. this meant the ip header in the
copies were aligned incorrectly for the network stack, which breaks
strict alignment archs.
m_dup_pkt lets carp specify that the payload needs an ETHER_ALIGN
adjustment, so the ip header inside will be aligned correctly.
reported and tested by anthony eden who hit this on armv7
i reproduced the problem on sparc64 and verified the fix on amd64
and sparc64
ok mpi@ mikeb@ deraadt@
|
|
This removes the only use of ETOOMANYREFS in our code, making intro(2)
match reality. No software out there explicitly checks for ETOOMANYREFS
in multicast code.
Discussed with millert@ and mpi@ (who suggested using ENOBUFS)
|
|
OK sthen@
|
|
OK mpi@ dlg@ sthen@
|
|
ok mpi@
|
|
ok mpi@
|
|
an interface joined a specific multicast group.
ok phessler@, visa@, dlg@
|
|
we can get the same info from the arp pool:
# vmstat -m | grep -e ^arp -e ^Name
Name Size Requests Fail InUse Pgreq Pgrel Npage Hiwat Minpg Maxpg Idle
arp    56       84    0     6     1     0     1     1     0     8    0
Requests and InUse end up being the same:
# pstat -d d arp_allocated
arp_allocated at 0xffffffff81942084: 84
# pstat -d d arp_inuse
arp_inuse at 0xffffffff81942098: 6
ok bluhm@ claudio@ mpi@
|
|
when an ARP resolution has been done.
Should hopefully fix the "receive 1" panic reported by benno@ on bugs@.
ok claudio@, phessler@, benno@, bluhm@
|
|
ok mikeb@, bluhm@
|
|
Problem reported by and diff tested by Fabian Raetz, thanks!
ok benno@, bluhm@
|
|
Packets of types ARP and REVARP are now processed in the softnet task,
directly from ether_input() and without holding the KERNEL_LOCK.
Tested by many, ok dlg@
|
|
This is needed in order to fully unlock ARP processing with carp(4)
interfaces as found the hard way by sthen@.
ok sthen@, dlg@
|
|
regression observed on avahi.
ok benno@
|
|
ok mpi
|