ok gnezdo@
|
|
The sending machine is doing zero window probes, but is not sending
any more data although the other machine announced that it has space
again. The header prediction code did not update snd_wl2. If there
was a sequence number wrap, the send window update block is not
reached.
Update snd_wl2 when receiving predicted ACKs and update snd_wl1
and rcv_up for predicted pure data.
from FreeBSD; OK sashan@ claudio@
|
|
|
|
Panic reported by Hrvoje Popovski.
|
|
'tdb_data' struct became unused and was removed.
ok bluhm@
|
|
task queues were unlimited and could overflow during heavy traffic.
Even if we still use hardware drivers that sleep, softnet task
instead of soft interrupt can handle this now. Without queues net
lock is inherited and kernel lock is only needed once per packet.
This results in less lock contention and faster IPsec.
Also protect tdb drop counters with net lock and avoid a leak in
crypto dispatch error handling.
intense testing Hrvoje Popovski; OK mpi@
|
|
strict. ICMP error packets generated by pf were not passed
immediately, but could be blocked. Preserve PF_TAG_GENERATED flag
in icmp_reflect() and icmp6_reflect().
reported by sf@; OK patrick@ kn@
|
|
previous commit.
|
|
should not happen, but always check error conditions. tq is never
NULL, remove the check. tdb->tdb_odrops++ is not MP safe, but will
be addressed separately in ipsec_output_cb().
OK mvs@
|
|
error path. This fixes a use-after-free issue. Also fix the debug message
typo pointed out by bluhm@ in the error path.
ok millert@ bluhm@
|
|
destruction instead of using per-entity timeout. This fixes the races
between ipsp_ids_insert(), ipsp_ids_free() and ipsp_ids_timeout().
ipsp_ids_insert() can't stop ipsp_ids_timeout() timeout handler which is
already running and awaiting netlock to be released, so reused `ids' will
be silently removed in this case.
ipsp_ids_free() can't determine whether the ipsp_ids_timeout() timeout handler
is running because timeout_del(9) called by ipsp_ids_insert() clears its
triggered state. So ipsp_ids_timeout() could be scheduled to run twice in
this case.
Also hrvoje@ reported that ipsec(4) throughput increased with this diff,
so it seems we caught a significant number of ipsp_ids_insert() races.
tests and feedback by hrvoje@
ok bluhm@
|
|
counter than after decryption. This could result in "esp_input_cb:
authentication failed for packet in SA" errors. As we run crypto
operations async, thousands of packets are stored in the crypto
task. During the queueing the replay counter of the tdb can change.
Then the higher 32 bits may increment although the lower 32 bits
did not wrap.
checkreplaywindow() must be called twice per packet with the same
replay counter. Store the value in struct tdb_crypto while dangling
in the task queue and doing crypto operations.
tested by Hrvoje Popovski; joint work with tobhe@
|
|
OK tobhe@
|
|
route and was not there before. This should prevent a recursion
in path MTU discovery with TCP over IPsec.
reported and tested Matthias Schmidt; tested and OK tobhe@
|
|
ok tobhe@
|
|
and map data read only.
OK deraadt@ mvs@ mpi@
|
|
doing that in runtime within ipsp_acquire_sa().
ok bluhm@
|
|
produced ugly output. Move the function name and the newline into
the DPRINTF macro. This simplifies the debug statements.
OK tobhe@
|
|
constant. Then they are mapped as read only.
OK deraadt@ dlg@
|
|
because smr_read sections don't play well with sleeping locks in pf(4).
OK bluhm@
|
|
|
|
calling tcp_output() if the TCP maximum segment size changes. But
that did not work, as the new value was compared before tcp_mss()
had a chance to modify it. Move the comparison and change it from
not equal to greater than. It only makes sense to resend a packet
immediately if it becomes smaller and is more likely to fit.
OK sashan@ tobhe@
|
|
Thankfully clang elided the code in an almost harmless way (at least on
amd64 GENERIC.MP). Spotted by chance when building kernels
with -Wno-error=uninitialized.
ok dlg@ sashan@ bluhm@
|
|
is protected by kernel lock. There were crashes in swcr_authenc()
when it was accessing swcr_sessions. As a quick fix, protect all
calls from network stack to crypto with kernel lock. This also
covers the rekeying case that is called from pfkey via tdb_init().
OK mvs@
|
|
if a bridge checks the ip header before the network stack, then we
can remember it was ok when the bridge checks it so the ip stack
doesn't have to.
ok claudio@ mvs@
|
|
this will allow these checks to be reused by bridge (where they're
currently duplicated), veb, and tpmr.
ok bluhm@ sashan@
|
|
are constant. Having more const makes MP review easier. More
pointers are mapped read-only in the kernel image.
OK deraadt@ mvs@
|
|
PACKET_TAG_IPSEC_FLOWINFO to specify the IPsec flow.
ok mvs
|
|
`ps_rtableid' as atomic. This allows us to unlock setrtable(2).
ok claudio@ mpi@
|
|
in runtime within pfkeyv2_send(). Also set its interrupt protection
level to IPL_SOFTNET.
ok bluhm@ mpi@
|
|
functions are sysctl_int() and sysctl_rdint(). This brings us back
the 4.4BSD implementation. Then sysctl_int_bounded() builds the
magic for range checks on top. sysctl_bounded_arr() is a wrapper
around it to support multiple variables.
Introduce macros that describe the meaning of the magic boundary
values. Use these macros in obvious places.
input and OK gnezdo@ mvs@
|
|
mbuf list to if_output().
OK sashan@ mvs@
|
|
The global list of ARP llinfo is protected by net lock. This is
not sufficient when we switch to shared netlock. Add a mutex for
insertion and removal when net lock is not exclusive. This is
needed if we want to run IP output on multiple CPUs.
Put an assertion for shared net lock into arp_rtrequest.
input mvs@; OK sashan@
|
|
contains a mutex. Update la_hold_total with atomic operations.
OK sashan@
|
|
arp_rtrequest() in parallel. Move initialization to arpinit()
function.
OK kettenis@ mvs@
|
|
in the arp queue. So the sysctl net.inet.ip.arpqueued must be read
only. In if_ether.c include the header with the declaration of
la_hold_total to ensure that the definition matches.
OK mvs@
|
|
This is a backout of rev 1.366 which turned this feature off.
Although sending fewer ACKs makes TCP faster if the CPU is busy with
processing packets, there are corner cases where TCP gets slower.
Especially OpenBSD 6.8 and older have a maxburst limitation that
scales badly if the other side sends too few ACKs. Also regress
test relayd run-args-http-slow-consumer.pl uses strange socket
buffer sizes that trigger slow performance with the new algorithm.
For OpenBSD 6.9 release switch back to 6.8 delayed ACK behavior.
discussed with deraadt@ benno@ claudio@ jan@
|
|
icmp_send() must update IP header length if IP options are appended.
Such packet also has to be dispatched with IP_RAWOUTPUT flags.
Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com
OK bluhm@
|
|
this ensures more stuff is copied, in particular the flowid
information. this is also how v6 does it, which makes things more
consistent.
ok bluhm@
|
|
ok gnezdo@ semarie@ mpi@
|
|
pass the uint64_t that ether_input has already converted from a
real ethernet address into carp_input so it can use it without
having to do its own conversion.
tested by hrvoje popovski
tested by me on amd64 and sparc64
ok patrick@ jmatthew@
|
|
tested on amd64 and sparc64.
|
|
simplify the handling of the fragment list. Now the functions
ip_fragment() and ip6_fragment() always consume the mbuf. They
free the mbuf and mbuf list in case of an error and take care of
the counter. Adjust the code a bit to make v4 and v6 look similar.
Fixes a potential mbuf leak when pf_route6() called pf_refragment6()
and it failed. Now the mbuf is always freed by ip6_fragment().
OK dlg@ mvs@
|
|
the main bits are ether_addr_to_e64 and ether_e64_to_addr for loading
an ethernet address into a uint64_t and vice versa. there's also
some macros for testing if an address in a uint64_t is multicast,
broadcast, anyaddr, or if it's an 802.1q reserved multicast group
address.
the reason for this functionality is once you have an ethernet
address as a uint64_t, operations like compares, bit tests, and
so on are fast and easy.
tested on amd64 and sparc64
|
|
the first cut of this diff was made with coccinelle using this spatch:
@rule@
type caddr_t;
expression m, off, len, cp;
@@
-m_copydata(m, off, len, (caddr_t)cp)
+m_copydata(m, off, len, cp)
i had to fix its opinionated idea of formatting by hand though, so
i'm not sure it was worth it.
ok deraadt@ bluhm@
|
|
ok patrick@ bluhm@
|
|
the new chain. This fixes a potential memory leak in ip_output().
Also simplify a bunch of "goto done".
OK kn@ mvs@
|
|
ok deraadt@ dlg@
|
|
Technically the whole point of the stoeplitz API is that it's symmetric,
meaning that the order of addresses and ports doesn't matter and will produce
the same hash value.
Coverity CID 1501717
ok dlg@
|
|
could get stuck in an endless recursion during TCP path MTU discovery.
Create a dynamic host route in ip_output() that can be used by
tcp_mtudisc() to store the MTU.
Reported by Peter Mueller and Sebastian Sturm
OK claudio@
|