| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok mpi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
the guts of this are in the etherbridge code which i added for
veb and used in bpe. there's a bit of boilerplate to make sure that
the addresses used for the endpoints will work with the tunnel
addresses that have been configured, but it's not too bad.
again, this is hard to use because ifconfig doesnt (yet) know how
to put ethernet addresses into the "add address" ioctl.
these ioctls could be used for things like evpn via bgpd though.
not sure if that's interesting to anyone though. it would probably
be more useful on vxlan interfaces.
|
| |
|
|
| |
ok mpi@
|
| | |
|
| |
|
|
|
|
|
| |
the guts of this are in the etherbridge code which i just added for
veb, so this code is very minimal. it's hard to use though cos
ifconfig doesnt (yet) know how to put ethernet addresses into the
"add address" ioctl.
|
| | |
|
| |
|
|
|
| |
after their current names so that the config-dump mode finds and uses
the current names. Spotted by Phil Pennock.
|
| | |
|
| | |
|
| |
|
|
|
| |
HostbasedAcceptedAlgorithms and HostKeyAlgorithms;
prompted by Jakub Jelen
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
ok patrick@ bluhm@
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Apple M1 SoCs.
ok patrick@
|
| | |
|
| |
|
|
|
|
|
|
| |
While here, zap a few ARGUSED linter comments.
Compile-tested by deraadt@.
ok deraadt@
|
| |
|
|
|
|
|
|
|
| |
switch_clone_destroy(). This fixes netlock assertion within underlay
ifpromisc(). The problem was reported by hrvoje@ [1].
"why not" by deraadt@
1. https://marc.info/?l=openbsd-bugs&m=161338077403538&w=2
|
| |
|
|
| |
ok millert@
|
| |
|
|
| |
ok claudio
|
| |
|
|
|
|
| |
mkdir was moved to the main process there is no need for access to .
in the rsync process.
OK job@ deraadt@
|
| | |
|
| | |
|
| |
|
|
|
|
| |
the new chain. This fixes a potential memory leak in ip_output().
Also simplify a bunch of "goto done".
OK kn@ mvs@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Without this modification, because of the volatile qualifier, the
compiler does not produce four `` = 0 '' assignments, but code
equivalent to:
*(volatile uint32_t *)INT_ST_MASK3 = 0;
*(volatile uint32_t *)INT_ST_MASK2 =
*(volatile uint32_t *)INT_ST_MASK3;
*(volatile uint32_t *)INT_ST_MASK1 =
*(volatile uint32_t *)INT_ST_MASK2;
*(volatile uint32_t *)INT_ST_MASK0 =
*(volatile uint32_t *)INT_ST_MASK1;
Anders Gavare reported to Miod Vallat, and he gave me a diff.
|
| | |
|
| |
|
|
|
| |
ipsec code is written, but is disabled, so the ipsec words here are
still commented out for now.
|
| |
|
|
| |
ok deraadt@ dlg@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
i found the Transparent Network Security Policy Enforcement paper
by angelos and jason was useful for understanding the background
and why you'd want to do this.
the implementation is a little bit different to the bridge one
because i've tweaked the order that pf and ipsec processing happens,
depending on which direction the packet is going over the bridge.
bridge always runs ipsec processing before pf, no matter which
direction the packet is going. packets going into veb, pf runs first
and then ipsec input processing is allowed to happen. in the outgoing
direction ipsec happens first and then pf. pf runs before ipsec in
the inbound direction so pf can apply policy to ipsec encapsulated
packets before they hit pf. this allows you to apply policy to both
the encrypted and unencrypted packets in both directions.
the code is disabled for now. this is mostly because i want veb(4)
to have a good chance at operating outside the netlock, and i'm
pretty sure the ipsec stack isn't ready for that yet. the other
reason why it's disabled is getting a test setup is effort, but i
want to sleep.
|
| |
|
|
| |
ok mpi@
|
| |
|
|
|
|
| |
Reduce differences with NetBSD and prepare for `uobj' locking.
No functionnal change. ok chris@, kettenis@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
using the ipv6 next protocol header probably doesnt work. it also
probably doesnt matter cos i'm not sure anyone uses this feature in
bridge. or maybe there isn't anyone who uses ipv6. both are plausible
options.
hahaha^Wok patrick@
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The timecounter struct is large and I think it may change in the
future. Changing it later will be easier if we use C99-style
initialization for all timecounter structs. It also makes reading the
code a bit easier.
For reasons I cannot explain, switching to C99-style initialization
sometimes changes the hash of the resulting object file, even though
the resulting struct should be the same. So there is a binary change
here, but only sometimes. No behavior should change in either case.
I can't compile-test this everywhere but I have been staring at the
diff for days now and I'm relatively confident this will not break
compilation. Fingers crossed.
ok gnezdo@
|
| |
|
|
|
|
| |
im considering converting ethernet addresses into uint64_ts to make
comparisons (and masking) easier. im trialling it here, and it
doesn't seem like the worst.
|
| |
|
|
| |
ok jmatthew@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
my intention is to replace bridge(4), but the way it works is
different enough from from bridge that a name change is justified
to distinguish them. it also makes it easier to commit it to the
tree and work on it in parallel to bridge, and allows a window of
migration.
the main difference between veb(4) and bridge(4) is how they use
interfaces as ports. veb takes over interfaces completely and only
uses them to receive and transmit ethernet packets. bridge also use
each interface as a port to the ethernet segment it's connected to,
but also tries to continue supporting the use of the interface as
a way to talk to the network stack on the local system. supporting
the use of interfaces for both external and local communication is
where most of my confusion with bridge comes from, both when i'm
trying to operate it and also understand the code. changing this
semantic is where most of the simplification in veb comes from
compared to bridge.
because veb takes over interfaces, the ethernet network set up on
a veb is isolated from the host network stack. by default veb does
not interact with pf or the ip (and mpls) stacks. to enable pf for
ip frames going over veb ports link1 on the veb interface must be
set. to have the stack interact with a veb network, vport interfaces
must be created and added as ports to a veb.
the vport interface driver is provided as part of veb, and is handled
specially by veb. veb usually prevents the use of ports by the stack
for sending an receiving packets, but that's why vports exist, so
veb has special handling for them.
veb already supports a lot of the other features that bridge has,
including bridge rules and protected domains, but i got tired of
working out of the tree and stopped implementing them. the main
outstanding features is better address table management, the
blocknonip flag on ports, transparent ipsec interception, and
spanning tree. i may not bother with spanning tree unless someone
tells me that they actually use it.
the core ethernet learning bridge functionality is provided by the
etherbridge code that was factored out of nvgre and bpe. veb is
already (a lot) faster than bridge, and is better prepared to operate
in parallel on multiple CPUs concurrently.
thanks to hrvoje popovski for testing some earlier versions of this.
discussed with many
ok patrick@ jmatthew@
|
| | |
|
| |
|
|
| |
and exit if ExitOnForwardFailure is set; bz3264
|
| |
|
|
| |
ok kettenis@ pirofti@
|
| |
|
|
| |
ok krw@
|
| |
|
|
| |
From miod@
|
| | |
|
| |
|
|
| |
functions. config_setpfkey() is always called with id PROC_IKEV2.
|
jsg
dlg
deraadt
dtucker
djm
tb
tobhe
lum
kettenis
cheloha
mvs
claudio
bluhm
aoyama
mpi