path: root/sys/net

Commit message (Author, Age, Files, Lines)
* Enable support for ASN1_DN ipsec identifiers.
  Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as
  the server. OK tobhe@ sthen@ kn@
  (phessler, 2020-11-05, 2 files, -3/+10)
* Replace wrong cast with satosin.
  Advised by bluhm@
  (denis, 2020-11-05, 1 file, -5/+3)
* Use sysctl_int_bounded in bpf_sysctl
  Unlike the other cases of sysctl_bounded_arr this one uses a dynamic limit.
  OK millert@
  (gnezdo, 2020-11-04, 1 file, -21/+5)
* replace the nvgre node when the endpoint ip changes.
  this helps nvgre follow things like carp masters changing on the inside of
  the virtual network. "makes sense" jmatthew@
  (dlg, 2020-11-03, 1 file, -2/+2)
* release the correct lock in noise_remote_begin_session()
  fixes a "noise_keypair: lock not held" panic observed by Caspar Schutijser.
  From Jason A. Donenfeld
  (jasper, 2020-10-31, 1 file, -1/+1)
* Add feature to force the selection of source IP address
  Based/previous work on an idea from deraadt@.
  Input from claudio@, djm@, deraadt@, sthen@. OK deraadt@
  (denis, 2020-10-29, 6 files, -13/+161)
* - missing NET_UNLOCK() in pf_ioctl.c error paths
  Reported-by: syzbot+b9af9c29ed1a6dabda25@syzkaller.appspotmail.com
  OK anton@
  (sashan, 2020-10-22, 1 file, -1/+2)
* Provide dummy definitions for NET_LOCK() and PF_LOCK() when compiling this
  file as part of tcpdump(8). Unbreaks the tree. ok deraadt@
  (kettenis, 2020-10-21, 1 file, -1/+6)
* - fixing fatal typos fp vs fp_prealloc.
  OK mpi
  (sashan, 2020-10-21, 1 file, -3/+3)
* Prevent NULL dereference introduced in previous.
  Used a different variable to not shadow `entry' allocated before grabbing
  the lock.
  (mpi, 2020-10-21, 1 file, -3/+5)
* - move NET_LOCK() further down in pf_ioctl.c. Also move memory allocations
  outside of NET_LOCK()/PF_LOCK() scope in easy spots. OK kn@
  (sashan, 2020-10-21, 2 files, -78/+275)
* replace a MAXPATHLEN that slipped back in with PATH_MAX so userland won't
  have to pull in <sys/param.h>. ok kn@ sashan@ deraadt@
  (naddy, 2020-10-14, 1 file, -2/+2)
* fix indent
  (anton, 2020-10-04, 1 file, -2/+2)
* Introduce `if_cloners_lock' rwlock and use it to serialize
  if_clone_{create,destroy}(). This fixes the races described below.

  if_clone_{create,destroy}() are kernel locked, but since they touch various
  sleep points introduced by rwlocks and M_WAITOK allocations, without
  serialization they can intersect due to race conditions. The avoided races
  are:

  1. While performing if_clone_create(), a concurrent thread performing
     if_clone_create() can attach an `ifp' with the same `if_xname' and leave
     `if_list', where all attached interfaces are linked, inconsistent.
  2. While performing if_clone_create(), a concurrent thread performing
     if_clone_destroy() can kill this incomplete `ifp'.
  3. While performing if_clone_destroy(), a concurrent thread performing
     if_clone_destroy() can kill this dying `ifp'.

  ok claudio@ kn@ mpi@ sashan@
  (mvs, 2020-10-03, 1 file, -5/+20)
* relax check for valid onrdomain range. onrdomain is -1 if the value is
  unused by the rule. So skip the rest of the check in that case.
  Fixes ruleset loading for semarie@. OK semarie@
  (claudio, 2020-10-02, 1 file, -2/+3)
* rdomain IDs do not need to exist for "on rdomain N" to work

  Unlike "... rtable N", pf.conf(5)'s "on rdomain N" does not alter packet
  state and will always work no matter if rdomain N currently exists or not,
  i.e. the rule "pass on rdomain 42" will simply match (and pass) packets if
  rdomain 42 exists, and it will simply not match (neither pass nor block)
  packets if 42 does not exist.

  There's no need to reload the ruleset whenever routing domains are created
  or deleted, which can already be observed now by creating an rdomain,
  loading rules referencing it and deleting the same rdomain immediately
  afterwards: pf will continue to work as expected.

  Relax both pfctl(8)'s parser check as well as pf(4)'s copyin routine to
  accept any valid routing domain ID without expecting it to exist at the time
  of ruleset creation - this lifts the requirement to create rdomains before
  referencing them in pf.conf while keeping pf behaviour unchanged.

  Prompted by yasuoka's recent pfctl parse.y r1.702 commit requiring an rtable
  to exist upon ruleset creation.

  Discussed with claudio and bluhm at k2k20.
  Feedback sashan
  OK sashan yasuoka claudio
  (kn, 2020-10-01, 1 file, -5/+3)
* fix indentation
  (jsg, 2020-10-01, 1 file, -2/+2)
* We have no if_attachtail() function so remove the declaration.
  ok deraadt@ claudio@
  (mvs, 2020-09-30, 1 file, -2/+1)
* Fix declaration of `routedomain'. It's not external here.
  "Correct" by deraadt@
  (mvs, 2020-09-23, 1 file, -2/+2)
* Document locks which protect `rtpcb' struct members.
  ok mpi@
  (mvs, 2020-09-22, 1 file, -8/+13)
* Set `if_snd' queue maximum length to 1. This enforces calls of
  pppx_if_qstart() and pppac_qstart() with netlock held. Otherwise we can't be
  sure about netlock status while performing these handlers.
  Problem reported by Glen Faustino. ok yasuoka@
  (mvs, 2020-09-20, 1 file, -5/+7)
* Start documenting locks for struct pppoe_softc members
  Pretty much all members are under the net lock, some are protected by both
  net and kernel lock, e.g. the start routine is called with KERNEL_LOCK().
  OK mpi
  (kn, 2020-09-13, 1 file, -20/+26)
* Keep port interface UP on removal
  There is no reason to change flags on member interfaces when removing them,
  aggr(4) does not pull its members down either.
  OK florian bluhm
  (kn, 2020-09-12, 1 file, -5/+1)
* Add sizes to free() calls
  These are the last ones in if_pppoe.c and if_spppsubr.c.
  OK beck
  (kn, 2020-09-12, 1 file, -9/+15)
* zap nasty whitespace
  (tb, 2020-09-01, 1 file, -3/+3)
* Fix a leak due to a missing free on m_defrag(m, M_NOWAIT) failure.
  Reported by Maxime Villard, fix from Matt Dunwoodie after feedback from
  claudio who is fine with either of the two suggested fixes going in.
  (tb, 2020-09-01, 1 file, -2/+8)
* Don't include "net/netisr.h" header. It's not needed here.
  ok yasuoka@
  (mvs, 2020-08-30, 2 files, -4/+2)
* pppac(4) uses per cpu counters to collect `ifnet' statistics, but in the
  pipex(4) layer this `ifnet' still uses `if_data'. Also pppx(4) doesn't use
  per cpu counters but `if_data'. Add per cpu counters to pppx(4) and
  pipex(4). This finishes the interface statistics collecting mess.
  ok yasuoka@
  (mvs, 2020-08-30, 2 files, -7/+6)
* Make sure not to pass NULL to explicit_bzero().
  Fixes CID 1496732. ok patrick@
  (tobhe, 2020-08-28, 1 file, -2/+3)
* Add missing #if's to fix build without bpf(4).
  ok deraadt@
  (mvs, 2020-08-28, 5 files, -7/+23)
* Use p2p_rtrequest()
  Although technically a point-to-multipoint interface, point-to-point
  semantics apply/fit when installing local routes, e.g. configuring IPv6
  addresses on it. This is to fix SIOCGNBRINFO_IN6 and thus ndp(8).
  Report and diff from Matt Dunwoodie <ncon at noconroy dot net>, thanks!
  OK tobhe
  (kn, 2020-08-27, 1 file, -1/+2)
* Make pipex(4) more common for pppac(4) and pppx(4). Replace
  pipex_iface of struct pipex_session with owner_sc which refers to the owner
  device. This makes ioctl commands for pppac or pppx device simpler.
  PIPEX{S,G}MODE became dummy since both pppac and pppx are always used with
  pipex. Also move some pppac specific things to the pppac part of if_pppx.c.
  suggestions from mvs, ok mvs
  (yasuoka, 2020-08-27, 4 files, -362/+182)
* Rehash main ruleset after rule expiration

  When "once" rules expire, they are removed from the active ruleset, hence
  the main ruleset needs to be rehashed iff itself contains once rules.

  After the previous commit, pf_setup_pfsync_matching() became much simpler
  but its name even less accurate; simplify it further and rename it to
  pf_calc_chksum() while here.

  Admins using "once" rules in combination with pfsync(4) are hopefully aware
  of this caveat (self-changing rulesets) already, but now the checksum in
  "pfctl -v -s info" actually indicates out-of-sync rulesets and is no longer
  misleading.

  OK sashan
  (kn, 2020-08-24, 1 file, -12/+9)
* Remove ptr_array from struct pf_ruleset

  Each ruleset's rules are stored in a TAILQ called "ptr" with "rcount"
  representing the number of rules in the ruleset; "ptr_array" points to an
  array of the same length.

  "ptr" is backed by pool_get(9) and may change in size as "expired" rules get
  removed from the ruleset - see "once" in pf.conf(5).

  "ptr_array" is allocated momentarily through mallocarray(9) and gets filled
  with the TAILQ entries, so that the sole user pfsync(4) can access the list
  of rules by index to pick the n-th rule during state insertion.

  Remove "ptr_array" and make pfsync iterate over the TAILQ instead to get the
  matching rule's index. This simplifies both code and data structures and
  avoids duplicate memory management.

  OK sashan
  (kn, 2020-08-24, 3 files, -25/+10)
* Add sizes to free() calls

  Simply reuse struct size or buffer length variables for free() the very same
  way they are used with malloc(), often within the same scope and/or only a
  few lines above.

  This leaves only a few selected free() calls with size zero in due to the
  fact that there is currently no variable to keep track of name and secret
  string lengths.

  OK mvs
  (kn, 2020-08-22, 1 file, -21/+23)
* Leave default ifq_maxlen handling to ifq_init()

  Most clonable interface drivers (except bridge, enc, loop, pppx, switch,
  trunk and vlan) initialise the send queue's length to IFQ_MAXLEN during
  *_clone_create() even though ifq_init(), which is eventually called through
  if_attach(), does the same.

  Remove all early "ifq_set_maxlen(&ifq->if_snd, IFQ_MAXLEN);" lines to leave
  it to ifq_init() and have clonable drivers a tad more in sync.

  OK mvs
  (kn, 2020-08-21, 19 files, -40/+19)
* Add sizes to free(9) calls

  There are either length variables tracking the allocated buffer or strings
  allocated by their length, reuse the same idiom each time when freeing.

  Reminder from Peter J. Philipp to account for NUL bytes in strings as well.

  OK mvs
  (kn, 2020-08-21, 1 file, -14/+21)
* Allow SIOCSWGDPID and SIOCSWGMAXFLOW ioctls for non-root

  ifconfig(8) detects switch(4) through its unique SIOCSWGDPID ioctl(2) and
  further does another switch specific ioctl for the default output regardless
  of configuration and/or members.

  But since these two ioctls are limited to root, running ifconfig as
  unprivileged user makes switch interfaces partially appear as bridge devices
  because the detection fails, e.g. STP parameters are shown instead of
  datapath id and flow parameters.

  ifioctl() limits a list of set/write ioctls to root, but these two read-only
  ioctls seem to have been listed by mistake, so remove them to omit the root
  check and fix "ifconfig switch" output for unprivileged users.

  Feedback from dlg
  (kn, 2020-08-19, 1 file, -3/+1)
* Zap LOOPALIVECNT
  Unused since r1.138 from 2015: "remove cisco hdlc code from sppp(4)".
  OK mpi
  (kn, 2020-08-14, 1 file, -2/+1)
* Set `IFXF_MPSAFE' bit to pppx(4) related `ifnet'. This moves pppx(4)
  packets output out of KERNEL_LOCK. pppx(4) and pipex(4) are ready for this.
  ok yasuoka@ mpi@
  (mvs, 2020-08-14, 1 file, -15/+9)
* Add a ROUTE_FLAGFILTER socket option for routing sockets, allowing
  filtering out messages for routes with flags matching any bit in a mask.
  This allows routing daemons to opt out of receiving messages for L2 and
  broadcast route entries, which they currently discard.
  ok dlg@ sthen@ deraadt@
  (jmatthew, 2020-08-13, 2 files, -5/+22)
* Use rtm_miss() rather than the simpler rtm_send() to send route delete
  messages, and save the route flags before deleting the route. For L2 route
  entries, the RTF_LLINFO flag is cleared during deletion, so saving the flags
  beforehand means they're correct in the routing socket message.
  ok mpi@
  (jmatthew, 2020-08-13, 1 file, -2/+8)
* Remove interface statistics update for outgoing packets. We shouldn't
  count them because `if_snd' does this.
  ok yasuoka@
  (mvs, 2020-08-12, 2 files, -13/+2)
* Run start routine without KERNEL_LOCK()
  pfsyncstart() does not require the big lock, make it use the ifq API.
  OK mvs
  (kn, 2020-08-11, 1 file, -6/+6)
* Set `IFXF_MPSAFE' bit to pppac(4) related `ifnet'. This moves pppac(4)
  packets output out of KERNEL_LOCK. pppac(4) and pipex(4) are ready for this.
  ok yasuoka@
  (mvs, 2020-08-10, 1 file, -14/+11)
* vether(4) is pretty dummy. It contains nothing that requires to be
  protected. So set `IFXF_MPSAFE' bit. This allows discarding outgoing packets
  without kernel lock.
  ok kn@
  (mvs, 2020-08-09, 1 file, -10/+7)
* pfkey_get may allocate more memory than is needed to hold the SA
  information. Make sure to only copy out actually used memory.
  ok patrick@
  (tobhe, 2020-08-07, 2 files, -14/+18)
* Allow pf(4) to divert packets from bridge(4) to local socket.
  joint work markus@ patrick@ bluhm@
  (bluhm, 2020-08-06, 1 file, -1/+23)
* Remove defines for `netisr' bits which are not used anymore.
  ok mpi@
  (mvs, 2020-08-06, 1 file, -5/+1)
* Use PFKEYV2_LIFETIME_CURRENT instead of magic number.
  ok patrick@
  (tobhe, 2020-08-05, 1 file, -2/+2)