| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
previously the gif code would patch the tos field and not recalc
the cksum, which would cause ip input code to drop the packet due
to a cksum failure. the ipip code patched ip_tos and unconditionally
recalculated the cksum, making it correct, but also wiping out any
errors that may have been present before the recalculation. updating
the cksum rather than replacing it lets cksum failures still fire.
ip_tos_patch() is provided in the ecn code since it's because of ecn
propagation that we need to update the tos field. internally it
works like pf_patch_8 and pf_cksum_fixup, but since pf is optional
it rolls its own code. procter may fix that in the future...
ok claudio@
|
|
|
|
|
|
| |
userland.
Inputs from markus@, ok sthen@
|
|
|
|
|
|
| |
Exposes per-CPU counters to real parrallelism.
ok visa@, bluhm@, jca@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the inner IP packet into the internet queue. The IPv6 local delivery
code has a loop to deal with header chains. The idea is to use
this loop and avoid the queueing and rescheduling. The IPsec packet
will be processed in a single flow.
Merge the IP deliver loop from both IP versions into a single
ip_deliver() function that can handle both addresss families. This
allows to process an IP in IP header like a normal extension header.
If af != AF_UNSPEC, we are already in a deliver loop and have the
kernel look. Then we can just return the next protocol. Otherwise
we enqueue. The dequeue thread has the kernel lock and starts an
IP delivery loop.
OK mpi@
|
|
|
|
|
|
| |
to ipip_input_if() and always pass the ifp. Only dump the packet
to bpf if we are called with a gif(4) interface.
OK mpi@
|
|
|
|
|
|
|
| |
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
|
|
|
|
|
|
| |
in ipip_input_gif(). This prevents a use-after-free if there is a
bug in the IP input functions.
OK mpi@
|
|
|
|
|
|
|
| |
This will help transitionning to an un-KERNEL_LOCK()ed IP
forwarding path.
Disucssed with bluhm@, ok claudio@
|
|
|
|
|
| |
upcoming diffs, no functional change.
OK mpi@
|
|
|
|
|
|
|
|
|
|
| |
and outer header. Reset values depending on the the mbuf when the
mbuf is adjusted. Check the length of the inner IP header with the
correct size in case of IPv6. Check the IPv4 header size including
IP options. For the IPIP statistics the inner header length has
to be subtracted from the packet size as the outer header has already
been stripped off.
OK mpi@
|
|
|
|
|
| |
address family passed to ipip_input().
OK mpi@
|
|
|
|
|
|
|
|
|
|
| |
packets. This is the IP in IP protocol input function, so call it
ipip_input(). Rename the existing ipip_input() to ipip_input_gif()
as it is the input function used by the gif interface. Pass the
address family to make it consistent with pr_input. Use __func__
in debug print and panic messages. Move all ipip prototypes to the
ip_ipip.h header file.
OK dhill@ mpi@
|
|
|
|
|
| |
the function declaration of ipe4_input() and avoid a wrong cast.
OK mikeb@ dhill@
|
|
|
|
|
|
|
| |
change the pointer. Then *mp keeps the invalid pointer and it might
be used. Fix the potential use after free and also reset *mp in
other places to have less dangling pointers to freed mbufs.
OK mpi@ mikeb@
|
|
|
|
|
|
|
| |
inline function instead of casting it to sockaddr. While there,
use inline instead of __inline for all these conversions. Some
struct sockaddr casts can be avoided completely.
OK dhill@ mpi@
|
|
|
|
|
| |
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@
|
|
|
|
|
|
| |
zero the buffers first. All the current objects appear to be safe,
however future changes might introduce structure pads.
Discussed with guenther, ok bluhm
|
|
|
|
| |
ok bluhm@ dhill@ mpi@
|
|
|
|
|
|
|
| |
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@
|
|
|
|
|
|
| |
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@
|
|
|
|
| |
ok mpi@ millert@
|
|
|
|
| |
ok mpi@
|
|
|
|
|
|
|
|
|
| |
In all but two calls NULL is passed and in the other 2 cases the ifp
is only used to maybe feed it to in6_selecthlim() to select the hoplimit
for the link. Since in6_embedscope() only works on link-local addresses
it does not matter what hop limit we select since the destination is
directly reachable.
OK florian@ mpi@
|
|
|
|
| |
ok mpi@
|
|
|
|
|
|
| |
of interfaces.
ok bluhm@
|
|
|
|
| |
From David Hill; OK mpi@
|
|
|
|
| |
ok guenther@, henning@
|
|
|
|
| |
ok stsp mpi
|
|
|
|
| |
ok mpi
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
receiving interface in the packet header of every mbuf.
The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.
Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.
Tested by jmatthew@ and krw@, discussed with many.
ok mikeb@, bluhm@, dlg@
|
|
|
|
| |
ok krw@ miod@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with niqueues.
this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places
by flipping all these input queues at once i can keep the currently
common code common.
testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@
|
|
|
|
|
| |
long live the one true internet.
ok henning mikeb
|
|
|
|
| |
ok mikeb@, krw@, bluhm@, tedu@
|
|
|
|
| |
ok mpi@ kspillner@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
|
|
|
|
|
| |
global variables to in6.h.
ok deraadt@
|
|
|
|
|
|
| |
global variables to in.h.
ok mikeb@, deraadt@
|
|
|
|
|
|
|
| |
created a bunch of useless dependencies. Remove this implicit
inclusion and do an explicit #include <netinet6/in6_var.h> when it
is needed.
OK mpi@ henning@
|
|
|
|
|
|
|
|
|
|
|
| |
- ipip_input() recalculate the IP header checksum if the tos bits
are changed after decapsulation. Otherwise these packets are
dropped later in the stack.
- ip_ecn_egress(): do not drop packets for IPsec if the outter
packet of a Tunnel has the ECN-CE bit set (Congestion Experienced)
and the inner packet does not indicate support ECN.
- remove unused ip6_ecn_ingress(), ip6_ecn_egress() code
ok mikeb@
|
|
|
|
|
|
|
|
|
|
|
| |
where it is not necessary to guess protocols by looking at the first nibble.
in_gif_output() will encapsulate the packet but not send it. Because of
etherip support and the way the bridge works a minimal hack is needed in
gif_start() to ensure that the bridged packets are encapsulated as well.
This actually started with the idea to add MPLS support but that turned out
to be not as simple as in the gre(4) case.
Tested by myself (IP, IPv6, etherip, MPLS), sthen@ (IP, IPv6), naddy (IPv6)
OK sthen@
|
|
|
|
|
|
| |
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
|
|
|
|
|
| |
Found by LLVM/Clang Static Analyzer.
ok krw@ henning@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
|
|
|
|
|
|
|
|
| |
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
|
|
|
|
| |
fixes v6-over-v4 gifs wrt pf chatter about state linking mismatches
ok jsing claudio, tested by Ant La Porte <ant at ukbsd.org>
|
|
|
|
|
| |
do not process v4 headers as v6, 255 TTL + icmp (0x01) = ff01:: suddenly, eww!
debugged with bluhm@, verified by grunk@, ok markus@
|
|
|
|
| |
provide netstat(1) with data it needs; ok claudio reyk
|