summaryrefslogtreecommitdiffstats
path: root/sys/netinet/ip_output.c (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Replace enc(4) with a new implementation as a cloner device. We stillreyk2010-06-291-3/+6
| | | | | | | | | | create enc0 by default, but it is possible to add additional enc interfaces. This will be used later to allow alternative encs per policy or to have an enc per rdomain when IPsec becomes rdomain-aware. manpage bits ok jmc@ input from henning@ deraadt@ toby@ naddy@ ok henning@ claudio@
* Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1claudio2010-05-071-9/+12
| | | | | | | | accept flags for report and nocloning. Move the rtableid into struct route (with a minor twist for now) and make a few more codepathes rdomain aware. Appart from the pf.c and route.c bits the diff is mostly mechanical. More to come... OK michele, henning
* Double and in comment.claudio2010-01-131-2/+2
|
* Allow the queueing of multiple fragments on virtual interfaces with abeck2010-01-121-2/+6
| | | | | | | | | | | queue length of one - i.e. vlans with the forthcoming change from dlg. this allows fragmented frames to be sent on such an interface, hoping that the interface underneath copes correctly - A better fix for this will be forthcoming soon, but this is good enough for now, and will allow the change for vlans to use an ifq length of 1. tested by me and dlg@, ok dlg@, claudio@, deraadt@
* The process's rdomain should be, well, per-process and not per-rthread,guenther2009-12-231-2/+3
| | | | | | | | so put it in struct process instead of struct proc. While at it, move the p_emul member inside struct proc so that it gets copied automatically instead of requiring manual assignment. ok deraadt@
* Two cases of IPSEC getsockopt() returning two bytes of uninitialializedderaadt2009-12-111-1/+3
| | | | kernel stack content instead of proper information; found by Clement LECIGNE
* Add setrdomain() and getrdomain() system calls. Committing now toguenther2009-11-271-2/+7
| | | | | | | | catch the libc major bump per request from deraadt@ Diff by reyk. ok guenther@
* NULL dereference in IPV6_PORTRANGE and IP_IPSEC_*, found by Clement LECIGNE,guenther2009-11-201-2/+2
| | | | | | | localhost DoS everywhere. To help minimize further issues, make the mbuf != NULL test explicit instead of implicit in a length test. Suggestions and initial work by mpf@ and miod@ ok henning@, mpf@, claudio@,
* Packets generated by ip_fragment() need to inherit the rdomain from theclaudio2009-11-131-2/+3
| | | | | original packet or they will trigger the diagnostic check in the interface output routines. OK jsg@
* rtables are stacked on rdomains (it is possible to have multiple routingclaudio2009-11-031-2/+3
| | | | | | | | | | | | | | tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
* *NULL store in IP_AUTH_LEVEL, IP_ESP_TRANS_LEVEL, IP_ESP_NETWORK_LEVEL,deraadt2009-10-281-1/+2
| | | | | | | IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not sparc64), sh, ...) on OpenBSD 4.3 or older ok claudio
* Redo the route lookup in the output (and IPv6 forwarding) path if theclaudio2009-10-061-2/+23
| | | | | | | | | | | | | | | | | | | | | | destination of a packet was changed by pf. This allows for some evil games with rdr-to or nat-to but is mostly needed for better rdomain/rtable support. This is a first step and more work and cleanup is needed. Here a list of what works and what does not (needs a patched pfctl): pass out rdr-to: from local rdr-to local addr works (if state tracking on lo0 is done) from remote rdr-to local addr does NOT work from local rdr-to remote works from remote rdr-to remote works pass in nat-to: from remote nat-to local addr does NOT work from remote nat-to non-local addr works non-local is an IP that is routed to the FW but is not assigned on the FW. The non working cases need some magic to correctly rewrite the incomming packet since the rewriting would happen outbound which is too late. "time to get it in" deraadt@
* Initial support for routing domains. This allows to bind interfaces toclaudio2009-06-051-25/+52
| | | | | | | | | alternate routing table and separate them from other interfaces in distinct routing tables. The same network can now be used in any doamin at the same time without causing conflicts. This diff is mostly mechanical and adds the necessary rdomain checks accross net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6. input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
* When don't-fragment packets need to get fragemnted some code tries toclaudio2009-01-301-2/+3
| | | | | | | | | | update the route specific MTU from the interface (because it could have changed in between). This only makes sense if we actually have a valid route but e.g. multicast traffic does no route lookup and so there is no route at all and we don't need to update anything. Hit by dlg@'s pfsync rewrite which already found 3 other bugs in the network stack and slowly makes us wonder how it worked in the first place. OK mcbride@ dlg@
* Always zero the IP checksum field for packets and packet fragmentsnaddy2009-01-291-10/+7
| | | | | being passed down if using HW checksum offload. From Brad, inspired by NetBSD/FreeBSD. ok markus@
* IP_RECVDSTPORT, allows you to get the destination port of UDP datagramsmarkus2008-05-091-1/+9
| | | | for pf(4) diverted packets; based on patch by Scot Loach; ok beck@
* MALLOC/FREE -> malloc/freechl2007-10-291-7/+6
| | | | ok krw@
* allow 4095 instead of 20 multicast group memberships per socket (you needmarkus2007-09-181-7/+39
| | | | | | one entry for each multicast group and interface combination). this allows you to run OSPF with more than 10 interfaces. adapted from freebsd; ok claudio, henning, mpf
* Remove inm_ifp from struct in_multi -- caching struct ifnet is dangerousclaudio2007-07-201-3/+3
| | | | | | | because interfaces may disappear without notice causing use after free bugs. Instead use the inm_ia->ia_ifp as a hint, struct in_ifaddr correctly tracks removals of interfaces and invalidates ia_ifp in such cases. looks good henning@ markus@
* no need to declare extern ipsec_in_use, we get it via ip_ipsp.hhenning2007-05-301-2/+1
| | | | found by itojun
* gain another 5+% in ip forwarding performance.henning2007-05-291-4/+9
| | | | | | | | | boring details: skip looking for ipsec tags and descending into ip_spd_lookup if there are no ipsec flows, except in one case in ip_output (spotted by markus) where we have to if we have a pcb. ip_spd_lookup has the shortcut already, but there is enough work done before so that skipping that gains us about 5%. ok theo, markus
* -staticdlg2007-05-271-5/+5
| | | | ok reyk@
* do not install pmtu routes for transport mode SAs, as they do notmarkus2006-12-051-2/+11
| | | | the dest IP; PMTU debugging support; ok hshoexer
* rangecheck ttl on IP_TTL, collected dust in my treehenning2006-12-011-2/+5
|
* implement IP_MINTTL socket option fo tcp socketshenning2006-10-111-1/+13
| | | | | | | | This is for RFC3682 aka the TTL security hack - sender sets TTL to 255, receiver checks no router on the way (or, no more than expected) reduced the TTL. carp uses that technique already. modeled after FreeBSD implementation. ok claudio djm deraadt
* implement IP_RECVTTL socket option.henning2006-10-111-1/+10
| | | | | | when set on raw or udp sockets, userland receives the incoming packet's TTL as ancillary data (cmsg shitz). modeled after the FreeBSD implementation. ok claudio djm deraadt
* Add support for equal-cost multipath IP.pascoe2006-06-181-3/+3
| | | | | | | | | | | | | | To minimise path disruptions, this implements recommendations made in RFC2992 - the hash-threshold mechanism to select paths based on source/destination IP address pairs, and inserts multipath routes in the middle of the route table. To enable multipath distribution, use: sysctl net.inet.ip.multipath=1 and/or: sysctl net.inet6.ip6.multipath=1 testing norby@ ok claudio@ henning@ hshoexer@
* Put mrouting enable flag inside the right ifdef. If you change filesderaadt2006-06-061-2/+5
| | | | here, make sure they compile with or without IPSEC, you morons!
* Make savecontrol functions more generic and use them now for raw IP too.claudio2006-05-291-1/+9
| | | | | Additionally add the IP_RECVIF option which returns the interface a packet was received on. OK markus@ norby@
* rename jumbo mtu to if_hardmtu; ok brad reykderaadt2006-05-261-4/+8
|
* Use more queue macros rather than doing it by hand; ok otto@ krw@miod2006-03-051-4/+2
|
* revert unrelated change that snuck into the last commit.brad2006-03-051-2/+2
|
* With the exception of two other small uncommited diffs this movesbrad2006-03-041-2/+2
| | | | | | the remainder of the network stack from splimp to splnet. ok miod@
* Add multicast routing to GENERIC.norby2005-10-051-3/+5
| | | | | | | | | | It is now possible to enable multicast routing in the kernel with the sysctl option net.inet.ip.mforwarding=1 Based on intial work by msf@ help claudio@ ok claudio@ deraadt@
* getsockopt(): allocate a mbuf cluster for large ipsec credentialsmarkus2005-06-101-2/+20
| | | | fixes kernel panic from pr 4252; Stefan Miltchev; ok deraadt@
* Experimental support for opportunitic use of jumbograms where only some hostsmcbride2005-05-271-1/+5
| | | | | | | | | | | | | | on the local network support them. This adds a new socket option, SO_JUMBO, and a new route flag, RTF_JUMBO. If _both_ the socket option is set and the route for the host has RTF_JUMBO set, ip_output will fragment the packet to the largest possible size for the link, ignoring the card's MTU. The semantics of this feature will be evolving rapidly; talk to us if you intend to use it. ok deraadt@ marius@
* csum -> csum_flagsbrad2005-04-251-16/+16
| | | | ok krw@ canacar@
* restrict forwarding to ipsec processed traffic of ip.forwarding==2markus2005-01-041-1/+11
| | | | ok deraadt, henning, fgsch, mcbride
* Add some (ifp != NULL) checks to ip_fragment() so it can be used even if theremcbride2004-11-101-10/+14
| | | | | | | | | is no struct ifnet associated with the outgoing interface of the packet. Necessary for upcoming Protocol Independent Multicast support. From Pavlin Radoslavov ok henning@ djm@ markus@
* Pull the plug on source-based routing until remaining bugs are eradicated.cedric2004-06-221-32/+9
| | | | | No need to reconfig kernel or rebuild userland stuff. requested deraadt@, help beck@
* First step towards more sane time handling in the kernel -- this changestholo2004-06-211-2/+2
| | | | | | | | things such that code that only need a second-resolution uptime or wall time, and used to get that from time.tv_secs or mono_time.tv_secs now get this from separate time_t globals time_second and time_uptime. ok art@ niklas@ nordin@
* Get rid of pf_test_eh() wrapper.mcbride2004-06-211-3/+3
| | | | ok cedric@ henning@
* don't leak ipsec pmtu routes; with mpf@markus2004-06-211-1/+5
|
* extend routing table to be able to match and route packets based oncedric2004-06-061-9/+32
| | | | | | | | their *source* IP address in addition to their destination address. routing table "destination" now contains a "struct sockaddr_rtin" for IPv4 instead of a "struct sockaddr_in". the routing socket has been extended in a backward-compatible way. todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@
* fix size argument to ovbcopy() in ip_pcbopts(), found by Andrei Iltchenkodhartmei2004-05-181-2/+2
| | | | (FreeBSD PR 66386), ok markus@, otto@
* make return-rst work on pure bridges. ok dhartmei@ henning@ mcbride@cedric2004-04-281-2/+11
|
* plug mbuf leak (ip_fragment() always free mbuf on error). tested by cedric,itojun2004-02-101-7/+37
| | | | dhartmei ok
* the previous change caused invalid checksums in some cases (rdr),dhartmei2003-11-061-24/+17
| | | | back it out temporarily, ok cedric@
* There is no point in checking NIC capabilities before calling pf_test(),cedric2003-11-031-17/+24
| | | | | | since pf_test() can drop the packet or route it through another NIC. ok dhartmei@ mcbride@ comment requested by markus@
* correct endian handling of ip->ip_off.itojun2003-10-021-4/+5
| | | | | | do not try to send incomplete fragments on ENOBUFS case (behavior change from 4.4bsd). dhartmei ok
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.