| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
ok sthen claudio dlg
|
| |
|
|
|
|
|
|
| |
currently have, let the call succeede.
Mirrors the same behaviour as setrtable()
OK claudio@
|
| |
|
|
|
| |
support by pipex.
OK henning@, "Carry on" blambert@
|
| |
|
|
|
|
|
|
| |
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
has enough space for all the fragments on it.
this check was snuck in by itojun under an unrelated commit. it broke when
i set the virtual interface send queue depths to 1, which beck had to
special case at n2k10. without this code we avoid these dubious checks
along with another splnet/splx pair, and it should make future work on
manipulating send queues easier.
ive been running this in production since n2k10 (~7months ago).
ok claudio@ henning@ deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
| |
|
|
|
|
|
|
|
| |
are required to detect that.
Change the function to take a wait argument (used in nfs server, but
M_NOWAIT everywhere else for now) and to return an error
ok claudio@ henning@ krw@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
traffic for this SA will appear on the specified enc interface instead
of enc0 and can be filtered and monitored separately. This will allow
to group individual ipsec policies to virtual interfaces and
simplifies monitoring and pf filtering with many ipsec policies a lot.
This diff includes the following changes:
- Store the enc interface unit (default 0) in the TDB of an SA and pass
it to the enc_getif() lookup when running the bpf or pf_test() handlers.
- Add the pfkey SADB_X_EXT_TAP extension to communicate the encX
interface unit for a specified SA between userland and kernel.
- Update enc(4) again to use an allocate array instead of the TAILQ to
lookup the matching enc interface in enc_getif() quickly.
Discussed with many, tested by a few, will need more testing & review.
ok deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
create enc0 by default, but it is possible to add additional enc
interfaces. This will be used later to allow alternative encs per
policy or to have an enc per rdomain when IPsec becomes rdomain-aware.
manpage bits ok jmc@
input from henning@ deraadt@ toby@ naddy@
ok henning@ claudio@
|
| |
|
|
|
|
|
|
| |
accept flags for report and nocloning. Move the rtableid into struct route
(with a minor twist for now) and make a few more codepathes rdomain aware.
Appart from the pf.c and route.c bits the diff is mostly mechanical.
More to come...
OK michele, henning
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
queue length of one - i.e. vlans with the forthcoming change from dlg.
this allows fragmented frames to be sent on such an interface, hoping
that the interface underneath copes correctly - A better fix for this
will be forthcoming soon, but this is good enough for now, and will
allow the change for vlans to use an ifq length of 1.
tested by me and dlg@, ok dlg@, claudio@, deraadt@
|
| |
|
|
|
|
|
|
| |
so put it in struct process instead of struct proc. While at it,
move the p_emul member inside struct proc so that it gets copied
automatically instead of requiring manual assignment.
ok deraadt@
|
| |
|
|
| |
kernel stack content instead of proper information; found by Clement LECIGNE
|
| |
|
|
|
|
|
|
| |
catch the libc major bump per request from deraadt@
Diff by reyk.
ok guenther@
|
| |
|
|
|
|
|
| |
localhost DoS everywhere. To help minimize further issues, make the
mbuf != NULL test explicit instead of implicit in a length test.
Suggestions and initial work by mpf@ and miod@
ok henning@, mpf@, claudio@,
|
| |
|
|
|
| |
original packet or they will trigger the diagnostic check in the interface
output routines. OK jsg@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
| |
|
|
|
|
|
| |
IP_IPCOMP_LEVEL found by Clement LECIGNE, localhost root exploitable on
userland/kernel shared vm machines (ie. i386, amd64, arm, sparc (but not
sparc64), sh, ...) on OpenBSD 4.3 or older
ok claudio
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
destination of a packet was changed by pf. This allows for some evil
games with rdr-to or nat-to but is mostly needed for better rdomain/rtable
support. This is a first step and more work and cleanup is needed.
Here a list of what works and what does not (needs a patched pfctl):
pass out rdr-to:
from local rdr-to local addr works (if state tracking on lo0 is done)
from remote rdr-to local addr does NOT work
from local rdr-to remote works
from remote rdr-to remote works
pass in nat-to:
from remote nat-to local addr does NOT work
from remote nat-to non-local addr works
non-local is an IP that is routed to the FW but is not assigned on the FW.
The non working cases need some magic to correctly rewrite the incomming
packet since the rewriting would happen outbound which is too late.
"time to get it in" deraadt@
|
| |
|
|
|
|
|
|
|
| |
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
| |
|
|
|
|
|
|
|
|
| |
update the route specific MTU from the interface (because it could have
changed in between). This only makes sense if we actually have a valid
route but e.g. multicast traffic does no route lookup and so there is no
route at all and we don't need to update anything.
Hit by dlg@'s pfsync rewrite which already found 3 other bugs in the network
stack and slowly makes us wonder how it worked in the first place.
OK mcbride@ dlg@
|
| |
|
|
|
| |
being passed down if using HW checksum offload.
From Brad, inspired by NetBSD/FreeBSD. ok markus@
|
| |
|
|
| |
for pf(4) diverted packets; based on patch by Scot Loach; ok beck@
|
| |
|
|
| |
ok krw@
|
| |
|
|
|
|
| |
one entry for each multicast group and interface combination). this allows
you to run OSPF with more than 10 interfaces.
adapted from freebsd; ok claudio, henning, mpf
|
| |
|
|
|
|
|
| |
because interfaces may disappear without notice causing use after free bugs.
Instead use the inm_ia->ia_ifp as a hint, struct in_ifaddr correctly tracks
removals of interfaces and invalidates ia_ifp in such cases.
looks good henning@ markus@
|
| |
|
|
| |
found by itojun
|
| |
|
|
|
|
|
|
|
| |
boring details:
skip looking for ipsec tags and descending into ip_spd_lookup if there
are no ipsec flows, except in one case in ip_output (spotted by markus)
where we have to if we have a pcb. ip_spd_lookup has the shortcut already,
but there is enough work done before so that skipping that gains us about
5%. ok theo, markus
|
| |
|
|
| |
ok reyk@
|
| |
|
|
| |
the dest IP; PMTU debugging support; ok hshoexer
|
| | |
|
| |
|
|
|
|
|
|
| |
This is for RFC3682 aka the TTL security hack - sender sets TTL to 255,
receiver checks no router on the way (or, no more than expected) reduced
the TTL. carp uses that technique already.
modeled after FreeBSD implementation.
ok claudio djm deraadt
|
| |
|
|
|
|
| |
when set on raw or udp sockets, userland receives the incoming packet's TTL
as ancillary data (cmsg shitz). modeled after the FreeBSD implementation.
ok claudio djm deraadt
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
To minimise path disruptions, this implements recommendations made in RFC2992 -
the hash-threshold mechanism to select paths based on source/destination IP
address pairs, and inserts multipath routes in the middle of the route table.
To enable multipath distribution, use:
sysctl net.inet.ip.multipath=1
and/or:
sysctl net.inet6.ip6.multipath=1
testing norby@
ok claudio@ henning@ hshoexer@
|
| |
|
|
| |
here, make sure they compile with or without IPSEC, you morons!
|
| |
|
|
|
| |
Additionally add the IP_RECVIF option which returns the interface a packet
was received on. OK markus@ norby@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
the remainder of the network stack from splimp to splnet.
ok miod@
|
| |
|
|
|
|
|
|
|
|
| |
It is now possible to enable multicast routing in the kernel with
the sysctl option net.inet.ip.mforwarding=1
Based on intial work by msf@
help claudio@
ok claudio@ deraadt@
|
| |
|
|
| |
fixes kernel panic from pr 4252; Stefan Miltchev; ok deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
on the local network support them.
This adds a new socket option, SO_JUMBO, and a new route flag,
RTF_JUMBO. If _both_ the socket option is set and the route for the host
has RTF_JUMBO set, ip_output will fragment the packet to the largest
possible size for the link, ignoring the card's MTU.
The semantics of this feature will be evolving rapidly; talk to us
if you intend to use it.
ok deraadt@ marius@
|
| |
|
|
| |
ok krw@ canacar@
|
| |
|
|
| |
ok deraadt, henning, fgsch, mcbride
|
| |
|
|
|
|
|
|
|
| |
is no struct ifnet associated with the outgoing interface of the packet.
Necessary for upcoming Protocol Independent Multicast support.
From Pavlin Radoslavov
ok henning@ djm@ markus@
|
| |
|
|
|
| |
No need to reconfig kernel or rebuild userland stuff.
requested deraadt@, help beck@
|
| |
|
|
|
|
|
|
| |
things such that code that only need a second-resolution uptime or wall
time, and used to get that from time.tv_secs or mono_time.tv_secs now get
this from separate time_t globals time_second and time_uptime.
ok art@ niklas@ nordin@
|
henning
phessler
yasuoka
claudio
dlg
reyk
guenther
blambert
beck
deraadt
naddy
markus
chl
pascoe
miod
brad
norby
mcbride
cedric
tholo