| Commit message (Collapse) | Author | Age | Files | Lines |
|
could get stuck in an endless recursion during TCP path MTU discovery.
Create a dynamic host route in ip_output() that can be used by
tcp_mtudisc() to store the MTU.
Reported by Peter Mueller and Sebastian Sturm
OK claudio@
|
offloading. The checksum must be calculated in software. Use the
same condition in ether_resolve() to send the broadcast packet back
to the stack and in in_ifcap_cksum() to force software checksumming.
This fixes regress/sys/kern/sosplice/loop.
OK procter@
|
kernel make sure that the rdomain of that interface is the same as
the rdomain of the inpcb.
Problem spotted and fix tested by semarie@
OK bluhm@ mvs@
|
short TCP segments or fragments encapsulated in ESP instead of
fragmented ESP packets. Pass the don't fragment flag down along
the stack so that dynamic routes with MTU are created eventually.
with and OK markus@; OK tobhe@
|
struct ip_mreq or a struct ip_mreqn. Using struct ip_mreqn allows to
pass an interface index instead of specifying the multicast interface
via its IP address. This is also the API implemented by Linux and
FreeBSD and should help porting software.
OK bluhm@ phessler@ robert@
|
code is copied from IPv4 and adapted. Some things are changed in
v4 to make it look similar.
- ip6_forward increases the noroute error counter, do that in
ip_forward, too.
- Pass more specific sockaddr_in6 to icmp6_mtudisc_clone().
- IPv6 may also use reject routes for IPsec PMTU clones.
- To pass a route_in6 to ip6_output_ipsec_send() introduce one in
ip6_forward(). That is the same as what IPv4 does. Note
that dst and sin6 switch roles.
- Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send()
to make code similar.
- Implement dynamic IPv6 IPsec PMTU routes.
OK tobhe@
|
struct ip_mreqn allows to use the interface index to select the
interface for multicast packets which makes it possible to use
this with unnumbered interfaces.
OK dlg@ robert@
|
Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject
routes. Otherwise TCP would clone these routes for PMTU discovery.
They will not work, even after dynamic routing has found a better
route than the reject route.
With IPsec the use case is different. First you need a route, but
then the flow handles the packet without routing. Usually this
route should be a reject route to avoid sending unencrypted traffic
if the flow is missing. But IPsec needs this route for PMTU
discovery, so use it for that.
OK claudio@ tobhe@
|
time_second(9) and time_uptime(9) are widely used in the kernel to
quickly get the system UTC or system uptime as a time_t. However,
time_t is 64-bit everywhere, so it is not generally safe to use them
on 32-bit platforms: you have a split-read problem if your hardware
cannot perform atomic 64-bit reads.
This patch replaces time_second(9) with gettime(9), a safer successor
interface, throughout the kernel. Similarly, time_uptime(9) is replaced
with getuptime(9).
There is a performance cost on 32-bit platforms in exchange for
eliminating the split-read problem: instead of two register reads you
now have a lockless read loop to pull the values from the timehands.
This is really not *too* bad in the grand scheme of things, but
compared to what we were doing before it is several times slower.
There is no performance cost on 64-bit (__LP64__) platforms.
With input from visa@, dlg@, and tedu@.
Several bugs squashed by visa@.
ok kettenis@
|
ok bluhm@
|
ok semarie@, visa@
|
This redefines the ifp <-> bridge relationship. No lock can be
currently used across the multiple contexts where the bridge has
tentacles to protect a pointer, use an interface index.
Tested by various, ok dlg@, visa@
|
the mbuf to the next word length as it is required by the standard. Also use
the correct offset from the input mbuf.
OK visa@, input & OK bluhm@
|
of fiddling with the user supplied mbuf and then copy it at the end.
OK visa@
|
a lot easier to read. The if can simply return the error and so the else
branch is no longer needed.
Input and OK dhill@
|
passed to ip_pcbopts could be a cluster and so the size check is all wrong.
found by Greg Steuck; OK bluhm@
Reported-by: syzbot+c2543ae6b6692a5843e3@syzkaller.appspotmail.com
eVS: ----------------------------------------------------------------------
|
userland.
Inputs from markus@, ok sthen@
|
dropped packets in the output path.
While here fix a memory leak when compression is not needed w/ IPcomp.
ok markus@
|
IPv4 we do the same and there are races that trigger it. Increment
the statistics counter for both.
from markus@; OK mpi@
|
The account flag `ASU' will no longer be set but that makes suser()
mpsafe since it no longer messes with a per-process field.
No objection from millert@, ok tedu@, bluhm@
|
forwarding. It should never match and would cause MP locking
problems. While there remove a useless ifp parameter from
ip_output_ipsec_send().
from markus@; OK visa@ sashan@
|
is set.
Accesses to IPsec global data structure are now serialized by the
NET_LOCK().
Tested by many, ok visa@, bluhm@
|
setting IP options.
Issue reported by Kapetanakis Giannis
OK mpi@
|
all the callers to call m_freem(9).
Support from deraadt@ and tedu@, ok visa@, bluhm@
|
currently protected by the NET_LOCK().
They are not accessed in the hot path, so protecting them with a
mutex could be an option. However since we're now going to run
with a NET_LOCK() for some time, assert that it is held.
IPsec is not yet ready to run without KERNEL_LOCK(), so assert it
is held, even in the forwarding path.
Tested by sthen@, ok visa@, claudio@, bluhm@
|
No binary change.
OK mpi@
|
constants.
The consensus is that if both operands are constant, we don't need
mallocarray. Reminded by tedu@
ok deraadt@
|
ok deraadt@
|
ok mpi@ bluhm@
|
the netlock held. This also changes the prototypes of the *ctloutput
functions to take an mbuf instead of an mbuf pointer.
help, guidance from bluhm@ and mpi@
ok bluhm@
|
ok bluhm@, kettenis@
|
domains. This is one step towards supporting to run more than one multicast
socket in different domains at the same time.
ok mpi@
|
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.
This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.
Inputs from and ok bluhm@, ok dlg@
|
blocks have been merged in r1.292.
ok claudio@
|
each counter is identified by an enum value which corresponds to the
original members of the udpstat struct.
udpstat_inc(udps_foo) replaces udpstat.udps_foo++ for the actual
updates. udpstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the udpstat struct for
now.
ok mpi@ mikeb@ deraadt@
|
In order to stop abusing lo0 for all rdomains, a new loopback interface
will be created every time a rdomain is created. The unit number will
be the same as the rdomain, i.e. lo1 will be attached to rdomain 1.
If this loopback interface is already in use it won't be possible to create
the corresponding rdomain.
In order to know which lo(4) interface is attached to a rdomain, its index
is stored in the rtable/rdomain map.
This is long overdue since the introduction of rtable/rdomain. It also
fixes a recent regression due to resetting the rdomain of an incoming
packet reported by semarie@, Andreas Bartelt and Nils Frohberg.
ok claudio@
|
each counter is identified by an enum value which corresponds to the
original members of the ipstat struct.
ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates.
ipstat_inc is a thin wrapper around counters_inc.
counters are still returned to userland via the ipstat struct for now.
ok mpi@ mikeb@
|
A race can happen if a task, like the watchdog, sleeps too long keeping
an ifp reference while the interface is detached. In this case a TCP
timer will try to send packets with a cached route. Since the ifp is
being detached if_get(9) returns NULL.
Found the hard way by awolk@.
ok bluhm@
|
ok mpi@ visa@
|
IP_TTL can be reset by passing -1, IP_MINTTL can be reset by passing 0.
This is consistent with what Linux does and
IPV6_UNICAST_HOPS/IPV6_MINHOPCOUNT.
ok bluhm@
|
instead of EHOSTUNREACH. On the latter, ip_forward can generate undesired
icmp errors - either pf generates those itself (block return), or there
shouldn't be any.
Bizarrely enough, ip_forward has EACCES handling with a comment specifically
pointing to packets blocked by pf, but the code in ip_output used EHOSTUNREACH
from day #1 on.
found & analyzed by Kristof Provost <kp at FreeBSD>, discussed at BSDcan
ok mpi millert
|
packet.
ok visa@, stsp@, sthen@
|
Ok phessler@, henning@
|
is not intended and will behave unexpectedly if the address is
already used in another domain. It did not work anyway, as the PCB
ended in the wrong hash bucket after changing the rtable. Fail
with EBUSY if the socket is already bound and rehash the PCB if its
rtable changes.
input claudio@; OK mpi@
|
work in the forwarding path.
Tested by Hrvoje Popovski, ok dlg@
|
This removes the only use of ETOOMANYREFS in our code, making intro(2)
match reality. No software out there explicitly checks for ETOOMANYREFS
in multicast code.
Discussed with millert@ and mpi@ (who suggested using ENOBUFS)
|
an interface joined a specific multicast group.
ok phessler@, visa@, dlg@
|
ok mikeb@, bluhm@
|