| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
| |
rdomain now and are therefor rdomain save.
OK mpi@
|
| |
|
|
|
|
|
|
|
|
| |
ipsec_{input,output}_cb() so that in the case of sending or receiving a bogus
mbuf (NULL) we don't end up trying to dereference the TDB, while being an
uninitialized pointer, to increase the drops.
Coverity IDs 1473312, 1473313 and 1473317.
OK mpi@ visa@
|
| |
|
|
|
|
| |
userland.
Inputs from markus@, ok sthen@
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
|
|
|
|
|
| |
callbacks to be able to count dropped packet.
Having more generic statistics will help troubleshooting problems
with specific tunnels. Per-TDB counters are coming once all the
refactoring bits are in.
ok markus@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
switches for protocol and address family. Move this code to the
specific functions from where the common function is called.
As a consequence the raw ip input functions can never be called
from udp_input() anymore. If IPsec is disabled, the functions
ah6_input(), esp6_input(), and ipcomp6_input() do not start processing
the header chain. The raw ip input functions are called with the
mbuf and offset pointers from the protocol walking loop which is
the usual behavior.
OK mpi@ markus@
|
| |
|
|
| |
from markus@; OK mpi@
|
| |
|
|
|
|
| |
pr_input handlers without KERNEL_LOCK().
ok visa@
|
| |
|
|
| |
ok bluhm@, visa@
|
| |
|
|
| |
OK bluhm@, mpi@
|
| |
|
|
| |
ok kettenis@, dhill@, visa@, jca@
|
| |
|
|
|
|
| |
Exposes per-CPU counters to real parrallelism.
ok visa@, bluhm@, jca@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the inner IP packet into the internet queue. The IPv6 local delivery
code has a loop to deal with header chains. The idea is to use
this loop and avoid the queueing and rescheduling. The IPsec packet
will be processed in a single flow.
Merge the IP deliver loop from both IP versions into a single
ip_deliver() function that can handle both addresss families. This
allows to process an IP in IP header like a normal extension header.
If af != AF_UNSPEC, we are already in a deliver loop and have the
kernel look. Then we can just return the next protocol. Otherwise
we enqueue. The dequeue thread has the kernel lock and starts an
IP delivery loop.
OK mpi@
|
| |
|
|
|
|
|
| |
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
|
| |
|
|
|
|
|
| |
as the pr_input functions. Add an assert that IPv4 delivery ends
in IP proto done to assure that IPv4 protocol functions work like
IPv6.
OK mpi@
|
| |
|
|
|
| |
and give them better names.
input and OK mikeb@
|
| |
|
|
| |
ok visa@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
they have been decrypted. That means that all the IP header fields
were checked twice. Also fragment reassembly was tried twice.
At pf incoming packets in tunnel mode appeared twice on the enc0
interface, once as IP-in-IP and once as the inner packet. In the
outgoing path pf only sees the inner packet. Asymmetry is bad for
stateful filtering.
IPv6 shows that IPsec works without that. After decrypting immediately
continue with local delivery. In tunnel mode the IP-in-IP protocol
functions pass the inner header to ip6_input(). In transport mode
only pf_test() has to be called for the enc0 device.
Introduce ip_local() to avoid needless processing and cleaner pf
behavior in IPv4 IPsec.
OK mikeb@
|
| |
|
|
|
|
|
| |
early if the IPsec security protocol is unknown. ipsec_common_input()
and ipsec_common_input_cb() can only be called with the IP protocols
ESP, AH, or IPComp. Everything else is a programming mistake.
OK claudio@
|
| |
|
|
|
|
|
|
| |
decrypted packets in the input path were not checked with pf. So
with stateful filtering on enc0, direction aware protocols like
ping or TCP did not pass. Add an explicit pf_test() in
ipsec_common_input_cb() for IPv6 transport mode to fix this.
OK mikeb@
|
| |
|
|
|
| |
kernel. It was only used in IPsec sources. No binary change
OK deraadt@
|
| |
|
|
|
| |
allows to simplify code used for both IPv4 and IPv6.
OK mikeb@ deraadt@
|
| |
|
|
|
|
|
| |
properly aligned and sockaddr_union fields, or with memcpy when
the memory doesn't overlap.
OK bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
forwarding path.
Rename ip6_ours() in ip6_local() as this function dispatches packets
to the upper layer.
Introduce ip6_ours() and get rid of 'goto hbhcheck'. This function
will be later used to enqueue local packets.
As a bonus this reduces differences with IPv4.
Inputs and ok bluhm@
|
| |
|
|
|
|
| |
it in ipsec_common_input_cb() instead. The code that was copied
to ah6_input_cb() is now in ip6_ours() so we can call it directly.
OK mpi@
|
| |
|
|
|
|
| |
asynchronous callbacks. Make the IPsec functions void, there is
already a counter in the error path.
OK mpi@
|
| |
|
|
|
|
|
|
|
| |
Try to follow the existing examples. Some notes:
- don't implement counters_dec() yet, which could be used in two
similar chunks of code. Let's see if there are more users first.
- stop incrementing IPv6-specific mbuf stats, IPv4 has no equivalent.
Input from mpi@, ok bluhm@ mpi@
|
| |
|
|
|
|
|
| |
to get rid of struct ip6protosw and some wrapper functions. It is
more consistent to have less different structures. The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@
|
| |
|
|
|
|
| |
IPv4 pr_ctlinput functions did return a void pointer that was always
NULL and never used. Make all functions void like in the IPv6 case.
OK mpi@
|
| |
|
|
|
|
| |
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@
|
| |
|
|
| |
ok benno@
|
| |
|
|
| |
Tested by Hrvoje Popovski, ok visa@
|
| |
|
|
|
|
| |
the relevant counters.
Ok mikeb@
|
| |
|
|
|
| |
the 3rd argument of in6_recoverscope() and make it return void.
OK dlg@ mikeb@
|
| |
|
|
|
|
|
|
| |
We do not export those per-ifp statistics and they will soon all die.
"We're putting inet6 on a diet" claudio@
ok dlg@, mikeb@, claudio@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
receiving interface in the packet header of every mbuf.
The interface pointer should now be retrieved when necessary with
if_get(). If a NULL pointer is returned by if_get(), the interface
has probably been destroy/removed and the mbuf should be freed.
Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.
Tested by jmatthew@ and krw@, discussed with many.
ok mikeb@, bluhm@, dlg@
|
| | |
|
| |
|
|
| |
ok krw@ miod@
|
| |
|
|
| |
No objection from reyk@, OK markus, hshoexer
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
with niqueues.
this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues id have to add sepearate code paths, one
for ifqueues and one for niqueues in each of these places
by flipping all these input queues at once i can keep the currently
common code common.
testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@
|
| |
|
|
| |
ok markus, hshoexer
|
| |
|
|
|
|
| |
before <net/pfvar.h> or <net/if_pflog.h>. The kernel files can be
cleaned up next. Some sockaddr_union steps make it into here as well.
ok naddy
|
| |
|
|
|
| |
long live the one true internet.
ok henning mikeb
|
| |
|
|
| |
ok mikeb@, krw@, bluhm@, tedu@
|
| |
|
|
| |
ok deraadt@ tedu@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
the various bpf_mtap_* are very similiar, they differ in what (and to some
extent how) they prepend something, and what copy function they pass to
bpf_catchpacket.
use an internal _bpf_mtap as "backend" for bpf_mtap and friends.
extend bpf_mtap_hdr so that it covers all common cases:
if dlen is 0, nothing gets prepended.
copy function can be given, if NULL the default bpf_mcopy is used.
adjust the existing bpf_mtap_hdr users to pass a NULL ptr for the copy fn.
re-implement bpf_mtap_af as simple wrapper for bpf_mtap_hdr.
re-implement bpf_mtap_ether using bpf_map_hdr
re-implement bpf_mtap_pflog as trivial bpf_mtap_hdr wrapper
ok bluhm benno
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid the confusion by using an appropriate name for the variable.
Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:
rtableid = rdomain
But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).
claudio@ likes it, ok mikeb@
|
| | |
|
claudio
mestre
mpi
bluhm
visa
dhill
jca
vgross
mikeb
jsg
dlg
deraadt
tedu
krw
henning