| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
for localhost connections. discussed with deraadt@
|
| |
|
|
|
|
|
|
| |
use the routing table there's no future for an option that wants to
bypass it. This option has never been implemented for IPv6 anyway,
so let's just remove the IPv4 bits that you weren't aware of.
Tested by florian@, man pages inputs from jmc@, ok benno@
|
| |
|
|
|
|
|
| |
in the base. Ports fixes to follow shortly for the two ports (gkrellm
and net-snmp) affected.
ok zhuk@ millert@
|
| |
|
|
|
|
|
| |
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
| |
|
|
|
| |
instead of 0 for pointers. No binary change.
OK mpi@
|
| |
|
|
|
|
|
|
| |
three different ways. Use the same code in udp_usrreq() and
rip_usrreq() and rip6_usrreq(). This also fixes a pcb and socket
leak in udp_usrreq() in case soreserve() fails. Put an splsoftassert()
into in_pcballoc() for safety.
OK mpi@
|
| |
|
|
| |
OK deraadt@ guenther@
|
| |
|
|
|
|
| |
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@
|
| |
|
|
| |
no objection from mcbride@ krw@ markus@ deraadt@
|
| |
|
|
|
|
| |
1.54.
ok claudio@ sosososo henning@
|
| |
|
|
|
|
| |
The functions were 95% identical anyway. While there use struct pf_addr
in struct pf_divert instead of some union which is the same.
OK bluhm@ mcbride@ and most probably henning@ as well
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
| |
|
|
|
|
| |
This fixes the problem of binding sockets to broadcast IPs in other
rdomains.
OK henning@
|
| |
|
|
|
|
| |
local network boradcast. While there kill some leftover AF_IMPLINK
checks.
OK henning@, sthen@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
confusing because both addresses and broadcast addresses are put
into the tree.
there are two types of local address lookup. the first is when the
socket layer wants a local address, the second is in ip_input when
the kernel is figuring out the packet is for it to process or
forward.
ip_input considers local addresses and broadcast addresses as local,
however, the handling of broadcast addresses is different depending
on whether ip_directedbcast is set. if if ip_directbcast is unset
then a packet coming in on any interface to any of the systems
broadcast addresses is considered local, otherwise the broadcast
packet must exist on the interface it was received on.
the code also needs to consider classful broadcast addresses so we
can continue some legacy applications (eg, netbooting old sparcs
that use rarp and bootparam requests to classful broadcast addresses
as per PR6382). this diff maintains that support, but restricts it
to packets that are broadcast on the link layer (eg, ethernet
broadcasted packets), and it only looks up addresses on the local
interface. we now only support classful broadcast addresses on local
interfaces to avoid weird side effects with packets routed to us.
the ip4 socket layer does lookups for local addresses with a wrapper
around the global address tree that rejects matches against broadcast
addresses. we now no longer support bind sockets to broadcast
addresses, no matter what the value of ip_directedbcast is.
ok henning@
testing (and possibly ok) claudio@
|
| |
|
|
|
| |
There is a massive issue with broadcast addrs because ifa_ifwithaddr()
handles them differently then in_iawithaddr().
|
| |
|
|
|
|
| |
the latter is now much faster and the former becomes a wrapper + compat hacks
around the latter in a bit.
ok dlg sthen and "ah hai" from various in various bars here
|
| |
|
|
|
|
| |
was done earlier for routing sockets.
ok claudio@
|
| |
|
|
|
|
|
|
| |
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
| |
|
|
|
|
|
|
|
| |
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
| |
|
|
| |
ok dlg
|
| |
|
|
| |
ok reyk@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
get hung in nfs_reconnect() because they do not have the proper
privilages to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
|
| |
|
|
|
|
|
|
|
| |
The option allows a socket to be bound to addresses which are not
local to the machine. In order to receive packets for these addresses
SO_BINDANY needs to be combined with matching outgoing pf(4) divert
rules, see pf.conf(5).
ok beck@
|
| |
|
|
| |
makes transparent proxies much easier; ok beck@, feedback claudio@
|
| |
|
|
|
|
|
|
|
| |
get a timestamp of when the datagram was accepted (by udp(4), for
example) rather than having to take a timestamp with gettimeofday(2)
when recv(2) returns - possibly several hundreds of microseconds later.
May be of use to those interested in precision network timing schemes
or QoS for media applications. Tested on alpha, amd64, i386 and sparc64.
manpage suggestions from jmc, ok deraadt
|
| |
|
|
| |
NULL in any case.
|
| |
|
|
|
| |
Additionally add the IP_RECVIF option which returns the interface a packet
was received on. OK markus@ norby@
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
on the local network support them.
This adds a new socket option, SO_JUMBO, and a new route flag,
RTF_JUMBO. If _both_ the socket option is set and the route for the host
has RTF_JUMBO set, ip_output will fragment the packet to the largest
possible size for the link, ignoring the card's MTU.
The semantics of this feature will be evolving rapidly; talk to us
if you intend to use it.
ok deraadt@ marius@
|
| |
|
|
|
|
|
|
| |
Information: http://netweb.usc.edu/pim/
From Pavlin Radoslavov <pavlin@icir.org>
ok deraadt@ brad@
|
| |
|
|
|
| |
From: "Esben Norby (ST/LMD)" <esben.norby@ericsson.com>
ok hshoexer markus millert
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
- sync ip_mroute.c with NetBSD
- import some FreeBSD changes to MFC entry handling
- set im->im_vif correctly when sending IGMPMSG_WRONGVIF
- increment mrtstat.mrts_upcalls correctly
- return error from get_sg_cnt() if there is no matching forwarding entry
ok henning@ brad@ naddy@
|
| | |
|
| | |
|
| |
|
|
| |
(please test, especially PF portion)
|
| |
|
|
| |
rescinded 22 July 1999. Proofed by myself and Theo.
|
| |
|
|
| |
xx_usrreq. henning ok
|
| | |
|
| | |
|
| |
|
|
| |
the ANSI way.
|
| |
|
|
|
|
| |
Instead of using HTONS macro in some places, use htons directly in the
struct member and save us a few bytes.
Fix comment.
|
| | |
|
| | |
|
| | |
|
| | |
|
sthen
mpi
krw
bluhm
benno
dlg
yasuoka
claudio
oga
henning
blambert
guenther
deraadt
jsing
thib
markus
ckuethe
miod
mcbride
itojun
millert
fgsch
angelos