| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
of incoming IPv4 packets with the SSRR or LSRR header option in
a m_tag rather than in a single static entry.
Use a new m_tag type, PACKET_TAG_SRCROUTE, for this and bump
PACKET_TAG_MAXSIZE accordingly.
Adapted from FreeBSD r135274 with inputs from bluhm@.
ok bluhm@, mikeb@
|
| |
|
|
|
|
|
|
| |
of the IPL_NET. pf_test should be no longer called under IPL_NET as
well. The problem became evident after the related issue was brought
up by David Hill <dhill at mindcry ! org>.
With input from and OK mpi. Tested by David and me.
|
| |
|
|
|
|
| |
a flag. Rename the variable inpl_flags in tcp_input() to inpl_reverse
like in udp_input(). No binary change.
OK mikeb@
|
| |
|
|
|
| |
structure is zeroed out before use. From David Hill <dhill at
mindcry ! org>; ok blambert claudio henning
|
| |
|
|
|
|
| |
dropped by IPsec security policy.
input from and ok mikeb
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
was only done when a packet traveled up the stack from pf to
tcp_input(). Now also link the state and inpcb when the packet is
going down from tcp_output() to pf. As a consequence, divert-reply
states where the initial SYN does not get an answer, can be handled
more correctly.
This change is part of a larger diff that has been backed out in
2011. Bring the feature back in small steps to see when bad things
start to happen.
OK henning deraadt
|
| |
|
|
|
| |
into one block.
OK mpi@
|
| |
|
|
|
|
|
| |
move them to the corresponding header with an appropriate comment if
necessary.
ok guenther@
|
| |
|
|
|
| |
instead of 0 for pointers. No binary change.
OK mpi@
|
| |
|
|
|
| |
avoid ugly casts.
OK krw@ tedu@
|
| |
|
|
|
| |
slipped by on i386, but the zaurus doesn't automagically pick it up.
spotted by patrick
|
| |
|
|
|
|
| |
dhill.
ok krw@, mikeb@, tedu@ (implicit)
|
| |
|
|
|
|
|
|
|
| |
the pointer to the statekey in the mbuf.
When an UDP socket is spliced, pf would use this key during ip_output()
although the packet went through two sockets in the meantime. Reset
the mbuf's statekey in tcp_input() and udp_input() to eliminate the
pointer to pf lingering in the socket buffers.
OK claudio@
|
| |
|
|
| |
ok claudio
|
| |
|
|
|
|
|
| |
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
| |
|
|
|
|
| |
draft-ietf-tcpm-initcwnd. net.inet.tcp.rfc3390 defaults to 2 now which
uses the 10*MSS, setting it back to 1 brings back the old default of 4*MSS.
OK sperreault@, henning@, sthen@, markus@
|
| |
|
|
|
|
| |
IPv6.
ok claudio@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
| |
|
|
|
|
|
|
|
| |
are dropped and when normal program flow occurs.
Change error return value of syn_cache_add() from 0 to -1 in order
to clearly communicate intent.
ok claudio@
|
| |
|
|
|
|
|
|
| |
regardless of the rdomain the packet was received on. Explicitly
pass the rdomain to the tcp_respond() monstrosity to compensate
for said monstricism which led to this behavior.
ok claudio@
|
| |
|
|
|
|
| |
This fixes the problem of binding sockets to broadcast IPs in other
rdomains.
OK henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
| |
|
|
|
| |
of a connection originator. this allows one to query the source rdomain
with a SO_RTABLE socket option. figured out with reyk, ok claudio.
|
| |
|
|
|
|
| |
testing tcp flags.
ok henning@ claudio@
|
| |
|
|
|
|
| |
on amd64
ok claudio@
|
| |
|
|
|
|
|
|
| |
in order to skip most of the reassembly logic and try to flush
available tcp segments to the socket, just split it off into its
own function and use it where appropriate.
ok claudio@ henning@
|
| |
|
|
|
|
| |
no change in .o md5
"ok gcc" claudio@
|
| |
|
|
|
|
|
| |
The data received on the source socket will automatically be sent
on the drain socket. This allows to write relay daemons with zero
data copy.
ok markus@
|
| |
|
|
|
| |
socket from the information we have in the syncache. Also bzero() the
tcpcb that is passed to tcp_dooptions() just to be sure.
|
| |
|
|
|
|
| |
A session must stick to the rscale factor sent out in the SYN packet.
Remove the bogus tcp_rscale() call which is done after a full established
session is returned from the syncache.
|
| |
|
|
|
|
|
| |
reason to reduce the amount of ACKs sent and delayed ACKs have a very bad
interaction with the large MTU of lo(4) and the fairly small socketbuffer
size. In collaboration with andre@freebsd.
OK deraadt@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Send buffer is scaled by not accounting unacknowledged on the wire
data against the buffer limit. Receive buffer scaling is done similar
to FreeBSD -- measure the delay * bandwith product and base the
buffer on that. The problem is that our RTT measurment is coarse
so it overshoots on low delay links. This does not matter that much
since the recvbuffer is almost always empty.
Add a back pressure mechanism to control the amount of memory
assigned to socketbuffers that kicks in when 80% of the cluster
pool is used.
Increases the download speed from 300kB/s to 4.4MB/s on ftp.eu.openbsd.org.
Based on work by markus@ and djm@.
OK dlg@, henning@, put it in deraadt@
|
| |
|
|
|
|
| |
timingsafe_bcmp().
ok deraadt@; committed over WPA.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
| |
|
|
| |
faith 1", noticed by Andris Kadar. ok kettenis@ beck@
|
| |
|
|
|
|
| |
With input from oga@ and krw@
ok oga@ krw@ thib@ markus@ mk@
|
| |
|
|
|
|
|
|
| |
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
| |
|
|
| |
no binary change; ok grunk@
|
| |
|
|
|
|
|
| |
therefore. Inherit the rdomain through the syncache.
There are some interactions that need some more work (ctlinput) so this
can be improved but is good enough for now.
OK markus@
|
| |
|
|
|
|
|
|
|
| |
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
| |
|
|
| |
checksum offload over IPv6; ok deraadt@
|
| |
|
|
|
|
|
| |
M_ANYCAST6 was only used to signal tcp6_input() that it should drop the
packet and send back icmp error. This can be done in ip6_input() without
the need for a mbuf flag. Gives us back one slot in m_flags for possible
future need. Looked at and some input by naddy@ and henning@. OK dlg@
|
| |
|
|
| |
definitely not at will.
|
| |
|
|
|
|
|
| |
happens with IPv6 TCP traffic, until a better fix is found.
patch from henning@
proded by deraadt@
|
| |
|
|
|
|
|
|
|
| |
TIME_WAIT socket recycling code to redo the pcb lookup w/out
resetting the inp pointer. Therefore we used the stale pcb,
which leads us to reply with a RST to SYNs received on TIME_WAIT
sockets. Also move the findpcb label below the pf pcb cache lookup,
to avoid using a stale pcb when the caching code gets activated.
OK markus@, henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
when we first do a pcb lookup and we have a pointer to a pf state key
in the mbuf header, store the state key pointer in the pcb and a pointer
to the pcb we just found in the state key. when either the state key
or the pcb is removed, clear the pointers.
on subsequent packets inbound we can skip the pcb lookup and just use the
pointer from the state key.
on subsequent packets outbound we can skip the state key lookup and use
the pointer from the pcb.
about 8% speedup with 100 concurrent tcp sessions, should help much more
with more tcp sessions.
ok markus ryan
|
| |
|
|
|
|
| |
whilst we're here.
ok henning@ deraadt@
|
| |
|
|
| |
ok markus@ henning@
|
mpi
mikeb
bluhm
yasuoka
tedu
henning
markus
claudio
haesbaert
oga
blambert
matthew
reyk
guenther
sthen
chl
naddy
dhill
mpf
jsing