| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
avoid ugly casts.
OK krw@ tedu@
|
| |
|
|
|
|
| |
dhill.
ok krw@, mikeb@, tedu@ (implicit)
|
| |
|
|
|
|
|
|
| |
spliced and routed to loopback. The content of the pf header in
the mbuf was keeping the divert information on its way. Reinitialize
the whole packet header of the mbuf and remove the mbuf tags when
the packet gets spliced.
OK claudio@ markus@
|
| |
|
|
|
|
|
|
|
| |
the pointer to the statekey in the mbuf.
When an UDP socket is spliced, pf would use this key during ip_output()
although the packet went through two sockets in the meantime. Reset
the mbuf's statekey in tcp_input() and udp_input() to eliminate the
pointer to pf lingering in the socket buffers.
OK claudio@
|
| |
|
|
| |
ok yasuoka@
|
| |
|
|
|
|
|
|
| |
(= before divert) destination port of a UDP packet. The way to use
this option is same as IP_RECVDSTPORT.
from UMEZAWA Takeshi
tweaks from jmc; ok henning bluhm
|
| |
|
|
|
|
| |
L2TP packets.
ok markus henning
|
| |
|
|
|
|
|
| |
can use this to select the IPsec tunnel for sending L2TP packets.
this fixes Windows (always binding to 1701) and Android clients
(negotiating wildcard flows); feedback mpf@ and yasuoka@;
ok henning@ and yasuoka@; ok jmc@ for the manpage
|
| |
|
|
|
|
|
|
|
| |
It could not use the destination address properly, so it failed to
find the pipex session. This bug caused LCP keepalive failures on some
clients.
found and tested by sebastia@ and mxb at alumni.chalmers.se.
ok sthen
|
| |
|
|
| |
no objection from mcbride@ krw@ markus@ deraadt@
|
| |
|
|
|
|
|
|
| |
`net.pipex.enable' to enable PIPEX. By default, pipex is disabled
and it will not process packets from wire. Update man pages and
update HOWTO_PIPEX_NPPPD.txt for testers.
discussed with dlg@, ok deraadt@ mcbride@ claudio@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
at least krw@, pirofti@ and todd@ have been seeing panics (todd and krw
with xxxterm not sure about pirofti) involving pool corruption while
using this commit.
krw and todd confirm that this backout fixes the problem.
ok blambert@ krw@, todd@ henning@ and kettenis@
Double link between pf states and sockets. Henning has
already implemented half of it. The additional part is: -
The pf state lookup for outgoing packets is optimized by
using mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket
lookup always is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet
for outgoing connections.
- In case of divert states, delete the state when the socket
closes. Otherwise new connections could match on old
states instead of being diverted to the listen socket.
ok henning@
|
| |
|
|
|
|
|
|
| |
essentially identical; the only difference being that m_pullup2 is
capable of handling mbuf clusters, but called m_pullup for shorter
lengths (!).
testing dlg@ ok claudio@
|
| |
|
|
|
|
| |
This fixes the problem of binding sockets to broadcast IPs in other
rdomains.
OK henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
implemented half of it. The additional part is:
- The pf state lookup for outgoing packets is optimized by using
mbuf->inp->state.
- For incomming tcp, udp, raw, raw6 packets the socket lookup always
is optimized by using mbuf->state->inp.
- All protocols establish the link for incomming packets.
- All protocols set the inp in the mbuf for outgoing packets.
This allows the linkage beginning with the first packet for
outgoing connections.
- In case of divert states, delete the state when the socket closes.
Otherwise new connections could match on old states instead of
being diverted to the listen socket.
ok henning@
|
| |
|
|
| |
ok claudio krw
|
| |
|
|
|
|
| |
was done earlier for routing sockets.
ok claudio@
|
| |
|
|
|
|
|
|
| |
We can use IPv6 address as outer header of L2TP.
Kernel ABI is changed. You must update npppd.
OK @claudio, yasuoka@, dlg@
|
| |
|
|
|
|
|
|
| |
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to run isakmpd/iked/ipsecctl in multiple rdomains
independently (with "route exec"); the kernel will pickup the rdomain
from the process context of the pfkey socket and load the flows and
SAs into the matching rdomain encap routing table. The network stack
also needs to pass the rdomain to the ipsec stack to lookup the
correct rdomain that belongs to an interface/mbuf/... You can now run
individual IPsec configs per rdomain or create IPsec VPNs between
multiple rdomains on the same machine ;). Note that a primary enc(4)
in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1.
Test by some people, mostly on existing "rdomain 0" setups. Was in
snaps for some days and people didn't complain.
ok claudio@ naddy@
|
| |
|
|
|
|
|
|
|
|
|
|
| |
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains. This changes the name of the
system calls, socket option, and ioctl. After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.
Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.
Written by claudio@, criticized^Wcritiqued by me
|
| |
|
|
|
|
| |
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed.
ok deraadt
|
| |
|
|
| |
faith 1", noticed by Andris Kadar. ok kettenis@ beck@
|
| |
|
|
|
|
|
|
| |
needed so that the route and inp lookups done in TCP and UDP know where
to look. Additionally in_pcbnotifyall() and tcp_respond() got a rdomain
argument as well for similar reasons. With this tcp seems to be now
fully rdomain save and no longer leaks single packets into the main domain.
Looks good markus@, henning@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
tables on top of a rdomain) but until now our code was a crazy mix so that
it was impossible to correctly use rtables in that case. Additionally pf(4)
only knows about rtables and not about rdomains. This is especially bad when
tracking (possibly conflicting) states in various domains.
This diff fixes all or most of these issues. It adds a lookup function to
get the rdomain id based on a rtable id. Makes pf understand rdomains and
allows pf to move packets between rdomains (it is similar to NAT).
Because pf states now track the rdomain id as well it is necessary to modify
the pfsync wire format. So old and new systems will not sync up.
A lot of help by dlg@, tested by sthen@, jsg@ and probably more
OK dlg@, mpf@, deraadt@
|
| | |
|
| |
|
|
|
|
|
|
|
| |
alternate routing table and separate them from other interfaces in distinct
routing tables. The same network can now be used in any doamin at the same
time without causing conflicts.
This diff is mostly mechanical and adds the necessary rdomain checks accross
net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6.
input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
|
| |
|
|
| |
checksum offload over IPv6; ok deraadt@
|
| |
|
|
| |
ok claudio@
|
| |
|
|
|
| |
bug with IPv6 in some circumstances. we'll find it one day...
lots of debugging dhill
|
| |
|
|
|
|
|
|
|
|
| |
pcb. the state key ptr in the pcb is the one that had to be used by pf
outbound. but by convention the state key pointer in the pkthdr is the one
used INbound, so pf follows its reverse pointer to find the sk to use,
and since a reverse doesn't exist for locally terminated connections the
reverse pointer is null and thus the whole game a noop.
note that this only affects packets FROM local udp/tcp sockets, for the
other direction everything works as expected.
|
| |
|
|
| |
ok markus, also tested david sthen
|
| |
|
|
|
|
| |
whilst we're here.
ok henning@ deraadt@
|
| |
|
|
| |
ok markus@
|
| |
|
|
|
|
|
| |
take a proc argument, theres no need for these, since
they are just wrappers.
OK claudio@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
get hung in nfs_reconnect() because they do not have the proper
privilages to bind to a socket, by adding a struct proc * argument
to sobind() (and the *_usrreq() routines, and finally in{6}_pcbbind)
and do the sobind() with proc0 in nfs_connect.
OK markus@, blambert@.
"go ahead" deraadt@.
Fixes an issue reported by bernd@ (Tested by bernd@).
Fixes PR5135 too.
|
| | |
|
| |
|
|
| |
for pf(4) diverted packets; based on patch by Scot Loach; ok beck@
|
| |
|
|
| |
makes transparent proxies much easier; ok beck@, feedback claudio@
|
| |
|
|
|
|
|
|
|
| |
get a timestamp of when the datagram was accepted (by udp(4), for
example) rather than having to take a timestamp with gettimeofday(2)
when recv(2) returns - possibly several hundreds of microseconds later.
May be of use to those interested in precision network timing schemes
or QoS for media applications. Tested on alpha, amd64, i386 and sparc64.
manpage suggestions from jmc, ok deraadt
|
| |
|
|
|
|
|
|
| |
change netstat to use them instead of accessing kvm for it. more
protocols will be added later.
discussed with deraadt@ claudio@ gilles@
ok deraadt@
|
| |
|
|
|
|
| |
not get build. the code looks at flags that used to be in mbuf tags, now
they are in the mbuf header, so we can check them unconditionally.
problem spotted by Daniel Roethlisberger <daniel@roe.ch>, ok ryan markus
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
the kernel still handles RFC2292 set/getsockopts, so that compiled binary
has no trouble running. userland sees RFC3542 symbols only on header file
so new code has to use RFC3542 API.
bump libc shlib minor for function additions.
tested on i386/amd64 by jmc, i386 by brad. checked by deraadt.
|
| |
|
|
|
|
| |
SO_REUSEADDR and multicast/broadcast comes into play. Model the ip_savecontrol
handling after the rip_input version which works.
Problem found by Simon Kelley. OK henning@ michele@
|
| |
|
|
|
|
| |
the INET6 code. With this it is possible to use e.g. IP_RECVIF to get the
incomming interface. SOCK_RAW is not affected by this.
Problem found and fixed by Michele 'mydecay' Marchetto. OK markus@
|
| |
|
|
| |
henning@ claudio@ ok
|
| |
|
|
|
| |
Additionally add the IP_RECVIF option which returns the interface a packet
was received on. OK markus@ norby@
|
| |
|
|
|
|
|
|
| |
need to save/restore it.
- inp->inp_laddr should be set _before_ calling pcb_disconnect().
otherwise pcb_disconnect() calls pcb_rehash() with the old laddr.
[ currently this is not a problem since the hash ignores laddr ]
tested by pedro
|
| |
|
|
| |
OK markus@, "looks good" hshoexer@
|
bluhm
mpi
markus
yasuoka
dlg
oga
blambert
claudio
henning
hsuenaga
reyk
guenther
tedu
sthen
naddy
jsing
thib
ckuethe
itojun
pascoe
mpf