| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
i feel like i should add IFT_L3IPVLAN here so mgre(4) can take
advantage of this too.
from Matt Dunwoodie and Jason A. Donenfeld
ok deraadt@
|
| |
|
|
| |
ok mpi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
this follows what's been done for detach and link state hooks, and
makes handling of hooks generally more robust.
address hooks are a bit different to detach/link state hooks in
that there's only a few things that register hooks (carp, pf, vxlan),
but a lot of places to run the hooks (lots of ipv4 and ipv6 address
configuration).
an address hook cookie was in struct pfi_kif, which is part of the
pf abi. rather than break pfctl -sI, this maintains the void * used
for the cookie and uses it to store a task, which is then used as
intended with the new api.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
for IPv6 link local addresses.
Some hosting and VM providers route customer IPv6 prefixes to link
local addresses derived from ethernet MAC addresses (RFC 2464). This
leads to hard to debug IPv6 connectivity problems and is probably not
worth the effort.
RFC 7721 lists 4 weaknesses:
3.1. Correlation of Activities over Time & 3.2. Location Tracking
These are still possible with RFC 7217 addresses for an adversary
connected to the same layer 2 network (think conference wifi). Since
the link local prefix stays the same (fe80::/64) the link local
addresses do not change between different networks.
An adversary on the same layer 2 network can probably track ethernet
MAC addresses via different means, too.
3.3. Address Scanning & 3.4. Device-Specific Vulnerability Exploitation
These now become possible, however, as noted above a layer 2 adversary
was probably able to do this via different means.
People concerned with these weaknesses are advised to use
ifconfig lladdr random.
OK benno
input & OK kn
|
| |
|
|
|
|
|
|
|
|
|
|
| |
this allows mpls interfaces (mpe, mpw) to pass the rdomain they
wish the local label to be in, rather than have it implicitly forced
to 0 by these functions. right now they'll pass 0, but it will soon
be possible to have them rx packets in other rdomains.
previously the functions used ifp->if_rdomain for the rdomain.
everything other than mpls still passes ifp->if_rdomain.
ok mpi@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
MPLS interfaces (ab)use rt_ifa_add for adding the local MPLS label
that they listen on for incoming packets, while every other use of
rt_ifa_add is for adding addresses on local interfaces. MPLS does
this cos the addresses involved are in basically the same shape as
ones used for setting up local addresses.
It is appropriate for interfaces to want RTF_MPATH on local addresses,
but in the MPLS case it means you can have multiple local things
listening on the same label, which doesn't actually work. mpe in
particular keeps track of in use labels to it can handle collisions,
however, mpw does not. It is currently possible to have multiple
mpw interfaces on the same local label, and sharing the same label
as mpe or possible normal forwarding labels.
Moving the RTF_MPATH flag out of rt_ifa_add means all the callers
that still want it need to pass it themselves. The mpe and mpw
callers are left alone without the flag, and will now get EEXIST
from rt_ifa_add when a label is already in use.
ok (and a huge amount of patience and help) mpi@
claudio@ is ok with the idea, but saw a much much earlier solution
to the problem
|
| |
|
|
|
|
|
|
| |
Benno removed code to answer ICMP queries over 4 years ago.
Aham Brahmasmi (aham.brahmasmi AT gmx.com) points out
that we still joined the group though.
OK sthen, bluhm, kn
|
| |
|
|
| |
Reported by and ok sthen@
|
| |
|
|
|
|
|
|
|
|
| |
failes and then later on a in in6_get_ifid() a layer 2 address is
"borrowed" from from another interface.
Do the "borrowing" in in6_get_soii_ifid(), too so that semantically
opaque interface identifiers work for these kind of interfaces, too.
OK phessler, benno
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
tries to "borrow" one from another interface.
But then it checks if the U bit is set int the generated EUI64
address and rejects it.
On the other hand for interfaces that do have a layer 2 address this
check is skipped, so relax it for the "borrowing" case, too.
With this one gets stable link local addresses on e.g. gre(4)
interfaces on certain virtualisation environments depending which mac
addresses get picked for the vio(4) interfaces while previously we
would end up with a random IP on every reboot.
Reported by Aaron A. Glenn via phessler.
OK phessler, benno
|
| |
|
|
| |
OK deraadt@ florian@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
slaacd(8).
RFC 7217 states (section 5, page 9):
| The Interface Identifier is finally obtained by taking as many
| bits from the RID value (computed in the previous step) as
| necessary, starting from the least significant bit.
Problem in slaacd pointed out by semarie@.
OK sthen, phessler
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Interface Identifiers with IPv6 Stateless Address Autoconfiguration."
"An IPv6 address configured using this method is stable within each
subnet, but the corresponding Interface Identifier changes when the
host moves from one network to another. This method is meant to be an
alternative to generating Interface Identifiers based on hardware
addresses."
OK naddy, sthen
|
| |
|
|
|
|
|
|
|
|
|
| |
get_last_resort_ifid() function because eww.
Also if your system is so constraint that you end up in
in6_get_rand_ifid() you don't deserve a random ifid that stays
stable over reboots.
Simplify code a bit since get_ifid() can no longer fail. It couldn't
fail before either because that code path was #if 0'ed.
While here sprinkle in some in6_ prefixes, pointed out by stsp.
OK stsp
|
| |
|
|
|
|
|
|
|
| |
shall all be cleansed.
Remove sending of router solicitations and processing of router
advertisements from the kernel. It's handled by slaacd(8) these days.
Input & OK bluhm@, mpi@
|
| |
|
|
| |
ok visa@
|
| |
|
|
| |
ok visa@
|
| |
|
|
|
|
| |
send traffic to link-local addresses without default route.
Fix a regression reported by Michael Lechtermann, ok stsp@, sthen@
|
| |
|
|
|
|
|
|
|
| |
are not used anymore. This has to be done before any interface
fields become invalid.
As the route delete request cannot call if_get() anymore, pass down
the interface. Split rtrequest_delete() into a separate function
that may take an existing inteface.
OK mpi@
|
| |
|
|
| |
ok bluhm@
|
| |
|
|
|
|
| |
Instead of casts they check wether the incoming object has the
expected type. So introduce satosdl() and sdltosa() in the kernel.
OK mpi@
|
| |
|
|
|
|
| |
stop passing it in every rt_ifa_add(9) calls.
ok claudio@
|
| |
|
|
|
|
|
|
| |
::1 configured before fe80::1.
(lo0:0) in pf should resolve to 127.0.0.1 ::1.
reported by and ok mikeb@
|
| |
|
|
|
|
|
|
| |
Previously loopback connected routes were managed via the global list
of prefixes, which mean that systems with AUTOCONF'd addresses did not
see them in the routing table.
This also makes inet6 route creation coherent with inet.
|
| |
|
|
|
|
|
|
|
| |
AUTOCONF'd addresses.
This prevent the kernel from removing connected (/64) routes as soon as
it configures an AUTOCONF'd address based on a RA.
Tested by sebastia@, ok sthen@
|
| |
|
|
|
|
|
|
|
| |
IN6_IFF_NODAD pseudo-flag not being set.
This was just a flag for spaghetti code that should not exist in the
first place.
Tested by sebastia@, ok sthen@
|
| | |
|
| |
|
|
|
|
| |
structures into a function.
ok florian@
|
| |
|
|
| |
Tweak and ok florian@
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
interface.
Fix a use after free introduced in r1.98 of netinet6/in6.c and recently
exposed by a crazy pool/malloc damage finder being currently refined by
dlg@ and deraadt@.
ok mikeb@, henning@
|
| |
|
|
|
|
|
| |
have any direct symbols used. Tested for indirect use by compiling
amd64/i386/sparc64 kernels.
ok tedu@ deraadt@
|
| |
|
|
|
|
| |
This unify some code and notify userland for free.
blambert@ agrees, ok bluhm@
|
| |
|
|
| |
email.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
interfaces.
When the kernel automagically configures IPv6 addresses on loopback
interfaces, start by assigning a link-local address and then try to
assign "::1".
Only the first configured loopback interface per rdomain can have the
"::1" address. But even if other loopback interfaces failed to get
this address, because it is already taken, give them a chance to have
a link-local address.
While here change in6_ifattach() to return an error value and remove
duplicated code.
Fix a regression introduced by the NOINET6 flag removal.
ok henning@, stsp@, florian@, benno@
|
| |
|
|
|
|
| |
get userland notification for free.
ok blambert@, bluhm@
|
| |
|
|
|
|
|
| |
reflect that IPv6 link-local addresses are no longer automagically
configured the first time an interface is brought up.
ok henning@, stsp@
|
| |
|
|
|
| |
Otherwise clean up code will never run.
OK mpi@, benno@, henning@
|
| |
|
|
|
|
|
|
|
|
|
| |
was enabled by default. Add AFATTACH/AFDETACH ioctls which enable/disable
an address family for an interface (currently used for IPv6 only).
New kernel needs new ifconfig for IPv6 configuration (address assignment
still works with old ifconfig making this easy to cross over).
Committing on behalf of henning@ who is currently lebensmittelvergiftet.
ok stsp, benno, mpi
|
| | |
|
| |
|
|
|
|
| |
interfaces with an IPv6 address.
ok henning@, mikeb@, deraadt@
|
| |
|
|
| |
ok miod@
|
| |
|
|
| |
to include that than rdnvar.h. ok deraadt dlg
|
| |
|
|
|
|
| |
functionnality instead of a mix of enable/disable.
ok bluhm@, jca@
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
processing of router advertisements was already in the kernel.
With this rtsol{,d}(8) is no longer necessary.
The kernel starts sending solicitations with
# ifconfig $IF inet6 autoconf
or
inet6 autoconf
in /etc/hostname.$IF.
input stsp@
much help & OK mpi@
tweaks & OK bluhm@
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
address will be created when the vhid (and MAC) is set. Depending on
the order of the configuration the interface can end up with a ipv6
address, but no v6 link-local and no working neigbor discovery.
Removing this case statement will result in the link-local address
being configured by "ifconfig up" if the inet6 address was configured
before. If you are using inet6 on carp, put an "up" at the end of your
hostname.if. I will work on a better solution at g2k14.
ok henning, mpi
|
| |
|
|
|
|
|
|
|
|
|
|
| |
an interface. Two other operations are performed when issuing a
SIOCDIFADDR{_IN6,} ioctl: call the address hook and the per-driver
ioctl function.
Since carp(4) relies on an address hook to recalculate its hash, make
sure to call this hook when IFXF_NOINET6 is set or when the rdomain is
changed.
ok henning@, mikeb@
|
| | |
|
| |
|
|
|
|
| |
address from the per-ifp list.
Found the hard way by weerd@, florian@ and stsp@, ok florian@
|
florian
dlg
tobhe
mpi
dhill
bluhm
krw
jsg
stsp
tedu
benno