summaryrefslogtreecommitdiffstats
path: root/sys/netinet6 (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Clear AUTOCONF6TEMP flag when we detach inet6.florian2021-03-151-3/+3
|
* spellingjsg2021-03-1010-26/+26
| | | | ok gnezdo@ semarie@ mpi@
* We no longer "accept" RAs in the kernel, delete misleading comment.florian2021-03-081-2/+1
|
* Refactor ip_fragment() and ip6_fragment(). Use a mbuf list tobluhm2021-03-013-77/+74
| | | | | | | | | | simplify the handling of the fragment list. Now the functions ip_fragment() and ip6_fragment() always consume the mbuf. They free the mbuf and mbuf list in case of an error and take care about the counter. Adjust the code a bit to make v4 and v6 look similar. Fixes a potential mbuf leak when pf_route6() called pf_refragment6() and it failed. Now the mbuf is always freed by ip6_fragment(). OK dlg@ mvs@
* we don't have to cast to caddr_t when calling m_copydata anymore.dlg2021-02-251-9/+9
| | | | | | | | | | | | | | | | the first cut of this diff was made with coccinelle using this spatch: @rule@ type caddr_t; expression m, off, len, cp; @@ -m_copydata(m, off, len, (caddr_t)cp) +m_copydata(m, off, len, cp) i had fix it's opinionated idea of formatting by hand though, so i'm not sure it was worth it. ok deraadt@ bluhm@
* Use NULL instead of 0 in `m_nextpkt' assignment.mvs2021-02-231-3/+3
| | | | ok deraadt@ dlg@
* Swap faddr/laddr and fport/lport arguments in call to stoeplitz_ipXport().patrick2021-02-111-3/+3
| | | | | | | | | Technically the whole point of the stoeplitz API is that it's symmetric, meaning that the order of addresses and ports doesn't matter and will produce the same hash value. Coverity CID 1501717 ok dlg@
* As done for the AF_INET multicast case, ensure that passed interfaceclaudio2021-02-021-3/+5
| | | | | via index is actually in the right rdomain for the socket. OK bluhm@ mvs@
* KNF, move { up to if () statementclaudio2021-02-021-3/+2
|
* Fix path MTU discovery for ESP tunneled in IPv6. We always wantbluhm2021-02-011-1/+8
| | | | | | | short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. Pass the don't fragment flag down along the stack so that dynamic routes with MTU are created eventually. with and OK markus@; OK tobhe@
* Fix white spaces and wrap long lines.bluhm2021-02-011-41/+38
|
* if stoeplitz is enabled, use it to provide a flowid for tcp packets.dlg2021-01-251-1/+10
| | | | | | | | | | | | | | drivers that implement rss and multiple rings depend on the symmetric toeplitz code, and use it to generate a key that decides with rx ring a packet lands on. if the toeplitz code is enabled, this diff has the pcb and tcp layer use the toeplitz code to generate a flowid for packets they send, which in turn is used to pick a tx ring. because the nic and the stack use the same key, the tx and rx sides end up with the same hash/flowid. at the very least this means that the same rx and tx queue pair on a particular nic are used for both sides of the connection. as the stack becomes more parallel, it will also help keep both sides of the tcp connection processing in the one place.
* Create a path MTU host route for IPsec over IPv6. Basically thebluhm2021-01-114-27/+104
| | | | | | | | | | | | | | | | code is copied from IPv4 and adapted. Some things are changed in v4 to make it look similar. - ip6_forward increases the noroute error counter, do that in ip_forward, too. - Pass more specific sockaddr_in6 to icmp6_mtudisc_clone(). - IPv6 may also use reject routes for IPsec PMTU clones. - To pass a route_in6 to ip6_output_ipsec_send() introduce one in ip6_forward(). That is the same what IPv4 does. Note that dst and sin6 switch roles. - Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send() to make code similar. - Implement dynamic IPv6 IPsec PMTU routes. OK tobhe@
* Mark a layer 2 address as expired by setting the length to 0 when theflorian2021-01-061-1/+3
| | | | | | | | | associated IPv6 NDP entry is invalidated. Otherwise we end up with an INCOMPLETE entry that can't be updated to STALE and REACHABLE by neighbor advertisements and thus interrupting communication. This is the same as arpinvalidate() for IPv4. Guidance bluhm & claudio, fix proposed by claudio OK claudio
* For a while the kerrnel reports EACCES to userland if pf blocks abluhm2020-12-221-3/+3
| | | | | | packet. IPv6 still had the old EHOSTUNREACH code. Use the same errno for dropped IPv6 packets as in IPv4. OK kn@ phessler@ claudio@ florian@ sashan@
* fix typo in log message: inteface -> interfacetb2020-11-261-2/+2
| | | | ok florian
* Replace sysctl_rdint with sysctl_bounded_args entries in net.inet*gnezdo2020-11-161-6/+9
|
* Remove the cases folded into sysctl_bounded_args but left behindgnezdo2020-11-161-13/+1
| | | | divert_sysctl and divert6_sysctl get a tiny bit slimmer.
* Rework source IP address setting.denis2020-11-071-4/+3
| | | | | | | | - Move most of the processing out of rtable.c (reasonnable tb@, ok bluhm@) - Remove memory allocation, store pointer to existing ifaddr - Fix tunnel interface handling looks fine mpi@
* Replace wrong cast with satosin.denis2020-11-051-3/+2
| | | | Advised by bluhm@
* Add feature to force the selection of source IP addressdenis2020-10-291-1/+24
| | | | | | | Based/previous work on an idea from deraadt@ Input from claudio@, djm@, deraadt@, sthen@ OK deraadt@
* When generating the ICMP6 response to an IPv6 packet, the kernelbluhm2020-10-281-8/+9
| | | | | | | could use mbuf memory after freeing it. If m_pullup() allocates a new mbuf, the caller uses the old pointer. found and reported by Maxime Villard, thanks OK claudio@ markus@ denis@
* Convert icmp6_sysct to sysctl_bounded_argsgnezdo2020-09-011-4/+15
| | | | The best-guessed limits will be tested by trial.
* Convert ip6_sysctl to sysctl_bounded_argsgnezdo2020-08-242-62/+22
| | | | Tighter limits and OK by sashan
* Convert divert*_sysctl to sysctl_bounded_argsgnezdo2020-08-242-12/+9
| | | | OK sashan
* No longer prevent TCP connections to IPv6 anycast addresses.florian2020-08-081-3/+1
| | | | | | | | | | | | | | | | | | | | RFC 4291 dropped this requirement from RFC 3513: o An anycast address must not be used as the source address of an IPv6 packet. And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly concluded that TCP connections must be prevented. The draft also states: The proposed method MUST be removed when one of the following events happens in the future: o Restriction imposed on IPv6 anycast address is loosened, so that anycast address can be placed into source address field of the IPv6 header[...] OK jca
* The IPv6 source address selection rewrite had one (known) differenceflorian2020-08-071-2/+33
| | | | | | | | | | | | | | | | | | | | to the previous behavior: In case of a tie the new implementation would keep the current best address while the old implementation replaced the best address. Since IPv6 addresses are stored in a TAILQ this meant that the rewrite would use the "oldest" address while the previous behavior was to use the "newest". RFC 6724 section 5 has no opinion which one is better and leaves the tie break up to implementers. naddy found out the hard way that this breaks his IPv6 connectivity in case of flash renumbering events when the link on his cpe flaps and a new prefix is used since we would always pick an old address. While we could pick the newest address in a tie break this feels too much like an implementation detail, a solution much more in the spirit of IPv6 is to pick the address with the highest preferred lifetime (or valid lifetime in case of another tie). very patient testing naddy@
* Validate input given to ioctl(SIOCAIFADDR_IN6) like NetBSD already does.anton2020-08-041-1/+7
| | | | | | | | | | | | | | | | | | | | | | | | Fixes a bunch of panics reported by syzkaller. ok florian@ Reported-by: syzbot+02f2e07964a89ab65ea4@syzkaller.appspotmail.com Reported-by: syzbot+c26b058a499ce38f689f@syzkaller.appspotmail.com Reported-by: syzbot+62af76d8cb7c09ac017c@syzkaller.appspotmail.com Reported-by: syzbot+d70144b3ae2ec068e318@syzkaller.appspotmail.com Reported-by: syzbot+3c87ca9873bfd0492f5c@syzkaller.appspotmail.com Reported-by: syzbot+323549177062adb80f84@syzkaller.appspotmail.com Reported-by: syzbot+e745c1c29d960337ce14@syzkaller.appspotmail.com Reported-by: syzbot+91da988a445013baf925@syzkaller.appspotmail.com Reported-by: syzbot+747cbcbbed6318542061@syzkaller.appspotmail.com Reported-by: syzbot+ca5efa23e00130bc8000@syzkaller.appspotmail.com Reported-by: syzbot+731ab8c9a0342ace4189@syzkaller.appspotmail.com Reported-by: syzbot+6c80b815a0ff8f09be69@syzkaller.appspotmail.com Reported-by: syzbot+7939d2c4bc9a5dfa707a@syzkaller.appspotmail.com Reported-by: syzbot+e893fb0259640a314d06@syzkaller.appspotmail.com Reported-by: syzbot+b6a3447070ae8ffcb125@syzkaller.appspotmail.com Reported-by: syzbot+23c0824b688f28c79c1b@syzkaller.appspotmail.com Reported-by: syzbot+6cc72412d8ddcf87f8a1@syzkaller.appspotmail.com
* Add missing rtable(4) check in rip6_input()kn2020-08-021-1/+5
| | | | | | | | | | | | | | | | Copied over from sys/netinet/raw_ip.c:rip_input() where it appeared with initial support for multiple routing tables. This enforces separation between multiple raw sockets in different routing tables, i.e. one must not see packets from the other if the rtable differs. Observed with ping6(8)'s "-v" showing all ICMPv6 packets on its raw socket including those produced by another ping6 with "-V1". florian reported IPv6 route advertisments in one routing table appearing on raw sockets in other routing tables as well. OK claudio florian
* Move range check inside sysctl_int_arrgnezdo2020-08-013-28/+18
| | | | | | | Range violations are now consistently reported as EOPNOTSUPP. Previously they were mixed with ENOPROTOOPT. OK kn@
* Rewrite IPv6 source address selection in terms of the 8 rules given inflorian2020-07-281-153/+52
| | | | | | | RFC 6724 section 5. This simplifies the code considerably while extensive testing shows no change in behaviour. It is time to volunteer some more testers. OK denis@ some time ago.
* Copy the right value to fix getsockopt(2) for SO_RTABLE and IPV6_PIPEXkn2020-07-171-3/+3
| | | | | | | | | | | | r1.146 "Enable IPv6 routing domain support" adapted the mtod() line from the IPV6_PIPEX case which was bogus since introduction in r1.118. Issue found by florian, who came up with the same partial diff for SO_RTABLE while working on rdomain aware slaacd(8). Taken from sys/netinet/ip_output.c which does it correctly. OK florian millert
* Rename IN6_IFF_PRIVACY to IN6_IFF_TEMPORARY.florian2020-07-032-9/+9
| | | | | | | | This is the name the other BSDs use for this, there is no reason to be different, the IPv6 RFCs call these addresses temporary, and some software in ports wants to use this as well. Most recently pointed out for firefox by landry. OK claudio, sthen
* Fix two places where carp backup state is misspelled in comments.benno2020-06-301-4/+4
| | | | ok claudio@
* kernel: use gettime(9)/getuptime(9) in lieu of time_second(9)/time_uptime(9)cheloha2020-06-246-35/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | time_second(9) and time_uptime(9) are widely used in the kernel to quickly get the system UTC or system uptime as a time_t. However, time_t is 64-bit everywhere, so it is not generally safe to use them on 32-bit platforms: you have a split-read problem if your hardware cannot perform atomic 64-bit reads. This patch replaces time_second(9) with gettime(9), a safer successor interface, throughout the kernel. Similarly, time_uptime(9) is replaced with getuptime(9). There is a performance cost on 32-bit platforms in exchange for eliminating the split-read problem: instead of two register reads you now have a lockless read loop to pull the values from the timehands. This is really not *too* bad in the grand scheme of things, but compared to what we were doing before it is several times slower. There is no performance cost on 64-bit (__LP64__) platforms. With input from visa@, dlg@, and tedu@. Several bugs squashed by visa@. ok kettenis@
* Don't pass a pointer to an uninitialized variable as plenp tokrw2020-06-221-4/+4
| | | | | | | | | | | | ip6_hopopts(). The value is tested and non-zero values could cause a packet to be discarded. Initialize the pointed at variable to 0, tweaking variable names and associated comments. COVERITY 1453098 ok deraadt@ mpi@
* wireguard can do ipv6, but doesnt do link local addresses.dlg2020-06-211-1/+8
| | | | | | | | | i feel like i should add IFT_L3IPVLAN here so mgre(4) can take advantage of this too. from Matt Dunwoodie and Jason A. Donenfeld ok deraadt@
* Document the various flavors of NET_LOCK() and rename the reader version.mpi2020-05-273-14/+14
| | | | | | | | | | Since our last concurrency mistake only ioctl(2) ans sysctl(2) code path take the reader lock. This is mostly for documentation purpose as long as the softnet thread is converted back to use a read lock. dlg@ said that comments should be good enough. ok sashan@
* Do sanity checks in ip6_pullexthdr() preventing a panic in m_copydata(9).mpi2020-05-061-1/+7
| | | | | | | | | | | | An invalid/corrupted hop6 option in rip6_input()/ip6_savecontrol() could lead m_copydata(9)s' check to trigger a panic. Fix from maxv@NetBSD where the problem was also reported by syzkaller. Reported-by: syzbot+3b07b3511b4ceb8bf1e2@syzkaller.appspotmail.com Reported-by: syzbot+7ee0eb2691d507fcad2e@syzkaller.appspotmail.com ok sashan@, dlg@, claudio@, deraadt@
* Assert that ND6 timer is never set for RTF_LOCAL routes.mpi2020-04-221-1/+2
| | | | | | | | | | | Such routes have a valid link-local entry that should not be overwritten. The current assert in the timeout routine doesn't give enough information to know where the bug is, if there is still one. This should play better with syzkaller. ok claudio@, visa@ as part of a larger diff
* Never update the ND entry (cache) corresponding to a RTF_LOCAL route.mpi2020-04-221-9/+3
| | | | | | | | | Such route correspond to a locally configured address and the ND6 subsystem expect its link-local address to be always present. Fix an issue reported by Julian Brost. ok claudio@, visa@
* Stop processing packets under non-exclusive (read) netlock.mpi2020-04-121-3/+3
| | | | | | | | | | | | Prevent concurrency in the socket layer which is not ready for that. Two recent data corruptions in pfsync(4) and the socket layer pointed out that, at least, tun(4) was incorrectly using NET_RUNLOCK(). Until we find a way in software to avoid future mistakes and to make sure that only the softnet thread and some ioctls are safe to use a read version of the lock, put everything back to the exclusive version. ok stsp@, visa@
* Move ND6_PRIV_* constants from nd6.h to slaacd the only place whereflorian2020-03-281-6/+1
| | | | | | | | | they are used. Nobody in the wider eco system uses these. While here reduce temporary address valid lifetime to 2 days as per draft-ietf-6man-rfc4941bis. This should considerably reduce the amount of addresses configured on an interface - a common complaint. Original diff from Fernando Gont (fernando AT gont.com.ar), thanks! Ports tree scanning by sthen@
* Use strlcpy instead of strncpy to ensure results are NUL terminated.tobhe2020-03-171-3/+3
| | | | ok mpi@
* Guard SIOCDELMULTI if_ioctl calls with KERNEL_LOCK() where the call isvisa2020-03-152-2/+6
| | | | | | | | | | made from socket close path. Most device drivers are not MP-safe yet, and the closing of AF_INET and AF_INET6 sockets is no longer under the kernel lock. This fixes a panic seen by jcs@. OK mpi@
* The loopback check in ip6_input_if() was needless. The ::1 destinationbluhm2019-12-301-7/+1
| | | | | | | | address is in the routing table and will be identified as any other local address. There is no reason to handle ::1 source address special. Better use the generic IPv6 input path. Kame has removed the special code in their revision 1.189 commit. OK sashan@
* fix broken tree. sorry for inconveniences.sashan2019-12-231-3/+3
|
* rdr-to with loopback destination should work even thoughsashan2019-12-231-2/+3
| | | | | | IP forwarding is disabled. Issue reported by Daniel Jakots (danj@) OK bluhm@
* Make sure packet destination address matches interface address,sashan2019-12-082-2/+29
| | | | | | | | | where such packet is bound to. This check is enforced if and only IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
* add __func__ to panic() and printf() calls in sys/netinet6/*nayden2019-11-298-32/+32
| | | | ok benno@ mortimer@
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.