| Commit message (Collapse) | Author | Age | Files | Lines |
| |
With input from Klemens Nanni, OK visa, mpi, bluhm
| |
if_attach() enforces it is properly defined.
| |
ok florian@, claudio@, bluhm@
| |
OK deraadt, mpi, visa, job
| |
ok florian@, claudio@, visa@, bluhm@
| |
off the mbuf properties with m_resethdr(). It is a new packet,
especially M_LOOP indicating that it was running through lo(4)
should be cleared. Use the ph_loopcnt to prevent looping at the
upper end of the stack. Although not strictly necessary in icmp
reflect, it is a good idea to increase and check the counter here,
like in socket splicing.
OK mpi@ sashan@
| |
while packets were being passed to IPsec tasks.
Found the hard way by Hrvoje Popovski.
ok phessler@, claudio@
| |
Put more NET_ASSERT_LOCK() and document which globals it protects.
Add a mutex for pfkeyv2 globals.
Convert ipsp_delete_acquire() to timeout_set_proc().
Tested by Hrvoje Popovski, ok bluhm@ visa@
| |
Exposes per-CPU counters to real parallelism.
ok visa@, bluhm@, jca@
| |
divert-packet. Bring back the loop over the global list to find
the divert socket.
| |
It used a loop over the global list divbtable that would be hard
to make MP safe. The port net/dnsfilter does not work without this,
it should be converted to divert-to. Neither other ports nor base
use this filter feature.
ports checked by sthen@; OK mpi@ benno@
| |
setting IP options.
Issue reported by Kapetanakis Giannis
OK mpi@
| |
This is a common idiom when a list element has been found.
OK visa@ mpi@
| |
route lookup to make it MP safe. Only set the mbuf header fields
that are needed. Validate the name input. Also use the same
variables in IPv4 and IPv6 functions and avoid unnecessary
initialization.
OK mpi@
| |
lookup to make it MP safe. Only set the mbuf header fields that
are needed. Validate the name input.
OK mpi@
| |
Not all of them need the NET_LOCK().
ok bluhm@
| |
ip_local(), ip_slowtimo() and ip_drain() run without KERNEL_LOCK()
and NET_LOCK().
Input and OK mpi@, bluhm@
| |
list traversal with LIST_FOREACH_SAFE().
OK bluhm@, mpi@
| |
all the callers to call m_freem(9).
Support from deraadt@ and tedu@, ok visa@, bluhm@
| |
Problem reported and fix tested by Hrvoje Popovski.
ok bluhm@, visa@
| |
Especially in tcp_usrreq() connect detect the correct address family
based on the inp_flags instead of the sa_family user input.
OK mpi@
| |
Tested by Hrvoje Popovski, ok bluhm@
| |
in common checks for unix, inet, inet6 instead of partial checks
here and there. Some checks are already done at a higher layer,
but better be paranoid with user input.
OK claudio@ millert@
| |
retransmit timeout. Do not run path MTU discovery on local routes
as we never want that on loopback. For permanent ARP or ND entries
disable path MTU discovery as they use the same rt_expire field.
This prevents that permanent routes and entries disappear.
bug analysis friehm@; OK mpi@
| |
We know when pltime or vltime decrease to zero. Run nd6_expire then.
Input & OK mpi, bluhm
| |
The interface congestion algorithm kills performance at this place,
with the large queues it never triggers.
OK mpi@ claudio@
| |
of src/dst ip/port is unique for TCP. But if the socket is not
bound, the automatic bind by connect happens after the check. If
the socket has the SO_REUSEADDR flag, in_pcbbind() may select an
existing local port. Then we had two colliding TCP PCBs. This
resulted in a packet storm of ACK packets on loopback. The softnet
task was constantly holding the netlock and has a high priority,
so the system hung.
Do the in_pcbhashlookup() again after in_pcbbind(). This creates
sporadic "connect: Address already in use" errors instead of a hang.
bug report and testing Olivier Antoine; OK mpi@
| |
kernel that uses it without the #ifdef guard.
OK bluhm
| |
ICMP6_DST_UNREACH_NOTNEIGHBOR is ICMP6_DST_UNREACH_BEYONDSCOPE (RFC
1885 was obsoleted).
sthen grepped the ports sources to make sure nothing uses it.
OK millert, jca
| |
Prompted by a bug report by naddy that IPv6 autoconfiguration is broken
in the installer.
OK mpi, "go for it" deraadt
| |
rtdeletemsg().
ok bluhm@
| |
In the forwarding path, pf_test() is executed w/o KERNEL_LOCK() and
in case of divert end up calling sowakeup(). However selwakeup() and
csignal() are not yet ready to be executed w/o KERNEL_LOCK().
ok bluhm@
| |
introduces a forward decl for socket. turns out the affected file doesn't
need ip_var.h, so remove it. then move the decl to the bottom to prevent
the problem from recurring.
bug report by Nick Briggs
ok mpi
| |
With this we can also get rid of in6_prefix and in6_defrouter. They
are meaningless, the kernel no longer tracks this information.
Pointed out by & OK mpi
| |
OK bluhm@
| |
the inner IP packet into the internet queue. The IPv6 local delivery
code has a loop to deal with header chains. The idea is to use
this loop and avoid the queueing and rescheduling. The IPsec packet
will be processed in a single flow.
Merge the IP deliver loop from both IP versions into a single
ip_deliver() function that can handle both address families. This
allows to process an IP in IP header like a normal extension header.
If af != AF_UNSPEC, we are already in a deliver loop and have the
kernel lock. Then we can just return the next protocol. Otherwise
we enqueue. The dequeue thread has the kernel lock and starts an
IP delivery loop.
OK mpi@
| |
IPsec packets without additional enqueueing.
OK mpi@
| |
buffers.
This is one step towards unlocking TCP input path. Note that all the
functions asserting for the socket lock are not necessarily MP-safe.
All the fields of 'struct socket' aren't protected.
Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures. Logic
and name taken from NetBSD.
Tested by Hrvoje Popovski.
ok claudio@, bluhm@, mikeb@
| |
a TDB from the hash table without actually free()ing it. That way we
can modify the TDB and then put it back in using puttdb().
ok claudio@
| |
to ipip_input_if() and always pass the ifp. Only dump the packet
to bpf if we are called with a gif(4) interface.
OK mpi@
| |
bugs could easily result in use-after-free or double free. Introduce
m_freemp() which automatically resets the pointer before freeing
it. So we have less dangling pointers in the kernel.
OK krw@ mpi@ claudio@
| |
error. Make the ip_mforward() return value consistent. Simplify
the caller logic in ipv6_input() like in IPv4.
OK mpi@
| |
in ipip_input_gif(). This prevents a use-after-free if there is a
bug in the IP input functions.
OK mpi@
| |
try to remove a route from the table if it is an invalid cache.
This is a step towards decoupling code dealing with userland and kernel
inserted routes.
ok bluhm@
| |
aren't protected by the NET_LOCK().
While here change lock assertions in rt_{set,put}gwroute(), the NET_LOCK()
is enough.
Tested by Hrvoje Popovski.
ok jmatthew@, claudio@
| |
IPv4 & IPv6 dispatch functions outside the KERNEL_LOCK().
We currently rely on the NET_LOCK() serializing access to most global
data structures for that. IP input queues are no longer used in the
forwarding case. They still exist as boundary between the network and
transport layers because TCP/UDP & friends still need the KERNEL_LOCK().
Since we do not want to grab the NET_LOCK() for every packet, the
softnet thread will do it once before processing a batch. That means
the L2 processing path, which is currently running without lock, will
now run with the NET_LOCK().
IPsec isn't ready to run without KERNEL_LOCK(), so the softnet thread
will grab the KERNEL_LOCK() as soon as ``ipsec_in_use'' is set.
Tested by Hrvoje Popovski.
ok visa@, bluhm@, henning@