headers, check all lengths before accessing the values.
found by Maxime Villard; from NetBSD; with and OK markus@; OK patrick@
| |
A NULL dereference can happen since processing protocol layer is
deferred to a second task. In other words the NET_LOCK() is released
then regrabbed between ip_input() and carp_proto_input().
The same workaround is already in use in carp_output() due to deferred
processing in case of IPsec.
The real fix is to make carp(4) MP-safe and use if_get(9) there, any
taker?
Found & fix tested by Hrvoje Popovski.
| |
it could run immediately and was not synchronized with the TCP
timeouts, although that was the intention when it was introduced
in revision 1.85. Convert the reaper to an ordinary TCP timeout
so it is scheduled on the same timeout thread after all timeouts
have finished. A net lock is not necessary as the process calling
tcp_close() will not access the tcpcb after arming the reaper
timeout.
OK mikeb@
| |
calling tcp_close(), tcp_drop(), and tcp_disconnect(). Then no
freed memory can be used after closing a TCP connection.
OK mikeb@ mpi@
| |
prints the ATTACH action for TCP debugging sockets correctly.
OK bluhm@
| |
Mark the string variables with TCP debugging names as constant.
OK mpi@
| |
got lost with the pr_detach conversion. While there, remove some
dead code.
OK mpi@
| |
of IFF* flags.
inputs from jmc@, ok bluhm@, visa@
| |
ARP or ND timeout could delete local routes. Put an assert into
arptfree() and nd6_free() so this cannot happen again.
OK mpi@
| |
if_deactivate looked for carp parent interfaces and called carp_ifdetach
to have children interfaces unplug themselves. this diff has the
carp interfaces register detach hooks on the parent instead. the
effect is the same, but using the standard every other interface
uses.
while i'm here i shuffle the order the hooks carp_set_ifp are
established so it will fail if they aren't allocated.
ok visa@ mpi@
| |
ip_carp.c r1.322 removed the ability to receive carp protocol packets
on !IFT_CARP interfaces. however, carppeers cause the carp protocol
packets to be directed to a unicast address on another interface,
which definitely is not mapped back to a carp interface.
this brings back the ability to get carp packets on parent interfaces.
it is a bit different to a backout because it only allows carp
parents to be ethernet interfaces.
mpi@ told me carp regress tests were failing.
| |
previously the driver only cared that a carp interface wasn't configured
as a carpdev. because the code only really works on ethernet, it makes
sense to restrict it.
ok visa@ mpi@
| |
currently carp uses a struct carp_if to hold an srp list head, which
is accessed by both if_carp in struct ifnet, and via the if input
handlers list.
this gets rid of some indirection by making if_carp itself the list
head, rather than a pointer to the list head via a struct carp_if.
it also makes accessing the list consistent by only using if_carp
to get to it.
ok mpi@
| |
carp6_proto_input_if only handles packets "received" on real carp
interfaces, which the ethernet stack goes to a lot of trouble to
provide. since carp assumes ethernet, carp_proto_input_if can assume
the packets will come in right too.
ok mpi@
| |
memory shortage. As it is invoked from a system call, it should
not fail and wait instead.
OK visa@ mpi@
| |
be atomically read from any context.
ok bluhm@, visa@
| |
this makes it like all our other protocol family input functions.
mpls_input always looks up the interface the mbuf was received on,
but it's always called by code that already has a reference to that
interface anyway. the result of this is a few less if_get/if_put
calls.
ok mpi@ bluhm@ visa@ claudio@
| |
or other states more consistent.
OK visa@ sashan@ on a previous version
| |
state as diverted. This is necessary for IP input to accept the
packet as ours. But it must not be used to match the ICMP packet
to a raw socket. Clear the PF_TAG_DIVERTED mbuf pf flag for the
special ICMP and ICMP6 packets in icmp_input_if() and icmp6_input().
The m_tag_delete_chain() caused an inconsistent PF_TAG_DIVERTED
mbuf pf flag and PACKET_TAG_PF_DIVERT mbuf tag which triggered an
assert in rip_input(). Deleting all mbuf tags can have undesired
side effects and is not necessary anymore since icmp_reflect() calls
m_resethdr(). Do not touch the mbuf tags and adjust the mbuf pf
flags for the correct behavior of rip_input() and rip6_input().
reported by Chris Eidem, James Turner, vicviq, Scott Vanderbilt
OK mpi@
| |
The initialization of a secret SHA256 context for generating TCP
initial sequence numbers is moved out of tcp_set_iss_tsm used to
set up ISN for new connections and into tcp_init, sparing the
need for a global flag.
OK deraadt, visa, mpi
| |
is set, pf_find_divert() cannot fail so put an assert there.
Explicitly check all possible divert types, panic in the default
case. For raw sockets call pf_find_divert() before the socket
loop. Divert reply should not match on TCP or UDP listen sockets.
OK sashan@ visa@
| |
security check prevents that the user accidentally configures
redirect where a divert-to would be appropriate. Instead of spreading
the logic into tcp and udp input, check the flag during PCB listen
lookup. This also reduces parameters of in_pcblookup_listen().
OK visa@
| |
OK florian@
| |
divert-to or divert-reply was active. If the address was also set,
it meant divert-to. Divert packet used a separate structure. This
is confusing and makes it hard to add new features. It is better
to have a divert type that explicitly says what is configured.
Adapt the pf rule struct in kernel and pfctl, no functional change.
Note that kernel and pfctl have to be updated together.
OK sashan@
| |
mp-safe.
ok bluhm@, visa@
| |
They have the same functionality since friehm@ cleaned up
balancing code.
ok florian@, visa@, patrick@, bluhm@, jmatthew@
| |
forwarding. It should never match and would cause MP locking
problems. While there remove a useless ifp parameter from
ip_output_ipsec_send().
from markus@; OK visa@ sashan@
| |
to make it symmetric to the addrhook establish which is being done in
carp_clone_create(). This fixes the issue that carp does not recognize
address changes on the carp after an interface has detached, which could
cause issues like carp not recovering or even panics. Unfortunately
there are more bugs lurking in carp.
ok bluhm@
| |
ok bluhm@
| |
This will allow us to get rid of the list.
ok visa@
| |
pr_input handlers without KERNEL_LOCK().
ok visa@
| |
ok visa@ mpi@
| |
ok visa@ mpi@
| |
ok visa@ mpi@
| |
While here, drop the declaration in headers, since the variable is used
in a single file. ok visa@ mpi@
| |
Those functions only handle MPLS-in-IP packets, it makes little sense to
count those as ethernet-in-IP. ok visa@ mpi@
| |
As a result, ip_ether.c now only deals with MPLS-in-IP. The next
commits will move & rename stuff to make this clear. ok visa@ mpi@
| |
gif(4) now depends on etherip(4) but this is a temporary drawback: we
can get rid of etherip_init(), called from the protocol switch, and
ip_ether.c should stop using etherip counters once it is clear that this
file doesn't handle ethernet-in-IP any more.
ok visa@ as part of a larger diff, ok mpi@
| |
ok visa@ as part of a larger diff, ok mpi@
| |
One step needed to completely remove ethernet-in-IP support from gif(4).
No functional changes.
ok visa@ as part of a larger diff, ok mpi@
| |
ok bluhm@, visa@
| |
This will be used to first allow read-only ioctl(2) to be executed while
the softnet taskq is running. Then it will allow us to execute multiple
softnet taskq in parallel.
Tested by Hrvoje Popovski, ok kettenis@, sashan@, visa@, tb@
| |
Input and OK jca@, OK florian@
| |
calls in tcp_input(). When I added this code for socket splicing,
I have missed that they may be called indirectly through functions.
Although not strictly necessary since we have the sosplice thread,
put that flag consistently when we want to prevent that tcp_output()
is called in the middle of tcp_input(). As soisconnected(),
soisdisconnected(), and socantrcvmore() call the wakeup functions
from tcp_input(), set the TF_BLOCKOUTPUT flag around them.
OK visa@
| |
OK bluhm@, mpi@
| |
This is a preliminary step for using percpu counters with the data.
OK mpi@