path: root/sys/netinet
Commit message (author, age, files changed, lines -removed/+added)
* [ICMP] IP options lead to malformed reply (sashan, 2021-03-30, 4 files, -9/+53)
  icmp_send() must update IP header length if IP options are appended. Such packet also has to be dispatched with IP_RAWOUTPUT flags. Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com
  OK bluhm@
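An added illustration of the invariant behind this commit, written for this page and not taken from OpenBSD's icmp_send(): once options are inserted between the fixed IPv4 header and the ICMP message, the IHL field, the total length and the header checksum all have to be recomputed, otherwise a receiver with a correct parser either reads the option bytes as the start of the ICMP header or rejects the packet. The function names (ip_append_options, ip_hdr_check, icmp_reply_check), the Record Route option and the RFC 5737 addresses are constructed for the example; the IP_RAWOUTPUT part of the fix has no counterpart here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP_HLEN_MIN 20
#define IP_HLEN_MAX 60      /* IHL is 4 bits of 32-bit words: 15 * 4 */
#define PROTO_ICMP  1

/* RFC 1071 one's complement sum; returns the value to store in ip_sum
 * (and 0 when run over a header whose stored checksum is correct). */
static uint16_t in_cksum(const uint8_t *buf, size_t len)
{
	uint32_t sum = 0;

	while (len > 1) {
		sum += ((uint32_t)buf[0] << 8) | buf[1];
		buf += 2;
		len -= 2;
	}
	if (len)
		sum += (uint32_t)buf[0] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Rewrite IHL, total length and header checksum for a header of hlen bytes. */
static void ip_fix_hdr(uint8_t *pkt, size_t hlen, size_t plen)
{
	size_t total = hlen + plen;
	uint16_t sum;

	pkt[0] = (uint8_t)(0x40 | hlen / 4);
	pkt[2] = (uint8_t)(total >> 8);
	pkt[3] = (uint8_t)total;
	pkt[10] = pkt[11] = 0;
	sum = in_cksum(pkt, hlen);
	pkt[10] = (uint8_t)(sum >> 8);
	pkt[11] = (uint8_t)sum;
}

/* Minimal option-less header in front of plen payload bytes (constructed
 * RFC 5737 addresses, TTL 64). */
size_t ip_build_hdr(uint8_t *pkt, size_t plen)
{
	static const uint8_t src[4] = { 192, 0, 2, 1 }, dst[4] = { 192, 0, 2, 2 };

	memset(pkt, 0, IP_HLEN_MIN);
	pkt[8] = 64;
	pkt[9] = PROTO_ICMP;
	memcpy(pkt + 12, src, 4);
	memcpy(pkt + 16, dst, 4);
	ip_fix_hdr(pkt, IP_HLEN_MIN, plen);
	return IP_HLEN_MIN;
}

/* Insert options between the fixed header and the payload, padded to a
 * 32-bit boundary with EOL (0).  fix_hdr == 0 reproduces the defect the
 * commit describes (IHL, ip_len and checksum left stale); fix_hdr == 1 is
 * the repaired behaviour.  Returns the new header length, or 0 if the
 * options do not fit the 4-bit IHL field. */
size_t ip_append_options(uint8_t *pkt, size_t plen, const uint8_t *opts, size_t optlen, int fix_hdr)
{
	size_t padded = (optlen + 3) & ~(size_t)3;
	size_t hlen = IP_HLEN_MIN + padded;

	if (hlen > IP_HLEN_MAX)
		return 0;
	memmove(pkt + hlen, pkt + IP_HLEN_MIN, plen);
	memcpy(pkt + IP_HLEN_MIN, opts, optlen);
	memset(pkt + IP_HLEN_MIN + optlen, 0, padded - optlen);
	if (fix_hdr)
		ip_fix_hdr(pkt, hlen, plen);
	return hlen;
}

/* The receiver's view: 0 if the header agrees with what is on the wire. */
int ip_hdr_check(const uint8_t *pkt, size_t wire_len)
{
	size_t hlen, total;

	if (wire_len < IP_HLEN_MIN || (pkt[0] >> 4) != 4)
		return -1;
	hlen = (size_t)(pkt[0] & 0x0f) * 4;
	if (hlen < IP_HLEN_MIN || hlen > wire_len)
		return -2;          /* IHL does not cover the options actually present */
	total = ((size_t)pkt[2] << 8) | pkt[3];
	if (total != wire_len)
		return -3;          /* ip_len disagrees with the bytes sent */
	if (in_cksum(pkt, hlen) != 0)
		return -4;          /* checksum no longer matches the header */
	return 0;
}

/* Constructed echo reply (8-byte ICMP header, its checksum not computed:
 * only the IP header is under test) with a 3-byte Record Route option. */
int icmp_reply_check(int fix_hdr)
{
	uint8_t pkt[IP_HLEN_MAX + 8];
	const uint8_t icmp[8] = { 0, 0, 0xff, 0xff, 0, 1, 0, 1 };
	const uint8_t rr[3] = { 7, 3, 4 };    /* type 7, len 3, pointer 4 */
	size_t plen = sizeof icmp, hlen;

	hlen = ip_build_hdr(pkt, plen);
	memcpy(pkt + hlen, icmp, plen);
	hlen = ip_append_options(pkt, plen, rr, sizeof rr, fix_hdr);
	return ip_hdr_check(pkt, hlen + plen);
}
```

With fix_hdr == 0 the packet carries 32 bytes but the header still claims 28 with IHL 5, which is what the receiver rejects (and, had it trusted IHL, it would have read the option bytes 07 03 04 00 as the ICMP type, code and checksum); with fix_hdr == 1 the same bytes verify cleanly.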
* use m_dup_pkthdr in ip_fragment to copy pkthdr info to fragments. (dlg, 2021-03-20, 1 file, -5/+3)
  this ensures more stuff is copied, in particular the flowid information. this is also how v6 does it, which makes things more consistent.
  ok bluhm@
* spelling (jsg, 2021-03-10, 10 files, -23/+23)
  ok gnezdo@ semarie@ mpi@
* use uint64_t ethernet addresses for compares in carp. (dlg, 2021-03-07, 2 files, -15/+14)
  pass the uint64_t that ether_input has already converted from a real ethernet address into carp_input so it can use it without having to do its own conversion.
  tested by hrvoje popovski
  tested by me on amd64 and sparc64
  ok patrick@ jmatthew@
* pass the uint64_t dst ethernet address from ether_input to bridges. (dlg, 2021-03-05, 1 file, -2/+3)
  tested on amd64 and sparc64.
* Refactor ip_fragment() and ip6_fragment(). Use a mbuf list to (bluhm, 2021-03-01, 2 files, -44/+40)
  simplify the handling of the fragment list. Now the functions ip_fragment() and ip6_fragment() always consume the mbuf. They free the mbuf and mbuf list in case of an error and take care of the counter. Adjust the code a bit to make v4 and v6 look similar. Fixes a potential mbuf leak when pf_route6() called pf_refragment6() and it failed. Now the mbuf is always freed by ip6_fragment().
  OK dlg@ mvs@
* add some helpers for working with ethernet addresses as uint64_t (dlg, 2021-02-26, 1 file, -1/+22)
  the main bits are ether_addr_to_e64 and ether_e64_to_addr for loading an ethernet address into a uint64_t and vice versa. there are also some macros for testing if an address in a uint64_t is multicast, broadcast, anyaddr, or if it's an 802.1q reserved multicast group address.
  the reason for this functionality is once you have an ethernet address as a uint64_t, operations like compares, bit tests, and so on are fast and easy.
  tested on amd64 and sparc64
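An added example, written for this page rather than copied from OpenBSD's if_ether.h, of the packed-address idea this commit and the two carp/bridge commits above build on: the six octets go into the low 48 bits of a uint64_t with the first octet most significant, after which the I/G (multicast) test is a single bit mask, broadcast and anyaddr are integer compares, and the 802.1D/802.1Q reserved group range 01:80:c2:00:00:00 to 01:80:c2:00:00:0f is one mask-and-compare. The names (eth_addr_to_e64, eth_e64_is_8021_rsvd, eth_decide), the text parser and the bridge-style decision are my own; the reserved range is the IEEE one but its use here is an assumption about what a bridge filter would check.

```c
#include <stdint.h>

#define ETHER_ADDR_LEN 6

/* Address packed into the low 48 bits, first octet most significant. */
#define ETH_E64_MCAST_BIT  0x010000000000ULL   /* I/G bit: LSB of the first octet */
#define ETH_E64_BCAST      0xffffffffffffULL
#define ETH_E64_ANYADDR    0ULL
#define ETH_E64_INVALID    (~0ULL)             /* not a 48-bit value: parse failure */
/* IEEE 802.1D/802.1Q reserved group range 01:80:c2:00:00:00 .. 01:80:c2:00:00:0f
 * (STP, PAUSE, LLDP ...): link-local control traffic a bridge must not forward. */
#define ETH_E64_8021_BASE  0x0180c2000000ULL
#define ETH_E64_8021_MASK  0xfffffffffff0ULL

uint64_t eth_addr_to_e64(const uint8_t a[ETHER_ADDR_LEN])
{
	uint64_t e = 0;

	for (int i = 0; i < ETHER_ADDR_LEN; i++)
		e = (e << 8) | a[i];
	return e;
}

void eth_e64_to_addr(uint64_t e, uint8_t a[ETHER_ADDR_LEN])
{
	for (int i = ETHER_ADDR_LEN - 1; i >= 0; i--) {
		a[i] = (uint8_t)e;
		e >>= 8;
	}
}

static inline int eth_e64_is_mcast(uint64_t e) { return (e & ETH_E64_MCAST_BIT) != 0; }
static inline int eth_e64_is_bcast(uint64_t e) { return e == ETH_E64_BCAST; }
static inline int eth_e64_is_anyaddr(uint64_t e) { return e == ETH_E64_ANYADDR; }
static inline int eth_e64_is_8021_rsvd(uint64_t e) { return (e & ETH_E64_8021_MASK) == ETH_E64_8021_BASE; }

static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	if (c >= 'a' && c <= 'f') return c - 'a' + 10;
	if (c >= 'A' && c <= 'F') return c - 'A' + 10;
	return -1;
}

/* Parse "xx:xx:xx:xx:xx:xx" straight into the packed form; strict about length. */
uint64_t eth_parse(const char *s)
{
	uint64_t e = 0;

	for (int i = 0; i < ETHER_ADDR_LEN; i++) {
		int hi = hexval(s[0]);
		int lo = hi < 0 ? -1 : hexval(s[1]);   /* never read past a terminator */
		if (lo < 0 || s[2] != (i < ETHER_ADDR_LEN - 1 ? ':' : '\0'))
			return ETH_E64_INVALID;
		e = (e << 8) | (uint64_t)(hi << 4 | lo);
		s += 3;
	}
	return e;
}

/* The kind of per-frame check a bridge makes once both addresses are
 * integers: a handful of compares and masks, no memcmp. */
enum eth_fwd { ETH_FWD_DROP, ETH_FWD_LOCAL, ETH_FWD_FLOOD, ETH_FWD_LOOKUP };

enum eth_fwd eth_decide(uint64_t self, uint64_t src, uint64_t dst)
{
	if (eth_e64_is_mcast(src) || eth_e64_is_anyaddr(src))
		return ETH_FWD_DROP;    /* group or null source address: bogus frame */
	if (eth_e64_is_anyaddr(dst) || eth_e64_is_8021_rsvd(dst))
		return ETH_FWD_DROP;    /* null destination, or link-local control traffic */
	if (dst == self)
		return ETH_FWD_LOCAL;
	if (eth_e64_is_bcast(dst) || eth_e64_is_mcast(dst))
		return ETH_FWD_FLOOD;
	return ETH_FWD_LOOKUP;      /* plain unicast: consult the learning table */
}

/* Sanity check of the two conversions against each other. */
int eth_roundtrip_ok(const char *s)
{
	uint8_t a[ETHER_ADDR_LEN];
	uint64_t e = eth_parse(s);

	if (e == ETH_E64_INVALID)
		return 0;
	eth_e64_to_addr(e, a);
	return eth_addr_to_e64(a) == e;
}
```

The parser refuses short, long and non-hex input rather than zero-filling, so a bad configuration string cannot silently turn into 00:00:00:00:00:00 and match the anyaddr test.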
* we don't have to cast to caddr_t when calling m_copydata anymore. (dlg, 2021-02-25, 4 files, -19/+17)
  the first cut of this diff was made with coccinelle using this spatch:

    @rule@
    type caddr_t;
    expression m, off, len, cp;
    @@
    -m_copydata(m, off, len, (caddr_t)cp)
    +m_copydata(m, off, len, cp)

  i had to fix its opinionated idea of formatting by hand though, so i'm not sure it was worth it.
  ok deraadt@ bluhm@
* Use pool to allocate tdbs. (tobhe, 2021-02-23, 1 file, -3/+12)
  ok patrick@ bluhm@
* As ip_insertoptions() may prepend a mbuf, "goto bad" has to free (bluhm, 2021-02-23, 1 file, -19/+11)
  the new chain. This fixes a potential memory leak in ip_output(). Also simplify a bunch of "goto done".
  OK kn@ mvs@
* Use NULL instead of 0 in `m_nextpkt' assignment. (mvs, 2021-02-23, 1 file, -2/+2)
  ok deraadt@ dlg@
* Swap faddr/laddr and fport/lport arguments in call to stoeplitz_ipXport(). (patrick, 2021-02-11, 1 file, -3/+3)
  Technically the whole point of the stoeplitz API is that it's symmetric, meaning that the order of addresses and ports doesn't matter and will produce the same hash value.
  Coverity CID 1501717
  ok dlg@
* If pf changes the routing table when sending packets, the kernel (bluhm, 2021-02-10, 1 file, -2/+15)
  could get stuck in an endless recursion during TCP path MTU discovery. Create a dynamic host route in ip_output() that can be used by tcp_mtudisc() to store the MTU.
  Reported by Peter Mueller and Sebastian Sturm
  OK claudio@
* Remove maxburst feature from tcp_output (jan, 2021-02-08, 2 files, -6/+3)
  OK bluhm@, claudio@, deraadt@
* Start refcounting interface groups with 1. if_creategroup() returns (bluhm, 2021-02-08, 1 file, -5/+2)
  a new object that is already refcounted, so carp attach does not reach into internal structures. Add kasserts to detect counter overflow or underflow.
  OK mvs@
* Simplex interface sends packet back without hardware checksum (bluhm, 2021-02-06, 1 file, -13/+28)
  offloading. The checksum must be calculated in software. Use the same condition in ether_resolve() to send the broadcast packet back to the stack and in in_ifcap_cksum() to force software checksumming. This fixes regress/sys/kern/sosplice/loop.
  OK procter@
* Turns off the direct ACK on every other segment (jan, 2021-02-03, 1 file, -5/+4)
  The kernel uses a huge amount of processing time for sending ACKs to the sender on the receiving interface. After receiving a data segment, we send out two ACKs. The first one in tcp_input() directly after receiving. The second ACK is sent out after the userland or the sosplice task read some data out of the socket buffer. Thus, we save some processing time and improve network performance.
  Longer tested by sthen@
  OK claudio@
* If IP_MULTICAST_IF or IP_ADD_MEMBERSHIP pass an interface index to the (claudio, 2021-02-02, 1 file, -3/+6)
  kernel make sure that the rdomain of that interface is the same as the rdomain of the inpcb.
  Problem spotted and fix tested by semarie@
  OK bluhm@ mvs@
* Fix path MTU discovery for ESP tunneled in IPv6. We always want (bluhm, 2021-02-01, 1 file, -1/+4)
  short TCP segments or fragments encapsulated in ESP instead of fragmented ESP packets. Pass the don't fragment flag down along the stack so that dynamic routes with MTU are created eventually.
  with and OK markus@; OK tobhe@
* Drop tcp_trace() from SMALL_KERNEL builds to make room on amd64 floppy (visa, 2021-01-28, 1 file, -1/+11)
  OK deraadt@
* if stoeplitz is enabled, use it to provide a flowid for tcp packets. (dlg, 2021-01-25, 3 files, -3/+19)
  drivers that implement rss and multiple rings depend on the symmetric toeplitz code, and use it to generate a key that decides which rx ring a packet lands on. if the toeplitz code is enabled, this diff has the pcb and tcp layer use the toeplitz code to generate a flowid for packets they send, which in turn is used to pick a tx ring. because the nic and the stack use the same key, the tx and rx sides end up with the same hash/flowid. at the very least this means that the same rx and tx queue pair on a particular nic are used for both sides of the connection. as the stack becomes more parallel, it will also help keep both sides of the tcp connection processing in the one place.
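An added example serving this commit and the stoeplitz_ipXport() argument-order commit above; it is example code written for this page, not OpenBSD's stoeplitz implementation, which derives its key differently. It shows the plain RSS Toeplitz hash, checks it against Microsoft's published verification key and vector, and then shows one way to obtain the symmetry both commit messages rely on: a key whose bit pattern repeats every 16 bits (0x6d5a repeated), under which swapping the two 32-bit addresses and the two 16-bit ports leaves the hash, and therefore the ring chosen from it, unchanged. Function names (toeplitz_hash, flow_hash, flow_ring, both_directions_same_ring) and the RFC 5737 client/server pair are constructed; the 0x6d5a key is the commonly cited symmetric RSS key.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RSS_KEY_LEN 40

/* Microsoft's published RSS verification key. */
static const uint8_t rss_key_ms[RSS_KEY_LEN] = {
	0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, 0x41, 0x67,
	0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, 0xd0, 0xca, 0x2b, 0xcb,
	0xae, 0x7b, 0x30, 0xb4, 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30,
	0xf2, 0x0c, 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa,
};

/* A key whose bit pattern repeats every 16 bits.  Swapping the two 32-bit
 * addresses moves each of their bits by 32 positions, swapping the two
 * 16-bit ports moves theirs by 16, and the 32-bit key window at position
 * p equals the window at p + 16k, so both directions XOR the same windows. */
static const uint8_t rss_key_sym[RSS_KEY_LEN] = {
	0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
	0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
	0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
	0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a, 0x6d, 0x5a,
};

/* The 32 key bits starting at bit offset pos, MSB first, zero past the end. */
static uint32_t key_window(const uint8_t *key, size_t keylen, size_t pos)
{
	uint32_t w = 0;

	for (size_t k = pos; k < pos + 32; k++) {
		unsigned bit = 0;
		if (k / 8 < keylen)
			bit = (key[k / 8] >> (7 - k % 8)) & 1;
		w = (w << 1) | bit;
	}
	return w;
}

/* Toeplitz as specified for RSS: XOR the key window at each set input bit,
 * input bits taken MSB first within each byte. */
uint32_t toeplitz_hash(const uint8_t *key, size_t keylen, const uint8_t *in, size_t inlen)
{
	uint32_t h = 0;

	for (size_t i = 0; i < inlen * 8; i++)
		if ((in[i / 8] >> (7 - i % 8)) & 1)
			h ^= key_window(key, keylen, i);
	return h;
}

/* RSS input for IPv4/TCP: src addr, dst addr, src port, dst port, network order. */
uint32_t flow_hash(const uint8_t *key, const uint8_t src[4], const uint8_t dst[4],
    uint16_t sport, uint16_t dport)
{
	uint8_t in[12];

	memcpy(in, src, 4);
	memcpy(in + 4, dst, 4);
	in[8] = (uint8_t)(sport >> 8); in[9] = (uint8_t)sport;
	in[10] = (uint8_t)(dport >> 8); in[11] = (uint8_t)dport;
	return toeplitz_hash(key, RSS_KEY_LEN, in, sizeof in);
}

/* What the nic does on rx and the stack would do on tx: hash modulo ring count. */
unsigned flow_ring(const uint8_t *key, const uint8_t src[4], const uint8_t dst[4],
    uint16_t sport, uint16_t dport, unsigned nrings)
{
	return flow_hash(key, src, dst, sport, dport) % nrings;
}

/* Microsoft's vector: 66.9.149.187:2794 -> 161.142.100.80:1766 gives 0x51ccc178. */
uint32_t ms_vector_hash(void)
{
	const uint8_t s[4] = { 66, 9, 149, 187 }, d[4] = { 161, 142, 100, 80 };

	return flow_hash(rss_key_ms, s, d, 2794, 1766);
}

/* 1 if a constructed client/server connection hashes identically in both
 * directions under key, i.e. both halves land on the same ring pair. */
int both_directions_same_ring(const uint8_t *key, unsigned nrings)
{
	const uint8_t c[4] = { 192, 0, 2, 10 }, srv[4] = { 198, 51, 100, 7 };  /* RFC 5737, constructed */

	return flow_hash(key, c, srv, 49152, 443) == flow_hash(key, srv, c, 443, 49152) &&
	    flow_ring(key, c, srv, 49152, 443, nrings) == flow_ring(key, srv, c, 443, 49152, nrings);
}
```

The symmetry is what makes the argument order in stoeplitz_ipXport() a cosmetic matter for the hash value, and why a nic and a stack that share such a key keep both halves of a connection on one rx/tx pair; a key without that periodic structure, like the Microsoft verification key, gives no such guarantee.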
* carp(4): convert ifunit() to if_unit(9) (mvs, 2021-01-21, 1 file, -3/+6)
  ok dlg@ bluhm@
* add IPPROTO_SCTP, ok claudio@ (sthen, 2021-01-18, 1 file, -1/+2)
* Extend IP_MULTICAST_IF to take either an address (struct in_addr), a (claudio, 2021-01-16, 1 file, -3/+32)
  struct ip_mreq or a struct ip_mreqn. Using struct ip_mreqn allows passing an interface index instead of specifying the multicast interface via its IP address. This is also the API implemented by Linux and FreeBSD and should help porting software.
  OK bluhm@ phessler@ robert@
* As documented in sysctl(2) net.inet.ip.forwarding can be 2. (bluhm, 2021-01-15, 1 file, -3/+3)
  Relax input validation and use integer comparison.
  OK kn@ mvs@ sthen@
* Create a path MTU host route for IPsec over IPv6. Basically the (bluhm, 2021-01-11, 3 files, -5/+7)
  code is copied from IPv4 and adapted. Some things are changed in v4 to make it look similar.
  - ip6_forward increases the noroute error counter, do that in ip_forward, too.
  - Pass more specific sockaddr_in6 to icmp6_mtudisc_clone().
  - IPv6 may also use reject routes for IPsec PMTU clones.
  - To pass a route_in6 to ip6_output_ipsec_send() introduce one in ip6_forward(). That is the same as what IPv4 does. Note that dst and sin6 switch roles.
  - Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send() to make code similar.
  - Implement dynamic IPv6 IPsec PMTU routes.
  OK tobhe@
* Enforce range with sysctl_int_bounded in ipip_sysctl (gnezdo, 2021-01-09, 1 file, -2/+3)
  OK millert@
* Enforce range with sysctl_int_bounded in tcp_sysctl (gnezdo, 2021-01-09, 1 file, -18/+15)
  One case uses the explicit range from the code and the other was inferred from reading the usage.
  OK millert@
* Extend IP_ADD_MEMBERSHIP to also support struct ip_mreqn. (claudio, 2021-01-07, 2 files, -64/+87)
  struct ip_mreqn allows using the interface index to select the interface for multicast packets which makes it possible to use this with unnumbered interfaces.
  OK dlg@ robert@
* - fix use after free, when packet gets dropped. (sashan, 2021-01-04, 1 file, -5/+3)
  patch submitted by Ralf Horstmann from ackstorm.de
  OK dlg@
* Accept reject and blackhole routes for IPsec PMTU discovery. (bluhm, 2020-12-20, 4 files, -10/+13)
  Since revision 1.87 of ip_icmp.c icmp_mtudisc_clone() ignored reject routes. Otherwise TCP would clone these routes for PMTU discovery. They will not work, even after dynamic routing has found a better route than the reject route. With IPsec the use case is different. First you need a route, but then the flow handles the packet without routing. Usually this route should be a reject route to avoid sending unencrypted traffic if the flow is missing. But IPsec needs this route for PMTU discovery, so use it for that.
  OK claudio@ tobhe@
* Make sure the first packet of an SA has sequence number 1 (as described in (tobhe, 2020-12-18, 2 files, -9/+11)
  RFC 4302 and RFC 4303). It seems this was changed by accident when support for 64 bit sequence numbers was added.
  ok bluhm@ patrick@
* Use ESP sequence number as IV for AES-CTR, AES-GCM and Chacha20. (tobhe, 2020-12-16, 1 file, -2/+10)
  This eliminates the risk for IV reuse because of random collisions and increases performance a little.
  ok patrick@ markus@
* Replace sysctl_rdint with sysctl_bounded_args entries in net.inet* (gnezdo, 2020-11-16, 2 files, -8/+11)
* Remove the cases folded into sysctl_bounded_args but left behind (gnezdo, 2020-11-16, 1 file, -13/+1)
  divert_sysctl and divert6_sysctl get a tiny bit slimmer.
* Rework source IP address setting. (denis, 2020-11-07, 1 file, -4/+3)
  - Move most of the processing out of rtable.c (reasonable tb@, ok bluhm@)
  - Remove memory allocation, store pointer to existing ifaddr
  - Fix tunnel interface handling
  looks fine mpi@
* Enable support for ASN1_DN ipsec identifiers. (phessler, 2020-11-05, 1 file, -1/+2)
  Tested with multiple Windows 10 Pro (ver 2004) clients, and OpenBSD+iked as the server.
  OK tobhe@ sthen@ kn@
* Replace wrong cast with satosin. (denis, 2020-11-05, 1 file, -3/+2)
  Advised by bluhm@
* Move TCPCTL_ALWAYS_KEEPALIVE into tcpctl_vars (gnezdo, 2020-11-02, 1 file, -8/+2)
  OK deraadt
* Add feature to force the selection of source IP address (denis, 2020-10-29, 1 file, -1/+25)
  Based/previous work on an idea from deraadt@
  Input from claudio@, djm@, deraadt@, sthen@
  OK deraadt@
* When generating the ICMP6 response to an IPv6 packet, the kernel (bluhm, 2020-10-28, 1 file, -2/+2)
  could use mbuf memory after freeing it. If m_pullup() allocates a new mbuf, the caller uses the old pointer.
  found and reported by Maxime Villard, thanks
  OK claudio@ markus@ denis@
* whitespace (tobhe, 2020-09-22, 1 file, -3/+3)
* Convert *_sysctl in ipsec_input.c to sysctl_bounded_args (gnezdo, 2020-09-01, 5 files, -63/+37)
  The best-guessed limits will be tested by trial.
* Convert icmp6_sysctl to sysctl_bounded_args (gnezdo, 2020-09-01, 1 file, -23/+1)
  The best-guessed limits will be tested by trial.
* Convert divert*_sysctl to sysctl_bounded_args (gnezdo, 2020-08-24, 2 files, -12/+9)
  OK sashan
* Convert icmp_sysctl to sysctl_bounded_args (gnezdo, 2020-08-22, 2 files, -16/+12)
  ... these all look fine, deraadt@
* Convert ip_sysctl to sysctl_bounded_args (gnezdo, 2020-08-22, 2 files, -49/+20)
* Convert udp_sysctl to sysctl_bounded_args (gnezdo, 2020-08-22, 2 files, -15/+9)
* Style fixups from hurried commits (gnezdo, 2020-08-18, 1 file, -6/+6)
  Thanks kettenis@ for pointing out.
  ok kettenis@
* Convert tcp_sysctl to sysctl_bounded_args (gnezdo, 2020-08-18, 2 files, -61/+19)
  This introduces bounds checks for many net.inet.tcp sysctl variables. Folded some fitting cases into the framework: tcp_do_sack, tcp_do_ecn.
  ok deraadt@