Revision 1.11, Tue Mar 19 03:49:11 2024 UTC (2 months, 2 weeks ago) by dlg
Branch: MAIN
CVS Tags: HEAD
Changes since 1.10: +2 -2 lines
count if_enqueue/ifq_enqueue errors as oqdrops. this helps narrow down where some "output failures" on sec interfaces occur. based on discussion with jason tubnor
Revision 1.10, Wed Jan 24 00:17:01 2024 UTC (4 months, 1 week ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.9: +9 -1 lines
tag packets going out a sec interface to prevent route/encap loops. sec(4) was already looking for this mbuf tag so it could drop packets that had already been sent out on the same interface, but i forgot the code that adds the tag. this was reported by jason tubnor who experienced spins/lockups when using sec and a physical interface was disconnected. rather than being a locking problem like we initially assumed, it turned out that unplugging a physical interface caused a route for ipsec encapsulated traffic to go out over sec(4), causing the packet to loop in the stack. the fix was also tested and verified by jason. sorry for taking so long to look at it.
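The loop guard this commit completes, as an added userland model written for this page (not OpenBSD's if_sec.c): the mbuf tag is represented as a list of interface indexes carried on the packet, sec_output() checks it as the driver already did, and sec_start() adds it as revision 1.10 does; the interface index and the loop bound are constructed values.

```c
#define MAX_TAGS   8
#define LOOP_LIMIT 16	/* constructed bound so the pre-fix model terminates */

/* stand-in for an mbuf: the ifindexes it has already been sent out through */
struct pkt {
	int tags[MAX_TAGS];
	int ntags;
};

/* sec_output(): drop a packet that already left through this interface */
static int sec_output(const struct pkt *m, int ifindex)
{
	for (int i = 0; i < m->ntags; i++) {
		if (m->tags[i] == ifindex)
			return -1;	/* EIO: route/encap loop detected */
	}
	return 0;
}

/* sec_start(): the step missing before 1.10, tag the packet with our ifindex */
static int sec_start(struct pkt *m, int ifindex, int add_tag)
{
	if (!add_tag)
		return 0;	/* pre-1.10: the check exists but no tag is ever added */
	if (m->ntags == MAX_TAGS)
		return -1;
	m->tags[m->ntags++] = ifindex;
	return 0;
}

/*
 * Model the reported fault: the route for the encapsulated traffic points back
 * at sec0, so each packet re-enters sec_output. Returns the pass on which the
 * packet was dropped, or -1 if it hits LOOP_LIMIT (the spin seen in the kernel).
 */
int simulate_loop(int fix_applied)
{
	struct pkt m = { .ntags = 0 };
	const int sec0 = 7;	/* constructed ifindex */

	for (int pass = 1; pass <= LOOP_LIMIT; pass++) {
		if (sec_output(&m, sec0) != 0)
			return pass;
		if (sec_start(&m, sec0, fix_applied) != 0)
			return pass;
		/* ipsec encapsulation and ip_output route it straight back */
	}
	return -1;
}
```

Without the tag the packet never trips the check and cycles until the bound; with it, the second pass through sec_output drops it.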
Revision 1.9, Sat Dec 23 10:52:54 2023 UTC (5 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.8: +2 -1 lines
Backout always allocate per-CPU statistics counters for network interface descriptor. It panics during attach of em(4) device at boot.
Revision 1.8, Fri Dec 22 23:01:50 2023 UTC (5 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.7: +1 -2 lines
Always allocate per-CPU statistics counters for network interface descriptor. We have a mess in network interface statistics. Only pseudo drivers do per-CPU counters allocation, all other network devices use the old `if_data'. The network stack partially uses per-CPU counters and partially uses `if_data', but the protection is inconsistent: sometimes counters are accessed with exclusive netlock, sometimes with shared netlock, sometimes with kernel lock, but without netlock, sometimes with other locks. To make network interface statistics more consistent, always allocate per-CPU counters at interface attachment time and use them instead of `if_data'. At this step only move counters allocation to the if_attach() internals. The `if_data' removal will be performed with the following diffs to make review and tests easier. ok bluhm
Revision 1.7, Tue Aug 15 09:46:30 2023 UTC (9 months, 2 weeks ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.6: +11 -1 lines
scrub the mbuf flowid for packets going out a sec interface. maybe ipsec should do this for all packets it encapsulates. tested by hrvoje
Revision 1.6, Tue Aug 15 02:31:07 2023 UTC (9 months, 2 weeks ago) by dlg
Branch: MAIN
Changes since 1.5: +7 -1 lines
sec_start needs to show bpf the packets going out. from and ok goda@ requested by many
Revision 1.5, Fri Aug 11 02:34:56 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.4: +10 -6 lines
better support queuing (hfsc) on sec(4)
Revision 1.4, Wed Aug 9 02:08:14 2023 UTC (9 months, 3 weeks ago) by jsg
Branch: MAIN
Changes since 1.3: +3 -18 lines
remove some unneeded includes ok dlg@
Revision 1.3, Tue Aug 8 10:19:15 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.2: +6 -1 lines
if sec is being destroyed, prevent it from being brought up again.
Revision 1.2, Tue Aug 8 10:14:29 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
Changes since 1.1: +27 -5 lines
try to avoid a deadlock between sec_down and sec_send. sec_send runs in the systq (because it calls ipsec stuff which uses crypto, which is not mpsafe) and takes the net lock (because ipsec output calls ip_output and other stuff). sec_down is called with NET_LOCK held and tries to run a barrier for the send task. if the send task is running but is waiting for the net lock while sec_down is holding the net lock while waiting for the task to finish, we're deadlocked. this copies the sc_up thing from pfsync, which hopefully avoids this. pointed out by mvs@
Revision 1.1, Mon Aug 7 01:57:33 2023 UTC (9 months, 3 weeks ago) by dlg
Branch: MAIN
add sec(4) to support route based ipsec vpns. ipsec security associations (SAs, aka tdbs inside the kernel) can now specify that they're to be used with an interface (using TDBF_IFACE) rather than the ipsec security policy database. sec(4) is the driver providing that interface. the name is specifically chosen to not be ipsec(4) because that's already taken by the manpage for the ipsec stack generally. sec(4) is short, easy to type and pronounce, and kind of sounds like ipsec anyway. the names for this type of interface on other platforms seem to be universally terrible and too generic, so i didn't want to copy any of those either. sec(4) can be considered equivalent to gif(4) protected by ipsec, and on the wire it actually looks the same. sec(4) exists to better support how security associations for route-based ipsec VPNs are negotiated and to avoid SPD entries for them. the code is a little green, but i'm putting it in now so it can be hacked on in the tree. support from many including markus@ tobhe@ claudio@ sthen@ patrick@ now is a good time deraadt@