OpenBSD CVS

CVS log for src/sys/netinet/ip_divert.c


Default branch: MAIN


Revision 1.95 / (download) - annotate - [select for diffs], Tue Mar 5 09:45:13 2024 UTC (3 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5, HEAD
Changes since 1.94: +14 -14 lines
Diff to previous 1.94 (colored)

Validate IPv4 packet options in divert output.

When sending raw packets over divert socket, IP options were not
validated.  Fragment code tries to copy them and crashes.  Raw IP
output has a similar feature, but uses rip_chkhdr() to prevent
invalid packets from userland.  Call this function also from
divert_output() for strict user input validation.

Reported-by: syzbot+b1ba3a2a8ef13e5b4698@syzkaller.appspotmail.com
OK dlg@ deraadt@ mvs@
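The kind of user-input check this commit describes, as an added example written for this log and not OpenBSD's rip_chkhdr() code: a byte-level IPv4 header and option-list validation of the sort a raw or divert output path needs before anything copies the options. All names ending in _ex, the constructed packets and the constructed option areas are this example's own; EOL (0) and NOP (1) are the standard IPv4 option type values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenBSD's rip_chkhdr(). Names ending in _ex are local
 * to this example; EOL (0) and NOP (1) are the standard IPv4 option types. */
#define IPV4_MIN_HLEN_EX 20
#define IPV4_MAX_OPTS_EX 40
#define IPOPT_EOL_EX     0
#define IPOPT_NOP_EX     1

enum ip_check_ex {
    IP_OK_EX = 0,
    IP_ERR_SHORT_EX,    /* fewer bytes than the fixed 20-byte header */
    IP_ERR_VERSION_EX,  /* version nibble is not 4 */
    IP_ERR_HLEN_EX,     /* IHL below 5, or header longer than the data */
    IP_ERR_TOTLEN_EX,   /* ip_len shorter than header or longer than data */
    IP_ERR_OPTION_EX    /* option list cannot be walked safely */
};

/* Walk the option area. EOL ends the list and NOP is a single byte; every
 * other option carries a length byte that must be at least 2 and must keep
 * the option inside the header. Code that later copies the options (the
 * fragmentation path, for instance) trusts exactly these bounds. */
static int ip_options_ok_ex(const uint8_t *opt, size_t optlen)
{
    size_t off = 0;
    while (off < optlen) {
        uint8_t type = opt[off];
        if (type == IPOPT_EOL_EX)
            return 1;               /* remaining bytes are padding */
        if (type == IPOPT_NOP_EX) {
            off++;
            continue;
        }
        if (off + 1 >= optlen)      /* no room for the length byte */
            return 0;
        uint8_t len = opt[off + 1];
        if (len < 2 || off + len > optlen)
            return 0;
        off += len;
    }
    return 1;
}

/* Validate a user-supplied IPv4 packet of len bytes before the stack uses
 * its header. The header checksum is not checked here: on the output path
 * the stack recomputes it anyway. */
enum ip_check_ex ip_hdr_check_ex(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < IPV4_MIN_HLEN_EX)
        return IP_ERR_SHORT_EX;
    if ((pkt[0] >> 4) != 4)
        return IP_ERR_VERSION_EX;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IPV4_MIN_HLEN_EX || hlen > len)
        return IP_ERR_HLEN_EX;
    size_t totlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (totlen < hlen || totlen > len)
        return IP_ERR_TOTLEN_EX;
    if (!ip_options_ok_ex(pkt + IPV4_MIN_HLEN_EX, hlen - IPV4_MIN_HLEN_EX))
        return IP_ERR_OPTION_EX;
    return IP_OK_EX;
}

/* Build a constructed header-only IPv4 packet (10.0.0.1 -> 10.0.0.2, UDP)
 * carrying optlen option bytes (a multiple of 4). Returns the length, or 0. */
size_t build_ipv4_ex(uint8_t *out, size_t cap, const uint8_t *opts, size_t optlen)
{
    size_t hlen = IPV4_MIN_HLEN_EX + optlen;
    if (optlen % 4 != 0 || optlen > IPV4_MAX_OPTS_EX || cap < hlen)
        return 0;
    memset(out, 0, hlen);
    out[0] = (uint8_t)(0x40 | (hlen / 4));          /* version 4, IHL in words */
    out[2] = (uint8_t)(hlen >> 8); out[3] = (uint8_t)hlen; /* total length */
    out[8] = 64; out[9] = 17;                       /* TTL, protocol UDP */
    out[12] = 10; out[15] = 1;                      /* 10.0.0.1 */
    out[16] = 10; out[19] = 2;                      /* 10.0.0.2 */
    memcpy(out + IPV4_MIN_HLEN_EX, opts, optlen);
    return hlen;
}

/* Constructed option areas: NOP + record-route(len 3) is well formed; the
 * others claim a length past the header, omit the length byte, or use a
 * length below 2. */
const uint8_t opts_good_ex[4]    = { 0x01, 0x07, 0x03, 0x04 };
const uint8_t opts_overrun_ex[4] = { 0x01, 0x07, 0x09, 0x04 };
const uint8_t opts_nolen_ex[4]   = { 0x01, 0x01, 0x01, 0x07 };
const uint8_t opts_zerolen_ex[4] = { 0x07, 0x00, 0x00, 0x00 };

/* Build a packet with the given options, present only the first present_len
 * bytes of it (or all of it if present_len is larger), and run the check. */
int check_packet_ex(const uint8_t *opts, size_t optlen, size_t present_len)
{
    uint8_t pkt[IPV4_MIN_HLEN_EX + IPV4_MAX_OPTS_EX];
    size_t n = build_ipv4_ex(pkt, sizeof pkt, opts, optlen);
    return (int)ip_hdr_check_ex(pkt, present_len < n ? present_len : n);
}
```

The truncated case (a 24-byte header of which only 22 bytes are present) is the shape of problem the commit mentions: a header length that claims more than the packet carries makes any later copy of the options read past the data, so the check rejects it before the stack sees the packet.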

Revision 1.94 / (download) - annotate - [select for diffs], Sun Feb 11 18:14:26 2024 UTC (3 months, 4 weeks ago) by mvs
Branch: MAIN
Changes since 1.93: +4 -4 lines
Diff to previous 1.93 (colored)

Use `sb_mtx' instead of `inp_mtx' in receive path for inet sockets.

In soreceive(), we only touch the `so_rcv' socket buffer, which has its own
`sb_mtx' mutex(9) for protection. So, we can avoid solock() in this
path - it's enough to hold `sb_mtx' in soreceive() and around
corresponding sbappend*(). But not right now :)

This time we use shared netlock for some inet sockets in the soreceive()
path. To protect `so_rcv' buffer we use `inp_mtx' mutex(9) and the
pru_lock() to acquire this mutex(9) in socket layer. But the `inp_mtx'
mutex belongs to the PCB. We initialize socket before PCB, tcp(4)
sockets could exist without PCB, so use `sb_mtx' mutex(9) to protect
sockbuf stuff.

This diff mechanically replaces `inp_mtx' by `sb_mtx' in the receive
path. Only for sockets which already use `inp_mtx'. All other sockets
left as is. They will be converted later.

Since the `sb_mtx' is optional, the new SB_MTXLOCK flag is introduced. If
this flag is set on `sb_flags', the `sb_mtx' mutex(9) should be taken.
New sb_mtx_lock() and sb_mtx_unlock() were introduced to hide this check.
They are temporary and will be replaced by mtx_enter() when all this
area is converted to `sb_mtx' mutex(9).

Also, the new sbmtxassertlocked() function is introduced to throw the
corresponding assertion for SB_MTXLOCK marked buffers. This time only
sbappendaddr() calls it. This function is also temporary and will be
replaced by MTX_ASSERT_LOCKED() later.

ok bluhm

Revision 1.93 / (download) - annotate - [select for diffs], Sat Feb 3 22:50:09 2024 UTC (4 months ago) by mvs
Branch: MAIN
Changes since 1.92: +10 -1 lines
Diff to previous 1.92 (colored)

Rework socket buffers locking for shared netlock.

Shared netlock is not sufficient to call so{r,w}wakeup(). The following
sowakeup() modifies `sb_flags' and knote(9) stuff. Unfortunately, we
can't call so{r,w}wakeup() with `inp_mtx' mutex(9) because sowakeup()
also calls pgsigio() which grabs kernel lock.

However, `so*_filtops' callbacks only perform read-only access to the
socket stuff, so it is enough to hold shared netlock only, but the klist
stuff needs to be protected.

This diff introduces `sb_mtx' mutex(9) to protect sockbuf. This time
`sb_mtx' used to protect only `sb_flags' and `sb_klist'.

Now we have soassertlocked_readonly() and soassertlocked(). The first
one is happy if only shared netlock is held, meanwhile the second wants
`so_lock' or pru_lock() be held together with shared netlock.

To keep soassertlocked*() assertions soft, we need to know mutex(9)
state, so a new mtx_owned() macro was introduced. Also, the new optional
(*pru_locked)() handler brings the state of pru_lock().

Tests and ok from bluhm.

Revision 1.92 / (download) - annotate - [select for diffs], Sat Sep 16 09:33:27 2023 UTC (8 months, 3 weeks ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.91: +2 -2 lines
Diff to previous 1.91 (colored)

Allow counters_read(9) to take an optional scratch buffer.

Using a scratch buffer makes it possible to take a consistent snapshot of
per-CPU counters without having to allocate memory.

Makes ddb(4) show uvmexp command work in OOM situations.

ok kn@, mvs@, cheloha@

Revision 1.91 / (download) - annotate - [select for diffs], Sat May 13 13:35:17 2023 UTC (12 months, 4 weeks ago) by bluhm
Branch: MAIN
Changes since 1.90: +3 -10 lines
Diff to previous 1.90 (colored)

Instead of implementing IPv4 header checksum creation everywhere,
introduce in_hdr_cksum_out().  It is used like in_proto_cksum_out().
OK claudio@

Revision 1.90 / (download) - annotate - [select for diffs], Tue Apr 4 10:12:03 2023 UTC (14 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.89: +14 -1 lines
Diff to previous 1.89 (colored)

When sending IP packets to userland with divert-packet rules, the
checksum may be wrong.  Locally generated packets diverted by pf
out rules may have no checksum due to hardware offloading.
Calculate the checksum in that case.
OK mvs@ sashan@

Revision 1.89 / (download) - annotate - [select for diffs], Mon Oct 17 14:49:02 2022 UTC (19 months, 3 weeks ago) by mvs
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.88: +1 -15 lines
Diff to previous 1.88 (colored)

Change pru_abort() return type to the type of void and make pru_abort()
optional.

We have no interest in pru_abort() return value. We call it only from
soabort() which is dummy pru_abort() wrapper and has no return value.

Only the connection oriented sockets need to implement (*pru_abort)()
handler. Such sockets are tcp(4) and unix(4) sockets, so remove existing
code for all others, it isn't called.

ok guenther@

Revision 1.88 / (download) - annotate - [select for diffs], Mon Oct 3 16:43:52 2022 UTC (20 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.87: +3 -3 lines
Diff to previous 1.87 (colored)

System calls should not fail due to temporary memory shortage in
malloc(9) or pool_get(9).
Pass down a wait flag to pru_attach().  During syscall socket(2)
it is ok to wait, this logic was missing for internet pcb.  Pfkey
and route sockets were already waiting.
sonewconn() must not wait when called during TCP 3-way handshake.
This logic has been preserved.  Unix domain stream socket connect(2)
can wait until the other side has created the socket to accept.
OK mvs@

Revision 1.87 / (download) - annotate - [select for diffs], Mon Sep 5 14:56:09 2022 UTC (21 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.86: +21 -1 lines
Diff to previous 1.86 (colored)

Use shared netlock in soreceive().  The UDP and IP divert layer
provide locking of the PCB.  If that is possible, use shared instead
of exclusive netlock in soreceive().  The PCB mutex provides a per
socket lock against multiple soreceive() running in parallel.
Release and regrab both locks in sosleep_nsec().
OK mvs@

Revision 1.86 / (download) - annotate - [select for diffs], Sat Sep 3 22:43:38 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.85: +2 -41 lines
Diff to previous 1.85 (colored)

Move PRU_PEERADDR request to (*pru_peeraddr)().

Introduce in{,6}_peeraddr() and use them for inet and inet6 sockets,
except tcp(4) case.

Also remove *_usrreq() handlers.

ok bluhm@

Revision 1.85 / (download) - annotate - [select for diffs], Sat Sep 3 18:48:50 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.84: +2 -5 lines
Diff to previous 1.84 (colored)

Move PRU_SOCKADDR request to (*pru_sockaddr)()

Introduce in{,6}_sockaddr() functions, and use them for all except tcp(4)
inet sockets. For tcp(4) sockets use tcp_sockaddr() to keep debug ability.

The key management and route domain sockets return an EINVAL error for
PRU_SOCKADDR request, so keep this behaviour for a while instead of making
the pru_sockaddr handler optional and returning EOPNOTSUPP.

ok bluhm@

Revision 1.84 / (download) - annotate - [select for diffs], Fri Sep 2 13:12:32 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.83: +2 -6 lines
Diff to previous 1.83 (colored)

Move PRU_CONTROL request to (*pru_control)().

The 'proc *' arg is not used for PRU_CONTROL request, so remove it from
pru_control() wrapper.

Split out {tcp,udp}6_usrreqs from {tcp,udp}_usrreqs and use them for
inet6 case.

ok guenther@ bluhm@

Revision 1.83 / (download) - annotate - [select for diffs], Thu Sep 1 18:21:23 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.82: +1 -2 lines
Diff to previous 1.82 (colored)

Move PRU_CONNECT2 request to (*pru_connect2)().

ok bluhm@

Revision 1.82 / (download) - annotate - [select for diffs], Wed Aug 31 21:23:02 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.81: +1 -2 lines
Diff to previous 1.81 (colored)

Move PRU_SENDOOB request to (*pru_sendoob)().

PRU_SENDOOB request always consumes passed `top' and `control' mbufs. To
avoid dummy m_freem(9) handlers for all protocols release passed mbufs
in the pru_sendoob() EOPNOTSUPP error path.

Also fix `control' mbuf(9) leak in the tcp(4) PRU_SENDOOB error path.

ok bluhm@

Revision 1.81 / (download) - annotate - [select for diffs], Mon Aug 29 08:08:17 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.80: +1 -2 lines
Diff to previous 1.80 (colored)

Move PRU_RCVOOB request to (*pru_rcvoob)().

ok bluhm@

Revision 1.80 / (download) - annotate - [select for diffs], Sun Aug 28 21:35:12 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.79: +1 -4 lines
Diff to previous 1.79 (colored)

Move PRU_SENSE request to (*pru_sense)().

ok bluhm@

Revision 1.79 / (download) - annotate - [select for diffs], Sun Aug 28 18:44:16 2022 UTC (21 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.78: +15 -6 lines
Diff to previous 1.78 (colored)

Move PRU_ABORT request to (*pru_abort)().

We abort only the sockets which are linked to `so_q' or `so_q0' queues of
listening socket. Such sockets have no corresponding file descriptor and
are not accessed from userland, so PRU_ABORT used to destroy them on
listening socket destruction.

Currently all our sockets support PRU_ABORT request, but actually it is
required only for tcp(4) and unix(4) sockets, so it should be optional.
However, they will be removed with a separate diff, and this time PRU_ABORT
requests were converted as is.

Also, the socket should be destroyed on PRU_ABORT request, but route and
key management sockets leave it alive. This was also converted as is,
because this wrong code is never called.

ok bluhm@

Revision 1.78 / (download) - annotate - [select for diffs], Sat Aug 27 20:28:01 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.77: +12 -4 lines
Diff to previous 1.77 (colored)

Move PRU_SEND request to (*pru_send)().

The former PRU_SEND error path of gre_usrreq() had `control' mbuf(9)
leak. It was fixed in new gre_send().

The former pfkeyv2_send() was renamed to pfkeyv2_dosend().

ok bluhm@

Revision 1.77 / (download) - annotate - [select for diffs], Fri Aug 26 16:17:39 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.76: +1 -2 lines
Diff to previous 1.76 (colored)

Move PRU_RCVD request to (*pru_rcvd)().

ok bluhm@

Revision 1.76 / (download) - annotate - [select for diffs], Mon Aug 22 21:18:48 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.75: +10 -5 lines
Diff to previous 1.75 (colored)

Move PRU_SHUTDOWN request to (*pru_shutdown)().

ok bluhm@

Revision 1.75 / (download) - annotate - [select for diffs], Mon Aug 22 13:23:07 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.74: +1 -2 lines
Diff to previous 1.74 (colored)

Move PRU_DISCONNECT request to (*pru_disconnect).

ok bluhm@

Revision 1.74 / (download) - annotate - [select for diffs], Mon Aug 22 08:08:46 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.73: +1 -2 lines
Diff to previous 1.73 (colored)

Move PRU_ACCEPT request to (*pru_accept)().

ok bluhm@

Revision 1.73 / (download) - annotate - [select for diffs], Sun Aug 21 22:45:55 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.72: +1 -2 lines
Diff to previous 1.72 (colored)

Move PRU_CONNECT request to (*pru_connect)() handler.

ok bluhm@

Revision 1.72 / (download) - annotate - [select for diffs], Sun Aug 21 17:30:21 2022 UTC (21 months, 2 weeks ago) by mvs
Branch: MAIN
Changes since 1.71: +1 -2 lines
Diff to previous 1.71 (colored)

Move PRU_LISTEN request to (*pru_listen)() handler.

ok bluhm@

Revision 1.71 / (download) - annotate - [select for diffs], Sun Aug 21 11:44:54 2022 UTC (21 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.70: +5 -12 lines
Diff to previous 1.70 (colored)

Introduce a mutex per inpcb to serialize access to socket receive
buffer.  Later it may be used to protect more of the PCB or socket.
In divert input replace the kernel lock with this mutex.
OK mvs@

Revision 1.70 / (download) - annotate - [select for diffs], Sat Aug 20 23:48:58 2022 UTC (21 months, 3 weeks ago) by mvs
Branch: MAIN
Changes since 1.69: +11 -5 lines
Diff to previous 1.69 (colored)

Move PRU_BIND request to (*pru_bind)() handler.

For the protocols which don't support the request, leave the handler NULL. Do the
NULL check within corresponding pru_() wrapper and return EOPNOTSUPP in
such case. This will be done for all upcoming user request handlers.

ok bluhm@ guenther@

Revision 1.69 / (download) - annotate - [select for diffs], Mon Aug 15 09:11:39 2022 UTC (21 months, 3 weeks ago) by mvs
Branch: MAIN
Changes since 1.68: +7 -1 lines
Diff to previous 1.68 (colored)

Introduce 'pr_usrreqs' structure and move existing user-protocol
handlers into it. We want to split existing (*pr_usrreq)() to multiple
short handlers for each PRU_ request as it was already done for
PRU_ATTACH and PRU_DETACH. This is the preparation step, (*pr_usrreq)()
split will be done with the following diffs.

Based on reverted diff from guenther@.

ok bluhm@

Revision 1.68 / (download) - annotate - [select for diffs], Mon May 9 19:33:46 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.67: +10 -2 lines
Diff to previous 1.67 (colored)

Protect sbappendaddr() in divert_packet() with kernel lock.  With
divert-packet rules pf calls directly from IP layer to protocol
layer.  As the former has only shared net lock, additional protection
against parallel access is needed.  Kernel lock is a temporary
workaround until the socket layer is MP safe.
discussed with kettenis@ mvs@

Revision 1.67 / (download) - annotate - [select for diffs], Thu May 5 16:44:22 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.66: +38 -34 lines
Diff to previous 1.66 (colored)

Clean up divert_packet().  Function does not return error, make it
void.  Introduce mutex and refcounting for inp like in the other
PCB functions.
OK sashan@

Revision 1.66 / (download) - annotate - [select for diffs], Fri Feb 25 23:51:03 2022 UTC (2 years, 3 months ago) by guenther
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.65: +6 -10 lines
Diff to previous 1.65 (colored)

Reported-by: syzbot+1b5b209ce506db4d411d@syzkaller.appspotmail.com
Revert the pr_usrreqs move: syzkaller found a NULL pointer deref
and I won't be available to monitor for followup issues for a bit

Revision 1.65 / (download) - annotate - [select for diffs], Fri Feb 25 08:36:01 2022 UTC (2 years, 3 months ago) by guenther
Branch: MAIN
Changes since 1.64: +10 -6 lines
Diff to previous 1.64 (colored)

Move pr_attach and pr_detach to a new structure pr_usrreqs that can
then be shared among protosw structures, following the same basic
direction as NetBSD and FreeBSD for this.

Split PRU_CONTROL out of pr_usrreq into pru_control, giving it the
proper prototype to eliminate the previously necessary casts.

ok mvs@ bluhm@

Revision 1.64 / (download) - annotate - [select for diffs], Mon Nov 16 06:38:20 2020 UTC (3 years, 6 months ago) by gnezdo
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0, OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.63: +1 -13 lines
Diff to previous 1.63 (colored)

Remove the cases folded into sysctl_bounded_args but left behind

divert_sysctl and divert6_sysctl get a tiny bit slimmer.

Revision 1.63 / (download) - annotate - [select for diffs], Mon Aug 24 16:00:31 2020 UTC (3 years, 9 months ago) by gnezdo
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.62: +8 -4 lines
Diff to previous 1.62 (colored)

Convert divert*_sysctl to sysctl_bounded_args

OK sashan

Revision 1.62 / (download) - annotate - [select for diffs], Sat Aug 1 23:41:55 2020 UTC (3 years, 10 months ago) by gnezdo
Branch: MAIN
Changes since 1.61: +6 -10 lines
Diff to previous 1.61 (colored)

Move range check inside sysctl_int_arr

Range violations are now consistently reported as EOPNOTSUPP.
Previously they were mixed with ENOPROTOOPT.

OK kn@

Revision 1.61 / (download) - annotate - [select for diffs], Mon Feb 4 21:40:52 2019 UTC (5 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7, OPENBSD_6_6_BASE, OPENBSD_6_6, OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.60: +8 -8 lines
Diff to previous 1.60 (colored)

Avoid an mbuf double free in the oob soreceive() path.  In the
usrreq functions move the mbuf m_freem() logic to the release block
instead of distributing it over the switch statement.  Then the
goto release in the initial check, whether the pcb still exists,
will not free the mbuf for the PRU_RCVD, PRU_RCVOOB, PRU_SENSE
command.
OK claudio@ mpi@ visa@
Reported-by: syzbot+8e7997d4036ae523c79c@syzkaller.appspotmail.com

Revision 1.60 / (download) - annotate - [select for diffs], Sat Nov 10 18:40:34 2018 UTC (5 years, 7 months ago) by bluhm
Branch: MAIN
Changes since 1.59: +1 -3 lines
Diff to previous 1.59 (colored)

Do not translate the EACCES error from pf(4) to EHOSTUNREACH anymore.
It also translated a documented send(2) EACCES case erroneously.
This was too much magic and always prone to errors.
from Jan Klemkow; man page jmc@; OK claudio@

Revision 1.59 / (download) - annotate - [select for diffs], Thu Oct 4 17:33:41 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.58: +1 -3 lines
Diff to previous 1.58 (colored)

Revert the inpcb table mutex commit.  It triggers a witness panic
in raw IP delivery and UDP broadcast loops.  There inpcbtable_mtx
is held and sorwakeup() is called within the loop.  As sowakeup()
grabs the kernel lock, we have a lock ordering problem.
found by Hrvoje Popovski; OK deraadt@ mpi@

Revision 1.58 / (download) - annotate - [select for diffs], Thu Sep 20 18:59:10 2018 UTC (5 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.57: +3 -1 lines
Diff to previous 1.57 (colored)

As a step towards per inpcb or socket locks, remove the net lock
for netstat -a.  Introduce a global mutex that protects the tables
and hashes for the internet PCBs.  To detect detached PCB, set its
inp_socket field to NULL.  This has to be protected by a per PCB
mutex.  The protocol pointer has to be protected by the mutex as
netstat uses it.
Always take the kernel lock in in_pcbnotifyall() and in6_pcbnotify()
before the table mutex to avoid lock ordering problems in the notify
functions.
OK visa@

Revision 1.57 / (download) - annotate - [select for diffs], Tue Apr 24 15:40:55 2018 UTC (6 years, 1 month ago) by pirofti
Branch: MAIN
Changes since 1.56: +4 -3 lines
Diff to previous 1.56 (colored)

Push NET_LOCK down in the default ifioctl case.

For the PRU_CONTROL bit the NET_LOCK surrounds in[6]_control() and
on the ENOTSUPP case we guard the driver if_ioctl functions.

OK mpi@

Revision 1.56 / (download) - annotate - [select for diffs], Thu Nov 2 14:01:18 2017 UTC (6 years, 7 months ago) by florian
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.55: +15 -5 lines
Diff to previous 1.55 (colored)

Move PRU_DETACH out of pr_usrreq into per proto pr_detach
functions to pave way for more fine grained locking.

Suggested by, comments & OK mpi

Revision 1.55 / (download) - annotate - [select for diffs], Mon Oct 9 08:35:38 2017 UTC (6 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.54: +19 -7 lines
Diff to previous 1.54 (colored)

Reduces the scope of the NET_LOCK() in sysctl(2) path.

Exposes per-CPU counters to real parallelism.

ok visa@, bluhm@, jca@

Revision 1.54 / (download) - annotate - [select for diffs], Fri Oct 6 22:08:30 2017 UTC (6 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.53: +6 -1 lines
Diff to previous 1.53 (colored)

Unfortunately I removed too much in my previous commit and broke
divert-packet.  Bring back the loop over the global list to find
the divert socket.

Revision 1.53 / (download) - annotate - [select for diffs], Fri Oct 6 21:14:55 2017 UTC (6 years, 8 months ago) by bluhm
Branch: MAIN
Changes since 1.52: +1 -13 lines
Diff to previous 1.52 (colored)

Kill the divert-packet socket option IP_DIVERTFL to filter packets.
It used a loop over the global list divbtable that would be hard
to make MP safe.  The port net/dnsfilter does not work without this,
it should be converted to divert-to.  Neither other ports nor base
use this filter feature.
ports checked by sthen@; OK mpi@ benno@

Revision 1.52 / (download) - annotate - [select for diffs], Wed Sep 6 11:43:04 2017 UTC (6 years, 9 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.51: +3 -6 lines
Diff to previous 1.51 (colored)

Replace the call to ifa_ifwithaddr() in divert6_output() with a
route lookup to make it MP safe.  Only set the mbuf header fields
that are needed.  Validate the name input.  Also use the same
variables in IPv4 and IPv6 functions and avoid unnecessary
initialization.
OK mpi@

Revision 1.51 / (download) - annotate - [select for diffs], Wed Sep 6 00:05:02 2017 UTC (6 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.50: +21 -17 lines
Diff to previous 1.50 (colored)

Replace the call to ifa_ifwithaddr() in divert_output() with a route
lookup to make it MP safe.  Only set the mbuf header fields that
are needed.  Validate the name input.
OK mpi@

Revision 1.50 / (download) - annotate - [select for diffs], Tue Sep 5 07:59:11 2017 UTC (6 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)

Replace NET_ASSERT_LOCKED() by soassertlocked() in *_usrreq().

Not all of them need the NET_LOCK().

ok bluhm@

Revision 1.49 / (download) - annotate - [select for diffs], Thu Jul 27 12:04:42 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.48: +5 -2 lines
Diff to previous 1.48 (colored)

Grab the KERNEL_LOCK() before calling sorwakeup().

In the forwarding path, pf_test() is executed w/o KERNEL_LOCK() and
in case of divert ends up calling sowakeup().  However selwakeup() and
csignal() are not yet ready to be executed w/o KERNEL_LOCK().

ok bluhm@

Revision 1.48 / (download) - annotate - [select for diffs], Mon Jun 26 09:32:32 2017 UTC (6 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

Assert that the corresponding socket is locked when manipulating socket
buffers.

This is one step towards unlocking TCP input path.  Note that all the
functions asserting for the socket lock are not necessarily MP-safe.
All the fields of 'struct socket' aren't protected.

Introduce a new kernel-only kqueue hint, NOTE_SUBMIT, to be able to
tell when a filter needs to lock the underlying data structures.  Logic
and name taken from NetBSD.

Tested by Hrvoje Popovski.

ok claudio@, bluhm@, mikeb@

Revision 1.47 / (download) - annotate - [select for diffs], Tue May 30 07:50:37 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.46: +4 -2 lines
Diff to previous 1.46 (colored)

Introduce ipv{4,6}_input(), two wrappers around IP queues.

This will help transitioning to an un-KERNEL_LOCK()ed IP
forwarding path.

Discussed with bluhm@, ok claudio@

Revision 1.46 / (download) - annotate - [select for diffs], Wed Apr 5 13:35:18 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.45: +2 -2 lines
Diff to previous 1.45 (colored)

When building counter memory in preparation to copy to userland, always
zero the buffers first.  All the current objects appear to be safe,
however future changes might introduce structure pads.
Discussed with guenther, ok bluhm

Revision 1.45 / (download) - annotate - [select for diffs], Mon Mar 13 20:18:21 2017 UTC (7 years, 3 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.44: +24 -21 lines
Diff to previous 1.44 (colored)

Move PRU_ATTACH out of the pr_usrreq functions into pr_attach.
Attach is quite a different thing to the other PRU functions and
this should make locking a bit simpler. This also removes the ugly
hack on how proto was passed to the attach function.
OK bluhm@ and mpi@ on a previous version

Revision 1.44 / (download) - annotate - [select for diffs], Thu Feb 9 15:32:56 2017 UTC (7 years, 4 months ago) by jca
Branch: MAIN
Changes since 1.43: +30 -13 lines
Diff to previous 1.43 (colored)

percpu counters for divert(4) stats

ok dlg@

Revision 1.43 / (download) - annotate - [select for diffs], Sun Jan 29 19:58:47 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.42: +1 -7 lines
Diff to previous 1.42 (colored)

Change the IPv4 pr_input function to the way IPv6 is implemented,
to get rid of struct ip6protosw and some wrapper functions.  It is
more consistent to have less different structures.  The divert_input
functions cannot be called anyway, so remove them.
OK visa@ mpi@

Revision 1.42 / (download) - annotate - [select for diffs], Wed Jan 25 17:34:31 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

Since raw_input() and route_input() are gone from pr_input, we can
make the variable parameters of the protocol input functions fixed.
Also add the proto to make it similar to IPv6.
OK mpi@ guenther@ millert@

Revision 1.41 / (download) - annotate - [select for diffs], Mon Dec 19 08:36:49 2016 UTC (7 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored)

Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts
of the network stack that are not yet ready to be executed in parallel or
where new sleeping points are not possible.

This first pass replaces all the entry points leading to ip_output(). This
is done to not introduce new sleeping points when trying to acquire ART's
write lock, needed when a new L2 entry is created via the RT_RESOLVE.

Inputs from and ok bluhm@, ok dlg@

Revision 1.40 / (download) - annotate - [select for diffs], Mon Nov 21 09:09:06 2016 UTC (7 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.39: +5 -18 lines
Diff to previous 1.39 (colored)

Enforce that pr_usrreq functions are called at IPL_SOFTNET.

This will allow us to keep locking simple as soon as we trade
splsoftnet() for a rwlock.

ok bluhm@, claudio@

Revision 1.39 / (download) - annotate - [select for diffs], Mon Mar 7 18:44:00 2016 UTC (8 years, 3 months ago) by naddy
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)

Sync no-argument function declaration and definition by adding (void).
ok mpi@ millert@

Revision 1.38 / (download) - annotate - [select for diffs], Wed Sep 9 20:15:52 2015 UTC (8 years, 9 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.37: +2 -1 lines
Diff to previous 1.37 (colored)

if_put after if_get

ok mpi@

Revision 1.37 / (download) - annotate - [select for diffs], Tue Sep 1 21:24:04 2015 UTC (8 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.36: +2 -3 lines
Diff to previous 1.36 (colored)

Replace sockaddr casts with the proper satosin(), ... calls.
From David Hill; OK mpi@; tested kspillner@; tweaks bluhm@

Revision 1.36 / (download) - annotate - [select for diffs], Fri Aug 14 18:07:28 2015 UTC (8 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)

Replace sockaddr casts with the proper satosin() or satosin6() calls.
From David Hill;  OK mpi@

Revision 1.35 / (download) - annotate - [select for diffs], Wed Jul 15 22:16:42 2015 UTC (8 years, 10 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.34: +4 -8 lines
Diff to previous 1.34 (colored)

m_freem() can handle NULL, do not check for this condition beforehand.
ok stsp mpi

Revision 1.34 / (download) - annotate - [select for diffs], Tue Jun 16 11:09:40 2015 UTC (8 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.33: +8 -4 lines
Diff to previous 1.33 (colored)

Store a unique ID, an interface index, rather than a pointer to the
receiving interface in the packet header of every mbuf.

The interface pointer should now be retrieved when necessary with
if_get().  If a NULL pointer is returned by if_get(), the interface
has probably been destroyed/removed and the mbuf should be freed.

Such mechanism will simplify garbage collection of mbufs and limit
problems with dangling ifp pointers.

Tested by jmatthew@ and krw@, discussed with many.

ok mikeb@, bluhm@, dlg@

Revision 1.33 / (download) - annotate - [select for diffs], Fri Apr 10 13:58:20 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.32: +3 -9 lines
Diff to previous 1.32 (colored)

replace the use of ifqueues for most input queues serviced by netisr
with niqueues.

this change is so big because there's a lot of code that takes
pointers to different input queues (eg, ether_input picks between
ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through
to code to enqueue packets against the pointer. if i changed only
one of the input queues I'd have to add separate code paths, one
for ifqueues and one for niqueues in each of these places

by flipping all these input queues at once i can keep the currently
common code common.

testing by mpi@ sthen@ and rafael zalamena
ok mpi@ sthen@ claudio@ henning@

Revision 1.32 / (download) - annotate - [select for diffs], Sat Jan 24 00:29:06 2015 UTC (9 years, 4 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.31: +4 -2 lines
Diff to previous 1.31 (colored)

Userland (base & ports) was adapted to always include <netinet/in.h>
before <net/pfvar.h> or <net/if_pflog.h>.  The kernel files can be
cleaned up next.  Some sockaddr_union steps make it into here as well.
ok naddy

Revision 1.31 / (download) - annotate - [select for diffs], Fri Dec 5 15:50:04 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.30: +2 -1 lines
Diff to previous 1.30 (colored)

Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>.

ok mikeb@, krw@, bluhm@, tedu@

Revision 1.30 / (download) - annotate - [select for diffs], Mon Sep 8 06:24:13 2014 UTC (9 years, 9 months ago) by jsg
Branch: MAIN
Changes since 1.29: +1 -2 lines
Diff to previous 1.29 (colored)

remove unneeded route.h includes
ok miod@ mpi@

Revision 1.29 / (download) - annotate - [select for diffs], Sun Aug 10 03:26:20 2014 UTC (9 years, 10 months ago) by lteo
Branch: MAIN
Changes since 1.28: +2 -2 lines
Diff to previous 1.28 (colored)

Fix the length check for reinjected ICMP packets: sizeof(struct icmp) is
28 but an ICMP packet can be as small as 8 bytes (e.g. an ICMP echo
request packet with no payload), so check against ICMP_MINLEN instead.

Prior to this fix, divert(4) would erroneously discard valid ICMP
packets that are shorter than 20 bytes.

ICMPv6 is not affected, so this change applies to ICMP over IPv4 only.

ok florian@ henning@
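The length check this commit corrects, as an added example that is not the divert(4) code itself: the pre-fix test against sizeof(struct icmp) next to the fixed test against ICMP_MINLEN, followed by an acceptance routine for a reinjected ICMP packet that also verifies the checksum. The constants mirror what the commit states (ICMP_MINLEN is 8, sizeof(struct icmp) is 28); the _ex names, the checksum helper and the constructed echo request are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not OpenBSD code. ICMP_MINLEN_EX is the 8-byte fixed
 * header the commit refers to; OLD_STRUCT_ICMP_LEN_EX stands in for
 * sizeof(struct icmp), which the commit states is 28. */
#define ICMP_MINLEN_EX          8
#define OLD_STRUCT_ICMP_LEN_EX  28
#define ICMP_ECHO_EX            8

/* One's-complement Internet checksum over len bytes (RFC 1071). */
static uint16_t in_cksum_ex(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; buf += 2, len -= 2)
        sum += (uint32_t)(buf[0] << 8 | buf[1]);
    if (len == 1)
        sum += (uint32_t)(buf[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* The check before the fix: demands a full struct icmp, so a payload-less
 * echo request (8 bytes) is thrown away. */
int icmp_len_ok_old(size_t len)
{
    return len >= OLD_STRUCT_ICMP_LEN_EX;
}

/* The check after the fix: only the fixed header must be present. */
int icmp_len_ok_new(size_t len)
{
    return len >= ICMP_MINLEN_EX;
}

/* Accept a reinjected ICMP packet: minimum length, then a checksum that
 * verifies (the checksum over a correct packet comes out as 0). */
int icmp_reinject_ok_ex(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || !icmp_len_ok_new(len))
        return 0;
    return in_cksum_ex(pkt, len) == 0;
}

/* Build a constructed echo request (type 8) with the given id, seq and
 * payload, filling in a valid checksum. Returns the packet length or 0. */
size_t build_echo_ex(uint8_t *out, size_t cap, uint16_t id, uint16_t seq,
    const uint8_t *payload, size_t plen)
{
    size_t len = ICMP_MINLEN_EX + plen;
    uint16_t ck;

    if (cap < len)
        return 0;
    out[0] = ICMP_ECHO_EX;
    out[1] = 0;                             /* code */
    out[2] = out[3] = 0;                    /* checksum computed below */
    out[4] = (uint8_t)(id >> 8);  out[5] = (uint8_t)id;
    out[6] = (uint8_t)(seq >> 8); out[7] = (uint8_t)seq;
    if (plen > 0)
        memcpy(out + ICMP_MINLEN_EX, payload, plen);
    ck = in_cksum_ex(out, len);
    out[2] = (uint8_t)(ck >> 8);
    out[3] = (uint8_t)ck;
    return len;
}

/* Build an echo request with plen payload bytes, optionally corrupt one
 * byte, and present only present_len bytes of it to the acceptance check.
 * Returns 1 (accepted), 0 (rejected) or -1 (bad request). */
int check_constructed_echo_ex(size_t plen, size_t present_len, int corrupt)
{
    static const uint8_t payload[] = "constructed-data";  /* constructed */
    uint8_t pkt[ICMP_MINLEN_EX + sizeof payload];
    size_t len;

    if (plen > sizeof payload)
        return -1;
    len = build_echo_ex(pkt, sizeof pkt, 0x1234, 1, payload, plen);
    if (corrupt)
        pkt[7] ^= 0x01;                     /* flip a bit in the sequence number */
    return icmp_reinject_ok_ex(pkt, present_len < len ? present_len : len);
}
```

An 8-byte echo request fails icmp_len_ok_old() and passes icmp_len_ok_new(); the same packet with a flipped bit, or presented one byte short, is still rejected by the checksum, which is why a shorter minimum length does not loosen the validation.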

Revision 1.28 / (download) - annotate - [select for diffs], Sun Aug 10 03:24:51 2014 UTC (9 years, 10 months ago) by lteo
Branch: MAIN
Changes since 1.27: +6 -6 lines
Diff to previous 1.27 (colored)

Rename p_hdrlen to min_hdrlen to better reflect its purpose.

No object file change
ok florian@ henning@

Revision 1.27 / (download) - annotate - [select for diffs], Tue Jul 22 11:06:10 2014 UTC (9 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.26: +1 -2 lines
Diff to previous 1.26 (colored)

Fewer <netinet/in_systm.h> !

Revision 1.26 / (download) - annotate - [select for diffs], Sat Jul 12 19:05:45 2014 UTC (9 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.25: +5 -8 lines
Diff to previous 1.25 (colored)

Remove the redundant csum_flag variable and just set the checksum flag
in the pkthdr directly.

ok henning@

Revision 1.25 / (download) - annotate - [select for diffs], Sat Jul 12 19:04:29 2014 UTC (9 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.24: +1 -4 lines
Diff to previous 1.24 (colored)

Protocol checksums have been recalculated on reinjection for a while
now, so there is no need to calculate them before sending them to
userspace.

ok henning@

Revision 1.24 / (download) - annotate - [select for diffs], Sat Jul 12 03:27:00 2014 UTC (9 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.23: +22 -28 lines
Diff to previous 1.23 (colored)

Implement checksum offload for divert(4): simply set the checksum flag
and let the stack take care of the checksums for reinjected outbound
packets.

Reinjected inbound packets will continue to have their checksums
calculated manually but we can now take advantage of in_proto_cksum_out
and in6_proto_cksum_out to streamline the way their checksums are done.

help from florian@ and henning@, feedback from naddy@
ok florian@ henning@

Revision 1.23 / (download) - annotate - [select for diffs], Thu Jul 10 03:17:59 2014 UTC (9 years, 11 months ago) by lteo
Branch: MAIN
Changes since 1.22: +3 -11 lines
Diff to previous 1.22 (colored)

Simplify the way divert(4) sends packets to userspace: Instead of
unnecessarily allocating an mbuf tag to store the divert port, just pass
the divert port directly to divert_packet() or divert6_packet() as an
argument.

includes a style fix pointed out by bluhm@
ok bluhm@ henning@ reyk@

Revision 1.22 / (download) - annotate - [select for diffs], Wed Apr 23 14:43:14 2014 UTC (10 years, 1 month ago) by florian
Branch: MAIN
Changes since 1.21: +7 -14 lines
Diff to previous 1.21 (colored)

No need for vargs here.
While there move declaration of divert{,6}_output() to .c as it's a
private function. Also switch first two args to make it more like
similar functions (both suggested by mpi@).
Input/OK mpi@, OK lteo@

Revision 1.21 / (download) - annotate - [select for diffs], Mon Apr 21 12:22:26 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.20: +1 -1 lines
Diff to previous 1.20 (colored)

ip_output() using varargs always struck me as bizarre, esp since it's only
ever used to pass on uint32 (for ipsec). stop that madness and just pass
the uint32, 0 in all cases but the two that pass the ipsec flowinfo.
ok deraadt reyk guenther

Revision 1.20 / (download) - annotate - [select for diffs], Mon Apr 14 09:06:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.19: +3 -3 lines
Diff to previous 1.19 (colored)

"struct pkthdr" holds a routing table ID, not a routing domain one.
Avoid the confusion by using an appropriate name for the variable.

Note that since routing domain IDs are a subset of the set of routing
table IDs, the following idiom is correct:

	rtableid = rdomain

But to get the routing domain ID corresponding to a given routing table
ID, you must call rtable_l2(9).

claudio@ likes it, ok mikeb@

Revision 1.19 / (download) - annotate - [select for diffs], Mon Apr 7 10:04:17 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.18: +3 -5 lines
Diff to previous 1.18 (colored)

Retire kernel support for SO_DONTROUTE, this time without breaking
localhost connections.

The plan is to always use the routing table for addresses and routes
resolutions, so there is no future for an option that wants to bypass
it.  This option has never been implemented for IPv6 anyway, so let's
just remove the IPv4 bits that you weren't aware of.

Tested at least by lteo@, guenther@ and chrisz@, ok mikeb@, benno@

Revision 1.18 / (download) - annotate - [select for diffs], Fri Mar 28 08:33:51 2014 UTC (10 years, 2 months ago) by sthen
Branch: MAIN
Changes since 1.17: +4 -2 lines
Diff to previous 1.17 (colored)

revert "Retire kernel support for SO_DONTROUTE" diff, which does bad things
for localhost connections. discussed with deraadt@

Revision 1.17 / (download) - annotate - [select for diffs], Thu Mar 27 13:27:28 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.16: +3 -5 lines
Diff to previous 1.16 (colored)

Retire kernel support for SO_DONTROUTE, since the plan is to always
use the routing table there's no future for an option that wants to
bypass it.  This option has never been implemented for IPv6 anyway,
so let's just remove the IPv4 bits that you weren't aware of.

Tested by florian@, man pages inputs from jmc@, ok benno@

Revision 1.16 / (download) - annotate - [select for diffs], Thu Jan 9 06:29:06 2014 UTC (10 years, 5 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

bzero/bcmp -> memset/memcmp. ok matthew

Revision 1.15 / (download) - annotate - [select for diffs], Fri Dec 20 02:04:08 2013 UTC (10 years, 5 months ago) by krw
Branch: MAIN
Changes since 1.14: +3 -3 lines
Diff to previous 1.14 (colored)

Switch inpt_queue from CIRCLEQ to TAILQ. Thus ending use of CIRCLEQ
in the base. Ports fixes to follow shortly for the two ports (gkrellm
and net-snmp) affected.

ok zhuk@ millert@

Revision 1.14 / (download) - annotate - [select for diffs], Fri Nov 15 16:46:15 2013 UTC (10 years, 6 months ago) by lteo
Branch: MAIN
Changes since 1.13: +5 -5 lines
Diff to previous 1.13 (colored)

Rename the struct pf_divert variable in divert_packet() and
divert6_packet() from "pd" to "divert" to match the rest of the source.
I think "pd" was not a good name for a struct pf_divert because "pd"
usually refers to a pf_pdesc.

No object file change.

OK benno@ bluhm@ henning@

Revision 1.13 / (download) - annotate - [select for diffs], Mon Apr 8 15:32:23 2013 UTC (11 years, 2 months ago) by lteo
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.12: +70 -5 lines
Diff to previous 1.12 (colored)

Recalculate the IP and protocol checksums of packets (re)injected via
divert(4) sockets.

Recalculation of these checksums is necessary because (1) PF no longer
updates IP checksums as of pf.c rev 1.731, so translated packets that
are diverted to userspace (e.g. divert-packet with nat-to/rdr-to) will
have bad IP checksums and will be reinjected with bad IP checksums if
the userspace program doesn't correct the checksums; (2) the userspace
program may modify the packets, which would invalidate the checksums;
and (3) the divert(4) man page states that checksums are supposed to be
recalculated on reinjection.

This diff has been tested on a public webserver serving both IPv4/IPv6
for more than four weeks.  It has also been tested on a firewall with
divert-packet and nat-to/rdr-to where it transferred over 60GB of
FTP/HTTP/HTTPS/SSH/DNS/ICMP/ICMPv6 data correctly, using IPv4/IPv6
userspace programs that intentionally break the IP and protocol
checksums to confirm that recalculation is done correctly on
reinjection.  IPv6 extension headers were tested with Scapy.

Thanks to florian@ for testing the original version of the diff with
dnsfilter and Justin Mayes for testing the original version with Snort
inline.  Thanks also to todd@ for helping me in my search for the cause
of this bug.

I would especially like to thank blambert@ for reviewing many versions
of this diff, and providing guidance and tons of helpful feedback.

no objections from florian@
help/ok blambert@, ok henning@
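An added C example, not code from the OpenBSD tree, that illustrates the two points above: the ICMP_MINLEN length check from rev 1.29 (an 8-byte echo request with no payload must pass, while the old sizeof(struct icmp) check of 28 rejected it) and the checksum recalculation on reinjection from rev 1.13. The constructed 28-byte packet, the helper names (`in_cksum`, `icmp_len_ok`, `fix_checksums`, `demo_roundtrip`) and the flat byte-buffer layout are assumptions of this example; the real kernel works on mbufs and delegates to in_proto_cksum_out().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimum ICMP message: type, code, checksum, plus 4 bytes of
 * type-specific data (identifier/sequence for echo). */
#define ICMP_MINLEN 8
/* sizeof(struct icmp) on BSD, the value the pre-1.29 check used. */
#define ICMP_STRUCTLEN 28
#define IP_HDRLEN 20

/* RFC 1071 one's-complement checksum. Over a region whose checksum
 * field is already correct this returns 0, which is how we verify. */
uint16_t in_cksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) {
        sum += (uint32_t)((data[0] << 8) | data[1]);
        data += 2;
        len -= 2;
    }
    if (len == 1)
        sum += (uint32_t)data[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Length check as fixed in rev 1.29: accept anything >= ICMP_MINLEN. */
int icmp_len_ok(size_t icmplen)
{
    return icmplen >= ICMP_MINLEN;
}

/* The pre-1.29 check, kept only to show why it dropped valid packets. */
int icmp_len_ok_old(size_t icmplen)
{
    return icmplen >= ICMP_STRUCTLEN;
}

/* Recompute the IPv4 header and ICMP checksums of a reinjected packet in
 * place (rev 1.13 behaviour). Returns 0 on success, -1 if the packet is
 * too short or is not ICMP. Assumes a flat buffer, not an mbuf chain. */
int fix_checksums(uint8_t *pkt, size_t len)
{
    if (len < IP_HDRLEN)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_HDRLEN || len < hlen || pkt[9] != 1 /* IPPROTO_ICMP */)
        return -1;
    if (!icmp_len_ok(len - hlen))
        return -1;
    /* IP header checksum lives at bytes 10-11 of the header. */
    pkt[10] = pkt[11] = 0;
    uint16_t ipck = in_cksum(pkt, hlen);
    pkt[10] = (uint8_t)(ipck >> 8);
    pkt[11] = (uint8_t)(ipck & 0xff);
    /* ICMP checksum at bytes 2-3, computed over the whole ICMP message. */
    uint8_t *icmp = pkt + hlen;
    icmp[2] = icmp[3] = 0;
    uint16_t ick = in_cksum(icmp, len - hlen);
    icmp[2] = (uint8_t)(ick >> 8);
    icmp[3] = (uint8_t)(ick & 0xff);
    return 0;
}

/* Constructed sample: 20-byte IPv4 header + 8-byte echo request with no
 * payload, both checksum fields deliberately wrong (0xdead / 0xbeef), as
 * a userspace program that forgot to fix them might reinject. */
size_t sample_packet(uint8_t *buf)
{
    static const uint8_t pkt[IP_HDRLEN + ICMP_MINLEN] = {
        0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00, 0x40, 0x01, 0xde, 0xad,
        10, 0, 0, 1, 10, 0, 0, 2,
        0x08, 0x00, 0xbe, 0xef, 0x00, 0x01, 0x00, 0x01 };
    memcpy(buf, pkt, sizeof(pkt));
    return sizeof(pkt);
}

/* Returns 1 when the recomputed packet verifies (both checksums fold to 0). */
int demo_roundtrip(void)
{
    uint8_t buf[64];
    size_t len = sample_packet(buf);
    if (fix_checksums(buf, len) != 0)
        return 0;
    return in_cksum(buf, IP_HDRLEN) == 0 &&
        in_cksum(buf + IP_HDRLEN, len - IP_HDRLEN) == 0;
}

int main(void)
{
    printf("8-byte echo: new check=%d old check=%d roundtrip=%d\n",
        icmp_len_ok(8), icmp_len_ok_old(8), demo_roundtrip());
    return 0;
}
```

The verification trick is the usual one: summing a region that already carries a correct checksum yields 0xffff, whose one's complement is 0, so `in_cksum()` over the fixed packet returning 0 confirms both fields were rewritten consistently.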

Revision 1.12 / (download) - annotate - [select for diffs], Tue Apr 2 18:27:47 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)

Use macros sotoinpcb() and intotcpcb() instead of casts.  Use NULL
instead of 0 for pointers.  No binary change.
OK mpi@

Revision 1.11 / (download) - annotate - [select for diffs], Thu Mar 28 16:45:16 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.10: +1 -2 lines
Diff to previous 1.10 (colored)

no need for a lot of code to include proc.h

Revision 1.10 / (download) - annotate - [select for diffs], Sun Oct 21 13:06:03 2012 UTC (11 years, 7 months ago) by benno
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.9: +20 -10 lines
Diff to previous 1.9 (colored)

Add the IP_DIVERTFL socket option on divert(4) sockets to control
which packets (as in direction) of the traffic will be diverted
through the divert socket.
ok claudio@, henning@

Revision 1.9 / (download) - annotate - [select for diffs], Fri Jul 13 16:27:30 2012 UTC (11 years, 11 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.8: +4 -1 lines
Diff to previous 1.8 (colored)

3 line diff to fix divert using connections from local system.
OK henning@

Revision 1.8 / (download) - annotate - [select for diffs], Wed Sep 8 08:34:42 2010 UTC (13 years, 9 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0, OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.7: +3 -1 lines
Diff to previous 1.7 (colored)

Return EACCES when pf_test() blocks a packet in ip_output(). This allows
ip_forward() to know the difference between blocked packets and those that
can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should
be sent. In the other callers of ip_output() change the error back to
EHOSTUNREACH since userland may not expect EACCES on a sendto().
OK henning@, markus@

Revision 1.7 / (download) - annotate - [select for diffs], Sat Jul 3 04:44:51 2010 UTC (13 years, 11 months ago) by guenther
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

Fix the naming of interfaces and variables for rdomains and rtables
and make it possible to bind sockets (including listening sockets!)
to rtables and not just rdomains.  This changes the name of the
system calls, socket option, and ioctl.  After building with this
you should remove the files /usr/share/man/cat2/[gs]etrdomain.0.

Since this removes the existing [gs]etrdomain() system calls, the
libc major is bumped.

Written by claudio@, criticized^Wcritiqued by me

Revision 1.6 / (download) - annotate - [select for diffs], Tue Apr 20 22:05:43 2010 UTC (14 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

remove proc.h include from uvm_map.h.  This has far reaching effects, as
sysctl.h was reliant on this particular include, and many drivers included
sysctl.h unnecessarily.  remove sysctl.h or add proc.h as needed.
ok deraadt

Revision 1.5 / (download) - annotate - [select for diffs], Tue Mar 9 12:36:12 2010 UTC (14 years, 3 months ago) by jsing
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.4: +2 -2 lines
Diff to previous 1.4 (colored)

Use correct routing domain when doing address lookups.

ok claudio@ "approved" deraadt@

Revision 1.4 / (download) - annotate - [select for diffs], Mon Mar 8 14:18:07 2010 UTC (14 years, 3 months ago) by jsing
Branch: MAIN
Changes since 1.3: +4 -1 lines
Diff to previous 1.3 (colored)

Use properly initialised sockaddr_in/sockaddr_in6 struct when performing
address lookups. Found whilst investigating address lookup failures.

ok michele@

Revision 1.3 / (download) - annotate - [select for diffs], Sun Oct 4 16:08:37 2009 UTC (14 years, 8 months ago) by michele
Branch: MAIN
Changes since 1.2: +28 -14 lines
Diff to previous 1.2 (colored)

Add (again) support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 1

A lot of discussion has happened since my last commit that resulted
in many changes and improvements.
I would *really* like to thank everyone who took part in the discussion,
especially canacar@ who spotted the limitations of this approach.

OpenBSD divert(4) is meant to be compatible with software running on
top of FreeBSD's divert sockets even though they are pretty different and will
become even more so with time.

discussed with many, but mainly reyk@ canacar@ deraadt@ dlg@ claudio@ beck@
tested by reyk@ and myself
ok reyk@ claudio@ beck@
manpage help and ok by jmc@

Revision 1.2, Tue Sep 8 17:52:17 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN
Changes since 1.1: +1 -1 lines
FILE REMOVED

I had not enough oks to commit this diff.
Sorry.

Revision 1.1 / (download) - annotate - [select for diffs], Tue Sep 8 17:00:41 2009 UTC (14 years, 9 months ago) by michele
Branch: MAIN

Add support for divert sockets. They allow you to:

- queue packets from pf(4) to a userspace application
- reinject packets from the application into the kernel stack.

The divert socket can be bound to a special "divert port" and will
receive every packet diverted to that port by pf(4).

The pf syntax is pretty simple, e.g.:

pass on em0 inet proto tcp from any to any port 80 divert-packet port 8000

test, bugfix and ok by reyk@
manpage help and ok by jmc@
no objections from many others.
