Up to [local] / src / sys / netinet
Default branch: MAIN
Revision 1.395, Fri Jun 7 18:24:16 2024 UTC (3 days, 22 hours ago) by bluhm
Branch: MAIN
CVS Tags: HEAD
Changes since 1.394: +31 -25 lines
Read IP forwarding variables only once. Do not assume that ip_forwarding and ip_directedbcast cannot change while processing one packet. Read it once and pass down its value with a flag. This is necessary for unlocking the sysctl path. There are a few places where a consistent value does not really matter, they are unchanged. Use a proper ip_ prefix for the global variable. OK claudio@
Revision 1.394, Wed May 8 13:01:30 2024 UTC (4 weeks, 6 days ago) by bluhm
Branch: MAIN
Changes since 1.393: +2 -1 lines
Fix route leak in ip input. In previous commit when refactoring the route cache, a rtfree() has been forgotten. For each forwarded packet the reference counter of the route entry was increased. This eventually leads to an integer overflow and triggers kassert. reported by and OK jan@
Revision 1.393, Tue Apr 16 12:56:39 2024 UTC (8 weeks ago) by bluhm
Branch: MAIN
Changes since 1.392: +28 -35 lines
Use route cache function in IP input. Instead of passing a struct rtentry from ip_input() to ip_forward() and then embed it into a struct route for ip_output(), start with struct route and pass it along. Then the route cache is used consistently. Also the route cache hit and missed counters should reflect reality after this commit. There is a small difference in the code. in_ouraddr() checks for NULL and not rtisvalid(). Previous discussion showed that the route RTF_UP flag should only be considered for multipath routing. Otherwise it does not mean anything. Especially the local and broadcast check in in_ouraddr() should not be affected by interface link status. When doing cache lookups, route must be valid, but after rtalloc_mpath() lookup, use any route that route_mpath() returns. OK claudio@
Revision 1.392, Sun Apr 14 20:46:27 2024 UTC (8 weeks, 1 day ago) by bluhm
Branch: MAIN
Changes since 1.391: +78 -24 lines
Run raw IP input in parallel. Running raw IPv4 input with shared net lock in parallel is less complex than UDP. Especially there is no socket splicing. New ip_deliver() may run with shared or exclusive net lock. The last parameter indicates the mode. If it is running with shared netlock and encounters a protocol that needs exclusive lock, the packet is queued. Old ip_ours() always queued the packet. Now it calls ip_deliver() with shared net lock, and if that cannot handle the packet completely, the packet is queued and later processed with exclusive net lock. In case of an IPv6 header chain, that switches from shared to exclusive processing, the next protocol and mbuf offset are stored in a mbuf tag. OK mvs@
Revision 1.391, Wed Feb 28 10:57:20 2024 UTC (3 months, 1 week ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_5_BASE, OPENBSD_7_5
Changes since 1.390: +17 -14 lines
Cleanup IP input, forward, output. Before changing the routing code, get IPv4 and IPv6 input, forward, and output in a similar shape. Remove inconsistencies. OK claudio@
Revision 1.390, Thu Feb 22 14:25:58 2024 UTC (3 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.389: +12 -4 lines
Make the route cache aware of multipath routing. Pass source address to route_cache() and store it in struct route. Cached multipath routes are only valid if source address matches. If sysctl multipath changes, increase route generation number. OK claudio@
Revision 1.389, Tue Feb 13 12:22:09 2024 UTC (3 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.388: +2 -2 lines
Merge struct route and struct route_in6. Use a common struct route for both inet and inet6. Unfortunately struct sockaddr is shorter than sockaddr_in6, so netinet/in.h has to be exposed from net/route.h. Struct route has to be bsd visible for userland as netstat kvm code inspects inp_route. Internet PCB and TCP SYN cache can use a plain struct route now. All specific sockaddr types for inet and inet6 are embedded there. OK claudio@
Revision 1.388, Wed Jan 31 14:56:42 2024 UTC (4 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.387: +5 -11 lines
Add route generation number to route cache. The outgoing route is cached at the inpcb. This cache was only invalidated when the socket closes or if the route gets invalid. More specific routes were not detected. Especially with dynamic routing protocols, sockets must be closed and reopened to use the correct route. Running ping during a route change shows the problem. To solve this, add a route generation number that is updated whenever the routing table changes. The lookup in struct route is put into the route_cache() function. If the generation number is too old, the cached route gets discarded. Implement route_cache() for ip_output() and ip_forward() first. IPv6 and more places will follow. OK claudio@
Revision 1.387, Sat Sep 16 09:33:27 2023 UTC (8 months, 3 weeks ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_7_4_BASE, OPENBSD_7_4
Changes since 1.386: +2 -2 lines
Allow counters_read(9) to take an optional scratch buffer. Using a scratch buffer makes it possible to take a consistent snapshot of per-CPU counters without having to allocate memory. Makes ddb(4) show uvmexp command work in OOM situations. ok kn@, mvs@, cheloha@
Revision 1.386, Wed Sep 6 11:09:43 2023 UTC (9 months ago) by bluhm
Branch: MAIN
Changes since 1.385: +3 -3 lines
Use shared net lock for ip_send() and ip6_send(). When called with NULL options, ip_output() and ip6_output() are MP safe. Convert exclusive to shared net lock in send dispatch. OK mpi@
Revision 1.385, Thu May 18 09:59:43 2023 UTC (12 months, 3 weeks ago) by mvs
Branch: MAIN
Changes since 1.384: +3 -6 lines
Revert ip_sysctl() unlocking. Lock order issue was triggered in UVM layer.
Revision 1.384, Tue May 16 19:36:00 2023 UTC (12 months, 3 weeks ago) by mvs
Branch: MAIN
Changes since 1.383: +6 -3 lines
Introduce temporary PR_MPSYSCTL flag to mark (*pr_sysctl)() handler MP safe. We have many of them, so use flag instead of pushing kernel lock within. Unlock ip_sysctl(). Still take kernel lock within IPCTL_MRTSTATS case. It looks like `mrtstat' protection is inconsistent, so keep locking as it was. Since `mrtstat' are counters, it makes sense to rework them into per CPU counters with separate diffs. Feedback and ok from bluhm@
Revision 1.383, Wed Apr 5 21:51:47 2023 UTC (14 months ago) by bluhm
Branch: MAIN
Changes since 1.382: +3 -2 lines
ARP has a sysctl to show the number of packets waiting for an arp response. Implement analog sysctl net.inet6.icmp6.nd6_queued for ND6 to reduce places where mbufs can hide within the kernel. Atomic operations operate on unsigned int. Make the type of total hold queue length consistent. Use atomic load to read the value for the sysctl. This clarifies why no lock around sysctl_rdint() is needed. OK mvs@ kn@
Revision 1.382, Wed Mar 8 23:17:02 2023 UTC (15 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_3_BASE, OPENBSD_7_3
Changes since 1.381: +5 -1 lines
An invalid source routing IP option could overwrite kernel memory by using a bad option length. This bug is only reachable if both pf IP option check is disabled and IP source routing is enabled. reported by @fuzzingrf Erg Noor OK claudio@ deraadt@
Revision 1.381, Mon Aug 29 14:43:56 2022 UTC (21 months, 1 week ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_7_2_BASE, OPENBSD_7_2
Changes since 1.380: +1 -13 lines
Do not calculate the output protocol checksum in the IP input path. This logic was introduced in 2013 when pf checksum fixup was temporarily removed. After restoring the pf behavior in 2016, it should not be necessary anymore. OK claudio@
Revision 1.380, Sun Aug 21 14:15:55 2022 UTC (21 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.379: +10 -28 lines
Remove ip_local() and ip6_local(). After moving the IPv4 fragment reassembly and IPv6 hop-by-hop header chain processing out of ip_local() and ip6_local(), they are almost empty stubs. The check for local deliver loop in ip_ours() and ip6_ours() is sufficient. Recover mbuf offset and next protocol directly in ipintr() and ip6intr(). OK mvs@
Revision 1.379, Mon Aug 15 16:15:36 2022 UTC (21 months, 3 weeks ago) by bluhm
Branch: MAIN
Changes since 1.378: +7 -5 lines
Run IPv6 hop-by-hop options processing in parallel. The ip6_hbhchcheck() code is MP safe and moves from ip6_local() to ip6_ours(). If there are any options, store the chain offset and next protocol in a mbuf tag. When dequeuing without tag, it is a regular IPv6 header. As mbuf tags degrade performance, use them only if a hop-by-hop header is present. Such packets are rare and pf drops them by default. OK mvs@
Revision 1.378, Fri Aug 12 14:49:15 2022 UTC (21 months, 4 weeks ago) by bluhm
Branch: MAIN
Changes since 1.377: +7 -3 lines
There are some places in ip and ip6 input where operations fail due to out of memory. Use a generic idropped counter for those. OK mvs@
Revision 1.377, Sat Aug 6 15:57:59 2022 UTC (22 months ago) by bluhm
Branch: MAIN
Changes since 1.376: +5 -4 lines
Clean up the netlock macros. Merge NET_RLOCK_IN_SOFTNET and NET_RLOCK_IN_IOCTL, which have the same implementation. The R and W are hard to see, call the new macro NET_LOCK_SHARED. Rename the opposite assertion from NET_ASSERT_WLOCKED to NET_ASSERT_LOCKED_EXCLUSIVE. Update some outdated comments about net locking. OK mpi@ mvs@
Revision 1.376, Thu Aug 4 18:05:09 2022 UTC (22 months, 1 week ago) by bluhm
Branch: MAIN
Changes since 1.375: +3 -2 lines
Use 16 bit variable to store more fragment flag. This avoids loss of significant bits on big endian machines. Bug has been introduced in previous commit by removing the != 0 check. OK mvs@
Revision 1.375, Thu Jul 28 22:05:39 2022 UTC (22 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.374: +20 -19 lines
Checking the fragment flags of an incoming IP packet does not need the mutex for the fragment list. Move this code before the critical section. Use ISSET() to make clear which flags are checked. OK mvs@
Revision 1.374, Mon Jul 25 23:19:34 2022 UTC (22 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.373: +39 -17 lines
The IPv4 reassembly code is MP safe, so we can run it in parallel. Note that ip_ours() runs with shared netlock, while ip_local() has exclusive netlock after queuing. Move the existing code into function ip_fragcheck() and call it from ip_ours(). OK mvs@
Revision 1.373, Sun Jul 24 22:38:25 2022 UTC (22 months, 2 weeks ago) by bluhm
Branch: MAIN
Changes since 1.372: +3 -3 lines
Fix assertion for write netlock in rip6_input(). ip6_input() has shared net lock. ip_deliver() needs exclusive net lock. Instead of calling ip_deliver() directly, use ip6_ours() to queue the packet. Move the write lock assertion into ip_deliver() to catch such bugs earlier. The assertion was only triggered with IPv6 multicast forwarding or router alert hop by hop option. Found by regress test. OK kn@ mvs@
Revision 1.372, Wed Jun 29 09:01:48 2022 UTC (23 months, 1 week ago) by mvs
Branch: MAIN
Changes since 1.371: +3 -2 lines
Nullify `ipsecflowinfo' when mbuf(9) has no ipsec flowinfo data. Otherwise we use `ipsecflowinfo' obtained from previous packet. ok claudio@
Revision 1.371, Thu May 5 13:57:40 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.370: +4 -4 lines
Use static objects for struct rttimer_queue instead of dynamically allocating them. Currently there are 6 rttimer_queues and not many more will follow. So change rt_timer_queue_create() to rt_timer_queue_init() which now takes a struct rttimer_queue * as argument which will be initialized. Since this changes the global vars from pointer to struct adjust other callers as well. OK bluhm@
Revision 1.370, Wed May 4 16:52:10 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.369: +5 -10 lines
Move rttimer callback function from the rttimer itself to rttimer_queue. All users use the same callback per queue so that makes sense. Also replace rt_timer_queue_destroy() with rt_timer_queue_flush(). OK bluhm@
Revision 1.369, Thu Apr 28 17:27:14 2022 UTC (2 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.368: +4 -5 lines
In the multicast router code don't allocate a rt timer queue for each rdomain. The rttimer API is rtable/rdomain aware and so there is no need to have so many queues. Also init the two queues (one for IPv4 and one for IPv6) early on. This will allow the rttable code to become simpler. OK bluhm@
Revision 1.368, Thu Apr 28 16:56:39 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.367: +46 -3 lines
Decouple IP input and forwarding from protocol input. This allows to have parallel IP processing while the upper layers are still not MP safe. Introduce ip_ours() that enqueues the packets and ipintr() that dequeues and processes them with an exclusive netlock. Note that we still have only one softnet task. Running IP processing on multiple CPU will be the next step. lots of testing Hrvoje Popovski; OK sashan@
Revision 1.367, Wed Apr 20 09:38:26 2022 UTC (2 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.366: +11 -17 lines
Route timeout was a mixture of int, u_int and long. Use type int for timeout, add sysctl bounds checking between 0 and max int, and use time_t for absolute times. Some code assumes that the route timeout queue can be NULL and at some places this was checked. Better make sure that all queues always exist. The pool_get for struct rttimer_queue is only called from initialization and from syscall, so PR_WAITOK is possible. Keep the special hack when ip_mtudisc is set to 0. Destroy the queue and generate an empty one. If redirect timeout is 0, it should not time out. Check the value in IPv6 to make the behavior like IPv4. Sysctl net.inet6.icmp6.redirtimeout had no effect as the queue timeout was not modified. Make icmp6_sysctl() look like icmp_sysctl(). OK claudio@
Revision 1.366, Tue Feb 22 01:35:40 2022 UTC (2 years, 3 months ago) by guenther
Branch: MAIN
CVS Tags: OPENBSD_7_1_BASE, OPENBSD_7_1
Changes since 1.365: +1 -2 lines
Delete unnecessary #includes of <netinet6/ip6protosw.h>: some never needed it and some no longer need it after moving the externs from there to <sys/protosw.h> ok jsg@
Revision 1.365, Tue Jan 25 04:04:40 2022 UTC (2 years, 4 months ago) by gnezdo
Branch: MAIN
Changes since 1.364: +2 -7 lines
Capture a repeated pattern into sysctl_securelevel_int function. A few variables in the kernel are only writeable before securelevel is raised. It makes sense to handle them with less code. OK sthen@ bluhm@
Revision 1.364, Mon Nov 22 13:47:10 2021 UTC (2 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.363: +16 -18 lines
Copy code from ip_forward() to ip6_forward() to fix Path MTU discovery in IPsec IPv6 tunnel. Implement sending ICMP6 packet too big messages. Also implement the pf error case in ip6_forward(). While there, do some cleanup and make the IPv4 and IPv6 code look similar. OK tobhe@
Revision 1.363, Mon Jun 21 22:09:14 2021 UTC (2 years, 11 months ago) by jca
Branch: MAIN
CVS Tags: OPENBSD_7_0_BASE, OPENBSD_7_0
Changes since 1.362: +5 -2 lines
Fix uninitialized variables introduced in rev 1.361. Thankfully clang elided the code in an almost harmless way (at least on amd64 GENERIC.MP). Spotted by chance when building kernels with -Wno-error=uninitialized. ok dlg@ sashan@ bluhm@
Revision 1.362, Thu Jun 3 01:55:52 2021 UTC (3 years ago) by dlg
Branch: MAIN
Changes since 1.361: +5 -3 lines
remember if the ipv4 header checksum is ok. if a bridge checks the ip header before the network stack, then we can remember it was ok when the bridge checks it so the ip stack doesn't have to. ok claudio@ mvs@
Revision 1.361, Wed Jun 2 00:09:57 2021 UTC (3 years ago) by dlg
Branch: MAIN
Changes since 1.360: +38 -17 lines
factor out the code that does basic sanity checks on ipv4 headers. this will allow these checks to be reused by bridge (where they're currently duplicated), veb, and tpmr. ok bluhm@ sashan@
Revision 1.360, Sat May 15 08:07:20 2021 UTC (3 years ago) by yasuoka
Branch: MAIN
Changes since 1.359: +9 -2 lines
Fix IPsec NAT-T to work with pipex(4). Introduce a new packet tag PACKET_TAG_IPSEC_FLOWINFO to specify the IPsec flow. ok mvs
Revision 1.359, Fri Apr 30 13:52:48 2021 UTC (3 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.358: +2 -2 lines
Rearrange the implementation of bounded sysctl. The primitive functions are sysctl_int() and sysctl_rdint(). This brings us back the 4.4BSD implementation. Then sysctl_int_bounded() builds the magic for range checks on top. sysctl_bounded_arr() is a wrapper around it to support multiple variables. Introduce macros that describe the meaning of the magic boundary values. Use these macros in obvious places. input and OK gnezdo@ mvs@
Revision 1.358, Fri Apr 23 21:55:36 2021 UTC (3 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.357: +2 -1 lines
Setting variable arpinit_done is not MP safe if we want to execute arp_rtrequest() in parallel. Move initialization to arpinit() function. OK kettenis@ mvs@
Revision 1.357, Fri Apr 23 21:47:32 2021 UTC (3 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.356: +3 -2 lines
The variable la_hold_total contains the number of packets currently in the arp queue. So the sysctl net.inet.ip.arpqueued must be read only. In if_ether.c include the header with the declaration of la_hold_total to ensure that the definition matches. OK mvs@
Revision 1.356, Tue Mar 30 08:37:10 2021 UTC (3 years, 2 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_6_9_BASE, OPENBSD_6_9
Changes since 1.355: +28 -3 lines
[ICMP] IP options lead to malformed reply. icmp_send() must update IP header length if IP options are appended. Such packet also has to be dispatched with IP_RAWOUTPUT flags. Bug reported and fix co-designed by Dominik Schreilechner _at_ siemens _dot_ com OK bluhm@
Revision 1.355, Wed Mar 10 10:21:48 2021 UTC (3 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.354: +2 -2 lines
spelling ok gnezdo@ semarie@ mpi@
Revision 1.354, Fri Jan 15 15:18:12 2021 UTC (3 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.353: +3 -3 lines
As documented in sysctl(2) net.inet.ip.forwarding can be 2. Relax input validation and use integer comparison. OK kn@ mvs@ sthen@
Revision 1.353, Mon Jan 11 13:28:53 2021 UTC (3 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.352: +3 -2 lines
Create a path MTU host route for IPsec over IPv6. Basically the code is copied from IPv4 and adapted. Some things are changed in v4 to make it look similar. - ip6_forward increases the noroute error counter, do that in ip_forward, too. - Pass more specific sockaddr_in6 to icmp6_mtudisc_clone(). - IPv6 may also use reject routes for IPsec PMTU clones. - To pass a route_in6 to ip6_output_ipsec_send() introduce one in ip6_forward(). That is the same what IPv4 does. Note that dst and sin6 switch roles. - Copy comments from ip_output_ipsec_send() to ip6_output_ipsec_send() to make code similar. - Implement dynamic IPv6 IPsec PMTU routes. OK tobhe@
Revision 1.352, Mon Nov 16 06:44:38 2020 UTC (3 years, 6 months ago) by gnezdo
Branch: MAIN
Changes since 1.351: +8 -4 lines
Replace sysctl_rdint with sysctl_bounded_args entries in net.inet*
Revision 1.351, Sat Aug 22 17:55:30 2020 UTC (3 years, 9 months ago) by gnezdo
Branch: MAIN
CVS Tags: OPENBSD_6_8_BASE, OPENBSD_6_8
Changes since 1.350: +19 -4 lines
Convert ip_sysctl to sysctl_bounded_args
Revision 1.350, Sat Aug 8 07:42:31 2020 UTC (3 years, 10 months ago) by florian
Branch: MAIN
Changes since 1.349: +1 -15 lines
No longer prevent TCP connections to IPv6 anycast addresses. RFC 4291 dropped this requirement from RFC 3513: o An anycast address must not be used as the source address of an IPv6 packet. And from that requirement draft-itojun-ipv6-tcp-to-anycast rightly concluded that TCP connections must be prevented. The draft also states: The proposed method MUST be removed when one of the following events happens in the future: o Restriction imposed on IPv6 anycast address is loosened, so that anycast address can be placed into source address field of the IPv6 header[...] OK jca
Revision 1.349, Sat Aug 1 23:41:55 2020 UTC (3 years, 10 months ago) by gnezdo
Branch: MAIN
Changes since 1.348: +6 -9 lines
Move range check inside sysctl_int_arr. Range violations are now consistently reported as EOPNOTSUPP. Previously they were mixed with ENOPROTOOPT. OK kn@
Revision 1.348, Sun Apr 12 11:56:52 2020 UTC (4 years, 2 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_7_BASE, OPENBSD_6_7
Changes since 1.347: +3 -3 lines
Stop processing packets under non-exclusive (read) netlock. Prevent concurrency in the socket layer which is not ready for that. Two recent data corruptions in pfsync(4) and the socket layer pointed out that, at least, tun(4) was incorrectly using NET_RUNLOCK(). Until we find a way in software to avoid future mistakes and to make sure that only the softnet thread and some ioctls are safe to use a read version of the lock, put everything back to the exclusive version. ok stsp@, visa@
Revision 1.347, Mon Dec 23 22:33:57 2019 UTC (4 years, 5 months ago) by sashan
Branch: MAIN
Changes since 1.346: +3 -2 lines
rdr-to with loopback destination should work even though IP forwarding is disabled. Issue reported by Daniel Jakots (danj@) OK bluhm@
Revision 1.346, Mon Dec 9 06:48:52 2019 UTC (4 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.345: +2 -2 lines
always pull in if_types.h, to unbreak ramdisks
Revision 1.345, Sun Dec 8 11:08:22 2019 UTC (4 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.344: +26 -2 lines
Make sure packet destination address matches interface address, where such packet is bound to. This check is enforced if and only if IP forwarding is disabled. Change discussed with bluhm@, claudio@, deraadt@, markus@, tobhe@ OK bluhm@, claudio@, tobhe@
Revision 1.344, Tue Aug 6 22:57:54 2019 UTC (4 years, 10 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_6_BASE, OPENBSD_6_6
Changes since 1.343: +3 -44 lines
When we needed the kernel lock for local IP packet delivery, mpi@ introduced a queue to grab the lock for multiple packets. Now we have only netlock for both IP and protocol input. So the queue is not necessary anymore. It just switches CPU and decreases performance. So remove the inet and inet6 ip queue for local packets. To get TCP running on loopback, we have to queue once between TCP input and output of the two sockets. So use the loopback queue in looutput() unconditionally. OK visa@
Revision 1.343, Mon Jun 10 23:48:21 2019 UTC (5 years ago) by dlg
Branch: MAIN
Changes since 1.342: +2 -2 lines
use m_microtime instead of microtime for SO_TIMESTAMP socketopt handling. drivers can set ph_timestamp when packets are received by the hardware, which should be more accurate and cheaper than getting the clock when the packet is queued on the socket.
Revision 1.342, Sat Oct 13 18:36:01 2018 UTC (5 years, 7 months ago) by florian
Branch: MAIN
CVS Tags: OPENBSD_6_5_BASE, OPENBSD_6_5
Changes since 1.341: +8 -2 lines
Expose net.inet.ip.arpq.drops to help debug what's going on when a lot of packets are being dropped but none of the other counters are increasing. From Daniel Hokka Zakrisson (daniel AT hozac DOT com), thanks! OK florian, phessler
Revision 1.341, Tue Sep 11 21:04:03 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_4_BASE, OPENBSD_6_4
Changes since 1.340: +2 -2 lines
Convert inetctlerrmap to u_char like inet6ctlerrmap. That is also what FreeBSD does. Remove old #if 0 version of inet6ctlerrmap. OK mpi@
Revision 1.340, Mon Sep 10 16:14:07 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.339: +2 -9 lines
Instead of calculating the mbuf packet header length here and there, put the algorithm into a new function m_calchdrlen(). Also set an uninitialized m_len to 0 in NFS code. OK claudio@
Revision 1.339, Mon Sep 10 12:47:02 2018 UTC (5 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.338: +5 -3 lines
During fragment reassembly, mbuf chains with packet headers were created. Add a new function m_removehdr() to convert packet header mbufs within the chain to regular mbufs. Assert that the mbuf at the beginning of the chain has a packet header. found by Maxime Villard in NetBSD; from markus@; OK claudio@
Revision 1.338, Tue Jul 10 11:34:12 2018 UTC (5 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.337: +2 -1 lines
Introduce new IPsec (per-CPU) statistics and refactor ESP input callbacks to be able to count dropped packet. Having more generic statistics will help troubleshooting problems with specific tunnels. Per-TDB counters are coming once all the refactoring bits are in. ok markus@
Revision 1.337, Mon May 21 15:52:22 2018 UTC (6 years ago) by bluhm
Branch: MAIN
Changes since 1.336: +6 -6 lines
All places that call carp_lsdrop() use the interface pointer already. It does not make sense to call if_get() again, just pass ifp as parameter. Move the IFT_CARP check into the function instead of doing it everywhere. Replace the inverted match variable logic with simple returns. OK mpi@ friehm@
Revision 1.336, Fri Dec 29 17:05:25 2017 UTC (6 years, 5 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_3_BASE, OPENBSD_6_3
Changes since 1.335: +2 -2 lines
Make the functions which link the pf state keys to mbufs, inpcbs, or other states more consistent. OK visa@ sashan@ on a previous version
Revision 1.335, Mon Dec 4 13:40:34 2017 UTC (6 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.334: +7 -4 lines
Make divert lookup similar for all socket types. If PF_TAG_DIVERTED is set, pf_find_divert() cannot fail so put an assert there. Explicitly check all possible divert types, panic in the default case. For raw sockets call pf_find_divert() before the socket loop. Divert reply should not match on TCP or UDP listen sockets. OK sashan@ visa@
Revision 1.334, Thu Nov 23 13:45:46 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.333: +3 -5 lines
Constify protocol tables and remove an assert now that ip_deliver() is mp-safe. ok bluhm@, visa@
Revision 1.333, Mon Nov 20 10:35:24 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.332: +2 -2 lines
Sprinkle some NET_ASSERT_LOCKED(), const and co to prepare running pr_input handlers without KERNEL_LOCK(). ok visa@
Revision 1.332, Tue Nov 14 09:30:17 2017 UTC (6 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.331: +17 -38 lines
Introduce ipsec_sysctl() and move IPsec tunables where they belong. ok bluhm@, visa@
Revision 1.331, Fri Nov 10 08:55:49 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.330: +3 -3 lines
Introduce a reader version of the NET_LOCK(). This will be used to first allow read-only ioctl(2) to be executed while the softnet taskq is running. Then it will allow us to execute multiple softnet taskq in parallel. Tested by Hrvoje Popovski, ok kettenis@, sashan@, visa@, tb@
Revision 1.330 / (download) - annotate - [select for diffs], Wed Nov 8 16:29:20 2017 UTC (6 years, 7 months ago) by visa
Branch: MAIN
Changes since 1.329: +5 -1 lines
Diff to previous 1.329 (colored)
Make {ah,esp,ipcomp}stat use percpu counters. OK bluhm@, mpi@
Revision 1.329 / (download) - annotate - [select for diffs], Sun Nov 5 13:19:59 2017 UTC (6 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.328: +1 -15 lines
Diff to previous 1.328 (colored)
Finish off pr_drain functions, they haven't been used since 2006. OK mpi
Revision 1.328 / (download) - annotate - [select for diffs], Wed Nov 1 06:35:38 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.327: +2 -2 lines
Diff to previous 1.327 (colored)
Fix typo in previous resulting in a NULL dereference.
Revision 1.327 / (download) - annotate - [select for diffs], Tue Oct 31 22:05:12 2017 UTC (6 years, 7 months ago) by sashan
Branch: MAIN
Changes since 1.326: +2 -2 lines
Diff to previous 1.326 (colored)
- add one more softnet taskq NOTE: code still runs with single softnet task. change definition of SOFTNET_TASKS in net/if.c, if you want to have more than one softnet task OK mpi@, OK phessler@
Revision 1.326 / (download) - annotate - [select for diffs], Sun Oct 29 14:58:39 2017 UTC (6 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.325: +1 -3 lines
Diff to previous 1.325 (colored)
This doesn't need the NET_LOCK, everything is protected by a mutex. OK mpi, visa
Revision 1.325 / (download) - annotate - [select for diffs], Sun Oct 29 14:56:36 2017 UTC (6 years, 7 months ago) by florian
Branch: MAIN
Changes since 1.324: +3 -1 lines
Diff to previous 1.324 (colored)
Move NET_{,UN}LOCK into individual slowtimo functions. Direction suggested by mpi OK mpi, visa
Revision 1.324 / (download) - annotate - [select for diffs], Thu Oct 26 15:13:40 2017 UTC (6 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.323: +1 -27 lines
Diff to previous 1.323 (colored)
Stop grabbing the KERNEL_LOCK() in network tasks when `ipsec_in_use' is set. Accesses to IPsec global data structure are now serialized by the NET_LOCK(). Tested by many, ok visa@, bluhm@
Revision 1.323 / (download) - annotate - [select for diffs], Mon Oct 9 08:35:38 2017 UTC (6 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.322: +40 -20 lines
Diff to previous 1.322 (colored)
Reduces the scope of the NET_LOCK() in sysctl(2) path. Exposes per-CPU counters to real parallelism. ok visa@, bluhm@, jca@
Revision 1.322 / (download) - annotate - [select for diffs], Thu Sep 7 10:54:49 2017 UTC (6 years, 9 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_6_2_BASE, OPENBSD_6_2
Changes since 1.321: +4 -5 lines
Diff to previous 1.321 (colored)
Replace a goto found in the ipq foreach loop with a simple break. This is a common idiom when a list element has been found. OK visa@ mpi@
Revision 1.321 / (download) - annotate - [select for diffs], Tue Sep 5 00:58:16 2017 UTC (6 years, 9 months ago) by visa
Branch: MAIN
Changes since 1.320: +24 -10 lines
Diff to previous 1.320 (colored)
Serialize access to IP reassembly queue with a mutex. This lets ip_local(), ip_slowtimo() and ip_drain() run without KERNEL_LOCK() and NET_LOCK(). Input and OK mpi@, bluhm@
Revision 1.320 / (download) - annotate - [select for diffs], Fri Sep 1 15:38:12 2017 UTC (6 years, 9 months ago) by visa
Branch: MAIN
Changes since 1.319: +5 -7 lines
Diff to previous 1.319 (colored)
Simplify list traversal in ip_freef(), and replace a hand-rolled list traversal with LIST_FOREACH_SAFE(). OK bluhm@, mpi@
Revision 1.319 / (download) - annotate - [select for diffs], Tue Aug 22 15:02:34 2017 UTC (6 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.318: +5 -2 lines
Diff to previous 1.318 (colored)
Prevent a race against ipsec_in_use. Problem reported and fix tested by Hrvoje Popovski. ok bluhm@, visa@
Revision 1.318 / (download) - annotate - [select for diffs], Fri Aug 11 21:24:20 2017 UTC (6 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.317: +3 -4 lines
Diff to previous 1.317 (colored)
Remove NET_LOCK()'s argument. Tested by Hrvoje Popovski, ok bluhm@
Revision 1.317 / (download) - annotate - [select for diffs], Tue Aug 8 12:23:56 2017 UTC (6 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.316: +2 -2 lines
Diff to previous 1.316 (colored)
Increase the limit of the IP protocol queues from 256 to 2048 mbufs. The interface congestion algorithm kills performance at this place, with the large queues it never triggers. OK mpi@ claudio@
Revision 1.316 / (download) - annotate - [select for diffs], Fri Aug 4 14:24:05 2017 UTC (6 years, 10 months ago) by florian
Branch: MAIN
Changes since 1.315: +2 -3 lines
Diff to previous 1.315 (colored)
We do have SO_TIMESTAMP since some time and there is other code in the kernel that uses it without the #ifdef guard. OK bluhm
Revision 1.315 / (download) - annotate - [select for diffs], Wed Jul 5 14:47:58 2017 UTC (6 years, 11 months ago) by visa
Branch: MAIN
Changes since 1.314: +1 -3 lines
Diff to previous 1.314 (colored)
Fix RAMDISK build. OK bluhm@
Revision 1.314 / (download) - annotate - [select for diffs], Wed Jul 5 11:34:10 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.313: +107 -15 lines
Diff to previous 1.313 (colored)
The IP in IP input function strips the outer header and reinserts the inner IP packet into the internet queue. The IPv6 local delivery code has a loop to deal with header chains. The idea is to use this loop and avoid the queueing and rescheduling. The IPsec packet will be processed in a single flow. Merge the IP deliver loop from both IP versions into a single ip_deliver() function that can handle both address families. This allows to process an IP in IP header like a normal extension header. If af != AF_UNSPEC, we are already in a deliver loop and have the kernel lock. Then we can just return the next protocol. Otherwise we enqueue. The dequeue thread has the kernel lock and starts an IP delivery loop. OK mpi@
Revision 1.313 / (download) - annotate - [select for diffs], Mon Jun 26 19:06:12 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.312: +64 -39 lines
Diff to previous 1.312 (colored)
Convert ip_input() to a pr_input style function. Goal is to process IPsec packets without additional enqueueing. OK mpi@
Revision 1.312 / (download) - annotate - [select for diffs], Mon Jun 19 17:58:49 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.311: +2 -2 lines
Diff to previous 1.311 (colored)
When dealing with mbuf pointers passed down as function parameters, bugs could easily result in use-after-free or double free. Introduce m_freemp() which automatically resets the pointer before freeing it. So we have less dangling pointers in the kernel. OK krw@ mpi@ claudio@
Revision 1.311 / (download) - annotate - [select for diffs], Mon Jun 19 17:00:16 2017 UTC (6 years, 11 months ago) by bluhm
Branch: MAIN
Changes since 1.310: +4 -4 lines
Diff to previous 1.310 (colored)
The IP multicast forward functions return an errno, call the variable error. Make the ip_mforward() return value consistent. Simplify the caller logic in ipv6_input() like in IPv4. OK mpi@
Revision 1.310 / (download) - annotate - [select for diffs], Wed May 31 05:59:09 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.309: +38 -19 lines
Diff to previous 1.309 (colored)
Move IPv4 & IPv6 incoming/forwarding path, PIPEX ppp processing and IPv4 & IPv6 dispatch functions outside the KERNEL_LOCK(). We currently rely on the NET_LOCK() serializing access to most global data structures for that. IP input queues are no longer used in the forwarding case. They still exist as boundary between the network and transport layers because TCP/UDP & friends still need the KERNEL_LOCK(). Since we do not want to grab the NET_LOCK() for every packet, the softnet thread will do it once before processing a batch. That means the L2 processing path, which is currently running without lock, will now run with the NET_LOCK(). IPsec isn't ready to run without KERNEL_LOCK(), so the softnet thread will grab the KERNEL_LOCK() as soon as ``ipsec_in_use'' is set. Tested by Hrvoje Popovski. ok visa@, bluhm@, henning@
Revision 1.309 / (download) - annotate - [select for diffs], Tue May 30 12:09:27 2017 UTC (7 years ago) by friehm
Branch: MAIN
Changes since 1.308: +5 -4 lines
Diff to previous 1.308 (colored)
Carp balancing ip does not work since there is a mac filter in ether_input(). Now we use mbuf tags instead of modifying the MAC address. ok mpi@
Revision 1.308 / (download) - annotate - [select for diffs], Tue May 30 07:50:37 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.307: +9 -3 lines
Diff to previous 1.307 (colored)
Introduce ipv{4,6}_input(), two wrappers around IP queues. This will help transitioning to an un-KERNEL_LOCK()ed IP forwarding path. Discussed with bluhm@, ok claudio@
Revision 1.307 / (download) - annotate - [select for diffs], Mon May 29 14:36:22 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.306: +4 -5 lines
Diff to previous 1.306 (colored)
Per-interface list of addresses, both multicast and unicast, are currently protected by the NET_LOCK(). They are not accessed in the hot path, so protecting them with a mutex could be an option. However since we're now going to run with a NET_LOCK() for some time, assert that it is held. IPsec is not yet ready to run without KERNEL_LOCK(), so assert it is held, even in the forwarding path. Tested by sthen@, ok visa@, claudio@, bluhm@
Revision 1.306 / (download) - annotate - [select for diffs], Sun May 28 12:22:54 2017 UTC (7 years ago) by jsg
Branch: MAIN
Changes since 1.305: +3 -1 lines
Diff to previous 1.305 (colored)
clang warns on unused labels. Place a recently introduced label under ifdef IPSEC to fix the clang build when IPSEC is not defined. ok deraadt@ bluhm@
Revision 1.305 / (download) - annotate - [select for diffs], Sun May 28 09:25:51 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.304: +11 -8 lines
Diff to previous 1.304 (colored)
Rename ip_local() to ip_deliver() and give it the same parameters as the pr_input functions. Add an assert that IPv4 delivery ends in IP proto done to assure that IPv4 protocol functions work like IPv6. OK mpi@
Revision 1.304 / (download) - annotate - [select for diffs], Mon May 22 22:23:11 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.303: +3 -100 lines
Diff to previous 1.303 (colored)
Move IPsec forward and local policy check functions to ipsec_input.c and give them better names. input and OK mikeb@
Revision 1.303 / (download) - annotate - [select for diffs], Mon May 22 20:04:12 2017 UTC (7 years ago) by bluhm
Branch: MAIN
Changes since 1.302: +17 -12 lines
Diff to previous 1.302 (colored)
Use the IPsec policy check from IPv4 also when doing local delivery in ip6_local() to our IPv6 stack. OK mikeb@
Revision 1.302 / (download) - annotate - [select for diffs], Tue May 16 12:24:01 2017 UTC (7 years ago) by mpi
Branch: MAIN
Changes since 1.301: +2 -2 lines
Diff to previous 1.301 (colored)
Replace remaining splsoftassert(IPL_SOFTNET) by NET_ASSERT_LOCKED(). ok visa@
Revision 1.301 / (download) - annotate - [select for diffs], Fri May 12 23:05:58 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.300: +19 -10 lines
Diff to previous 1.300 (colored)
IPsec packets were passed through ip_input() a second time after they have been decrypted. That means that all the IP header fields were checked twice. Also fragment reassembly was tried twice. At pf incoming packets in tunnel mode appeared twice on the enc0 interface, once as IP-in-IP and once as the inner packet. In the outgoing path pf only sees the inner packet. Asymmetry is bad for stateful filtering. IPv6 shows that IPsec works without that. After decrypting immediately continue with local delivery. In tunnel mode the IP-in-IP protocol functions pass the inner header to ip6_input(). In transport mode only pf_test() has to be called for the enc0 device. Introduce ip_local() to avoid needless processing and cleaner pf behavior in IPv4 IPsec. OK mikeb@
Revision 1.300 / (download) - annotate - [select for diffs], Fri May 12 14:04:09 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.299: +8 -9 lines
Diff to previous 1.299 (colored)
Use the IPsec policy check from ipv4_input() also when forwarding in ip6_input(). While there avoid an ugly #ifdef in ipv4_input(). OK mikeb@
Revision 1.299 / (download) - annotate - [select for diffs], Thu May 11 11:36:20 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.298: +12 -11 lines
Diff to previous 1.298 (colored)
Fix white spaces and wrap long line. No binary change.
Revision 1.298 / (download) - annotate - [select for diffs], Wed Apr 19 15:21:54 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.297: +3 -3 lines
Diff to previous 1.297 (colored)
Use the rt_rmx defines that hide the struct rt_kmetrics indirection. No binary change. OK mpi@
Revision 1.297 / (download) - annotate - [select for diffs], Fri Apr 14 20:46:31 2017 UTC (7 years, 1 month ago) by bluhm
Branch: MAIN
Changes since 1.296: +2 -2 lines
Diff to previous 1.296 (colored)
Pass down the address family through the pr_input calls. This allows to simplify code used for both IPv4 and IPv6. OK mikeb@ deraadt@
Revision 1.296 / (download) - annotate - [select for diffs], Wed Apr 5 13:35:18 2017 UTC (7 years, 2 months ago) by deraadt
Branch: MAIN
Changes since 1.295: +2 -2 lines
Diff to previous 1.295 (colored)
When building counter memory in preparation to copy to userland, always zero the buffers first. All the current objects appear to be safe, however future changes might introduce structure pads. Discussed with guenther, ok bluhm
Revision 1.295 / (download) - annotate - [select for diffs], Sun Feb 5 16:23:38 2017 UTC (7 years, 4 months ago) by jca
Branch: MAIN
CVS Tags: OPENBSD_6_1_BASE, OPENBSD_6_1
Changes since 1.294: +2 -2 lines
Diff to previous 1.294 (colored)
Always allocate counters memory using type M_COUNTERS. This makes the API simpler, and is probably more useful than spreading counters memory over several types, making it harder to track. Prodded by mpi, ok mpi@ stsp@
Revision 1.294 / (download) - annotate - [select for diffs], Tue Jan 31 10:24:41 2017 UTC (7 years, 4 months ago) by jca
Branch: MAIN
Changes since 1.293: +2 -2 lines
Diff to previous 1.293 (colored)
Use CTASSERT instead of KASSERT for a few sysctl that use the counters API ok dlg@ mpi@
Revision 1.293 / (download) - annotate - [select for diffs], Sun Jan 29 19:58:47 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.292: +2 -2 lines
Diff to previous 1.292 (colored)
Change the IPv4 pr_input function to the way IPv6 is implemented, to get rid of struct ip6protosw and some wrapper functions. It is more consistent to have less different structures. The divert_input functions cannot be called anyway, so remove them. OK visa@ mpi@
Revision 1.292 / (download) - annotate - [select for diffs], Wed Jan 25 17:34:31 2017 UTC (7 years, 4 months ago) by bluhm
Branch: MAIN
Changes since 1.291: +2 -2 lines
Diff to previous 1.291 (colored)
Since raw_input() and route_input() are gone from pr_input, we can make the variable parameters of the protocol input functions fixed. Also add the proto to make it similar to IPv6. OK mpi@ guenther@ millert@
Revision 1.291 / (download) - annotate - [select for diffs], Tue Dec 20 18:33:43 2016 UTC (7 years, 5 months ago) by bluhm
Branch: MAIN
Changes since 1.290: +5 -8 lines
Diff to previous 1.290 (colored)
A NET_LOCK() was missing in tcp_sysctl() which shows up as spl softnet assert failures. It is better to place the lock into net_sysctl() where all the protocol sysctls are called via pr_sysctl. As calling sysctl(2) is in the slow path, doing fine grained locking has no benefit. Many sysctl cases copy out a struct. Having a lock around that keeps the struct consistent. Put assertions in the protocol sysctls that need it. OK mpi@
Revision 1.290 / (download) - annotate - [select for diffs], Mon Dec 19 09:22:24 2016 UTC (7 years, 5 months ago) by rzalamena
Branch: MAIN
Changes since 1.289: +2 -2 lines
Diff to previous 1.289 (colored)
Extend the multicast sockets and multicast hash table support to multiple domains. This is one step towards supporting to run more than one multicast socket in different domains at the same time. ok mpi@
Revision 1.289 / (download) - annotate - [select for diffs], Mon Dec 19 08:36:49 2016 UTC (7 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.288: +10 -7 lines
Diff to previous 1.288 (colored)
Introduce the NET_LOCK() a rwlock used to serialize accesses to the parts of the network stack that are not yet ready to be executed in parallel or where new sleeping points are not possible. This first pass replace all the entry points leading to ip_output(). This is done to not introduce new sleeping points when trying to acquire ART's write lock, needed when a new L2 entry is created via the RT_RESOLVE. Inputs from and ok bluhm@, ok dlg@
Revision 1.288 / (download) - annotate - [select for diffs], Mon Nov 28 23:15:31 2016 UTC (7 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.287: +1 -2 lines
Diff to previous 1.287 (colored)
Path MTU discovery and traceroute did not always work with pf af-to. If an incoming packet is directly put into the output path, sending the icmp error packet is never done. As this is basically forwarding, calling ip_forward() for such packets does everything that is needed. OK mikeb@
Revision 1.287 / (download) - annotate - [select for diffs], Mon Nov 28 11:12:45 2016 UTC (7 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.286: +3 -3 lines
Diff to previous 1.286 (colored)
Assert that every slow/fast timeout routine is called at IPL_SOFTNET. This removes multiple recursive splsoftnet()/splx() dances.
Revision 1.286 / (download) - annotate - [select for diffs], Wed Nov 23 10:04:31 2016 UTC (7 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.285: +7 -7 lines
Diff to previous 1.285 (colored)
Keep checks for local delivery close to in_ouraddr(). ok claudio@
Revision 1.285 / (download) - annotate - [select for diffs], Mon Nov 14 04:27:03 2016 UTC (7 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.284: +2 -2 lines
Diff to previous 1.284 (colored)
use M_COUNTERS to allocate counters. suggested by mpi@ and mikeb@
Revision 1.284 / (download) - annotate - [select for diffs], Mon Nov 14 03:51:53 2016 UTC (7 years, 6 months ago) by dlg
Branch: MAIN
Changes since 1.283: +63 -42 lines
Diff to previous 1.283 (colored)
turn ipstat into a set of percpu counters. each counter is identified by an enum value which corresponds to the original members of the ipstat struct. ipstat_inc(ips_foo) replaces ipstat.ips_foo++ for the actual updates. ipstat_inc is a thin wrapper around counters_inc. counters are still returned to userland via the ipstat struct for now. ok mpi@ mikeb@
Revision 1.283 / (download) - annotate - [select for diffs], Tue Nov 8 10:45:08 2016 UTC (7 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.282: +13 -30 lines
Diff to previous 1.282 (colored)
Only use the routing table for source address selection when processing IP options. Make sure the next hop is directly reachable if IPOPT_SSRR is set. Input from and ok vgross@
Revision 1.282 / (download) - annotate - [select for diffs], Thu Sep 22 10:12:25 2016 UTC (7 years, 8 months ago) by jsg
Branch: MAIN
Changes since 1.281: +7 -5 lines
Diff to previous 1.281 (colored)
Fix indentation. No binary change. ok mpi@
Revision 1.281 / (download) - annotate - [select for diffs], Thu Sep 15 02:00:18 2016 UTC (7 years, 8 months ago) by dlg
Branch: MAIN
Changes since 1.280: +5 -5 lines
Diff to previous 1.280 (colored)
all pools have their ipl set via pool_setipl, so fold it into pool_init. the ioff argument to pool_init() is unused and has been for many years, so this replaces it with an ipl argument. because the ipl will be set on init we no longer need pool_setipl. most of these changes have been done with coccinelle using the spatch below. cocci sucks at formatting code though, so i fixed that by hand. the manpage and subr_pool.c bits i did myself. ok tedu@ jmatthew@ @ipl@ expression pp; expression ipl; expression s, a, o, f, m, p; @@ -pool_init(pp, s, a, o, f, m, p); -pool_setipl(pp, ipl); +pool_init(pp, s, a, ipl, f, m, p);
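Review bot: the semantic patch only rewrites call sites where pool_setipl(pp, ipl) directly follows pool_init(pp, s, a, o, f, m, p) on the same pp, so a pool whose two calls are separated by other statements is not matched and has to be converted by hand. Because the fourth argument changes meaning from ioff to ipl at every caller, the commit message should say how the unmatched callers were found and handled, beyond the manpage and subr_pool.c changes it mentions.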
Revision 1.280 / (download) - annotate - [select for diffs], Tue Sep 6 00:04:15 2016 UTC (7 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.279: +3 -1 lines
Diff to previous 1.279 (colored)
pool_setipl for various netinet and netinet6 bits thank you to everyone who helped review these diffs ok mpi@
Revision 1.279 / (download) - annotate - [select for diffs], Fri Jul 22 07:39:06 2016 UTC (7 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_6_0_BASE, OPENBSD_6_0
Changes since 1.278: +2 -1 lines
Diff to previous 1.278 (colored)
Fix a double rtfree(9) triggered when IPSEC inserts a more specific route because of PMTU. otto@ reported the issue and helped me track it down during more than one month, he is the man! mikeb@ figured out the bug was in the forwarding path. ok mikeb@, deraadt@, claudio@
Revision 1.278 / (download) - annotate - [select for diffs], Mon Jul 18 13:17:44 2016 UTC (7 years, 10 months ago) by bluhm
Branch: MAIN
Changes since 1.277: +9 -13 lines
Diff to previous 1.277 (colored)
Hide pf internals by moving code from in_ouraddr() to pf_ouraddr(). OK mpi@ sashan@
Revision 1.277 / (download) - annotate - [select for diffs], Sat Jun 18 10:36:13 2016 UTC (7 years, 11 months ago) by vgross
Branch: MAIN
Changes since 1.276: +10 -1 lines
Diff to previous 1.276 (colored)
Add net.inet.{tcp,udp}.rootonly sysctl, to mark which ports cannot be bound to by non-root users. Ok millert@ bluhm@
Revision 1.276 / (download) - annotate - [select for diffs], Sat May 7 09:56:39 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.275: +3 -2 lines
Diff to previous 1.275 (colored)
Use rtalloc_mpath() when checking for local route entries because we are now using the returned route for forwarding as well. This restores the behavior of r1.274 when using mpath entries for forwarding. ok visa@, henning@
Revision 1.275 / (download) - annotate - [select for diffs], Tue May 3 12:19:13 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.274: +29 -23 lines
Diff to previous 1.274 (colored)
Make ip_forward() use the route entry fetched in in_ouraddr() when it is possible. This reduces the number of lookups to 1 for non-multicast traffic when PF is disabled. Tested by Hrvoje Popovski who confirmed that benchmark numbers are now as good as with a single cache entry. ok visa@, bluhm@
Revision 1.274 / (download) - annotate - [select for diffs], Mon Apr 25 12:33:48 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.273: +19 -33 lines
Diff to previous 1.273 (colored)
Remove the single cache route for forwarding. Testing help from Hrvoje Popovski. ok mikeb@, henning@, claudio@
Revision 1.273 / (download) - annotate - [select for diffs], Tue Apr 19 08:23:13 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.272: +5 -15 lines
Diff to previous 1.272 (colored)
Instead of freeing a cached RTF_MPATH route after using it, free it when the next packet needs to be forwarded, just like if the route was invalid. ok mikeb@, claudio@
Revision 1.272 / (download) - annotate - [select for diffs], Mon Apr 18 12:10:34 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.271: +5 -2 lines
Diff to previous 1.271 (colored)
Unbreak RAMDISK, found by deraadt@
Revision 1.271 / (download) - annotate - [select for diffs], Mon Apr 18 06:43:51 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.270: +9 -5 lines
Diff to previous 1.270 (colored)
Put a KERNEL_LOCK/UNLOCK dance around sections that still need some work in the forwarding path. Tested by Hrvoje Popovski, ok dlg@
Revision 1.270 / (download) - annotate - [select for diffs], Fri Apr 15 11:18:40 2016 UTC (8 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.269: +30 -43 lines
Diff to previous 1.269 (colored)
Kill in_rtaddr() and use rtalloc(9) directly in ip_dooptions(). This brings ip_dooptions() closer to mp-safeness by ensuring that ``ifa'' is dereferenced before calling rtfree(9). ok mikeb@
Revision 1.269 / (download) - annotate - [select for diffs], Tue Mar 29 10:34:42 2016 UTC (8 years, 2 months ago) by sashan
Branch: MAIN
Changes since 1.268: +4 -1 lines
Diff to previous 1.268 (colored)
- packet must keep reference to statekey this is the second attempt to get it in, the first attempt got backed out on Jan 31 2016 the change also contains fixes contributed by Stefan Kempf in earlier iteration. OK srhen@
Revision 1.268 / (download) - annotate - [select for diffs], Sun Jan 31 00:18:07 2016 UTC (8 years, 4 months ago) by sashan
Branch: MAIN
CVS Tags: OPENBSD_5_9_BASE, OPENBSD_5_9
Changes since 1.267: +1 -4 lines
Diff to previous 1.267 (colored)
- m_pkthdr.pf.statekey changes are not ready for 5.9, I must back them out OK sthen@
Revision 1.267 / (download) - annotate - [select for diffs], Mon Jan 25 18:49:57 2016 UTC (8 years, 4 months ago) by sashan
Branch: MAIN
Changes since 1.266: +4 -1 lines
Diff to previous 1.266 (colored)
- plugging massive pf_state_key leak OK mpi@ dlg@ sthen@
Revision 1.266 / (download) - annotate - [select for diffs], Thu Jan 21 11:23:48 2016 UTC (8 years, 4 months ago) by mpi
Branch: MAIN
Changes since 1.265: +2 -5 lines
Diff to previous 1.265 (colored)
Introduce in{,6}_hasmulti(), two functions to check in the hot path if an interface joined a specific multicast group. ok phessler@, visa@, dlg@
Revision 1.265 / (download) - annotate - [select for diffs], Thu Dec 3 21:11:53 2015 UTC (8 years, 6 months ago) by sashan
Branch: MAIN
Changes since 1.264: +32 -1 lines
Diff to previous 1.264 (colored)
ip_send()/ip6_send() allow PF to send response packet in ipsoftnet task. this avoids current recursion to pf_test() function. the change also switches icmp_error()/icmp6_error() to use ip_send()/ip6_send() so they are safe for PF. The idea comes from Markus Friedl. bluhm, mikeb and mpi helped me a lot to get it into shape. OK bluhm@, mpi@
Revision 1.264 / (download) - annotate - [select for diffs], Thu Dec 3 15:12:59 2015 UTC (8 years, 6 months ago) by markus
Branch: MAIN
Changes since 1.263: +101 -91 lines
Diff to previous 1.263 (colored)
factor out ip_input_ipsec_{fwd,ours}_check(); ok mpi@
Revision 1.263 / (download) - annotate - [select for diffs], Wed Dec 2 13:29:26 2015 UTC (8 years, 6 months ago) by claudio
Branch: MAIN
Changes since 1.262: +2 -2 lines
Diff to previous 1.262 (colored)
Kill the RT_REPORT flag to rtalloc() and stop sending RTM_MISS messages for failed route lookups. This is something that was maybe useful in the 90s but in these modern times it is just annoying and nothing expects it anyway. OK mpi@, sthen@
Revision 1.262 / (download) - annotate - [select for diffs], Mon Nov 23 15:54:45 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.261: +9 -3 lines
Diff to previous 1.261 (colored)
Use if_get() rather than rt_ifp. ok sashan@
Revision 1.261 / (download) - annotate - [select for diffs], Sat Nov 14 15:40:40 2015 UTC (8 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.260: +7 -2 lines
Diff to previous 1.260 (colored)
Grab the KERNEL_LOCK around ip_mforward(), in preparation for unlocking ip_input(). Note that ipmforwarding is not enabled by default. ok deraadt@, phessler@
Revision 1.260 / (download) - annotate - [select for diffs], Tue Oct 27 12:06:37 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.259: +26 -24 lines
Diff to previous 1.259 (colored)
Rewrite in_ouraddr() to not use ``rt_ifa'' since it is not obvious that the lifetime of an ``ifa'' is tied to a route entry, so it might no longer be valid after calling rtfree(9). While here put a KERNEL_LOCK() around the per-ifp address list iteration. ok bluhm@
Revision 1.259 / (download) - annotate - [select for diffs], Mon Oct 26 15:49:13 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.258: +2 -2 lines
Diff to previous 1.258 (colored)
Use rt_ifidx rather than rt_ifp. ok bluhm@
Revision 1.258 / (download) - annotate - [select for diffs], Mon Oct 19 11:59:26 2015 UTC (8 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.257: +2 -3 lines
Diff to previous 1.257 (colored)
Remove superfluous NULL checks. ifa are refcounted to ensure that rt_ifa is always valid.
Revision 1.257 / (download) - annotate - [select for diffs], Tue Oct 13 10:29:16 2015 UTC (8 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.256: +4 -8 lines
Diff to previous 1.256 (colored)
Make use of rtisvalid(9) to check if local route entries match existing configured addresses. ok mikeb@
Revision 1.256 / (download) - annotate - [select for diffs], Fri Sep 25 09:51:20 2015 UTC (8 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.255: +2 -2 lines
Diff to previous 1.255 (colored)
Ensure that RTF_LOCAL route entries always stay UP. Local route entries, being now attached to their corresponding interface, are susceptible to be brought DOWN when a link state change occurs. When this happens locally configured addresses are no longer reachable. So keep the previous (original) behavior by forcing such route entries to always be UP. ok sthen@, claudio@
Revision 1.255 / (download) - annotate - [select for diffs], Fri Sep 11 19:34:20 2015 UTC (8 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.254: +2 -1 lines
Diff to previous 1.254 (colored)
if_put after if_get in ip_savecontrol ok mpi@
Revision 1.254 / (download) - annotate - [select for diffs], Fri Sep 11 10:06:52 2015 UTC (8 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.253: +13 -10 lines
Diff to previous 1.253 (colored)
if_put after if_get. ok claudio@
Revision 1.253 / (download) - annotate - [select for diffs], Wed Aug 19 15:30:25 2015 UTC (8 years, 9 months ago) by bluhm
Branch: MAIN
Changes since 1.252: +4 -2 lines
Diff to previous 1.252 (colored)
An interface address without interface pointer could cause an uvm_fault in in_ouraddr(). Do not use a stale local address from the routing table. OK mpi@
Revision 1.252 / (download) - annotate - [select for diffs], Thu Jul 16 21:14:21 2015 UTC (8 years, 10 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_8_BASE, OPENBSD_5_8
Changes since 1.251: +2 -2 lines
Diff to previous 1.251 (colored)
Kill IP_ROUTETOETHER. This pseudo-option is a hack to support return-rst on bridge(4). It passes Ethernet information via a "struct route" through ip_output(). "struct route" is slowly dying... ok claudio@, benno@
Revision 1.251 / (download) - annotate - [select for diffs], Tue Jun 16 11:09:40 2015 UTC (8 years, 11 months ago) by mpi
Branch: MAIN
Changes since 1.250: +5 -3 lines
Diff to previous 1.250 (colored)
Store a unique ID, an interface index, rather than a pointer to the receiving interface in the packet header of every mbuf. The interface pointer should now be retrieved when necessary with if_get(). If a NULL pointer is returned by if_get(), the interface has probably been destroyed/removed and the mbuf should be freed. Such mechanism will simplify garbage collection of mbufs and limit problems with dangling ifp pointers. Tested by jmatthew@ and krw@, discussed with many. ok mikeb@, bluhm@, dlg@
Revision 1.250 / (download) - annotate - [select for diffs], Sun Jun 7 01:25:27 2015 UTC (9 years ago) by krw
Branch: MAIN
Changes since 1.249: +9 -9 lines
Diff to previous 1.249 (colored)
Replace a bunch of == 0 with == NULL in pointer tests. Nuke some annoying trailing, leading and embedded whitespace. No change to .o files. ok deraadt@
Revision 1.249 / (download) - annotate - [select for diffs], Wed May 13 10:42:46 2015 UTC (9 years, 1 month ago) by jsg
Branch: MAIN
Changes since 1.248: +2 -2 lines
Diff to previous 1.248 (colored)
test mbuf pointers against NULL not 0 ok krw@ miod@
Revision 1.248 / (download) - annotate - [select for diffs], Fri Apr 10 13:58:20 2015 UTC (9 years, 2 months ago) by dlg
Branch: MAIN
Changes since 1.247: +9 -15 lines
Diff to previous 1.247 (colored)
replace the use of ifqueues for most input queues serviced by netisr with niqueues. this change is so big because there's a lot of code that takes pointers to different input queues (eg, ether_input picks between ipv4, ipv6, pppoe, arp, and mpls input queues) and falls through to code to enqueue packets against the pointer. if i changed only one of the input queues i'd have to add separate code paths, one for ifqueues and one for niqueues in each of these places. by flipping all these input queues at once i can keep the currently common code common. testing by mpi@ sthen@ and rafael zalamena ok mpi@ sthen@ claudio@ henning@
Revision 1.247 / (download) - annotate - [select for diffs], Sat Mar 14 03:38:52 2015 UTC (9 years, 3 months ago) by jsg
Branch: MAIN
Changes since 1.246: +1 -2 lines
Diff to previous 1.246 (colored)
Remove some includes include-what-you-use claims don't have any direct symbols used. Tested for indirect use by compiling amd64/i386/sparc64 kernels. ok tedu@ deraadt@
Revision 1.246 / (download) - annotate - [select for diffs], Mon Feb 9 12:18:19 2015 UTC (9 years, 4 months ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_5_7_BASE, OPENBSD_5_7
Changes since 1.245: +14 -6 lines
Diff to previous 1.245 (colored)
Implement 2 sysctl to retrieve the multicast forwarding cache (mfc) and the virtual interface table (vif). Will be used by netstat soon. Looked over by guenther@
Revision 1.245 / (download) - annotate - [select for diffs], Sun Feb 8 04:14:47 2015 UTC (9 years, 4 months ago) by claudio
Branch: MAIN
Changes since 1.244: +3 -7 lines
Diff to previous 1.244 (colored)
Just use sysctl_rdstruct() to read out some structs. Only difference to current code is that you can no longer call this with a NULL oldlenp which does not make any sense. OK phessler, henning Behaviour change pointed out by miod@
Revision 1.244 / (download) - annotate - [select for diffs], Mon Jan 12 13:51:45 2015 UTC (9 years, 5 months ago) by mpi
Branch: MAIN
Changes since 1.243: +1 -3 lines
Diff to previous 1.243 (colored)
Kill the global list of IPv4 addresses. ok claudio@, mikeb@, bluhm@
Revision 1.243 / (download) - annotate - [select for diffs], Fri Dec 5 15:50:04 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.242: +2 -1 lines
Diff to previous 1.242 (colored)
Explicitly include <net/if_var.h> instead of pulling it in <net/if.h>. ok mikeb@, krw@, bluhm@, tedu@
Revision 1.242 / (download) - annotate - [select for diffs], Thu Nov 20 11:05:19 2014 UTC (9 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.241: +9 -1 lines
Diff to previous 1.241 (colored)
In TCP and UDP layers do not (ab)use the receiving interface to check for a multicast/broadcast destination address. These checks have already been done in the Ethernet and IP layers and the mbuf(9) should contain all the required information at this point. But since we cannot trust this spaghetti stack, be paranoid and make sure to set the flags in the IP input routines. Use explicit comments, requested by deraadt@. ok claudio@
Revision 1.241 / (download) - annotate - [select for diffs], Wed Nov 5 14:03:02 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.240: +1 -18 lines
Diff to previous 1.240 (colored)
Kill in_iawithaddr() and use ifa_ifwithaddr() directly. Note that ifa_ifwithaddr() might return a broadcast address, so if you don't want one make sure to filter them out. ok mikeb@
Revision 1.240 / (download) - annotate - [select for diffs], Tue Nov 4 15:24:40 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.239: +3 -5 lines
Diff to previous 1.239 (colored)
Remove "pl" suffix on pool names. ok dlg@, uebayasi@, mikeb@
Revision 1.239 / (download) - annotate - [select for diffs], Sat Nov 1 21:40:38 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.238: +4 -4 lines
Diff to previous 1.238 (colored)
Rename rtalloc1() into rtalloc(9) and convert its flags to only enable functionality instead of a mix of enable/disable. ok bluhm@, jca@
Revision 1.238 / (download) - annotate - [select for diffs], Tue Oct 14 09:52:26 2014 UTC (9 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.237: +10 -10 lines
Diff to previous 1.237 (colored)
Use rtfree() instead of RTFREE(), NULLify some free'd route pointers and kill the macro. ok mikeb@, henning@
Revision 1.237 / (download) - annotate - [select for diffs], Tue Sep 30 08:21:21 2014 UTC (9 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.236: +9 -3 lines
Diff to previous 1.236 (colored)
Use the routing table instead of the RB-tree for address lookups in in_ouraddr(). The lookup done in the forwarding case will hopefully be merged with this one in the future. ok kspillner@, bluhm@, claudio@
Revision 1.236 / (download) - annotate - [select for diffs], Sat Sep 27 12:26:16 2014 UTC (9 years, 8 months ago) by mpi
Branch: MAIN
Changes since 1.235: +3 -2 lines
Diff to previous 1.235 (colored)
Kill rtalloc() and update rtalloc1() and rtalloc_mpath() to no longer rely on "struct route" that should die. ok claudio@
Revision 1.235 / (download) - annotate - [select for diffs], Sun Jul 13 13:57:56 2014 UTC (9 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE, OPENBSD_5_6
Changes since 1.234: +8 -8 lines
Diff to previous 1.234 (colored)
Stop using old n_time, n_long and n_short types in netinet headers. ok deraadt@, naddy@
Revision 1.234 / (download) - annotate - [select for diffs], Wed Jun 4 12:20:00 2014 UTC (10 years ago) by mpi
Branch: MAIN
Changes since 1.233: +19 -6 lines
Diff to previous 1.233 (colored)
Stop using a global variable to do address lookups. ok blambert@, mikeb@
Revision 1.233 / (download) - annotate - [select for diffs], Sat May 10 12:30:27 2014 UTC (10 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.232: +4 -4 lines
Diff to previous 1.232 (colored)
Fix a few bad indents
Revision 1.232 / (download) - annotate - [select for diffs], Wed May 7 08:26:38 2014 UTC (10 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.231: +1 -7 lines
Diff to previous 1.231 (colored)
Remove the last hacks concerning the global list of IPv4 addresses in the source address selection logic. These hacks were only relevant for the NFS diskless boot code in order to pick the local broadcast address of the only configured interface. So, be explicit and set this address directly. Tested by florian@, ok henning@, beck@, chrisz@
Revision 1.231 / (download) - annotate - [select for diffs], Mon Apr 21 12:22:26 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.230: +2 -2 lines
Diff to previous 1.230 (colored)
ip_output() using varargs always struck me as bizarre, esp since it's only ever used to pass on uint32 (for ipsec). stop that madness and just pass the uint32, 0 in all cases but the two that pass the ipsec flowinfo. ok deraadt reyk guenther
Revision 1.230 / (download) - annotate - [select for diffs], Mon Apr 21 11:10:54 2014 UTC (10 years, 1 month ago) by henning
Branch: MAIN
Changes since 1.229: +2 -2 lines
Diff to previous 1.229 (colored)
we'll do fine without casting NULL to struct foo * / void * ok gcc & md5 (alas, no binary change)
Revision 1.229 / (download) - annotate - [select for diffs], Mon Apr 14 09:06:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.228: +12 -12 lines
Diff to previous 1.228 (colored)
"struct pkthdr" holds a routing table ID, not a routing domain one. Avoid the confusion by using an appropriate name for the variable. Note that since routing domain IDs are a subset of the set of routing table IDs, the following idiom is correct: rtableid = rdomain But to get the routing domain ID corresponding to a given routing table ID, you must call rtable_l2(9). claudio@ likes it, ok mikeb@
Revision 1.228 / (download) - annotate - [select for diffs], Thu Mar 27 10:44:23 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.227: +29 -26 lines
Diff to previous 1.227 (colored)
Stop dereferencing the ifp pointer present in the packet header all over the input path since it is going to die. Should be no functional change. ok mikeb@, lteo@, benno@
Revision 1.227 / (download) - annotate - [select for diffs], Fri Mar 21 10:44:42 2014 UTC (10 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.226: +2 -2 lines
Diff to previous 1.226 (colored)
rt_timer* spring cleanup. Rename and document rt_timer_count() into rt_timer_queue_count() to be consistent with the other functions. Remove unused argument from rt_timer_queue_destroy(), clean the definitions and finally use the same order in NAME and DESCRIPTION as requested by jmc@. ok henning@
Revision 1.226 / (download) - annotate - [select for diffs], Fri Jan 24 18:54:58 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE, OPENBSD_5_5
Changes since 1.225: +1 -3 lines
Diff to previous 1.225 (colored)
clearing the _CSUM_IN_OK flags is now utterly pointless, was only done for statistics side effects before. ok lteo naddy
Revision 1.225 / (download) - annotate - [select for diffs], Thu Jan 23 23:51:29 2014 UTC (10 years, 4 months ago) by henning
Branch: MAIN
Changes since 1.224: +3 -4 lines
Diff to previous 1.224 (colored)
since the cksum rewrite the counters for hardware checksummed packets are a lie, since the software engine emulates hardware offloading and that is later indistinguishable. so kill the hw cksummed counters. introduce software checksummed packet counters instead. tcp/udp handles ip & ipvshit, ip cksum covered, 6 has no ip layer cksum. as before we still have a miscounting bug for inbound with pf on, to be fixed in the next step. found by, prodding & ok naddy
Revision 1.224 / (download) - annotate - [select for diffs], Thu Jan 9 06:29:06 2014 UTC (10 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.223: +6 -6 lines
Diff to previous 1.223 (colored)
bzero/bcmp -> memset/memcmp. ok matthew
Revision 1.223 / (download) - annotate - [select for diffs], Tue Dec 31 03:24:44 2013 UTC (10 years, 5 months ago) by tedu
Branch: MAIN
Changes since 1.222: +17 -17 lines
Diff to previous 1.222 (colored)
bcopy -> memcpy. reviewed with one fix from matthew
Revision 1.222 / (download) - annotate - [select for diffs], Wed Nov 27 08:34:39 2013 UTC (10 years, 6 months ago) by mpi
Branch: MAIN
Changes since 1.221: +3 -3 lines
Diff to previous 1.221 (colored)
Let's call a rtableid a rtableid. ok mikeb@, henning@, claudio@
Revision 1.221 / (download) - annotate - [select for diffs], Sun Nov 17 10:07:32 2013 UTC (10 years, 6 months ago) by bluhm
Branch: MAIN
Changes since 1.220: +4 -7 lines
Diff to previous 1.220 (colored)
Instead of stripping the IP options manually in icmp_reflect(), just call ip_stripoptions(). Remove an unneeded parameter and adjust the ip length in ip_stripoptions(). from FreeBSD; OK deraadt@ henninh@ lteo@
Revision 1.220 / (download) - annotate - [select for diffs], Mon Nov 11 09:15:34 2013 UTC (10 years, 7 months ago) by mpi
Branch: MAIN
Changes since 1.219: +1 -14 lines
Diff to previous 1.219 (colored)
Replace most of our formatting functions to convert IPv4/6 addresses from network to presentation format to inet_ntop(). The few remaining functions will be soon converted. ok mikeb@, deraadt@ and moral support from henning@
Revision 1.219 / (download) - annotate - [select for diffs], Wed Oct 23 19:09:28 2013 UTC (10 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.218: +1 -34 lines
Diff to previous 1.218 (colored)
remove the ipprintfs debug stuff; if you are debugging at this level, you probably write your own chunks as need be. ok mpi claudio
Revision 1.218 / (download) - annotate - [select for diffs], Mon Oct 21 12:27:12 2013 UTC (10 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.217: +1 -3 lines
Diff to previous 1.217 (colored)
There are gasps of shock! Add a pmtu delay sysctl BUTTON for netinet6, making the code the same as netinet4 along the way. ok bluhm phessler
Revision 1.217 / (download) - annotate - [select for diffs], Wed Aug 21 09:02:12 2013 UTC (10 years, 9 months ago) by mpi
Branch: MAIN
Changes since 1.216: +11 -6 lines
Diff to previous 1.216 (colored)
When checking for classful broadcast addresses, iterate over the list from the interface on which the packet was received on instead of filtering the global list. ok bluhm@, henning@
Revision 1.216 / (download) - annotate - [select for diffs], Tue Aug 13 09:52:53 2013 UTC (10 years, 10 months ago) by mpi
Branch: MAIN
Changes since 1.215: +55 -37 lines
Diff to previous 1.215 (colored)
When net.inet.ip.sourceroute is enabled, store the source route of incoming IPv4 packets with the SSRR or LSRR header option in a m_tag rather than in a single static entry. Use a new m_tag type, PACKET_TAG_SRCROUTE, for this and bump PACKET_TAG_MAXSIZE accordingly. Adapted from FreeBSD r135274 with inputs from bluhm@. ok bluhm@, mikeb@
Revision 1.215 / (download) - annotate - [select for diffs], Wed Jul 31 15:41:51 2013 UTC (10 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.214: +3 -7 lines
Diff to previous 1.214 (colored)
Move bridge_broadcast and subsequently all IPsec SPD lookup code out of the IPL_NET. pf_test should be no longer called under IPL_NET as well. The problem became evident after the related issue was brought up by David Hill <dhill at mindcry ! org>. With input from and OK mpi. Tested by David and me.
Revision 1.214 / (download) - annotate - [select for diffs], Thu Jul 4 08:22:19 2013 UTC (10 years, 11 months ago) by mpi
Branch: MAIN
CVS Tags: OPENBSD_5_4_BASE, OPENBSD_5_4
Changes since 1.213: +2 -51 lines
Diff to previous 1.213 (colored)
Rewrite the function used to determine if we do proxy ARP for one of our addresses to reuse arplookup() and do only one list iteration. Looks ok to claudio@, ok mikeb@
Revision 1.213 / (download) - annotate - [select for diffs], Wed Jun 26 09:12:40 2013 UTC (10 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.212: +4 -1 lines
Diff to previous 1.212 (colored)
put the cksum diff back, of course with the bug fixed where we could under some circumstances repair broken checksums on the way. ok ryan naddy mikeb . redo most of the protocol (tcp/udp/...) checksum handling -assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack -stop checksum mucking in pf, just set a "needs checksumming" flag if needed -in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path -little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack in6_proto_cksum_out mostly written by krw@ started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy. this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers.
Revision 1.212 / (download) - annotate - [select for diffs], Thu Jun 13 12:15:52 2013 UTC (11 years ago) by mpi
Branch: MAIN
Changes since 1.211: +49 -24 lines
Diff to previous 1.211 (colored)
Move the local delivery code from ipv4_input() into its own function and unify some return statements while here. ok bluhm@, henning@
Revision 1.211 / (download) - annotate - [select for diffs], Fri May 17 09:04:30 2013 UTC (11 years ago) by mpi
Branch: MAIN
Changes since 1.210: +1 -4 lines
Diff to previous 1.210 (colored)
Move an extern declaration into its corresponding header file.
Revision 1.210 / (download) - annotate - [select for diffs], Wed Apr 24 10:17:08 2013 UTC (11 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.209: +1 -4 lines
Diff to previous 1.209 (colored)
Instead of having various extern declarations for protocol variables, declare them once in their corresponding header file.
Revision 1.209 / (download) - annotate - [select for diffs], Wed Apr 17 14:19:32 2013 UTC (11 years, 1 month ago) by mpi
Branch: MAIN
Changes since 1.208: +10 -12 lines
Diff to previous 1.208 (colored)
Replace some casts by ifatoia() and sintosa(). ok krw@, mikeb@
Revision 1.208 / (download) - annotate - [select for diffs], Wed Apr 10 08:50:59 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.207: +1 -8 lines
Diff to previous 1.207 (colored)
Remove various external variable declarations from source files and move them to the corresponding header with an appropriate comment if necessary. ok guenther@
Revision 1.207 / (download) - annotate - [select for diffs], Tue Apr 9 08:35:38 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.206: +1 -6 lines
Diff to previous 1.206 (colored)
Remove read-only ipsec variables and directly use defines instead. ok mikeb@, markus@
Revision 1.206 / (download) - annotate - [select for diffs], Fri Mar 29 13:16:14 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.205: +2 -2 lines
Diff to previous 1.205 (colored)
Declare struct pf_state_key in the mbuf and in_pcb header files to avoid ugly casts. OK krw@ tedu@
Revision 1.205 / (download) - annotate - [select for diffs], Thu Mar 28 16:45:16 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.204: +1 -2 lines
Diff to previous 1.204 (colored)
no need for a lot of code to include proc.h
Revision 1.204 / (download) - annotate - [select for diffs], Thu Mar 28 12:06:55 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.203: +4 -5 lines
Diff to previous 1.203 (colored)
Replace some casts to struct in_ifaddr pointer by ifatoia() or NULL. ok millert@, haesbaert@, bluhm@
Revision 1.203 / (download) - annotate - [select for diffs], Thu Mar 28 00:32:11 2013 UTC (11 years, 2 months ago) by bluhm
Branch: MAIN
Changes since 1.202: +2 -2 lines
Diff to previous 1.202 (colored)
Unfortunately the satosin, sintosa, ifatoia, satosin6, sin6tosa, ifatoia6 macros do not check the source type. They just cast anything. Remove needless casts and do not use those macros if the source type does not match. Remove duplicate defines. No binary change. OK kettenis@ krw@
Revision 1.202 / (download) - annotate - [select for diffs], Tue Mar 26 13:19:26 2013 UTC (11 years, 2 months ago) by mpi
Branch: MAIN
Changes since 1.201: +2 -3 lines
Diff to previous 1.201 (colored)
Remove various read-only *maxlen variables and use IFQ_MAXLEN directly. ok beck@, mikeb@
Revision 1.201 / (download) - annotate - [select for diffs], Fri Mar 22 01:41:12 2013 UTC (11 years, 2 months ago) by tedu
Branch: MAIN
Changes since 1.200: +7 -8 lines
Diff to previous 1.200 (colored)
simple replacement of LIST_END with NULL. ok mpi
Revision 1.200 / (download) - annotate - [select for diffs], Tue Nov 6 12:32:42 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_3_BASE, OPENBSD_5_3
Changes since 1.199: +1 -4 lines
Diff to previous 1.199 (colored)
backout csum diff for the moment, requested by theo
Revision 1.199 / (download) - annotate - [select for diffs], Thu Nov 1 07:55:56 2012 UTC (11 years, 7 months ago) by henning
Branch: MAIN
Changes since 1.198: +3 -0 lines
Diff to previous 1.198 (colored)
redo most of the protocol (tcp/udp/...) checksum handling -assume we have hardware checksum offloading. stop mucking with the checksum in most of the stack -stop checksum mucking in pf, just set a "needs checksumming" flag if needed -in all output paths, very late, if we figure out the outbound interface doesn't have hw cksum offloading, do the cksum in software. this especially makes the bridge path behave like a regular output path -little special casing for bridge still required until the broadcast path loses its disgusting shortcut hacks, but at least it's in one place now and not all over the stack in6_proto_cksum_out mostly written by krw@ started at k2k11 in iceland more than 1.5 years ago - yes it took that long, this stuff is everything but easy. this happens to fix the infamous pf rdr bug that made us turn off proto cksum offloading on almost all interface drivers. ok camield sthen claudio, testing by many, thanks!
Revision 1.198 / (download) - annotate - [select for diffs], Tue Sep 18 12:35:51 2012 UTC (11 years, 8 months ago) by blambert
Branch: MAIN
Changes since 1.197: +8 -3 lines
Diff to previous 1.197 (colored)
sysctl calls shouldn't clobber route timers without spl protection the spl call in the icmp case may be too aggressive, but better safe than sorry ok claudio@
Revision 1.197 / (download) - annotate - [select for diffs], Tue Aug 7 17:54:20 2012 UTC (11 years, 10 months ago) by mikeb
Branch: MAIN
Changes since 1.196: +22 -13 lines
Diff to previous 1.196 (colored)
Store the data used to generate an ICMP error message on a stack instead of allocating a new mbuf. This is a third or fourth attempt to incorporate a change like this meaning a handful of people have lost their hair trying to make it work, namely dlg@, henning@, deraadt@, and thib@. Unfortunately the fixed version was never put back which is exceptionally unfortunate since the impact on performance is huge: it nearly doubles the forwarding performance on selected hardware in simple setups. So after being beaten in test and production environments on several architectures it's ready to be put back again. We're doing it early in the release cycle so that it will receive a good test exposure. ok derradt, henning
Revision 1.196 / (download) - annotate - [select for diffs], Mon Jul 16 18:05:36 2012 UTC (11 years, 10 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE, OPENBSD_5_2
Changes since 1.195: +3 -3 lines
Diff to previous 1.195 (colored)
add IP_IPSECFLOWINFO option to sendmsg() and recvmsg(), so npppd(4) can use this to select the IPsec tunnel for sending L2TP packets. this fixes Windows (always binding to 1701) and Android clients (negotiating wildcard flows); feedback mpf@ and yasuoka@; ok henning@ and yasuoka@; ok jmc@ for the manpage
Revision 1.195 / (download) - annotate - [select for diffs], Wed Jul 6 02:42:28 2011 UTC (12 years, 11 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_5_1_BASE, OPENBSD_5_1, OPENBSD_5_0_BASE, OPENBSD_5_0
Changes since 1.194: +2 -2 lines
Diff to previous 1.194 (colored)
consistently use IFQ_SET_MAXLEN, surfaced in a discussion with + ok bluhm
Revision 1.194 / (download) - annotate - [select for diffs], Tue Jul 5 21:40:38 2011 UTC (12 years, 11 months ago) by dhill
Branch: MAIN
Changes since 1.193: +16 -33 lines
Diff to previous 1.193 (colored)
ansify ok claudio@
Revision 1.193 / (download) - annotate - [select for diffs], Mon Jul 4 06:54:49 2011 UTC (12 years, 11 months ago) by claudio
Branch: MAIN
Changes since 1.192: +2 -2 lines
Diff to previous 1.192 (colored)
Bye bye pf_test6(). Only one pf_test function for both IPv4 and v6. The functions were 95% identical anyway. While there use struct pf_addr in struct pf_divert instead of some union which is the same. OK bluhm@ mcbride@ and most probably henning@ as well
Revision 1.192 / (download) - annotate - [select for diffs], Wed Jun 15 09:11:01 2011 UTC (13 years ago) by mikeb
Branch: MAIN
Changes since 1.191: +16 -1 lines
Diff to previous 1.191 (colored)
Add IP_RECVRTABLE socket option to be used with a IPPROTO_IP level that allows one to retrieve the original routing domain of UDP datagrams diverted by the pf via "divert-to" with a recvmsg(2). ok claudio
Revision 1.191 / (download) - annotate - [select for diffs], Tue Apr 19 03:47:29 2011 UTC (13 years, 1 month ago) by dlg
Branch: MAIN
Changes since 1.190: +85 -39 lines
Diff to previous 1.190 (colored)
reintroduce using the RB tree for local address lookups. this is confusing because both addresses and broadcast addresses are put into the tree. there are two types of local address lookup. the first is when the socket layer wants a local address, the second is in ip_input when the kernel is figuring out the packet is for it to process or forward. ip_input considers local addresses and broadcast addresses as local, however, the handling of broadcast addresses is different depending on whether ip_directedbcast is set. if ip_directedbcast is unset then a packet coming in on any interface to any of the system's broadcast addresses is considered local, otherwise the broadcast packet must exist on the interface it was received on. the code also needs to consider classful broadcast addresses so we can continue some legacy applications (eg, netbooting old sparcs that use rarp and bootparam requests to classful broadcast addresses as per PR6382). this diff maintains that support, but restricts it to packets that are broadcast on the link layer (eg, ethernet broadcasted packets), and it only looks up addresses on the local interface. we now only support classful broadcast addresses on local interfaces to avoid weird side effects with packets routed to us. the ip4 socket layer does lookups for local addresses with a wrapper around the global address tree that rejects matches against broadcast addresses. we now no longer support bind sockets to broadcast addresses, no matter what the value of ip_directedbcast is. ok henning@ testing (and possibly ok) claudio@
Revision 1.190 / (download) - annotate - [select for diffs], Thu Apr 14 08:15:26 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.189: +20 -25 lines
Diff to previous 1.189 (colored)
Backout the in_iawithaddr() -> ifa_ifwithaddr() change. There is a massive issue with broadcast addrs because ifa_ifwithaddr() handles them differently than in_iawithaddr().
Revision 1.189 / (download) - annotate - [select for diffs], Mon Apr 4 16:51:15 2011 UTC (13 years, 2 months ago) by claudio
Branch: MAIN
Changes since 1.188: +8 -8 lines
Diff to previous 1.188 (colored)
The forced IP header pullup in the multicast case is only needed when the system is a multicast forwarder so move the code into that block and save a few unneeded m_pullups. Found by dlg a long time ago. OK dlg@
Revision 1.188 / (download) - annotate - [select for diffs], Mon Apr 4 13:30:03 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.187: +25 -20 lines
Diff to previous 1.187 (colored)
make in_iawithaddr a wrapper for ifa_ifwithaddr plus a hack for old ancient classful broadcast so we can still netboot sparc and the like. compat hack untested, i will deal with the fallout if there is any later at the same time stop exporting in_iawithaddr, everything but ip_input should (and now does) use ifa_ifwithaddr directly ok dlg sthen and agreement from many
Revision 1.187 / (download) - annotate - [select for diffs], Sat Apr 2 14:38:09 2011 UTC (13 years, 2 months ago) by henning
Branch: MAIN
Changes since 1.186: +2 -5 lines
Diff to previous 1.186 (colored)
remove the link1 hack, it is in the way, it is only half-baked and doesn't work as you think it does, and the same can easily be achieved using pf ok claudio dlg sthen theo
Revision 1.186 / (download) - annotate - [select for diffs], Fri Feb 11 12:16:30 2011 UTC (13 years, 4 months ago) by bluhm
Branch: MAIN
CVS Tags: OPENBSD_4_9_BASE, OPENBSD_4_9
Changes since 1.185: +2 -2 lines
Diff to previous 1.185 (colored)
In ip_forward() free the mbuf chain mcopy with m_freem() instead of m_free(). There was no leak before as m_copym() and m_pullup() are always called with the same length. But it is better to use the correct function anyway. ok henning@ mpf@ markus@
Revision 1.185 / (download) - annotate - [select for diffs], Thu Feb 3 17:29:16 2011 UTC (13 years, 4 months ago) by millert
Branch: MAIN
Changes since 1.184: +2 -2 lines
Diff to previous 1.184 (colored)
ip_ttl is u_int8_t, not u_char so adjust sizeof for consistency. No binary change. OK otto@
Revision 1.184 / (download) - annotate - [select for diffs], Wed Sep 8 08:34:42 2010 UTC (13 years, 9 months ago) by claudio
Branch: MAIN
Changes since 1.183: +7 -1 lines
Diff to previous 1.183 (colored)
Return EACCES when pf_test() blocks a packet in ip_output(). This allows ip_forward() to know the difference between blocked packets and those that can't be forwarded (EHOSTUNREACH). Only in the latter case an ICMP should be sent. In the other callers of ip_output() change the error back to EHOSTUNREACH since userland may not expect EACCES on a sendto(). OK henning@, markus@
Revision 1.183 / (download) - annotate - [select for diffs], Fri Aug 20 02:48:31 2010 UTC (13 years, 9 months ago) by dlg
Branch: MAIN
Changes since 1.182: +2 -2 lines
Diff to previous 1.182 (colored)
white space fix
Revision 1.182 / (download) - annotate - [select for diffs], Fri Jul 9 16:58:06 2010 UTC (13 years, 11 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE, OPENBSD_4_8
Changes since 1.181: +5 -3 lines
Diff to previous 1.181 (colored)
Add support for using IPsec in multiple rdomains. This allows to run isakmpd/iked/ipsecctl in multiple rdomains independently (with "route exec"); the kernel will pickup the rdomain from the process context of the pfkey socket and load the flows and SAs into the matching rdomain encap routing table. The network stack also needs to pass the rdomain to the ipsec stack to lookup the correct rdomain that belongs to an interface/mbuf/... You can now run individual IPsec configs per rdomain or create IPsec VPNs between multiple rdomains on the same machine ;). Note that a primary enc(4) in addition to enc0 interface is required per rdomain, eg. enc1 rdomain 1. Test by some people, mostly on existing "rdomain 0" setups. Was in snaps for some days and people didn't complain. ok claudio@ naddy@
Revision 1.181 / (download) - annotate - [select for diffs], Mon Jun 7 13:26:35 2010 UTC (14 years ago) by henning
Branch: MAIN
Changes since 1.180: +5 -2 lines
Diff to previous 1.180 (colored)
unfortunately classful routing isn't 100% dead, mostly thanks to ancient netboot methods using rarp, thus only learning their IP address without mask. And of course the next step is a broadcast - which goes to the broadcast address calculated classful. *sigh*. PR6382 instead of storing a second broadcast address per ifaddr as we used to figure out whether we're dealing with a classful broadcast on the fly. the math is extremely cheap and all my previous profilings showed that cpu cycles are basically free, we're constrained by memory access. excellent analysis by Pascal Lalonde <plalonde at overnet.qc.ca> who also submitted the PR. claudio ok
Revision 1.180 / (download) - annotate - [select for diffs], Fri Jun 4 11:35:43 2010 UTC (14 years ago) by blambert
Branch: MAIN
Changes since 1.179: +1 -2 lines
Diff to previous 1.179 (colored)
Missed this file in previous commit; previous commit message was: rt_timer_queue_destroy() did not actually destroy, leading to a potential memory leak due to misleading nomenclature. Change it to actually destroy, not just clean, the rt_timer_queue passed to it and adjust the correct caller accordingly (i.e., no need to free the mem on our own now). As a bonus, this gets rid of one of the ridiculous R_Malloc/Bzero/Free cycles, and lets us sneak another bzero -> M_ZERO conversion in. ok claudio@
Revision 1.179 / (download) - annotate - [select for diffs], Fri May 7 13:33:17 2010 UTC (14 years, 1 month ago) by claudio
Branch: MAIN
Changes since 1.178: +5 -6 lines
Diff to previous 1.178 (colored)
Start cleaning up the mess called rtalloc*. Kill rtalloc2, make rtalloc1 accept flags for report and nocloning. Move the rtableid into struct route (with a minor twist for now) and make a few more codepaths rdomain aware. Apart from the pf.c and route.c bits the diff is mostly mechanical. More to come... OK michele, henning
Revision 1.178 / (download) - annotate - [select for diffs], Tue Apr 20 22:05:43 2010 UTC (14 years, 1 month ago) by tedu
Branch: MAIN
Changes since 1.177: +2 -1 lines
Diff to previous 1.177 (colored)
remove proc.h include from uvm_map.h. This has far reaching effects, as sysctl.h was reliant on this particular include, and many drivers included sysctl.h unnecessarily. remove sysctl.h or add proc.h as needed. ok deraadt
Revision 1.177 / (download) - annotate - [select for diffs], Wed Jan 13 10:31:17 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_7_BASE, OPENBSD_4_7
Changes since 1.176: +2 -7 lines
Diff to previous 1.176 (colored)
no point in looking for the old "all host bits zero" broadcast address any more here either
Revision 1.176 / (download) - annotate - [select for diffs], Wed Jan 13 07:05:28 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.175: +1 -2 lines
Diff to previous 1.175 (colored)
we don't need broadcast for the classful network AND broadcast for the subnet of the classful network. at least, not since 1992. ok mpf dlg bob
Revision 1.175 / (download) - annotate - [select for diffs], Wed Jan 13 01:26:28 2010 UTC (14 years, 5 months ago) by henning
Branch: MAIN
Changes since 1.174: +4 -5 lines
Diff to previous 1.174 (colored)
let's admit it's not 1992 any more. CIDR is around for a long time, even that router vendor doesn't default to classful routing any more, and there really is no point in having a classful netmask and a subnetmask to split it. we still do classful guesses on the netmask if it isn't supplied by userland, but that's about it. i decided to keep ia_netmask and kill ia_subnetmask which makes this diff bigish, the classful ia_netmask wasn't really used all that much. the real changes are in in.c, the rest is mostly s/ia_subnetmask/ia_netmask. ok claudio dlg ryan
Revision 1.174 / (download) - annotate - [select for diffs], Mon Dec 7 08:19:37 2009 UTC (14 years, 6 months ago) by gollo
Branch: MAIN
Changes since 1.173: +2 -2 lines
Diff to previous 1.173 (colored)
do not forward and drop packets with M_MCAST flag set in ip_forward() ok henning@, claudio@ "I think this should go in"
Revision 1.173 / (download) - annotate - [select for diffs], Thu Nov 19 22:07:17 2009 UTC (14 years, 6 months ago) by otto
Branch: MAIN
Changes since 1.172: +3 -2 lines
Diff to previous 1.172 (colored)
avoid overflow since protos > IPPROTO_MAX exist. From FreeBSD with a twist; ok millert@ kettenis@
Revision 1.172 / (download) - annotate - [select for diffs], Tue Nov 3 10:59:04 2009 UTC (14 years, 7 months ago) by claudio
Branch: MAIN
Changes since 1.171: +5 -7 lines
Diff to previous 1.171 (colored)
rtables are stacked on rdomains (it is possible to have multiple routing tables on top of a rdomain) but until now our code was a crazy mix so that it was impossible to correctly use rtables in that case. Additionally pf(4) only knows about rtables and not about rdomains. This is especially bad when tracking (possibly conflicting) states in various domains. This diff fixes all or most of these issues. It adds a lookup function to get the rdomain id based on a rtable id. Makes pf understand rdomains and allows pf to move packets between rdomains (it is similar to NAT). Because pf states now track the rdomain id as well it is necessary to modify the pfsync wire format. So old and new systems will not sync up. A lot of help by dlg@, tested by sthen@, jsg@ and probably more OK dlg@, mpf@, deraadt@
Revision 1.171 / (download) - annotate - [select for diffs], Sun Aug 23 20:06:25 2009 UTC (14 years, 9 months ago) by david
Branch: MAIN
Changes since 1.170: +10 -13 lines
Diff to previous 1.170 (colored)
revert the icmp error diff again (r1.167-1.169) seems to be causing some kind of memory corruption after several hours of heavy IPsec traffic. connections start becoming very slow eventually leading to all IPsec packets being lost. a reboot solves the issue for several more hours before it appears again.
Revision 1.170 / (download) - annotate - [select for diffs], Mon Aug 10 15:29:34 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.169: +1 -7 lines
Diff to previous 1.169 (colored)
7 years of #if 1 reasonable #else bullshit required by some committee #endif are enough. theo ok
Revision 1.169 / (download) - annotate - [select for diffs], Mon Aug 10 15:26:33 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.168: +2 -2 lines
Diff to previous 1.168 (colored)
we need to null mcopy, gotos bite. theo and i both missed them, theo ok
Revision 1.168 / (download) - annotate - [select for diffs], Mon Aug 10 13:20:08 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.167: +3 -3 lines
Diff to previous 1.167 (colored)
fix previous: -m_copydata instead of straight bcopy. noticed by damien -handle the pretty much impossible case that the packet header grows so much that MHLEN < 68. i bet this had been the least of our worries, in that case, but code oughta be correct anyway. ok theo and dlg
Revision 1.167 / (download) - annotate - [select for diffs], Mon Aug 10 11:48:02 2009 UTC (14 years, 10 months ago) by henning
Branch: MAIN
Changes since 1.166: +13 -10 lines
Diff to previous 1.166 (colored)
this is basically a fixed version of r1.165, avoid m_copym of each and every forwarded packet in case ip_output returns an error and we have to quote some of it back in an icmp error message. this implementation done from scratch: place an mbuf on the stack. copy the pkthdr from the forwarded packet and the first 68 bytes of payload. if we need to send an icmp error, just m_copym our mbuf-on-the-stack into a real one that icmp_error can fuck with and eat as it desires. ok theo dlg
Revision 1.166 / (download) - annotate - [select for diffs], Tue Jul 28 14:01:50 2009 UTC (14 years, 10 months ago) by dlg
Branch: MAIN
Changes since 1.165: +19 -31 lines
Diff to previous 1.165 (colored)
revert the avoidance of the mbuf copy for the icmp errors (r1.165) some greater care must be taken to ensure the mbuf generated for icmp errors is a good copy.
Revision 1.165 / (download) - annotate - [select for diffs], Fri Jul 24 12:30:05 2009 UTC (14 years, 10 months ago) by dlg
Branch: MAIN
Changes since 1.164: +30 -18 lines
Diff to previous 1.164 (colored)
for every packet we forwarded, we copied the first 68 bytes of it in case ip_output failed and we had to generate an icmp packet. since ip_output frees the mbuf we give it, we copied the original into a new mbuf. if ip_output succeeded, we threw the copy away. the problem with this is that copying the mbuf is about a third of the cost of ip_forward. this diff copies the data we might need onto the stack, and only builds the mbuf for the icmp error if it actually needs it, ie, if ip_output fails. this gives a noticeable improvement in pps for forwarded traffic. ok claudio@ markus@ henning@ tested by markus@ and by me in production for several days at work
Revision 1.164 / (download) - annotate - [select for diffs], Fri Jun 5 00:05:22 2009 UTC (15 years ago) by claudio
Branch: MAIN
CVS Tags: OPENBSD_4_6_BASE, OPENBSD_4_6
Changes since 1.163: +39 -25 lines
Diff to previous 1.163 (colored)
Initial support for routing domains. This allows to bind interfaces to alternate routing table and separate them from other interfaces in distinct routing tables. The same network can now be used in any domain at the same time without causing conflicts. This diff is mostly mechanical and adds the necessary rdomain checks across net and netinet. L2 and IPv4 are mostly covered still missing pf and IPv6. input and tested by jsg@, phessler@ and reyk@. "put it in" deraadt@
Revision 1.163 / (download) - annotate - [select for diffs], Thu Jun 4 05:02:25 2009 UTC (15 years ago) by henning
Branch: MAIN
Changes since 1.162: +17 -7 lines
Diff to previous 1.162 (colored)
the decision on whether a packet is to be delivered locally or forwarded is pretty expensive, the more the more addresses are configured locally, since we walk a list. when pf is on and we have a state key pointer, and that state key is linked to another state key, we know for sure this is not local. when it has a link to a pcb, it certainly goes to the local codepath. on a box with 1000 addresses forwarding 3 times as fast as before. theo ok
Revision 1.162 / (download) - annotate - [select for diffs], Mon May 18 20:37:13 2009 UTC (15 years ago) by bluhm
Branch: MAIN
Changes since 1.161: +4 -3 lines
Diff to previous 1.161 (colored)
The routing table index rtableid has type unsigned int in the routing code. In pf rtableid == -1 means don't change the rtableid because of this rule. So it has to be signed int there. Before the value is passed from pf to route it is always checked to be >= 0. Change the type to int in pf and to u_int in netinet and netinet6 to make the checks work. Otherwise -1 may be used as an array index and the kernel crashes. ok henning@
Revision 1.161 / (download) - annotate - [select for diffs], Wed Dec 24 07:41:59 2008 UTC (15 years, 5 months ago) by dlg
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE, OPENBSD_4_5
Changes since 1.160: +1 -0 lines
Diff to previous 1.160 (colored)
report the number of packets that arp resolution is holding onto until it gets a mac addr for an ip under net.inet.ip.arpqueued. ok deraadt@
Revision 1.160 / (download) - annotate - [select for diffs], Sun Jun 8 13:58:09 2008 UTC (16 years ago) by thib
Branch: MAIN
CVS Tags: OPENBSD_4_4_BASE, OPENBSD_4_4
Changes since 1.159: +8 -5 lines
Diff to previous 1.159 (colored)
alloc ipq's for fragment reassembly from a pool instead of using malloc(); ok henning@ some time ago
Revision 1.159 / (download) - annotate - [select for diffs], Fri May 9 02:44:54 2008 UTC (16 years, 1 month ago) by markus
Branch: MAIN
Changes since 1.158: +4 -1 lines
Diff to previous 1.158 (colored)
divert packets to local socket without modifying the ip header; makes transparent proxies much easier; ok beck@, feedback claudio@
Revision 1.158 / (download) - annotate - [select for diffs], Thu Apr 24 11:36:38 2008 UTC (16 years, 1 month ago) by dlg
Branch: MAIN
Changes since 1.157: +3 -3 lines
Diff to previous 1.157 (colored)
the softnet intr handlers check if the input queue has packets on it by reading the queue's head pointer. if that pointer is not null then it takes splnet and dequeues a packet for handling. this is bad because the ifqueue head is modified at splnet and the softnet handlers read it without holding splnet. this removes that check of the head pointer and simply checks if the dequeue gave us a packet or not before proceeding. found while reading mpls code. discussed with norby@ and henning@ ok mcbride@ henning@
Revision 1.157 / (download) - annotate - [select for diffs], Tue Feb 5 22:57:31 2008 UTC (16 years, 4 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_4_3_BASE, OPENBSD_4_3
Changes since 1.156: +5 -9 lines
Diff to previous 1.156 (colored)
Move carp load balancing (ARP/IP) to a simpler configuration scheme. Instead of using the same IP on multiple interfaces, carp has to be configured with the new "carpnodes" and "balancing" options. # ifconfig carp0 carpnodes 1:0,2:100,3:100 balancing ip carpdev sis0 192.168.5.50 Please note, that this is a flag day for anyone using carp balancing. You'll need to adjust your configuration accordingly. Additionally this diff adds IPv6 NDP balancing support. Tested and OK mcbride@, reyk@. Manpage help by jmc@.
Revision 1.156 / (download) - annotate - [select for diffs], Fri Dec 14 18:33:41 2007 UTC (16 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.155: +24 -1 lines
Diff to previous 1.155 (colored)
add sysctl entry points into various network layers, in particular to provide netstat(1) with data it needs; ok claudio reyk
Revision 1.155 / (download) - annotate - [select for diffs], Thu Dec 13 20:00:53 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.154: +6 -1 lines
Diff to previous 1.154 (colored)
implement sysctls to report IP, TCP, UDP, and ICMP statistics and change netstat to use them instead of accessing kvm for it. more protocols will be added later. discussed with deraadt@ claudio@ gilles@ ok deraadt@
Revision 1.154 / (download) - annotate - [select for diffs], Mon Oct 29 16:19:23 2007 UTC (16 years, 7 months ago) by chl
Branch: MAIN
Changes since 1.153: +4 -5 lines
Diff to previous 1.153 (colored)
MALLOC/FREE -> malloc/free ok krw@
Revision 1.153 / (download) - annotate - [select for diffs], Mon Sep 10 23:05:39 2007 UTC (16 years, 9 months ago) by thib
Branch: MAIN
Changes since 1.152: +1 -44 lines
Diff to previous 1.152 (colored)
Remove the ipq locking, it isn't strictly needed right now and is actually wrong in some cases, since we can enter functions without taking the lock because the return value of ipq_lock() isn't checked properly. However, this needs to be revisited when we start calling ip_drain() from the pool code when we are running out of memory, but this isn't done currently. OK art@, henning@
Revision 1.152 / (download) - annotate - [select for diffs], Sat Sep 1 18:49:28 2007 UTC (16 years, 9 months ago) by henning
Branch: MAIN
Changes since 1.151: +2 -1 lines
Diff to previous 1.151 (colored)
since the MGET* macros were changed to function calls, there wasn't any need for the pool declarations and the inclusion of pool.h From: tbert <bret.lambert@gmail.com>
Revision 1.151 / (download) - annotate - [select for diffs], Wed May 30 04:46:45 2007 UTC (17 years ago) by henning
Branch: MAIN
CVS Tags: OPENBSD_4_2_BASE, OPENBSD_4_2
Changes since 1.150: +1 -4 lines
Diff to previous 1.150 (colored)
no need to declare extern ipsec_in_use, we get it via ip_ipsp.h found by itojun
Revision 1.150 / (download) - annotate - [select for diffs], Tue May 29 17:46:24 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.149: +12 -4 lines
Diff to previous 1.149 (colored)
gain another 5+% in ip forwarding performance. boring details: skip looking for ipsec tags and descending into ip_spd_lookup if there are no ipsec flows, except in one case in ip_output (spotted by markus) where we have to if we have a pcb. ip_spd_lookup has the shortcut already, but there is enough work done before so that skipping that gains us about 5%. ok theo, markus
Revision 1.149 / (download) - annotate - [select for diffs], Mon May 28 17:16:39 2007 UTC (17 years ago) by henning
Branch: MAIN
Changes since 1.148: +2 -6 lines
Diff to previous 1.148 (colored)
double pf performance. boring details: pf used to use an mbuf tag to keep track of route-to etc, altq, tags, routing table IDs, packets redirected to localhost etc. so each and every packet going through pf got an mbuf tag. mbuf tags use malloc'd memory, and that is kinda slow. instead, stuff the information into the mbuf header directly. bridging soekris with just "pass" as ruleset went from 29 MBit/s to 58 MBit/s with that (before ryan's randomness fix, now it is even betterer) thanks to chris for the test setup! ok ryan ryan ckuethe reyk
Revision 1.148 / (download) - annotate - [select for diffs], Sun May 27 20:14:15 2007 UTC (17 years ago) by dlg
Branch: MAIN
Changes since 1.147: +4 -4 lines
Diff to previous 1.147 (colored)
-static on appropriate functions
Revision 1.147 / (download) - annotate - [select for diffs], Sun Mar 18 23:23:17 2007 UTC (17 years, 2 months ago) by mpf
Branch: MAIN
Changes since 1.146: +24 -1 lines
Diff to previous 1.146 (colored)
Add IP load balancing support for carp(4). This provides a similar functionality as ARP balancing, but also works for traffic that comes across routers. IPv6 is supported as well. The configuration scheme will change as soon we have sth better. Also add support for changing the MAC address on carp(4) interfaces. (code from mcbride) Tested by pyr@ and reyk@ OK mcbride@
Revision 1.146 / (download) - annotate - [select for diffs], Thu Dec 28 20:06:10 2006 UTC (17 years, 5 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_4_1_BASE, OPENBSD_4_1
Changes since 1.145: +2 -2 lines
Diff to previous 1.145 (colored)
check if ifqueue has anything queued before doing the dance of splnet/IF_DEQUEUE/splx; ok various people
Revision 1.145 / (download) - annotate - [select for diffs], Mon Nov 27 12:27:45 2006 UTC (17 years, 6 months ago) by henning
Branch: MAIN
Changes since 1.144: +15 -4 lines
Diff to previous 1.144 (colored)
make use of multiple routing tables. hook up looking up routes in alternate tables to the packet forwarding path. alternate routing tables are maintained with route(8), table selection via pf. mostly hacked on a train ride with ryan some time ago, ok mcbride claudio
Revision 1.144 / (download) - annotate - [select for diffs], Wed Oct 11 09:29:20 2006 UTC (17 years, 8 months ago) by henning
Branch: MAIN
Changes since 1.143: +7 -1 lines
Diff to previous 1.143 (colored)
implement IP_RECVTTL socket option. when set on raw or udp sockets, userland receives the incoming packet's TTL as ancillary data (cmsg shitz). modeled after the FreeBSD implementation. ok claudio djm deraadt
Revision 1.143 / (download) - annotate - [select for diffs], Sun Jun 18 12:03:19 2006 UTC (17 years, 11 months ago) by pascoe
Branch: MAIN
CVS Tags: OPENBSD_4_0_BASE, OPENBSD_4_0
Changes since 1.142: +2 -2 lines
Diff to previous 1.142 (colored)
Whitespace, oops.
Revision 1.142 / (download) - annotate - [select for diffs], Sun Jun 18 11:47:45 2006 UTC (17 years, 11 months ago) by pascoe
Branch: MAIN
Changes since 1.141: +21 -11 lines
Diff to previous 1.141 (colored)
Add support for equal-cost multipath IP. To minimise path disruptions, this implements recommendations made in RFC2992 - the hash-threshold mechanism to select paths based on source/destination IP address pairs, and inserts multipath routes in the middle of the route table. To enable multipath distribution, use: sysctl net.inet.ip.multipath=1 and/or: sysctl net.inet6.ip6.multipath=1 testing norby@ ok claudio@ henning@ hshoexer@
Revision 1.141 / (download) - annotate - [select for diffs], Fri Jun 16 16:49:40 2006 UTC (17 years, 11 months ago) by henning
Branch: MAIN
Changes since 1.140: +2 -2 lines
Diff to previous 1.140 (colored)
adjust functions dealing with the routing table to take a table ID as parameter so they can work on alternate tables. table 0 hardcoded for many callers yet, that will be adapted step by step. input + ok claudio norby hshoexer
Revision 1.140 / (download) - annotate - [select for diffs], Thu Jun 15 10:08:34 2006 UTC (18 years ago) by pascoe
Branch: MAIN
Changes since 1.139: +3 -3 lines
Diff to previous 1.139 (colored)
Make number of varargs passed to ip_output match reality. henning@ claudio@ ok
Revision 1.139 / (download) - annotate - [select for diffs], Mon May 29 20:42:27 2006 UTC (18 years ago) by claudio
Branch: MAIN
Changes since 1.138: +63 -1 lines
Diff to previous 1.138 (colored)
Make savecontrol functions more generic and use them now for raw IP too. Additionally add the IP_RECVIF option which returns the interface a packet was received on. OK markus@ norby@
Revision 1.138 / (download) - annotate - [select for diffs], Sun Mar 5 21:48:56 2006 UTC (18 years, 3 months ago) by miod
Branch: MAIN
Changes since 1.137: +24 -24 lines
Diff to previous 1.137 (colored)
Use more queue macros rather than doing it by hand; ok otto@ krw@
Revision 1.131.2.1 / (download) - annotate - [select for diffs], Sun Mar 5 03:08:25 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_8
Changes since 1.131: +3 -3 lines
Diff to previous 1.131 (colored) next main 1.132 (colored)
MFC: Fix by mpf@ m_pullup the same amount we copied, not just the IP header. Any pf(4) translation that modifies more than IP addresses, was happening on the shared mbuf cluster. Thus we were sending icmp errors with corrupted payload. ok mpf@ markus@ dhartmei@
Revision 1.125.2.2 / (download) - annotate - [select for diffs], Sun Mar 5 03:04:01 2006 UTC (18 years, 3 months ago) by brad
Branch: OPENBSD_3_7
Changes since 1.125.2.1: +3 -3 lines
Diff to previous 1.125.2.1 (colored) to branchpoint 1.125 (colored) next main 1.126 (colored)
MFC: Fix by mpf@ m_pullup the same amount we copied, not just the IP header. Any pf(4) translation that modifies more than IP addresses, was happening on the shared mbuf cluster. Thus we were sending icmp errors with corrupted payload. ok mpf@ markus@ dhartmei@
Revision 1.137 / (download) - annotate - [select for diffs], Sat Mar 4 22:40:16 2006 UTC (18 years, 3 months ago) by brad
Branch: MAIN
Changes since 1.136: +2 -2 lines
Diff to previous 1.136 (colored)
With the exception of two other small uncommitted diffs this moves the remainder of the network stack from splimp to splnet. ok miod@
Revision 1.136 / (download) - annotate - [select for diffs], Tue Jan 3 14:53:50 2006 UTC (18 years, 5 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_3_9_BASE, OPENBSD_3_9
Changes since 1.135: +3 -3 lines
Diff to previous 1.135 (colored)
m_pullup the same amount we copied, not just the IP header. Any pf(4) translation that modifies more than IP addresses, was happening on the shared mbuf cluster. Thus we were sending icmp errors with corrupted payload. OK dhartmei@, markus@
Revision 1.135 / (download) - annotate - [select for diffs], Sun Nov 20 19:25:16 2005 UTC (18 years, 6 months ago) by brad
Branch: MAIN
Changes since 1.134: +4 -3 lines
Diff to previous 1.134 (colored)
splimp -> splvm. mbuf allocation here. ok henning@
Revision 1.134 / (download) - annotate - [select for diffs], Wed Oct 5 17:32:22 2005 UTC (18 years, 8 months ago) by norby
Branch: MAIN
Changes since 1.133: +3 -3 lines
Diff to previous 1.133 (colored)
Add multicast routing to GENERIC. It is now possible to enable multicast routing in the kernel with the sysctl option net.inet.ip.mforwarding=1 Based on initial work by msf@ help claudio@ ok claudio@ deraadt@
Revision 1.133 / (download) - annotate - [select for diffs], Mon Sep 19 01:48:05 2005 UTC (18 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.132: +2 -2 lines
Diff to previous 1.132 (colored)
typo
Revision 1.132 / (download) - annotate - [select for diffs], Mon Sep 19 01:47:42 2005 UTC (18 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.131: +2 -2 lines
Diff to previous 1.131 (colored)
Fix initialisation of baddynamicports.udp, busted since 1997, wow. found by leonardo@iken.com.br
Revision 1.131 / (download) - annotate - [select for diffs], Thu Aug 11 12:55:31 2005 UTC (18 years, 10 months ago) by mpf
Branch: MAIN
CVS Tags: OPENBSD_3_8_BASE
Branch point for: OPENBSD_3_8
Changes since 1.130: +4 -2 lines
Diff to previous 1.130 (colored)
New counter for not joined IPv4 multicast groups. Don't count link local scope multicast as not forwardable. This stops ips_cantforward growing on carp(4) networks. tested and ok mcbride@, ok markus@.
Revision 1.130 / (download) - annotate - [select for diffs], Sun Jul 31 03:30:55 2005 UTC (18 years, 10 months ago) by pascoe
Branch: MAIN
Changes since 1.129: +8 -18 lines
Diff to previous 1.129 (colored)
Change the API for icmp_do_error so that it takes the mtu directly, rather than a pointer to struct ifnet containing it. Saves a 448 byte stack allocation in ip_forward which previously faked up a struct ifnet just for this purpose. idea ok deraadt millert
Revision 1.129 / (download) - annotate - [select for diffs], Wed Jun 15 07:24:05 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.128: +1 -8 lines
Diff to previous 1.128 (colored)
remove from "attempted source route ..." message; ok deraadt, mpf, henning, millert
Revision 1.125.2.1 / (download) - annotate - [select for diffs], Tue Jun 14 02:10:33 2005 UTC (19 years ago) by brad
Branch: OPENBSD_3_7
Changes since 1.125: +3 -1 lines
Diff to previous 1.125 (colored)
MFC: Fix by markus@ make sure the IP packet contains a full struct ip_timestamp from art ok deraadt@ markus@
Revision 1.122.2.1 / (download) - annotate - [select for diffs], Tue Jun 14 01:49:24 2005 UTC (19 years ago) by brad
Branch: OPENBSD_3_6
Changes since 1.122: +3 -1 lines
Diff to previous 1.122 (colored) next main 1.123 (colored)
MFC: Fix by markus@ make sure the IP packet contains a full struct ip_timestamp from art ok deraadt@ markus@
Revision 1.128 / (download) - annotate - [select for diffs], Fri Jun 10 15:56:01 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.127: +3 -1 lines
Diff to previous 1.127 (colored)
make sure the IP packet contains a full struct ip_timestamp from art; ok deraadt, claudio, henning
Revision 1.127 / (download) - annotate - [select for diffs], Tue May 24 04:20:25 2005 UTC (19 years ago) by markus
Branch: MAIN
Changes since 1.126: +6 -3 lines
Diff to previous 1.126 (colored)
add net.inet.ip.ifq for monitoring and changing ifqueue; similar to netbsd ok henning
Revision 1.126 / (download) - annotate - [select for diffs], Mon Apr 25 17:55:51 2005 UTC (19 years, 1 month ago) by brad
Branch: MAIN
Changes since 1.125: +4 -4 lines
Diff to previous 1.125 (colored)
csum -> csum_flags ok krw@ canacar@
Revision 1.125 / (download) - annotate - [select for diffs], Thu Jan 20 15:00:13 2005 UTC (19 years, 4 months ago) by markus
Branch: MAIN
CVS Tags: OPENBSD_3_7_BASE
Branch point for: OPENBSD_3_7
Changes since 1.124: +7 -3 lines
Diff to previous 1.124 (colored)
expire ipforward_rt cache in ip_slowtimeo; fixes pr 1697; ok claudio
Revision 1.124 / (download) - annotate - [select for diffs], Mon Oct 18 07:41:28 2004 UTC (19 years, 7 months ago) by otto
Branch: MAIN
Changes since 1.123: +3 -2 lines
Diff to previous 1.123 (colored)
Do not embed an ip header with a decremented ttl into an icmp message. Wait with the decrement until after the copy is done. Resolves checksum mismatches on the embedded header, as reported by tcpdump. ok markus@ itojun@
Revision 1.123 / (download) - annotate - [select for diffs], Thu Sep 23 17:38:10 2004 UTC (19 years, 8 months ago) by brad
Branch: MAIN
Changes since 1.122: +7 -26 lines
Diff to previous 1.122 (colored)
remove some more compile time overrides, use the sysctl's. ok markus@
Revision 1.122 / (download) - annotate - [select for diffs], Sat Jul 31 21:27:31 2004 UTC (19 years, 10 months ago) by brad
Branch: MAIN
CVS Tags: OPENBSD_3_6_BASE
Branch point for: OPENBSD_3_6
Changes since 1.121: +2 -9 lines
Diff to previous 1.121 (colored)
remove GATEWAY and IPFORWARDING option knobs, use the sysctl. ok mcbride@ miod@ deraadt@
Revision 1.121 / (download) - annotate - [select for diffs], Tue Jun 22 07:35:20 2004 UTC (19 years, 11 months ago) by cedric
Branch: MAIN
Changes since 1.120: +17 -22 lines
Diff to previous 1.120 (colored)
Pull the plug on source-based routing until remaining bugs are eradicated. No need to reconfig kernel or rebuild userland stuff. requested deraadt@, help beck@
Revision 1.120 / (download) - annotate - [select for diffs], Mon Jun 21 19:26:01 2004 UTC (19 years, 11 months ago) by mcbride
Branch: MAIN
Changes since 1.119: +2 -2 lines
Diff to previous 1.119 (colored)
Get rid of pf_test_eh() wrapper. ok cedric@ henning@
Revision 1.48.2.13 / (download) - annotate - [select for diffs], Mon Jun 7 20:41:39 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.48.2.12: +21 -16 lines
Diff to previous 1.48.2.12 (colored) to branchpoint 1.48 (colored) next main 1.49 (colored)
sync to head
Revision 1.119 / (download) - annotate - [select for diffs], Sun Jun 6 16:49:09 2004 UTC (20 years ago) by cedric
Branch: MAIN
CVS Tags: SMP_SYNC_B, SMP_SYNC_A
Changes since 1.118: +22 -17 lines
Diff to previous 1.118 (colored)
extend routing table to be able to match and route packets based on their *source* IP address in addition to their destination address. routing table "destination" now contains a "struct sockaddr_rtin" for IPv4 instead of a "struct sockaddr_in". the routing socket has been extended in a backward-compatible way. todo: PMTU enhancements, IPv6. ok deraadt@ mcbride@
Revision 1.48.2.12 / (download) - annotate - [select for diffs], Sat Jun 5 23:11:25 2004 UTC (20 years ago) by niklas
Branch: SMP
Changes since 1.48.2.11: +9 -64 lines
Diff to previous 1.48.2.11 (colored) to branchpoint 1.48 (colored)
Merge with the trunk
Revision 1.118 / (download) - annotate - [select for diffs], Mon Mar 15 09:45:31 2004 UTC (20 years, 3 months ago) by tedu
Branch: MAIN
CVS Tags: OPENBSD_3_5_BASE, OPENBSD_3_5
Changes since 1.117: +4 -4 lines
Diff to previous 1.117 (colored)
strncpy -> strlcpy. ok markus@ "(this is even unused crap, i think)" from Patrick Latifi
Revision 1.48.2.11 / (download) - annotate - [select for diffs], Thu Feb 19 10:57:24 2004 UTC (20 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.48.2.10: +64 -58 lines
Diff to previous 1.48.2.10 (colored) to branchpoint 1.48 (colored)
Merge of current from two weeks ago into the SMP branch
Revision 1.117 / (download) - annotate - [select for diffs], Sun Feb 15 11:16:08 2004 UTC (20 years, 4 months ago) by markus
Branch: MAIN
Changes since 1.116: +6 -61 lines
Diff to previous 1.116 (colored)
switch to sysctl_int_arr(); ok itojun, henning, miod, deraadt
Revision 1.116 / (download) - annotate - [select for diffs], Fri Feb 13 01:29:46 2004 UTC (20 years, 4 months ago) by brad
Branch: MAIN
Changes since 1.115: +2 -2 lines
Diff to previous 1.115 (colored)
typo, lenght -> length
Revision 1.115 / (download) - annotate - [select for diffs], Wed Dec 10 07:22:43 2003 UTC (20 years, 6 months ago) by itojun
Branch: MAIN
Changes since 1.114: +24 -24 lines
Diff to previous 1.114 (colored)
de-register. deraadt ok
Revision 1.114 / (download) - annotate - [select for diffs], Tue Jul 29 03:21:57 2003 UTC (20 years, 10 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_3_4_BASE, OPENBSD_3_4
Changes since 1.113: +2 -1 lines
Diff to previous 1.113 (colored)
fixup ip_len back to wire format after reass.
Revision 1.113 / (download) - annotate - [select for diffs], Wed Jul 9 22:03:16 2003 UTC (20 years, 11 months ago) by itojun
Branch: MAIN
Changes since 1.112: +40 -35 lines
Diff to previous 1.112 (colored)
do not flip ip_len/ip_off in netinet stack. deraadt ok. (please test, especially PF portion)
Revision 1.48.2.10 / (download) - annotate - [select for diffs], Sat Jun 7 11:06:08 2003 UTC (21 years ago) by ho
Branch: SMP
Changes since 1.48.2.9: +2 -6 lines
Diff to previous 1.48.2.9 (colored) to branchpoint 1.48 (colored)
Sync SMP branch to -current
Revision 1.112 / (download) - annotate - [select for diffs], Mon Jun 2 23:28:14 2003 UTC (21 years ago) by millert
Branch: MAIN
Changes since 1.111: +2 -6 lines
Diff to previous 1.111 (colored)
Remove the advertising clause in the UCB license which Berkeley rescinded 22 July 1999. Proofed by myself and Theo.
Revision 1.96.2.4 / (download) - annotate - [select for diffs], Mon May 19 22:40:40 2003 UTC (21 years ago) by tedu
Branch: UBC
Changes since 1.96.2.3: +11 -10 lines
Diff to previous 1.96.2.3 (colored) to branchpoint 1.96 (colored) next main 1.97 (colored)
sync
Revision 1.48.2.9 / (download) - annotate - [select for diffs], Tue May 13 19:36:17 2003 UTC (21 years, 1 month ago) by ho
Branch: SMP
Changes since 1.48.2.8: +5 -3 lines
Diff to previous 1.48.2.8 (colored) to branchpoint 1.48 (colored)
Sync the SMP branch to -current. This includes moving to ELF.
Revision 1.111 / (download) - annotate - [select for diffs], Sat May 3 21:16:30 2003 UTC (21 years, 1 month ago) by deraadt
Branch: MAIN
CVS Tags: UBC_SYNC_A
Changes since 1.110: +5 -3 lines
Diff to previous 1.110 (colored)
string fixes; tedu ok
Revision 1.48.2.8 / (download) - annotate - [select for diffs], Fri Mar 28 00:06:54 2003 UTC (21 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.48.2.7: +58 -25 lines
Diff to previous 1.48.2.7 (colored) to branchpoint 1.48 (colored)
Sync the SMP branch with 3.3
Revision 1.110 / (download) - annotate - [select for diffs], Wed Feb 12 14:41:07 2003 UTC (21 years, 4 months ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_3_3_BASE, OPENBSD_3_3
Changes since 1.109: +3 -1 lines
Diff to previous 1.109 (colored)
Remove commons; inspired by netbsd.
Revision 1.109 / (download) - annotate - [select for diffs], Tue Feb 11 21:08:04 2003 UTC (21 years, 4 months ago) by cedric
Branch: MAIN
Changes since 1.108: +5 -2 lines
Diff to previous 1.108 (colored)
No ICMP redirect when PF nat code redirects the packet on the LAN. ok dhartmei@
Revision 1.108 / (download) - annotate - [select for diffs], Tue Jan 7 09:00:34 2003 UTC (21 years, 5 months ago) by kjc
Branch: MAIN
Changes since 1.107: +1 -7 lines
Diff to previous 1.107 (colored)
remove the altq classifier code which is replaced by pf and no longer used. ok henning@, deraadt@
Revision 1.96.2.3 / (download) - annotate - [select for diffs], Tue Oct 29 00:36:47 2002 UTC (21 years, 7 months ago) by art
Branch: UBC
Changes since 1.96.2.2: +13 -13 lines
Diff to previous 1.96.2.2 (colored) to branchpoint 1.96 (colored)
sync to -current
Revision 1.107 / (download) - annotate - [select for diffs], Wed Sep 4 19:04:38 2002 UTC (21 years, 9 months ago) by dhartmei
Branch: MAIN
CVS Tags: UBC_SYNC_B, OPENBSD_3_2_BASE, OPENBSD_3_2
Changes since 1.106: +1 -3 lines
Diff to previous 1.106 (colored)
Ghosts from the past (fixed 1.65, reverted 1.66) rediscovered by Henric Jungheim. ok deraadt@
Revision 1.106 / (download) - annotate - [select for diffs], Wed Aug 28 15:43:03 2002 UTC (21 years, 9 months ago) by pefo
Branch: MAIN
Changes since 1.105: +2 -2 lines
Diff to previous 1.105 (colored)
Fix a problem where passing NULL as a pointer with varargs does not promote NULL to full 64 bits on a 64 bit address system. Solution is to add a (void *) cast before NULL. This makes a 64 bit MIPS kernel work and will probably help future 64 bit ports as well. OK from art@
Revision 1.105 / (download) - annotate - [select for diffs], Wed Jul 3 21:19:08 2002 UTC (21 years, 11 months ago) by miod
Branch: MAIN
Changes since 1.104: +3 -1 lines
Diff to previous 1.104 (colored)
Change all variables definitions (int foo) in sys/sys/*.h to variable declarations (extern int foo), and compensate in the appropriate locations.
Revision 1.96.2.2 / (download) - annotate - [select for diffs], Tue Jun 11 03:31:36 2002 UTC (22 years ago) by art
Branch: UBC
Changes since 1.96.2.1: +56 -10 lines
Diff to previous 1.96.2.1 (colored) to branchpoint 1.96 (colored)
Sync UBC branch to -current
Revision 1.104 / (download) - annotate - [select for diffs], Sun Jun 9 16:26:10 2002 UTC (22 years ago) by itojun
Branch: MAIN
Changes since 1.103: +11 -11 lines
Diff to previous 1.103 (colored)
whitespace
Revision 1.103 / (download) - annotate - [select for diffs], Fri Jun 7 23:50:10 2002 UTC (22 years ago) by jasoni
Branch: MAIN
Changes since 1.102: +2 -2 lines
Diff to previous 1.102 (colored)
use TAILQ_FOREACH macro; ok angelos
Revision 1.102 / (download) - annotate - [select for diffs], Thu May 16 14:10:51 2002 UTC (22 years, 1 month ago) by kjc
Branch: MAIN
Changes since 1.101: +18 -1 lines
Diff to previous 1.101 (colored)
bring in ECN support from KAME. it consists of - ECN support in TCP - tunnel-egress and fragment reassembly rules in layer-3 not to lose congestion info at tunnel-egress and fragment reassembly to enable ECN in TCP, build a kernel with TCP_ECN, and then, turn it on by "sysctl -w net.inet.tcp.ecn=1". ok deraadt@
Revision 1.101 / (download) - annotate - [select for diffs], Wed Apr 24 01:05:12 2002 UTC (22 years, 1 month ago) by angelos
Branch: MAIN
Changes since 1.100: +23 -6 lines
Diff to previous 1.100 (colored)
Update IPsec-related comments.
Revision 1.48.2.7 / (download) - annotate - [select for diffs], Thu Mar 28 14:56:45 2002 UTC (22 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.48.2.6: +3 -3 lines
Diff to previous 1.48.2.6 (colored) to branchpoint 1.48 (colored)
Merge in -current from roughly a week ago
Revision 1.100 / (download) - annotate - [select for diffs], Thu Mar 14 01:27:11 2002 UTC (22 years, 3 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_3_1_BASE, OPENBSD_3_1
Changes since 1.99: +4 -4 lines
Diff to previous 1.99 (colored)
First round of __P removal in sys
Revision 1.48.2.6 / (download) - annotate - [select for diffs], Wed Mar 6 02:15:07 2002 UTC (22 years, 3 months ago) by niklas
Branch: SMP
Changes since 1.48.2.5: +15 -9 lines
Diff to previous 1.48.2.5 (colored) to branchpoint 1.48 (colored)
Merge in trunk
Revision 1.99 / (download) - annotate - [select for diffs], Fri Feb 22 02:49:06 2002 UTC (22 years, 3 months ago) by itojun
Branch: MAIN
Changes since 1.98: +13 -1 lines
Diff to previous 1.98 (colored)
do not transmit ICMP source quench. from kjc/kame
Revision 1.96.2.1 / (download) - annotate - [select for diffs], Thu Jan 31 22:55:45 2002 UTC (22 years, 4 months ago) by niklas
Branch: UBC
Changes since 1.96: +3 -6 lines
Diff to previous 1.96 (colored)
Merge in -current, builds on i386, otherwise untested
Revision 1.98 / (download) - annotate - [select for diffs], Fri Jan 25 15:50:23 2002 UTC (22 years, 4 months ago) by art
Branch: MAIN
Changes since 1.97: +2 -5 lines
Diff to previous 1.97 (colored)
Add a drain hook to each pool. This hook is called in three cases. 1. When a pool hit the hard limit. Just before bailing out/sleeping. 2. When an allocator fails to allocate memory (with PR_NOWAIT). 3. Just before trying to reclaim some page in pool_reclaim. The function called from the hook should try to free some items to the pool if possible. Convert m_reclaim hooks that were embedded in MCLGET, MGET and MGETHDR into a pool drain hook (making the code much cleaner).
Revision 1.97 / (download) - annotate - [select for diffs], Wed Jan 23 00:39:48 2002 UTC (22 years, 4 months ago) by art
Branch: MAIN
Changes since 1.96: +2 -2 lines
Diff to previous 1.96 (colored)
Pool deals fairly well with physical memory shortage, but it doesn't deal well (not at all) with shortages of the vm_map where the pages are mapped (usually kmem_map). Try to deal with it: - group all information the backend allocator for a pool in a separate struct. The pool will only have a pointer to that struct. - change the pool_init API to reflect that. - link all pools allocating from the same allocator on a linked list. - Since an allocator is responsible to wait for physical memory it will only fail (waitok) when it runs out of its backing vm_map, carefully drain pools using the same allocator so that va space is freed. (see comments in code for caveats and details). - change pool_reclaim to return if it actually succeeded to free some memory, use that information to make draining easier and more efficient. - get rid of PR_URGENT, no one uses it.
Revision 1.96 / (download) - annotate - [select for diffs], Mon Dec 10 12:05:40 2001 UTC (22 years, 6 months ago) by ho
Branch: MAIN
CVS Tags: UBC_BASE
Branch point for: UBC
Changes since 1.95: +2 -2 lines
Diff to previous 1.95 (colored)
No need to m_freem(m) if m is already NULL. dhartmei@ ok.
Revision 1.95 / (download) - annotate - [select for diffs], Thu Dec 6 02:12:52 2001 UTC (22 years, 6 months ago) by itojun
Branch: MAIN
Changes since 1.94: +1 -4 lines
Diff to previous 1.94 (colored)
remove #if 0'ed portion (for KAME IPSEC - not needed)
Revision 1.48.2.5 / (download) - annotate - [select for diffs], Wed Dec 5 01:02:40 2001 UTC (22 years, 6 months ago) by niklas
Branch: SMP
Changes since 1.48.2.4: +3 -1 lines
Diff to previous 1.48.2.4 (colored) to branchpoint 1.48 (colored)
Merge in -current
Revision 1.94 / (download) - annotate - [select for diffs], Mon Nov 26 16:50:26 2001 UTC (22 years, 6 months ago) by jasoni
Branch: MAIN
Changes since 1.93: +3 -1 lines
Diff to previous 1.93 (colored)
add fastroute options similar to what is found in ipf ok dhartmei@, frantzen@
Revision 1.48.2.4 / (download) - annotate - [select for diffs], Wed Oct 31 03:29:03 2001 UTC (22 years, 7 months ago) by nate
Branch: SMP
Changes since 1.48.2.3: +31 -19 lines
Diff to previous 1.48.2.3 (colored) to branchpoint 1.48 (colored)
Sync the SMP branch to something just after 3.0
Revision 1.93 / (download) - annotate - [select for diffs], Tue Sep 18 15:24:32 2001 UTC (22 years, 8 months ago) by aaron
Branch: MAIN
CVS Tags: OPENBSD_3_0_BASE, OPENBSD_3_0
Changes since 1.92: +2 -1 lines
Diff to previous 1.92 (colored)
Avoid memory leak when disabling PMTU, rt_timer_queue_destroy() expects the caller to free the structure.
Revision 1.92 / (download) - annotate - [select for diffs], Tue Jul 17 20:34:50 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.91: +5 -5 lines
Diff to previous 1.91 (colored)
split ip normalization out into a separate file, okay dhartmei@
Revision 1.91 / (download) - annotate - [select for diffs], Mon Jul 16 22:11:04 2001 UTC (22 years, 11 months ago) by fgsch
Branch: MAIN
Changes since 1.90: +13 -14 lines
Diff to previous 1.90 (colored)
Move altq after pf; suggested by aaron@, kjc@ ok.
Revision 1.90 / (download) - annotate - [select for diffs], Thu Jul 5 16:45:54 2001 UTC (22 years, 11 months ago) by jjbg
Branch: MAIN
Changes since 1.89: +14 -2 lines
Diff to previous 1.89 (colored)
IPComp support. angelos@ ok.
Revision 1.48.2.3 / (download) - annotate - [select for diffs], Wed Jul 4 10:54:49 2001 UTC (22 years, 11 months ago) by niklas
Branch: SMP
Changes since 1.48.2.2: +105 -155 lines
Diff to previous 1.48.2.2 (colored) to branchpoint 1.48 (colored)
Merge in -current from two days ago in the SMP branch. As usual with merges, they do not indicate progress, so do not hold your breath for working SMP, and do not mail me and ask about the state of it. It has not changed. There is work ongoing, but very, very slowly. The commit is done in parts as to not lock up the tree in too big chunks at a time.
Revision 1.89 / (download) - annotate - [select for diffs], Thu Jun 28 21:53:42 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.88: +8 -3 lines
Diff to previous 1.88 (colored)
first stab at packet normalization. includes full ip reassembly. okay dhartmei@, dugsong@
Revision 1.88 / (download) - annotate - [select for diffs], Wed Jun 27 05:50:07 2001 UTC (22 years, 11 months ago) by kjc
Branch: MAIN
Changes since 1.87: +7 -1 lines
Diff to previous 1.87 (colored)
ALTQ base modifications to the kernel. - ALTQ introduces a set of new queue macros that coexist with the traditional IF_XXX macros. - "struct ifaltq" replaces "struct ifqueue" in "struct ifnet". - assign cdev major 74 for i386 and 54 for alpha as ALTQ control interface.
Revision 1.87 / (download) - annotate - [select for diffs], Tue Jun 26 18:17:54 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.86: +3 -7 lines
Diff to previous 1.86 (colored)
no longer pass around **m
Revision 1.86 / (download) - annotate - [select for diffs], Mon Jun 25 08:05:24 2001 UTC (22 years, 11 months ago) by art
Branch: MAIN
Changes since 1.85: +3 -1 lines
Diff to previous 1.85 (colored)
Build without IPSEC.
Revision 1.85 / (download) - annotate - [select for diffs], Sun Jun 24 23:42:40 2001 UTC (22 years, 11 months ago) by mickey
Branch: MAIN
Changes since 1.84: +8 -2 lines
Diff to previous 1.84 (colored)
make it compile w/o pf
Revision 1.84 / (download) - annotate - [select for diffs], Sun Jun 24 19:48:58 2001 UTC (22 years, 11 months ago) by kjell
Branch: MAIN
Changes since 1.83: +12 -1 lines
Diff to previous 1.83 (colored)
Initial import of pf, an all-new ipf-compatible packet filter. Insane amounts of work done by dhartmei. Great work!
Revision 1.83 / (download) - annotate - [select for diffs], Sun Jun 24 18:24:56 2001 UTC (22 years, 11 months ago) by provos
Branch: MAIN
Changes since 1.82: +13 -50 lines
Diff to previous 1.82 (colored)
take mtu from routing table
Revision 1.82 / (download) - annotate - [select for diffs], Sat Jun 23 18:54:44 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.81: +9 -6 lines
Diff to previous 1.81 (colored)
Clear the checksum flags after verification. Also, don't count checksum errors as hardware checksum packets as well.
Revision 1.81 / (download) - annotate - [select for diffs], Sat Jun 23 18:45:29 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.80: +3 -2 lines
Diff to previous 1.80 (colored)
Count input packets hardware-checksummed.
Revision 1.80 / (download) - annotate - [select for diffs], Sat Jun 23 16:15:56 2001 UTC (22 years, 11 months ago) by fgsch
Branch: MAIN
Changes since 1.79: +1 -6 lines
Diff to previous 1.79 (colored)
Remove unneeded ip_id conversions. Instead of using HTONS macro in some places, use htons directly in the struct member and save us a few bytes. Fix comment.
Revision 1.79 / (download) - annotate - [select for diffs], Sat Jun 23 05:55:40 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.78: +3 -1 lines
Diff to previous 1.78 (colored)
Count input/output hardware-checksummed IP packets.
Revision 1.78 / (download) - annotate - [select for diffs], Sat Jun 23 03:39:03 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.77: +3 -1 lines
Diff to previous 1.77 (colored)
Clear IPv4 input checksum OK flag after verification.
Revision 1.77 / (download) - annotate - [select for diffs], Sat Jun 23 02:27:09 2001 UTC (22 years, 11 months ago) by angelos
Branch: MAIN
Changes since 1.76: +7 -4 lines
Diff to previous 1.76 (colored)
TCP, UDP, IPv4 input hardware checksumming processing; also IPv4 output hardware checksumming. Not tested yet, but should be done tonight. Remain to be solved: interactions with bridge, TCP/UDP output checksumming, interactions of TCP/UDP checksumming with routing changes.
Revision 1.76 / (download) - annotate - [select for diffs], Tue Jun 19 00:48:23 2001 UTC (22 years, 11 months ago) by deraadt
Branch: MAIN
Changes since 1.75: +2 -1 lines
Diff to previous 1.75 (colored)
mop up after angelos
Revision 1.75 / (download) - annotate - [select for diffs], Fri Jun 8 03:53:46 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.74: +1 -15 lines
Diff to previous 1.74 (colored)
Cut down on include files.
Revision 1.74 / (download) - annotate - [select for diffs], Fri Jun 1 19:53:33 2001 UTC (23 years ago) by provos
Branch: MAIN
Changes since 1.73: +13 -8 lines
Diff to previous 1.73 (colored)
use pool allocation for ip fragment queue, from netbsd, okay angelos@, itojun@
Revision 1.73 / (download) - annotate - [select for diffs], Wed May 30 02:12:31 2001 UTC (23 years ago) by deraadt
Branch: MAIN
Changes since 1.72: +1 -22 lines
Diff to previous 1.72 (colored)
Remove ipf. Darren Reed has interpreted his (old, new, whichever) licence in a way that makes ipf not free according to the rules we established over 5 years ago, at www.openbsd.org/goals.html (and those same basic rules govern the other *BSD projects too). Specifically, Darren says that modified versions are not permitted. But software which OpenBSD uses and redistributes must be free to all (be they people or companies), for any purpose they wish to use it, including modification, use, peeing on, or even integration into baby mulching machines or atomic bombs to be dropped on Australia. Furthermore, we know of a number of companies using ipf with modification like us, who are now in the same situation, and we hope that some of them will work with us to fill this gap that now exists in OpenBSD (temporarily, we hope).
Revision 1.72 / (download) - annotate - [select for diffs], Sun May 27 00:39:26 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.71: +3 -3 lines
Diff to previous 1.71 (colored)
Use the new IPsec tags.
Revision 1.71 / (download) - annotate - [select for diffs], Sun May 20 19:19:57 2001 UTC (23 years ago) by fgsch
Branch: MAIN
Changes since 1.70: +4 -23 lines
Diff to previous 1.70 (colored)
Remove varargs from ipv4_input; cmetz@ deraadt@ ok.
Revision 1.70 / (download) - annotate - [select for diffs], Sun May 20 08:35:11 2001 UTC (23 years ago) by angelos
Branch: MAIN
Changes since 1.69: +15 -14 lines
Diff to previous 1.69 (colored)
Use packet tags instead of tdbi.
Revision 1.69 / (download) - annotate - [select for diffs], Wed May 16 06:38:25 2001 UTC (23 years, 1 month ago) by fgsch
Branch: MAIN
Changes since 1.68: +2 -2 lines
Diff to previous 1.68 (colored)
Don't clobber ip_sum; ip_output always sets this to 0 before calling in_cksum so it's not needed here; itojun@ ok. This makes the ip_sum available in ipfilter.
Revision 1.48.2.2 / (download) - annotate - [select for diffs], Mon May 14 22:40:11 2001 UTC (23 years, 1 month ago) by niklas
Branch: SMP
Changes since 1.48.2.1: +195 -39 lines
Diff to previous 1.48.2.1 (colored) to branchpoint 1.48 (colored)
merge in approximately 2.9 into SMP branch
Revision 1.68 / (download) - annotate - [select for diffs], Fri May 11 17:20:11 2001 UTC (23 years, 1 month ago) by aaron
Branch: MAIN
Changes since 1.67: +5 -5 lines
Diff to previous 1.67 (colored)
Check m_pullup() and m_pullup2() return for NULL, not 0; itojun@ ok
Revision 1.67 / (download) - annotate - [select for diffs], Tue May 1 09:55:49 2001 UTC (23 years, 1 month ago) by provos
Branch: MAIN
Changes since 1.66: +26 -24 lines
Diff to previous 1.66 (colored)
get rid of dtom(), okay itojun@ angelos@ mickey@ millert@
Revision 1.66 / (download) - annotate - [select for diffs], Wed Mar 28 20:03:03 2001 UTC (23 years, 2 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_9_BASE, OPENBSD_2_9
Changes since 1.65: +7 -79 lines
Diff to previous 1.65 (colored)
Allow tdbi's to appear in mbufs throughout the stack; this allows security properties of the packets to be pushed up to the application (not done yet). Eventually, this will be turned into a packet attributes framework. Make sure tdbi's are free'd/cleared properly whenever drivers (or NFS) does weird things with mbufs.
Revision 1.65 / (download) - annotate - [select for diffs], Sun Mar 25 05:51:31 2001 UTC (23 years, 2 months ago) by csapuntz
Branch: MAIN
Changes since 1.64: +13 -8 lines
Diff to previous 1.64 (colored)
A couple minor fixes to prevent use after free. Thanks to dawson and team for finding these. Ok angelos@
Revision 1.64 / (download) - annotate - [select for diffs], Sun Mar 18 07:09:49 2001 UTC (23 years, 3 months ago) by provos
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)
enable pmtu by default
Revision 1.63 / (download) - annotate - [select for diffs], Sat Mar 3 01:09:28 2001 UTC (23 years, 3 months ago) by itojun
Branch: MAIN
Changes since 1.62: +4 -1 lines
Diff to previous 1.62 (colored)
on parse error of timestamp option, set parameter error offset correctly.
Revision 1.62 / (download) - annotate - [select for diffs], Sat Mar 3 01:00:19 2001 UTC (23 years, 3 months ago) by itojun
Branch: MAIN
Changes since 1.61: +11 -1 lines
Diff to previous 1.61 (colored)
drop packets with 127.0.0.0/8 in header field, if the packet is from outside. under RFC1122 sender rule 127.0.0.8 must not appear on the wire. count incidents by ipstat.ips_badaddr. sync with kame
Revision 1.60.2.1 / (download) - annotate - [select for diffs], Mon Dec 11 04:34:06 2000 UTC (23 years, 6 months ago) by jason
Branch: OPENBSD_2_8
Changes since 1.60: +8 -1 lines
Diff to previous 1.60 (colored) next main 1.61 (colored)
Pull in patch from current: Fix (angelos): Fix fastroute-related panic, fixes PR 1541 (cas@trans-nt.com)
Revision 1.61 / (download) - annotate - [select for diffs], Sun Dec 3 19:56:20 2000 UTC (23 years, 6 months ago) by angelos
Branch: MAIN
Changes since 1.60: +8 -1 lines
Diff to previous 1.60 (colored)
Fix fastroute-related panic, fixes PR 1541 (cas@trans-nt.com)
Revision 1.60 / (download) - annotate - [select for diffs], Fri Oct 13 02:01:10 2000 UTC (23 years, 8 months ago) by itojun
Branch: MAIN
CVS Tags: OPENBSD_2_8_BASE
Branch point for: OPENBSD_2_8
Changes since 1.59: +5 -2 lines
Diff to previous 1.59 (colored)
make sure we don't share external mbuf between m and mcopy, in ip_forward(). NetBSD PR 11201.
Revision 1.55.2.2 / (download) - annotate - [select for diffs], Sat Oct 7 05:43:15 2000 UTC (23 years, 8 months ago) by jason
Branch: OPENBSD_2_7
Changes since 1.55.2.1: +4 -3 lines
Diff to previous 1.55.2.1 (colored) to branchpoint 1.55 (colored) next main 1.56 (colored)
Pull in patch from current: Fix (mickey): fix my bug dating back to february the 14th of 1998, when those wildcard interfaces came up, which were useful at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok.
Revision 1.59 / (download) - annotate - [select for diffs], Fri Sep 22 01:40:56 2000 UTC (23 years, 8 months ago) by mickey
Branch: MAIN
Changes since 1.58: +4 -3 lines
Diff to previous 1.58 (colored)
fix my bug dating back to february the 14th of 1998, when those wildcard interfaces came up, which were useful at the times. on the other hand here it is, one cannot bind to the broadcast address, and angelos says ok.
Revision 1.58 / (download) - annotate - [select for diffs], Tue Sep 19 03:20:58 2000 UTC (23 years, 8 months ago) by angelos
Branch: MAIN
Changes since 1.57: +166 -8 lines
Diff to previous 1.57 (colored)
Lots and lots of changes.
Revision 1.57 / (download) - annotate - [select for diffs], Mon Sep 18 22:06:37 2000 UTC (23 years, 8 months ago) by provos
Branch: MAIN
Changes since 1.56: +34 -1 lines
Diff to previous 1.56 (colored)
Path MTU discovery based on NetBSD but with the decision to use the DF flag delayed to ip_output(). That halves the code and reduces most of the route lookups. okay deraadt@
Revision 1.55.2.1 / (download) - annotate - [select for diffs], Mon May 29 18:24:03 2000 UTC (24 years ago) by jason
Branch: OPENBSD_2_7
Changes since 1.55: +10 -2 lines
Diff to previous 1.55 (colored)
Pull in patch from current: Errata: Parse IPv4 options more carefully. It is not yet clear if this can even be used to crash the machine remotely or locally. Fix (itojun): parse IPv4 options more carefully. make boundary checks against every step (including option type/length field - there were no checks, seems to me 4.4BSD bug)
Revision 1.56 / (download) - annotate - [select for diffs], Mon May 15 11:07:33 2000 UTC (24 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.55: +10 -2 lines
Diff to previous 1.55 (colored)
parse IPv4 options more carefully. make boundary checks against every step (including option type/length field - there were no checks, seems to me 4.4BSD bug)
Revision 1.55 / (download) - annotate - [select for diffs], Wed May 10 03:22:39 2000 UTC (24 years, 1 month ago) by jason
Branch: MAIN
CVS Tags: OPENBSD_2_7_BASE
Branch point for: OPENBSD_2_7
Changes since 1.54: +16 -16 lines
Diff to previous 1.54 (colored)
make sure ip_timestamp is aligned correctly
Revision 1.54 / (download) - annotate - [select for diffs], Sat May 6 17:55:08 2000 UTC (24 years, 1 month ago) by itojun
Branch: MAIN
Changes since 1.53: +3 -3 lines
Diff to previous 1.53 (colored)
avoid underflow on unsigned value arithmetic (when optlen < 4). 2nd half of NetBSD Security Advisory 2000-002.
Revision 1.53 / (download) - annotate - [select for diffs], Sat May 6 01:47:05 2000 UTC (24 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.52: +5 -5 lines
Diff to previous 1.52 (colored)
avoid unaligned access in timestamp; http://www.newhackcity.net/advisories/20000504a_0.txt; checked by provos and itojun
Revision 1.52 / (download) - annotate - [select for diffs], Sun Apr 9 17:43:02 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.51: +1 -3 lines
Diff to previous 1.51 (colored)
Pass ip_off and ip_len in the correct byte order to icmp_error(); this should fix the crash problems with isic, reported last week.
Revision 1.51 / (download) - annotate - [select for diffs], Tue Apr 4 13:43:02 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.50: +4 -2 lines
Diff to previous 1.50 (colored)
Verbiage fix.
Revision 1.50 / (download) - annotate - [select for diffs], Mon Mar 27 07:26:45 2000 UTC (24 years, 2 months ago) by angelos
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)
As I threatened a while ago, ingress IPsec ACL-checking is turned on by default. Read the ipsecadm(8) man page for more details on how to specify ingress filters with manual keying. isakmpd has been doing this for a while now.
Revision 1.48.2.1 / (download) - annotate - [select for diffs], Fri Mar 24 09:09:36 2000 UTC (24 years, 2 months ago) by niklas
Branch: SMP
Changes since 1.48: +1 -3 lines
Diff to previous 1.48 (colored)
Sync with -current
Revision 1.49 / (download) - annotate - [select for diffs], Fri Mar 3 13:09:28 2000 UTC (24 years, 3 months ago) by itojun
Branch: MAIN
Changes since 1.48: +1 -3 lines
Diff to previous 1.48 (colored)
remove WIDE's experimental ip reass code, mistakenly merged in partially. NetBSD PR: 9412 Fix from: ho@crt.se
Revision 1.48 / (download) - annotate - [select for diffs], Mon Jan 10 06:59:22 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
CVS Tags: SMP_BASE
Branch point for: SMP
Changes since 1.47: +49 -1 lines
Diff to previous 1.47 (colored)
Add 10 new ipsec-related sysctl variables...they are currently under net.inet.ip; perhaps they should be moved under net.inet.ipsec or some such.
Revision 1.47 / (download) - annotate - [select for diffs], Mon Jan 10 04:30:52 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.46: +5 -1 lines
Diff to previous 1.46 (colored)
Add net.inet.ip.ipsec-invalid-life, default value 60 seconds; the amount of time embryonic SAs will be kept before they have to be initialized by key management (this only affects automated key management).
Revision 1.46 / (download) - annotate - [select for diffs], Sun Jan 9 22:30:37 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.45: +3 -4 lines
Diff to previous 1.45 (colored)
Rename newly-introduced variable to better reflect use.
Revision 1.45 / (download) - annotate - [select for diffs], Sun Jan 9 22:17:57 2000 UTC (24 years, 5 months ago) by angelos
Branch: MAIN
Changes since 1.44: +5 -1 lines
Diff to previous 1.44 (colored)
Add a sysctl for IPsec ingress access control (better explanation on a follow-up commit).
Revision 1.44 / (download) - annotate - [select for diffs], Wed Dec 8 06:50:20 1999 UTC (24 years, 6 months ago) by itojun
Branch: MAIN
CVS Tags: kame_19991208
Changes since 1.43: +59 -2 lines
Diff to previous 1.43 (colored)
bring in KAME IPv6 code, dated 19991208. replaces NRL IPv6 layer. reuses NRL pcb layer. no IPsec-on-v6 support. see sys/netinet6/{TODO,IMPLEMENTATION} for more details. GENERIC configuration should work fine as before. GENERIC.v6 works fine as well, but you'll need KAME userland tools to play with IPv6 (will be brought in soon).
Revision 1.43 / (download) - annotate - [select for diffs], Mon Nov 29 16:22:29 1999 UTC (24 years, 6 months ago) by ho
Branch: MAIN
Changes since 1.42: +5 -2 lines
Diff to previous 1.42 (colored)
Make sure M_BCAST is set for IP broadcasts, even if the packet came in as an ethernet unicast. (cmetz@, niklas@ ok.)
Revision 1.42 / (download) - annotate - [select for diffs], Sat Sep 25 06:35:48 1999 UTC (24 years, 8 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_6_BASE, OPENBSD_2_6
Changes since 1.41: +1 -2 lines
Diff to previous 1.41 (colored)
line not needed
Revision 1.41 / (download) - annotate - [select for diffs], Thu Sep 23 07:20:35 1999 UTC (24 years, 8 months ago) by deraadt
Branch: MAIN
Changes since 1.40: +1 -7 lines
Diff to previous 1.40 (colored)
fix same-interface-out-as-in and packet gets corrupted bug noted by james@oaktree.co.uk by re-working icmp embedded-packet code so that ip_forward() m_copy()-aliased packet can be forwarded to ip_output and icmp_error() safely, because no packet tweaking is needed before calling icmp_error()
Revision 1.40 / (download) - annotate - [select for diffs], Fri Apr 23 15:18:03 1999 UTC (25 years, 1 month ago) by provos
Branch: MAIN
Changes since 1.39: +4 -2 lines
Diff to previous 1.39 (colored)
don't accept packets with the destination address of a down interface; proff@netbsd.org.
Revision 1.39 / (download) - annotate - [select for diffs], Mon Apr 12 03:17:09 1999 UTC (25 years, 2 months ago) by deraadt
Branch: MAIN
CVS Tags: OPENBSD_2_5_BASE, OPENBSD_2_5
Changes since 1.38: +4 -1 lines
Diff to previous 1.38 (colored)
move encdebug to a useful place
Revision 1.38 / (download) - annotate - [select for diffs], Sun Apr 11 19:41:38 1999 UTC (25 years, 2 months ago) by niklas
Branch: MAIN
Changes since 1.37: +4 -1 lines
Diff to previous 1.37 (colored)
Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default. If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
Revision 1.37 / (download) - annotate - [select for diffs], Sun Feb 21 04:01:46 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.36: +64 -36 lines
Diff to previous 1.36 (colored)
split ipintr() to create new ipv4_input() for tunnels; NRL
Revision 1.36 / (download) - annotate - [select for diffs], Fri Feb 19 19:50:43 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.35: +49 -3 lines
Diff to previous 1.35 (colored)
ipq locking
Revision 1.35 / (download) - annotate - [select for diffs], Wed Feb 17 23:51:12 1999 UTC (25 years, 3 months ago) by deraadt
Branch: MAIN
Changes since 1.34: +51 -20 lines
Diff to previous 1.34 (colored)
add fragment flood protection; configurable using sysctl ip.maxqueue
Revision 1.34 / (download) - annotate - [select for diffs], Mon Dec 28 23:54:57 1998 UTC (25 years, 5 months ago) by deraadt
Branch: MAIN
Changes since 1.33: +12 -1 lines
Diff to previous 1.33 (colored)
ensure the ip packet embedded inside an icmp packet has correct ip_len, ip_off, ip_id. for udp, also correct uh_sum. ip_sum is still set to 0; (all this debugged using nmap)
Revision 1.33 / (download) - annotate - [select for diffs], Sat Dec 26 12:35:11 1998 UTC (25 years, 5 months ago) by provos
Branch: MAIN
Changes since 1.32: +1 -2 lines
Diff to previous 1.32 (colored)
make ip_id random but ensure that ids don't repeat for some period.
Revision 1.32 / (download) - annotate - [select for diffs], Fri Nov 13 22:24:17 1998 UTC (25 years, 7 months ago) by provos
Branch: MAIN
Changes since 1.31: +3 -2 lines
Diff to previous 1.31 (colored)
Recompute ip header length after packet has been reassembled, and also use the actual header length for m_pullup, pointed out by jdb@es2.net and guido@freebsd.org.
Revision 1.31 / (download) - annotate - [select for diffs], Mon May 18 21:10:49 1998 UTC (26 years, 1 month ago) by provos
Branch: MAIN
CVS Tags: OPENBSD_2_4_BASE, OPENBSD_2_4
Changes since 1.30: +6 -5 lines
Diff to previous 1.30 (colored)
first step to the setsockopt/getsockopt interface as described in draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
Revision 1.30 / (download) - annotate - [select for diffs], Sat Feb 14 18:50:36 1998 UTC (26 years, 4 months ago) by mickey
Branch: MAIN
CVS Tags: OPENBSD_2_3_BASE, OPENBSD_2_3
Changes since 1.29: +35 -19 lines
Diff to previous 1.29 (colored)
wildcard ifaces; finally, after HE said it's ok
Revision 1.29 / (download) - annotate - [select for diffs], Tue Feb 3 21:11:08 1998 UTC (26 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.28: +13 -14 lines
Diff to previous 1.28 (colored)
bail out for sourcerouted packets earlier, also do not forward sourcerouted packets ever if ipforwarding is off; tqbf@secnet.com
Revision 1.28 / (download) - annotate - [select for diffs], Sun Feb 1 21:46:02 1998 UTC (26 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.27: +18 -34 lines
Diff to previous 1.27 (colored)
undo wildcard loopback stuff; it was not checked by other developers
Revision 1.27 / (download) - annotate - [select for diffs], Sun Feb 1 18:09:23 1998 UTC (26 years, 4 months ago) by mickey
Branch: MAIN
Changes since 1.26: +35 -19 lines
Diff to previous 1.26 (colored)
support wildcard loopbacks. that is, setting up lo1 like: ifconfig lo1 inet 192.168.1.1 netmask 255.255.255.0 link1 would force it to act like all the addresses from net 192.168.1 were added to the interface. todo: man lo
Revision 1.26 / (download) - annotate - [select for diffs], Sat Aug 9 23:36:29 1997 UTC (26 years, 10 months ago) by millert
Branch: MAIN
CVS Tags: OPENBSD_2_2_BASE, OPENBSD_2_2
Changes since 1.25: +11 -1 lines
Diff to previous 1.25 (colored)
The list of tcp/udp ports not to allocate dynamically is now a bitmask configurable via sysctl([38]). The default values have not changed. If one wants to change the list it should be done early on in /etc/rc.
Revision 1.25 / (download) - annotate - [select for diffs], Fri Feb 28 03:44:53 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
CVS Tags: OPENBSD_2_1_BASE, OPENBSD_2_1
Changes since 1.24: +5 -1 lines
Diff to previous 1.24 (colored)
IPsec socket API hooks are in.
Revision 1.24 / (download) - annotate - [select for diffs], Sat Feb 22 13:25:28 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.23: +16 -4 lines
Diff to previous 1.23 (colored)
Fixed problem in ip_weadvertise().
Revision 1.23 / (download) - annotate - [select for diffs], Sat Feb 22 05:56:48 1997 UTC (27 years, 3 months ago) by angelos
Branch: MAIN
Changes since 1.22: +39 -2 lines
Diff to previous 1.22 (colored)
ICMP redirects will not be sent if we do proxy arp pointing to ourselves.
Revision 1.22 / (download) - annotate - [select for diffs], Thu Feb 13 16:26:58 1997 UTC (27 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.21: +4 -4 lines
Diff to previous 1.21 (colored)
off-by-one-slot for IP timestamp option data inserts, PR#103, andreas.gunnarsson@emw.ericsson.se
Revision 1.21 / (download) - annotate - [select for diffs], Tue Feb 11 18:04:03 1997 UTC (27 years, 4 months ago) by deraadt
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)
ensure ipt->ipt_ptr is right; pr#96, andreas.gunnarsson@emw.ericsson.se
Revision 1.20 / (download) - annotate - [select for diffs], Sun Jan 26 01:23:43 1997 UTC (27 years, 4 months ago) by tholo
Branch: MAIN
Changes since 1.19: +8 -2 lines
Diff to previous 1.19 (colored)
Make ip_len and ip_off unsigned values; don't transmit or accept packets larger than the maximum IP packet size. From NetBSD.
Revision 1.19 / (download) - annotate - [select for diffs], Sun Oct 27 00:47:33 1996 UTC (27 years, 7 months ago) by deraadt
Branch: MAIN
Changes since 1.18: +1 -13 lines
Diff to previous 1.18 (colored)
record route is not a problem; thanks bitblt
Revision 1.18 / (download) - annotate - [select for diffs], Fri Oct 18 03:04:54 1996 UTC (27 years, 8 months ago) by tholo
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)
Do not run IP defragmentation routines unnecessarily; NetBSD PR# 2772
Revision 1.17 / (download) - annotate - [select for diffs], Mon Sep 2 18:14:19 1996 UTC (27 years, 9 months ago) by dm
Branch: MAIN
CVS Tags: OPENBSD_2_0_BASE, OPENBSD_2_0
Changes since 1.16: +3 -1 lines
Diff to previous 1.16 (colored)
Don't drain the protocol queues at interrupt level.
Revision 1.16 / (download) - annotate - [select for diffs], Wed Aug 14 07:50:13 1996 UTC (27 years, 10 months ago) by deraadt
Branch: MAIN
Changes since 1.15: +3 -3 lines
Diff to previous 1.15 (colored)
ipaddrs are int; like many other things found after spotting a similar netbsd commit...
Revision 1.15 / (download) - annotate - [select for diffs], Fri Aug 2 18:21:00 1996 UTC (27 years, 10 months ago) by tholo
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)
Allow viewing of net.inet.ip.sourceroute in secure mode
Revision 1.14 / (download) - annotate - [select for diffs], Mon Jul 29 02:34:30 1996 UTC (27 years, 10 months ago) by downsj
Branch: MAIN
Changes since 1.13: +19 -1 lines
Diff to previous 1.13 (colored)
From FreeBSD (with slightly different sysctl names): "... Allow the user to nominate one of three ranges of port numbers as candidates for selecting a local address to replace a zero port number. The ranges are selected via a setsockopt(s, IPPROTO_IP, IP_PORTRANGE, &arg) call. The three ranges are: default, high (to bypass firewalls) and low (to get a port below 1024). The default and high port ranges are sysctl settable under sysctl net.inet.ip.portrange.* [net.inet.ip.portfirst, net.inet.ip.portlast, net.inet.ip.porthifirst, and net.inet.ip.porthilast currently in OpenBSD.] This code also fixes a potential deadlock if the system accidentally ran out of local port addresses. It'd drop into an infinite while loop. The secure port selection (for root) should reduce overheads and increase reliability of rlogin/rlogind/rsh/rshd if they are modified to take advantage of it."
Revision 1.13 / (download) - annotate - [select for diffs], Thu Jul 18 05:01:04 1996 UTC (27 years, 11 months ago) by dm
Branch: MAIN
Changes since 1.12: +3 -3 lines
Diff to previous 1.12 (colored)
ipfilter 3.1.0
Revision 1.12 / (download) - annotate - [select for diffs], Tue May 7 15:20:25 1996 UTC (28 years, 1 month ago) by mickey
Branch: MAIN
Changes since 1.11: +2 -2 lines
Diff to previous 1.11 (colored)
from NetBSD PR#2296: Laine Stump: some icmp destination unreachable packets contain garbage.
Revision 1.11 / (download) - annotate - [select for diffs], Sun Apr 21 22:29:00 1996 UTC (28 years, 1 month ago) by deraadt
Branch: MAIN
Changes since 1.10: +5 -5 lines
Diff to previous 1.10 (colored)
partial sync with netbsd 960418, more to come
Revision 1.10 / (download) - annotate - [select for diffs], Sat Mar 9 21:30:22 1996 UTC (28 years, 3 months ago) by dm
Branch: MAIN
Changes since 1.9: +20 -1 lines
Diff to previous 1.9 (colored)
restored IP filtering
Revision 1.9 / (download) - annotate - [select for diffs], Sun Mar 3 22:30:37 1996 UTC (28 years, 3 months ago) by niklas
Branch: MAIN
Changes since 1.8: +53 -35 lines
Diff to previous 1.8 (colored)
From NetBSD: 960217 merge
Revision 1.8 / (download) - annotate - [select for diffs], Thu Jan 25 05:41:44 1996 UTC (28 years, 4 months ago) by dm
Branch: MAIN
Changes since 1.7: +8 -11 lines
Diff to previous 1.7 (colored)
IP filter 3.0.1
Revision 1.7 / (download) - annotate - [select for diffs], Sun Jan 7 02:34:03 1996 UTC (28 years, 5 months ago) by dm
Branch: MAIN
Changes since 1.6: +19 -0 lines
Diff to previous 1.6 (colored)
from beurton@fnet.fr: Darren Reed's IP filter
Revision 1.6 / (download) - annotate - [select for diffs], Thu Dec 14 12:37:58 1995 UTC (28 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.5: +31 -2 lines
Diff to previous 1.5 (colored)
re-add my source routing stuff (geeezzz)
Revision 1.5 / (download) - annotate - [select for diffs], Thu Dec 14 06:50:40 1995 UTC (28 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.4: +97 -138 lines
Diff to previous 1.4 (colored)
from netbsd: make netinet work on systems where pointers and longs are 64 bits (like the alpha). Biggest problem: IP headers were overlaid with structure which included pointers, and which therefore didn't overlay properly on 64-bit machines. Solution: instead of threading pointers through IP header overlays, add a "queue element" structure to do the threading, and point it at the ip headers.
Revision 1.4 / (download) - annotate - [select for diffs], Tue Nov 28 22:42:57 1995 UTC (28 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.3: +22 -8 lines
Diff to previous 1.3 (colored)
add inet_ntoa() to the kernel. use it to log nicer messages. idea from freebsd
Revision 1.3 / (download) - annotate - [select for diffs], Tue Nov 28 01:22:56 1995 UTC (28 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.2: +3 -7 lines
Diff to previous 1.2 (colored)
log source route attempts when source routing is disabled
Revision 1.2 / (download) - annotate - [select for diffs], Sun Nov 26 23:40:18 1995 UTC (28 years, 6 months ago) by deraadt
Branch: MAIN
Changes since 1.1: +20 -1 lines
Diff to previous 1.1 (colored)
add sysctl net.inet.ip.sourceroute option; default to 0. copied from freebsd
Revision 1.1.1.1 / (download) - annotate - [select for diffs] (vendor branch), Wed Oct 18 08:53:11 1995 UTC (28 years, 8 months ago) by deraadt
CVS Tags: netbsd_1_1
Changes since 1.1: +0 -0 lines
Diff to previous 1.1 (colored)
initial import of NetBSD tree
Revision 1.1 / (download) - annotate - [select for diffs], Wed Oct 18 08:53:11 1995 UTC (28 years, 8 months ago) by deraadt
Branch: MAIN
Initial revision