| Commit message | Author | Age | Files | Lines |
Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
inpcb parameter to ip_output and ip6_output to allow the IPsec code to
locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version
Notes:
svn path=/stable/4/; revision=109753
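As an added illustration of the cookie-qualified lookup this commit describes (example code written for this page, not the kernel's sys/mbuf.h or kern/uipc_mbuf2.c), here is a userland model of the tag list. The m_tag_* names follow the API the commit mentions; the struct layout, the MTAG_ABI_COMPAT value of 0, the malloc-backed allocator and the two module cookies are assumptions made for the demonstration:

```c
/* Added example: a userland model of the packet-tag list described in the
 * commit above. It is NOT the kernel's mbuf code; the m_tag_* names mirror
 * the API (m_tag_alloc / m_tag_prepend / m_tag_locate / m_tag_find) so the
 * behaviour is recognisable, but the list and allocator are plain C. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Well-known cookie for OpenBSD-compatible (cookie-less) tags.
 * Assumed value for this example; the real definition lives in sys/mbuf.h. */
#define MTAG_ABI_COMPAT 0

struct m_tag {
    struct m_tag *m_tag_next;   /* kernel uses an SLIST_ENTRY here */
    uint16_t      m_tag_id;     /* type, private to the owning ABI/module */
    uint16_t      m_tag_len;    /* bytes of payload following the header */
    uint32_t      m_tag_cookie; /* ABI/module number that owns m_tag_id */
};

/* Stand-in for the mbuf packet header: only the tag list matters here. */
struct pkthdr {
    struct m_tag *tags;
};

struct m_tag *m_tag_alloc(uint32_t cookie, int type, int len)
{
    struct m_tag *t = calloc(1, sizeof(*t) + (size_t)len);
    if (t == NULL)
        return NULL;
    t->m_tag_id = (uint16_t)type;
    t->m_tag_len = (uint16_t)len;
    t->m_tag_cookie = cookie;
    return t;
}

/* Tag payload sits directly after the header, as in the kernel layout. */
static inline void *m_tag_data(struct m_tag *t) { return t + 1; }

void m_tag_prepend(struct pkthdr *ph, struct m_tag *t)
{
    t->m_tag_next = ph->tags;
    ph->tags = t;
}

/* Return the next tag matching BOTH cookie and type, starting after 't'
 * (from the head when t is NULL). Requiring the cookie is the point of the
 * commit: two modules may pick the same type number independently. */
struct m_tag *m_tag_locate(struct pkthdr *ph, uint32_t cookie, int type,
                           struct m_tag *t)
{
    struct m_tag *p = (t == NULL) ? ph->tags : t->m_tag_next;
    for (; p != NULL; p = p->m_tag_next)
        if (p->m_tag_cookie == cookie && p->m_tag_id == type)
            return p;
    return NULL;
}

/* OpenBSD-compatible lookup: the same search under the well-known cookie. */
struct m_tag *m_tag_find(struct pkthdr *ph, int type, struct m_tag *t)
{
    return m_tag_locate(ph, MTAG_ABI_COMPAT, type, t);
}

void m_tag_delete_chain(struct pkthdr *ph)
{
    struct m_tag *p = ph->tags, *n;
    for (; p != NULL; p = n) { n = p->m_tag_next; free(p); }
    ph->tags = NULL;
}

/* Hypothetical module numbers for two consumers that both chose type 1. */
#define COOKIE_NETGRAPH 0x4e470000u
#define COOKIE_IPSEC    0x49500000u

/* Attach one tag per consumer, then look up by (cookie, type 1).
 * Returns the value stored by the consumer named by 'want_cookie',
 * or -1 when no such tag exists (e.g. a cookie-less compat lookup). */
int tag_demo(uint32_t want_cookie)
{
    struct pkthdr ph = { NULL };
    struct m_tag *t;
    int result = -1;

    if ((t = m_tag_alloc(COOKIE_NETGRAPH, 1, sizeof(int))) == NULL)
        return -1;
    *(int *)m_tag_data(t) = 111;
    m_tag_prepend(&ph, t);

    if ((t = m_tag_alloc(COOKIE_IPSEC, 1, sizeof(int))) == NULL) {
        m_tag_delete_chain(&ph);
        return -1;
    }
    *(int *)m_tag_data(t) = 222;
    m_tag_prepend(&ph, t);

    t = m_tag_locate(&ph, want_cookie, 1, NULL);
    if (t != NULL)
        result = *(int *)m_tag_data(t);
    m_tag_delete_chain(&ph);
    return result;
}
```

Without the cookie, the second lookup in tag_demo() would return whichever type-1 tag happened to be first on the list; with it, each module sees only its own annotation, and a compat-style m_tag_find() sees neither.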
more in sync with what is in -current, so that maintenance and
bugfix of the two trees is not a nightmare.
THERE IS NO FUNCTIONAL OR EXTERNAL API CHANGE IN THIS COMMIT
You should not need to recompile any userland code.
In (some) more detail, this commit does the following:
* remove a number of static variables from the ip stack that were
used to support DIVERT, IPFIREWALL_FORWARD and stateful rules/
dynamic pipes. These are replaced with packet annotations, much
in the same (ugly for someone, but it is extremely fast and easy
to extend) way used for ages to support dummynet annotations.
On passing, fix a bug in the handling of divert for fragmented packets.
* as part of the removal of static variables, change the (internal)
interface of ip_fw_chk() to use a single structure to hold arguments.
Adapt clients of the above (ip_input, ip_output, bridge, ether_output,
ether_demux) to use the new interface.
* remove some unused variables.
* remove some of the __P() macros from some of the files involved
Because of the NO FUNCTIONAL CHANGE you don't get the following features
which are in -current:
* ipfw on layer-2 packets. All the hooks and the code are there,
but the controlling variable
net.link.ether.ipfw: 0
is readonly because I am only 99% confident on how the old ipfw
handles these frames. Just edit if_ethersubr.c to make the
variable RW if you want this feature. I might commit this in
due time if there is interest.
* ipfw2, the new, faster and more flexible firewall code.
The code has hooks to make use of ipfw2, and I will make patches
available to use it (it is basically 3 files, netinet/ip_fw2.[ch],
sbin/ipfw/ipfw2.c, plus one-line changes in conf/options,
conf/files and sbin/ipfw/Makefile, plus libalias patches).
Notes:
svn path=/stable/4/; revision=99646
making pcbs available to the outside world. otherwise, we will see
inpcb without ipsec security policy attached (-> panic() in ipsec.c).
sys/netinet/in_pcb.c: 1.86
sys/netinet/ip_divert.c: 1.50
sys/netinet/raw_ip.c: 1.80
sys/netinet/tcp_usrreq.c: 1.65
sys/netinet/udp_usrreq.c: 1.93
sys/netinet6/raw_ip6.c: 1.12
sys/netinet6/udp6_usrreq.c: 1.16
Notes:
svn path=/stable/4/; revision=80549
Notes:
svn path=/stable/4/; revision=73137
Notes:
svn path=/stable/4/; revision=65261
Notes:
svn path=/stable/4/; revision=64727
is enabled.
Confirmed by: Eugene M. Kim <ab@astralblue.com>
Notes:
svn path=/head/; revision=55601
pr_input() routines prototype is also changed to support IPSEC and IPV6
chained protocol headers.
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project
Notes:
svn path=/head/; revision=55009
- Implement 'ipfw tee' (finally)
- Divert packets by calling new function divert_packet() directly instead
of going through protosw[].
- Replace kludgey global variable 'ip_divert_port' with a function parameter
to divert_packet()
- Replace kludgey global variable 'frag_divert_port' with a function parameter
to ip_reass()
- style(9) fixes
Reviewed by: julian, green
Notes:
svn path=/head/; revision=54175
Notes:
svn path=/head/; revision=50477
1:
s/suser/suser_xxx/
2:
Add new function: suser(struct proc *), prototyped in <sys/proc.h>.
3:
s/suser_xxx(\([a-zA-Z0-9_]*\)->p_ucred, \&\1->p_acflag)/suser(\1)/
The remaining suser_xxx() calls will be scrutinized and dealt with
later.
There may be some unneeded #include <sys/cred.h>, but they are left
as an exercise for Bruce.
More changes to the suser() API will come along with the "jail" code.
Notes:
svn path=/head/; revision=46112
Notes:
svn path=/head/; revision=43764
Divert was not feeding clean data to ifa_ifwithaddr() so it was
giving bad results.
Submitted by: kseel <kseel@utcorp.com>, Ruslan Ermilov <ru@ucb.crimea.ua>
Notes:
svn path=/head/; revision=43763
for possible buffer overflow problems. Replaced most sprintf()'s
with snprintf(); for others cases, added terminating NUL bytes where
appropriate, replaced constants like "16" with sizeof(), etc.
These changes include several bug fixes, but most changes are for
maintainability's sake. Any instance where it wasn't "immediately
obvious" that a buffer overflow could not occur was made safer.
Reviewed by: Bruce Evans <bde@zeta.org.au>
Reviewed by: Matthew Dillon <dillon@apollo.backplane.com>
Reviewed by: Mike Spengler <mks@networkcs.com>
Notes:
svn path=/head/; revision=41514
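The two patterns this commit applies, shown as an added example rather than any of the changed kernel files: a small formatting helper in the shape being replaced, next to its hardened version. The helper, its ADDRBUF size and the inputs are constructed for illustration:

```c
/* Added example (not from the commit): the replacements the commit
 * describes, on a constructed helper. before_unsafe() is the shape being
 * replaced and must not be fed untrusted input; after_safe() is the
 * hardened form. */
#include <stdio.h>
#include <string.h>

#define ADDRBUF 16   /* the kind of bare constant the commit swaps for sizeof() */

/* BEFORE: sprintf() into a caller buffer of unknown size, and strncpy()
 * that leaves 'name' without a terminating NUL when the input is 16 bytes
 * or longer, so the following "%s" reads past the end of 'name'. */
void before_unsafe(char *out, const char *ifname, int port)
{
    char name[ADDRBUF];
    strncpy(name, ifname, ADDRBUF);        /* no NUL if strlen(ifname) >= 16 */
    sprintf(out, "%s:%d", name, port);     /* may write past the end of 'out' */
}

/* AFTER: bound every write by the real buffer size, make the NUL explicit,
 * and report truncation instead of silently returning a clipped string.
 * Returns 0 on success, -1 when the result did not fit. */
int after_safe(char *out, size_t outlen, const char *ifname, int port)
{
    char name[ADDRBUF];
    int n;

    strncpy(name, ifname, sizeof(name));
    name[sizeof(name) - 1] = '\0';         /* guarantee termination */

    n = snprintf(out, outlen, "%s:%d", name, port);
    if (n < 0 || (size_t)n >= outlen)
        return -1;                         /* 'out' is still NUL-terminated */
    return 0;
}
```

Checking the return value of snprintf() is the part most often skipped: the call cannot overflow, but the caller still needs to know that the string it got back is not the one it asked for.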
Notes:
svn path=/head/; revision=37433
Notes:
svn path=/head/; revision=37334
WRT diversion reinjection. No-one has been bitten by the new behaviour
that I know of.
Notes:
svn path=/head/; revision=37332
Notes:
svn path=/head/; revision=36906
had a recv interface and allow that state to be available
after re-injection for further tests.
Notes:
svn path=/head/; revision=36903
Notes:
svn path=/head/; revision=36708
(should make the ipfw lkm work again)
Notes:
svn path=/head/; revision=36707
so that the new behaviour is now default.
Solves the "infinite loop in diversion" problem when more than one diversion
is active.
Man page changes follow.
The new code is in -stable as the NON default option.
Notes:
svn path=/head/; revision=36678
Prior to this change, accidental recursion protection was done by
the diverted daemon feeding back the divert port number it got
the packet on, as the port number on a sendto(). IPFW knew not to
redivert a packet to this port (again). Processing of the ruleset
started at the beginning again, skipping that divert port.
The new semantic (which is how we should have done it the first time)
is that the port number in the sendto() is the rule number AFTER which
processing should restart, and on a recvfrom(), the port number is the
rule number which caused the diversion. This is much more flexible,
and also more intuitive. If the user uses the same sockaddr received
when resending, processing resumes at the rule number following that
that caused the diversion. The user can however select to resume rule
processing at any rule. (0 is restart at the beginning)
To enable the new code use
option IPFW_DIVERT_RESTART
This should become the default as soon as people have looked at it a bit
Notes:
svn path=/head/; revision=36369
passed to the user process for incoming packets. When the sockaddr_in
is passed back to the divert socket later, use this as the primary
interface lookup and only revert to the IP address when the name fails.
This solves a long standing bug with divert sockets:
When two interfaces had the same address (P2P for example) the interface
"assigned" to the reinjected packet was sometimes incorrect.
Probably we should define a "sockaddr_div" to officially hold this
extended information in the same manner as sockaddr_dl.
Notes:
svn path=/head/; revision=36364
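A divert daemon that follows both conventions described in this log entry and in the IPFW_DIVERT_RESTART entry above it (receive interface name carried in sin_zero; rule number in sin_port, which on sendto() is the rule after which ipfw resumes, 0 meaning restart from the top), as an added example and not code from ip_divert.c or the divert(4) manual. It assumes the FreeBSD IPPROTO_DIVERT value of 254 (defined as a fallback so the file also compiles where the header lacks it), that an incoming packet carries the receive interface's address in sin_addr while an outgoing one leaves it zero, and that sin_zero holds up to 8 bytes of name with no guaranteed NUL. The sample sockaddrs are constructed; the reinjection loop sends the packet back unchanged so processing resumes after the diverting rule:

```c
/* Added example: minimal divert(4) reader/reinjector for the sockaddr
 * conventions described in the log. Not part of ip_divert.c. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254      /* assumed FreeBSD value; fallback for other hosts */
#endif
#define DIVERT_IFNAME_MAX 8     /* sin_zero is 8 bytes; name may fill it with no NUL */

/* What the kernel tells the daemon about a diverted packet, decoded from
 * the sockaddr_in that recvfrom(2) fills in. */
struct divert_meta {
    uint16_t       rule;        /* ipfw rule number that diverted the packet */
    int            incoming;    /* 1 = diverted on input, 0 = on output (assumption) */
    char           ifname[DIVERT_IFNAME_MAX + 1];
    struct in_addr ifaddr;      /* receive interface address when incoming */
};

void divert_decode(const struct sockaddr_in *sin, struct divert_meta *m)
{
    memset(m, 0, sizeof(*m));
    m->rule = ntohs(sin->sin_port);
    m->ifaddr = sin->sin_addr;
    m->incoming = (sin->sin_addr.s_addr != INADDR_ANY);
    memcpy(m->ifname, sin->sin_zero, DIVERT_IFNAME_MAX);
    m->ifname[DIVERT_IFNAME_MAX] = '\0';    /* sin_zero itself need not be terminated */
}

/* Build the sockaddr for sendto(2). sin_port is the rule AFTER which ipfw
 * resumes (0 restarts at the first rule). Copying the received sockaddr
 * keeps sin_addr and the sin_zero name, so the kernel can find the receive
 * interface by name first and by address only as a fallback. */
void divert_resume_addr(const struct sockaddr_in *rcvd, uint16_t resume_after,
                        struct sockaddr_in *out)
{
    *out = *rcvd;
    out->sin_family = AF_INET;
    out->sin_port = htons(resume_after);
}

/* Constructed sample of what the kernel would hand back; ifaddr NULL means
 * an outgoing packet (sin_addr left as INADDR_ANY). */
struct sockaddr_in divert_sample_sockaddr(uint16_t rule, const char *ifaddr,
                                          const char *ifname)
{
    struct sockaddr_in s;
    size_t n = strlen(ifname);

    memset(&s, 0, sizeof(s));
    s.sin_family = AF_INET;
    s.sin_port = htons(rule);
    if (ifaddr != NULL)
        inet_pton(AF_INET, ifaddr, &s.sin_addr);
    if (n > sizeof(s.sin_zero))
        n = sizeof(s.sin_zero);
    memcpy(s.sin_zero, ifname, n);
    return s;
}

int main(int argc, char **argv)
{
    int port = (argc > 1) ? atoi(argv[1]) : 8668;   /* divert port to bind */
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in bindaddr, from, to;
    unsigned char pkt[65535];
    struct divert_meta meta;

    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    memset(&bindaddr, 0, sizeof(bindaddr));
    bindaddr.sin_family = AF_INET;
    bindaddr.sin_port = htons((uint16_t)port);
    if (bind(fd, (struct sockaddr *)&bindaddr, sizeof(bindaddr)) < 0) {
        perror("bind"); return 1;
    }
    for (;;) {
        socklen_t fromlen = sizeof(from);
        ssize_t n = recvfrom(fd, pkt, sizeof(pkt), 0,
                             (struct sockaddr *)&from, &fromlen);
        if (n < 0) { if (errno == EINTR) continue; perror("recvfrom"); break; }
        divert_decode(&from, &meta);
        fprintf(stderr, "%zd bytes, rule %d, %s, if=%s\n", n, (int)meta.rule,
                meta.incoming ? "incoming" : "outgoing", meta.ifname);
        /* A real filter would decide here; dropping is simply not sending. */
        divert_resume_addr(&from, meta.rule, &to);
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&to, sizeof(to)) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

The two things to get right in such a daemon are exactly the two the log entries fix in the kernel: never treat sin_zero as a C string without bounding the copy, and send back the rule number (or the sockaddr as received) rather than the divert port, otherwise a second divert rule later in the ruleset re-enters the same daemon.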
and not from the PCB which HAPPENS to contain the same number most
of the time, but not always.
Notes:
svn path=/head/; revision=36363
Define a parameter which indicates the maximum number of sockets in a
system, and use this to size the zone allocators used for sockets and
for certain PCBs.
Convert PF_LOCAL PCB structures to be type-stable and add a version number.
Define an external format for information about socket structures and use
it in several places.
Define a mechanism to get all PF_LOCAL and PF_INET PCB lists through
sysctl(3) without blocking network interrupts for an unreasonable
length of time. This probably still has some bugs and/or race
conditions, but it seems to work well enough on my machines.
It is now possible for `netstat' to get almost all of its information
via the sysctl(3) interface rather than reading kmem (changes to follow).
Notes:
svn path=/head/; revision=36079
Notes:
svn path=/head/; revision=34923
its own zone; this is used particularly by TCP which allocates both inpcb and
tcpcb in a single allocation. (Some hackery ensures that the tcpcb is
reasonably aligned.) Also keep track of the number of pcbs of each type
allocated, and keep a generation count (instance version number) for future
use.
Notes:
svn path=/head/; revision=34881
Notes:
svn path=/head/; revision=33134
Notes:
svn path=/head/; revision=33108
a hashed port list. In the new scheme, in_pcblookup() goes away and is
replaced by a new routine, in_pcblookup_local() for doing the local port
check. Note that this implementation is space inefficient in that the PCB
struct is now too large to fit into 128 bytes. I might deal with this in the
future by using the new zone allocator, but I wanted these changes to be
extensively tested in their current form first.
Also:
1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash()
to do the initial hash insertion.
3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
4) Added a new routine, in_pcbremlists() to remove the PCB from the various
hash lists.
5) Added/deleted comments where appropriate.
6) Removed unnecessary splnet() locking. In general, the PCB functions should
be called at splnet()...there are unfortunately a few exceptions, however.
7) Reorganized a few structs for better cache line behavior.
8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in
the future, however.
These changes have been tested on wcarchive for more than a month. In tests
done here, connection establishment overhead is reduced by more than 50
times, thus getting rid of one of the major networking scalability problems.
Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a
large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.
WARNING: Anything that knows about inpcb and tcpcb structs will have to be
recompiled; at the very least, this includes netstat(1).
Notes:
svn path=/head/; revision=32821
This will not make any of object files that LINT create change; there
might be differences with INET disabled, but hardly anything compiled
before without INET anyway. Now the 'obvious' things will give a
proper error if compiled without inet - ipx_ip, ipfw, tcp_debug. The
only thing that _should_ work (but can't be made to compile reasonably
easily) is sppp :-(
This commit move struct arpcom from <netinet/if_ether.h> to
<net/if_arp.h>.
Notes:
svn path=/head/; revision=32350
any instability problems, but it was wrong nonetheless and will be
required in an upcoming round of PCB changes.
Notes:
svn path=/head/; revision=31838
Notes:
svn path=/head/; revision=29366
Notes:
svn path=/head/; revision=29327
Notes:
svn path=/head/; revision=27845
these are quite extensive additions to the ipfw code.
they include a change to the API because the old method was
broken, but the user view is kept the same.
The new code allows a particular match to skip forward to a particular
line number, so that blocks of rules can be
used without checking all the intervening rules.
There are also many more ways of rejecting
connections especially TCP related, and
many many more ...
see the man page for a complete description.
Notes:
svn path=/head/; revision=26359
comments on it being outside.
Notes:
svn path=/head/; revision=26345
Submitted by: Åge Røbekk <aagero@aage.priv.no>
Notes:
svn path=/head/; revision=26147
switch. I needed 'LINT' to compile for other reasons so I kinda got the
blood on my hands. Note: I don't know how to test this, I don't know if
it works correctly.
Notes:
svn path=/head/; revision=26096
cache lines. Removed the struct ip proto since only a couple of chars
were actually being used in it. Changed the order of compares in the
PCB hash lookup to take advantage of partial cache line fills (on PPro).
Discussed-with: wollman
Notes:
svn path=/head/; revision=24570
the quality of the hash distribution. This does not fix a problem dealing
with poor distribution when using lots of IP aliases and listening
on the same port on every one of them...some other day perhaps; fixing
that requires significant code changes.
The use of xor was inspired by David S. Miller <davem@jenolan.rutgers.edu>
Notes:
svn path=/head/; revision=23324
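An added example, not the kernel's in_pcb.h macro, of a PCB hash of the shape this entry describes (foreign address folded by xor with its own upper half, then xor'ed with both ports) together with a bucket-distribution check. It serves this entry and the hashed-PCB lookup entry (revision 32821) further up, whose in_pcblookup_hash() walks the bucket a hash like this selects. Everything is in host byte order, the table size is assumed to be 256, and both connection sets are constructed; the second set reproduces the IP-alias case the commit says is NOT fixed:

```c
/* Added example: an xor-based PCB hash of the shape described in the log,
 * and a measurement of how many buckets a set of PCBs lands in.
 * Not the kernel's macro; host byte order; constructed inputs. */
#include <stdint.h>
#include <string.h>

#define HASHSIZE 256                 /* assumed power-of-two table size */
#define HASHMASK (HASHSIZE - 1)

/* Fold the halves of the foreign address together, then xor in both ports.
 * Any field that is constant across a set of PCBs contributes nothing to
 * spreading that set across buckets. The local address is not an input. */
unsigned int pcb_hash(uint32_t faddr, uint16_t lport, uint16_t fport)
{
    return (faddr ^ (faddr >> 16) ^ lport ^ fport) & HASHMASK;
}

/* Number of distinct buckets used by n (faddr, lport, fport) tuples. */
unsigned int buckets_used(const uint32_t *faddr, const uint16_t *lport,
                          const uint16_t *fport, unsigned int n)
{
    unsigned char used[HASHSIZE];
    unsigned int i, count = 0;

    memset(used, 0, sizeof(used));
    for (i = 0; i < n; i++) {
        unsigned int h = pcb_hash(faddr[i], lport[i], fport[i]);
        if (!used[h]) { used[h] = 1; count++; }
    }
    return count;
}

/* Constructed sample 1: 64 established connections to a local web server,
 * each from a different 10.0.i.0 network with its own ephemeral port.
 * Every field the hash looks at varies, so the set spreads out fully. */
unsigned int demo_established(void)
{
    uint32_t faddr[64]; uint16_t lport[64], fport[64];
    unsigned int i;
    for (i = 0; i < 64; i++) {
        faddr[i] = 0x0a000000u | ((uint32_t)i << 8);   /* 10.0.i.0 */
        lport[i] = 80;
        fport[i] = (uint16_t)(50000 + i);
    }
    return buckets_used(faddr, lport, fport, 64);
}

/* Constructed sample 2: 64 listening sockets on port 80, one per IP alias.
 * A listening PCB has no foreign address or port yet, so faddr == 0 and
 * fport == 0 for all of them and only lport remains: every alias collapses
 * into one bucket. This is the poor distribution the commit leaves for later. */
unsigned int demo_listen_aliases(void)
{
    uint32_t faddr[64]; uint16_t lport[64], fport[64];
    unsigned int i;
    for (i = 0; i < 64; i++) {
        faddr[i] = 0;          /* INADDR_ANY: no peer yet */
        lport[i] = 80;
        fport[i] = 0;
    }
    return buckets_used(faddr, lport, fport, 64);
}
```

The alias case is a lookup-cost problem for the host's own configuration; note also that the remaining inputs (faddr, fport) are chosen by the remote peer, so a hash with no secret component lets a peer pick tuples that share a bucket on purpose. That is a general property of unkeyed xor hashes, not a claim about what this commit's code did or did not do about it.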
ready for it yet.
Notes:
svn path=/head/; revision=22975
Notes:
svn path=/head/; revision=22952
set it in the first place, independent of whether sin->sin_port
is set.
The result is that diverted packets that are being forwarded
will be diverted once and only once on the way in (ip_input())
and again, once and only once on the way out (ip_output()) -
twice in total. ICMP packets that don't contain a port will
now also be diverted.
Notes:
svn path=/head/; revision=22212
This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.
Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.
Notes:
svn path=/head/; revision=21673
to TAILQs. Fix places which referenced these for no good reason
that I can see (the references remain, but were fixed to compile
again; they are still questionable).
Notes:
svn path=/head/; revision=20407
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.
Notes:
svn path=/head/; revision=17072