| Commit message (Collapse) | Author | Age | Files | Lines |
| |
I have some patches which make ip_mroute and ip6_mroute multi-FIB-aware.
This enables running per-FIB routing daemons, each of which has a
separate routing socket.
Several places in the network stack check whether multicast routing is
configured by checking whether the multicast routing socket is non-NULL.
This doesn't directly translate in my proposed scheme, as each FIB would
have its own socket. I'd like to modify the ip(6)_mroute code to store
all state, including the socket, in a per-FIB structure. So, take a
step towards that and 1) hide the socket, 2) add a boolean flag which
indicates whether a multicast router is registered.
Reviewed by: pouria, zlei, glebius, adrian
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55236
| |
MFC after: 1 week
Reported by: Ian FREISLICH <ianfreislich@gmail.com>
| |
Deal with the mifi >= nummifs case early so that we can de-indent the
rest of the code. This also ensures that the debug log (compiled out by
default) doesn't perform an out-of-bounds access.
Remove a bogus NULL test in an inner loop while here.
No functional change intended.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55059
| |
The ip_mroute and ip6_mroute modules hook into the network stack via
several function pointers. Declarations for these pointers are
scattered around several headers. Put them all in the same place,
ip(6)_mroute.h.
No functional change intended.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55058
| |
This change switches to using RFC 7217 algorithm as the default to
generate SLAAC addresses for IPv6 interfaces configured with
accept_rtadv.
Reviewed by: pouria, glebius, zlei
Approved by: zlei
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D55138
| |
Reported by: pouria
Reviewed by: pouria, ziaee, glebius
Approved by: glebius
Fixes: 31ec8b6407fdd5a87d70265762457c67ce618283
Differential Revision: https://reviews.freebsd.org/D55136
| |
ifnets already track if_allmulti() calls in the if_amcount field. That
field is older than the comment, so I'm not exactly sure what the intent
was; let's just remove it.
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
| |
No functional change intended.
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
| |
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
| |
This is more natural and corresponds more closely to the v4 multicast
routing code. No functional change intended.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54983
| |
- The v6 socket option and ioctl handlers had no privilege checks at
all. The socket options, I believe, can only be reached via a raw
socket, but a jailed root user with a raw socket shouldn't be able to
configure multicast routing in a non-VNET jail. The ioctls can only
be used to fetch stats.
- Delete a bogus comment in X_mrt_ioctl(), one can issue multicast
routing ioctls against any socket. Note that the call path is
soo_ioctl()->rtioctl_fib()->mrt_ioctl().
I think all of the mroute privilege checks should be done within the
ip(6)_mroute code, but let's first make the v4 and v6 modules
consistent.
Reviewed by: glebius
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54982
| |
No functional change intended.
MFC after: 1 week
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
| |
No functional change intended.
MFC after: 2 weeks
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
| |
Previously connect() or sendto() to INADDR_ANY or IN6ADDR_ANY reached
some socket bound to some host interface address. Although this was
intentional it was an artifact of a different era, and is not desirable
now.
In 417b35a97b76 markj added support to disallow connect() to INADDR_ANY
and IN6ADDR_ANY. Connections to INADDR_ANY were disabled by default in
cd240957d7ba. Follow suit with IN6ADDR_ANY.
Reviewed by: glebius, markj, zlei
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D54306
| |
The Jumbo Payload option was intended to allow the deployment of IPv6 on
networks with a link MTU in excess of 65,735 octets.
Speaking to one of the authors of RFC2675 the networks which motivated
the Jumbo Payload option no longer exist.
FreeBSD does not currently support any links with this capacity and
discussion when this change was first proposed suggested that the loop
back interface had to be patched to test implementation.
As there are no known devices that can carry Jumbo Payloads remove
support.
Reviewed by: glebius, tuexen, kp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D19960
| |
This is expected to fix the old in6_selecthlim() panics. The nature of
the panic is that a packet sending thread will obtain the struct ifnet
pointer locklessly and then pick the if_inet6 pointer from it and
dereference it. While the struct ifnet is freed via epoch_call(9), the
struct in6_ifextra until this change was not. For the forwarded packets,
or locally originated non-TCP packets we were probably safe due to the old
if_dead trick. But locally originated TCP packets may dereference
in6_ifextra via direct call into in6_selecthlim() from the tcp_output(),
before ip6_output().
NB: hypothetically a similar problem also applies to IPv4's if_inet pointer,
but there are no known panics, yet.
PR: 279653
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54728
| |
In mld_domifdetach() don't search the global list.
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54727
| |
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54726
| |
Stop using struct nd_ifinfo for that, because it is an API struct for
SIOCGIFINFO_IN6. The functional changes are isolated to the protocol
attach and detach: in6_ifarrival(), nd6_ifattach(), in6_ifdeparture(),
nd6_ifdetach(), as well as to the nd6_ioctl(), nd6_ra_input(),
nd6_slowtimo() and in6_ifmtu().
The dad_failures member was just renamed to match the rest. The M_IP6NDP
malloc(9) type declaration moved to files that actually use it.
The rest of the changes are mechanical substitution of double pointer
dereference via ND_IFINFO() to a single pointer dereference. This was
achieved with a sed(1) script:
s/ND_IFINFO\(([a-z0-9>_.-]+)\)->(flags|linkmtu|basereachable|reachable|retrans|chlim)/\1->if_inet6->nd_\2/g
s/nd_chlim/nd_curhoplimit/g
Reviewed by: tuexen, madpilot
Differential Revision: https://reviews.freebsd.org/D54725
| |
There should be no functional change. If there are any performance
concerns with a function call, with the future changes, that would move
ND6 bits into in6_ifextra, this function would be easily inline-able.
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54724
| |
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54723
| |
There is no functional change here, but we'd like to emphasize that the
nd_ifinfo structure is not actually a kernel ND6 software context,
despite being actively used this way, but an API/ABI structure for
ioctl(2). This should prevent ABI breakages like in 31ec8b6407fd.
This also is a step towards stopping using it as a kernel software
context.
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D54722
| |
If a jumbo payload option is added, the length of the mbuf chain is
increased by 8 but the actual hop-by-hop extension header with the
jumbo payload option is only inserted in the packet if there are
other options. Therefore, adjust optlen to reflect the actual size
of IPv6 extension headers including the hop-by-hop extension header
containing the jumbo payload option.
Reported by: syzbot+73fe316271df473230eb@syzkaller.appspotmail.com
Reviewed by: markj, Timo Voelker
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54394
| |
This ioctl has been marked as "old" starting with the original KAME export
over 20 years ago and has been hidden under #ifdef _KERNEL since. There
is no software that uses it.
| |
When one uses SIOCAIFADDR_IN6 to add a v6 address, it's possible to set
the preferred and valid lifetimes of the address. If the address
already exists, this ioctl will recalculate and update the expiry times
based on the provided timestamps.
When adding a new address, the lifetimes are inherited by the prefix as
well, but only if we create a new prefix. If the prefix already exists,
as it will in the case where an address is being updated rather than
being added, we do not touch the prefix lifetimes at all. This means
that the original address lifetime still applies to the route associated
with that prefix, so when the prefix expires, the route goes away.
This behaviour doesn't make a lot of sense: if the admin updates an
address lifetime, we should ensure that the prefix lifetime is updated
too. Make that change, ensuring that we do not shorten the prefix
lifetime, as the prefix might be shared among multiple interface
addresses.
Add a regression test.
Co-authored by: Franco Fichtner <franco@opnsense.org>
Reviewed by: pouria, zlei, ae
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54562
| |
Tidy up a bunch of places that have the same duplicated logic. Simplify
callers of in6_init_prefix_ltimes(). No functional change intended.
Reviewed by: pouria, zlei, tuexen, glebius
MFC after: 2 weeks
Sponsored by: OPNsense
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D54561
| |
LINT-NOVIMAGE fails to build due to a missing eventhandler.h include
which in the VIMAGE case is likely leaked through some other header.
Add the #include to unbreak the build.
Fixes: 0d469d23715d6 (net: attach IPv4 and IPv6 stacks to an ...)
| |
This change retires two historic relics: the if_afdata[] array and the
dom_ifattach/dom_ifdetach methods.
The if_afdata[] array is a relic of the era, when there was expectation
that many transport protocols will coexist with IP, e.g. IPX or NetAtalk.
The array hasn't had any members except AF_INET and AF_INET6 for over a
decade already. This change removes the array and just leaves two pointer
fields: if_inet and if_inet6.
The dom_ifattach/dom_ifdetach predates the EVENTHANDLER(9) framework and
was a good enough method to initialize protocol contexts back then. Today
there is no good reason to treat IPv4 and IPv6 stacks differently to other
protocols/features that attach and detach from an interface.
The locking of if_afdata[] is a relic of SMPng times, when the system
startup and the interface attach was even more convoluted than before this
change, and we also had unloadable protocols that used a field in
if_afdata[]. Note that IPv4 and IPv6 are not unloadable.
Note that this change removes NET_EPOCH_WAIT() from the interface detach
sequence. This may surface several new races associated with interface
removal. I failed to hit any with consecutive test suite runs, though.
The expected general race scenario is that while struct ifnet is freed
with proper epoch_call(9) itself, some structures hanging off ifnet are
freed with direct free(9). The proper fix is either make if_foo point at
some static "dead" structure providing SMP visibility of this store, or
free those structure with epoch_call(9). All of these cases are planned
to be found and resolved during 16.0-CURRENT lifetime.
Reviewed by: zlei, gallatin, melifaro
Differential Revision: https://reviews.freebsd.org/D54089
| |
Differential Revision: https://reviews.freebsd.org/D54063
| |
Add struct mtx to struct lltable and stop using IF_AFDATA_LOCK, that
was created for a completely different purpose. No functional change
intended.
Reviewed by: zlei, melifaro
Differential Revision: https://reviews.freebsd.org/D54086
| |
It is not clear what exactly this function is locking against. Seems
like just use some generic interface lock. The IF_AFDATA_LOCK goes
away soon together with if_afdata[], so put at least something in its
place. Note that this code is dead anyway (#ifdef EXPERIMENTAL).
| |
It is not clear what exactly this function is locking against. Seems
like just use some generic interface lock. The IF_AFDATA_LOCK goes
away soon together with if_afdata[], so put at least something in its
place.
| |
It is a remnant of a network stack design that was supposed to support
multiple network protocols. Today it is clear that we are left with IPv4
and IPv6 only. Only IPv6 may have an MTU different to the interface MTU.
| |
These were for $FreeBSD$ that was removed a while ago, but these
includes didn't get swept up in that. Remove them all now.
Sponsored by: Netflix
MFC After: 2 weeks
| |
We use the fact that all NICs that support hashing are using the
same hash algorithm and hash key to enable symmetric hashing in
TCP, where a software version of the same hash is used to
establish hashes on outgoing connections.
Sponsored by: Netflix
Reviewed by: adrian, zlei (both early version)
Differential Revision: https://reviews.freebsd.org/D53089
| |
No functional change intended, suggested by glebius.
Reviewed by: rscheff, zlei, tuexen
Differential Revision: https://reviews.freebsd.org/D53739
| |
After commit 530c2c30b0c7 we need to set flags to ensure that hop-by-hop
and hop limit options are included.
PR: 290407
Reviewed by: zlei, markj
MFC after: 3 days
Fixes: 530c2c30b0c7 ("ip6_output: Reduce cache misses on pktopts")
| |
MFC after: 1 week
| |
Save prefix length in unused field in6_ifaddr->ia_plen, then on remove
check if an address has 128 prefix length, and if so, we don't need to
complain that there is none of related prefixes.
Reviewed by: kp
Obtained from: Yandex LLC
MFC after: 1 week
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D52952
| |
Replace counter(9) usage with more lightweight atomic(9) in the
code handling RFC 7217 SLAAC address generation.
Also, use `u_int` types with this. Leaving `dad_failures` local to
`in6_get_stableifid()` as a `uint64_t` to avoid changing the generated
addresses from previous code; this also gives some headroom for
future changes.
While here, moved some `#include` lines to adhere to style(9).
Reviewed by: glebius, jhibbits, jtl, zlei
Approved by: glebius, jtl, zlei
Differential Revision: https://reviews.freebsd.org/D52731
| |
* use ND_NA_FLAG_ROUTER flag in carp_send_na() when we work as router.
* use in6addr_any as destination address for nd6_na_output(), then it
will use ipv6-all-nodes multicast address.
* add in6_selectsrc_nbr() function that accepts additional argument
ip6_moptions. Use this function from ND6 code to avoid cases when
nd6_na_output/nd6_ns_output can not find source address for
multicast destinations.
* add some comments from RFC2461 for better understanding.
* use tlladdr argument as flags and use ND6_NA_OPT_LLA when we need
to add target link-layer address option, and ND6_NA_CARP_MASTER when
we know that target address is CARP master. Then we can prepare
correct CARP's mac address if target address is CARP master.
* move blocks of code where multicast options are initialized and
use it when destination address is multicast.
Reviewed by: kp
Obtained from: Yandex LLC
MFC after: 2 weeks
Sponsored by: Yandex LLC
Differential Revision: https://reviews.freebsd.org/D52825
| |
The routine allocates the wrong size and then passes it to in6_get_ifid.
At the same time it violates invariants by issuing malloc with M_WAITOK
while within net epoch section.
Sponsored by: Rubicon Communications, LLC ("Netgate")
| |
commit 31ec8b6407fdd5a87d70265762457c67ce618283 added a `dad_failures`
variable to `struct nd_ifinfo`, which broke the networking ABI.
This commit fixes it by moving such variable to `struct in6_ifextra`
which is not a public interface, while `struct nd_ifinfo` is back
in its original state.
Thanks to kib, markj and glebius for their help and suggestions
in solving this problem.
Reported by: "Herbert J. Skuhra" <herbert@gojira.at>
Tested by: "Herbert J. Skuhra" <herbert@gojira.at>
Approved by: glebius
Fixes: 31ec8b6407fdd5a87d70265762457c67ce618283
| |
Implement RFC 7217 (A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Autoconfiguration
(SLAAC)) in our IPv6 stack.
A new ifconfig `stableaddr` flag is added to enable the feature on
interfaces, which defaults to on or off for new interfaces based
on the sysctl `net.inet6.ip6.use_stableaddr` (off by default, so
this commit causes no change in behavior with default settings).
The algorithm follows the RFC in its logic, using SHA256-HMAC as
the algorithm to derive addresses so as to provide code that can
be leveraged by future implementations of RFC 8981, leveraging the
`hostuuid` as the secret.
The source of the hostidentifier can be configured using the sysctl
`net.inet6.ip6.stableaddr_netifsource`, while the number of retries
generating a new address in case of collision can be configured
using the `net.inet6.ip6.stableaddr_maxretries` sysctl (default 3).
Documentation about all these flags is added to the ifconfig(8) man
page.
Reviewed by: cognet, glebius, hrs
Tested by: zarychtam@plan-b.pwste.edu.pl
Approved by: cognet, glebius
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D49681
| |
Previously, the macros used '>' instead of '>=' when comparing elapsed
time against the preferred and valid lifetimes. This caused any deprecated
address to become usable again for one extra second after receiving each
Router Advertisement. In that short window, the address could be
selected as a source for outgoing connections.
Update the checks to use '>=' so that addresses are deprecated or
invalid when their lifetime expires.
PR: 289177
Reported by: Dmitry Nexus <fbsd.4f6a at nexus tel>
Reviewed by: zlei
Submitted by: Marek Zarychta
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52323
| |
This adds support for obtaining timestamps from IPv6 packets using the
SO_BINTIME socket option, bringing it in parity with IPv4 behavior.
Enable testing the SO_BINTIME option in the relevant (manual) regression
test.
PR: 289423
Reviewed by: markj
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D52504
| |
in6_ifadd() asserts that an interface has an existing LL address with a /64
prefix from which to extract the ifid for SLAAC address selection (even though
the comments suggest that an ifid will be generated if one does not exist). This
is adequate for most generic cases, however to support PPP links with /128 LL
addresses we must be able to fall back on another source for the ifid since we
cannot assume the /128 LL has a unique ifid in the lower 64 bits.
To do this, the static function get_ifid() in in6_ifattach.c is renamed to
non-static in6_get_ifid(), and this is used in lieu of a proper /64 LL address
to attempt to obtain a valid ifid.
Reviewed by: kp
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51778
| |
When adding an interface with an IP address to a bridge, or assigning an
IP address to an interface which is in a bridge, and member_ifaddrs=1,
print a warning so users are informed this is deprecated. Also add
"(deprecated)" to the sysctl description.
MFC after: 9 hours
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D52335
| |
While diagnosing PR 279653 and PR 285129, I observed that a thread may
write to freed memory but the system does not crash. This hides the
real problem. A clear NULL pointer dereference is much better than writing
to freed memory.
PR: 279653
PR: 285129
Reviewed by: glebius
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D49444