1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-17 10:26:15 +00:00
Commit Graph

2668 Commits

Author SHA1 Message Date
Randall Stewart
44b7479ba2 - Macroizes the V6ONLY flag check.
- Added a short time wait (not used yet) constant
- Corrected the type of the crc32c table (it was
  unsigned long and really is a uint32_t
- Got rid of the user of MHeaders until they
  are truely needed by lower layers.
- Fixed an initialization problem in the readq structure
  (ordering was off).
- Found yet another collision bug when the random number
  generator returns two numbers on one side (during a collision)
  that are the same. Also added some tracking of cookies
  that will go away when we know that we have the last collision
  bug gone.
- Fixed an init bug for book_size_scale, that was causing
  Early FR code to run when it should not.
- Fixed a flight size tracking bug that was associated with
  Early FR but due to above bug also effected all FR's
- Fixed it so Max Burst also will apply to Fast Retransmit.
- Fixed a bug in the temporary logging code that allowed a
  static log array overflow
- hashinit_flags is now used.
- Two last mcopym's were converted to the macro sctp_m_copym that
  has always been used by all other places
- macro sctp_m_copym was converted to upper case.
- We now validate sinfo_flags on input (we did not before).
- Fixed a bug that prevented a user from sending data and immediately
  shuting down with one send operation.
- Moved to use hashdestroy instead of free() in our macros.
- Fixed an init problem in our timed_wait vtag where we
  did not fully initialize our time-wait blocks.
- Timer stops were re-positioned.
- A pcb cleanup method was added, however this probably will
  not be used in BSD.. unless we make module loadable protocols
- I think this fixes the mysterious timer bug.. it was a
  ordering of locks problem in the way we did timers. It
  now conforms to the timeout(9) manual (except for the
  _drain part, we had to do this a different way due
  to locks).
- Fixed error return code so we get either CONNREUSED or CONNRESET
  depending on where one is in progression
- Purged an unused clone macro.
- Fixed a read erro code issue where we were NOT getting the proper
  error when the connection was reset.
- Purged an unused clone macro.
- Fixed a read erro code issue where we were NOT getting the proper
  error when the connection was reset.
Approved by:	gnn
2007-01-15 15:12:10 +00:00
Maxim Konovalov
95ebcabed8 o Increment requests counter right before send out an ARP query actually.
Otherwise the code could lead to the spurious EHOSTDOWN errors.

PR:		kern/107807
Submitted by:	Dmitrij Tejblum
MFC after:	1 month
2007-01-14 18:44:17 +00:00
Warner Losh
0befead1e0 Marking this as __packed was needed to get the alignment and offset of
members right.  However, it also said it was aligned(1), which meant
that gcc generated really bad code.  Mark this as aligned(4).  This
makes things a little faster on arm (a couple percent), but also saves
about 30k on the size of the kernel for arm.

I talked about doing this with bde, but didn't check with him before
the commit, so I'm hesitant say 'reviewed by: bde'.
2007-01-12 07:23:31 +00:00
Julian Elischer
7e170af886 Remove two lines that somehow snuck back in after testing.
ip is now an argument to the function ipfw_log()
2007-01-09 21:03:07 +00:00
Maxim Konovalov
8b5b885047 o One more typo in the comment.
PR:		kern/107609
Submitted by:	Dr. Markus Waldeck
2007-01-06 13:12:24 +00:00
Paolo Pisati
3d2fff0d3d Prevent adding a rule with a nat action in case IPFIREWALL_NAT was not defined.
Reviewed: luigi
2007-01-05 12:15:31 +00:00
Paolo Pisati
61c0e134f5 Wrap ipfw nat support in a new kernel config option named
"IPFIREWALL_NAT": this way nat is turned off by default and
POLA is preserved.

Reviewed by: rwatson
2007-01-03 11:12:54 +00:00
Julian Elischer
3b62120e87 Remove a bunch of dependencies in the IP header being the first thing in the
mbuf. First moves toward being able to cope better with having layer 2 (or
other encapsulation data) before the IP header in the packet being examined.
More commits to come to round out this functionality. This commit should
have no practical effect but clears the way for what is coming.
Revirewed by: luigi, yar
MFC After: 2 weeks
2007-01-02 19:57:31 +00:00
Warner Losh
6796a2d434 Fix typo in comment.
Submitted by: remko
2007-01-01 00:35:34 +00:00
Warner Losh
74eb3236c7 Add comment about udp checksums being off in BSD 4.2 compatibility mode.
Submitted by: Dr. Markus Waldeck
PR: kern/106657
2006-12-31 21:34:53 +00:00
John Baldwin
54e3607de6 Whitespace fix and remove an extra cast. 2006-12-30 17:53:28 +00:00
Paolo Pisati
ff2f6fe80f Summer of Code 2005: improve libalias - part 2 of 2
With the second (and last) part of my previous Summer of Code work, we get:

-ipfw's in kernel nat

-redirect_* and LSNAT support

General information about nat syntax and some examples are available
in the ipfw (8) man page. The redirect and LSNAT syntax are identical
to natd, so please refer to natd (8) man page.

To enable in kernel nat in rc.conf, two options were added:

o firewall_nat_enable: equivalent to natd_enable

o firewall_nat_interface: equivalent to natd_interface

Remember to set net.inet.ip.fw.one_pass to 0, if you want the packet
to continue being checked by the firewall ruleset after being
(de)aliased.

NOTA BENE: due to some problems with libalias architecture, in kernel
nat won't work with TSO enabled nic, thus you have to disable TSO via
ifconfig (ifconfig foo0 -tso).

Approved by: glebius (mentor)
2006-12-29 21:59:17 +00:00
Randall Stewart
139bc87fda a) macro-ization of all mbuf and random number
access plus timers. This makes the code
   more portable and able to change out the
   mbuf or timer system used more easily ;-)
b) removal of all use of pkt-hdr's until only
   the places we need them (before ip_output routines).
c) remove a bunch of code not needed due to <b> aka
   worrying about pkthdr's :-)
d) There was one last reorder problem it looks where
   if a restart occur's and we release and relock (at
   the point where we setup our alias vtag) we would
   end up possibly getting the wrong TSN in place. The
   code that fixed the TSN's just needed to be shifted
   around BEFORE the release of the lock.. also code that
   set the state (since this also could contribute).
Approved by:	gnn
2006-12-29 20:21:42 +00:00
John Baldwin
08651e1f24 Some whitespace nits and remove a few casts. 2006-12-29 14:58:18 +00:00
Paolo Pisati
ccd57eea11 o made in kernel libalias mpsafe
o fixed a comment
o made in kernel libalias a bit less verbose (disabled automatic
  logging everytime a new link is added or deleted)

Approved by: glebius (mentor)
2006-12-15 12:50:06 +00:00
Randall Stewart
a5d547add3 1) Fixes on a number of different collision case LOR's.
2) Fix all "magic numbers" to be constants.
3) A collision case that would generate two associations to
   the same peer due to a missing lock is fixed.
4) Added tracking of where timers are stopped.
Approved by:	gnn
2006-12-14 17:02:55 +00:00
Christian S.J. Peron
826cef3d75 Fix LOR between the syncache and inpcb locks when MAC is present in the
kernel.  This LOR snuck in with some of the recent syncache changes.  To
fix this, the inpcb handling was changed:

- Hang a MAC label off the syncache object
- When the syncache entry is initially created, we pickup the PCB lock
  is held because we extract information from it while initializing the
  syncache entry.  While we do this, copy the MAC label associated with
  the PCB and use it for the syncache entry.
- When the packet is transmitted, copy the label from the syncache entry
  to the mbuf so it can be processed by security policies which analyze
  mbuf labels.

This change required that the MAC framework be extended to support the
label copy operations from the PCB to the syncache entry, and then from
the syncache entry to the mbuf.

These functions really should be referencing the syncache structure instead
of the label.  However, due to some of the complexities associated with
exposing this syncache structure we operate directly on it's label pointer.
This should be OK since we aren't making any access control decisions within
this code directly, we are merely allocating and copying label storage so
we can properly initialize mbuf labels for any packets the syncache code
might create.

This also has a nice side effect of caching.  Prior to this change, the
PCB would be looked up/locked for each packet transmitted.  Now the label
is cached at the time the syncache entry is initialized.

Submitted by:	andre [1]
Discussed with:	rwatson

[1] andre submitted the tcp_syncache.c changes
2006-12-13 06:00:57 +00:00
Bjoern A. Zeeb
7d32aa0cc9 In ip6_sprintf no longer use and return one of eight static buffers
for printing/logging ipv6 addresses.
The caller now has to hand in a sufficiently large buffer as first
argument.

This is the "+ one more change" missed in the original commit.

Noticed by:	tinderbox
Pointy hat to:	me (#1)
2006-12-12 17:44:46 +00:00
Bjoern A. Zeeb
1d54aa3ba9 MFp4: 92972, 98913 + one more change
In ip6_sprintf no longer use and return one of eight static buffers
for printing/logging ipv6 addresses.
The caller now has to hand in a sufficiently large buffer as first
argument.
2006-12-12 12:17:58 +00:00
Bruce M Simpson
3dbee59bd4 Back out revision 1.264.
Fixing the IP accounting issue, if we plan to do so, needs to be better
thought out; the 'fix' introduces a hash lookup and a possible kernel panic.

Reported by:	Mark Tinguely
2006-12-10 13:44:00 +00:00
Robert Watson
ece4c06484 Improve style(9) conformance of igmp.c. 2006-12-04 00:41:48 +00:00
Warner Losh
850adc0cd7 Make sure that carp_header is 36 bytes long 2006-12-01 18:37:41 +00:00
Paolo Pisati
5910c1c1b9 Make libalias.conf parsing a bit smarter.
This closes PR kern/106112.

While here, add mbuf's #includes i forgot in the previous commit.

Approved by: gleb
2006-12-01 16:34:53 +00:00
Paolo Pisati
e876228edc Remove m_megapullup from ng_nat and put it under libalias.
Approved by: gleb
2006-12-01 16:27:11 +00:00
Robert Watson
e3fd5ffdf1 Consistently use #ifdef INET6 rather than mixing and matching with
#if defined(INET6).

Don't comment the end of short #ifdef blocks.

Comment cleanup.

Line wrap.
2006-11-30 10:54:54 +00:00
Sam Leffler
21367f630d Change error codes returned by protocol operations when an inpcb is
marked INP_DROPPED or INP_TIMEWAIT:
o return ECONNRESET instead of EINVAL for close, disconnect, shutdown,
  rcvd, rcvoob, and send operations
o return ECONNABORTED instead of EINVAL for accept

These changes should reduce confusion in applications since EINVAL is
normally interpreted to mean an invalid file descriptor.  This change
does not conflict with POSIX or other standards I checked. The return
of EINVAL has always been possible but rare; it's become more common
with recent changes to the socket/inpcb handling and with finer-grained
locking and preemption.

Note: there are other instances of EINVAL for this state that were
      left unchanged; they should be reviewed.

Reviewed by:	rwatson, andre, ru
MFC after:	1 month
2006-11-22 17:16:54 +00:00
Bjoern A. Zeeb
89e7e7e32a Add SCTP as a known upper layer protocol over v6.
We are not yet aware of the protocol internals but this way
SCTP traffic over v6 will not be discarded.

Reported by: Peter Lei via rrs
Tested by:   Peter Lei <peterlei cisco.com>
2006-11-13 19:07:32 +00:00
Randall Stewart
7f34832b95 In a true restart case, the send_lock was
not being aquired. This meant that when we cleanup
the outbound we may have one in transit to be
added with the old sequence number. This is bad
since then we loose a message :(

Also the report_outbound needed to have the right
lock when its called which it did not.. I added
the lock with of course a flag since we want to
have the lock before we call it in the restart
case.

This also fixed the FIX ME case where, in the cookie
collision case, we mark for retransmit any that
were bundled with the cookie that was dropped.
This also means changes to the output routine
so we can assure getting the COOKIE-ACK sent
BEFORE we retransmit the Data.

Approved by:	gnn
2006-11-11 22:44:12 +00:00
Randall Stewart
6a91f103b6 Turns out we would reset the TSN seq counter during
a colliding INIT. This if fine except when we have
data outstanding... we basically reset it to the
previous value it was.. so then we end up assigning
the same TSN to two different data chunks.
This patch:

1) Finds a missing lock for when we change the stream
   numbers during COOKIE and INIT-ACK processing.. we
   were NOT locking the send_buffer.. which COULD cause
   problems (found by inspection looking for <2>)

2) Fixes a case during a colliding INIT where we incorrectly
   reset the sending Sequence thus in some cases duplicately
   assigning a TSN.

3) Additional enhancments to logging so we can see strm/tsn in
   the receiver AND new tracking to watch what the sender
   is doing with TSN and STRM seq's.

Approved by:	gnn
2006-11-11 15:59:01 +00:00
Randall Stewart
de0e935b29 This patch fixes a LOR that happens during INIT-ACK collision.
We were calling select_a_tag() inside sctp_send_initate_ack().
During collision cases we have a stcb and thus a SCTP_LOCK. When
we call select_a_tag it (below it) locks the INFO lock. We now
1) pre-select the nonce-tie-tags in sctputil.c during setup of
   a tcb.
2) In the other case where we have to select tags, we unlock after
   incr the ref cnt (so assoc won't go away0 and then do the
   tag selection followed by a relock and decr the refcnt.
Approved by:	gnn
2006-11-10 13:34:55 +00:00
Randall Stewart
08598d7067 Fixes an issue with handling of stream reset. When a
reset comes in we need to calculate the length and
therefore the number of listed streams (if any) based
on the TLV type. Otherwise if we get a retran we could
in theory panic by sending a notification to a user with
a incorrect list and thus no memory listing the streams.
Found in IOS by devtest :-)
Approved by:	gnn
2006-11-09 21:01:07 +00:00
Randall Stewart
03b0b02163 -Fixes first of all the getcred on IPv6 and V4. The
copy's were incorrect and so was the locking.
-A bug was also found that would create a race and
 panic when an abort arrived on a socket being read
 from.
-Also fix the reader to get MSG_TRUNC when a partial
 delivery is aborted.
-Also addresses a couple of coverity caught error path
 memory leaks and a couple of other valid complaints
Approved by:	gnn
2006-11-08 00:21:13 +00:00
Joe Marcus Clarke
1bc3d4c1d1 Fix TFTP NAT support by making sure the appropriate fingerprinting checks
are done.

Reviewed by:	piso
2006-11-07 21:06:48 +00:00
Robert Watson
b96fbb37da Convert three new suser(9) calls introduced between when the priv(9)
patch was prepared and committed to priv(9) calls.  Add XXX comments
as, in each case, the semantics appear to differ from the TCP/UDP
versions of the calls with respect to jail, and because cr_canseecred()
is not used to validate the query.

Obtained from:	TrustedBSD Project
2006-11-06 14:54:06 +00:00
Randall Stewart
f4ad963c9f This changes tracks down the EEOR->NonEEOR mode failure
to wakeup on close of the sender. It basically moves
the return (when the asoc has a reader/writer) further
down and gets the wakeup and assoc appending (of the
PD-API event) moved up before the return.  It also
moves the flag set right before the return so we can
assure only once adding the PD-API events.

Approved by:	gnn
2006-11-06 14:34:21 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Ruslan Ermilov
9274ba8a1f Revert previous commit, and instead make the expression in rev. 1.2
match the style of this file.

OK'ed by:	rrs
2006-11-05 14:36:59 +00:00
Randall Stewart
50cec91936 Tons of fixes to get all the 64bit issues removed.
This also moves two 16 bit int's to become 32 bit
values so we do not have to use atomic_add_16.
Most of the changes are %p, casts and other various
nasty's that were in the orignal code base. With this
commit my machine will now do a build universe.. however
I as yet have not tested on a 64bit machine .. it may not work :-(
2006-11-05 13:25:18 +00:00
Ruslan Ermilov
11acae799a Fix pointer arithmetic to be 64-bit friendly. 2006-11-04 08:45:50 +00:00
Ruslan Ermilov
e349e6b8a0 Remove bogus casts that Randall for some reason didn't borrow
from my supplied patch.
2006-11-04 08:19:01 +00:00
John Birrell
5051417909 Remove a bogus cast in an attempt to fix the tinderbox builds on
lots of arches.
2006-11-04 05:39:39 +00:00
Randall Stewart
562a89b562 More 64 bit pointer fun.
%p changed in multiple prints
the mtod() was also fixed.
2006-11-03 23:04:34 +00:00
Randall Stewart
249820a7d8 Fix two of the 64bit errors on the printfs. 2006-11-03 21:19:54 +00:00
Randall Stewart
cef8ad061a Somehow I missed this one. The sys/cdef.h was out
of order with respect to the FSBID..
2006-11-03 19:48:56 +00:00
Randall Stewart
73932c69b6 Opps... in my fix up of all the $FreeBSD:$-> $FreeBSD$ I
inserted a few to the new files.. but I falied to
add the #include <sys/cdef.h>

Which causes a compile error.. sorry about that... got it
now :-)

Approved by:gnn
2006-11-03 17:21:53 +00:00
Randall Stewart
f8829a4a40 Ok, here it is, we finally add SCTP to current. Note that this
work is not just mine, but it is also the works of Peter Lei
and Michael Tuexen. They both are my two key other developers
working on the project.. and they need ata-boy's too:
****
peterlei@cisco.com
tuexen@fh-muenster.de
****
I did do a make sysent which updated the
syscall's and sysproto.. I hope that is correct... without
it you don't build since we have new syscalls for SCTP :-0

So go out and look at the NOTES, add
option SCTP (make sure inet and inet6 are present too)
and play with SCTP.

I will see about comitting some test tools I have after I
figure out where I should place them. I also have a
lib (libsctp.a) that adds some of the missing socketapi
functions that I need to put into lib's.. I will talk
to George about this :-)

There may still be some 64 bit issues in here, none of
us have a 64 bit processor to test with yet.. Michael
may have a MAC but thats another beast too..

If you have a mac and want to use SCTP contact Michael
he maintains a web site with a loadable module with
this code :-)

Reviewed by:	gnn
Approved by:	gnn
2006-11-03 15:23:16 +00:00
Oleg Bulyzhin
35da9180dc - Use non-recursive mutex. MTX_RECURSE is unnecessary since rev. 1.70
- Pay respect to net.isr.direct: use netisr_dispatch() instead of ip_input()

Reviewed by:	glebius, rwatson

- purge_flow_set():
    - Do not leak memory while purging queues which are not bound to pipe.
    - style(9) cleanup

MFC after:	2 months
2006-10-29 12:09:24 +00:00
Oleg Bulyzhin
c2df509a1d - Convert
net.inet.ip.dummynet.curr_time
	net.inet.ip.dummynet.searches
	net.inet.ip.dummynet.search_steps
  to SYSCTL_LONG nodes. It will prevent frequent wrap around on 64bit archs.

- Implement simple mechanics for dummynet(4) internal time correction.
  Under certain circumstances (system high load, dummynet lock contention, etc)
  dummynet's tick counter can be significantly slower than it should be.
  (I've observed up to 25% difference on one of my production servers).
  Since this counter used for packet scheduling, it's accuracy is vital for
  precise bandwidth limitation.

  Introduce new sysctl nodes:
  net.inet.ip.dummynet.
    tick_lost		- number of ticks coalesced by taskqueue thread.
    tick_adjustment	- number of time corrections done.
    tick_diff		- adjusted vs non-adjusted tick counter difference
    tick_delta		- last vs 'standard' tick differnece (usec).
    tick_delta_sum	- accumulated (and not corrected yet) time
  			  difference (usec).

Reviewed by:	glebius
MFC after:	2 month
2006-10-27 13:05:37 +00:00
Oleg Bulyzhin
b2b05096fd Use separate thread for servicing dummynet(4).
Utilize taskqueue(9) API.

Submitted by:	glebius
MFC after:	2 month
2006-10-27 11:16:58 +00:00
Oleg Bulyzhin
c447b19f6e style(9) cleanup.
MFC after:	2 month
2006-10-27 10:52:32 +00:00