#
259065 |
|
07-Dec-2013 |
gjb |
- Copy stable/10 (r259064) to releng/10.0 as part of the 10.0-RELEASE cycle. - Update __FreeBSD_version [1] - Set branch name to -RC1
[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so start releng/10.0 at '100' so the branch is started with a value ending in zero.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
253769 |
|
29-Jul-2013 |
ae |
Fix a possible NULL-pointer dereference on the pfsync(4) reconfiguration.
Reported by: Eugene M. Zheganin
|
#
250518 |
|
11-May-2013 |
glebius |
Invalid creatorid is always EINVAL, not only when we are in verbose mode.
|
#
250313 |
|
06-May-2013 |
glebius |
Improve KASSERT() message.
|
#
249925 |
|
26-Apr-2013 |
glebius |
Add const qualifier to the dst parameter of the ifnet if_output method.
|
#
248207 |
|
12-Mar-2013 |
glebius |
Functions m_getm2() and m_get2() have different order of arguments, and that can drive someone crazy. While m_get2() is young and not documented yet, change its order of arguments to match m_getm2().
Sorry for churn, but better now than later.
|
#
246822 |
|
15-Feb-2013 |
glebius |
Finish the r244185. This fixes ever growing counter of pfsync bad length packets, which was actually harmless.
Note that peers with different version of head/ may grow this counter, but it is harmless - all pfsync data is processed.
Reported & tested by: Anton Yuzhaninov <citrin citrin.ru> Sponsored by: Nginx, Inc
|
#
244769 |
|
28-Dec-2012 |
glebius |
In netpfil/pf: - Add my copyright to files I've touched a lot this year. - Add dash in front of all copyright notices according to style(9). - Move $OpenBSD$ down below copyright notices. - Remove extra line between cdefs.h and __FBSDID.
|
#
244202 |
|
14-Dec-2012 |
glebius |
Fix VIMAGE build broken in r244185.
Submitted by: Nikolai Lifanov <lifanov mail.lifanov.com>
|
#
244185 |
|
13-Dec-2012 |
glebius |
Merge rev. 1.119 from OpenBSD:
date: 2009/03/31 01:21:29; author: dlg; state: Exp; lines: +9 -16 ...
this also firms up some of the input parsing so it handles short frames a bit better.
This actually fixes reading beyond mbuf data area in pfsync_input(), that may happen at certain pfsync datagrams.
|
#
244113 |
|
11-Dec-2012 |
glebius |
Merge 1.127 from OpenBSD, that closes a regression from 1.125 (merged as r242694): do better detection of when we have a better version of the tcp sequence windows than our peer.
this resolves the last of the pfsync traffic storm issues ive been able to produce, and therefore makes it possible to do usable active-active statuful firewalls with pf.
|
#
243940 |
|
06-Dec-2012 |
glebius |
Remove extra PFSYNC_LOCK() in pfsync_bulk_update() which lead to lock recursion.
Reported by: Ian FREISLICH <ianf cloudseed.co.za>
|
#
243939 |
|
06-Dec-2012 |
glebius |
Revert erroneous r242693. A state may have PFTM_UNLINKED being on the PFSYNC_S_DEL queue of pfsync.
|
#
242694 |
|
07-Nov-2012 |
glebius |
Merge rev. 1.125 from OpenBSD: date: 2009/06/12 02:03:51; author: dlg; state: Exp; lines: +59 -69 rewrite the way states from pfsync are merged into the local state tree and the conditions on which pfsync will notify its peers on a stale update.
each side (ie, the sending and receiving side) of the state update is compared separately. any side that is further along than the local state tree is merged. if any side is further along in the local state table, an update is sent out telling the peers about it.
|
#
242693 |
|
07-Nov-2012 |
glebius |
It may happen that pfsync holds the last reference on a state. In this case keys had already been freed. If encountering such state, then just release last reference.
Not sure this can happen as a runtime race, but can be reproduced by the following scenario:
- enable pfsync - disable pfsync - wait some time - enable pfsync
|
#
241913 |
|
22-Oct-2012 |
glebius |
Switch the entire IPv4 stack to keep the IP packet header in network byte order. Any host byte order processing is done in local variables and host byte order values are never[1] written to a packet.
After this change a packet processed by the stack isn't modified at all[2] except for TTL.
After this change a network stack hacker doesn't need to scratch his head trying to figure out what is the byte order at the given place in the stack.
[1] One exception still remains. The raw sockets convert host byte order before pass a packet to an application. Probably this would remain for ages for compatibility.
[2] The ip_input() still subtructs header len from ip->ip_len, but this is planned to be fixed soon.
Reviewed by: luigi, Maxim Dounin <mdounin mdounin.ru> Tested by: ray, Olivier Cochard-Labbe <olivier cochard.me>
|
#
241610 |
|
16-Oct-2012 |
glebius |
Make the "struct if_clone" opaque to users of the cloning API. Users now use function calls:
if_clone_simple() if_clone_advanced()
to initialize a cloner, instead of macros that initialize if_clone structure.
Discussed with: brooks, bz, 1 year ago
|
#
241394 |
|
10-Oct-2012 |
kevlo |
Revert previous commit...
Pointyhat to: kevlo (myself)
|
#
241370 |
|
09-Oct-2012 |
kevlo |
Prefer NULL over 0 for pointers
|
#
241131 |
|
02-Oct-2012 |
glebius |
To reduce volume of pfsync traffic: - Scan request update queue to prevent doubles. - Do not push undersized daragram in pfsync_update_request().
|
#
241057 |
|
29-Sep-2012 |
glebius |
Clear and re-setup all function pointers that glue pf(4) and pfsync(4) together whenever the pfsync0 is brought down or up respectively.
|
#
241056 |
|
29-Sep-2012 |
glebius |
Simplify send out queue code: - Write method of a queue now is void,length of item is taken as queue property. - Write methods don't need to know about mbud, supply just buf to them. - No need for safe queue iterator in pfsync_sendout().
Obtained from: OpenBSD
|
#
240836 |
|
22-Sep-2012 |
glebius |
EBUSY is a better reply for refusing to unload pf(4) or pfsync(4).
Submitted by: pluknet
|
#
240494 |
|
14-Sep-2012 |
glebius |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/ sys/contrib/pf/net/*.h -> sys/net/ contrib/pf/pfctl/*.c -> sbin/pfctl contrib/pf/pfctl/*.h -> sbin/pfctl contrib/pf/pfctl/pfctl.8 -> sbin/pfctl contrib/pf/pfctl/*.4 -> share/man/man4 contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
Discussed with: bz, luigi
|
#
240233 |
|
08-Sep-2012 |
glebius |
Merge the projects/pf/head branch, that was worked on for last six months, into head. The most significant achievements in the new code:
o Fine grained locking, thus much better performance. o Fixes to many problems in pf, that were specific to FreeBSD port.
New code doesn't have that many ifdefs and much less OpenBSDisms, thus is more attractive to our developers.
Those interested in details, can browse through SVN log of the projects/pf/head branch. And for reference, here is exact list of revisions merged:
r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330, r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656, r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782, r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868, r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223, r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456, r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505, r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168, r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230, r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398, r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548, r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672, r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169, r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442, r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522, r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661, r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.
I'd like to thank people who participated in early testing:
Tested by: Florian Smeets <flo freebsd.org> Tested by: Chekaluk Vitaly <artemrts ukr.net> Tested by: Ben Wilber <ben desync.com> Tested by: Ian FREISLICH <ianf cloudseed.co.za>
|
#
233917 |
|
05-Apr-2012 |
ae |
Fix VIMAGE build.
|
#
233874 |
|
04-Apr-2012 |
glebius |
Merge from OpenBSD: revision 1.173 date: 2011/11/09 12:36:03; author: camield; state: Exp; lines: +11 -12 State expire time is a baseline time ("last active") for expiry calculations, and does _not_ denote the time when to expire. So it should never be added to (set into the future).
Try to reconstruct it with an educated guess on state import and just set it to the current time on state updates.
This fixes a problem on pfsync listeners where the expiry time could be double the expected value and cause a lot more states to linger.
|
#
233846 |
|
03-Apr-2012 |
glebius |
Since pf 4.5 import pf(4) has a mechanism to defer forwarding a packet, that creates state, until pfsync(4) peer acks state addition (or 10 msec timeout passes).
This is needed for active-active CARP configurations, which are poorly supported in FreeBSD and arguably a good idea at all.
Unfortunately by the time of import this feature in OpenBSD was turned on, and did not have a switch to turn it off. This leaked to FreeBSD.
This change make it possible to turn this feature off via ioctl() and turns it off by default.
Obtained from: OpenBSD
|
#
232685 |
|
08-Mar-2012 |
glebius |
Merge from OpenBSD:
revision 1.146 date: 2010/05/12 08:11:11; author: claudio; state: Exp; lines: +2 -3 bzero() the full compressed update struct before setting the values. This is needed because pf_state_peer_hton() skips some fields in certain situations which could result in garbage beeing sent to the other peer. This seems to fix the pfsync storms seen by stephan@ and so dlg owes me a whiskey.
I didn't see any storms, but this definitely fixes a useless memory allocation on the receiving side, due to non zero scrub_flags field in a pfsync_state_peer structure.
|
#
230265 |
|
17-Jan-2012 |
glebius |
Allocate our mbuf with m_get2().
|
#
229976 |
|
11-Jan-2012 |
glebius |
Redo r226660: - Define schednetisr() to swi_sched. - In the swi handler check if there is some data prepared, and if true, then call pfsync_sendout(), however tell it not to schedule swi again. - Since now we don't obtain the pfsync lock in the swi handler, don't use ifqueue mutex to synchronize queue access.
|
#
229964 |
|
11-Jan-2012 |
glebius |
Fix some spacing in code under __FreeBSD__.
|
#
229963 |
|
11-Jan-2012 |
glebius |
Add necessary locking in pfsync_in_ureq().
|
#
229962 |
|
11-Jan-2012 |
glebius |
Move PF_LOCK_ASSERT() under __FreeBSD__.
|
#
229961 |
|
11-Jan-2012 |
glebius |
Merge from OpenBSD: revision 1.128 date: 2009/08/16 13:01:57; author: jsg; state: Exp; lines: +1 -5 remove prototypes of a bunch of functions that had their implementations removed in pfsync v5.
|
#
229857 |
|
09-Jan-2012 |
glebius |
Can't pass MSIZE to m_cljget(), an mbuf can't be attached as external storage to another mbuf.
|
#
229853 |
|
09-Jan-2012 |
glebius |
Backout of backout: we need SI_SUB_PROTO_DOMAIN for pfsync, since it needs existing inetdomain on startup.
|
#
229852 |
|
09-Jan-2012 |
glebius |
Revert sub argument of MODULE_DECLARE back to r226532.
Noticed by: bz
|
#
229851 |
|
09-Jan-2012 |
glebius |
In FreeBSD we determine presence of pfsync(4) at run-time, not at compile time, so define NPFSYNC to 1 always. While here, remove unused defines.
|
#
229850 |
|
09-Jan-2012 |
glebius |
Bunch of fixes to pfsync(4) module load/unload:
o Make the pfsync.ko actually usable. Before this change loading it didn't register protosw, so was a nop. However, a module /boot/kernel did confused users. o Rewrite the way we are joining multicast group: - Move multicast initialization/destruction to separate functions. - Don't allocate memory if we aren't going to join a multicast group. - Use modern API for joining/leaving multicast group. - Now the utterly wrong pfsync_ifdetach() isn't needed. o Move module initialization from SYSINIT(9) to moduledata_t method. o Refuse to unload module, unless asked forcibly. o Improve a bit some FreeBSD porting code: - Use separate malloc type. - Simplify swi sheduling.
This change is probably wrong from VIMAGE viewpoint, however pfsync wasn't VIMAGE-correct before this change, too.
Glanced at by: bz
|
#
229777 |
|
07-Jan-2012 |
glebius |
Merge from OpenBSD: revision 1.170 date: 2011/10/30 23:04:38; author: mikeb; state: Exp; lines: +6 -7 Allow setting big MTU values on the pfsync interface but not larger than the syncdev MTU. Prompted by the discussion with and tested by Maxim Bourmistrov; ok dlg, mpf
Consistently use sc_ifp->if_mtu in the MTU check throughout the module. This backs out r228813.
|
#
229773 |
|
07-Jan-2012 |
glebius |
Fix indentation.
|
#
228855 |
|
23-Dec-2011 |
pluknet |
Fix LINT-VIMAGE build after r228814: use virtualized pf_pool_limits.
|
#
228816 |
|
22-Dec-2011 |
glebius |
Merge from OpenBSD: revision 1.122 date: 2009/05/13 01:01:34; author: dlg; state: Exp; lines: +6 -4 only keep track of the number of updates on tcp connections. state sync on all the other protocols is simply pushing the timeouts along which has a resolution of 1 second, so it isnt going to be hurt by pfsync taking up to a second to send it over.
keep track of updates on tcp still though, their windows need constant attention.
|
#
228815 |
|
22-Dec-2011 |
glebius |
Merge from OpenBSD: revision 1.120 date: 2009/04/04 13:09:29; author: dlg; state: Exp; lines: +5 -5 use time_uptime instead of time_second internally. time_uptime isnt affected by adjusting the clock.
revision 1.175 date: 2011/11/25 12:52:10; author: dlg; state: Exp; lines: +3 -3 use time_uptime to set state creation values as time_second can be skewed at runtime by things like date(1) and ntpd. time_uptime is monotonic and therefore more useful to compare against.
|
#
228814 |
|
22-Dec-2011 |
glebius |
Merge couple more fixes from OpenBSD to bulk processing:
revision 1.118 date: 2009/03/23 06:19:59; author: dlg; state: Exp; lines: +8 -6 wait an appropriate amount of time before giving up on a bulk update, rather than giving up after a hardcoded 5 seconds (which is generally much too short an interval for a bulk update). pointed out by david@, eyeballed by mcbride@
revision 1.171 date: 2011/10/31 22:02:52; author: mikeb; state: Exp; lines: +2 -1 Don't forget to cancel bulk update failure timeout when destroying an interface. Problem report and fix from Erik Lax, thanks!
Start a brief note of revisions merged from OpenBSD.
|
#
228813 |
|
22-Dec-2011 |
glebius |
We really mean MTU of the real interface here, not of our pseudo.
|
#
228811 |
|
22-Dec-2011 |
glebius |
In FreeBSD we always have bpf(4) API, either real or stub. No need in detecting presense of 'device bpf'.
|
#
228736 |
|
20-Dec-2011 |
glebius |
Restore a feature that was present in 5.x and 6.x, and was cleared in 7.x, 8.x and 9.x with pf(4) imports: pfsync(4) should suppress CARP preemption, while it is running its bulk update.
However, reimplement the feature in more elegant manner, that is partially inspired by newer OpenBSD:
- Rename term "suppression" to "demotion", to match with OpenBSD. - Keep a global demotion factor, that can be raised by several conditions, for now these are: - interface goes down - carp(4) has problems with ip_output() or ip6_output() - pfsync performs bulk update - Unlike in OpenBSD the demotion factor isn't a counter, but is actual value added to advskew. The adjustment values for particular error conditions are also configurable, and their defaults are maximum advskew value, so a single failure bumps demotion to maximum. This is for POLA compatibility, and should satisfy most users. - Demotion factor is a writable sysctl, so user can do foot shooting, if he desires to.
|
#
228732 |
|
20-Dec-2011 |
glebius |
- Cover pfsync callouts deletion with PF_LOCK(). - Cover setting up interface between pf and pfsync with PF_LOCK().
|
#
226831 |
|
27-Oct-2011 |
glebius |
Utilize new IF_DEQUEUE_ALL(ifq, m) macro in pfsyncintr() to reduce contention on ifqueue lock.
|
#
226663 |
|
23-Oct-2011 |
glebius |
Merge several fixes to bulk update processing from OpenBSD. Merged revisions: 1.148, 1.149, 1.150. This makes number of states on master/slave to be of a sane value.
|
#
226662 |
|
23-Oct-2011 |
glebius |
Fix indentation, no code changed.
|
#
226661 |
|
23-Oct-2011 |
glebius |
- Fix a bad typo (FreeBSD specific) in pfsync_bulk_update(). Instead of scheduling next run pfsync_bulk_update(), pfsync_bulk_fail() was scheduled. This lead to instant 100% state leak after first bulk update request. - After above fix, it appeared that pfsync_bulk_update() lacks locking. To fix this, sc_bulk_tmo callout was converted to an mtx one. Eventually, all pf/pfsync callouts should be converted to mtx version, since it isn't possible to stop or drain a non-mtx callout without risk of race. - Add comment that callout_stop() in pfsync_clone_destroy() lacks locking. Since pfsync0 can't be destroyed (yet), let it be here.
|
#
226660 |
|
23-Oct-2011 |
glebius |
Fix from r226623 is not sufficient to close all races in pfsync(4).
The root of problem is re-locking at the end of pfsync_sendout(). Several functions are calling pfsync_sendout() holding pointers to pf data on stack, and these functions expect this data to be consistent.
To fix this, the following approach was taken:
- The pfsync_sendout() doesn't call ip_output() directly, but enqueues the mbuf on sc->sc_ifp's interfaces queue, that is currently unused. Then pfsync netisr is scheduled. PF_LOCK isn't dropped in pfsync_sendout(). - The netisr runs through queue and ip_output()s packets on it.
Apart from fixing race, this also decouples stack, fixing potential issues, that may happen, when sending pfsync(4) packets on input path.
Reviewed by: eri (a quick review)
|
#
226656 |
|
23-Oct-2011 |
glebius |
Absense of M_WAITOK in malloc flags for UMA doesn't equals presense of M_NOWAIT. Specify M_NOWAIT explicitly.
This fixes sleeping with PF_LOCK().
|
#
226623 |
|
21-Oct-2011 |
glebius |
Fix a race: we should update sc_len before dropping the pf lock, otherwise a number of packets can be queued on sc, while we are in ip_output(), and then we wipe the accumulated sc_len. On next pfsync_sendout() that would lead to writing beyond our mbuf cluster.
|
#
226609 |
|
21-Oct-2011 |
glebius |
In FreeBSD ip_output() expects ip_len and ip_off in host byte order
PR: kern/159029
|
#
226544 |
|
19-Oct-2011 |
bz |
Fix recursive pf locking leading to panics. Splatter PF_LOCK_ASSERT()s to document where we are expecting to be called with a lock held to more easily catch unnoticed code paths. This does not neccessarily improve locking in pfsync, it just tries to avoid the panics reported.
PR: kern/159390, kern/158873 Submitted by: pluknet (at least something that partly resembles my patch ignoring other cleanup, which I only saw too late on the 2nd PR) MFC After: 3 days
|
#
226535 |
|
19-Oct-2011 |
bz |
Adjust the PF_ASSERT() macro to what we usually use in the network stack: PF_LOCK_ASSERT() and PF_UNLOCK_ASSERT().
MFC after: 3 days
|
#
226532 |
|
19-Oct-2011 |
bz |
Pseudo interfaces should go at SI_SUB_PSEUDO. However at least pfsync also depends on pf to be initialized already so pf goes at FIRST and the interfaces go at ANY. Then the (VNET_)SYSINIT startups for pf stays at SI_SUB_PROTO_BEGIN and for pfsync we move to the later SI_SUB_PROTO_IF.
This is not ideal either but at least an order that should work for the moment and can be re-fined with the VIMAGE merge, once this will actually work with more than one network stack.
MFC after: 3 days
|
#
226531 |
|
19-Oct-2011 |
bz |
Fix an obvious locking bug where we would lock again rather than unlock.
MFC after: 3 days
|
#
224936 |
|
17-Aug-2011 |
pluknet |
Fix build failure without BPF.
Reported by: deeptech71 at gmail dot com Approved by: re (kib)
|
#
223637 |
|
28-Jun-2011 |
bz |
Update packet filter (pf) code to OpenBSD 4.5.
You need to update userland (world and ports) tools to be in sync with the kernel.
Submitted by: mlaier Submitted by: eri
|
#
200930 |
|
23-Dec-2009 |
delphij |
Adapt OpenBSD pf's "sloopy" TCP state machine which is useful for Direct Server Return mode, where not all packets would be visible to the load balancer or gateway.
This commit should be reverted when we merge future pf versions. The benefit it would provide is that this version does not break any existing public interface and thus won't be a problem if we want to MFC it to earlier FreeBSD releases.
Discussed with: mlaier Obtained from: OpenBSD Sponsored by: iXsystems, Inc. MFC after: 1 month
|
#
191148 |
|
16-Apr-2009 |
kmacy |
Change if_output to take a struct route as its fourth argument in order to allow passing a cached struct llentry * down to L2
Reviewed by: rwatson
|
#
171637 |
|
28-Jul-2007 |
rwatson |
Replace references to NET_CALLOUT_MPSAFE with CALLOUT_MPSAFE, and remove definition of NET_CALLOUT_MPSAFE, which is no longer required now that debug.mpsafenet has been removed.
The once over: bz Approved by: re (kensmith)
|
#
171168 |
|
03-Jul-2007 |
mlaier |
Commit resolved import of OpenBSD 4.1 pf from perforce.
Approved by: re (kensmith)
|
#
168700 |
|
13-Apr-2007 |
bms |
In member interface detach event handler, do not attempt to free state which has already been freed by in_ifdetach(). With this cumulative change, the removal of a member interface will not cause a panic in pfsync(4).
Requested by: yar PR: 86848
|
#
167710 |
|
19-Mar-2007 |
bms |
Teach pfsync(4) that its member interfaces may go away.
This change partially resolves the issue in the PR. Further architectural fixes, in the form of reference counting, are needed.
PR: 86848 Reviewed by: yar MFC after: 1 month
|
#
165632 |
|
29-Dec-2006 |
jhb |
Various bpf(4) related fixes to catch places up to the new bpf(4) semantics. - Stop testing bpf pointers for NULL. In some cases use bpf_peers_present() and then call the function directly inside the conditional block instead of the macro. - For places where the entire conditional block is the macro, remove the test and make the macro unconditional. - Use BPF_MTAP() in if_pfsync on FreeBSD instead of an expanded version of the old semantics.
Reviewed by: csjp (older version)
|
#
164033 |
|
06-Nov-2006 |
rwatson |
Sweep kernel replacing suser(9) calls with priv(9) calls, assigning specific privilege names to a broad range of privileges. These may require some future tweaking.
Sponsored by: nCircle Network Security, Inc. Obtained from: TrustedBSD Project Discussed on: arch@ Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri, Alex Lyashkov <umka at sevcity dot net>, Skip Ford <skip dot ford at verizon dot net>, Antoine Brodin <antoine dot brodin at laposte dot net>
|
#
160195 |
|
09-Jul-2006 |
sam |
Revise network interface cloning to take an optional opaque parameter that can specify configuration parameters: o rev cloner api's to add optional parameter block o add SIOCCREATE2 that accepts parameter data o rev vlan support to use new api (maintain old code)
Reviewed by: arch@
|
#
160164 |
|
07-Jul-2006 |
mlaier |
Make in-kernel multicast protocols for pfsync and carp work after enabling dynamic resizing of multicast membership array.
Reported and testing by: Maxim Konovalov, Scott Ullrich Reminded by: thompsa MFC after: 2 weeks
|
#
159656 |
|
16-Jun-2006 |
mlaier |
Fix pfsync w/o carp compilation.
Submitted by: yar
|
#
159603 |
|
14-Jun-2006 |
mlaier |
Fix byteorder of syncpeer and make it actually work.
Submitted by: glebius MFC after: 1 week
|
#
153110 |
|
05-Dec-2005 |
ru |
Fix -Wundef warnings found when compiling i386 LINT, GENERIC and custom kernels.
|
#
152209 |
|
08-Nov-2005 |
thompsa |
Move the cloned interface list management in to if_clone. For some drivers the softc lists and associated mutex are now unused so these have been removed.
Calling if_clone_detach() will now destroy all the cloned interfaces for the driver and in most cases is all thats needed to unload.
Idea by: brooks Reviewed by: brooks
|
#
151266 |
|
12-Oct-2005 |
thompsa |
Change the reference counting to count the number of cloned interfaces for each cloner. This ensures that ifc->ifc_units is not prematurely freed in if_clone_detach() before the clones are destroyed, resulting in memory modified after free. This could be triggered with if_vlan.
Assert that all cloners have been destroyed when freeing the memory.
Change all simple cloners to destroy their clones with ifc_simple_destroy() on module unload so the reference count is properly updated. This also cleans up the interface destroy routines and allows future optimisation.
Discussed with: brooks, pjd, -current Reviewed by: brooks
|
#
149982 |
|
11-Sep-2005 |
mlaier |
Stop leaking a lock. This used to cause a propagate_priority() page fault when setting syncdev and syncpeer.
Reported by: Dominic Marks
|
#
148891 |
|
09-Aug-2005 |
mlaier |
Wrap the new world order in __FreeBSD__ to ease future imports.
|
#
148887 |
|
09-Aug-2005 |
rwatson |
Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and IFF_DRV_RUNNING, as well as the move from ifnet.if_flags to ifnet.if_drv_flags. Device drivers are now responsible for synchronizing access to these flags, as they are in if_drv_flags. This helps prevent races between the network stack and device driver in maintaining the interface flags field.
Many __FreeBSD__ and __FreeBSD_version checks maintained and continued; some less so.
Reviewed by: pjd, bz MFC after: 7 days
|
#
148015 |
|
14-Jul-2005 |
mlaier |
Export pfsyncstats via sysctl "net.inet.pfsync" in order to print them with netstat (seperate commit).
Requested by: glebius MFC after: 1 week
|
#
147614 |
|
26-Jun-2005 |
mlaier |
Properly initialize ifq_maxlen for the defered send queue and make it actually work. Also use the right semantics for IF_HANDOFF to get correct stats.
Reported and tested by: Sascha Luck <sascha at c4inet dot net> Approved by: re (blanket)
|
#
147321 |
|
12-Jun-2005 |
mlaier |
Mark pf callouts as NET_MPSAFE.
Requested by: yongari (serveral times) Approved by: re (blanket) MFC after: 1 week
|
#
147261 |
|
10-Jun-2005 |
mlaier |
Defer ip_output of pfsync updates to an independent callout thread instead of just dropping the lock around the ip_output call. This used to cause corrupted state tree walks for some call-paths.
In a second stage all callouts will be marked MPSAFE according to the setting of mpsafenet.
Reported and tested by: Matthew Grooms <mgrooms at seton dot org> MFC after: 3 days X-MFC after: Marking callouts MPSAFE + 1 week
|
#
147256 |
|
10-Jun-2005 |
brooks |
Stop embedding struct ifnet at the top of driver softcs. Instead the struct ifnet or the layer 2 common structure it was embedded in have been replaced with a struct ifnet pointer to be filled by a call to the new function, if_alloc(). The layer 2 common structure is also allocated via if_alloc() based on the interface type. It is hung off the new struct ifnet member, if_l2com.
This change removes the size of these structures from the kernel ABI and will allow us to better manage them as interfaces come and go.
Other changes of note: - Struct arpcom is no longer referenced in normal interface code. Instead the Ethernet address is accessed via the IFP2ENADDR() macro. To enforce this ac_enaddr has been renamed to _ac_enaddr. - The second argument to ether_ifattach is now always the mac address from driver private storage rather than sometimes being ac_enaddr.
Reviewed by: sobomax, sam
|
#
145836 |
|
03-May-2005 |
mlaier |
Resolve conflicts created during the import of pf 3.7 Some features are missing and will be implemented in a second step. This is functional as is.
Tested by: freebsd-pf, pfsense.org Obtained from: OpenBSD X-MFC after: never (breaks API/ABI)
|
#
141584 |
|
09-Feb-2005 |
mlaier |
Access softc embedded struct ifnet via function macro to make it easier to untangle struct ifnet and softc/arpcom in the future.
Requested by: brooks
|
#
138666 |
|
10-Dec-2004 |
mlaier |
Compile pfsync w/o bpf.
Noticed by: "Jayel Villamin" <jarthel operamail com>
|
#
135196 |
|
14-Sep-2004 |
mlaier |
Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is save to call if_attachdomain from if_attach() (as done for if_loop.c). We will now end up with a properly initialized if_afdata array and the nd6 callout will no longer try to deref a NULL pointer.
Still this is a temp workaround and the locking for if_afdata should be revisited at a later point.
Requested by: rwatson Discussed with and tested by: yongari (a while ago) PR: kern/70393 MFC after: 5 days
|
#
133720 |
|
14-Aug-2004 |
dwmalone |
Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD have already done this, so I have styled the patch on their work:
1) introduce a ip_newid() static inline function that checks the sysctl and then decides if it should return a sequential or random IP ID.
2) named the sysctl net.inet.ip.random_id
3) IPv6 flow IDs and fragment IDs are now always random. Flow IDs and frag IDs are significantly less common in the IPv6 world (ie. rarely generated per-packet), so there should be smaller performance concerns.
The sysctl defaults to 0 (sequential IP IDs).
Reviewed by: andre, silby, mlaier, ume Based on: NetBSD MFC after: 2 months
|
#
132767 |
|
28-Jul-2004 |
kan |
Initialize s variable early to shut up GCC warnings. Do not declare inline functions without body as this is useless in general and generates a warning with GCC 3.4.x.
Glanced over by: dhartmei
|
#
130933 |
|
22-Jun-2004 |
brooks |
Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch]. - Locked struct if_clone. [1] - Add a per-cloner match function rather then simply matching names of the form <name><unit> and <name>. - Use the match function to allow creation of <interface>.<tag> vlan interfaces. The old way is preserved unchanged! - Also the match function to allow creation of stf(4) interfaces named stf0, stf, or 6to4. This is the only major user visible change in that "ifconfig stf" creates the interface stf rather then stf0 and does not print "stf0" to stdout. - Allow destroy functions to fail so they can refuse to delete interfaces. Currently, we forbid the deletion of interfaces which were created in the init function, particularly lo0, pflog0, and pfsync0. In the case of lo0 this was a panic implementation so it does not count as a user visiable change. :-) - Since most interfaces do not need the new functionality, an family of wrapper functions, ifc_simple_*(), were created to wrap old style cloner functions. - The IF_CLONE_INITIALIZER macro is replaced with a new incompatible IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE instead.
Submitted by: Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1] Reviewed by: andre, mlaier Discussed on: net
|
#
130613 |
|
16-Jun-2004 |
mlaier |
Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings: - Atomic commits of ruleset changes (reduce the chance of ending up in an inconsistent state). - A 30% reduction in the size of state table entries. - Source-tracking (limit number of clients and states per client). - Sticky-address (the flexibility of round-robin with the benefits of source-hash). - Significant improvements to interface handling. - and many more ...
|
#
130475 |
|
14-Jun-2004 |
mlaier |
Remove some more leftover from the old pfaltq_module hack to allow for kernels w/ pf, but w/o altq.
Reported-by: Xin LI
|
#
129907 |
|
31-May-2004 |
mlaier |
"Get rid of the nested include of <sys/module.h> from <sys/kernel.h>" or better do no longer depend on it.
Requested-by: phk Approved-by: bms(mentor)
|
#
128209 |
|
13-Apr-2004 |
brooks |
Staticize <if>_clone_{create,destroy} functions.
Reviewed by: mlaier
|
#
127145 |
|
17-Mar-2004 |
mlaier |
Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdef
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the hooks in the kernel this was missed during the merge from the port.
Noticed by: Amir S. (for the HOOK_HACK part) Approved by: bms(mentor)
|
#
126812 |
|
10-Mar-2004 |
mlaier |
Remove `$Name$' leftovers from the port version reporting.
Noticed by: Craig Rodrigues Approved by: bms(mentor)
|
#
126261 |
|
26-Feb-2004 |
mlaier |
Bring diff from the security/pf port. This has code been tested as a port for a long time and is run in production use. This is the code present in portversion 2.03 with some additional tweaks.
The rather extensive diff accounts for: - locking (to enable pf to work with a giant-free netstack) - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off - conversion from pool(9) to zone(9) - api differences etc.
Approved by: bms(mentor) (in general)
|
#
126259 |
|
26-Feb-2004 |
mlaier |
This commit was generated by cvs2svn to compensate for changes in r126258, which included commits to RCS files with non-trunk default branches.
|
#
126258 |
|
26-Feb-2004 |
mlaier |
Vendor import of OpenBSD's packet filter (pf) as of OpenBSD 3.4
Approved by: bms(mentor), core (in general)
|