- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Use getnameinfo(3) instead of gethostbyaddr(3) or inet_ntop(3).

- Fill sin6_scope_id from in6p.sin6_addr.s6_addr[2]. struct inpcb has
struct in6_addr for the endpoint addresses, so sin6_scope_id must be filled.

Remove the large part of struct ipsecstat. Only few fields of this
structure is used, but they already have equal fields in the struct
newipsecstat, that was introduced with FAST_IPSEC and then was merged
together with old ipsecstat structure.

This fixes kernel stack overflow on some architectures after migration
ipsecstat to PCPU counters.

Reported by: Taku YAMAMOTO, Maciej Milewski

Sweep unused nlist entries.

Sponsored by: Nginx, Inc.

Introduce new structure sfstat for collecting sendfile's statistics
and remove corresponding fields from struct mbstat. Use PCPU counters
and SFSTAT_INC() macro for update these statistics.

Discussed with: glebius

Add -F fibnum option to specify an FIB number for -r flag.

Migrate structs ahstat, espstat, ipcompstat, ipipstat, pfkeystat,
ipsec4stat, ipsec6stat to PCPU counters.

Migrate struct carpstats to PCPU counters.

Migrate structs ip6stat, icmp6stat and rip6stat to PCPU counters.

Migrate structs arpstat, icmpstat, mrtstat, pimstat and udpstat to PCPU
counters.

Use new macros to implement ipstat and tcpstat using PCPU counters.
Change interface of kread_counters() similar ot kread() in the netstat(1).

Prepare network statistics structures for migration to PCPU counters.
Use uint64_t as type for all fields of structures.

Changed structures: ahstat, arpstat, espstat, icmp6_ifstat, icmp6stat,
in6_ifstat, ip6stat, ipcompstat, ipipstat, ipsecstat, mrt6stat, mrtstat,
pfkeystat, pim6stat, pimstat, rip6stat, udpstat.

Discussed with: arch@

Replace hardcoded numbers. Also use interface-local scope name instead
of node-local.

Use kvm_counter_u64_fetch() to fix obtaining ipstat and tcpstat from
kernel core files.

Sponsored by: Nginx, Inc.

Merge from projects/counters: TCP/IP stats.

Convert 'struct ipstat' and 'struct tcpstat' to counter(9).

This speeds up IP forwarding at extreme packet rates, and
makes accounting more precise.

Sponsored by: Nginx, Inc.

Add forgotten .El

MFC with: r248112

Document netstat -Q flags meaning.

MFC after: 1 week

WARNS=6 compliance

Use pluralies() for "entry"/"entries".

Fill sin6_scope_id in sockaddr_in6 before passing it from the kernel to
userland via routing socket or sysctl. This eliminates the following
KAME-specific sin6_scope_id handling routine from each userland utility:

sin6.sin6_scope_id = ntohs(*(u_int16_t *)&sin6.sin6_addr.s6_addr[2]);

This behavior can be controlled by net.inet6.ip6.deembed_scopeid. This is
set to 1 by default (sin6_scope_id will be filled in the kernel).

Reviewed by: bz

Show the number of times we block waiting for mbufs.

Machines can stall out because mbufs are low, however sometimes we won't
see "requests denied", instead we see user land processes or kernel threads
blocking waiting for mbufs because they set M_WAIT. These consumers do not
see errors, only stalling.

Unfortunately until now, netstat did not export this information
so you could have experienced an mbuf shortage and have no way of
seeing it unless you happen to run netstat at the exact time of the
shortage and see "in use" = "max".

By exporting the number of times processes are blocked, we can
effectively see how often non-interrupt context threads are effectively
"denied".

MFC after: 2 weeks

Remove unused variable. Newer versions of gcc care.

Submitted by: Sascha Wildner <saw@online.de>
Approved by: cperciva
MFC after: 3 days

Merge the projects/pf/head branch, that was worked on for last six months,
into head. The most significant achievements in the new code:

o Fine grained locking, thus much better performance.
o Fixes to many problems in pf, that were specific to FreeBSD port.

New code doesn't have that many ifdefs and much less OpenBSDisms, thus
is more attractive to our developers.

Those interested in details, can browse through SVN log of the
projects/pf/head branch. And for reference, here is exact list of
revisions merged:

r232043, r232044, r232062, r232148, r232149, r232150, r232298, r232330,
r232332, r232340, r232386, r232390, r232391, r232605, r232655, r232656,
r232661, r232662, r232663, r232664, r232673, r232691, r233309, r233782,
r233829, r233830, r233834, r233835, r233836, r233865, r233866, r233868,
r233873, r234056, r234096, r234100, r234108, r234175, r234187, r234223,
r234271, r234272, r234282, r234307, r234309, r234382, r234384, r234456,
r234486, r234606, r234640, r234641, r234642, r234644, r234651, r235505,
r235506, r235535, r235605, r235606, r235826, r235991, r235993, r236168,
r236173, r236179, r236180, r236181, r236186, r236223, r236227, r236230,
r236252, r236254, r236298, r236299, r236300, r236301, r236397, r236398,
r236399, r236499, r236512, r236513, r236525, r236526, r236545, r236548,
r236553, r236554, r236556, r236557, r236561, r236570, r236630, r236672,
r236673, r236679, r236706, r236710, r236718, r237154, r237155, r237169,
r237314, r237363, r237364, r237368, r237369, r237376, r237440, r237442,
r237751, r237783, r237784, r237785, r237788, r237791, r238421, r238522,
r238523, r238524, r238525, r239173, r239186, r239644, r239652, r239661,
r239773, r240125, r240130, r240131, r240136, r240186, r240196, r240212.

I'd like to thank people who participated in early testing:

Tested by: Florian Smeets <flo freebsd.org>
Tested by: Chekaluk Vitaly <artemrts ukr.net>
Tested by: Ben Wilber <ben desync.com>
Tested by: Ian FREISLICH <ianf cloudseed.co.za>

Allow netstat to be build if INET is not defined in the kernel.
Thanks to Garrett Cooper for reporting the issue.

MFC after: 3 days
X-MFC: 238501

- Updated TOE support in the kernel.

- Stateful TCP offload drivers for Terminator 3 and 4 (T3 and T4) ASICs.
These are available as t3_tom and t4_tom modules that augment cxgb(4)
and cxgbe(4) respectively. The cxgb/cxgbe drivers continue to work as
usual with or without these extra features.

- iWARP driver for Terminator 3 ASIC (kernel verbs). T4 iWARP in the
works and will follow soon.

Build-tested with make universe.

30s overview
============
What interfaces support TCP offload? Look for TOE4 and/or TOE6 in the
capabilities of an interface:
# ifconfig -m | grep TOE

Enable/disable TCP offload on an interface (just like any other ifnet
capability):
# ifconfig cxgbe0 toe
# ifconfig cxgbe0 -toe

Which connections are offloaded? Look for toe4 and/or toe6 in the
output of netstat and sockstat:
# netstat -np tcp | grep toe
# sockstat -46c | grep toe

Reviewed by: bz, gnn
Sponsored by: Chelsio communications.
MFC after: ~3 months (after 9.1, and after ensuring MFC is feasible)

Eliminate an unused parameter of static method igmp_stats_live_old().

MFC after: 1 month

With pf 4.5 import the name of pfsync stats sysctl has changed, thus
'netstat -sp pfsync' got broken. Fix this.

After r232745, which makes sure __bswap16(), ntohs() and htons() return
__uint16_t, we can partially undo r228668.

Note the remark "Work around a clang false positive with format string
warnings and ntohs macros (see LLVM PR 11313)" was actually incorrect.

Before r232745, on some arches, the ntohs() macros did in fact return
int, not uint16_t, so clang was right in warning about the %hu format
string.

MFC after: 2 weeks

Define several extra macros in bsd.sys.mk and sys/conf/kern.pre.mk, to
get rid of testing explicitly for clang (using ${CC:T:Mclang}) in
individual Makefiles.

Instead, use the following extra macros, for use with clang:
- NO_WERROR.clang (disables -Werror)
- NO_WCAST_ALIGN.clang (disables -Wcast-align)
- NO_WFORMAT.clang (disables -Wformat and friends)
- CLANG_NO_IAS (disables integrated assembler)
- CLANG_OPT_SMALL (adds flags for extra small size optimizations)

As a side effect, this enables setting CC/CXX/CPP in src.conf instead of
make.conf! For clang, use the following:

CC=clang
CXX=clang++
CPP=clang-cpp

MFC after: 2 weeks

Merge multi-FIB IPv6 support from projects/multi-fibv6/head/:

Extend the so far IPv4-only support for multiple routing tables (FIBs)
introduced in r178888 to IPv6 providing feature parity.

This includes an extended rtalloc(9) KPI for IPv6, the necessary
adjustments to the network stack, and user land support as in netstat.

Sponsored by: Cisco Systems, Inc.
Reviewed by: melifaro (basically)
MFC after: 10 days

Don't print a warning when using netstat to print
SCTP statistics when there is not SCTP in the kernel.
This problem was reported by Sean Mahood.

MFC after: 1 week.

In ng_socket(4) expose less kernel internals to userland. This commit
breaks ABI, but makes probability of ABI breakage in future less.

Fix warning when compiling with gcc46:
error: variable 'ifnetfound' set but not used

Approved by: dim
MFC after: 3 days

Replace index() and rindex() calls with strchr() and strrchr().

The index() and rindex() functions were marked LEGACY in the 2001
revision of POSIX and were subsequently removed from the 2008 revision.
The strchr() and strrchr() functions are part of the C standard.

This makes the source code a lot more consistent, as most of these C
files also call into other str*() routines. In fact, about a dozen
already perform strchr() calls.

Spelling fixes for usr.bin/

o Convert IPv6 read-only stats sysctls to the read-write ones.
o Teach netstat(1) -z to reset these stats sysctls.

PR: bin/153206
Reviewed by: glebuis
Sponsored by: NGINX, Inc.
MFC after: 1 month

Revert r228650, and work around the clang false positive with printf
formats in usr.bin/netstat/atalk.c by conditionally adding NO_WFORMAT to
the Makefile instead.

MFC after: 1 week

In usr.bin/netstat/atalk.c, work around a clang false positive with
printf format warnings and conditional operators.

MFC after: 1 week

Fix the following bugs related to the SCTP support of netstat:
* Correctly handle -a.
* -A isn't supported.
* Show all closed 1-to-1 and 1-to-many style sockets.
* Show all listening 1-to-many style sockets.
* Use consistent formatting for -W.

PR: 150642
Approved by: re@
MFC after: 4 weeks.

Truncate link addresses like it is done for any
other address type.

MFC after: 4 weeks

Teach netstat(1) about the new global netisr policy sysctl,
net.isr.dispatch, and about per-protocol dispatch policies.

MFC after: 3 weeks
Reviewed by: bz
Sponsored by: Juniper Networks, Inc.

Fixed sockets display somewhat (-L, -T, -x, -Lx, with and without -A).
(I didn't try to fix negative TCP timers with -x.)

MFC after: 3 days

- Merge in OFED 1.5.3 from projects/ofed/head

Fix typo.

While printing out the WSID and CPU ID only the first time it appears for
each workstream, rather than on every protocol, is prettier, it makes
machine-parsing of netstat -Q output a lot harder. Repeat the information
and hope that the user forgives us slightly dense formatting.

MFC after: 3 days
Reported by: bz
Sponsored by: Juniper Networks

Fix off-by-one whitespace error in netstat -Q workstream listing.

Reported by: bz
MFC after: 3 days
Sponsored by: Juniper Networks

- Hide the internal scope address representation of the KAME IPv6
stack from the output of `netstat -ani'.
- The node-local multicast address in the output of `netstat -rn'
should be handled as well.

Spotted by: Bernd Walter <ticso__at__cicely7.cicely.de>

Remove the advertising clause from UCB copyrighted files in usr.bin. This
is in accordance with the information provided at
ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change

Also add $FreeBSD$ to a few files to keep svn happy.

Discussed with: imp, rwatson

Fix typo.

Restore the (state) and \n printout when not using -T.

Pointed out by: brucec@
MFC after: 3 weeks

When netstat was run with -i/-I and -w1 to produce running counters, the idrop
field printed an absolute value rather than the delta from the last value

Approved by: emaste (mentor)
MFC after: 1 week

Add new, per connection, statistics for TCP, including:
Retransmitted Packets
Zero Window Advertisements
Out of Order Receives

These statistics are available via the -T argument to
netstat(1).
MFC after: 2 weeks

Remove superfluous cast in usr.bin/netstat/sctp.c.

Found by: clang
Submitted by: Norberto Lopes, nlopes dot ml at gmail dot com
Approved by: rpaulo (mentor)

Show hostcache statistics.

Submitted by: Maxim Dounin

Remove more extraneous ;s.

Now fix functionality of 'netstat -f netgraph' that hasn't worked
starting from netgraph import in 1999.

netstat(8) used pointer to node as node address, oops. That didn't
work, we need the node ID in brackets to successfully address a node.
We can't look into ng_node, due to inability to include netgraph/netgraph.h
in userland code. So let the node make a hint for a userland, storing
the node ID in its private data.

MFC after: 2 weeks

Prefer vocabulary of 'Current' and 'Limit' to 'Value' and 'Maximum' in
netstat -Q.

MFC after: 6 days
Sponsored by: Juniper Networks

Teach netstat -Q to work with -N and -M by adding libkvm versions of data
query routines. This code is necessarily more fragile in the presence of
kernel changes than querying the kernel via sysctl (the default), but
useful when investigating crashes or live kernel state via firewire.

MFC after: 1 week
Sponsored by: Juniper Networks

Update date on netstat(1) for -Q.

Suggested by: bz
MFC after: 1 week

Teach netstat(1) to print out netisr statistics when given the -Q argument.
Currently supports only reporting on live systems via sysctl, kmem support
needs to be edded.

MFC after: 1 week
Sponsored by: Juniper Networks

Add a new option, -q howmany, which when used in conjuction with -w,
exits netstat after _howmany_ outputs.

Requested by: thomasa
Reviewed by: freebsd-net (bms, old version in early 2007)
MFC after: 1 month

Revert most part of 200420 as requested, as more review and polish is
needed.

Remove unneeded header includes from usr.bin/ except contributed code.

Tested with: make universe

Remove -t from the manpage and usage.

Unbreak user space after if_timer/if_watchdog removal in r199975.

Tested by: glebius

Add more statistics variables for IPcomp.

Try to version the struct in a backward compatible way.
People asked for the versioning of the stats structs in general before.

MFC after: 5 days

Add the possibility to show informations about dropped packets on the
input path when showing informations about the interfaces.

Obtained from: Sandvine Incorporated
Reviewed by: emaste
Sponsored by: Sandvine Incorporated
MFC: 2 weeks

Print routing statistics as unsigned short rather than unsigned int,
otherwise sign extension leads to unlikely values when in the negative
range of the signed short structure fields that hold the statistics.
The type used to hold routing statistics is arguably also incorrect.

MFC after: 3 days

netstat(1) support for UNIX SOCK_SEQPACKET sockets -- changes were required
only for the kvm case, as we supported SOCK_SEQPACKET via sysctl already.

Sponsored by: Google
MFC after: 3 months

In netstat -x, do not try to print out tcp timer status for udp sockets.

Add the ability to see TCP timers via netstat -x. This can be a useful
feature when you have a seemingly stuck socket and want to figure
out why it has not been closed yet.

No plans to MFC this, as it changes the netstat sysctl ABI.

Reviewed by: andre, rwatson, Eric Van Gyzen

Add ARP statistics to the kernel and netstat.

New counters now exist for:
requests sent
replies sent
requests received
replies received
packets received
total packets dropped due to no ARP entry
entrys timed out
Duplicate IPs seen

The new statistics are seen in the netstat command
when it is given the -s command line switch.

MFC after: 2 weeks
In collaboration with: bz

Add manual page links to advertise procstat(1) a little better.

Approved by: re (kib)

Implement the -z (zero counters) option for the various bpf counters.
Add necessary changes to the kernel for this (basically introduce a
bpf_zero_counters() function). As well, update the man page.

MFC after: 1 month
Discussed with: rwatson

Convert the two dimensional array to be malloced and introduce
an accessor function to get the correct rnh pointer back.

Update netstat to get the correct pointer using kvm_read()
as well.

This not only fixes the ABI problem depending on the kernel
option but also permits the tunable to overwrite the kernel
option at boot time up to MAXFIBS, enlarging the number of
FIBs without having to recompile. So people could just use
GENERIC now.

Reviewed by: julian, rwatson, zec
X-MFC: not possible

Add MLDv2 statistic IDs to netstat for IPv6 stack.

Bracket struct mfc and struct rtdetq with #ifdef _KERNEL.
Match the bracketing in netstat.
Since the cleanup of MROUTING, ports have broken because they
expect to include <netinet/ip_mroute.h> without including
<sys/queue.h>. Fix breakage at source.

The real fix, of course, is to fix the MROUTING APIs by blowing them
away and replacing them with something else...

Fix size_t merge-o.

Introduce a number of changes to the MROUTING code.
This is purely a forwarding plane cleanup; no control plane
code is involved.

Summary:
* Split IPv4 and IPv6 MROUTING support. The static compile-time
kernel option remains the same, however, the modules may now
be built for IPv4 and IPv6 separately as ip_mroute_mod and
ip6_mroute_mod.
* Clean up the IPv4 multicast forwarding code to use BSD queue
and hash table constructs. Don't build our own timer abstractions
when ratecheck() and timevalclear() etc will do.
* Expose the multicast forwarding cache (MFC) and virtual interface
table (VIF) as sysctls, to reduce netstat's dependence on libkvm
for this information for running kernels.
* bandwidth meters however still require libkvm.
* Make the MFC hash table size a boot/load-time tunable ULONG,
net.inet.ip.mfchashsize (defaults to 256).
* Remove unused members from struct vif and struct mfc.
* Kill RSVP support, as no current RSVP implementation uses it.
These stubs could be moved to raw_ip.c.
* Don't share locks or initialization between IPv4 and IPv6.
* Don't use a static struct route_in6 in ip6_mroute.c.
The v6 code is still using a cached struct route_in6, this is
moved to mif6 for the time being.
* More cleanup remains to be merged from ip_mroute.c to ip6_mroute.c.

v4 path tested using ports/net/mcast-tools.
v6 changes are mostly mechanical locking and *have not* been tested.
As these changes partially break some kernel ABIs, they will not
be MFCed. There is a lot more work to be done here.

Reviewed by: Pavlin Radoslavov

Correct a number of evolved problems with inp_vflag and inp_flags:
certain flags that should have been in inp_flags ended up in inp_vflag,
meaning that they were inconsistently locked, and in one case,
interpreted. Move the following flags from inp_vflag to gaps in the
inp_flags space (and clean up the inp_flags constants to make gaps
more obvious to future takers):

INP_TIMEWAIT
INP_SOCKREF
INP_ONESBCAST
INP_DROPPED

Some aspects of this change have no effect on kernel ABI at all, as these
are UDP/TCP/IP-internal uses; however, netstat and sockstat detect
INP_TIMEWAIT when listing TCP sockets, so any MFC will need to take this
into account.

MFC after: 1 week (or after dependencies are MFC'd)
Reviewed by: bz

Merge IGMPv3 and Source-Specific Multicast (SSM) to the FreeBSD
IPv4 stack.

Diffs are minimized against p4.
PCS has been used for some protocol verification, more widespread
testing of recorded sources in Group-and-Source queries is needed.
sizeof(struct igmpstat) has changed.

__FreeBSD_version is bumped to 800070.

Now that ifmcstat(8) does not suck, retire host-mode netstat -g.
This change will not be back-ported.

Remove the single global unlocked route cache ip6_forward_rt
from the inet6 stack along with statistics and make sure we
properly free the rt in all cases.

While the current situation is not better performance wise it
prevents panics seen more often these days.
After more inet6 and ipsec cleanup we should be able to improve
the situation again passing the rt to ip6_forward directly.

Leave the ip6_forward_rt entry in struct vinet6 but mark it
for removal.

PR: kern/128247, kern/131038
MFC after: 25 days
Committed from: Bugathon #6
Tested by: Denis Ahrens <denis@h3q.com> (different initial version)

o Respect -ss flags (suppress zero counters) for icmp6 "histogram
of error messages" section.

Submitted by: naddy
MFC after: 1 week

Fix usage() with SYNOPSIS.

Fix markup and spelling.

Fix crash with "netstat -m -N foo".

PR: bin/124724
MFC after: 3 days

o With -L flag show unix sockets listen queues stats. It is useful
to know number of not accepted connections for monitoring purposes.

PR: bin/128871
Submitted by: Anton Yuzhaninov
MFC after: 1 month

o Fix grammar.

PR: bin/129938
Submitted by: Bruce Cran

This main goals of this project are:
1. separating L2 tables (ARP, NDP) from the L3 routing tables
2. removing as much locking dependencies among these layers as
possible to allow for some parallelism in the search operations
3. simplify the logic in the routing code,

The most notable end result is the obsolescent of the route
cloning (RTF_CLONING) concept, which translated into code reduction
in both IPv4 ARP and IPv6 NDP related modules, and size reduction in
struct rtentry{}. The change in design obsoletes the semantics of
RTF_CLONING, RTF_WASCLONE and RTF_LLINFO routing flags. The userland
applications such as "arp" and "ndp" have been modified to reflect
those changes. The output from "netstat -r" shows only the routing
entries.

Quite a few developers have contributed to this project in the
past: Glebius Smirnoff, Luigi Rizzo, Alessandro Cerri, and
Andre Oppermann. And most recently:

- Kip Macy revised the locking code completely, thus completing
the last piece of the puzzle, Kip has also been conducting
active functional testing
- Sam Leffler has helped me improving/refactoring the code, and
provided valuable reviews
- Julian Elischer setup the perforce tree for me and has helped
me maintaining that branch before the svn conversion

Fix a printing problem when using the -L flag to netstat caused
by adding the -x flag earlier.

Submitted by: Anton Yuzhaninov
MFC after: 3 days

Use strlcpy() when we mean it.

add new build knobs and jigger some existing controls to improve
control over the result of buildworld and installworld; this especially
helps packaging systems such as nanobsd

Reviewed by: various (posted to arch)
MFC after: 1 month

Minimize changes CURRENT<->releng7.

Add ECN stats.

Fix build

Update the kernel to count the number of mbufs and clusters
(all types) used per socket buffer.

Add support to netstat to print out all of the socket buffer
statistics.

Update the netstat manual page to describe the new -x flag
which gives the extended output.

Reviewed by: rwatson, julian

Fix build.

Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)

Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.

From my notes:

-----

One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.

Constraints:
------------

I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.

One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".

One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.

This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.

Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.

To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.

The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.

The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.

In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.

One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).

You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.

This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.

Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.

Packets fall into one of a number of classes.

1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..

setfib -3 ping target.example.com # will use fib 3 for ping.

It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.

2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)

3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).

4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.

5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.

6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.

Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)

In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.

In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.

Early testing experience:
-------------------------

Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.

For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.

Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.

ipfw has grown 2 new keywords:

setfib N ip from anay to any
count ip from any to any fib N

In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.

SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.

Where to next:
--------------------

After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.

Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.

My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.

When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.

Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.

This work was sponsored by Ironport Systems/Cisco

PR:
Reviewed by: several including rwatson, bz and mlair (parts each)
Approved by:
Obtained from: Ironport systems/Cisco
MFC after:
Security:

Fixes typo's in sctp.c

Catch netstat up for the new bpf stats structures. Print 64 bit values
properly.

Sponsored by: Seccuris Inc
MFC after: 4 months

Change .8s port name restriction to .15s.
This change corresponds to inet.c 1.13.

MFC after: 1 week

Make netstat -rn more resilient to having the routing table change out from
under it while running. Note that this is still not perfect:
- Try to do something intelligent if kvm_read() fails to read a routing
table structure such as an rtentry, radix_node, or ifnet.
- Don't follow left and right node pointers in radix_nodes unless
RNF_ACTIVE is set in rn_flags. This avoids walking through freed
radix_nodes.

MFC after: 1 week

Change another argument and a variable both related to netname() to
be also 32-bit on all archs.

MFC after: 3 days

Fix netname() [1] and routename() on big-endian LP64 archs.

Submitted by: Yuri Pankov [1]
MFC after: 3 days

Add IFT_BRIDGE to the Ethernet section so l2 addresses are formatted correctly.

PR: bin/119542
Submitted by: Niki Denev

quiet compiler complaint about unused parameters

Make a few messages more consistant with the others.

more style(9)

style(9)
+ kread is not a boolean, so check it as such
+ fix $FreeBSD$ Ids
+ denote copyrights with /*-
+ misc whitespace changes.

Fix printing of the number of syncache entries added.

These are the things that the tinderbox has problems with because it
doesn't use the default CFLAGS which contain -fno-strict-aliasing.

Until the code is cleaned up, just add -fno-strict-aliasing to the
CFLAGS of these for the tinderboxes' sake, allowing the rest of the
tree to have -Werror enabled again.

Fix incorrect string formats for netstat/s

PR: 117175
Obtained from: Weongyo Jeong (weongyo.jeong@gmail.com)
MFC after: 1 week

- Netstat warning removal for 64 bit aware platforms.
Approved by: re@freebsd.org (B Mah)

- Fix typo in netstat's display of Nagle algorithm - refer to the RFC.

Submitted by: bruce@cran.org.uk
Approved by: re@freebsd.org (Bruce Mah)

Make tcpstates[] static, and make sure TCPSTATES is defined before
<netinet/tcp_fsm.h> is included into any compilation unit that needs
tcpstates[]. Also remove incorrect extern declarations and TCPDEBUG
conditionals. This allows kernels both with and without TCPDEBUG to
build, and unbreaks the tinderbox.

Approved by: re (rwatson)

Bah, fix a cosmetic nit and remove a debugging aid missed in the previous
fixes for netstat -M.

Pointy hat to: jhb
Approved by: re (kensmith)

Restore netstat -M functionality for most statistics on core dumps. In
general, when support was added to netstat for fetching data using sysctl,
no provision was left for fetching equivalent data from a core dump, and
in fact, netstat would _always_ fetch data from the live kernel using
sysctl even when -M was specified resulting in the user believing they
were getting data from coredumps when they actually weren't. Some specific
changes:
- Add a global 'live' variable that is true if netstat is running against
the live kernel and false if -M has been specified.
- Stop abusing the sysctl flag in the protocol tables to hold the protocol
number. Instead, the protocol is now its own field in the tables, and
it is passed as a separate parameter to the PCB and stat routines rather
than overloading the KVM offset parameter.
- Don't run PCB or stats functions who don't have a namelist offset if we
are being run against a crash dump (!live).
- For the inet and unix PCB routines, we generate the same buffer from KVM
that the sysctl usually generates complete with the header and trailer.
- Don't run bpf stats for !live (before it would just silently always run
live).
- kread() no longer trashes memory when opening the buffer if there is an
error on open and the passed in buffer is smaller than _POSIX2_LINE_MAX.
- The multicast routing code doesn't fallback to kvm on live kernels if
the sysctl fails. Keeping this made the code rather hairy, and netstat
is already tied to the kernel ABI anyway (even when using sysctl's since
things like xinpcb contain an inpcb) so any kernels this is run against
that have the multicast routing stuff should have the sysctls.
- Don't try to dig around in the kernel linker in the netgraph PCB routine
for core dumps.

Other notes:
- sctp's PCB routine only works on live kernels, it looked rather
complicated to generate all the same stuff via KVM. Someone can always
add it later if desired though.
- Fix the ipsec removal bug where N_xxx for IPSEC stats weren't renumbered.
- Use sysctlbyname() everywhere rather than hardcoded mib values.

MFC after: 1 week
Approved by: re (rwatson)

Commit IPv6 support for FAST_IPSEC to the tree.
This commit includes all remaining changes for the time being including
user space updates.

Submitted by: bz
Approved by: re

o style(9) nit.
o shorten explainations which are over 80 columns in console.
o group rows
o clean up and change explanations a little bit.
Obtained from: weongyo.jeong@gmail.com

- Forced commit to update who actually did this code (I forgot
the obtained from in the original line)
Obtained from: Weongyo Jeong (weongyo.jeong@gmail.com)

sctp_process_inpcb() wants an offset parameter in size_t,
so define it as what it is expected. This fixes WARNS=3
without NO_WERROR build.

Import rewrite of IPv4 socket multicast layer to support source-specific
and protocol-independent host mode multicast. The code is written to
accomodate IPv6, IGMPv3 and MLDv2 with only a little additional work.

This change only pertains to FreeBSD's use as a multicast end-station and
does not concern multicast routing; for an IGMPv3/MLDv2 router
implementation, consider the XORP project.

The work is based on Wilbert de Graaf's IGMPv3 code drop for FreeBSD 4.6,
which is available at: http://www.kloosterhof.com/wilbert/igmpv3.html

Summary
* IPv4 multicast socket processing is now moved out of ip_output.c
into a new module, in_mcast.c.
* The in_mcast.c module implements the IPv4 legacy any-source API in
terms of the protocol-independent source-specific API.
* Source filters are lazy allocated as the common case does not use them.
They are part of per inpcb state and are covered by the inpcb lock.
* struct ip_mreqn is now supported to allow applications to specify
multicast joins by interface index in the legacy IPv4 any-source API.
* In UDP, an incoming multicast datagram only requires that the source
port matches the 4-tuple if the socket was already bound by source port.
An unbound socket SHOULD be able to receive multicasts sent from an
ephemeral source port.
* The UDP socket multicast filter mode defaults to exclusive, that is,
sources present in the per-socket list will be blocked from delivery.
* The RFC 3678 userland functions have been added to libc: setsourcefilter,
getsourcefilter, setipv4sourcefilter, getipv4sourcefilter.
* Definitions for IGMPv3 are merged but not yet used.
* struct sockaddr_storage is now referenced from <netinet/in.h>. It
is therefore defined there if not already declared in the same way
as for the C99 types.
* The RFC 1724 hack (specify 0.0.0.0/8 addresses to IP_MULTICAST_IF
which are then interpreted as interface indexes) is now deprecated.
* A patch for the Rhyolite.com routed in the FreeBSD base system
is available in the -net archives. This only affects individuals
running RIPv1 or RIPv2 via point-to-point and/or unnumbered interfaces.
* Make IPv6 detach path similar to IPv4's in code flow; functionally same.
* Bump __FreeBSD_version to 700048; see UPDATING.

This work was financially supported by another FreeBSD committer.

Obtained from: p4://bms_netdev
Submitted by: Wilbert de Graaf (original work)
Reviewed by: rwatson (locking), silence from fenner,
net@ (but with encouragement)

Backout mess mistakenly committed with manpage update.

Document SCTP support.

Adds support for SCTP.

'netstat -A -p tcp' doesn't print the Socket but the Tcpcb pointer in the
first column.

o Fill the list of icmp types; make its size depend on ICMP_MAXTYPE.
o Print "unknown ICMP" instead of "(null)" if we don't have a description for a icmp type.

Based on code

Submitted by: Christoph Weber-Fahr
PR: misc/112126
MFC after: 2 weeks

Mark netstat -g host-mode output as deprecated.

MFC after: 2 weeks

Fixing NO_INET6 build as addr2ascii() has been nuked in previous commit.

stub call to addr2ascii().

Noticed by: brooks

Nuke ascii2addr() and addr2ascii(). They have no consumers anywhere
in FreeBSD, and originated from INRIA IPv6.

Stub out netstat reference to addr2ascii() I mistakenly introduced.
Update misleading man page sections.

Merge NetBSD's getnameinfo() AF_LINK extensions for a portable way to
print link-layer addresses given a sockaddr_dl(), minus the IEEE 1394
bits which don't map directly to our code.

Obtained from: NetBSD (getnameinfo.c)
Discussed on: current (March 2006)

Fixed some style bugs (whitespace lossage for removal of __P(()), and
lots of naming and typing errors involving `interval').

Use a periodic itimer instead of repeated calls to alarm() in
sidewaysintpr(). This increases the accuracy of the per-interval
counts when they are interpreted as rates. Repeated calls to alarm(n)
give an average interval that is about 2 ticks larger than n and has
a large variance. Periodic itimers normally get the average almost
right but have similarly large variance (due to scheduling delays).

Statistics utilities should use clock_gettime() to determine the
actual interval, but it is still useful to maximize the accuracy of
the interval, especially for cases like netstat -w where counts are
displayed so the program cannot hide the inaccuracy in a rate
conversion.

Reap FIN_WAIT_2 connections marked SOCANTRCVMORE faster. This mitigate
potential issues where the peer does not close, potentially leaving
thousands of connections in FIN_WAIT_2. This is controlled by a new sysctl
fast_finwait2_recycle, which is disabled by default.

Reviewed by: gnn, silby.

Add three new ioctl(2) commands for bpf(4).

- BIOCGDIRECTION and BIOCSDIRECTION get or set the setting determining
whether incoming, outgoing, or all packets on the interface should be
returned by BPF. Set to BPF_D_IN to see only incoming packets on the
interface. Set to BPF_D_INOUT to see packets originating locally and
remotely on the interface. Set to BPF_D_OUT to see only outgoing
packets on the interface. This setting is initialized to BPF_D_INOUT
by default. BIOCGSEESENT and BIOCSSEESENT are obsoleted by these but
kept for backward compatibility.

- BIOCFEEDBACK sets packet feedback mode. This allows injected packets
to be fed back as input to the interface when output via the interface is
successful. When BPF_D_INOUT direction is set, injected outgoing packet
is not returned by BPF to avoid duplication. This flag is initialized to
zero by default.

Note that libpcap has been modified to support BPF_D_OUT direction for
pcap_setdirection(3) and PCAP_D_OUT direction is functional now.

Reviewed by: rwatson

Use sysctl(2), not kvm(3), to read IPv6 multicast information from
the running system.
Use the name 'IPv6 Forwarding Table', not 'IPv6 Routing Table', to be
consistent with what the code actually does and is.

Use the names 'IPv4' and 'Forwarding Table' in program output, not
'Routing Table', to be consistent with what the code actually does and is.

Add comments about where netstat is using KVM to read things which
should really be available via sysctl for a running system.

Update host-mode multicast group information output.
Display IPv4 and IPv6 memberships separately.
Obey the MK_INET6_SUPPORT flag.
Display link-layer memberships.
Use addr2ascii() to correctly print non-IEEE 802 sockaddr_dl instances.
Eliminate redundant switch..case blocks.
Update copyright.
Misc style changes.

MFC after: 3 weeks

Change wording of warnings when there is no ip_mroute.ko module
loaded into the system.
Change wording of comments to reflect the fact we should unconditionally
use KVM if the -M option is used to specify a core file.
Add comments to document the fact that IPv6 multicast forwarding
information display still relies on KVM for gathering information.

Retire most of the classful network behaviour of netstat -r output, for IPv4.

Without -n, we now only print a "network name" without the prefix length
under the following conditions:
1) the network address and mask matches a classful network prefix;
2) getnetbyaddr(3) returns a network name for this network address.

With -n, we unconditionally print the full unabbreviated CIDR network
prefix in the form "a.b.c.d/p". 0.0.0.0/0 is still printed as "default".

This change is in preparation for changes such as equal-cost multipath, and
to more generally assist operational deployment of FreeBSD as a modern IPv4
router. There are currently no plans to backport this change.

Discussed on: freebsd-net

Don't shadow globals.

Found by: WARNS=6
MFC after: 3 days

We should return the name in cp, not printf it.

Found by: WARNS=6
MFC after: 3 days

Don't always print a space character in show_stat(), since a space
shouldn't be printed after the last column. This restores the
formatting to 79 columns.

Nits.

Submitted by: ru

Push removal of mrouted down to the rest of the tree.

Markup fixes.

Export tcps_rcvmemdrop available in 'struct tcpstat' with netstat(1).

Requested by: Tomasz Pilat <tomasz.pilat (at) axelspringer.pl>
Approved by: andre

- Achieve WARNS=3 by using sparse initializers or avoiding initializers at all.
- Fix a nlist initialization: it should be terminated by a NULL entry.
- Constify.
- Catch an unused parameter.

Tested on: i386 amd64 ia64

Achieve WARNS=2 by using uintmax_t to pass around 64-bit quantities,
including to printf(). Using uintmax_t is also robust to further
extensions in both the C language and the bitwidth of kernel counters.

Tested on: i386 amd64 ia64

Both fields of struct timeval are of a non-basic type,
so we should cast them to a type printf() knows about.

Avoid useless work: Do not build inet6.c if INET6 support is off.
This also avoids pretending that netstat includes inet6.c in the
output from ident(1).

Not having ipv6 in your kernel is not an error and should not be reported.
MFC after: 1 week

Since kernel & userland use different timebase and netstat is reading kernel
memory directly, we should do timebase conversion for route lifetime.

Approved by: glebius (mentor)

Reimplementation of world/kernel build options. For details, see:

http://lists.freebsd.org/pipermail/freebsd-current/2006-March/061725.html

The src.conf(5) manpage is to follow in a few days.

Brought to you by: imp, jhb, kris, phk, ru (all bugs are mine)

Improved description for packet zone statistics.

Sponsored by: TCP/IP Optimization Fundraise 2005
MFC after: 3 days

Print statistics on mbuf+clusters in packet zone.

Sponsored by: TCP/IP Optimization Fundraise 2005
MFC after: 3 days

Print statistics on jumbo mbuf clusters.

Sponsored by: TCP/IP Optimization Fundraise 2005
MFC after: 3 days

Sort sfbuf allocation counters with other sfbuf information.

MFC after: 3 days

Un-#if 0 the printing of allocation failure counts for mbufs, clusters,
and packets in netstat -m.

MFC after: 3 days

Add support for printing IPSEC protocol stats if the kernel was compiled
with FAST_IPSEC rather than the KAME IPSEC stack.

Note that the output of "netstat -s -p ipsec" differs depending on which
stack is compiled into the kernel since they each keep different stats.
This delta also adds the "esp", "ah", and "ipcomp" protocol stats, which
are also available when the kernel is compiled with the FAST_IPSEC stack
(e.g. "netstat -s -p esp").

Submitted by: Matt Titus <titus at nttmcl dot com>
MFC after: 3 days

Provide some basic documentation explaining what the bpf(4) flags are
supposed to mean. Also, add an external references for bpf now that we
reference flags from that man page.

Remove two lines of debugging output that accidentally snuck into the
commit to fix up kvm support for netstat -m.

-mdoc sweep.

Modify netstat -mb to use libmemstat when accessing a core dump or live
kernel memory and not using sysctl. Previously, libmemstat was used
only for the live kernel via sysctl paths.

This results in netstat output becoming both more consistent between
core dumps and the live kernel, and also more information in the core
dump case than previously (i.e., mbuf cache information).

Statistics relating to sfbufs still rely on a kvm descriptor as they
are not currently exposed via libmemstat. netstat -m operating on a
core is still unable to print certain sfbuf stats available on the live
kernel.

MFC after: 1 week

Align output.

Fix obvious copy'n'paste-O in rev.1.36 While here nit style.

PR: bin/87783
Submitted by: Mats Palmgren
MFC after: 1 week

Remove bridge(4) from the tree. if_bridge(4) is a full functional
replacement and has additional features which make it superior.

Discussed on: -arch
Reviewed by: thompsa
X-MFC-after: never (RELENG_6 as transition period)

- Print space character in show_stat(). Remove a lot of priuntf(" ").
- Utilize show_stat() in sidewaysintpr() loop. This makes periodic
statistics to honor -h flag.

Use is '-' to imply that the flag is not set, rather than '.'.

Print a warning if we fail to retrieve the process name for any reason.

If there are'nt any bpf descriptors to process than dont bother attempting to
retrieve statistic information for them.

Pointed out by: Pawel Worach < pawel.worach at gmail.com >

Free the bpf descriptor array after we are done with it. This probably isnt
that critical as the program exits after this point anyway, but this may
not always be the case.

Update usage to reflect the new option.

Pointed out by: ru

Merge bpfstat's functionality into the netstat(1) utility. This adds
a -B option which causes bpf peers to be printed. This option can be
used in conjunction with -I if information about specific interfaces
is desired. This is similar to what NetBSD added to their version of
netstat.

$ netstat -B
Pid Netif Flags Recv Drop Match Sblen Hblen Command
1137 lo0 p--s-- 0 0 0 0 0 tcpdump
205 sis0 -ifs-l 37331 0 1 0 0 dhclient
$

$ netstat -I lo0 -B
Pid Netif Flags Recv Drop Match Sblen Hblen Command
1174 lo0 p--s-- 0 0 0 0 0 tcpdump
$

-Add bpf.c which stores all the code for retrieving and parsing bpf
related statistics.
-Modify main.c to add support for the -B option and hook it into the
program logic.
-Add bpf.c to the build.
-Document this new functionality in the man page and bump the revision
date.
-Add prototype for bpf_stats function.

List -W as one of the meaningful options to the -i (interfaces)
display of netstat(1).

MFC after: 3 days

Bail if interface is misspelled instead of falling out into the
"all interfaces" mode. (Only works with -w, but still better
than nothing.)

Add a new switch -h for interface stats mode, which prints all interface
statistics in human readable form.

In collaboration with: vsevolod
Reviewed by: cperciva

Don't include -lipx twice.

Make IPX support depend on NO_IPX

Since libmemstat(3) now supports its own error management mechanism,
use that instead of trying to use errno, in order to produce a
sensible error message.

MFC after: 1 day

Modify "netstat -mb" to use libmemstat(3) when acting on a live system,
with a number of positive benefits:

- Start using UMA(9) statistics for mbufs and clusters, which avoids
using the mbuf allocator statistics which suffer from races under
load on SMP. This should eliminate "negative" mbuf counts in
netstat -mb.

- We are now able to track cached (free) mbufs and clusters and count
it towards memory allocated by the network stack.

- We are now also able to track memory allocated to mbuf tags since
libmemstat(3) can also query malloc(9). We don't print this except
as part of the total (for now - #if 0).

- We are now able to track mbuf/cluster/packet allocation failures,
although they are not currently printed (#if 0).

- Don't print out sfbuf statistics when running on a kernel core, as
currently that code is able only to query sysctl for statistics.

MFC after: 1 week

Print newly exported pfsync statistics with netstat(8).

Requested by: glebius
MFC after: 1 week

NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.

Silence a warning on systems without carp(4).

Add limits on the number of elements in the sack scoreboard both
per-connection and globally. This eliminates potential DoS attacks
where SACK scoreboard elements tie up too much memory.

Submitted by: Raja Mukerji (raja at moselle dot com).
Reviewed by: Mohan Srinivasan (mohans at yahoo-inc dot com).

Add CARP (Common Address Redundancy Protocol), which allows multiple
hosts to share an IP address, providing high availability and load
balancing.

Original work on CARP done by Michael Shalayeff, with many
additions by Marco Pfatschbacher and Ryan McBride.

FreeBSD port done solely by Max Laier.

Patch by: mlaier
Obtained from: OpenBSD (mickey, mcbride)

According to style.Makefile(5):
WARNS?= should appear before CFLAGS

Reviewed by: ru

Make sure that we don't define INET6 when NO_INET6 is defined.
Without this change, when running netstat with a kernel without
INET6 built in, you will get a complain at the end of "netstat -s"
output.

X-MFC: NO_INET6 was called "NOINET6" on RELENG_5

evise use of queue(9) macros for netipx when used from userspace:
LIST_FOREACH() is difficult to use correctly, so don't try to.

Apply a simplifying patch submitted by rik to the IPX support in
netstat(1):

- Make previously unnecessarily global variables local.
- Use LIST_FOREACH() in preference to manual iteration.
- Restore a sanity check through slightly incestuous use of queue macro
knowledge.

Submitted by: rik

Update netstat(1) for recent conversion of netipx to queue(9) from
home-brew linked lists. Read in the ipxpcb_list structure first in
order to find the first pcb pointer. Then follow the chain as
before, only the termination condition is a NULL next pointer
rather than a next pointer equal to the original offset.

For variables that are only checked with defined(), don't provide
any fake value.

-c flag (cache stats) was killed in rev. 1.68. Fix getopt(3) and
usage() accordingly.

Submitted by: Pawel Worach

Print link level address on vlan interfaces using ether_ntoa(), to make
output on bare ethernet and vlan interfaces the same.

PR: bin/69674
Submitted by: Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
Reviewed by: ru
Approved by: julian (mentor)
MFC after: 1 week

Use the length modifier 'll' instead of 'q' to print long longs.

Add __FBSDID. Replace local variable sin by sockin to not conflict with sin(3).
Use warnx() instead of warn() when error message is not of any interest. Add
prototypes.

Add SACK statistics to netstat.

Make netstat(1) more closely follow documented behaviour. If a TCP
socket in LISTEN state happens to be bound to an interface, it will
show up in netstat(1) output even without the -a switch.

As the definition of "sockets used by server processes" is a
difficult one to qualify with regards to UDP, do not change the
output behaviour for UDP sockets.

PR: bin/26359

Add missing dot and newline in a message.

Submitted by: Igor Sysoev <is (at) rambler-co.ru>
MFC after: 3 days

Bring in mbuma to replace mballoc.

mbuma is an Mbuf & Cluster allocator built on top of a number of
extensions to the UMA framework, all included herein.

Extensions to UMA worth noting:
- Better layering between slab <-> zone caches; introduce
Keg structure which splits off slab cache away from the
zone structure and allows multiple zones to be stacked
on top of a single Keg (single type of slab cache);
perhaps we should look into defining a subset API on
top of the Keg for special use by malloc(9),
for example.
- UMA_ZONE_REFCNT zones can now be added, and reference
counters automagically allocated for them within the end
of the associated slab structures. uma_find_refcnt()
does a kextract to fetch the slab struct reference from
the underlying page, and lookup the corresponding refcnt.

mbuma things worth noting:
- integrates mbuf & cluster allocations with extended UMA
and provides caches for commonly-allocated items; defines
several zones (two primary, one secondary) and two kegs.
- change up certain code paths that always used to do:
m_get() + m_clget() to instead just use m_getcl() and
try to take advantage of the newly defined secondary
Packet zone.
- netstat(1) and systat(1) quickly hacked up to do basic
stat reporting but additional stats work needs to be
done once some other details within UMA have been taken
care of and it becomes clearer to how stats will work
within the modified framework.

From the user perspective, one implication is that the
NMBCLUSTERS compile-time option is no longer used. The
maximum number of clusters is still capped off according
to maxusers, but it can be made unlimited by setting
the kern.ipc.nmbclusters boot-time tunable to zero.
Work should be done to write an appropriate sysctl
handler allowing dynamic tuning of kern.ipc.nmbclusters
at runtime.

Additional things worth noting/known issues (READ):
- One report of 'ips' (ServeRAID) driver acting really
slow in conjunction with mbuma. Need more data.
Latest report is that ips is equally sucking with
and without mbuma.
- Giant leak in NFS code sometimes occurs, can't
reproduce but currently analyzing; brueffer is
able to reproduce but THIS IS NOT an mbuma-specific
problem and currently occurs even WITHOUT mbuma.
- Issues in network locking: there is at least one
code path in the rip code where one or more locks
are acquired and we end up in m_prepend() with
M_WAITOK, which causes WITNESS to whine from within
UMA. Current temporary solution: force all UMA
allocations to be M_NOWAIT from within UMA for now
to avoid deadlocks unless WITNESS is defined and we
can determine with certainty that we're not holding
any locks when we're M_WAITOK.
- I've seen at least one weird socketbuffer empty-but-
mbuf-still-attached panic. I don't believe this
to be related to mbuma but please keep your eyes
open, turn on debugging, and capture crash dumps.

This change removes more code than it adds.

A paper is available detailing the change and considering
various performance issues, it was presented at BSDCan2004:
http://www.unixdaemons.com/~bmilekic/netbuf_bmilekic.pdf
Please read the paper for Future Work and implementation
details, as well as credits.

Testing and Debugging:
rwatson,
brueffer,
Ketrien I. Saihr-Kesenchedra,
...
Reviewed by: Lots of people (for different parts)

Bumped document date.
Fixed the grammar nit.

Output style nit.

Add the bad reset statistic (corresponds to tcp_input.c rev 1.235)

Replace ROUNDUP/ADVANCE with SA_SIZE

Show link-level multicast packet counters with the -a option.

Fixed alignment of multicast addresses when printing that got
broken in previous revision.

Sort SRCS in Makefile and document -g option additions.

Nudged by: ru

Output style: Get rid of an unnecessary newline.

Teach netstat(1) how to print the multicast group memberships present
within the running system.

Sponsored by: Ralf the Wonder Llama

More cleanups:

- 0 should have been -1 in previous commit (just to stay consistent),
- Spell null pointers as NULL, not 0,
- Fixed the comment about pr_usesysctl to not confuse it with boolean.

Pointed by: bde

NULL -> 0.

Do not print a warning about net.inet.pim.stats if errno is
ENOENT, because that means we do not have PIM in the kernel.

Submitted by: hmp
MFC after: 1 week

Fixed misspellings of 0 as NULL.

printed statistics about source address selection rules.

Obtained from: KAME

stops program if kvm_read fails.

Obtained from: KAME

- support hmac-ripemd160.
- support AES XCBC MAC/AES counter mode.

Obtained from: KAME

print stats on SPD cache lookups.

Obtained from: KAME

- %d is 12 chars, not 10. use NI_MAX* where appropriate.
- goodbye RC5.
- use %llu directly.
- KNF.

Obtained from: KAME

Use floating point instead of unsigned long longs in percentage
calculations. Long longs should never be used, since they break compiling
with C90 compilers and don't necessarily work any better than longs for
avoiding overflow.

Print percentages with another digit of precision since they can be small
and this is easy to do now that the format is floating point.

Restored some more of the old -m output:
Print the percentage of allocated memory that is in use. This is the
amount of memory in active mbufs and mbuf clusters relative to the
total amount of memory soft-allocated for mbufs and mbuf clusters.

Print the percentage of allocated memory that is wired (cached). The
old mbuf allocator never freed memory so printing this value wasn't
useful. A previous version of netstat for the new allocator printed
the in-use amount as a percentage of the wired amount.

Fixed some nearby style bugs (excessive parenthesization and a redundant
return).

Reviewed by: alfred

Fixed missing declaration of pluralies(). This showed up as strange
printf format warnings for inet6.c (pluralies() was implicit int, but
the context requires a "char *").

Added WARNS?=2 to the Makefile so that such errors don't come back.
Added NO_WERROR?= to the Makefile because I haven't checked that setting
WARNS doesn't uncover more bugs except on i386's.

Fixed style bugs created in rev.1.27 by removing "__P(" and its closing ")"
without removing the space before it.

Teach netstat about the new sendfile statistics.

Clean up the style of the previous commit, and fix a few
type mismatches as well.

Suggested by: bde

Teach netstat to read and display the new sfbuf statistics.

Fix percentages by using long long to hold values for 'space',
overflow was breaking a bunch of the stats, specifically the
percentage displayed for wired memory.

Fix the output for current/peak/max lines, I forgot to output the types.
161/320/51200 (current/peak/max):
-to-
639/25696/51200 mbufs in use (current/peak/max):

I asked Bosko Milekic for help with 'peak' reporting, and he suggested
using the old 'cached' value but reporting it as 'cached'.

I've decided to report the 'cached' as 'peak', why? Well because
it is the peak, the peak of what is actually allocated. 'cached'
doesn't make sense to me as a user.

Restore old netstat -m output.
A new flag '-c' can be used to ask for the cache stats.

Fix some minor nits in netstat whereby large interface names would be
truncated. In environments where many tunnel or vlan interfaces are created,
interface names have high numbers which overflow the field width.

PRs: bin/52349, bin/35838
Submitted by: Mike Tancsa, Scot W. Hetzel
Approved by: re (rwatson)

Replace the if_name and if_unit members of struct ifnet with new members
if_xname, if_dname, and if_dunit. if_xname is the name of the interface
and if_dname/unit are the driver name and instance.

This change paves the way for interface renaming and enhanced pseudo
device creation and configuration symantics.

Approved By: re (in principle)
Reviewed By: njl, imp
Tested On: i386, amd64, sparc64
Obtained From: NetBSD (if_xname)

Print the correct ICMP statistics for "no return routes".

remove unneeded include of route.h

Supported by: FreeBSD Foundation

1. Add support for printing PIM-related statistics with
netstat -s -p pim

2. Print information about the bandwidth meters installed in the kernel with
netstat -g

Submitted by: Pavlin Radoslavov <pavlin@icir.org>

* Use sysctlbyname(3) to print statistics about the MFC and
multicast VIF tables.
This change is needed for consistency with the rest of the
netstat/mroute.c implementation, and because in some
cases "netstat -g" may fail to report the multicast forwarding
information (e.g., if we run a multicast router on PicoBSD).

* Remove "DVMRP" from the head comment of file netstat/mroute.c,
because the printed multicast-related statistics are not
DVMRP-specific anymore.

Submitted by: Pavlin Radoslavov <pavlin@icir.org>

Revert last delta.

The -l option is deprecated (hence undocumented in usage() and
SYNOPSIS), as was threatened in the commitlog accompanying rev.
1.10 of main.c.

Approved by: re (blanket)

Make the mb_alloc low-watermark sysctl-tunable read-only and make
netstat(1) not display it for now because its effects are not yet
completely implemented and we're about to cut 5.2-RELEASE.
This is temporary.

Approved by: re (scottl, rwatson)

Back out support for RFC3514.

RFC3514 poses an unacceptale risk to compliant systems.

Implement support for RFC 3514 (The Security Flag in the IPv4 Header).
(See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt)

This fulfills the host requirements for userland support by
way of the setsockopt() IP_EVIL_INTENT message.

There are three sysctl tunables provided to govern system behavior.

net.inet.ip.rfc3514:

Enables support for rfc3514. As this is an
Informational RFC and support is not yet widespread
this option is disabled by default.

net.inet.ip.hear_no_evil

If set the host will discard all received evil packets.

net.inet.ip.speak_no_evil

If set the host will discard all transmitted evil packets.

The IP statistics counter 'ips_evil' (available via 'netstat') provides
information on the number of 'evil' packets recieved.

For reference, the '-E' option to 'ping' has been provided to demonstrate
and test the implementation.

Document the undcumnt -l option (that's a lowercase `el').

PR: 48466
Submitted by: Peter Philipp <dot.bomb@freenet.de>

Kill #ifdef NS and some leftover #ifdef ISO code. Re-pack the nlist[]
array, it isn't likely to find any ARPAnet IMP drivers in FreeBSD.

o Allow "buckets" in mb_alloc to be differently sized (according to
compile-time constants). That is, a "bucket" now is not necessarily
a page-worth of mbufs or clusters, but it is MBUF_BUCK_SZ, CLUS_BUCK_SZ
worth of mbufs, clusters.
o Rename {mbuf,clust}_limit to {mbuf,clust}_hiwm and introduce
{mbuf,clust}_lowm, which currently has no effect but will be used
to set the low watermarks.
o Fix netstat so that it can deal with the differently-sized buckets
and teach it about the low watermarks too.
o Make sure the per-cpu stats for an absent CPU has mb_active set to 0,
explicitly.
o Get rid of the allocate refcounts from mbuf map mess. Instead,
just malloc() the refcounts in one shot from mbuf_init()
o Clean up / update comments in subr_mbuf.c

- Determine the size of buffers with sizeof() instead of using
plain magic numbers - one of them was apparently wrong but unharmful.
- Remove empty line.

o Typo/Grammar fixes
o Added mini-function to correctly handle singular/plural
of words ending in 'ly'

Approved by: markm (mentor)
Not objected to by: -audit

Warns cleanups for netstat:
1) Include arpa/inet.h for ntohs.
2) Constness fixes.
3) Fix shadowing except for "sin" which shouldn't be in scope.
4) Remove register keyword.
5) Add missing initialsers to user defined structs.
5) Make prototype of netname6 globally visable.
6) Use right macros for printing syncache stats (even though entrie isn't
a word).

Widen struct sockbuf's sb_timeo member to int from short. With
non-default but reasonable values of hz this member overflowed,
breaking NFS over UDP.

Also, as long as I'm plowing up struct sockbuf ... Change certain
members from u_long/long to u_int/int in order to reduce wasted
space on 64-bit machines. This change was requested by Andrew
Gallatin.

Netstat and systat need to be rebuilt. I am incrementing
__FreeBSD_version in case any ports need to change.

Add the tcps_sndrexmitbad statistic, keep track of late acks that caused
unnecessary retransmissions.

Fix incorrect cast.

fixed typo.

obtained from: KAME
MFC after: 3 days

Use calculated column widths for the routing table display when -W is
supplied rather than arbitrarily larger widths. This (almost) guarantees
that no columns will be truncated (routing table additions between the
width calculation and display passes may create a row with column widths
larger than those calculated).

Sponsored by: NTT Multimedia Communications Labs

Use %lu instead of %ld when printing rt_use (aka rt_rmx.rmx_pksent)

Submitted by: Andre Oppermann <oppermann@pipeline.ch>
MFC after: 5 days

Cast to kill warnings. De-register.

fix warnings; change variable/argument names that mask global names.

Remove GCC-specific flags and commented out cruft.

Some easy const fixes.

Print IFT_ETHER addresses with ether_ntoa(3) (with leading zeros).

Style improvements recommended by Bruce as a follow up to some
of the recent WARNS commits. The idea is:

1) FreeBSD id tags should follow vendor tags.
2) Vendor tags should not be compiled (though copyrights probably should).
3) There should be no blank line between including cdefs and __FBSDIF.

- Make ip_rtaddr() global, and use it to look up the correct source
address in icmp_reflect().
- Two new "struct icmpstat" members: icps_badaddr and icps_noroute.

PR: kern/31575
Obtained from: BSD/OS
MFC after: 1 week

Add syncache statistics to netstat.

Fix typo.

PR: docs/31388
Submitted by: Yoshihiko Sarumaru <mistral@imasy.or.jp>

Print statistics for AF_IPX.
Note that the IPX code doesn't update these correctly yet, but should.

Fixed bugs from revision 1.27. Specifically:

- Restore the ability to look up network names in the networks(5)
database by passing getnetbyaddr(3) shifted network numbers,
but without duplicating the old bug that was fixed in 1.27 (we
now only shift netnums with standard netmasks). For example:

Before:

$ netstat -r
[...]
127.0.1/24 localhost UGSc 0 0 lo0
127.0.2/24 localhost UGSc 0 0 lo0

After:

$ netstat -r
[...]
subnet1/24 localhost UGSc 0 0 lo0
subnet2/24 localhost UGSc 0 0 lo0

- Only try to lookup with the forged netmask if the mask was not
explicitly specified, like it was before 1.27. For example:

Before:

$ netstat -r
net-44.ampr.org/25 localhost UGSc 0 0 lo0
net-44.ampr.org/25 localhost UGSc 0 0 lo0

After:

44.108.2/25 localhost UGSc 0 0 lo0
44.108.2.128/25 localhost UGSc 0 0 lo0

- Make sure to null-terminate the resulting string.

MFC after: 1 week

The previous change also disaligned lines with AF_IPX and AF_NS
addresses. Unshrink "Network" width to the previous value, and
make sure everything is aligned again.

Minor output formatting for 'netstat -i':
- Right align Mtu
- Print AF_INET family with correct field width.

Re-enable mbtypes statistics in the mbuf allocator. I disabled these
when I changed the allocator bits. This implements per-CPU mbtypes
stats by keeping net number of decrements/increments of a given mbtype
per-CPU and then summing all of the per-CPU mbtypes to produce the total
net number of allocated mbufs of the given mbtype.
Counters are carefully balanced to avoid/prevent underflows/overflows.

mbtypes stats are re-enabled with the idea that we may occasionally
(although very rarely) observe slight inconsistencies in the stat
reporting. Most of the time, we should be fine, though.

Also make appropriate modifications to netstat(1) and systat(1) to do
the necessary reporting.

Submitted by: Jiangyi Liu <jyliu@163.net>

Implement the ``-f address_family'' filter for -i.

Prodded by: Igor Podlesny <poige@morning.ru>

Update usage() to match reality.

Yay!
Make this manpage readable and match the reality.

If -s -s is specified, don't show zero multicast routing statistics.

Deprecate the -l option in favour of more natural -W.
The compatibility glue is still provided.

(This change is not yet reflected in the manpage, nor
in usage(). This will be fixed at a later time today,
with the general manpage cleanup commit.)

Don't print stray socket addresses (-A) with the listen queue display (-L).
Also, print socket's protocol with the -L.

SECURITY: Drop `setgid kmem' bit as early as possible.

-a is not an options (sic).

Mention what an asterisk means in the -i display.

PR: 30069
Submitted by: andrew@ugh.net.au

Don't misuse the return from snprintf.

MFC after: 2 weeks

Removed duplicate VCS ID tags, as per style(9).

Add a "X KBytes of wired memory reserved" metric that represents
approximately the amount of memory allocated from the mbuf maps
and sitting in the mbuf allocator's cache containers, and display
in parantheses the percentage of said memory that is actually
in use at the given time `netstat -m' is executed.

Suggested by: mjacob

- Do not handle the per-CPU containers in mbuf code as though the cpuids
were indices in a dense array. The cpuids are a sparse set and treat
them as such, setting up containers only for CPUs activated during
mb_init().

- Fix netstat(1) and systat(1) to treat the per-CPU stats area as a sparse
map, in accordance with the above.

This allows us to properly boot with certain CPUs disactivated. However, if
we later decide to re-activate said CPUs, we will barf until we decide to
implement CPU spinon/spinoff callback hooks to allow for said CPUs' per-CPU
containers to get configured on their activation.

Reported by: mjacob
Partially (sys/ diffs) Submitted by: mjacob

Use sysctl to export multicast routing stats

Remove whitespace at EOL.

mdoc(7) police: sort SEE ALSO xrefs (sort -b -f +2 -3 +1 -2).

Make `rttrash' variable (#routes not in table but not freed) visible
through ``netstat -rs''.

Fixed bogon in revision 1.37. Don't bogusly print a radix node's
duped key marker (``=>'') for routes with non-positive rmx_expire
metric, such as ethernet interface routes.

MFC after: 1 week

- create an entry of IPV6CTL_STATS sysctl.
- fix the problem that netstat doesn't show raw6 and icmp6 pcblist.
- make netstat use sysctl to retreive stats of ipv6 and icmpv6
instead of kread.

Obtained from: KAME
MFC after: 1 week

Add netstat(1) knob to reset net.inet.{ip|icmp|tcp|udp|igmp}.stats.
For example, ``netstat -s -p ip -z'' will show and reset IP stats.

PR: bin/17338

- Fix space allocation for mbstat structure
- Make sure to try hw.ncpu if kern.smp.cpus doesn't exist (i.e. on UP) to
get number of CPUs.

Honor -s -s (don't show zero stats) with -r, untangle SYNOPSIS further.
(usage() still is not synchronized with SYNOPSIS, intentionally.)

Introduce numerous SMP friendly changes to the mbuf allocator. Namely,
introduce a modified allocation mechanism for mbufs and mbuf clusters; one
which can scale under SMP and which offers the possibility of resource
reclamation to be implemented in the future. Notable advantages:

o Reduce contention for SMP by offering per-CPU pools and locks.
o Better use of data cache due to per-CPU pools.
o Much less code cache pollution due to excessively large allocation macros.
o Framework for `grouping' objects from same page together so as to be able
to possibly free wired-down pages back to the system if they are no longer
needed by the network stacks.

Additional things changed with this addition:

- Moved some mbuf specific declarations and initializations from
sys/conf/param.c into mbuf-specific code where they belong.
- m_getclr() has been renamed to m_get_clrd() because the old name is really
confusing. m_getclr() HAS been preserved though and is defined to the new
name. No tree sweep has been done "to change the interface," as the old
name will continue to be supported and is not depracated. The change was
merely done because m_getclr() sounds too much like "m_get a cluster."
- TEMPORARILY disabled mbtypes statistics displaying in netstat(1) and
systat(1) (see TODO below).
- Fixed systat(1) to display number of "free mbufs" based on new per-CPU
stat structures.
- Fixed netstat(1) to display new per-CPU stats based on sysctl-exported
per-CPU stat structures. All infos are fetched via sysctl.

TODO (in order of priority):

- Re-enable mbtypes statistics in both netstat(1) and systat(1) after
introducing an SMP friendly way to collect the mbtypes stats under the
already introduced per-CPU locks (i.e. hopefully don't use atomic() - it
seems too costly for a mere stat update, especially when other locks are
already present).
- Optionally have systat(1) display not only "total free mbufs" but also
"total free mbufs per CPU pool."
- Fix minor length-fetching issues in netstat(1) related to recently
re-enabled option to read mbuf stats from a core file.
- Move reference counters at least for mbuf clusters into an unused portion
of the cluster itself, to save space and need to allocate a counter.
- Look into introducing resource freeing possibly from a kproc.

Reviewed by (in parts): jlemon, jake, silby, terry
Tested by: jlemon (Intel & Alpha), mjacob (Intel & Alpha)
Preliminary performance measurements: jlemon (and me, obviously)
URL: http://people.freebsd.org/~bmilekic/mb_alloc/

- Avoid hardcoded constant on icmp6 in/out histogram printing
- Icmp6 histogram update for inverse neighbor solicit/advert.

Obtained from: KAME
MFC after: 2 weeks

remove warnings
remove superfluous declarations
make things more consistent

remove K&R support

revert removal of warning and K&R support

Requested by: bde

nflag -> numeric_port. nflag is no more

Print symbolic names for appletalk ports. Also some very minor style 9 issues.

PR: bin/4157
Submitted by: Denny Gentry <denny1@home.com>

First round of netstat(1) cleanup.

Removed the ambiguity in -s, -f, -p and -i flags handling.
Basically, there are four displays (except others):

1. PCB display.
2. Protocol statistics display. (-s)
3. Interface statistics display. (-i)
4. Per-interface protocol statistics display. (-i -s)

All of the above except 3) can be limited to a particular
protocol family (-f) or a single protocol (-p).

Some examples:

1. netstat -f inet -- show PCBs of all INET protocols
2. netstat -p udp -- show PCB of UDP protocol only (NEW!)
3. netstat -s -- show protocol statistics for all families
4. netstat -s -f inet -- show INET protocols statistics
5. netstat -s -p icmp -- show ICMP protocol statistics

This is a work in progress. Manpage has been fixed slightly,
but is still incomplete.

Line up `netstat -rl' display.

remove most of the warnings

add the option -S for printing port numbers symbolically but addresses
numerically. clean up the CFLAGS in Makefile.

Restore -M -N support for -m.

PR: 20808

Removed -h option.

Really delete the -h option.

CSRG revision 5.33 deleted -h option from getopt(), but not
from usage(). Revision 8.3 restored it in getopt().

Fixed printing of netatalk statistics WRT the -s flag.

PR: bin/6994
Submitted by: Zahemszky Gabor <zgabor@zg.CoDe.hu>
MFC after: 1 week

Mention about -rl behavior change. Now, MTU is printed.

Add missing column for Mtu in header when -rl is specified.

Sync with recent KAME.
This work was based on kame-20010528-freebsd43-snap.tgz and some
critical problem after the snap was out were fixed.
There are many many changes since last KAME merge.

TODO:
- The definitions of SADB_* in sys/net/pfkeyv2.h are still different
from RFC2407/IANA assignment because of binary compatibility
issue. It should be fixed under 5-CURRENT.
- ip6po_m member of struct ip6_pktopts is no longer used. But, it
is still there because of binary compatibility issue. It should
be removed under 5-CURRENT.

Reviewed by: itojun
Obtained from: KAME
MFC after: 3 weeks

Always print at least 2 bytes for IN_CLASSB_NET networks.
Always print at least 3 bytes for IN_CLASSC_NET networks.

The standard 193.0.0 class C network for example, will now
be displayed as "193.0.0" as opposed to the confusing 193.

PR: bin/21546
MFC after: 1 week

Correct some typos.

PR: 27251
Submitted by: Pekka Savola <pekkas@netcore.fi>

Restore printing of routes cloned from a RTF_CLONING parent
(e.g., ARP table entries) with the default routing display.

PR: bin/26970
Reviewed by: wollman
MFC after: 3 days

Add missing break when printing IPv6 multicast addresses.
Use the sockaddr_dl sdl_type, not ifnet.if_type, to decide what type
a multicast sockaddr_dl is.

Fix typo s/thissystem/this system/

Submitted by: Stephen <sdk@shell.yuck.net>

Don't core dump when given "-i -a". Problem caused by a mistaken
dereference of a kernel-pointer in userland.

PR: 26168
Submitted by: Peter Pentchev <roam@orbitel.bg>

Add an example of a novel technique to the IPv6 code. This technique seems
to have been developed after the IPv6 code was written, it's called "checking
for error returns".

Now netstat at least doesnt't go beserk in jails.

s/protocol-cloned/cloned/ I have missed in 1.24 -> 1.25.

Add a -W flag that tells netstat not to truncate addresses even if they are
too long for the column they're printed in.

Move variable definitions out of netstat.h and into main.c.

Clean up some warnings.

net/route.c:

A route generated from an RTF_CLONING route had the RTF_WASCLONED flag
set but did not have a reference to the parent route, as documented in
the rtentry(9) manpage. This prevented such routes from being deleted
when their parent route is deleted.

Now, for example, if you delete an IP address from a network interface,
all ARP entries that were cloned from this interface route are flushed.

This also has an impact on netstat(1) output. Previously, dynamically
created ARP cache entries (RTF_STATIC flag is unset) were displayed as
part of the routing table display (-r). Now, they are only printed if
the -a option is given.

netinet/in.c, netinet/in_rmx.c:

When address is removed from an interface, also delete all routes that
point to this interface and address. Previously, for example, if you
changed the address on an interface, outgoing IP datagrams might still
use the old address. The only solution was to delete and re-add some
routes. (The problem is easily observed with the route(8) command.)

Note, that if the socket was already bound to the local address before
this address is removed, new datagrams generated from this socket will
still be sent from the old address.

PR: kern/20785, kern/21914
Reviewed by: wollman (the idea)

MAXHOSTNAMELEN includes space for a NUL.
Don't roll our own version of trimdomain(), use the one in libutil.

Not objected to by: freebsd-audit

Count and show incoming UDP datagrams with no checksum.

When displaying interface statistics with -i show a '-' for any
values that aren't updated for a particular network-layer address.

Convert if_multiaddrs from LIST to TAILQ so that it can be traversed
backwards in the three drivers which want to do that.

Reviewed by: mikeh

mdoc(7) police: split punctuation characters + misc fixes.

Use macro API to <sys/queue.h>

Submitted by: "Jason" <jsmethers@pdq.net>
Reviewed by: phk

mdoc(7) police: use the new features of the Nm macro.

Now that the amount of (pseudo) interfaces is growing with IPv6,
get rid of stupid upperbound on the amount of interfaces (was 8).

Augment the 'ifaddr' structure with a 'struct if_data' to keep
statistics on a per network address basis.

Teach the IPv4 and IPv6 input/output routines to log packets/bytes
against the network address connected to the flow.

Teach netstat to display the per-address stats for IP protocols
when 'netstat -i' is evoked, instead of displaying the per-interface
stats.

Change the "in use" percentage metric to actually display a real
"in use" percentage. In other words, show how much of mb_map is in use.

Fixed the printing of header for IPv4 routing table without -l option.
Broken in rev 1.44.

Replace the mbuf external reference counting code with something
that should be better.

The old code counted references to mbuf clusters by using the offset
of the cluster from the start of memory allocated for mbufs and
clusters as an index into an array of chars, which did the reference
counting. If the external storage was not a cluster then reference
counting had to be done by the code using that external storage.

NetBSD's system of linked lists of mbufs was cosidered, but Alfred
felt it would have locking issues when the kernel was made more
SMP friendly.

The system implimented uses a pool of unions to track external
storage. The union contains an int for counting the references and
a pointer for forming a free list. The reference counts are
incremented and decremented atomically and so should be SMP friendly.
This system can track reference counts for any sort of external
storage.

Access to the reference counting stuff is now through macros defined
in mbuf.h, so it should be easier to make changes to the system in
the future.

The possibility of storing the reference count in one of the
referencing mbufs was considered, but was rejected 'cos it would
often leave extra mbufs allocated. Storing the reference count in
the cluster was also considered, but because the external storage
may not be a cluster this isn't an option.

The size of the pool of reference counters is available in the
stats provided by "netstat -m".

PR: 19866
Submitted by: Bosko Milekic <bmilekic@dsuper.net>
Reviewed by: alfred (glanced at by others on -net)

To make compilable without -DINET6.

PR: bin/20407
Submitted by: Patrick Bihan-Faou <patrick@mindstep.com>

Do not display icmp(4) sockets as non-existent bridge(4) sockets.

Fix bug: "netstat -si" prints interface information, but the header
line is missing. This apparently was broken in revision 1.31 of
"if.c".

Submitted by: Maxime Henrion <mhenrion@cybercable.fr>

Make mbstat.m_mtypes seperate and viewable via sysctl, also
expand the size from short to ulong

Submitted by: Ian Dowse <iedowse@maths.tcd.ie>
PR: kern/19809

remove m_pulldown related statistics, it is not for production system
(it belongs to kame experiment).

add pfkeystat. sync with kame

sync with latest kame netstat. basically, more statistics

Use Garrett's new (clearer) names.

Add '-L' option to usage().

Don't suppress Flags and Refs info for IPv4 entries.
(They need to be suppressed by default for IPv6 entries to keep the column
size of each entries in 80.)

Add a flag to the usage display.

There was a missing description for a new flags to netstat.
I already added the fix to netstat man, but usage() change is
also necessary.

Specified by: Ben Smithurst <ben@scientia.demon.co.uk>
Approved by: jkh

Add "-l" option description.

Noticed the necessity by Ben Smithurst <ben@scientia.demon.co.uk> message
on freebsd-current.

Remove single-space hard sentence breaks. These degrade the quality
of the typeset output, tend to make diffs harder to read and provide
bad examples for new-comers to mdoc.

IPv6 multicast routing.
kernel IPv6 multicast routing support.
pim6 dense mode daemon
pim6 sparse mode daemon
netstat support of IPv6 multicast routing statistics

Merging to the current and testing with other existing multicast routers
is done by Tatsuya Jinmei <jinmei@kame.net>, who writes and maintainances
the base code in KAME distribution.

Make world check and kernel build check was also successful.

Instead of reporting all 0.0.0.0 as ``default'' only report
a true default of 0.0.0.0/0 as default.

Reviewed by: wollman

-permit protocol specific statistics at iflag,
only when either of sflag and "-f inet6" is specified.
-fix the indentation of default output

Specified by: Stephen McKay <syssgm@detir.qld.gov.au>

Reviewed and Confirmed by: Stephen McKay <syssgm@detir.qld.gov.au>

libipsec and IPsec related apps. (and some KAME related man pages)

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Print mac addresses in standard byte:byte format rather than
byte.byte. This makes it consistent with our other utilities
like arp(8) and ifconfig(8).

Submitted by: Paul Vixie <paul@vix.com>

Add display of maximum allowed mbuf count to match mbuf cluster count.

Submitted by: Bosko Milekic <bmilekic@dsuper.net>

Getaddrinfo(), getnameinfo(), and etc support in libc/net.
Several udp and raw apps IPv6 support.

Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

also, changed prototype of pr_rthdr(), as my previous fix
for netstat/route.c

Added missing declaration for argment specification at pr_rthdr(),
caused by my previous patch, sorry.
Also, changed its var name from 'af' to 'wid_af', to avoid confusion with
global var 'af'.

define WID_DST6 and WID_GW6 and use them only for IPv6, to keep IPv4 related
information in 80 columns.

TODO: IPv6 related information is not likely to be kept in 80 columns, anyway.
Some more print modes could be added,
but what is the priority between those modes?
-print out all information even if they don't fit into 80 columns
-strip off some information to fit them into 80 columns

Reviewed by: markm

Enable INET6 by default.
This should be OK on non INET6 enabled kernel.

Add new option, -L that will listen the various listen queue lengths.

Reviewed by: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
Clive Lin <clive@GnatS.CirX.ORG>

udp IPv6 support, IPv6/IPv4 tunneling support in kernel,
packet divert at kernel for IPv6/IPv4 translater daemon

This includes queue related patch submitted by jburkhol@home.com.

Submitted by: queue related patch from jburkhol@home.com
Reviewed by: freebsd-arch, cvs-committers
Obtained from: KAME project

Fix the output of 'netstat -I de0 1' for the alpha. Fix a bunch of
warnings while I'm here.

uncomment FILES section (it look reasonable here)
mdoc(7)'fy

Put include <netgraph.h> back in - problem was due to a cvsup mess on
freefall. There may also be a real problem w/ buildworld but the fix
would go somewhere else, not here.

Cleanup missing includes, stale includes, and a few printf format
inconsistancies.

Whistle's Netgraph link-layer (sometimes more) networking infrastructure.
Been in production for 3 years now. Gives Instant Frame relay to if_sr
and if_ar drivers, and PPPOE support soon. See:
ftp://ftp.whistle.com/pub/archie/netgraph/index.html
for on-line manual pages.

Reviewed by: Doug Rabson (dfr@freebsd.org)
Obtained from: Whistle CVS tree

Cleanup towards -Wall

Allow suppress printing of lines with zero counts
for an IPX address family.

PR: 14168

Add xrefs to the {f,net,sock}stat.1 manpages. While I'm in there, fix
the sockstat.1 document title, which still remembers when sockstat was
called lsock.

Reviewed by: mpp

Zap $Source$

$Header$ -> $FreeBSD$

$Id$ -> $FreeBSD$

Document the use of the -a flag in conjunction with the -r flag.

PR: docs/13037
Submitted by: Christopher Masto <chris@netmonger.net>

Add $Id$, to make it simpler for members of the translation teams to
track.

The $Id$ line is normally at the bottom of the main comment block in the
man page, separated from the rest of the manpage by an empty comment,
like so;

.\" $Id$
.\"

If the immediately preceding comment is a @(#) format ID marker than the
the $Id$ will line up underneath it with no intervening blank lines.
Otherwise, an additional blank line is inserted.

Approved by: bde

Don't truncate port numbers.

Submitted by: ru

Add support for printing bridging statistics with ``-p bdg '' .
If someone has a better flag to use I'll be glad to change it.

IPX address formatting nit.

PR: bin/11179
Submitted by: Dan Nelson <dnelson@emsphone.com>

Fix fstat compatibility by printing the address of the tcppcb instead of
that of the regular socket pcb for TCP sockets.

PR: bin/9963
Submitted by: Ruslan Ermilov <ru@ucb.crimea.ua>

Fix off-by-one error.

Make the ipx part of netstat work again.

Fix "make world" breakage because MT_RTABLE was still referenced here.

Don't use ip_mrtproto to determine whether multicast routing is in
the kernel; this was left over from the earlier protocol-dependent
kernel multicast routing code.

Learn how to handle the malloc'd multicast routing table (instead of
expecting it to be in mbufs)

Quick hack to allow netstat to compile once more: ifdef out MT_SOOPTS

Change casts from int to u_long and formats from %x to %lx.

Didn't fix the alignment of the output fields on alpha where addresses
require 16 characters to print.

Added a dummy field to the pt_u union to help the alpha compiler align
the u_sa field in a suiable way.

Change a variable from int to size_t.

Make netstat work again.

Don't open /dev/mem until we need it, most cases we don't.

Fixed printf format errors.

Fixed type mismatches and style bugs in rev.1.30.

o Use snprintf over sprintf.
o Use strncpy correctly.
o Use enough buffer for line.

Inspired by or Obtained from: Similar changes in OpenBSD

Make "netstat -s" display stats on fast-forwarded packets.
Obtained from: NetBSD code

Fix rev. 1.7: get offsetof from the correct header file.

Fix broken sun_len usage: it is not sun_path length but bigger

mbuf, inet, and unix modules no longer read kvm.

Remove (now) invalid .Xr trsp 8

PR: 6494
Submitted by: Don Morrison <dmorrisn@u.washington.edu>

Output mbuf clusters as current/peak/max. Requires new kern.ipc.nmbclusters
sysctl variable (previously committed).

netstat truncates info in sockaddr* between kgetsa and p_sockaddr
by dereferencing pointer to smaller structure

PR: 5256
Reviewed by: phk
Submitted by: Gregory D. Moncreaff <moncrg@bt340707.res.ray.com>

The current version of netstat does not print the interface
name for AF_LINK routing entries. This makes debugging
network problems more difficult.
PR: 4182
Reviewed by: phk
Submitted by: Craig Leres <leres@ee.lbl.gov>

Add (unsigned) cast to prevent overflow in %
Submitted by: "Alex G. Bulushev" <bag@demos.su>

Typo fix.

PR: docs/4579
Submitted by: Stephen J. Roznowski <sjr@home.net>

Print out the two new fields in the ICMP stats. While we're at it, also
convert icmp_stats() to use sysctl(3) to retrieve the information
rather than kvm. This makes it easy to also print whether ICMP address
mask responses are enabled, so do so.

While I'm in here, fix address printing for `netstat -f unix' which has been
broken for a couple of weeks now...

Bandaid to make this compile.. These old mbuf types should probably be
ripped out.

Remove prog, unused variables.
Cosmetic in usage string.

Remove -I/sys

Remove some quite bogus code that tried to find subnet names but instead
spammed named with bogus queries.

Add the new ipx statistics variables.

Remove the dns lookup code in the ipx functions. That is bogus and slows
things like netstat -r(f ipx) down, without gaining anything.

Remove the ipx error protocol statistics.

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.

Use the new sysctl(3) interface to mbuf statistics rather than
groveling about in kmem.

Revert $FreeBSD$ to $Id$

When the mbuf code was changed to use a private allocator instead of
the kernel malloc, netstat was never updated to reflect the fact that
there are once again allocated-but-free mbufs, just as there are
clusters, and so the information presented about how much memory was
allocated to the network was bogus. Fixed.

Print out the new uninteresting-multicast-packets statistic.

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Print out the interface's multicast addresses using the new
structures.

TCP statistics are unsigned counters.

Tor Egge reports counter wrap and requests and update to quad_t sized
counters, which is also a good thing to do, but I'm unhappy about adding
two more instructions into the code path every time we doink a counter.

Maybe with or after the Lite2 merge...
Submitted by: Tor Egge <Tor.Egge@idt.ntnu.no>

Update to match changes in <net/if.h> and <netinet/ip_mroute.h>.

Learn to follow the new interface address lists.

Understand queue-ized ifnet structures.

Fix up programs which expect <net/if.h> to include <sys/time.h> to instead
do it themselves. (Some of these programs actually depended on this
beyond compiling the definition of struct ifinfo!) Also fix up some
other #include messes while we're at it.

Display multicast addresses if the "a" flag is used in combination
with "-i". This was already in the man page but was not implemented.

Obtained from: Multicast release 3.5

Eliminate unnecessary include of <sys/mbuf.h>. PCBs aren't stored in mbufs
any more.

Remove reference to oobsolete RTF_MASK flag (soon to be removed).

make appletalk networks not show an un-needed host
part in displaying the routes.

Fixed DPADD.

fix printing of netranges in the i and r displays for netatalk

Try to make netstat more smart about port numbers.
Feedback most welcome.

Submitted by: archie@whistle.com

slight cleanups on yesterday's patches

Submitted by: archie@whistle.com

appletalk cleanups

Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if the IPDIVERT is not compiled in..
be aware that this changes the size of the ip_fw struct
so ipfw needs to be recompiled to use it.. more changes coming to clean this up.

appletalk cleanups

e.g.
Active ATALK connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
ddp 0 0 [69.230]130 [*.*]*
ddp 0 0 [69.230]128 [*.*]*
ddp 0 0 [69.230]1 [*.*]*

etc..

make netstat distinguish broadcast and blackhole routes where they appear.

(RTF_BLACKHOLE was already documented as being shown, but the code ignored
it)

Sumbitted by: Greg Lehey <grog@lemis.de>

better appletalk support.

I guess the docs should mention the new protocol at least once.

patches to allow netstat to monitor appletalk sockets openned using the
/sys/netatalk protocol stack

more cleanups and fixes are likely

Print PCB hash miss statistic.

Code cleanup: remove unused variables, use correct *printf format
specifiers (some unsigned values were printed as signed, some longs
were printed as ints), and place parentheses around assignments in
if statements.

Document that ipx is a valid protocol for the -f option.
Comment out ns and iso. They are not supported anymore.

Move #include of queue.h before #include of socketvar.h in preparation for
struct socket changes.

Make the -w option actually useful to people. Instead of it creating a
messy 130 column collage, output the system totals -or- info for a
specific interface if -I is given. Also wait for <interval> before
outputting the first sample so that it represents meaningful data (as
opposed to the total since the system was booted - most busy systems
wrap around many times during their operation, so these numbers are
only misleading).

Add a counter for the number of times the listen queue was overflowed to
the tcpstat structure. (netstat -s)
Reviewed by: wollman
Obtained from: Steves, TCP/IP Ill. vol.3, page 189

For some reason, the changes to make route.c compile didn't make it over.
Fixed.

Pointed-out-by: joerg

XNS sort-of-support is no more.

Remove support for OSI networking in user-land (#ifdef OSI aor CCITT)
in preparation for its removal from the kernel source tree. NB: because
a function was deleted, libc is now at version 3.0 (was 2.2 previously).

Fix a variety of minor typos and cross references in a bunch of
man pages.

Masanobu Saitoh <msaitoh@spa.is.uec.ac.jp>
Giles Lean <giles@nemeton.com.au>
<soda@sra.co.jp>

tidy up the domain name trimming code, and move it to a single place
rather than having the same bit of code duplicated in three places,
each with their own static copy of the host's local name.

A couple of changes of mine that I've been using for a while:
route.c: look up the netname as-is first before the shifted name. this
makes a big speed difference, as the lookups are generally local
DNS. The shifted names can be very wrong (there is still guessing
and fudging involved) and usually go remote, taking a long time
to fail. If you have the RFC reccomended netnames in your reverse
lookups, this is even faster still.
main.c: dont do a sethostent(1) - this is causing the resolver to use a
VC (tcp) connection to the resolver, which has more overheads and
is slower than the default UDP case. This once made sense when
everything was based on text host tables.

Merge in Lite-2 changes.

Change .8s port name restriction to .15s, modern tcp port
have longer names, check /etc/services.
kerberos_master triggers this bug: it is undistiguishable from
simple kerberos for .8s

Submitted by: John Hay

more IPX related fixes

Increase width of Network column from 11 to 13 for the AF_INET case.
This seems to have been missed, when the recent IPX changes went in ...

Fix the bug that caused the AF_UNIX domain sockets to not be shown..
(it was nlist()ing a wrong symbol name). Only problem is that I'd grown
quite partial to the inet-only version.. :-)

Submitted by: Mike Mitchell

oops.
forgot this file then went to bed..

sorry

- #if defined(TF_NEEDSYN) && defined(TF_NEEDSYN)
+ #if defined(TF_NEEDSYN) && defined(TF_NEEDFIN)

Submitted by: john hay

patches to merge the two IPX packages to work with each other and to
not break make-world :)

IPXrouted should be working now, (or at least compiling) :)

Reviewed by: julian and jhay@mikom.csir.co.za
Submitted by: Mike Mitchell, supervisor@alb.asctmd.com

This is a bulk mport of Mike's IPX/SPX protocol stacks and all the
related gunf that goes with it..
it is not guaranteed to work 100% correctly at this time
but as we had several people trying to work on it
I figured it would be better to get it checked in so
they could all get teh same thing to work on..

Mikes been using it for a year or so
but on 2.0

more changes and stuff will be merged in from other developers now that this is in.

Mike Mitchell, Network Engineer
AMTECH Systems Corporation, Technology and Manufacturing
8600 Jefferson Street, Albuquerque, New Mexico 87113 (505) 856-8000
supervisor@alb.asctmd.com

In TCP statistics, display new statistic about how many resends were
initiated as a result of the Path MTU discovery process.

Fixed netstat to not bogusly mangle the argv[] command args by rewriting
the way it stores and handles "interface". The previous behavior resulted
in strange output from 'w' and 'ps' when an interface specification was
given to netstat.

Output statistics as unsigned in the -w section.
Look at error return of kread() and stop on error.
Fix warning in kread() to not output "kvm_read:" twice.
Killed PCB cache misses stat as we no longer have it.

Add "connections dropped by persist timeout" statistic.

Instantiate our own variables instead of depending on bogus common
declarations in system headers that will be fixed soon.

Correct spelling mistake: upcated -> updated.

Print out the statistics for cache updates of rtt, rttvar, and ssthresh.

Re-write `netstat -g' code to match the 3.5 data structures.

Remove trailing whitespace.

That's what I get for doing things in a hurry...applied up-to-date patch
to this file rather than old one (before I renamed the structure element).

Oops, remove some chaff from previous commit.

Updated netstat to grok 4.4 QUEUE macros now being used to like the PCBs
together.

The negative expire times shown by netstat are confusing and ugly.

Destination Gateway Flags Refs Use Netif Expire
199.182.75.128 link#1 UC 0 0 ed0 -842660
Submitted by: John Capo <jc@irbs.com>

Changed "mapped pages in use" to "mbuf clusters in use".

Make netstat report the correct state for T/TCP.

Submitted by: Andras Olah <olah@cs.utwente.nl>

Don't print protocol-cloned routes by default (enabled by -a flag).
Print non-zero expiration timers.
Use err(3) for error reporting.

Document new route flags.

Make it possible to correctly print out new route flags, and do so.

Added '-b' option to display the number of in and out bytes on a given
interface (used with -i and -I flag).

Document router advertisement and solicitation messages in ICMP input
histogram.

Tell netstat about the new multicast forwarding statistics. For the moment,
don't try to do any multicast forwarding cache printouts; it's not clear
that netstat can do anything particularly useful or meaningful.

Changed output formatting to 0 pad hex bytes if necessary. This makes
the output consistent with traditional representations of ethernet
addresses. I still don't like the spacing in netstat -i, however.

Converted 'vmunix' to 'kernel'.

This commit was generated by cvs2svn to compensate for changes in r1590,
which included commits to RCS files with non-trunk default branches.