#
272461 |
|
02-Oct-2014 |
gjb |
Copy stable/10@r272459 to releng/10.1 as part of the 10.1-RELEASE process.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation |
#
256281 |
|
10-Oct-2013 |
gjb |
Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.
Approved by: re (implicit) Sponsored by: The FreeBSD Foundation
|
#
254781 |
|
24-Aug-2013 |
mav |
Make dummynet use new direct callout(9) execution mechanism. Since the only thing done by the dummynet handler is taskqueue_enqueue() call, it doesn't need extra switch to the clock SWI context.
On idle system this change in half reduces number of active CPU cycles and wakes up only one CPU from sleep instead of two.
I was going to make this change much earlier as part of calloutng project, but waited for better solution with skipping idle ticks to be implemented. Unfortunately with 10.0 release coming it is better get at least this.
|
#
250131 |
|
01-May-2013 |
eadler |
Correct a few sizeof()s
Submitted by: swildner@DragonFlyBSD.org Reviewed by: alfred
|
#
250039 |
|
29-Apr-2013 |
glebius |
Remove useless ifdef KLD_MODULE from dummynet module unload path. This fixes panic on unload.
Reported by: pho
|
#
240494 |
|
14-Sep-2012 |
glebius |
o Create directory sys/netpfil, where all packet filters should reside, and move there ipfw(4) and pf(4).
o Move most modified parts of pf out of contrib.
Actual movements:
sys/contrib/pf/net/*.c -> sys/netpfil/pf/ sys/contrib/pf/net/*.h -> sys/net/ contrib/pf/pfctl/*.c -> sbin/pfctl contrib/pf/pfctl/*.h -> sbin/pfctl contrib/pf/pfctl/pfctl.8 -> sbin/pfctl contrib/pf/pfctl/*.4 -> share/man/man4 contrib/pf/pfctl/*.5 -> share/man/man5
sys/netinet/ipfw -> sys/netpfil/ipfw
The arguable movement is pf/net/*.h -> sys/net. There are future plans to refactor pf includes, so I decided not to break things twice.
Not modified bits of pf left in contrib: authpf, ftp-proxy, tftp-proxy, pflogd.
The ipfw(4) movement is planned to be merged to stable/9, to make head and stable match.
Discussed with: bz, luigi
|
#
238988 |
|
02-Aug-2012 |
luigi |
replace __unused with a portable construct; fix a couple of signed/unsigned warnings.
|
#
238063 |
|
03-Jul-2012 |
issyl0 |
- Make ipfw's sched rules case insensitive, for user-friendliness. - Add a note to the ipfw(8) man page about the rules no longer being case sensitive. - Fix some typos in the man page.
PR: docs/164772 Reviewed by: bz Approved by: gabor (doc mentor, src committer) MFC after: 2 weeks
|
#
222560 |
|
01-Jun-2011 |
ae |
Hide some debug messages under debug macro.
MFC after: 1 week
|
#
221521 |
|
06-May-2011 |
ae |
Convert delay parameter back to ms when reporting to user.
PR: 156838 MFC after: 1 week
|
#
220831 |
|
19-Apr-2011 |
ae |
ipdn_bound_var() functions is designed to bound a variable between specified minimum and maximum. In case when specified default value is out of bounds it does not work as expected and does not limit variable. Check that default value is in range and limit it if needed. Also bump max_hash_size value to 65536 to correspond with manual page.
PR: kern/152887 MFC after: 2 weeks
|
#
220812 |
|
19-Apr-2011 |
ae |
Use M_WAITOK instead M_WAIT for malloc. Remove unneded checks.
MFC after: 1 week
|
#
220203 |
|
31-Mar-2011 |
ae |
Fix a memory leak. Memory that is allocated for schedulers hash table was not freed.
PR: kern/156083 MFC after: 1 week
|
#
218741 |
|
16-Feb-2011 |
pluknet |
Bump dummynet module version to meet dummynet schedulers' requirements, and thus unbreak loading dummynet.ko via /boot/loader.conf.
Reported by: rihad <rihad att mail.ru> on freebsd-net Approved by: kib (mentor)
|
#
217361 |
|
13-Jan-2011 |
jhb |
Use a blocking malloc() to initialize the dummynet taskq.
Reviewed by: luigi
|
#
217110 |
|
07-Jan-2011 |
jhb |
Use a regular taskqueue for dummynet rather than a "fast" taskqueue.
Reviewed by: luigi
|
#
213267 |
|
29-Sep-2010 |
luigi |
whitespace changes in preparation for future commits
|
#
213253 |
|
28-Sep-2010 |
luigi |
Whitespace changes to reduce diffs wrt the most recent ipfw/dummynet code: + remove an unused macro, + adjust the constants in an enum + small whitespace changes
MFC after: 3 days
|
#
206845 |
|
19-Apr-2010 |
luigi |
whitespace fixes (trailing whitespace, bad indentation after a merge, etc.)
|
#
206428 |
|
09-Apr-2010 |
luigi |
This commit enables partial operation of dummynet with kernels compiled with "options VIMAGE". As it is now, there is still a single instance of the pipes, and it is only usable from vnet0 (the main instance). Trying to use a pipe from a different vimage does not crash the system as it did before, but the traffic coming out from the pipe goes to the wrong place, and i still need to figure out where.
Support for per-vimage pipes is almost there (just a matter of uncommenting the VNET_* definitions for dn_cfg, plus putting into the structure the remaining static variables), however i need first to figure out how init/uninit work, and also to understand where packets are ending up on exit from a pipe.
In summary: vimage support for dummynet is not complete yet, but we are getting there.
|
#
206425 |
|
09-Apr-2010 |
luigi |
no need to pass an argument to dn_compat_calc_size()
MFC after: 3 days
|
#
205178 |
|
15-Mar-2010 |
luigi |
small fixes to estimate the buffer size when requesting all pipes/flows.
|
#
205173 |
|
15-Mar-2010 |
luigi |
+ implement (two lines) the kernel side of 'lookup dscp N' to use the dscp as a search key in table lookups;
+ (re)implement a sysctl variable to control the expire frequency of pipes and queues when they become empty;
+ add 'queue number' as optional part of the flow_id. This can be enabled with the command
queue X config mask queue ...
and makes it possible to support priority-based schedulers, where packets should be grouped according to the priority and not some fields in the 5-tuple. This is implemented as follows: - redefine a field in the ipfw_flow_id (in sys/netinet/ip_fw.h) but without changing the size or shape of the structure, so there are no ABI changes. On passing, also document how other fields are used, and remove some useless assignments in ip_fw2.c
- implement small changes in the userland code to set/read the field;
- revise the functions in ip_dummynet.c to manipulate masks so they also handle the additional field;
There are no ABI changes in this commit.
|
#
205050 |
|
11-Mar-2010 |
luigi |
implement listing of a subset of pipes/queues/schedulers. The filtering of the output is done in the kernel instead of userland to reduce the amount of data transfered.
|
#
204862 |
|
08-Mar-2010 |
luigi |
do not report an error unnecessarily
|
#
204763 |
|
05-Mar-2010 |
luigi |
plug a memory leak on pipe's reconfiguration
|
#
204754 |
|
05-Mar-2010 |
luigi |
fix a memory leak when deleting RED queues
|
#
204714 |
|
04-Mar-2010 |
luigi |
use callout_drain() (outside the lock) when unloading the module. This prevents a potential deadlock.
Submitted by: Francesco Magno
|
#
204591 |
|
02-Mar-2010 |
luigi |
Bring in the most recent version of ipfw and dummynet, developed and tested over the past two months in the ipfw3-head branch. This also happens to be the same code available in the Linux and Windows ports of ipfw and dummynet.
The major enhancement is a completely restructured version of dummynet, with support for different packet scheduling algorithms (loadable at runtime), faster queue/pipe lookup, and a much cleaner internal architecture and kernel/userland ABI which simplifies future extensions.
In addition to the existing schedulers (FIFO and WF2Q+), we include a Deficit Round Robin (DRR or RR for brevity) scheduler, and a new, very fast version of WF2Q+ called QFQ.
Some test code is also present (in sys/netinet/ipfw/test) that lets you build and test schedulers in userland.
Also, we have added a compatibility layer that understands requests from the RELENG_7 and RELENG_8 versions of the /sbin/ipfw binaries, and replies correctly (at least, it does its best; sometimes you just cannot tell who sent the request and how to answer). The compatibility layer should make it possible to MFC this code in a relatively short time.
Some minor glitches (e.g. handling of ipfw set enable/disable, and a workaround for a bug in RELENG_7's /sbin/ipfw) will be fixed with separate commits.
CREDITS: This work has been partly supported by the ONELAB2 project, and mostly developed by Riccardo Panicucci and myself. The code for the qfq scheduler is mostly from Fabio Checconi, and Marta Carbone and Francesco Magno have helped with testing, debugging and some bug fixes.
|
#
201745 |
|
07-Jan-2010 |
luigi |
we don't use dummynet_drain!
|
#
201732 |
|
07-Jan-2010 |
luigi |
some header shuffling to help decoupling ip_divert from ipfw
|
#
201527 |
|
04-Jan-2010 |
luigi |
Various cleanup done in ipfw3-head branch including: - use a uniform mtag format for all packets that exit and re-enter the firewall in the middle of a rulechain. On reentry, all tags containing reinject info are renamed to MTAG_IPFW_RULE so the processing is simpler.
- make ipfw and dummynet use ip_len and ip_off in network format everywhere. Conversion is done only once instead of tracking the format in every place.
- use a macro FREE_PKT to dispose of mbufs. This eases portability.
On passing i also removed a few typos, staticise or localise variables, remove useless declarations and other minor things.
Overall the code shrinks a bit and is hopefully more readable.
I have tested functionality for all but ng_ipfw and if_bridge/if_ethersubr. For ng_ipfw i am actually waiting for feedback from glebius@ because we might have some small changes to make. For if_bridge and if_ethersubr feedback would be welcome (there are still some redundant parts in these two modules that I would like to remove, but first i need to check functionality).
|
#
201122 |
|
28-Dec-2009 |
luigi |
bring in several cleanups tested in ipfw3-head branch, namely:
r201011 - move most of ng_ipfw.h into ip_fw_private.h, as this code is ipfw-specific. This removes a dependency on ng_ipfw.h from some files.
- move many equivalent definitions of direction (IN, OUT) for reinjected packets into ip_fw_private.h
- document the structure of the packet tags used for dummynet and netgraph;
r201049 - merge some common code to attach/detach hooks into a single function.
r201055 - remove some duplicated code in ip_fw_pfil. The input and output processing uses almost exactly the same code so there is no need to use two separate hooks. ip_fw_pfil.o goes from 2096 to 1382 bytes of .text
r201057 (see the svn log for full details) - macros to make the conversion of ip_len and ip_off between host and network format more explicit
r201113 (the remaining parts) - readability fixes -- put braces around some large for() blocks, localize variables so the compiler does not think they are uninitialized, do not insist on precise allocation size if we have more than we need.
r201119 - when doing a lookup, keys must be in big endian format because this is what the radix code expects (this fixes a bug in the recently-introduced 'lookup' option)
No ABI changes in this commit.
MFC after: 1 week
|
#
201121 |
|
28-Dec-2009 |
luigi |
readability fixes -- add braces on large blocks, remove unnecessary initializations
|
#
200855 |
|
22-Dec-2009 |
luigi |
merge code from ipfw3-head to reduce contention on the ipfw lock and remove all O(N) sequences from kernel critical sections in ipfw.
In detail:
1. introduce a IPFW_UH_LOCK to arbitrate requests from the upper half of the kernel. Some things, such as 'ipfw show', can be done holding this lock in read mode, whereas insert and delete require IPFW_UH_WLOCK.
2. introduce a mapping structure to keep rules together. This replaces the 'next' chain currently used in ipfw rules. At the moment the map is a simple array (sorted by rule number and then rule_id), so we can find a rule quickly instead of having to scan the list. This reduces many expensive lookups from O(N) to O(log N).
3. when an expensive operation (such as insert or delete) is done by userland, we grab IPFW_UH_WLOCK, create a new copy of the map without blocking the bottom half of the kernel, then acquire IPFW_WLOCK and quickly update pointers to the map and related info. After dropping IPFW_LOCK we can then continue the cleanup protected by IPFW_UH_LOCK. So userland still costs O(N) but the kernel side is only blocked for O(1).
4. do not pass pointers to rules through dummynet, netgraph, divert etc, but rather pass a <slot, chain_id, rulenum, rule_id> tuple. We validate the slot index (in the array of #2) with chain_id, and if successful do a O(1) dereference; otherwise, we can find the rule in O(log N) through <rulenum, rule_id>
All the above does not change the userland/kernel ABI, though there are some disgusting casts between pointers and uint32_t
Operation costs now are as follows:
Function Old Now Planned ------------------------------------------------------------------- + skipto X, non cached O(N) O(log N) + skipto X, cached O(1) O(1) XXX dynamic rule lookup O(1) O(log N) O(1) + skipto tablearg O(N) O(1) + reinject, non cached O(N) O(log N) + reinject, cached O(1) O(1) + kernel blocked during setsockopt() O(N) O(1) -------------------------------------------------------------------
The only (very small) regression is on dynamic rule lookup and this will be fixed in a day or two, without changing the userland/kernel ABI
Supported by: Valeria Paoli MFC after: 1 month
|
#
200601 |
|
16-Dec-2009 |
luigi |
Various cosmetic cleanup of the files: - move global variables around to reduce the scope and make them static if possible; - add an ipfw_ prefix to all public functions to prevent conflicts (the same should be done for variables); - try to pack variable declaration in an uniform way across files; - clarify some comments; - remove some misspelling of names (#define V_foo VNET(bar)) that slipped in due to cut&paste - remove duplicate static variables in different files;
MFC after: 1 month
|
#
200580 |
|
15-Dec-2009 |
luigi |
Start splitting ip_fw2.c and ip_fw.h into smaller components. At this time we pull out from ip_fw2.c the logging functions, and support for dynamic rules, and move kernel-only stuff into netinet/ipfw/ip_fw_private.h
No ABI change involved in this commit, unless I made some mistake. ip_fw.h has changed, though not in the userland-visible part.
Files touched by this commit:
conf/files now references the two new source files
netinet/ip_fw.h remove kernel-only definitions gone into netinet/ipfw/ip_fw_private.h.
netinet/ipfw/ip_fw_private.h new file with kernel-specific ipfw definitions
netinet/ipfw/ip_fw_log.c ipfw_log and related functions
netinet/ipfw/ip_fw_dynamic.c code related to dynamic rules
netinet/ipfw/ip_fw2.c removed the pieces that goes in the new files
netinet/ipfw/ip_fw_nat.c minor rearrangement to remove LOOKUP_NAT from the main headers. This require a new function pointer.
A bunch of other kernel files that included netinet/ip_fw.h now require netinet/ipfw/ip_fw_private.h as well. Not 100% sure i caught all of them.
MFC after: 1 month
|
#
200361 |
|
10-Dec-2009 |
luigi |
use div64 when converting back the burst value for userland
|
#
200360 |
|
10-Dec-2009 |
luigi |
when draining a flowset free the entire chain, not just one packet.
|
#
200358 |
|
10-Dec-2009 |
luigi |
centralize the code to free a packet (or a chain) while in dummynet. Remove an old macro and its stale comment.
|
#
200170 |
|
05-Dec-2009 |
oleg |
Fix burst processing for WF2Q pipes - do not increase available burst size unless pipe is idle. This should fix follwing issues: - 'dummynet: OUCH! pipe should have been idle!' log messages. - exceeding configured pipe bandwidth.
MFC after: 1 week
|
#
200029 |
|
02-Dec-2009 |
luigi |
small changes for portability and diff reduction wrt/ FreeBSD 7. No functional differences.
- use the div64() macro to wrap 64 bit divisions (which almost always are 64 / 32 bits) so they are easier to handle with compilers or OS that do not have native support for 64bit divisions;
- use a local variable for p_numbytes even if not strictly necessary on HEAD, as it reduces diffs with FreeBSD7
- in dummynet_send() check that a tag is present before dereferencing the pointer.
- add a couple of blank lines for readability near the end of a function
MFC after: 3 days
|
#
199073 |
|
09-Nov-2009 |
oleg |
style(9): add missing parentheses
|
#
198845 |
|
03-Nov-2009 |
oleg |
Fix two issues that can lead to exceeding configured pipe bandwidth: - do not expire queues which are not ready to be expired. - properly calculate available burst size.
MFC after: 3 days
|
#
196322 |
|
17-Aug-2009 |
jhb |
Purge mergeinfo in sys/ that is either empty or a subset of the parent mergeinfo on sys/ itself.
Approved by: re (mergeinfo blanket)
|
#
194930 |
|
24-Jun-2009 |
oleg |
- fix dummynet 'fast' mode for WF2Q case. - fix printing of pipe profile data. - introduce new pipe parameter: 'burst' - how much data can be sent through pipe bypassing bandwidth limit.
|
#
194245 |
|
15-Jun-2009 |
oleg |
Since dn_pipe.numbytes is int64_t now - remove unnecessary overflow detection code in ready_event_wfq().
|
#
193896 |
|
10-Jun-2009 |
luigi |
in ip_dn_ctl(), do not allocate a large structure on the stack, and use malloc() instead if/when it is necessary.
The problem is less relevant in previous versions because the variable involved (tmp_pipe) is much smaller there. Still worth fixing though.
Submitted by: Marta Carbone (GSOC) MFC after: 3 days
|
#
193859 |
|
09-Jun-2009 |
oleg |
Close long existed race with net.inet.ip.fw.one_pass = 0: If packet leaves ipfw to other kernel subsystem (dummynet, netgraph, etc) it carries pointer to matching ipfw rule. If this packet then reinjected back to ipfw, ruleset processing starts from that rule. If rule was deleted meanwhile, due to existed race condition panic was possible (as well as other odd effects like parsing rules in 'reap list').
P.S. this commit changes ABI so userland ipfw related binaries should be recompiled.
MFC after: 1 month Tested by: Mikolaj Golub
|
#
193532 |
|
05-Jun-2009 |
luigi |
move kernel ipfw-related sources to a separate directory, adjust conf/files and modules' Makefiles accordingly.
No code or ABI changes so this and most of previous related changes can be easily MFC'ed
MFC after: 5 days
|
#
193497 |
|
05-Jun-2009 |
luigi |
Small changes (no actual code changes) in preparation of moving ipfw-related stuff to its own directory, and cleaning headers and dependencies:
In this commit: + remove one use of a typedef; + document dn_rule_delete(); + replace one usage of the DUMMYNET_LOADED macro with its value;
No MFC planned until the cleanup is complete.
|
#
190865 |
|
09-Apr-2009 |
luigi |
Add emulation of delay profiles, which lets you model various types of MAC overheads such as preambles, link level retransmissions and more.
Note- this commit changes the userland/kernel ABI for pipes (but not for ordinary firewall rules) so you need to rebuild kernel and /sbin/ipfw to use dummynet features.
Please check the manpage for details on the new feature.
The MFC would be trivial but it breaks the ABI, so it will be postponed until after 7.2 is released.
Interested users are welcome to apply the patch manually to their RELENG_7 tree.
Work supported by the European Commission, Projects Onelab and Onelab2 (contract 224263).
|
#
189289 |
|
02-Mar-2009 |
luigi |
curr_time is a 64 bit variable so SYSCTL_LONG is not appropriate as a handler. The variable was exported only for debugging, but there is little reason to do it now that the timekeeping is supported by various other variables. For the time being just comment out the sysctl, but I think this should go away.
|
#
188580 |
|
13-Feb-2009 |
luigi |
remove unnecessary #include, and document some of the others
|
#
185895 |
|
10-Dec-2008 |
zec |
Conditionally compile out V_ globals while instantiating the appropriate container structures, depending on VIMAGE_GLOBALS compile time option.
Make VIMAGE_GLOBALS a new compile-time option, which by default will not be defined, resulting in instatiations of global variables selected for V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be effectively compiled out. Instantiate new global container structures to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0, vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.
Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_ macros resolve either to the original globals, or to fields inside container structures, i.e. effectively
#ifdef VIMAGE_GLOBALS #define V_rt_tables rt_tables #else #define V_rt_tables vnet_net_0._rt_tables #endif
Update SYSCTL_V_*() macros to operate either on globals or on fields inside container structs.
Extend the internal kldsym() lookups with the ability to resolve selected fields inside the virtualization container structs. This applies only to the fields which are explicitly registered for kldsym() visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently this is done only in sys/net/if.c.
Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code, and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in turn result in proper code being generated depending on VIMAGE_GLOBALS.
De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c which were prematurely V_irtualized by automated V_ prepending scripts during earlier merging steps. PF virtualization will be done separately, most probably after next PF import.
Convert a few variable initializations at instantiation to initialization in init functions, most notably in ipfw. Also convert TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in initializer functions.
Discussed at: devsummit Strassburg Reviewed by: bz, julian Approved by: julian (mentor) Obtained from: //depot/projects/vimage-commit2/... X-MFC after: never Sponsored by: NLnet Foundation, The FreeBSD Foundation
|
#
179201 |
|
22-May-2008 |
rwatson |
Consistently check IPFW and DUMMYNET privileges in the configuration routines for those modules, rather than in the raw socket code. This each privilege check to occur in exactly once place and avoids duplicate checks across layers.
MFC after: 3 weeks Sponsored by: nCircle Network Security, Inc.
|
#
176626 |
|
27-Feb-2008 |
dwmalone |
Dummynet has a limit of 100 slots queue size (or 1MB, if you give the limit in bytes) hard coded into both the kernel and userland. Make both these limits a sysctl, so it is easy to change the limit. If the userland part of ipfw finds that the sysctls don't exist, it will just fall back to the traditional limits.
(100 packets is quite a small limit these days. If you want to test TCP at 100Mbps, 100 packets can only accommodate a DBP of 12ms.)
Note these sysctls in the man page and warn against increasing them without thinking first.
MFC after: 3 weeks
|
#
174893 |
|
25-Dec-2007 |
oleg |
Workaround p->numbytes overflow, which can result in infinite loop inside dummynet module (prerequisite is using queues with "fat" pipe).
PR: kern/113548
|
#
173706 |
|
17-Nov-2007 |
oleg |
- New sysctl variable: net.inet.ip.dummynet.io_fast If it is set to zero value (default) dummynet module will try to emulate real link as close as possible (bandwidth & latency): packet will not leave pipe faster than it should be on real link with given bandwidth. (This is original behaviour of dummynet which was altered in previous commit) If it is set to non-zero value only bandwidth is enforced: packet's latency can be lower comparing to real link with given bandwidth.
- Document recently introduced dummynet(4) sysctl variables.
Requested by: luigi, julian MFC after: 3 month
|
#
173399 |
|
06-Nov-2007 |
oleg |
1) dummynet_io() declaration has changed. 2) Alter packet flow inside dummynet: allow certain packets to bypass dummynet scheduler. Benefits are:
- lower latency: if packet flow does not exceed pipe bandwidth, packets will not be (up to tick) delayed (due to dummynet's scheduler granularity). - lower overhead: if packet avoids dummynet scheduler it shouldn't reenter ip stack later. Such packets can be fastforwarded. - recursion (which can lead to kernel stack exhaution) eliminated. This fix long existed panic, which can be triggered this way: kldload dummynet sysctl net.inet.ip.fw.one_pass=0 ipfw pipe 1 config bw 0 for i in `jot 30`; do ipfw add 1 pipe 1 icmp from any to any; done ping -c 1 localhost
3) Three new sysctl nodes are added: net.inet.ip.dummynet.io_pkt - packets passed to dummynet net.inet.ip.dummynet.io_pkt_fast - packets avoided dummynet scheduler net.inet.ip.dummynet.io_pkt_drop - packets dropped by dummynet
P.S. Above comments are true only for layer 3 packets. Layer 2 packet flow is not changed yet.
MFC after: 3 month
|
#
173398 |
|
06-Nov-2007 |
oleg |
style(9) cleanup.
MFC after: 3 month
|
#
172467 |
|
07-Oct-2007 |
silby |
Add FBSDID to all files in netinet so that people can more easily include file version information in bug reports.
Approved by: re (kensmith)
|
#
171744 |
|
06-Aug-2007 |
rwatson |
Remove the now-unused NET_{LOCK,UNLOCK,ASSERT}_GIANT() macros, which previously conditionally acquired Giant based on debug.mpsafenet. As that has now been removed, they are no longer required. Removing them significantly simplifies error-handling in the socket layer, eliminated quite a bit of unwinding of locking in error cases.
While here clean up the now unneeded opt_net.h, which previously was used for the NET_WITH_GIANT kernel option. Clean up some related gotos for consistency.
Reviewed by: bz, csjp Tested by: kris Approved by: re (kensmith)
|
#
171637 |
|
28-Jul-2007 |
rwatson |
Replace references to NET_CALLOUT_MPSAFE with CALLOUT_MPSAFE, and remove definition of NET_CALLOUT_MPSAFE, which is no longer required now that debug.mpsafenet has been removed.
The once over: bz Approved by: re (kensmith)
|
#
170856 |
|
16-Jun-2007 |
mjacob |
Replace incorrect local OFFSET_OF macro with the correct and generic offsetof macro.
|
#
169454 |
|
10-May-2007 |
rwatson |
Move universally to ANSI C function declarations, with relatively consistent style(9)-ish layout.
|
#
163758 |
|
29-Oct-2006 |
oleg |
- Use non-recursive mutex. MTX_RECURSE is unnecessary since rev. 1.70 - Pay respect to net.isr.direct: use netisr_dispatch() instead of ip_input()
Reviewed by: glebius, rwatson
- purge_flow_set(): - Do not leak memory while purging queues which are not bound to pipe. - style(9) cleanup
MFC after: 2 months
|
#
163721 |
|
27-Oct-2006 |
oleg |
- Convert net.inet.ip.dummynet.curr_time net.inet.ip.dummynet.searches net.inet.ip.dummynet.search_steps to SYSCTL_LONG nodes. It will prevent frequent wrap around on 64bit archs.
- Implement simple mechanics for dummynet(4) internal time correction. Under certain circumstances (system high load, dummynet lock contention, etc) dummynet's tick counter can be significantly slower than it should be. (I've observed up to 25% difference on one of my production servers). Since this counter used for packet scheduling, it's accuracy is vital for precise bandwidth limitation.
Introduce new sysctl nodes: net.inet.ip.dummynet. tick_lost - number of ticks coalesced by taskqueue thread. tick_adjustment - number of time corrections done. tick_diff - adjusted vs non-adjusted tick counter difference tick_delta - last vs 'standard' tick differnece (usec). tick_delta_sum - accumulated (and not corrected yet) time difference (usec).
Reviewed by: glebius MFC after: 2 month
|
#
163720 |
|
27-Oct-2006 |
oleg |
Use separate thread for servicing dummynet(4). Utilize taskqueue(9) API.
Submitted by: glebius MFC after: 2 month
|
#
163717 |
|
27-Oct-2006 |
oleg |
style(9) cleanup.
MFC after: 2 month
|
#
159397 |
|
08-Jun-2006 |
oleg |
Fix following rules: pipe X (tag|altq) Y ...
Approved by: glebius (mentor) MFC after: 2 weeks
|
#
155861 |
|
20-Feb-2006 |
ume |
Obey opt_inet6.h in kernel build directory.
Reported by: Peter Losher <plosher-keyword-freebsd.a36e57__at__plosh.net> MFC after: 3 days
|
#
155659 |
|
14-Feb-2006 |
ru |
When sending a packet from dummynet, indicate that we're forwarding it so that ip_id etc. don't get overwritten. This fixes forwarding of fragmented IP packets through a dummynet pipe -- fragments came out with modified and different(!) ip_id's, making it impossible to reassemble a datagram at the receiver side.
Submitted by: Alexander Karptsov (reworked by me) MFC after: 3 days
|
#
155248 |
|
03-Feb-2006 |
glebius |
Dropping the lock in the transmit_event() is not safe, because we store some pipe pointers on stack. If user reconfigures dummynet in the interlock gap, we can work with freed pipes after relock.
To fix this, we decided not to send packets in transmit_event(), but fill a queue. At the end of dummynet() and dummynet_io(), after the lock is dropped, if there is something in the queue we run dummynet_send() to process the queue.
In collaboration with: ru
|
#
155245 |
|
03-Feb-2006 |
glebius |
Axe unused function.
|
#
152910 |
|
28-Nov-2005 |
glebius |
First step in removing welding between ipfw(4) and dummynet.
o Do not use ipfw_insn_pipe->pipe_ptr in locate_flowset(). The _ipfw_insn_pipe isn't touched by this commit to preserve ABI compatibility. o To optimize the lookup of the pipe/flowset in locate_flowset() introduce hashes for pipes and queues: - To preserve ABI compatibility utilize the place of global list pointer for SLIST_ENTRY. - Introduce locate_flowset(queue nr) and locate_pipe(pipe nr). o Rework all the dummynet code to deal with the hashes, not global lists. Also did some style(9) changes in the code blocks that were touched by this sweep: - Be conservative about flowset and pipe variable names on stack, use "fs" and "pipe" everywhere. - Cleanup whitespaces. - Sort variables. - Give variables more meaningful names. - Uppercase and dots in comments. - ENOMEM when malloc(9) failed.
|
#
150636 |
|
27-Sep-2005 |
mlaier |
Remove bridge(4) from the tree. if_bridge(4) is a full functional replacement and has additional features which make it superior.
Discussed on: -arch Reviewed by: thompsa X-MFC-after: never (RELENG_6 as transition period)
|
#
150350 |
|
19-Sep-2005 |
andre |
Use monotonic 'time_uptime' instead of 'time_second' as timebase for timeouts.
|
#
147205 |
|
09-Jun-2005 |
thompsa |
Add dummynet(4) support to if_bridge, this code is largely based on bridge.c.
This is the final piece to match bridge.c in functionality, we can now be a drop-in replacement.
Approved by: mlaier (mentor)
|
#
145864 |
|
04-May-2005 |
glebius |
IPFW version 2 is the only option in HEAD and RELENG_5. Thus, cleanup unnecessary now ifdefs.
|
#
145268 |
|
19-Apr-2005 |
phk |
Make DUMMYNET compile without INET6
|
#
145246 |
|
18-Apr-2005 |
brooks |
Add IPv6 support to IPFW and Dummynet.
Submitted by: Mariano Tortoriello and Raffaele De Lorenzo (via luigi)
|
#
144693 |
|
05-Apr-2005 |
brooks |
Use ACTION_PTR(r) instead of (r->cmd + r->act_ofs).
Reviewed by: md5
|
#
144691 |
|
05-Apr-2005 |
brooks |
Make dummynet_flush() match its prototype.
|
#
142906 |
|
01-Mar-2005 |
glebius |
Use NET_CALLOUT_MPSAFE macro.
|
#
140345 |
|
16-Jan-2005 |
glebius |
- Reduce number of arguments passed to dummynet_io(), we already have cookie in struct ip_fw_args itself. - Remove redundant &= 0xffff from dummynet_io().
|
#
139823 |
|
06-Jan-2005 |
imp |
/* -> /*- for license, minor formatting changes
|
#
134290 |
|
25-Aug-2004 |
pjd |
Allocate memory when dumping pipes with M_WAITOK flag. On a system with huge number of pipes, M_NOWAIT failes almost always, because of memory fragmentation. My fix is different than the patch proposed by Pawel Malachowski, because in FreeBSD 5.x we cannot sleep while holding dummynet mutex (in 4.x there is no such lock). My fix is also ugly, but there is no easy way to prepare nice and clean fix.
PR: kern/46557 Submitted by: Eugene Grosbein <eugen@grosbein.pp.ru> Reviewed by: mlaier
|
#
133920 |
|
17-Aug-2004 |
andre |
Convert ipfw to use PFIL_HOOKS. This is change is transparent to userland and preserves the ipfw ABI. The ipfw core packet inspection and filtering functions have not been changed, only how ipfw is invoked is different.
However there are many changes how ipfw is and its add-on's are handled:
In general ipfw is now called through the PFIL_HOOKS and most associated magic, that was in ip_input() or ip_output() previously, is now done in ipfw_check_[in|out]() in the ipfw PFIL handler.
IPDIVERT is entirely handled within the ipfw PFIL handlers. A packet to be diverted is checked if it is fragmented, if yes, ip_reass() gets in for reassembly. If not, or all fragments arrived and the packet is complete, divert_packet is called directly. For 'tee' no reassembly attempt is made and a copy of the packet is sent to the divert socket unmodified. The original packet continues its way through ip_input/output().
ipfw 'forward' is done via m_tag's. The ipfw PFIL handlers tag the packet with the new destination sockaddr_in. A check if the new destination is a local IP address is made and the m_flags are set appropriately. ip_input() and ip_output() have some more work to do here. For ip_input() the m_flags are checked and a packet for us is directly sent to the 'ours' section for further processing. Destination changes on the input path are only tagged and the 'srcrt' flag to ip_forward() is set to disable destination checks and ICMP replies at this stage. The tag is going to be handled on output. ip_output() again checks for m_flags and the 'ours' tag. If found, the packet will be dropped back to the IP netisr where it is going to be picked up by ip_input() again and the directly sent to the 'ours' section. When only the destination changes, the route's 'dst' is overwritten with the new destination from the forward m_tag. Then it jumps back at the route lookup again and skips the firewall check because it has been marked with M_SKIP_FIREWALL. ipfw 'forward' has to be compiled into the kernel with 'option IPFIREWALL_FORWARD' to enable it.
DUMMYNET is entirely handled within the ipfw PFIL handlers. A packet for a dummynet pipe or queue is directly sent to dummynet_io(). Dummynet will then inject it back into ip_input/ip_output() after it has served its time. Dummynet packets are tagged and will continue from the next rule when they hit the ipfw PFIL handlers again after re-injection.
BRIDGING and IPFW_ETHER are not changed yet and use ipfw_chk() directly as they did before. Later this will be changed to dedicated ETHER PFIL_HOOKS.
More detailed changes to the code:
conf/files Add netinet/ip_fw_pfil.c.
conf/options Add IPFIREWALL_FORWARD option.
modules/ipfw/Makefile Add ip_fw_pfil.c.
net/bridge.c Disable PFIL_HOOKS if ipfw for bridging is active. Bridging ipfw is still directly invoked to handle layer2 headers and packets would get a double ipfw when run through PFIL_HOOKS as well.
netinet/ip_divert.c Removed divert_clone() function. It is no longer used.
netinet/ip_dummynet.[ch] Neither the route 'ro' nor the destination 'dst' need to be stored while in dummynet transit. Structure members and associated macros are removed.
netinet/ip_fastfwd.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code.
netinet/ip_fw.h Removed 'ro' and 'dst' from struct ip_fw_args.
netinet/ip_fw2.c (Re)moved some global variables and the module handling.
netinet/ip_fw_pfil.c New file containing the ipfw PFIL handlers and module initialization.
netinet/ip_input.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code. ip_forward() does not longer require the 'next_hop' struct sockaddr_in argument. Disable early checks if 'srcrt' is set.
netinet/ip_output.c Removed all direct ipfw handling code and replace it with the new 'ipfw forward' handling code.
netinet/ip_var.h Add ip_reass() as general function. (Used from ipfw PFIL handlers for IPDIVERT.)
netinet/raw_ip.c Directly check if ipfw and dummynet control pointers are active.
netinet/tcp_input.c Rework the 'ipfw forward' to local code to work with the new way of forward tags.
netinet/tcp_sack.c Remove include 'opt_ipfw.h' which is not needed here.
sys/mbuf.h Remove m_claim_next() macro which was exclusively for ipfw 'forward' and is no longer needed.
Approved by: re (scottl)
|
#
132199 |
|
15-Jul-2004 |
phk |
Do a pass over all modules in the kernel and make them return EOPNOTSUPP for unknown events.
A number of modules return EINVAL in this instance, and I have left those alone for now and instead taught MOD_QUIESCE to accept this as "didn't do anything".
|
#
131011 |
|
24-Jun-2004 |
rwatson |
When asserting non-Giant locks in the network stack, also assert Giant if debug.mpsafenet=0, as any points that require synchronization in the SMPng world also required it in the Giant-world:
- inpcb locks (including IPv6) - inpcbinfo locks (including IPv6) - dummynet subsystem lock - ipfw2 subsystem lock
|
#
126513 |
|
02-Mar-2004 |
mlaier |
Add some missing DUMMYNET_UNLOCK() in config_pipe().
Noticed by: Simon Coggins Approved by: bms(mentor)
|
#
126239 |
|
25-Feb-2004 |
mlaier |
Re-remove MT_TAGs. The problems with dummynet have been fixed now.
Tested by: -current, bms(mentor), me Approved by: bms(mentor), sam
|
#
125952 |
|
17-Feb-2004 |
mlaier |
Backout MT_TAG removal (i.e. bring back MT_TAGs) for now, as dummynet is not working properly with the patch in place.
Approved by: bms(mentor)
|
#
125784 |
|
13-Feb-2004 |
mlaier |
This set of changes eliminates the use of MT_TAG "pseudo mbufs", replacing them mostly with packet tags (one case is handled by using an mbuf flag since the linkage between "caller" and "callee" is direct and there's no need to incur the overhead of a packet tag).
This is (mostly) work from: sam
Silence from: -arch Approved by: bms(mentor), sam, rwatson
|
#
123893 |
|
27-Dec-2003 |
maxim |
o Fix a comment: softticks lives in sys/kern/kern_timeout.c.
PR: kern/60613 Submitted by: Gleb Smirnoff MFC after: 3 days
|
#
123169 |
|
06-Dec-2003 |
emax |
Do not panic when flushing dummynet firewall rules
Reviewed by: andre Approved by: re (scottl)
|
#
122966 |
|
23-Nov-2003 |
sam |
Use MPSAFE callouts only when debug.mpsafenet is 1. Both timer routines potentially transmit packets that may enter KAME IPsec w/o Giant if the callouts are marked MPSAFE.
Reviewed by: ume Approved by: re (rwatson)
|
#
122334 |
|
08-Nov-2003 |
sam |
replace explicit changes to rt_refcnt by RT_ADDREF and RT_REMREF macros that expand to include assertions when the system is built with INVARIANTS
Supported by: FreeBSD Foundation
|
#
121816 |
|
31-Oct-2003 |
brooks |
Replace the if_name and if_unit members of struct ifnet with new members if_xname, if_dname, and if_dunit. if_xname is the name of the interface and if_dname/unit are the driver name and instance.
This change paves the way for interface renaming and enhanced pseudo device creation and configuration symantics.
Approved By: re (in principle) Reviewed By: njl, imp Tested On: i386, amd64, sparc64 Obtained From: NetBSD (if_xname)
|
#
121699 |
|
29-Oct-2003 |
sam |
o add locking to protect routing table refcnt manipulations o add some more debugging help for figuring out why folks are getting complaints about releasing routing table entries with a zero refcnt o fix comment that talked about spl's o remove duplicate define of DUMMYNET_DEBUG
Supported by: FreeBSD Foundation
|
#
121140 |
|
16-Oct-2003 |
sam |
Drop dummynet lock when calling back into the network stack to deliver packets. This eliminates a LOR with Giant that caused outbound pipes to fail.
Supported by: FreeBSD Foundation
|
#
120140 |
|
16-Sep-2003 |
sam |
Minor fixups + add locking.
o change time to MPSAFE callout o make debug printfs conditional on DUMMYNET_DEBUG and runtime controllable by net.inet.ip.dummynet.debug o make boot-time printf dependent on bootverbose
Sponsored by: FreeBSD Foundation
|
#
118259 |
|
31-Jul-2003 |
maxim |
o Fix a typo in previous commit.
|
#
118008 |
|
25-Jul-2003 |
maxim |
o Do not overwrite saved interrupt priority level by alloc_hash(), use a separate variable. o Restore interrupt priority level before return (no-op in HEAD).
Spotted by: Don Bowman <don@sandvine.com> MFC after: 5 days
|
#
116982 |
|
28-Jun-2003 |
luigi |
Remove a stale comment, fix indentation.
|
#
116764 |
|
23-Jun-2003 |
luigi |
Fix typo in a (commented out) debugging string.
Spotted by: diff
|
#
115793 |
|
03-Jun-2003 |
ticso |
Change handling to support strong alignment architectures such as alpha and sparc64.
PR: alpha/50658 Submitted by: rizzo Tested on: alpha
|
#
112711 |
|
27-Mar-2003 |
maxim |
Fix indentation.
|
#
112710 |
|
27-Mar-2003 |
maxim |
o Protect set_fs_param() by splimp(9).
Quote from kern/37573:
There is an obvious race in netinet/ip_dummynet.c:config_pipe(). Interrupts are not blocked when changing the params of an existing pipe. The specific crash observed:
... -> config_pipe -> set_fs_parms -> config_red
malloc a new w_q_lookup table but take an interrupt before intializing it, interrupt handler does:
... -> dummynet_io -> red_drops
red_drops dereferences the uninitialized (zeroed) w_q_lookup table.
o Flush accumulated credits for idle pipes. o Flush accumulated credits when change pipe characteristics. o Change dn_flow_queue.numbytes type to unsigned long.
Overlapping dn_flow_queue->numbytes in ready_event() leads to numbytes becomes negative and SET_TICKS() macro returns a very big value. heap_insert() overlaps dn_key again and inserts a queue to a ready heap with a sched_time points to the past. That leads to an "infinity" loop.
PR: kern/33234, kern/37573, misc/42459, kern/43133, kern/44045, kern/48099 Submitted by: Mike Hibler <mike@cs.utah.edu> (kern/37573) MFC after: 6 weeks
|
#
109569 |
|
20-Jan-2003 |
maxim |
De-anonymity a couple of messages I missed in a previous sweep. Move one of them under DEB macro.
Noticed by: Wiktor Niesiobedzki <w@evip.pl>
|
#
108533 |
|
01-Jan-2003 |
schweikh |
Correct typos, mostly s/ a / an / where appropriate. Some whitespace cleanup, especially in troff files.
|
#
108258 |
|
24-Dec-2002 |
maxim |
o De-anonymity dummynet(4) and ipfw(4) messages, prepend them by 'dummynet: ' and 'ipfw: ' prefixes.
PR: kern/41609
|
#
107900 |
|
15-Dec-2002 |
maxim |
o Trim EOL whitespaces.
MFC after: 1 week
|
#
107898 |
|
15-Dec-2002 |
maxim |
o M_DONTWAIT is mbuf(9) flag: malloc(M_DONTWAIT) -> malloc(M_NOWAIT). The bug does not affect anything because M_NOWAIT == M_DONTWAIT.
Reviewed by: luigi MFC after: 1 week
|
#
106935 |
|
14-Nov-2002 |
sam |
track changes to not strip the Ethernet header from input packets
Reviewed by: many Approved by: re
|
#
106846 |
|
13-Nov-2002 |
maxim |
Due to a memory alignment sizeof(struct ipfw_flow_id) is bigger than ipfw_flow_id structure actual size and bcmp(3) may fail to compare them properly. Compare members of these structures instead.
PR: kern/44078 Submitted by: Oleg Bulyzhin <oleg@rinet.ru> Reviewed by: luigi MFC after: 2 weeks
|
#
105194 |
|
15-Oct-2002 |
sam |
Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit ABI/module number cookie o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and use this in defining openbsd-compatible m_tag_find and m_tag_get routines o rewrite KAME use of aux mbufs in terms of packet tags o eliminate the most heavily used aux mbufs by adding an additional struct inpcb parameter to ip_output and ip6_output to allow the IPsec code to locate the security policy to apply to outbound packets o bump __FreeBSD_version so code can be conditionalized o fixup ipfilter's call to ip_output based on __FreeBSD_version
Reviewed by: julian, luigi (silent), -arch, -net, darren Approved by: julian, silence from everyone else Obtained from: openbsd (mostly) MFC after: 1 month
|
#
104975 |
|
12-Oct-2002 |
seanc |
Increase the max dummynet hash size from 1024 to 65536. Default is still 1024.
Silence on: -net, -ipfw 4weeks+ Reviewed by: dd Approved by: knu (mentor) MFC after: 3 weeks
|
#
101927 |
|
15-Aug-2002 |
luigi |
Kernel support for a dummynet option: When a pipe or queue has the "noerror" attribute, do not report drops to the caller (ip_output() and friends). (2 lines to implement it, 2 lines to document it.)
This will let you simulate losses on the sender side as if they happened in the middle of the network, i.e. with no explicit feedback to the sender.
manpage and ipfw2.c changes to follow shortly, together with other ipfw2 changes.
Requested by: silby MFC after: 3 days
|
#
100228 |
|
17-Jul-2002 |
luigi |
Fix a panic when doing "ipfw add pipe 1 log ..."
Also synchronize ip_dummynet.c with the version in RELENG_4 to ease MFC's.
|
#
99642 |
|
09-Jul-2002 |
luigi |
Change one variable to make it easier to switch between ipfw and ipfw2
|
#
99620 |
|
08-Jul-2002 |
luigi |
Forgot to update one field name in one of the latest commits.
|
#
98943 |
|
27-Jun-2002 |
luigi |
The new ipfw code.
This code makes use of variable-size kernel representation of rules (exactly the same concept of BPF instructions, as used in the BSDI's firewall), which makes firewall operation a lot faster, and the code more readable and easier to extend and debug.
The interface with the rest of the system is unchanged, as witnessed by this commit. The only extra kernel files that I am touching are if_fw.h and ip_dummynet.c, which is quite tied to ipfw. In userland I only had to touch those programs which manipulate the internal representation of firewall rules).
The code is almost entirely new (and I believe I have written the vast majority of those sections which were taken from the former ip_fw.c), so rather than modifying the old ip_fw.c I decided to create a new file, sys/netinet/ip_fw2.c . Same for the user interface, which is in sbin/ipfw/ipfw2.c (it still compiles to /sbin/ipfw). The old files are still there, and will be removed in due time.
I have not renamed the header file because it would have required touching a one-line change to a number of kernel files.
In terms of user interface, the new "ipfw" is supposed to accepts the old syntax for ipfw rules (and produce the same output with "ipfw show". Only a couple of the old options (out of some 30 of them) has not been implemented, but they will be soon.
On the other hand, the new code has some very powerful extensions. First, you can put "or" connectives between match fields (and soon also between options), and write things like
ipfw add allow ip from { 1.2.3.4/27 or 5.6.7.8/30 } 10-23,25,1024-3000 to any
This should make rulesets slightly more compact (and lines longer!), by condensing 2 or more of the old rules into single ones.
Also, as an example of how easy the rules can be extended, I have implemented an 'address set' match pattern, where you can specify an IP address in a format like this:
10.20.30.0/26{18,44,33,22,9}
which will match the set of hosts listed in braces belonging to the subnet 10.20.30.0/26 . The match is done using a bitmap, so it is essentially a constant time operation requiring a handful of CPU instructions (and a very small amount of memmory -- for a full /24 subnet, the instruction only consumes 40 bytes).
Again, in this commit I have focused on functionality and tried to minimize changes to the other parts of the system. Some performance improvement can be achieved with minor changes to the interface of ip_fw_chk_t. This will be done later when this code is settled.
The code is meant to compile unmodified on RELENG_4 (once the PACKET_TAG_* changes have been merged), for this reason you will see #ifdef __FreeBSD_version in a couple of places. This should minimize errors when (hopefully soon) it will be time to do the MFC.
|
#
98613 |
|
22-Jun-2002 |
luigi |
Remove (almost all) global variables that were used to hold packet forwarding state ("annotations") during ip processing. The code is considerably cleaner now.
The variables removed by this change are:
ip_divert_cookie used by divert sockets ip_fw_fwd_addr used for transparent ip redirection last_pkt used by dynamic pipes in dummynet
Removal of the first two has been done by carrying the annotations into volatile structs prepended to the mbuf chains, and adding appropriate code to add/remove annotations in the routines which make use of them, i.e. ip_input(), ip_output(), tcp_input(), bdg_forward(), ether_demux(), ether_output_frame(), div_output().
On passing, remove a bug in divert handling of fragmented packet. Now it is the fragment at offset 0 which sets the divert status of the whole packet, whereas formerly it was the last incoming fragment to decide.
Removal of last_pkt required a change in the interface of ip_fw_chk() and dummynet_io(). On passing, use the same mechanism for dummynet annotations and for divert/forward annotations.
option IPFIREWALL_FORWARD is effectively useless, the code to implement it is very small and is now in by default to avoid the obfuscation of conditionally compiled code.
NOTES: * there is at least one global variable left, sro_fwd, in ip_output(). I am not sure if/how this can be removed.
* I have deliberately avoided gratuitous style changes in this commit to avoid cluttering the diffs. Minor stule cleanup will likely be necessary
* this commit only focused on the IP layer. I am sure there is a number of global variables used in the TCP and maybe UDP stack.
* despite the number of files touched, there are absolutely no API's or data structures changed by this commit (except the interfaces of ip_fw_chk() and dummynet_io(), which are internal anyways), so an MFC is quite safe and unintrusive (and desirable, given the improved readability of the code).
MFC after: 10 days
|
#
96511 |
|
13-May-2002 |
luigi |
Add ipfw hooks to ether_demux() and ether_output_frame(). Ipfw processing of frames at layer 2 can be enabled by the sysctl variable
net.link.ether.ipfw=1
Consider this feature experimental, because right now, the firewall is invoked in the places indicated below, and controlled by the sysctl variables listed on the right. As a consequence, a packet can be filtered from 1 to 4 times depending on the path it follows, which might make a ruleset a bit hard to follow.
I will add an ipfw option to tell if we want a given rule to apply to ether_demux() and ether_output_frame(), but we have run out of flags in the struct ip_fw so i need to think a bit on how to implement this.
to upper layers | | +----------->-----------+ ^ V [ip_input] [ip_output] net.inet.ip.fw.enable=1 | | ^ V [ether_demux] [ether_output_frame] net.link.ether.ipfw=1 | | +->- [bdg_forward]-->---+ net.link.ether.bridge_ipfw=1 ^ V | | to devices
|
#
91406 |
|
27-Feb-2002 |
jhb |
Simple p_ucred -> td_ucred changes to start using the per-thread ucred reference.
|
#
86047 |
|
04-Nov-2001 |
luigi |
MFS: sync the ipfw/dummynet/bridge code with the one recently merged into stable (mostly , but not only, formatting and comments changes).
|
#
84516 |
|
05-Oct-2001 |
ps |
Make it so dummynet and bridge can be loaded as modules.
Submitted by: billf
|
#
84058 |
|
27-Sep-2001 |
luigi |
Two main changes here: + implement "limit" rules, which permit to limit the number of sessions between certain host pairs (according to masks). These are a special type of stateful rules, which might be of interest in some cases. See the ipfw manpage for details.
+ merge the list pointers and ipfw rule descriptors in the kernel, so the code is smaller, faster and more readable. This patch basically consists in replacing "foo->rule->bar" with "rule->bar" all over the place. I have been willing to do this for ages!
MFC after: 1 week
|
#
83994 |
|
26-Sep-2001 |
brooks |
Include sys/proc.h for the definition of securelevel_ge().
Submitted by: LINT
|
#
83970 |
|
26-Sep-2001 |
rwatson |
o Modify IPFW and DUMMYNET administrative setsockopt() calls to use securelevel_gt() to check the securelevel, rather than direct access to the securelevel variable.
Obtained from: TrustedBSD Project
|
#
72270 |
|
09-Feb-2001 |
luigi |
Sync with the bridge/dummynet/ipfw code already tested in stable.
In ip_fw.[ch] change a couple of variable and field names to avoid having types, variables and fields with the same name.
|
#
71999 |
|
04-Feb-2001 |
phk |
Mechanical change to use <sys/queue.h> macro API instead of fondling implementation details.
Created with: sed(1) Reviewed by: md5(1)
|
#
71909 |
|
01-Feb-2001 |
luigi |
MFS: bridge/ipfw/dummynet fixes (bridge.c will be committed separately)
|
#
71686 |
|
26-Jan-2001 |
luigi |
Minor cleanups after yesterday's patch. The code (bridging and dummynet) actually worked fine!
|
#
71667 |
|
26-Jan-2001 |
luigi |
Bring dummynet in line with the code that now works in -STABLE. It compiles, but I cannot test functionality yet.
|
#
71395 |
|
22-Jan-2001 |
luigi |
Change critical section protection for dummynet from splnet() to splimp() -- we need it because dummynet can be invoked by the bridging code at splimp().
This should cure the pipe "stalls" that several people have been reporting on -stable while using bridging+dummynet (the problem would not affect routers using dummynet).
|
#
71133 |
|
16-Jan-2001 |
luigi |
Some dummynet patches that I forgot to commit last summer. One of them fixes a potential panic when bridging is used and you run out of mbufs (though i have no idea if the bug has ever hit anyone).
|
#
69781 |
|
08-Dec-2000 |
dwmalone |
Convert more malloc+bzero to malloc+M_ZERO.
Submitted by: josh@zipperup.org Submitted by: Robert Drehmel <robd@gmx.net>
|
#
69099 |
|
23-Nov-2000 |
bmilekic |
Fixup (hopefully) bridging + ipfw + dummynet together...
* Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf header structure, called "pkt," and could consequently pollute the mbuf free list if it was ever passed to m_freem(). The fix involved passing not pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf utility routines.
* Also, for dummynet, in bdg_forward(), made the code copy the ethernet header back into the mbuf (prepended) because the dummynet code that follows expects it to be there but it is, unfortunately for dummynet, passed to bdg_forward as a seperate argument.
PRs: kern/19551 ; misc/21534 ; kern/23010 Submitted by: Thomas Moestl <tmoestl@gmx.net> Reviewed by: bmilekic Approved by: luigi
|
#
63330 |
|
17-Jul-2000 |
luigi |
close PR 19544 - ipfw pipe delete causes panic when no pipes defined
PR: 19544
|
#
61657 |
|
14-Jun-2000 |
luigi |
Fix behaviour of "ipfw pipe show" -- previous code gave ambiguous data to the userland program (kernel operation was safe, anyways).
|
#
61413 |
|
08-Jun-2000 |
luigi |
Implement WF2Q+ in dummynet.
|
#
60938 |
|
26-May-2000 |
jake |
Back out the previous change to the queue(3) interface. It was not discussed and should probably not happen.
Requested by: msmith and others
|
#
60833 |
|
23-May-2000 |
jake |
Change the way that the queue(3) structures are declared; don't assume that the type argument to *_HEAD and *_ENTRY is a struct.
Suggested by: phk Reviewed by: phk Approved by: mdodd
|
#
60536 |
|
14-May-2000 |
archie |
Move code to handle BPF and bridging for incoming Ethernet packets out of the individual drivers and into the common routine ether_input(). Also, remove the (incomplete) hack for matching ethernet headers in the ip_fw code.
The good news: net result of 1016 lines removed, and this should make bridging now work with *all* Ethernet drivers.
The bad news: it's nearly impossible to test every driver, especially for bridging, and I was unable to get much testing help on the mailing lists.
Reviewed by: freebsd-net
|
#
57140 |
|
11-Feb-2000 |
luigi |
Forgot one line: don't try to match flags when looking for a flow.
Approved-by: jordan
|
#
57113 |
|
10-Feb-2000 |
luigi |
Support for stateful (dynamic) ipfw rules. They are very similar to ipfilter's keep-state.
Look at the updated ipfw(8) manpage for details.
Approved-by: jordan
|
#
56991 |
|
04-Feb-2000 |
luigi |
Fix a (mostly harmless) scheduling-in-the-past problem with dummynet (already fixed in -stable, was waiting for Jordan's approval due to the code freeze).
Reported-By: Mike Tancsa Approved-By: Jordan
|
#
55597 |
|
08-Jan-2000 |
luigi |
Implement per-flow queueing. Using a single pipe config rule, now you can dynamically create rate-limited queues for different flows using masks on dst/src IP, port and protocols. Read the ipfw(8) manpage for details and examples.
Restructure the internals of the traffic shaper to use heaps, so that it manages efficiently large number of queues.
Fix a bug which was present in the previous versions which could cause, under certain unfrequent conditions, to send out very large bursts of traffic.
All in all, this new code is much cleaner than the previous one and should also perform better.
Work supported by Akamba Corp.
|
#
55009 |
|
22-Dec-1999 |
shin |
IPSEC support in the kernel. pr_input() routines prototype is also changed to support IPSEC and IPV6 chained protocol headers.
Reviewed by: freebsd-arch, cvs-committers Obtained from: KAME project
|
#
53716 |
|
26-Nov-1999 |
luigi |
RTFREE the correct route entry in dummynet_io(). The previous code failed in handling things like "forward" actions.
Reported-and-tested-by: Jean-Hugues ROYER jhroyer@joher.com
|
#
50477 |
|
27-Aug-1999 |
peter |
$Id$ -> $FreeBSD$
|
#
49988 |
|
17-Aug-1999 |
billf |
Fix a printf() formatter to match its variable.
Reviewed by: bde, luigi
|
#
49628 |
|
11-Aug-1999 |
luigi |
Add spl() protection to remove that the timer is invoked multiple times resulting in higher bandwidth and lower delays. Reported-by: Jamshid Madhavi
|
#
46594 |
|
06-May-1999 |
peter |
Fix two warnings; and note a problem where a pointer is stored in an int variable - this can't work on an Alpha.
|
#
46420 |
|
04-May-1999 |
luigi |
Free the dummynet descriptor in ip_dummynet, not in the called routines. The descriptor contains parameters which could be used within those routines (eg. ip_output() ).
On passing, add IPPROTO_PGM entry to netinet/in.h
|
#
46385 |
|
04-May-1999 |
luigi |
assorted dummynet cleanup: + plug an mbuf leak when dummynet used with bridging + make prototype of dummynet_io consistent with usage + code cleanup so that now bandwidth regulation is precise to the bit/s and not to (8*HZ) bit/s as before.
|
#
45869 |
|
20-Apr-1999 |
peter |
Tidy up some stray / unused stuff in the IPFW package and friends. - unifdef -DCOMPAT_IPFW (this was on by default already) - remove traces of in-kernel ip_nat package, it was never committed. - Make IPFW and DUMMYNET initialize themselves rather than depend on compiled-in hooks in ip_init(). This means they initialize the same way both in-kernel and as kld modules. (IPFW initializes now :-)
|
#
45743 |
|
17-Apr-1999 |
peter |
Convert the dummynet lkm code to be kld aware (this isn't actually used anywhere that I can see).
|
#
45048 |
|
26-Mar-1999 |
luigi |
Use the correct length from the mbuf header instead of the one from the IP header (this would not work for bridged packets). This has been fixed long ago in the 2.2 branch.
Problem noticed by: a few people Fix suggested by: Remy Nonnenmacher
|
#
44993 |
|
24-Mar-1999 |
luigi |
add missing #include "opt_bdg.h"
|
#
43305 |
|
27-Jan-1999 |
dillon |
Fix warnings in preparation for adding -Wall -Wcast-qual to the kernel compile
|
#
42592 |
|
12-Jan-1999 |
eivind |
... _and_ the (void*) casts for %p. Next, I'll forget my own name :-(
|
#
42591 |
|
12-Jan-1999 |
eivind |
Avoid unnecessary GCCism - I hadn't noticed the __unused macro.
|
#
42578 |
|
12-Jan-1999 |
eivind |
* Print pointers using the correct type (%p) instead of %x. * Use the correct type for timeout function. * Add missing #include.
|
#
42516 |
|
11-Jan-1999 |
luigi |
Add a missing bzero which could be the source of instability problems reported recently (the rtentry pointer in the dummynet queue was not initialized in all cases, resulting in spurious rt_refcnt decreases in the lucky cases, and memory trashing in other cases.
|
#
42193 |
|
31-Dec-1998 |
luigi |
Remove some unused variables.
|
#
41793 |
|
14-Dec-1998 |
luigi |
Last bits (i think) of dummynet for -current.
|
#
39119 |
|
12-Sep-1998 |
luigi |
Bring in new files for dummynet support
|