#
685dc743 |
|
16-Aug-2023 |
Warner Losh <imp@FreeBSD.org> |
sys: Remove $FreeBSD$: one-line .c pattern Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/
|
#
3d0d5b21 |
|
23-Jan-2023 |
Justin Hibbits <jhibbits@FreeBSD.org> |
IfAPI: Explicitly include <net/if_private.h> in netstack Summary: In preparation of making if_t completely opaque outside of the netstack, explicitly include the header. <net/if_var.h> will stop including the header in the future. Sponsored by: Juniper Networks, Inc. Reviewed by: glebius, melifaro Differential Revision: https://reviews.freebsd.org/D38200
|
#
dda6376b |
|
08-Sep-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
net: employ newly added pfil_mbuf_{in,out} where approriate Reviewed by: glebius Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D36454
|
#
14c9a2db |
|
02-Sep-2022 |
Mateusz Guzik <mjg@FreeBSD.org> |
net: retire PFIL_FWD It is now unused and not having it allows further clean ups. Reviewed by: cy, glebius, kp Sponsored by: Rubicon Communications, LLC ("Netgate") Differential Revision: https://reviews.freebsd.org/D36452
|
#
662c1305 |
|
01-Sep-2020 |
Mateusz Guzik <mjg@FreeBSD.org> |
net: clean up empty lines in .c and .h files
|
#
9ac7c6cf |
|
14-Apr-2020 |
Alexander V. Chernikov <melifaro@FreeBSD.org> |
Convert IP/IPv6 forwarding, ICMP processing and IP PCB laddr selection to the new routing KPI. Reviewed by: ae Differential Revision: https://reviews.freebsd.org/D24245
|
#
f6428cdb |
|
03-Mar-2020 |
Bjoern A. Zeeb <bz@FreeBSD.org> |
fib6_rte_to_nh_*: return a link-local gw address with scope embedded In fib6_rte_to_nh_* when returning a link-local gateway address currently we do clear the scope. That could be recovered using the ifp returned as well, but the code in general seems to expect a link-local address with scope embeedded as otherwise the "dst" (gw) passed to the output routines will not include scope and not send the packet out (the right interface). Do not clear the scope when returning a link-local address and allow packets to go out (the right interface). Remove the (now) extra scope recovery in the IPv6 fast-fwd code. Sponsored by: Netflix Reviewed by: melifaro, ae MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D23872
|
#
b252313f |
|
31-Jan-2019 |
Gleb Smirnoff <glebius@FreeBSD.org> |
New pfil(9) KPI together with newborn pfil API and control utility. The KPI have been reviewed and cleansed of features that were planned back 20 years ago and never implemented. The pfil(9) internals have been made opaque to protocols with only returned types and function declarations exposed. The KPI is made more strict, but at the same time more extensible, as kernel uses same command structures that userland ioctl uses. In nutshell [KA]PI is about declaring filtering points, declaring filters and linking and unlinking them together. New [KA]PI makes it possible to reconfigure pfil(9) configuration: change order of hooks, rehook filter from one filtering point to a different one, disconnect a hook on output leaving it on input only, prepend/append a filter to existing list of filters. Now it possible for a single packet filter to provide multiple rulesets that may be linked to different points. Think of per-interface ACLs in Cisco or Juniper. None of existing packet filters yet support that, however limited usage is already possible, e.g. default ruleset can be moved to single interface, as soon as interface would pride their filtering points. Another future feature is possiblity to create pfil heads, that provide not an mbuf pointer but just a memory pointer with length. That would allow filtering at very early stages of a packet lifecycle, e.g. when packet has just been received by a NIC and no mbuf was yet allocated. Differential Revision: https://reviews.freebsd.org/D18951
|
#
f9656ee6 |
|
02-May-2018 |
Michael Tuexen <tuexen@FreeBSD.org> |
Send an ICMPv6 PacketTooBig message in case of forwading a packet which is too big for the outgoing interface and no firewall is involed. This problem was introduced in https://svnweb.freebsd.org/changeset/base/324996 Thanks to Irene Ruengeler for finding the bug and testing the fix. Reviewed by: kp@ MFC after: 3 days
|
#
56c989df |
|
13-Apr-2018 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add check that mbuf had not multicast layer2 address. Such packets should be handled by ip6_mforward(). Obtained from: Yandex LLC MFC after: 1 week Sponsored by: Yandex LLC
|
#
effaab88 |
|
23-Mar-2018 |
Kristof Provost <kp@FreeBSD.org> |
netpfil: Introduce PFIL_FWD flag Forwarded packets passed through PFIL_OUT, which made it difficult for firewalls to figure out if they were forwarding or producing packets. This in turn is an issue for pf for IPv6 fragment handling: it needs to call ip6_output() or ip6_forward() to handle the fragments. Figuring out which was difficult (and until now, incorrect). Having pfil distinguish the two removes an ugly piece of code from pf. Introduce a new variant of the netpfil callbacks with a flags variable, which has PFIL_FWD set for forwarded packets. This allows pf to reliably work out if a packet is forwarded. Reviewed by: ae, kevans Differential Revision: https://reviews.freebsd.org/D13715
|
#
a0bf3ee4 |
|
25-Oct-2017 |
Kristof Provost <kp@FreeBSD.org> |
Evaluate packet size after the firewall had its chance in the ip6 fast path Defer the packet size check until after the firewall has had a look at it. This means that the firewall now has the opportunity to (re-)fragment an oversized packet. This mirrors what the slow path does. Reviewed by: ae MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D12779
|
#
5a1842a2 |
|
12-Dec-2016 |
Andrey V. Elsukov <ae@FreeBSD.org> |
Add ip6_tryforward() - a run to completion forwarding implementation for IPv6. It gets performance benefits from reduced number of checks. It doesn't copy mbuf to be able send ICMPv6 error message, because it keeps mbuf unchanged until the moment, when the route decision has been made. It doesn't do IPsec checks, and when some IPsec security policies present, ip6_input() uses normal slow path. Reviewed by: bz, gnn Obtained from: Yandex LLC MFC after: 1 month Sponsored by: Yandex LLC Differential Revision: https://reviews.freebsd.org/D8527
|