2005-01-07 01:45:51 +00:00
|
|
|
/*-
|
1995-10-03 16:54:17 +00:00
|
|
|
* Copyright (c) 1982, 1986, 1988, 1990, 1993, 1995
|
1994-05-24 10:09:53 +00:00
|
|
|
* The Regents of the University of California. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
|
* 4. Neither the name of the University nor the names of its contributors
|
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
|
* without specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
|
*
|
1995-10-03 16:54:17 +00:00
|
|
|
* @(#)tcp_subr.c 8.2 (Berkeley) 5/24/95
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
|
2007-10-07 20:44:24 +00:00
|
|
|
#include <sys/cdefs.h>
|
|
|
|
|
__FBSDID("$FreeBSD$");
|
|
|
|
|
|
1998-01-25 04:23:33 +00:00
|
|
|
#include "opt_compat.h"
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#include "opt_inet.h"
|
1999-12-07 17:39:16 +00:00
|
|
|
#include "opt_inet6.h"
|
2000-01-15 14:56:38 +00:00
|
|
|
#include "opt_ipsec.h"
|
2002-07-31 19:06:49 +00:00
|
|
|
#include "opt_mac.h"
|
1997-09-16 18:36:06 +00:00
|
|
|
#include "opt_tcpdebug.h"
|
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
|
#include <sys/systm.h>
|
1999-08-30 21:17:07 +00:00
|
|
|
#include <sys/callout.h>
|
1995-11-09 20:23:09 +00:00
|
|
|
#include <sys/kernel.h>
|
|
|
|
|
#include <sys/sysctl.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/malloc.h>
|
|
|
|
|
#include <sys/mbuf.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <sys/domain.h>
|
|
|
|
|
#endif
|
2006-11-06 13:42:10 +00:00
|
|
|
#include <sys/priv.h>
|
1999-07-11 18:32:46 +00:00
|
|
|
#include <sys/proc.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <sys/socketvar.h>
|
|
|
|
|
#include <sys/protosw.h>
|
2001-04-17 18:08:01 +00:00
|
|
|
#include <sys/random.h>
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
#include <sys/vimage.h>
|
1998-03-28 10:18:26 +00:00
|
|
|
|
2002-03-20 05:48:55 +00:00
|
|
|
#include <vm/uma.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
|
|
|
|
|
#include <net/route.h>
|
|
|
|
|
#include <net/if.h>
|
|
|
|
|
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <netinet/in_systm.h>
|
|
|
|
|
#include <netinet/ip.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netinet/ip6.h>
|
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/in_pcb.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netinet6/in6_pcb.h>
|
|
|
|
|
#endif
|
1995-03-16 18:17:34 +00:00
|
|
|
#include <netinet/in_var.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/ip_var.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netinet6/ip6_var.h>
|
2005-07-25 12:31:43 +00:00
|
|
|
#include <netinet6/scope6_var.h>
|
2003-11-20 20:07:39 +00:00
|
|
|
#include <netinet6/nd6.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif
|
2005-04-21 14:29:34 +00:00
|
|
|
#include <netinet/ip_icmp.h>
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/tcp.h>
|
|
|
|
|
#include <netinet/tcp_fsm.h>
|
|
|
|
|
#include <netinet/tcp_seq.h>
|
|
|
|
|
#include <netinet/tcp_timer.h>
|
|
|
|
|
#include <netinet/tcp_var.h>
|
2007-07-27 00:57:06 +00:00
|
|
|
#include <netinet/tcp_syncache.h>
|
2007-12-18 22:59:07 +00:00
|
|
|
#include <netinet/tcp_offload.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netinet6/tcp6_var.h>
|
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
#include <netinet/tcpip.h>
|
1995-02-09 23:13:27 +00:00
|
|
|
#ifdef TCPDEBUG
|
|
|
|
|
#include <netinet/tcp_debug.h>
|
|
|
|
|
#endif
|
2008-12-02 21:37:28 +00:00
|
|
|
#include <netinet/vinet.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
#include <netinet6/ip6protosw.h>
|
2008-12-02 21:37:28 +00:00
|
|
|
#include <netinet6/vinet6.h>
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2007-07-03 12:13:45 +00:00
|
|
|
#ifdef IPSEC
|
2002-10-16 02:25:05 +00:00
|
|
|
#include <netipsec/ipsec.h>
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#include <netipsec/xform.h>
|
2002-10-16 02:25:05 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#include <netipsec/ipsec6.h>
|
|
|
|
|
#endif
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#include <netipsec/key.h>
|
2008-09-13 17:26:46 +00:00
|
|
|
#include <sys/syslog.h>
|
2007-07-03 12:13:45 +00:00
|
|
|
#endif /*IPSEC*/
|
2002-10-16 02:25:05 +00:00
|
|
|
|
2000-03-27 19:14:27 +00:00
|
|
|
#include <machine/in_cksum.h>
|
2001-08-22 00:58:16 +00:00
|
|
|
#include <sys/md5.h>
|
2000-03-27 19:14:27 +00:00
|
|
|
|
2006-10-22 11:52:19 +00:00
|
|
|
#include <security/mac/mac_framework.h>
|
|
|
|
|
|
2008-11-19 09:39:34 +00:00
|
|
|
#ifdef VIMAGE_GLOBALS
|
|
|
|
|
int tcp_mssdflt;
|
1999-11-05 14:41:39 +00:00
|
|
|
#ifdef INET6
|
2008-11-19 09:39:34 +00:00
|
|
|
int tcp_v6mssdflt;
|
|
|
|
|
#endif
|
|
|
|
|
int tcp_minmss;
|
|
|
|
|
int tcp_do_rfc1323;
|
|
|
|
|
static int icmp_may_rst;
|
|
|
|
|
static int tcp_isn_reseed_interval;
|
|
|
|
|
static int tcp_inflight_enable;
|
|
|
|
|
static int tcp_inflight_rttthresh;
|
|
|
|
|
static int tcp_inflight_min;
|
|
|
|
|
static int tcp_inflight_max;
|
|
|
|
|
static int tcp_inflight_stab;
|
2008-09-07 14:44:55 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
sysctl_net_inet_tcp_mss_check(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
2008-11-26 22:32:07 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2008-09-07 14:44:55 +00:00
|
|
|
int error, new;
|
|
|
|
|
|
2008-09-07 15:20:21 +00:00
|
|
|
new = V_tcp_mssdflt;
|
2008-09-07 14:44:55 +00:00
|
|
|
error = sysctl_handle_int(oidp, &new, 0, req);
|
|
|
|
|
if (error == 0 && req->newptr) {
|
|
|
|
|
if (new < TCP_MINMSS)
|
|
|
|
|
error = EINVAL;
|
|
|
|
|
else
|
2008-09-07 15:20:21 +00:00
|
|
|
V_tcp_mssdflt = new;
|
2008-09-07 14:44:55 +00:00
|
|
|
}
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-26 22:32:07 +00:00
|
|
|
SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_MSSDFLT, mssdflt,
|
|
|
|
|
CTLTYPE_INT|CTLFLAG_RW, tcp_mssdflt, 0,
|
|
|
|
|
&sysctl_net_inet_tcp_mss_check, "I",
|
|
|
|
|
"Default TCP Maximum Segment Size");
|
2008-09-07 14:44:55 +00:00
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
static int
|
|
|
|
|
sysctl_net_inet_tcp_mss_v6_check(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
2008-12-11 16:05:07 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2008-09-07 14:44:55 +00:00
|
|
|
int error, new;
|
|
|
|
|
|
2008-09-07 15:20:21 +00:00
|
|
|
new = V_tcp_v6mssdflt;
|
2008-09-07 14:44:55 +00:00
|
|
|
error = sysctl_handle_int(oidp, &new, 0, req);
|
|
|
|
|
if (error == 0 && req->newptr) {
|
|
|
|
|
if (new < TCP_MINMSS)
|
|
|
|
|
error = EINVAL;
|
|
|
|
|
else
|
2008-09-07 15:20:21 +00:00
|
|
|
V_tcp_v6mssdflt = new;
|
2008-09-07 14:44:55 +00:00
|
|
|
}
|
|
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
2008-11-26 22:32:07 +00:00
|
|
|
SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_V6MSSDFLT, v6mssdflt,
|
|
|
|
|
CTLTYPE_INT|CTLFLAG_RW, tcp_v6mssdflt, 0,
|
|
|
|
|
&sysctl_net_inet_tcp_mss_v6_check, "I",
|
|
|
|
|
"Default TCP Maximum Segment Size for IPv6");
|
1999-11-05 14:41:39 +00:00
|
|
|
#endif
|
|
|
|
|
|
2004-01-08 17:40:07 +00:00
|
|
|
/*
|
|
|
|
|
* Minimum MSS we accept and use. This prevents DoS attacks where
|
|
|
|
|
* we are forced to a ridiculous low MSS like 20 and send hundreds
|
|
|
|
|
* of packets instead of one. The effect scales with the available
|
|
|
|
|
* bandwidth and quickly saturates the CPU and network interface
|
|
|
|
|
* with packet generation and sending. Set to zero to disable MINMSS
|
|
|
|
|
* checking. This setting prevents us from sending too small packets.
|
|
|
|
|
*/
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, minmss,
|
|
|
|
|
CTLFLAG_RW, tcp_minmss , 0, "Minmum TCP Maximum Segment Size");
|
2004-01-08 17:40:07 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, TCPCTL_DO_RFC1323, rfc1323,
|
|
|
|
|
CTLFLAG_RW, tcp_do_rfc1323, 0,
|
|
|
|
|
"Enable rfc1323 (high performance TCP) extensions");
|
1995-11-14 20:34:56 +00:00
|
|
|
|
2007-10-05 22:39:44 +00:00
|
|
|
static int tcp_log_debug = 0;
|
2007-07-28 12:20:39 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, log_debug, CTLFLAG_RW,
|
|
|
|
|
&tcp_log_debug, 0, "Log errors caused by incoming TCP segments");
|
|
|
|
|
|
1999-08-26 19:52:17 +00:00
|
|
|
static int tcp_tcbhashsize = 0;
|
2003-10-21 18:28:36 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, tcbhashsize, CTLFLAG_RDTUN,
|
2007-03-19 19:00:51 +00:00
|
|
|
&tcp_tcbhashsize, 0, "Size of TCP control-block hashtable");
|
1999-08-26 19:52:17 +00:00
|
|
|
|
1999-12-28 23:18:33 +00:00
|
|
|
static int do_tcpdrain = 1;
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp, OID_AUTO, do_tcpdrain, CTLFLAG_RW, &do_tcpdrain, 0,
|
2007-03-19 19:00:51 +00:00
|
|
|
"Enable tcp_drain routine for extra help when low on mbufs");
|
1999-12-28 23:18:33 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, pcbcount,
|
Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option.
Make VIMAGE_GLOBALS a new compile-time option, which by default will not
be defined, resulting in instatiations of global variables selected for
V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be
effectively compiled out. Instantiate new global container structures
to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0,
vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.
Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_
macros resolve either to the original globals, or to fields inside
container structures, i.e. effectively
#ifdef VIMAGE_GLOBALS
#define V_rt_tables rt_tables
#else
#define V_rt_tables vnet_net_0._rt_tables
#endif
Update SYSCTL_V_*() macros to operate either on globals or on fields
inside container structs.
Extend the internal kldsym() lookups with the ability to resolve
selected fields inside the virtualization container structs. This
applies only to the fields which are explicitly registered for kldsym()
visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently
this is done only in sys/net/if.c.
Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code,
and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in
turn result in proper code being generated depending on VIMAGE_GLOBALS.
De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c
which were prematurely V_irtualized by automated V_ prepending scripts
during earlier merging steps. PF virtualization will be done
separately, most probably after next PF import.
Convert a few variable initializations at instantiation to
initialization in init functions, most notably in ipfw. Also convert
TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in
initializer functions.
Discussed at: devsummit Strassburg
Reviewed by: bz, julian
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-12-10 23:12:39 +00:00
|
|
|
CTLFLAG_RD, tcbinfo.ipi_count, 0, "Number of active PCBs");
|
1998-05-15 20:11:40 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, icmp_may_rst,
|
|
|
|
|
CTLFLAG_RW, icmp_may_rst, 0,
|
2001-02-23 20:51:46 +00:00
|
|
|
"Certain ICMP unreachable messages may abort connections in SYN_SENT");
|
We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.
rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.
quote begin.
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
quote end.
I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.
When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.
The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.
I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.
PR: 23086
Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp, OID_AUTO, isn_reseed_interval,
|
|
|
|
|
CTLFLAG_RW, tcp_isn_reseed_interval, 0,
|
|
|
|
|
"Seconds between reseeding of ISN secret");
|
2001-07-08 02:20:47 +00:00
|
|
|
|
2002-08-17 18:26:02 +00:00
|
|
|
/*
|
2004-08-16 18:32:07 +00:00
|
|
|
* TCP bandwidth limiting sysctls. Note that the default lower bound of
|
|
|
|
|
* 1024 exists only for debugging. A good production default would be
|
2002-08-17 18:26:02 +00:00
|
|
|
* something like 6100.
|
|
|
|
|
*/
|
2004-08-03 13:54:11 +00:00
|
|
|
SYSCTL_NODE(_net_inet_tcp, OID_AUTO, inflight, CTLFLAG_RW, 0,
|
|
|
|
|
"TCP inflight data limiting");
|
|
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, enable,
|
|
|
|
|
CTLFLAG_RW, tcp_inflight_enable, 0,
|
|
|
|
|
"Enable automatic TCP inflight data limiting");
|
2002-08-17 18:26:02 +00:00
|
|
|
|
2002-10-10 21:41:30 +00:00
|
|
|
static int tcp_inflight_debug = 0;
|
2004-08-03 13:54:11 +00:00
|
|
|
SYSCTL_INT(_net_inet_tcp_inflight, OID_AUTO, debug, CTLFLAG_RW,
|
2002-08-17 18:26:02 +00:00
|
|
|
&tcp_inflight_debug, 0, "Debug TCP inflight calculations");
|
|
|
|
|
|
2008-11-26 22:32:07 +00:00
|
|
|
SYSCTL_V_PROC(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, rttthresh,
|
|
|
|
|
CTLTYPE_INT|CTLFLAG_RW, tcp_inflight_rttthresh, 0, sysctl_msec_to_ticks,
|
|
|
|
|
"I", "RTT threshold below which inflight will deactivate itself");
|
2006-02-16 19:38:07 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, min,
|
|
|
|
|
CTLFLAG_RW, tcp_inflight_min, 0, "Lower-bound for TCP inflight window");
|
2002-08-17 18:26:02 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, max,
|
|
|
|
|
CTLFLAG_RW, tcp_inflight_max, 0, "Upper-bound for TCP inflight window");
|
2004-08-03 13:54:11 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
SYSCTL_V_INT(V_NET, vnet_inet, _net_inet_tcp_inflight, OID_AUTO, stab,
|
|
|
|
|
CTLFLAG_RW, tcp_inflight_stab, 0,
|
|
|
|
|
"Inflight Algorithm Stabilization 20 = 2 packets");
|
2002-08-17 18:26:02 +00:00
|
|
|
|
2004-06-23 21:04:37 +00:00
|
|
|
uma_zone_t sack_hole_zone;
|
|
|
|
|
|
2002-06-14 08:35:21 +00:00
|
|
|
static struct inpcb *tcp_notify(struct inpcb *, int);
|
2004-04-20 06:33:39 +00:00
|
|
|
static void tcp_isn_tick(void *);
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1995-04-09 01:29:31 +00:00
|
|
|
/*
|
Improved connection establishment performance by doing local port lookups via
a hashed port list. In the new scheme, in_pcblookup() goes away and is
replaced by a new routine, in_pcblookup_local() for doing the local port
check. Note that this implementation is space inefficient in that the PCB
struct is now too large to fit into 128 bytes. I might deal with this in the
future by using the new zone allocator, but I wanted these changes to be
extensively tested in their current form first.
Also:
1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash()
to do the initialial hash insertion.
3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
4) Added a new routine, in_pcbremlists() to remove the PCB from the various
hash lists.
5) Added/deleted comments where appropriate.
6) Removed unnecessary splnet() locking. In general, the PCB functions should
be called at splnet()...there are unfortunately a few exceptions, however.
7) Reorganized a few structs for better cache line behavior.
8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in
the future, however.
These changes have been tested on wcarchive for more than a month. In tests
done here, connection establishment overhead is reduced by more than 50
times, thus getting rid of one of the major networking scalability problems.
Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a
large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.
WARNING: Anything that knows about inpcb and tcpcb structs will have to be
recompiled; at the very least, this includes netstat(1).
1998-01-27 09:15:13 +00:00
|
|
|
* Target size of TCP PCB hash tables. Must be a power of two.
|
1999-02-03 08:59:30 +00:00
|
|
|
*
|
|
|
|
|
* Note that this can be overridden by the kernel environment
|
|
|
|
|
* variable net.inet.tcp.tcbhashsize
|
1995-04-09 01:29:31 +00:00
|
|
|
*/
|
|
|
|
|
#ifndef TCBHASHSIZE
|
Improved connection establishment performance by doing local port lookups via
a hashed port list. In the new scheme, in_pcblookup() goes away and is
replaced by a new routine, in_pcblookup_local() for doing the local port
check. Note that this implementation is space inefficient in that the PCB
struct is now too large to fit into 128 bytes. I might deal with this in the
future by using the new zone allocator, but I wanted these changes to be
extensively tested in their current form first.
Also:
1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash()
to do the initialial hash insertion.
3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
4) Added a new routine, in_pcbremlists() to remove the PCB from the various
hash lists.
5) Added/deleted comments where appropriate.
6) Removed unnecessary splnet() locking. In general, the PCB functions should
be called at splnet()...there are unfortunately a few exceptions, however.
7) Reorganized a few structs for better cache line behavior.
8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in
the future, however.
These changes have been tested on wcarchive for more than a month. In tests
done here, connection establishment overhead is reduced by more than 50
times, thus getting rid of one of the major networking scalability problems.
Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a
large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.
WARNING: Anything that knows about inpcb and tcpcb structs will have to be
recompiled; at the very least, this includes netstat(1).
1998-01-27 09:15:13 +00:00
|
|
|
#define TCBHASHSIZE 512
|
1995-04-09 01:29:31 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1998-03-24 18:06:34 +00:00
|
|
|
/*
|
2003-02-19 22:32:43 +00:00
|
|
|
* XXX
|
|
|
|
|
* Callouts should be moved into struct tcp directly. They are currently
|
2003-12-17 16:12:01 +00:00
|
|
|
* separate because the tcpcb structure is exported to userland for sysctl
|
2003-02-19 22:32:43 +00:00
|
|
|
* parsing purposes, which do not know about callouts.
|
1998-03-24 18:06:34 +00:00
|
|
|
*/
|
2007-04-11 09:45:16 +00:00
|
|
|
struct tcpcb_mem {
|
|
|
|
|
struct tcpcb tcb;
|
2007-09-24 05:26:24 +00:00
|
|
|
struct tcp_timer tt;
|
2003-02-19 22:32:43 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static uma_zone_t tcpcb_zone;
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
MALLOC_DEFINE(M_TCPLOG, "tcplog", "TCP address and flags print buffers");
|
2004-04-20 06:33:39 +00:00
|
|
|
struct callout isn_callout;
|
2006-04-22 19:23:24 +00:00
|
|
|
static struct mtx isn_mtx;
|
1998-03-24 18:06:34 +00:00
|
|
|
|
2006-04-23 12:27:42 +00:00
|
|
|
#define ISN_LOCK_INIT() mtx_init(&isn_mtx, "isn_mtx", NULL, MTX_DEF)
|
|
|
|
|
#define ISN_LOCK() mtx_lock(&isn_mtx)
|
|
|
|
|
#define ISN_UNLOCK() mtx_unlock(&isn_mtx)
|
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
2006-04-03 12:59:27 +00:00
|
|
|
* TCP initialization.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2006-04-21 09:25:40 +00:00
|
|
|
static void
|
|
|
|
|
tcp_zone_change(void *tag)
|
|
|
|
|
{
|
|
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
|
2006-04-21 09:25:40 +00:00
|
|
|
uma_zone_set_max(tcpcb_zone, maxsockets);
|
2007-05-13 22:16:13 +00:00
|
|
|
tcp_tw_zone_change();
|
2006-04-21 09:25:40 +00:00
|
|
|
}
|
|
|
|
|
|
2006-07-18 22:34:27 +00:00
|
|
|
static int
|
|
|
|
|
tcp_inpcb_init(void *mem, int size, int flags)
|
|
|
|
|
{
|
2006-12-30 17:53:28 +00:00
|
|
|
struct inpcb *inp = mem;
|
|
|
|
|
|
2006-07-18 22:34:27 +00:00
|
|
|
INP_LOCK_INIT(inp, "inp", "tcpinp");
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_init(void)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2008-11-19 09:39:34 +00:00
|
|
|
int hashsize;
|
|
|
|
|
|
|
|
|
|
V_blackhole = 0;
|
|
|
|
|
V_tcp_delack_enabled = 1;
|
|
|
|
|
V_drop_synfin = 0;
|
|
|
|
|
V_tcp_do_rfc3042 = 1;
|
|
|
|
|
V_tcp_do_rfc3390 = 1;
|
|
|
|
|
V_tcp_do_ecn = 0;
|
|
|
|
|
V_tcp_ecn_maxretries = 1;
|
|
|
|
|
V_tcp_insecure_rst = 0;
|
|
|
|
|
V_tcp_do_autorcvbuf = 1;
|
|
|
|
|
V_tcp_autorcvbuf_inc = 16*1024;
|
|
|
|
|
V_tcp_autorcvbuf_max = 256*1024;
|
|
|
|
|
|
|
|
|
|
V_tcp_mssdflt = TCP_MSS;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
V_tcp_v6mssdflt = TCP6_MSS;
|
|
|
|
|
#endif
|
|
|
|
|
V_tcp_minmss = TCP_MINMSS;
|
|
|
|
|
V_tcp_do_rfc1323 = 1;
|
|
|
|
|
V_icmp_may_rst = 1;
|
|
|
|
|
V_tcp_isn_reseed_interval = 0;
|
|
|
|
|
V_tcp_inflight_enable = 1;
|
|
|
|
|
V_tcp_inflight_min = 6144;
|
|
|
|
|
V_tcp_inflight_max = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
|
|
|
V_tcp_inflight_stab = 20;
|
|
|
|
|
|
|
|
|
|
V_path_mtu_discovery = 1;
|
|
|
|
|
V_ss_fltsz = 1;
|
|
|
|
|
V_ss_fltsz_local = 4;
|
|
|
|
|
V_tcp_do_newreno = 1;
|
|
|
|
|
V_tcp_do_tso = 1;
|
|
|
|
|
V_tcp_do_autosndbuf = 1;
|
|
|
|
|
V_tcp_autosndbuf_inc = 8*1024;
|
|
|
|
|
V_tcp_autosndbuf_max = 256*1024;
|
|
|
|
|
|
|
|
|
|
V_nolocaltimewait = 0;
|
|
|
|
|
|
|
|
|
|
V_tcp_do_sack = 1;
|
|
|
|
|
V_tcp_sack_maxholes = 128;
|
|
|
|
|
V_tcp_sack_globalmaxholes = 65536;
|
|
|
|
|
V_tcp_sack_globalholes = 0;
|
2004-08-16 18:32:07 +00:00
|
|
|
|
1999-08-30 21:17:07 +00:00
|
|
|
tcp_delacktime = TCPTV_DELACK;
|
|
|
|
|
tcp_keepinit = TCPTV_KEEP_INIT;
|
|
|
|
|
tcp_keepidle = TCPTV_KEEP_IDLE;
|
|
|
|
|
tcp_keepintvl = TCPTV_KEEPINTVL;
|
|
|
|
|
tcp_maxpersistidle = TCPTV_KEEP_IDLE;
|
|
|
|
|
tcp_msl = TCPTV_MSL;
|
2002-07-18 19:06:12 +00:00
|
|
|
tcp_rexmit_min = TCPTV_MIN;
|
Change TCPTV_MIN to be independent of HZ. While it was documented to
be in ticks "for algorithm stability" when originally committed, it turns
out that it has a significant impact in timing out connections. When we
changed HZ from 100 to 1000, this had a big effect on reducing the time
before dropping connections.
To demonstrate, boot with kern.hz=100. ssh to a box on local ethernet
and establish a reliable round-trip-time (ie: type a few commands).
Then unplug the ethernet and press a key. Time how long it takes to
drop the connection.
The old behavior (with hz=100) caused the connection to typically drop
between 90 and 110 seconds of getting no response.
Now boot with kern.hz=1000 (default). The same test causes the ssh session
to drop after just 9-10 seconds. This is a big deal on a wifi connection.
With kern.hz=1000, change sysctl net.inet.tcp.rexmit_min from 3 to 30.
Note how it behaves the same as when HZ was 100. Also, note that when
booting with hz=100, net.inet.tcp.rexmit_min *used* to be 30.
This commit changes TCPTV_MIN to be scaled with hz. rexmit_min should
always be about 30. If you set hz to Really Slow(TM), there is a safety
feature to prevent a value of 0 being used.
This may be revised in the future, but for the time being, it restores the
old, pre-hz=1000 behavior, which is significantly less annoying.
As a workaround, to avoid rebooting or rebuilding a kernel, you can run
"sysctl net.inet.tcp.rexmit_min=30" and add "net.inet.tcp.rexmit_min=30"
to /etc/sysctl.conf. This is safe to run from 6.0 onwards.
Approved by: re (rwatson)
Reviewed by: andre, silby
2007-07-31 22:11:55 +00:00
|
|
|
if (tcp_rexmit_min < 1)
|
|
|
|
|
tcp_rexmit_min = 1;
|
2002-07-18 19:06:12 +00:00
|
|
|
tcp_rexmit_slop = TCPTV_CPU_VAR;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcp_inflight_rttthresh = TCPTV_INFLIGHT_RTTTHRESH;
|
2007-02-26 22:25:21 +00:00
|
|
|
tcp_finwait2_timeout = TCPTV_FINWAIT2_TIMEOUT;
|
1999-08-30 21:17:07 +00:00
|
|
|
|
Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option.
Make VIMAGE_GLOBALS a new compile-time option, which by default will not
be defined, resulting in instatiations of global variables selected for
V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be
effectively compiled out. Instantiate new global container structures
to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0,
vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.
Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_
macros resolve either to the original globals, or to fields inside
container structures, i.e. effectively
#ifdef VIMAGE_GLOBALS
#define V_rt_tables rt_tables
#else
#define V_rt_tables vnet_net_0._rt_tables
#endif
Update SYSCTL_V_*() macros to operate either on globals or on fields
inside container structs.
Extend the internal kldsym() lookups with the ability to resolve
selected fields inside the virtualization container structs. This
applies only to the fields which are explicitly registered for kldsym()
visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently
this is done only in sys/net/if.c.
Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code,
and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in
turn result in proper code being generated depending on VIMAGE_GLOBALS.
De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c
which were prematurely V_irtualized by automated V_ prepending scripts
during earlier merging steps. PF virtualization will be done
separately, most probably after next PF import.
Convert a few variable initializations at instantiation to
initialization in init functions, most notably in ipfw. Also convert
TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in
initializer functions.
Discussed at: devsummit Strassburg
Reviewed by: bz, julian
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-12-10 23:12:39 +00:00
|
|
|
TUNABLE_INT_FETCH("net.inet.tcp.sack.enable", &V_tcp_do_sack);
|
|
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_LOCK_INIT(&V_tcbinfo, "tcp");
|
|
|
|
|
LIST_INIT(&V_tcb);
|
|
|
|
|
V_tcbinfo.ipi_listhead = &V_tcb;
|
2008-11-19 09:39:34 +00:00
|
|
|
hashsize = TCBHASHSIZE;
|
2001-06-08 05:24:21 +00:00
|
|
|
TUNABLE_INT_FETCH("net.inet.tcp.tcbhashsize", &hashsize);
|
1999-02-04 03:27:43 +00:00
|
|
|
if (!powerof2(hashsize)) {
|
1999-02-03 08:59:30 +00:00
|
|
|
printf("WARNING: TCB hash size not a power of 2\n");
|
|
|
|
|
hashsize = 512; /* safe default */
|
|
|
|
|
}
|
1999-08-26 19:52:17 +00:00
|
|
|
tcp_tcbhashsize = hashsize;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcbinfo.ipi_hashbase = hashinit(hashsize, M_PCB,
|
|
|
|
|
&V_tcbinfo.ipi_hashmask);
|
|
|
|
|
V_tcbinfo.ipi_porthashbase = hashinit(hashsize, M_PCB,
|
|
|
|
|
&V_tcbinfo.ipi_porthashmask);
|
|
|
|
|
V_tcbinfo.ipi_zone = uma_zcreate("inpcb", sizeof(struct inpcb),
|
2006-07-18 22:34:27 +00:00
|
|
|
NULL, NULL, tcp_inpcb_init, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
uma_zone_set_max(V_tcbinfo.ipi_zone, maxsockets);
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
#define TCP_MINPROTOHDR (sizeof(struct ip6_hdr) + sizeof(struct tcphdr))
|
|
|
|
|
#else /* INET6 */
|
|
|
|
|
#define TCP_MINPROTOHDR (sizeof(struct tcpiphdr))
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
if (max_protohdr < TCP_MINPROTOHDR)
|
|
|
|
|
max_protohdr = TCP_MINPROTOHDR;
|
|
|
|
|
if (max_linkhdr + TCP_MINPROTOHDR > MHLEN)
|
1994-05-24 10:09:53 +00:00
|
|
|
panic("tcp_init");
|
2000-01-09 19:17:30 +00:00
|
|
|
#undef TCP_MINPROTOHDR
|
2003-02-19 22:32:43 +00:00
|
|
|
/*
|
|
|
|
|
* These have to be type stable for the benefit of the timers.
|
|
|
|
|
*/
|
2004-08-16 18:32:07 +00:00
|
|
|
tcpcb_zone = uma_zcreate("tcpcb", sizeof(struct tcpcb_mem),
|
2004-08-11 20:30:08 +00:00
|
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
2003-02-19 22:32:43 +00:00
|
|
|
uma_zone_set_max(tcpcb_zone, maxsockets);
|
2007-05-13 22:16:13 +00:00
|
|
|
tcp_tw_init();
|
2001-11-22 04:50:44 +00:00
|
|
|
syncache_init();
|
2003-11-20 20:07:39 +00:00
|
|
|
tcp_hc_init();
|
2004-02-24 15:27:41 +00:00
|
|
|
tcp_reass_init();
|
2006-04-23 12:27:42 +00:00
|
|
|
ISN_LOCK_INIT();
|
2004-04-20 06:33:39 +00:00
|
|
|
callout_init(&isn_callout, CALLOUT_MPSAFE);
|
|
|
|
|
tcp_isn_tick(NULL);
|
|
|
|
|
EVENTHANDLER_REGISTER(shutdown_pre_sync, tcp_fini, NULL,
|
|
|
|
|
SHUTDOWN_PRI_DEFAULT);
|
2004-08-16 18:32:07 +00:00
|
|
|
sack_hole_zone = uma_zcreate("sackhole", sizeof(struct sackhole),
|
2004-08-11 20:30:08 +00:00
|
|
|
NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NOFREE);
|
2006-04-21 09:25:40 +00:00
|
|
|
EVENTHANDLER_REGISTER(maxsockets_change, tcp_zone_change, NULL,
|
|
|
|
|
EVENTHANDLER_PRI_ANY);
|
2004-04-20 06:33:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_fini(void *xtp)
|
2004-04-20 06:33:39 +00:00
|
|
|
{
|
|
|
|
|
|
2006-04-03 12:59:27 +00:00
|
|
|
callout_stop(&isn_callout);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2001-06-23 03:21:46 +00:00
|
|
|
* Fill in the IP and TCP headers for an outgoing packet, given the tcpcb.
|
|
|
|
|
* tcp_template used to store this data in mbufs, but we now recopy it out
|
|
|
|
|
* of the tcpcb each time to conserve mbufs.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2001-06-23 03:21:46 +00:00
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcpip_fillheaders(struct inpcb *inp, void *ip_ptr, void *tcp_ptr)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2003-02-19 22:18:06 +00:00
|
|
|
struct tcphdr *th = (struct tcphdr *)tcp_ptr;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2004-12-05 22:27:53 +00:00
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
if ((inp->inp_vflag & INP_IPV6) != 0) {
|
2001-06-23 03:21:46 +00:00
|
|
|
struct ip6_hdr *ip6;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2001-06-23 03:21:46 +00:00
|
|
|
ip6 = (struct ip6_hdr *)ip_ptr;
|
2000-01-09 19:17:30 +00:00
|
|
|
ip6->ip6_flow = (ip6->ip6_flow & ~IPV6_FLOWINFO_MASK) |
|
|
|
|
|
(inp->in6p_flowinfo & IPV6_FLOWINFO_MASK);
|
|
|
|
|
ip6->ip6_vfc = (ip6->ip6_vfc & ~IPV6_VERSION_MASK) |
|
|
|
|
|
(IPV6_VERSION & IPV6_VERSION_MASK);
|
|
|
|
|
ip6->ip6_nxt = IPPROTO_TCP;
|
2008-09-07 20:44:45 +00:00
|
|
|
ip6->ip6_plen = htons(sizeof(struct tcphdr));
|
2000-01-09 19:17:30 +00:00
|
|
|
ip6->ip6_src = inp->in6p_laddr;
|
|
|
|
|
ip6->ip6_dst = inp->in6p_faddr;
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
2001-06-23 03:21:46 +00:00
|
|
|
{
|
2003-02-19 22:18:06 +00:00
|
|
|
struct ip *ip;
|
|
|
|
|
|
|
|
|
|
ip = (struct ip *)ip_ptr;
|
|
|
|
|
ip->ip_v = IPVERSION;
|
|
|
|
|
ip->ip_hl = 5;
|
|
|
|
|
ip->ip_tos = inp->inp_ip_tos;
|
|
|
|
|
ip->ip_len = 0;
|
|
|
|
|
ip->ip_id = 0;
|
|
|
|
|
ip->ip_off = 0;
|
|
|
|
|
ip->ip_ttl = inp->inp_ip_ttl;
|
|
|
|
|
ip->ip_sum = 0;
|
|
|
|
|
ip->ip_p = IPPROTO_TCP;
|
|
|
|
|
ip->ip_src = inp->inp_laddr;
|
|
|
|
|
ip->ip_dst = inp->inp_faddr;
|
2001-06-23 03:21:46 +00:00
|
|
|
}
|
2003-02-19 22:18:06 +00:00
|
|
|
th->th_sport = inp->inp_lport;
|
|
|
|
|
th->th_dport = inp->inp_fport;
|
|
|
|
|
th->th_seq = 0;
|
|
|
|
|
th->th_ack = 0;
|
|
|
|
|
th->th_x2 = 0;
|
|
|
|
|
th->th_off = 5;
|
|
|
|
|
th->th_flags = 0;
|
|
|
|
|
th->th_win = 0;
|
|
|
|
|
th->th_urp = 0;
|
|
|
|
|
th->th_sum = 0; /* in_pseudo() is called later for ipv4 */
|
2001-06-23 03:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Create template to be used to send tcp packets on a connection.
|
|
|
|
|
* Allocates an mbuf and fills in a skeletal tcp/ip header. The only
|
|
|
|
|
* use for this function is in keepalives, which use tcp_respond.
|
|
|
|
|
*/
|
|
|
|
|
struct tcptemp *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcpip_maketemplate(struct inpcb *inp)
|
2001-06-23 03:21:46 +00:00
|
|
|
{
|
2008-06-02 14:20:26 +00:00
|
|
|
struct tcptemp *t;
|
2001-06-23 03:21:46 +00:00
|
|
|
|
2008-06-02 14:20:26 +00:00
|
|
|
t = malloc(sizeof(*t), M_TEMP, M_NOWAIT);
|
|
|
|
|
if (t == NULL)
|
|
|
|
|
return (NULL);
|
|
|
|
|
tcpip_fillheaders(inp, (void *)&t->tt_ipgen, (void *)&t->tt_t);
|
|
|
|
|
return (t);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Send a single message to the TCP at address specified by
|
2004-04-05 00:49:07 +00:00
|
|
|
* the given TCP/IP header. If m == NULL, then we make a copy
|
1994-05-24 10:09:53 +00:00
|
|
|
* of the tcpiphdr at ti and send directly to the addressed host.
|
|
|
|
|
* This is used to force keep alive messages out using the TCP
|
2001-06-23 03:21:46 +00:00
|
|
|
* template for a connection. If flags are given then we send
|
|
|
|
|
* a message back to the TCP which originated the * segment ti,
|
|
|
|
|
* and discard the mbuf containing it and any other attached mbufs.
|
1994-05-24 10:09:53 +00:00
|
|
|
*
|
|
|
|
|
* In any case the ack and sequence number of the transmitted
|
|
|
|
|
* segment are as specified by the parameters.
|
1997-12-19 03:36:15 +00:00
|
|
|
*
|
|
|
|
|
* NOTE: If m != NULL, then ti must point to *inside* the mbuf.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
void
|
2007-05-10 15:58:48 +00:00
|
|
|
tcp_respond(struct tcpcb *tp, void *ipgen, struct tcphdr *th, struct mbuf *m,
|
|
|
|
|
tcp_seq ack, tcp_seq seq, int flags)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2007-03-21 19:37:55 +00:00
|
|
|
int tlen;
|
1994-05-24 10:09:53 +00:00
|
|
|
int win = 0;
|
2000-01-09 19:17:30 +00:00
|
|
|
struct ip *ip;
|
|
|
|
|
struct tcphdr *nth;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
|
int isipv6;
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
int ipflags = 0;
|
2004-05-04 02:11:47 +00:00
|
|
|
struct inpcb *inp;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2002-08-01 03:54:43 +00:00
|
|
|
KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
|
|
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2002-10-20 22:52:07 +00:00
|
|
|
isipv6 = ((struct ip *)ipgen)->ip_v == 6;
|
2000-01-09 19:17:30 +00:00
|
|
|
ip6 = ipgen;
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
ip = ipgen;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2004-04-05 00:52:05 +00:00
|
|
|
if (tp != NULL) {
|
2003-11-08 22:59:22 +00:00
|
|
|
inp = tp->t_inpcb;
|
|
|
|
|
KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2004-05-04 02:11:47 +00:00
|
|
|
} else
|
|
|
|
|
inp = NULL;
|
|
|
|
|
|
|
|
|
|
if (tp != NULL) {
|
2000-02-28 21:18:21 +00:00
|
|
|
if (!(flags & TH_RST)) {
|
2003-11-08 22:59:22 +00:00
|
|
|
win = sbspace(&inp->inp_socket->so_rcv);
|
2000-02-28 21:18:21 +00:00
|
|
|
if (win > (long)TCP_MAXWIN << tp->rcv_scale)
|
|
|
|
|
win = (long)TCP_MAXWIN << tp->rcv_scale;
|
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2004-04-05 00:49:07 +00:00
|
|
|
if (m == NULL) {
|
2005-11-02 13:46:32 +00:00
|
|
|
m = m_gethdr(M_DONTWAIT, MT_DATA);
|
1994-05-24 10:09:53 +00:00
|
|
|
if (m == NULL)
|
|
|
|
|
return;
|
|
|
|
|
tlen = 0;
|
|
|
|
|
m->m_data += max_linkhdr;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
if (isipv6) {
|
2004-08-16 18:32:07 +00:00
|
|
|
bcopy((caddr_t)ip6, mtod(m, caddr_t),
|
2000-01-09 19:17:30 +00:00
|
|
|
sizeof(struct ip6_hdr));
|
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
|
nth = (struct tcphdr *)(ip6 + 1);
|
|
|
|
|
} else
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
{
|
|
|
|
|
bcopy((caddr_t)ip, mtod(m, caddr_t), sizeof(struct ip));
|
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
|
nth = (struct tcphdr *)(ip + 1);
|
|
|
|
|
}
|
|
|
|
|
bcopy((caddr_t)th, (caddr_t)nth, sizeof(struct tcphdr));
|
1994-05-24 10:09:53 +00:00
|
|
|
flags = TH_ACK;
|
|
|
|
|
} else {
|
Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
|
|
|
/*
|
|
|
|
|
* reuse the mbuf.
|
|
|
|
|
* XXX MRT We inherrit the FIB, which is lucky.
|
|
|
|
|
*/
|
1994-05-24 10:09:53 +00:00
|
|
|
m_freem(m->m_next);
|
2004-04-05 00:49:07 +00:00
|
|
|
m->m_next = NULL;
|
2000-01-09 19:17:30 +00:00
|
|
|
m->m_data = (caddr_t)ipgen;
|
|
|
|
|
/* m_len is set later */
|
1994-05-24 10:09:53 +00:00
|
|
|
tlen = 0;
|
|
|
|
|
#define xchg(a,b,type) { type t; t=a; a=b; b=t; }
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
if (isipv6) {
|
|
|
|
|
xchg(ip6->ip6_dst, ip6->ip6_src, struct in6_addr);
|
|
|
|
|
nth = (struct tcphdr *)(ip6 + 1);
|
|
|
|
|
} else
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
{
|
|
|
|
|
xchg(ip->ip_dst.s_addr, ip->ip_src.s_addr, n_long);
|
|
|
|
|
nth = (struct tcphdr *)(ip + 1);
|
|
|
|
|
}
|
|
|
|
|
if (th != nth) {
|
|
|
|
|
/*
|
|
|
|
|
* this is usually a case when an extension header
|
|
|
|
|
* exists between the IPv6 header and the
|
|
|
|
|
* TCP header.
|
|
|
|
|
*/
|
|
|
|
|
nth->th_sport = th->th_sport;
|
|
|
|
|
nth->th_dport = th->th_dport;
|
|
|
|
|
}
|
|
|
|
|
xchg(nth->th_dport, nth->th_sport, n_short);
|
1994-05-24 10:09:53 +00:00
|
|
|
#undef xchg
|
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
if (isipv6) {
|
2002-02-04 17:37:06 +00:00
|
|
|
ip6->ip6_flow = 0;
|
|
|
|
|
ip6->ip6_vfc = IPV6_VERSION;
|
|
|
|
|
ip6->ip6_nxt = IPPROTO_TCP;
|
2000-01-09 19:17:30 +00:00
|
|
|
ip6->ip6_plen = htons((u_short)(sizeof (struct tcphdr) +
|
|
|
|
|
tlen));
|
|
|
|
|
tlen += sizeof (struct ip6_hdr) + sizeof (struct tcphdr);
|
2000-01-15 14:34:56 +00:00
|
|
|
} else
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif
|
2004-08-16 18:32:07 +00:00
|
|
|
{
|
|
|
|
|
tlen += sizeof (struct tcpiphdr);
|
|
|
|
|
ip->ip_len = tlen;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
ip->ip_ttl = V_ip_defttl;
|
|
|
|
|
if (V_path_mtu_discovery)
|
2004-08-16 18:32:07 +00:00
|
|
|
ip->ip_off |= IP_DF;
|
|
|
|
|
}
|
1994-05-24 10:09:53 +00:00
|
|
|
m->m_len = tlen;
|
|
|
|
|
m->m_pkthdr.len = tlen;
|
2004-04-05 00:49:07 +00:00
|
|
|
m->m_pkthdr.rcvif = NULL;
|
2002-07-31 19:06:49 +00:00
|
|
|
#ifdef MAC
|
2003-11-08 22:59:22 +00:00
|
|
|
if (inp != NULL) {
|
2002-07-31 19:06:49 +00:00
|
|
|
/*
|
|
|
|
|
* Packet is associated with a socket, so allow the
|
|
|
|
|
* label of the response to reflect the socket label.
|
|
|
|
|
*/
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_inpcb_create_mbuf(inp, m);
|
2002-07-31 19:06:49 +00:00
|
|
|
} else {
|
|
|
|
|
/*
|
2003-08-21 18:39:16 +00:00
|
|
|
* Packet is not associated with a socket, so possibly
|
|
|
|
|
* update the label in place.
|
2002-07-31 19:06:49 +00:00
|
|
|
*/
|
2007-10-24 19:04:04 +00:00
|
|
|
mac_netinet_tcp_reply(m);
|
2002-07-31 19:06:49 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2000-01-09 19:17:30 +00:00
|
|
|
nth->th_seq = htonl(seq);
|
|
|
|
|
nth->th_ack = htonl(ack);
|
|
|
|
|
nth->th_x2 = 0;
|
|
|
|
|
nth->th_off = sizeof (struct tcphdr) >> 2;
|
|
|
|
|
nth->th_flags = flags;
|
2004-04-05 00:49:07 +00:00
|
|
|
if (tp != NULL)
|
2000-01-09 19:17:30 +00:00
|
|
|
nth->th_win = htons((u_short) (win >> tp->rcv_scale));
|
1994-05-24 10:09:53 +00:00
|
|
|
else
|
2000-01-09 19:17:30 +00:00
|
|
|
nth->th_win = htons((u_short)win);
|
|
|
|
|
nth->th_urp = 0;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
if (isipv6) {
|
2000-04-19 15:05:00 +00:00
|
|
|
nth->th_sum = 0;
|
2000-01-09 19:17:30 +00:00
|
|
|
nth->th_sum = in6_cksum(m, IPPROTO_TCP,
|
|
|
|
|
sizeof(struct ip6_hdr),
|
|
|
|
|
tlen - sizeof(struct ip6_hdr));
|
2004-04-05 00:49:07 +00:00
|
|
|
ip6->ip6_hlim = in6_selecthlim(tp != NULL ? tp->t_inpcb :
|
|
|
|
|
NULL, NULL);
|
2000-01-09 19:17:30 +00:00
|
|
|
} else
|
|
|
|
|
#endif /* INET6 */
|
2004-08-16 18:32:07 +00:00
|
|
|
{
|
|
|
|
|
nth->th_sum = in_pseudo(ip->ip_src.s_addr, ip->ip_dst.s_addr,
|
|
|
|
|
htons((u_short)(tlen - sizeof(struct ip) + ip->ip_p)));
|
|
|
|
|
m->m_pkthdr.csum_flags = CSUM_TCP;
|
|
|
|
|
m->m_pkthdr.csum_data = offsetof(struct tcphdr, th_sum);
|
|
|
|
|
}
|
1995-02-09 23:13:27 +00:00
|
|
|
#ifdef TCPDEBUG
|
2003-11-08 22:59:22 +00:00
|
|
|
if (tp == NULL || (inp->inp_socket->so_options & SO_DEBUG))
|
2000-01-09 19:17:30 +00:00
|
|
|
tcp_trace(TA_OUTPUT, 0, tp, mtod(m, void *), th, 0);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef INET6
|
2003-11-20 20:07:39 +00:00
|
|
|
if (isipv6)
|
|
|
|
|
(void) ip6_output(m, NULL, NULL, ipflags, NULL, NULL, inp);
|
|
|
|
|
else
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif /* INET6 */
|
2003-11-20 20:07:39 +00:00
|
|
|
(void) ip_output(m, NULL, NULL, ipflags, NULL, inp);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Create a new TCP control block, making an
|
|
|
|
|
* empty reassembly queue and hooking it to the argument
|
1998-03-24 18:06:34 +00:00
|
|
|
* protocol control block. The `inp' parameter must have
|
|
|
|
|
* come from the zone allocator set up in tcp_init().
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
|
|
|
|
struct tcpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_newtcpcb(struct inpcb *inp)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(inp->inp_vnet);
|
2003-02-19 22:32:43 +00:00
|
|
|
struct tcpcb_mem *tm;
|
|
|
|
|
struct tcpcb *tp;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
|
|
|
|
|
#endif /* INET6 */
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2003-02-19 22:32:43 +00:00
|
|
|
tm = uma_zalloc(tcpcb_zone, M_NOWAIT | M_ZERO);
|
|
|
|
|
if (tm == NULL)
|
|
|
|
|
return (NULL);
|
|
|
|
|
tp = &tm->tcb;
|
2007-09-24 05:26:24 +00:00
|
|
|
tp->t_timers = &tm->tt;
|
2003-02-19 22:32:43 +00:00
|
|
|
/* LIST_INIT(&tp->t_segq); */ /* XXX covered by M_ZERO */
|
2000-01-09 19:17:30 +00:00
|
|
|
tp->t_maxseg = tp->t_maxopd =
|
|
|
|
|
#ifdef INET6
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
isipv6 ? V_tcp_v6mssdflt :
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif /* INET6 */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcp_mssdflt;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
1999-08-30 21:17:07 +00:00
|
|
|
/* Set up our timeouts. */
|
2007-09-24 05:26:24 +00:00
|
|
|
callout_init(&tp->t_timers->tt_rexmt, CALLOUT_MPSAFE);
|
|
|
|
|
callout_init(&tp->t_timers->tt_persist, CALLOUT_MPSAFE);
|
|
|
|
|
callout_init(&tp->t_timers->tt_keep, CALLOUT_MPSAFE);
|
|
|
|
|
callout_init(&tp->t_timers->tt_2msl, CALLOUT_MPSAFE);
|
|
|
|
|
callout_init(&tp->t_timers->tt_delack, CALLOUT_MPSAFE);
|
1999-08-30 21:17:07 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (V_tcp_do_rfc1323)
|
1995-02-09 23:13:27 +00:00
|
|
|
tp->t_flags = (TF_REQ_SCALE|TF_REQ_TSTMP);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if (V_tcp_do_sack)
|
2007-05-06 15:56:31 +00:00
|
|
|
tp->t_flags |= TF_SACK_PERMIT;
|
2005-07-01 22:54:18 +00:00
|
|
|
TAILQ_INIT(&tp->snd_holes);
|
1998-03-24 18:06:34 +00:00
|
|
|
tp->t_inpcb = inp; /* XXX */
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
|
* Init srtt to TCPTV_SRTTBASE (0), so we can tell that we have no
|
1996-06-14 17:17:32 +00:00
|
|
|
* rtt estimate. Set rttvar so that srtt + 4 * rttvar gives
|
1994-05-24 10:09:53 +00:00
|
|
|
* reasonable initial retransmit time.
|
|
|
|
|
*/
|
|
|
|
|
tp->t_srtt = TCPTV_SRTTBASE;
|
1996-06-14 17:17:32 +00:00
|
|
|
tp->t_rttvar = ((TCPTV_RTOBASE - TCPTV_SRTTBASE) << TCP_RTTVAR_SHIFT) / 4;
|
2002-07-18 19:06:12 +00:00
|
|
|
tp->t_rttmin = tcp_rexmit_min;
|
1996-06-14 17:17:32 +00:00
|
|
|
tp->t_rxtcur = TCPTV_RTOBASE;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_cwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
2002-08-17 18:26:02 +00:00
|
|
|
tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->snd_ssthresh = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
1999-08-30 21:17:07 +00:00
|
|
|
tp->t_rcvtime = ticks;
|
2002-08-17 18:26:02 +00:00
|
|
|
tp->t_bw_rtttime = ticks;
|
2004-08-16 18:32:07 +00:00
|
|
|
/*
|
2000-01-25 01:05:18 +00:00
|
|
|
* IPv4 TTL initialization is necessary for an IPv6 socket as well,
|
|
|
|
|
* because the socket may be bound to an IPv6 wildcard address,
|
|
|
|
|
* which may match an IPv4-mapped IPv6 address.
|
|
|
|
|
*/
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
inp->inp_ip_ttl = V_ip_defttl;
|
2006-04-03 13:33:55 +00:00
|
|
|
inp->inp_ppcb = tp;
|
1998-03-24 18:06:34 +00:00
|
|
|
return (tp); /* XXX */
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Drop a TCP connection, reporting
|
|
|
|
|
* the specified error. If connection is synchronized,
|
|
|
|
|
* then send a RST to peer.
|
|
|
|
|
*/
|
|
|
|
|
struct tcpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_drop(struct tcpcb *tp, int errno)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(tp->t_inpcb->inp_vnet);
|
1994-05-24 10:09:53 +00:00
|
|
|
struct socket *so = tp->t_inpcb->inp_socket;
|
|
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(tp->t_inpcb);
|
2005-06-01 12:06:07 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
if (TCPS_HAVERCVDSYN(tp->t_state)) {
|
|
|
|
|
tp->t_state = TCPS_CLOSED;
|
2007-12-18 22:59:07 +00:00
|
|
|
(void) tcp_output_reset(tp);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcpstat.tcps_drops++;
|
1994-05-24 10:09:53 +00:00
|
|
|
} else
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcpstat.tcps_conndrops++;
|
1994-05-24 10:09:53 +00:00
|
|
|
if (errno == ETIMEDOUT && tp->t_softerror)
|
|
|
|
|
errno = tp->t_softerror;
|
|
|
|
|
so->so_error = errno;
|
|
|
|
|
return (tcp_close(tp));
|
|
|
|
|
}
|
|
|
|
|
|
Update TCP for infrastructural changes to the socket/pcb refcount model,
pru_abort(), pru_detach(), and in_pcbdetach():
- Universally support and enforce the invariant that so_pcb is
never NULL, converting dozens of unnecessary NULL checks into
assertions, and eliminating dozens of unnecessary error handling
cases in protocol code.
- In some cases, eliminate unnecessary pcbinfo locking, as it is no
longer required to ensure so_pcb != NULL. For example, the receive
code no longer requires the pcbinfo lock, and the send code only
requires it if building a new connection on an otherwise unconnected
socket triggered via sendto() with an address. This should
significnatly reduce tcbinfo lock contention in the receive and send
cases.
- In order to support the invariant that so_pcb != NULL, it is now
necessary for the TCP code to not discard the tcpcb any time a
connection is dropped, but instead leave the tcpcb until the socket
is shutdown. This case is handled by setting INP_DROPPED, to
substitute for using a NULL so_pcb to indicate that the connection
has been dropped. This requires the inpcb lock, but not the pcbinfo
lock.
- Unlike all other protocols in the tree, TCP may need to retain access
to the socket after the file descriptor has been closed. Set
SS_PROTOREF in tcp_detach() in order to prevent the socket from being
freed, and add a flag, INP_SOCKREF, so that the TCP code knows whether
or not it needs to free the socket when the connection finally does
close. The typical case where this occurs is if close() is called on
a TCP socket before all sent data in the send socket buffer has been
transmitted or acknowledged. If INP_SOCKREF is found when the
connection is dropped, we release the inpcb, tcpcb, and socket instead
of flagging INP_DROPPED.
- Abort and detach protocol switch methods no longer return failures,
nor attempt to free sockets, as the socket layer does this.
- Annotate the existence of a long-standing race in the TCP timer code,
in which timers are stopped but not drained when the socket is freed,
as waiting for drain may lead to deadlocks, or have to occur in a
context where waiting is not permitted. This race has been handled
by testing to see if the tcpcb pointer in the inpcb is NULL (and vice
versa), which is not normally permitted, but may be true of a inpcb
and tcpcb have been freed. Add a counter to test how often this race
has actually occurred, and a large comment for each instance where
we compare potentially freed memory with NULL. This will have to be
fixed in the near future, but requires is to further address how to
handle the timer shutdown shutdown issue.
- Several TCP calls no longer potentially free the passed inpcb/tcpcb,
so no longer need to return a pointer to indicate whether the argument
passed in is still valid.
- Un-macroize debugging and locking setup for various protocol switch
methods for TCP, as it lead to more obscurity, and as locking becomes
more customized to the methods, offers less benefit.
- Assert copyright on tcp_usrreq.c due to significant modifications that
have been made as part of this work.
These changes significantly modify the memory management and connection
logic of our TCP implementation, and are (as such) High Risk Changes,
and likely to contain serious bugs. Please report problems to the
current@ mailing list ASAP, ideally with simple test cases, and
optionally, packet traces.
MFC after: 3 months
2006-04-01 16:36:36 +00:00
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_discardcb(struct tcpcb *tp)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(tp->t_vnet);
|
2003-02-19 22:32:43 +00:00
|
|
|
struct tseg_qent *q;
|
1994-05-24 10:09:53 +00:00
|
|
|
struct inpcb *inp = tp->t_inpcb;
|
|
|
|
|
struct socket *so = inp->inp_socket;
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
int isipv6 = (inp->inp_vflag & INP_IPV6) != 0;
|
|
|
|
|
#endif /* INET6 */
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2004-12-05 22:27:53 +00:00
|
|
|
|
1999-08-30 21:17:07 +00:00
|
|
|
/*
|
|
|
|
|
* Make sure that all of our timers are stopped before we
|
|
|
|
|
* delete the PCB.
|
|
|
|
|
*/
|
2007-09-24 05:26:24 +00:00
|
|
|
callout_stop(&tp->t_timers->tt_rexmt);
|
|
|
|
|
callout_stop(&tp->t_timers->tt_persist);
|
|
|
|
|
callout_stop(&tp->t_timers->tt_keep);
|
|
|
|
|
callout_stop(&tp->t_timers->tt_2msl);
|
|
|
|
|
callout_stop(&tp->t_timers->tt_delack);
|
1999-08-30 21:17:07 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
1995-06-29 18:11:24 +00:00
|
|
|
* If we got enough samples through the srtt filter,
|
|
|
|
|
* save the rtt and rttvar in the routing entry.
|
2003-11-20 20:07:39 +00:00
|
|
|
* 'Enough' is arbitrarily defined as 4 rtt samples.
|
|
|
|
|
* 4 samples is enough for the srtt filter to converge
|
|
|
|
|
* to within enough % of the correct value; fewer samples
|
|
|
|
|
* and we could save a bogus rtt. The danger is not high
|
|
|
|
|
* as tcp quickly recovers from everything.
|
|
|
|
|
* XXX: Works very well but needs some more statistics!
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2003-11-20 20:07:39 +00:00
|
|
|
if (tp->t_rttupdated >= 4) {
|
|
|
|
|
struct hc_metrics_lite metrics;
|
|
|
|
|
u_long ssthresh;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2003-11-20 20:07:39 +00:00
|
|
|
bzero(&metrics, sizeof(metrics));
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
2003-11-20 20:07:39 +00:00
|
|
|
* Update the ssthresh always when the conditions below
|
|
|
|
|
* are satisfied. This gives us better new start value
|
|
|
|
|
* for the congestion avoidance for new connections.
|
|
|
|
|
* ssthresh is only set if packet loss occured on a session.
|
2006-08-02 16:18:05 +00:00
|
|
|
*
|
|
|
|
|
* XXXRW: 'so' may be NULL here, and/or socket buffer may be
|
|
|
|
|
* being torn down. Ideally this code would not use 'so'.
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2003-11-20 20:07:39 +00:00
|
|
|
ssthresh = tp->snd_ssthresh;
|
|
|
|
|
if (ssthresh != 0 && ssthresh < so->so_snd.sb_hiwat / 2) {
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
|
* convert the limit from user data bytes to
|
|
|
|
|
* packets then to packet data bytes.
|
|
|
|
|
*/
|
2003-11-20 20:07:39 +00:00
|
|
|
ssthresh = (ssthresh + tp->t_maxseg / 2) / tp->t_maxseg;
|
|
|
|
|
if (ssthresh < 2)
|
|
|
|
|
ssthresh = 2;
|
|
|
|
|
ssthresh *= (u_long)(tp->t_maxseg +
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
(isipv6 ? sizeof (struct ip6_hdr) +
|
|
|
|
|
sizeof (struct tcphdr) :
|
|
|
|
|
#endif
|
|
|
|
|
sizeof (struct tcpiphdr)
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
)
|
|
|
|
|
#endif
|
|
|
|
|
);
|
2003-11-20 20:07:39 +00:00
|
|
|
} else
|
|
|
|
|
ssthresh = 0;
|
|
|
|
|
metrics.rmx_ssthresh = ssthresh;
|
|
|
|
|
|
|
|
|
|
metrics.rmx_rtt = tp->t_srtt;
|
|
|
|
|
metrics.rmx_rttvar = tp->t_rttvar;
|
|
|
|
|
/* XXX: This wraps if the pipe is more than 4 Gbit per second */
|
|
|
|
|
metrics.rmx_bandwidth = tp->snd_bandwidth;
|
|
|
|
|
metrics.rmx_cwnd = tp->snd_cwnd;
|
2004-08-16 18:32:07 +00:00
|
|
|
metrics.rmx_sendpipe = 0;
|
2003-11-20 20:07:39 +00:00
|
|
|
metrics.rmx_recvpipe = 0;
|
|
|
|
|
|
|
|
|
|
tcp_hc_update(&inp->inp_inc, &metrics);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2003-11-20 20:07:39 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/* free the reassembly queue, if any */
|
2003-02-19 22:32:43 +00:00
|
|
|
while ((q = LIST_FIRST(&tp->t_segq)) != NULL) {
|
2000-01-09 19:17:30 +00:00
|
|
|
LIST_REMOVE(q, tqe_q);
|
|
|
|
|
m_freem(q->tqe_m);
|
2004-02-24 15:27:41 +00:00
|
|
|
uma_zfree(tcp_reass_zone, q);
|
|
|
|
|
tp->t_segqlen--;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcp_reass_qsize--;
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
2007-12-18 22:59:07 +00:00
|
|
|
/* Disconnect offload device, if any. */
|
|
|
|
|
tcp_offload_detach(tp);
|
|
|
|
|
|
2004-06-23 21:04:37 +00:00
|
|
|
tcp_free_sackholes(tp);
|
Improved connection establishment performance by doing local port lookups via
a hashed port list. In the new scheme, in_pcblookup() goes away and is
replaced by a new routine, in_pcblookup_local() for doing the local port
check. Note that this implementation is space inefficient in that the PCB
struct is now too large to fit into 128 bytes. I might deal with this in the
future by using the new zone allocator, but I wanted these changes to be
extensively tested in their current form first.
Also:
1) Fixed off-by-one errors in the port lookup loops in in_pcbbind().
2) Got rid of some unneeded rehashing. Adding a new routine, in_pcbinshash()
to do the initialial hash insertion.
3) Renamed in_pcblookuphash() to in_pcblookup_hash() for easier readability.
4) Added a new routine, in_pcbremlists() to remove the PCB from the various
hash lists.
5) Added/deleted comments where appropriate.
6) Removed unnecessary splnet() locking. In general, the PCB functions should
be called at splnet()...there are unfortunately a few exceptions, however.
7) Reorganized a few structs for better cache line behavior.
8) Killed my TCP_ACK_HACK kludge. It may come back in a different form in
the future, however.
These changes have been tested on wcarchive for more than a month. In tests
done here, connection establishment overhead is reduced by more than 50
times, thus getting rid of one of the major networking scalability problems.
Still to do: make tcp_fastimo/tcp_slowtimo scale well for systems with a
large number of connections. tcp_fastimo is easy; tcp_slowtimo is difficult.
WARNING: Anything that knows about inpcb and tcpcb structs will have to be
recompiled; at the very least, this includes netstat(1).
1998-01-27 09:15:13 +00:00
|
|
|
inp->inp_ppcb = NULL;
|
2002-12-24 21:00:31 +00:00
|
|
|
tp->t_inpcb = NULL;
|
2003-02-19 22:32:43 +00:00
|
|
|
uma_zfree(tcpcb_zone, tp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2006-04-03 12:52:13 +00:00
|
|
|
* Attempt to close a TCP control block, marking it as dropped, and freeing
|
|
|
|
|
* the socket if we hold the only reference.
|
2003-02-19 22:32:43 +00:00
|
|
|
*/
|
|
|
|
|
struct tcpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_close(struct tcpcb *tp)
|
2003-02-19 22:32:43 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(tp->t_inpcb->inp_vnet);
|
2003-02-19 22:32:43 +00:00
|
|
|
struct inpcb *inp = tp->t_inpcb;
|
Update TCP for infrastructural changes to the socket/pcb refcount model,
pru_abort(), pru_detach(), and in_pcbdetach():
- Universally support and enforce the invariant that so_pcb is
never NULL, converting dozens of unnecessary NULL checks into
assertions, and eliminating dozens of unnecessary error handling
cases in protocol code.
- In some cases, eliminate unnecessary pcbinfo locking, as it is no
longer required to ensure so_pcb != NULL. For example, the receive
code no longer requires the pcbinfo lock, and the send code only
requires it if building a new connection on an otherwise unconnected
socket triggered via sendto() with an address. This should
significnatly reduce tcbinfo lock contention in the receive and send
cases.
- In order to support the invariant that so_pcb != NULL, it is now
necessary for the TCP code to not discard the tcpcb any time a
connection is dropped, but instead leave the tcpcb until the socket
is shutdown. This case is handled by setting INP_DROPPED, to
substitute for using a NULL so_pcb to indicate that the connection
has been dropped. This requires the inpcb lock, but not the pcbinfo
lock.
- Unlike all other protocols in the tree, TCP may need to retain access
to the socket after the file descriptor has been closed. Set
SS_PROTOREF in tcp_detach() in order to prevent the socket from being
freed, and add a flag, INP_SOCKREF, so that the TCP code knows whether
or not it needs to free the socket when the connection finally does
close. The typical case where this occurs is if close() is called on
a TCP socket before all sent data in the send socket buffer has been
transmitted or acknowledged. If INP_SOCKREF is found when the
connection is dropped, we release the inpcb, tcpcb, and socket instead
of flagging INP_DROPPED.
- Abort and detach protocol switch methods no longer return failures,
nor attempt to free sockets, as the socket layer does this.
- Annotate the existence of a long-standing race in the TCP timer code,
in which timers are stopped but not drained when the socket is freed,
as waiting for drain may lead to deadlocks, or have to occur in a
context where waiting is not permitted. This race has been handled
by testing to see if the tcpcb pointer in the inpcb is NULL (and vice
versa), which is not normally permitted, but may be true of a inpcb
and tcpcb have been freed. Add a counter to test how often this race
has actually occurred, and a large comment for each instance where
we compare potentially freed memory with NULL. This will have to be
fixed in the near future, but requires is to further address how to
handle the timer shutdown shutdown issue.
- Several TCP calls no longer potentially free the passed inpcb/tcpcb,
so no longer need to return a pointer to indicate whether the argument
passed in is still valid.
- Un-macroize debugging and locking setup for various protocol switch
methods for TCP, as it lead to more obscurity, and as locking becomes
more customized to the methods, offers less benefit.
- Assert copyright on tcp_usrreq.c due to significant modifications that
have been made as part of this work.
These changes significantly modify the memory management and connection
logic of our TCP implementation, and are (as such) High Risk Changes,
and likely to contain serious bugs. Please report problems to the
current@ mailing list ASAP, ideally with simple test cases, and
optionally, packet traces.
MFC after: 3 months
2006-04-01 16:36:36 +00:00
|
|
|
struct socket *so;
|
2003-02-19 22:32:43 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2004-12-05 22:27:53 +00:00
|
|
|
|
2007-12-18 22:59:07 +00:00
|
|
|
/* Notify any offload devices of listener close */
|
|
|
|
|
if (tp->t_state == TCPS_LISTEN)
|
|
|
|
|
tcp_offload_listen_close(tp);
|
2006-04-25 11:17:35 +00:00
|
|
|
in_pcbdrop(inp);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcpstat.tcps_closed++;
|
Update TCP for infrastructural changes to the socket/pcb refcount model,
pru_abort(), pru_detach(), and in_pcbdetach():
- Universally support and enforce the invariant that so_pcb is
never NULL, converting dozens of unnecessary NULL checks into
assertions, and eliminating dozens of unnecessary error handling
cases in protocol code.
- In some cases, eliminate unnecessary pcbinfo locking, as it is no
longer required to ensure so_pcb != NULL. For example, the receive
code no longer requires the pcbinfo lock, and the send code only
requires it if building a new connection on an otherwise unconnected
socket triggered via sendto() with an address. This should
significnatly reduce tcbinfo lock contention in the receive and send
cases.
- In order to support the invariant that so_pcb != NULL, it is now
necessary for the TCP code to not discard the tcpcb any time a
connection is dropped, but instead leave the tcpcb until the socket
is shutdown. This case is handled by setting INP_DROPPED, to
substitute for using a NULL so_pcb to indicate that the connection
has been dropped. This requires the inpcb lock, but not the pcbinfo
lock.
- Unlike all other protocols in the tree, TCP may need to retain access
to the socket after the file descriptor has been closed. Set
SS_PROTOREF in tcp_detach() in order to prevent the socket from being
freed, and add a flag, INP_SOCKREF, so that the TCP code knows whether
or not it needs to free the socket when the connection finally does
close. The typical case where this occurs is if close() is called on
a TCP socket before all sent data in the send socket buffer has been
transmitted or acknowledged. If INP_SOCKREF is found when the
connection is dropped, we release the inpcb, tcpcb, and socket instead
of flagging INP_DROPPED.
- Abort and detach protocol switch methods no longer return failures,
nor attempt to free sockets, as the socket layer does this.
- Annotate the existence of a long-standing race in the TCP timer code,
in which timers are stopped but not drained when the socket is freed,
as waiting for drain may lead to deadlocks, or have to occur in a
context where waiting is not permitted. This race has been handled
by testing to see if the tcpcb pointer in the inpcb is NULL (and vice
versa), which is not normally permitted, but may be true of a inpcb
and tcpcb have been freed. Add a counter to test how often this race
has actually occurred, and a large comment for each instance where
we compare potentially freed memory with NULL. This will have to be
fixed in the near future, but requires is to further address how to
handle the timer shutdown shutdown issue.
- Several TCP calls no longer potentially free the passed inpcb/tcpcb,
so no longer need to return a pointer to indicate whether the argument
passed in is still valid.
- Un-macroize debugging and locking setup for various protocol switch
methods for TCP, as it lead to more obscurity, and as locking becomes
more customized to the methods, offers less benefit.
- Assert copyright on tcp_usrreq.c due to significant modifications that
have been made as part of this work.
These changes significantly modify the memory management and connection
logic of our TCP implementation, and are (as such) High Risk Changes,
and likely to contain serious bugs. Please report problems to the
current@ mailing list ASAP, ideally with simple test cases, and
optionally, packet traces.
MFC after: 3 months
2006-04-01 16:36:36 +00:00
|
|
|
KASSERT(inp->inp_socket != NULL, ("tcp_close: inp_socket NULL"));
|
|
|
|
|
so = inp->inp_socket;
|
|
|
|
|
soisdisconnected(so);
|
|
|
|
|
if (inp->inp_vflag & INP_SOCKREF) {
|
|
|
|
|
KASSERT(so->so_state & SS_PROTOREF,
|
|
|
|
|
("tcp_close: !SS_PROTOREF"));
|
|
|
|
|
inp->inp_vflag &= ~INP_SOCKREF;
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inp);
|
Update TCP for infrastructural changes to the socket/pcb refcount model,
pru_abort(), pru_detach(), and in_pcbdetach():
- Universally support and enforce the invariant that so_pcb is
never NULL, converting dozens of unnecessary NULL checks into
assertions, and eliminating dozens of unnecessary error handling
cases in protocol code.
- In some cases, eliminate unnecessary pcbinfo locking, as it is no
longer required to ensure so_pcb != NULL. For example, the receive
code no longer requires the pcbinfo lock, and the send code only
requires it if building a new connection on an otherwise unconnected
socket triggered via sendto() with an address. This should
significnatly reduce tcbinfo lock contention in the receive and send
cases.
- In order to support the invariant that so_pcb != NULL, it is now
necessary for the TCP code to not discard the tcpcb any time a
connection is dropped, but instead leave the tcpcb until the socket
is shutdown. This case is handled by setting INP_DROPPED, to
substitute for using a NULL so_pcb to indicate that the connection
has been dropped. This requires the inpcb lock, but not the pcbinfo
lock.
- Unlike all other protocols in the tree, TCP may need to retain access
to the socket after the file descriptor has been closed. Set
SS_PROTOREF in tcp_detach() in order to prevent the socket from being
freed, and add a flag, INP_SOCKREF, so that the TCP code knows whether
or not it needs to free the socket when the connection finally does
close. The typical case where this occurs is if close() is called on
a TCP socket before all sent data in the send socket buffer has been
transmitted or acknowledged. If INP_SOCKREF is found when the
connection is dropped, we release the inpcb, tcpcb, and socket instead
of flagging INP_DROPPED.
- Abort and detach protocol switch methods no longer return failures,
nor attempt to free sockets, as the socket layer does this.
- Annotate the existence of a long-standing race in the TCP timer code,
in which timers are stopped but not drained when the socket is freed,
as waiting for drain may lead to deadlocks, or have to occur in a
context where waiting is not permitted. This race has been handled
by testing to see if the tcpcb pointer in the inpcb is NULL (and vice
versa), which is not normally permitted, but may be true of a inpcb
and tcpcb have been freed. Add a counter to test how often this race
has actually occurred, and a large comment for each instance where
we compare potentially freed memory with NULL. This will have to be
fixed in the near future, but requires is to further address how to
handle the timer shutdown shutdown issue.
- Several TCP calls no longer potentially free the passed inpcb/tcpcb,
so no longer need to return a pointer to indicate whether the argument
passed in is still valid.
- Un-macroize debugging and locking setup for various protocol switch
methods for TCP, as it lead to more obscurity, and as locking becomes
more customized to the methods, offers less benefit.
- Assert copyright on tcp_usrreq.c due to significant modifications that
have been made as part of this work.
These changes significantly modify the memory management and connection
logic of our TCP implementation, and are (as such) High Risk Changes,
and likely to contain serious bugs. Please report problems to the
current@ mailing list ASAP, ideally with simple test cases, and
optionally, packet traces.
MFC after: 3 months
2006-04-01 16:36:36 +00:00
|
|
|
ACCEPT_LOCK();
|
|
|
|
|
SOCK_LOCK(so);
|
|
|
|
|
so->so_state &= ~SS_PROTOREF;
|
|
|
|
|
sofree(so);
|
|
|
|
|
return (NULL);
|
|
|
|
|
}
|
|
|
|
|
return (tp);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_drain(void)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
VNET_ITERATOR_DECL(vnet_iter);
|
2006-04-03 12:59:27 +00:00
|
|
|
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
if (!do_tcpdrain)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
VNET_LIST_RLOCK();
|
|
|
|
|
VNET_FOREACH(vnet_iter) {
|
|
|
|
|
CURVNET_SET(vnet_iter);
|
|
|
|
|
INIT_VNET_INET(vnet_iter);
|
1999-12-28 23:18:33 +00:00
|
|
|
struct inpcb *inpb;
|
|
|
|
|
struct tcpcb *tcpb;
|
2000-01-09 19:17:30 +00:00
|
|
|
struct tseg_qent *te;
|
1999-12-28 23:18:33 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Walk the tcpbs, if existing, and flush the reassembly queue,
|
|
|
|
|
* if there is one...
|
|
|
|
|
* XXX: The "Net/3" implementation doesn't imply that the TCP
|
|
|
|
|
* reassembly queue should be flushed, but in a situation
|
2004-08-16 18:32:07 +00:00
|
|
|
* where we're really low on mbufs, this is potentially
|
|
|
|
|
* usefull.
|
1999-12-28 23:18:33 +00:00
|
|
|
*/
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
|
|
|
|
LIST_FOREACH(inpb, V_tcbinfo.ipi_listhead, inp_list) {
|
2003-02-19 22:32:43 +00:00
|
|
|
if (inpb->inp_vflag & INP_TIMEWAIT)
|
|
|
|
|
continue;
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK(inpb);
|
2004-04-05 00:49:07 +00:00
|
|
|
if ((tcpb = intotcpcb(inpb)) != NULL) {
|
2001-03-16 20:00:53 +00:00
|
|
|
while ((te = LIST_FIRST(&tcpb->t_segq))
|
|
|
|
|
!= NULL) {
|
2000-01-09 19:17:30 +00:00
|
|
|
LIST_REMOVE(te, tqe_q);
|
|
|
|
|
m_freem(te->tqe_m);
|
2004-02-24 15:27:41 +00:00
|
|
|
uma_zfree(tcp_reass_zone, te);
|
|
|
|
|
tcpb->t_segqlen--;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcp_reass_qsize--;
|
1999-12-28 23:18:33 +00:00
|
|
|
}
|
2005-04-10 05:21:29 +00:00
|
|
|
tcp_clean_sackreport(tcpb);
|
1999-12-28 23:18:33 +00:00
|
|
|
}
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inpb);
|
1999-12-28 23:18:33 +00:00
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
CURVNET_RESTORE();
|
1999-12-28 23:18:33 +00:00
|
|
|
}
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
VNET_LIST_RUNLOCK();
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Notify a tcp user of an asynchronous error;
|
|
|
|
|
* store error as soft error, but wake up user
|
|
|
|
|
* (for now, won't do anything until can select for soft error).
|
2001-02-23 21:07:06 +00:00
|
|
|
*
|
|
|
|
|
* Do not wake up user since there currently is no mechanism for
|
|
|
|
|
* reporting soft errors (yet - a kqueue filter may be added).
|
1994-05-24 10:09:53 +00:00
|
|
|
*/
|
2002-06-14 08:35:21 +00:00
|
|
|
static struct inpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_notify(struct inpcb *inp, int error)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
2006-04-03 13:33:55 +00:00
|
|
|
struct tcpcb *tp;
|
2008-11-26 22:32:07 +00:00
|
|
|
#ifdef INVARIANTS
|
|
|
|
|
INIT_VNET_INET(inp->inp_vnet); /* V_tcbinfo WLOCK ASSERT */
|
|
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
|
|
|
|
|
if ((inp->inp_vflag & INP_TIMEWAIT) ||
|
|
|
|
|
(inp->inp_vflag & INP_DROPPED))
|
|
|
|
|
return (inp);
|
|
|
|
|
|
2006-04-03 13:33:55 +00:00
|
|
|
tp = intotcpcb(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
KASSERT(tp != NULL, ("tcp_notify: tp == NULL"));
|
2004-12-05 22:27:53 +00:00
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
/*
|
|
|
|
|
* Ignore some errors if we are hooked up.
|
|
|
|
|
* If connection hasn't completed, has retransmitted several times,
|
|
|
|
|
* and receives a second error, give up now. This is better
|
|
|
|
|
* than waiting a long time to establish a connection that
|
|
|
|
|
* can never complete.
|
|
|
|
|
*/
|
|
|
|
|
if (tp->t_state == TCPS_ESTABLISHED &&
|
2003-02-15 02:37:57 +00:00
|
|
|
(error == EHOSTUNREACH || error == ENETUNREACH ||
|
|
|
|
|
error == EHOSTDOWN)) {
|
2004-12-23 01:34:26 +00:00
|
|
|
return (inp);
|
1994-05-24 10:09:53 +00:00
|
|
|
} else if (tp->t_state < TCPS_ESTABLISHED && tp->t_rxtshift > 3 &&
|
2002-06-14 08:35:21 +00:00
|
|
|
tp->t_softerror) {
|
Update TCP for infrastructural changes to the socket/pcb refcount model,
pru_abort(), pru_detach(), and in_pcbdetach():
- Universally support and enforce the invariant that so_pcb is
never NULL, converting dozens of unnecessary NULL checks into
assertions, and eliminating dozens of unnecessary error handling
cases in protocol code.
- In some cases, eliminate unnecessary pcbinfo locking, as it is no
longer required to ensure so_pcb != NULL. For example, the receive
code no longer requires the pcbinfo lock, and the send code only
requires it if building a new connection on an otherwise unconnected
socket triggered via sendto() with an address. This should
significnatly reduce tcbinfo lock contention in the receive and send
cases.
- In order to support the invariant that so_pcb != NULL, it is now
necessary for the TCP code to not discard the tcpcb any time a
connection is dropped, but instead leave the tcpcb until the socket
is shutdown. This case is handled by setting INP_DROPPED, to
substitute for using a NULL so_pcb to indicate that the connection
has been dropped. This requires the inpcb lock, but not the pcbinfo
lock.
- Unlike all other protocols in the tree, TCP may need to retain access
to the socket after the file descriptor has been closed. Set
SS_PROTOREF in tcp_detach() in order to prevent the socket from being
freed, and add a flag, INP_SOCKREF, so that the TCP code knows whether
or not it needs to free the socket when the connection finally does
close. The typical case where this occurs is if close() is called on
a TCP socket before all sent data in the send socket buffer has been
transmitted or acknowledged. If INP_SOCKREF is found when the
connection is dropped, we release the inpcb, tcpcb, and socket instead
of flagging INP_DROPPED.
- Abort and detach protocol switch methods no longer return failures,
nor attempt to free sockets, as the socket layer does this.
- Annotate the existence of a long-standing race in the TCP timer code,
in which timers are stopped but not drained when the socket is freed,
as waiting for drain may lead to deadlocks, or have to occur in a
context where waiting is not permitted. This race has been handled
by testing to see if the tcpcb pointer in the inpcb is NULL (and vice
versa), which is not normally permitted, but may be true of a inpcb
and tcpcb have been freed. Add a counter to test how often this race
has actually occurred, and a large comment for each instance where
we compare potentially freed memory with NULL. This will have to be
fixed in the near future, but requires is to further address how to
handle the timer shutdown shutdown issue.
- Several TCP calls no longer potentially free the passed inpcb/tcpcb,
so no longer need to return a pointer to indicate whether the argument
passed in is still valid.
- Un-macroize debugging and locking setup for various protocol switch
methods for TCP, as it lead to more obscurity, and as locking becomes
more customized to the methods, offers less benefit.
- Assert copyright on tcp_usrreq.c due to significant modifications that
have been made as part of this work.
These changes significantly modify the memory management and connection
logic of our TCP implementation, and are (as such) High Risk Changes,
and likely to contain serious bugs. Please report problems to the
current@ mailing list ASAP, ideally with simple test cases, and
optionally, packet traces.
MFC after: 3 months
2006-04-01 16:36:36 +00:00
|
|
|
tp = tcp_drop(tp, error);
|
|
|
|
|
if (tp != NULL)
|
|
|
|
|
return (inp);
|
|
|
|
|
else
|
|
|
|
|
return (NULL);
|
2002-06-14 08:35:21 +00:00
|
|
|
} else {
|
1994-05-24 10:09:53 +00:00
|
|
|
tp->t_softerror = error;
|
2004-12-23 01:34:26 +00:00
|
|
|
return (inp);
|
2002-06-14 08:35:21 +00:00
|
|
|
}
|
2001-02-23 21:07:06 +00:00
|
|
|
#if 0
|
2003-03-02 16:54:40 +00:00
|
|
|
wakeup( &so->so_timeo);
|
1994-05-24 10:09:53 +00:00
|
|
|
sorwakeup(so);
|
|
|
|
|
sowwakeup(so);
|
2001-02-23 21:07:06 +00:00
|
|
|
#endif
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
1998-05-15 20:11:40 +00:00
|
|
|
static int
|
2000-07-04 11:25:35 +00:00
|
|
|
tcp_pcblist(SYSCTL_HANDLER_ARGS)
|
1998-05-15 20:11:40 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2007-07-27 00:57:06 +00:00
|
|
|
int error, i, m, n, pcb_count;
|
1998-05-15 20:11:40 +00:00
|
|
|
struct inpcb *inp, **inp_list;
|
|
|
|
|
inp_gen_t gencnt;
|
|
|
|
|
struct xinpgen xig;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* The process of preparing the TCB list is too time-consuming and
|
|
|
|
|
* resource-intensive to repeat twice on every request.
|
|
|
|
|
*/
|
2004-04-05 00:49:07 +00:00
|
|
|
if (req->oldptr == NULL) {
|
2007-07-27 00:57:06 +00:00
|
|
|
m = syncache_pcbcount();
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
n = V_tcbinfo.ipi_count;
|
1998-05-15 20:11:40 +00:00
|
|
|
req->oldidx = 2 * (sizeof xig)
|
2007-07-27 00:57:06 +00:00
|
|
|
+ ((m + n) + n/8) * sizeof(struct xtcpcb);
|
2004-12-23 01:34:26 +00:00
|
|
|
return (0);
|
1998-05-15 20:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
2004-04-05 00:49:07 +00:00
|
|
|
if (req->newptr != NULL)
|
2004-12-23 01:34:26 +00:00
|
|
|
return (EPERM);
|
1998-05-15 20:11:40 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* OK, now we're committed to doing something.
|
|
|
|
|
*/
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
|
|
|
|
gencnt = V_tcbinfo.ipi_gencnt;
|
|
|
|
|
n = V_tcbinfo.ipi_count;
|
|
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
1998-05-15 20:11:40 +00:00
|
|
|
|
2007-07-27 00:57:06 +00:00
|
|
|
m = syncache_pcbcount();
|
|
|
|
|
|
2004-02-26 00:27:04 +00:00
|
|
|
error = sysctl_wire_old_buffer(req, 2 * (sizeof xig)
|
2007-07-27 00:57:06 +00:00
|
|
|
+ (n + m) * sizeof(struct xtcpcb));
|
2004-02-26 00:27:04 +00:00
|
|
|
if (error != 0)
|
|
|
|
|
return (error);
|
2002-07-28 19:59:31 +00:00
|
|
|
|
1998-05-15 20:11:40 +00:00
|
|
|
xig.xig_len = sizeof xig;
|
2007-07-27 00:57:06 +00:00
|
|
|
xig.xig_count = n + m;
|
1998-05-15 20:11:40 +00:00
|
|
|
xig.xig_gen = gencnt;
|
|
|
|
|
xig.xig_sogen = so_gencnt;
|
|
|
|
|
error = SYSCTL_OUT(req, &xig, sizeof xig);
|
|
|
|
|
if (error)
|
2004-12-23 01:34:26 +00:00
|
|
|
return (error);
|
1998-05-15 20:11:40 +00:00
|
|
|
|
2007-07-27 00:57:06 +00:00
|
|
|
error = syncache_pcblist(req, m, &pcb_count);
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
|
2003-02-19 05:47:46 +00:00
|
|
|
inp_list = malloc(n * sizeof *inp_list, M_TEMP, M_WAITOK);
|
2004-04-05 00:49:07 +00:00
|
|
|
if (inp_list == NULL)
|
2004-12-23 01:34:26 +00:00
|
|
|
return (ENOMEM);
|
2004-08-16 18:32:07 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
2008-08-20 01:05:56 +00:00
|
|
|
for (inp = LIST_FIRST(V_tcbinfo.ipi_listhead), i = 0;
|
2008-08-20 01:24:55 +00:00
|
|
|
inp != NULL && i < n; inp = LIST_NEXT(inp, inp_list)) {
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RLOCK(inp);
|
2003-04-10 20:33:10 +00:00
|
|
|
if (inp->inp_gencnt <= gencnt) {
|
|
|
|
|
/*
|
|
|
|
|
* XXX: This use of cr_cansee(), introduced with
|
|
|
|
|
* TCP state changes, is not quite right, but for
|
|
|
|
|
* now, better than nothing.
|
|
|
|
|
*/
|
2006-04-04 12:26:07 +00:00
|
|
|
if (inp->inp_vflag & INP_TIMEWAIT) {
|
|
|
|
|
if (intotw(inp) != NULL)
|
|
|
|
|
error = cr_cansee(req->td->td_ucred,
|
|
|
|
|
intotw(inp)->tw_cred);
|
|
|
|
|
else
|
|
|
|
|
error = EINVAL; /* Skip this inp. */
|
|
|
|
|
} else
|
2008-10-17 16:26:16 +00:00
|
|
|
error = cr_canseeinpcb(req->td->td_ucred, inp);
|
2003-04-10 20:33:10 +00:00
|
|
|
if (error == 0)
|
|
|
|
|
inp_list[i++] = inp;
|
|
|
|
|
}
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RUNLOCK(inp);
|
1998-05-15 20:11:40 +00:00
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
1998-05-15 20:11:40 +00:00
|
|
|
n = i;
|
|
|
|
|
|
|
|
|
|
error = 0;
|
|
|
|
|
for (i = 0; i < n; i++) {
|
|
|
|
|
inp = inp_list[i];
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RLOCK(inp);
|
1998-05-15 20:11:40 +00:00
|
|
|
if (inp->inp_gencnt <= gencnt) {
|
|
|
|
|
struct xtcpcb xt;
|
2006-04-03 13:33:55 +00:00
|
|
|
void *inp_ppcb;
|
2005-05-07 00:41:36 +00:00
|
|
|
|
|
|
|
|
bzero(&xt, sizeof(xt));
|
1998-05-15 20:11:40 +00:00
|
|
|
xt.xt_len = sizeof xt;
|
|
|
|
|
/* XXX should avoid extra copy */
|
|
|
|
|
bcopy(inp, &xt.xt_inp, sizeof *inp);
|
1999-06-16 19:05:17 +00:00
|
|
|
inp_ppcb = inp->inp_ppcb;
|
2003-02-19 22:32:43 +00:00
|
|
|
if (inp_ppcb == NULL)
|
|
|
|
|
bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
|
|
|
|
|
else if (inp->inp_vflag & INP_TIMEWAIT) {
|
1999-06-16 19:05:17 +00:00
|
|
|
bzero((char *) &xt.xt_tp, sizeof xt.xt_tp);
|
2003-02-19 22:32:43 +00:00
|
|
|
xt.xt_tp.t_state = TCPS_TIME_WAIT;
|
|
|
|
|
} else
|
|
|
|
|
bcopy(inp_ppcb, &xt.xt_tp, sizeof xt.xt_tp);
|
2004-04-05 00:49:07 +00:00
|
|
|
if (inp->inp_socket != NULL)
|
1998-05-15 20:11:40 +00:00
|
|
|
sotoxsocket(inp->inp_socket, &xt.xt_socket);
|
2003-02-19 22:32:43 +00:00
|
|
|
else {
|
|
|
|
|
bzero(&xt.xt_socket, sizeof xt.xt_socket);
|
|
|
|
|
xt.xt_socket.xso_protocol = IPPROTO_TCP;
|
|
|
|
|
}
|
2003-02-15 02:37:57 +00:00
|
|
|
xt.xt_inp.inp_gencnt = inp->inp_gencnt;
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RUNLOCK(inp);
|
1998-05-15 20:11:40 +00:00
|
|
|
error = SYSCTL_OUT(req, &xt, sizeof xt);
|
2006-07-18 22:34:27 +00:00
|
|
|
} else
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RUNLOCK(inp);
|
2006-07-18 22:34:27 +00:00
|
|
|
|
1998-05-15 20:11:40 +00:00
|
|
|
}
|
|
|
|
|
if (!error) {
|
|
|
|
|
/*
|
|
|
|
|
* Give the user an updated idea of our state.
|
|
|
|
|
* If the generation differs from what we told
|
|
|
|
|
* her before, she knows that something happened
|
|
|
|
|
* while we were processing this request, and it
|
|
|
|
|
* might be necessary to retry.
|
|
|
|
|
*/
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
|
|
|
|
xig.xig_gen = V_tcbinfo.ipi_gencnt;
|
1998-05-15 20:11:40 +00:00
|
|
|
xig.xig_sogen = so_gencnt;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
xig.xig_count = V_tcbinfo.ipi_count + pcb_count;
|
|
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
1998-05-15 20:11:40 +00:00
|
|
|
error = SYSCTL_OUT(req, &xig, sizeof xig);
|
|
|
|
|
}
|
|
|
|
|
free(inp_list, M_TEMP);
|
2004-12-23 01:34:26 +00:00
|
|
|
return (error);
|
1998-05-15 20:11:40 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCTL_PROC(_net_inet_tcp, TCPCTL_PCBLIST, pcblist, CTLFLAG_RD, 0, 0,
|
2007-03-21 19:37:55 +00:00
|
|
|
tcp_pcblist, "S,xtcpcb", "List of active TCP connections");
|
1998-05-15 20:11:40 +00:00
|
|
|
|
1999-07-11 18:32:46 +00:00
|
|
|
static int
|
2000-07-04 11:25:35 +00:00
|
|
|
tcp_getcred(SYSCTL_HANDLER_ARGS)
|
1999-07-11 18:32:46 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2001-02-18 13:30:20 +00:00
|
|
|
struct xucred xuc;
|
1999-07-11 18:32:46 +00:00
|
|
|
struct sockaddr_in addrs[2];
|
|
|
|
|
struct inpcb *inp;
|
2005-07-19 12:21:26 +00:00
|
|
|
int error;
|
1999-07-11 18:32:46 +00:00
|
|
|
|
2007-06-12 00:12:01 +00:00
|
|
|
error = priv_check(req->td, PRIV_NETINET_GETCRED);
|
1999-07-11 18:32:46 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
2008-08-20 01:05:56 +00:00
|
|
|
inp = in_pcblookup_hash(&V_tcbinfo, addrs[1].sin_addr,
|
|
|
|
|
addrs[1].sin_port, addrs[0].sin_addr, addrs[0].sin_port, 0, NULL);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (inp != NULL) {
|
|
|
|
|
INP_RLOCK(inp);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (inp->inp_socket == NULL)
|
|
|
|
|
error = ENOENT;
|
|
|
|
|
if (error == 0)
|
2008-10-17 16:26:16 +00:00
|
|
|
error = cr_canseeinpcb(req->td->td_ucred, inp);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (error == 0)
|
2008-10-04 15:06:34 +00:00
|
|
|
cru2x(inp->inp_cred, &xuc);
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RUNLOCK(inp);
|
|
|
|
|
} else {
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
2002-07-11 23:13:31 +00:00
|
|
|
error = ENOENT;
|
|
|
|
|
}
|
2002-07-11 23:18:43 +00:00
|
|
|
if (error == 0)
|
|
|
|
|
error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
|
1999-07-11 18:32:46 +00:00
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
2001-06-24 12:18:27 +00:00
|
|
|
SYSCTL_PROC(_net_inet_tcp, OID_AUTO, getcred,
|
|
|
|
|
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
|
|
|
|
tcp_getcred, "S,xucred", "Get the xucred of a TCP connection");
|
1999-07-11 18:32:46 +00:00
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
static int
|
2000-07-04 11:25:35 +00:00
|
|
|
tcp6_getcred(SYSCTL_HANDLER_ARGS)
|
2000-01-09 19:17:30 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
|
|
|
|
INIT_VNET_INET6(curvnet);
|
2001-02-18 13:30:20 +00:00
|
|
|
struct xucred xuc;
|
2000-01-09 19:17:30 +00:00
|
|
|
struct sockaddr_in6 addrs[2];
|
|
|
|
|
struct inpcb *inp;
|
2005-07-19 12:21:26 +00:00
|
|
|
int error, mapped = 0;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2007-06-12 00:12:01 +00:00
|
|
|
error = priv_check(req->td, PRIV_NETINET_GETCRED);
|
2000-01-09 19:17:30 +00:00
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
error = SYSCTL_IN(req, addrs, sizeof(addrs));
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if ((error = sa6_embedscope(&addrs[0], V_ip6_use_defzone)) != 0 ||
|
|
|
|
|
(error = sa6_embedscope(&addrs[1], V_ip6_use_defzone)) != 0) {
|
2005-07-25 12:31:43 +00:00
|
|
|
return (error);
|
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
if (IN6_IS_ADDR_V4MAPPED(&addrs[0].sin6_addr)) {
|
|
|
|
|
if (IN6_IS_ADDR_V4MAPPED(&addrs[1].sin6_addr))
|
|
|
|
|
mapped = 1;
|
|
|
|
|
else
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
}
|
2005-07-25 12:31:43 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RLOCK(&V_tcbinfo);
|
2000-01-09 19:17:30 +00:00
|
|
|
if (mapped == 1)
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
inp = in_pcblookup_hash(&V_tcbinfo,
|
2000-01-09 19:17:30 +00:00
|
|
|
*(struct in_addr *)&addrs[1].sin6_addr.s6_addr[12],
|
|
|
|
|
addrs[1].sin6_port,
|
|
|
|
|
*(struct in_addr *)&addrs[0].sin6_addr.s6_addr[12],
|
|
|
|
|
addrs[0].sin6_port,
|
|
|
|
|
0, NULL);
|
|
|
|
|
else
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
inp = in6_pcblookup_hash(&V_tcbinfo,
|
2005-10-12 09:24:18 +00:00
|
|
|
&addrs[1].sin6_addr, addrs[1].sin6_port,
|
|
|
|
|
&addrs[0].sin6_addr, addrs[0].sin6_port, 0, NULL);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (inp != NULL) {
|
|
|
|
|
INP_RLOCK(inp);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (inp->inp_socket == NULL)
|
|
|
|
|
error = ENOENT;
|
|
|
|
|
if (error == 0)
|
2008-10-17 16:26:16 +00:00
|
|
|
error = cr_canseeinpcb(req->td->td_ucred, inp);
|
2008-05-29 14:28:26 +00:00
|
|
|
if (error == 0)
|
2008-10-04 15:06:34 +00:00
|
|
|
cru2x(inp->inp_cred, &xuc);
|
2008-05-29 14:28:26 +00:00
|
|
|
INP_RUNLOCK(inp);
|
|
|
|
|
} else {
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_RUNLOCK(&V_tcbinfo);
|
2002-07-11 23:13:31 +00:00
|
|
|
error = ENOENT;
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
2002-07-11 23:18:43 +00:00
|
|
|
if (error == 0)
|
|
|
|
|
error = SYSCTL_OUT(req, &xuc, sizeof(struct xucred));
|
2000-01-09 19:17:30 +00:00
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
2001-06-24 12:18:27 +00:00
|
|
|
SYSCTL_PROC(_net_inet6_tcp6, OID_AUTO, getcred,
|
|
|
|
|
CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0,
|
|
|
|
|
tcp6_getcred, "S,xucred", "Get the xucred of a TCP6 connection");
|
2000-01-09 19:17:30 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
|
1994-05-24 10:09:53 +00:00
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_ctlinput(int cmd, struct sockaddr *sa, void *vip)
|
1994-05-24 10:09:53 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2001-02-23 20:51:46 +00:00
|
|
|
struct ip *ip = vip;
|
|
|
|
|
struct tcphdr *th;
|
2001-02-26 21:19:47 +00:00
|
|
|
struct in_addr faddr;
|
|
|
|
|
struct inpcb *inp;
|
|
|
|
|
struct tcpcb *tp;
|
2002-06-14 08:35:21 +00:00
|
|
|
struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
|
2005-04-21 14:29:34 +00:00
|
|
|
struct icmp *icp;
|
|
|
|
|
struct in_conninfo inc;
|
|
|
|
|
tcp_seq icmp_tcp_seq;
|
2005-07-19 12:21:26 +00:00
|
|
|
int mtu;
|
2001-02-26 21:19:47 +00:00
|
|
|
|
|
|
|
|
faddr = ((struct sockaddr_in *)sa)->sin_addr;
|
|
|
|
|
if (sa->sa_family != AF_INET || faddr.s_addr == INADDR_ANY)
|
|
|
|
|
return;
|
1994-05-24 10:09:53 +00:00
|
|
|
|
2005-04-21 12:37:12 +00:00
|
|
|
if (cmd == PRC_MSGSIZE)
|
|
|
|
|
notify = tcp_mtudisc;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
else if (V_icmp_may_rst && (cmd == PRC_UNREACH_ADMIN_PROHIB ||
|
2002-06-30 20:07:21 +00:00
|
|
|
cmd == PRC_UNREACH_PORT || cmd == PRC_TIMXCEED_INTRANS) && ip)
|
2001-02-23 20:51:46 +00:00
|
|
|
notify = tcp_drop_syn_sent;
|
2003-11-20 20:07:39 +00:00
|
|
|
/*
|
|
|
|
|
* Redirects don't need to be handled up here.
|
|
|
|
|
*/
|
|
|
|
|
else if (PRC_IS_REDIRECT(cmd))
|
|
|
|
|
return;
|
2005-04-21 12:37:12 +00:00
|
|
|
/*
|
|
|
|
|
* Source quench is depreciated.
|
|
|
|
|
*/
|
|
|
|
|
else if (cmd == PRC_QUENCH)
|
|
|
|
|
return;
|
2003-11-20 20:07:39 +00:00
|
|
|
/*
|
|
|
|
|
* Hostdead is ugly because it goes linearly through all PCBs.
|
|
|
|
|
* XXX: We never get this from ICMP, otherwise it makes an
|
|
|
|
|
* excellent DoS attack on machines with many connections.
|
|
|
|
|
*/
|
|
|
|
|
else if (cmd == PRC_HOSTDEAD)
|
2004-04-05 00:49:07 +00:00
|
|
|
ip = NULL;
|
2003-09-11 21:40:21 +00:00
|
|
|
else if ((unsigned)cmd >= PRC_NCMDS || inetctlerrmap[cmd] == 0)
|
1994-05-24 10:09:53 +00:00
|
|
|
return;
|
2004-04-05 00:49:07 +00:00
|
|
|
if (ip != NULL) {
|
2005-04-21 14:29:34 +00:00
|
|
|
icp = (struct icmp *)((caddr_t)ip
|
|
|
|
|
- offsetof(struct icmp, icmp_ip));
|
2004-08-16 18:32:07 +00:00
|
|
|
th = (struct tcphdr *)((caddr_t)ip
|
2002-10-20 22:52:07 +00:00
|
|
|
+ (ip->ip_hl << 2));
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK(&V_tcbinfo);
|
|
|
|
|
inp = in_pcblookup_hash(&V_tcbinfo, faddr, th->th_dport,
|
2001-02-26 21:19:47 +00:00
|
|
|
ip->ip_src, th->th_sport, 0, NULL);
|
2002-06-10 20:05:46 +00:00
|
|
|
if (inp != NULL) {
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
if (!(inp->inp_vflag & INP_TIMEWAIT) &&
|
|
|
|
|
!(inp->inp_vflag & INP_DROPPED) &&
|
|
|
|
|
!(inp->inp_socket == NULL)) {
|
2005-04-21 14:29:34 +00:00
|
|
|
icmp_tcp_seq = htonl(th->th_seq);
|
2002-06-10 20:05:46 +00:00
|
|
|
tp = intotcpcb(inp);
|
2005-04-21 14:29:34 +00:00
|
|
|
if (SEQ_GEQ(icmp_tcp_seq, tp->snd_una) &&
|
|
|
|
|
SEQ_LT(icmp_tcp_seq, tp->snd_max)) {
|
|
|
|
|
if (cmd == PRC_MSGSIZE) {
|
|
|
|
|
/*
|
|
|
|
|
* MTU discovery:
|
|
|
|
|
* If we got a needfrag set the MTU
|
|
|
|
|
* in the route to the suggested new
|
|
|
|
|
* value (if given) and then notify.
|
|
|
|
|
*/
|
|
|
|
|
bzero(&inc, sizeof(inc));
|
|
|
|
|
inc.inc_flags = 0; /* IPv4 */
|
|
|
|
|
inc.inc_faddr = faddr;
|
Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
|
|
|
inc.inc_fibnum =
|
|
|
|
|
inp->inp_inc.inc_fibnum;
|
2005-04-21 14:29:34 +00:00
|
|
|
|
|
|
|
|
mtu = ntohs(icp->icmp_nextmtu);
|
2005-05-04 13:48:44 +00:00
|
|
|
/*
|
|
|
|
|
* If no alternative MTU was
|
|
|
|
|
* proposed, try the next smaller
|
2005-09-10 07:43:29 +00:00
|
|
|
* one. ip->ip_len has already
|
|
|
|
|
* been swapped in icmp_input().
|
2005-05-04 13:48:44 +00:00
|
|
|
*/
|
|
|
|
|
if (!mtu)
|
2005-09-10 07:43:29 +00:00
|
|
|
mtu = ip_next_mtu(ip->ip_len,
|
2005-05-04 13:48:44 +00:00
|
|
|
1);
|
2008-08-20 01:05:56 +00:00
|
|
|
if (mtu < max(296, V_tcp_minmss
|
2005-05-04 13:48:44 +00:00
|
|
|
+ sizeof(struct tcpiphdr)))
|
|
|
|
|
mtu = 0;
|
2005-04-21 14:29:34 +00:00
|
|
|
if (!mtu)
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
mtu = V_tcp_mssdflt
|
2005-05-04 13:48:44 +00:00
|
|
|
+ sizeof(struct tcpiphdr);
|
|
|
|
|
/*
|
|
|
|
|
* Only cache the the MTU if it
|
|
|
|
|
* is smaller than the interface
|
|
|
|
|
* or route MTU. tcp_mtudisc()
|
|
|
|
|
* will do right thing by itself.
|
|
|
|
|
*/
|
2006-09-06 21:51:59 +00:00
|
|
|
if (mtu <= tcp_maxmtu(&inc, NULL))
|
2005-04-21 14:29:34 +00:00
|
|
|
tcp_hc_updatemtu(&inc, mtu);
|
|
|
|
|
}
|
|
|
|
|
|
2002-06-14 08:35:21 +00:00
|
|
|
inp = (*notify)(inp, inetctlerrmap[cmd]);
|
2005-04-21 14:29:34 +00:00
|
|
|
}
|
2002-06-10 20:05:46 +00:00
|
|
|
}
|
2004-04-05 00:49:07 +00:00
|
|
|
if (inp != NULL)
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inp);
|
2001-11-22 04:50:44 +00:00
|
|
|
} else {
|
|
|
|
|
inc.inc_fport = th->th_dport;
|
|
|
|
|
inc.inc_lport = th->th_sport;
|
|
|
|
|
inc.inc_faddr = faddr;
|
|
|
|
|
inc.inc_laddr = ip->ip_src;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
inc.inc_isipv6 = 0;
|
|
|
|
|
#endif
|
|
|
|
|
syncache_unreach(&inc, th);
|
2001-02-26 21:19:47 +00:00
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WUNLOCK(&V_tcbinfo);
|
1994-05-24 10:09:53 +00:00
|
|
|
} else
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
in_pcbnotifyall(&V_tcbinfo, faddr, inetctlerrmap[cmd], notify);
|
1994-05-24 10:09:53 +00:00
|
|
|
}
|
|
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp6_ctlinput(int cmd, struct sockaddr *sa, void *d)
|
2000-01-09 19:17:30 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
2000-01-09 19:17:30 +00:00
|
|
|
struct tcphdr th;
|
2002-06-14 08:35:21 +00:00
|
|
|
struct inpcb *(*notify)(struct inpcb *, int) = tcp_notify;
|
2000-01-09 19:17:30 +00:00
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
|
struct mbuf *m;
|
2001-06-11 12:39:29 +00:00
|
|
|
struct ip6ctlparam *ip6cp = NULL;
|
|
|
|
|
const struct sockaddr_in6 *sa6_src = NULL;
|
2000-01-09 19:17:30 +00:00
|
|
|
int off;
|
2001-06-11 12:39:29 +00:00
|
|
|
struct tcp_portonly {
|
|
|
|
|
u_int16_t th_sport;
|
|
|
|
|
u_int16_t th_dport;
|
|
|
|
|
} *thp;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
|
|
|
|
if (sa->sa_family != AF_INET6 ||
|
|
|
|
|
sa->sa_len != sizeof(struct sockaddr_in6))
|
|
|
|
|
return;
|
|
|
|
|
|
2005-04-21 12:37:12 +00:00
|
|
|
if (cmd == PRC_MSGSIZE)
|
2000-01-09 19:17:30 +00:00
|
|
|
notify = tcp_mtudisc;
|
|
|
|
|
else if (!PRC_IS_REDIRECT(cmd) &&
|
2003-09-11 21:40:21 +00:00
|
|
|
((unsigned)cmd >= PRC_NCMDS || inet6ctlerrmap[cmd] == 0))
|
2000-01-09 19:17:30 +00:00
|
|
|
return;
|
2005-04-21 12:37:12 +00:00
|
|
|
/* Source quench is depreciated. */
|
|
|
|
|
else if (cmd == PRC_QUENCH)
|
|
|
|
|
return;
|
2000-01-09 19:17:30 +00:00
|
|
|
|
|
|
|
|
/* if the parameter is from icmp6, decode it. */
|
|
|
|
|
if (d != NULL) {
|
2001-06-11 12:39:29 +00:00
|
|
|
ip6cp = (struct ip6ctlparam *)d;
|
2000-01-09 19:17:30 +00:00
|
|
|
m = ip6cp->ip6c_m;
|
|
|
|
|
ip6 = ip6cp->ip6c_ip6;
|
|
|
|
|
off = ip6cp->ip6c_off;
|
2001-06-11 12:39:29 +00:00
|
|
|
sa6_src = ip6cp->ip6c_src;
|
2000-01-09 19:17:30 +00:00
|
|
|
} else {
|
|
|
|
|
m = NULL;
|
|
|
|
|
ip6 = NULL;
|
2000-10-23 07:11:01 +00:00
|
|
|
off = 0; /* fool gcc */
|
2001-06-11 12:39:29 +00:00
|
|
|
sa6_src = &sa6_any;
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
|
|
|
|
|
2004-04-05 00:49:07 +00:00
|
|
|
if (ip6 != NULL) {
|
2001-11-22 04:50:44 +00:00
|
|
|
struct in_conninfo inc;
|
2000-01-09 19:17:30 +00:00
|
|
|
/*
|
|
|
|
|
* XXX: We assume that when IPV6 is non NULL,
|
|
|
|
|
* M and OFF are valid.
|
|
|
|
|
*/
|
|
|
|
|
|
2000-10-23 07:11:01 +00:00
|
|
|
/* check if we can safely examine src and dst ports */
|
2001-06-11 12:39:29 +00:00
|
|
|
if (m->m_pkthdr.len < off + sizeof(*thp))
|
2000-10-23 07:11:01 +00:00
|
|
|
return;
|
|
|
|
|
|
2001-06-11 12:39:29 +00:00
|
|
|
bzero(&th, sizeof(th));
|
|
|
|
|
m_copydata(m, off, sizeof(*thp), (caddr_t)&th);
|
|
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
in6_pcbnotify(&V_tcbinfo, sa, th.th_dport,
|
2001-06-11 12:39:29 +00:00
|
|
|
(struct sockaddr *)ip6cp->ip6c_src,
|
2004-02-13 14:50:01 +00:00
|
|
|
th.th_sport, cmd, NULL, notify);
|
2001-11-22 04:50:44 +00:00
|
|
|
|
|
|
|
|
inc.inc_fport = th.th_dport;
|
|
|
|
|
inc.inc_lport = th.th_sport;
|
|
|
|
|
inc.inc6_faddr = ((struct sockaddr_in6 *)sa)->sin6_addr;
|
|
|
|
|
inc.inc6_laddr = ip6cp->ip6c_src->sin6_addr;
|
|
|
|
|
inc.inc_isipv6 = 1;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK(&V_tcbinfo);
|
2001-11-22 04:50:44 +00:00
|
|
|
syncache_unreach(&inc, &th);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WUNLOCK(&V_tcbinfo);
|
2000-01-09 19:17:30 +00:00
|
|
|
} else
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
in6_pcbnotify(&V_tcbinfo, sa, 0, (const struct sockaddr *)sa6_src,
|
2004-02-13 14:50:01 +00:00
|
|
|
0, cmd, NULL, notify);
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
|
2001-04-17 18:08:01 +00:00
|
|
|
|
2001-08-22 00:58:16 +00:00
|
|
|
/*
|
|
|
|
|
* Following is where TCP initial sequence number generation occurs.
|
|
|
|
|
*
|
|
|
|
|
* There are two places where we must use initial sequence numbers:
|
|
|
|
|
* 1. In SYN-ACK packets.
|
|
|
|
|
* 2. In SYN packets.
|
|
|
|
|
*
|
2002-04-10 22:12:01 +00:00
|
|
|
* All ISNs for SYN-ACK packets are generated by the syncache. See
|
|
|
|
|
* tcp_syncache.c for details.
|
2001-08-22 00:58:16 +00:00
|
|
|
*
|
|
|
|
|
* The ISNs in SYN packets must be monotonic; TIME_WAIT recycling
|
|
|
|
|
* depends on this property. In addition, these ISNs should be
|
|
|
|
|
* unguessable so as to prevent connection hijacking. To satisfy
|
|
|
|
|
* the requirements of this situation, the algorithm outlined in
|
2004-08-16 18:32:07 +00:00
|
|
|
* RFC 1948 is used, with only small modifications.
|
2001-08-22 00:58:16 +00:00
|
|
|
*
|
|
|
|
|
* Implementation details:
|
|
|
|
|
*
|
|
|
|
|
* Time is based off the system timer, and is corrected so that it
|
|
|
|
|
* increases by one megabyte per second. This allows for proper
|
|
|
|
|
* recycling on high speed LANs while still leaving over an hour
|
|
|
|
|
* before rollover.
|
|
|
|
|
*
|
2004-04-20 06:33:39 +00:00
|
|
|
* As reading the *exact* system time is too expensive to be done
|
|
|
|
|
* whenever setting up a TCP connection, we increment the time
|
|
|
|
|
* offset in two ways. First, a small random positive increment
|
|
|
|
|
* is added to isn_offset for each connection that is set up.
|
|
|
|
|
* Second, the function tcp_isn_tick fires once per clock tick
|
|
|
|
|
* and increments isn_offset as necessary so that sequence numbers
|
|
|
|
|
* are incremented at approximately ISN_BYTES_PER_SECOND. The
|
|
|
|
|
* random positive increments serve only to ensure that the same
|
|
|
|
|
* exact sequence number is never sent out twice (as could otherwise
|
|
|
|
|
* happen when a port is recycled in less than the system tick
|
|
|
|
|
* interval.)
|
|
|
|
|
*
|
2001-08-22 00:58:16 +00:00
|
|
|
* net.inet.tcp.isn_reseed_interval controls the number of seconds
|
|
|
|
|
* between seeding of isn_secret. This is normally set to zero,
|
|
|
|
|
* as reseeding should not be necessary.
|
|
|
|
|
*
|
2004-11-23 15:59:43 +00:00
|
|
|
* Locking of the global variables isn_secret, isn_last_reseed, isn_offset,
|
|
|
|
|
* isn_offset_old, and isn_ctx is performed using the TCP pcbinfo lock. In
|
|
|
|
|
* general, this means holding an exclusive (write) lock.
|
2001-08-22 00:58:16 +00:00
|
|
|
*/
|
2001-04-17 18:08:01 +00:00
|
|
|
|
2001-08-22 00:58:16 +00:00
|
|
|
#define ISN_BYTES_PER_SECOND 1048576
|
2004-04-20 06:33:39 +00:00
|
|
|
#define ISN_STATIC_INCREMENT 4096
|
|
|
|
|
#define ISN_RANDOM_INCREMENT (4096 - 1)
|
2001-04-17 18:08:01 +00:00
|
|
|
|
2008-11-19 09:39:34 +00:00
|
|
|
#ifdef VIMAGE_GLOBALS
|
2004-11-23 15:59:43 +00:00
|
|
|
static u_char isn_secret[32];
|
|
|
|
|
static int isn_last_reseed;
|
|
|
|
|
static u_int32_t isn_offset, isn_offset_old;
|
|
|
|
|
static MD5_CTX isn_ctx;
|
2008-11-19 09:39:34 +00:00
|
|
|
#endif
|
2001-04-17 18:08:01 +00:00
|
|
|
|
|
|
|
|
tcp_seq
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_new_isn(struct tcpcb *tp)
|
2001-04-17 18:08:01 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(tp->t_vnet);
|
2001-08-22 00:58:16 +00:00
|
|
|
u_int32_t md5_buffer[4];
|
|
|
|
|
tcp_seq new_isn;
|
|
|
|
|
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(tp->t_inpcb);
|
2004-11-23 15:59:43 +00:00
|
|
|
|
2006-04-23 12:27:42 +00:00
|
|
|
ISN_LOCK();
|
2001-08-22 00:58:16 +00:00
|
|
|
/* Seed if this is the first use, reseed if requested. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if ((V_isn_last_reseed == 0) || ((V_tcp_isn_reseed_interval > 0) &&
|
|
|
|
|
(((u_int)V_isn_last_reseed + (u_int)V_tcp_isn_reseed_interval*hz)
|
2001-08-22 00:58:16 +00:00
|
|
|
< (u_int)ticks))) {
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
read_random(&V_isn_secret, sizeof(V_isn_secret));
|
|
|
|
|
V_isn_last_reseed = ticks;
|
2001-08-22 00:58:16 +00:00
|
|
|
}
|
2004-08-16 18:32:07 +00:00
|
|
|
|
2001-08-22 00:58:16 +00:00
|
|
|
/* Compute the md5 hash and return the ISN. */
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Init(&V_isn_ctx);
|
|
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->inp_fport, sizeof(u_short));
|
|
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->inp_lport, sizeof(u_short));
|
2001-08-22 00:58:16 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
if ((tp->t_inpcb->inp_vflag & INP_IPV6) != 0) {
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->in6p_faddr,
|
2001-08-22 00:58:16 +00:00
|
|
|
sizeof(struct in6_addr));
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->in6p_laddr,
|
2001-08-22 00:58:16 +00:00
|
|
|
sizeof(struct in6_addr));
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
|
|
|
|
{
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->inp_faddr,
|
2001-08-22 00:58:16 +00:00
|
|
|
sizeof(struct in_addr));
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &tp->t_inpcb->inp_laddr,
|
2001-08-22 00:58:16 +00:00
|
|
|
sizeof(struct in_addr));
|
|
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
MD5Update(&V_isn_ctx, (u_char *) &V_isn_secret, sizeof(V_isn_secret));
|
|
|
|
|
MD5Final((u_char *) &md5_buffer, &V_isn_ctx);
|
2001-08-22 00:58:16 +00:00
|
|
|
new_isn = (tcp_seq) md5_buffer[0];
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_isn_offset += ISN_STATIC_INCREMENT +
|
2004-04-20 06:33:39 +00:00
|
|
|
(arc4random() & ISN_RANDOM_INCREMENT);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
new_isn += V_isn_offset;
|
2006-04-23 12:27:42 +00:00
|
|
|
ISN_UNLOCK();
|
2004-12-23 01:34:26 +00:00
|
|
|
return (new_isn);
|
2001-04-17 18:08:01 +00:00
|
|
|
}
|
|
|
|
|
|
2004-04-20 06:33:39 +00:00
|
|
|
/*
|
2007-08-16 01:35:55 +00:00
|
|
|
* Increment the offset to the next ISN_BYTES_PER_SECOND / 100 boundary
|
2004-04-20 06:33:39 +00:00
|
|
|
* to keep time flowing at a relatively constant rate. If the random
|
|
|
|
|
* increments have already pushed us past the projected offset, do nothing.
|
|
|
|
|
*/
|
|
|
|
|
static void
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_isn_tick(void *xtp)
|
2004-04-20 06:33:39 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
VNET_ITERATOR_DECL(vnet_iter);
|
2004-04-20 06:33:39 +00:00
|
|
|
u_int32_t projected_offset;
|
2004-08-16 18:32:07 +00:00
|
|
|
|
2006-04-23 12:27:42 +00:00
|
|
|
ISN_LOCK();
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
VNET_LIST_RLOCK();
|
|
|
|
|
VNET_FOREACH(vnet_iter) {
|
|
|
|
|
CURVNET_SET(vnet_iter); /* XXX appease INVARIANTS */
|
|
|
|
|
INIT_VNET_INET(curvnet);
|
|
|
|
|
projected_offset =
|
|
|
|
|
V_isn_offset_old + ISN_BYTES_PER_SECOND / 100;
|
|
|
|
|
|
|
|
|
|
if (SEQ_GT(projected_offset, V_isn_offset))
|
|
|
|
|
V_isn_offset = projected_offset;
|
|
|
|
|
|
|
|
|
|
V_isn_offset_old = V_isn_offset;
|
|
|
|
|
CURVNET_RESTORE();
|
|
|
|
|
}
|
|
|
|
|
VNET_LIST_RUNLOCK();
|
2005-01-30 23:30:28 +00:00
|
|
|
callout_reset(&isn_callout, hz/100, tcp_isn_tick, NULL);
|
2006-04-23 12:27:42 +00:00
|
|
|
ISN_UNLOCK();
|
2004-04-20 06:33:39 +00:00
|
|
|
}
|
|
|
|
|
|
We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.
rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.
quote begin.
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
quote end.
I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.
When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.
The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.
I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.
PR: 23086
Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
|
|
|
/*
|
2001-02-23 20:51:46 +00:00
|
|
|
* When a specific ICMP unreachable message is received and the
|
|
|
|
|
* connection state is SYN-SENT, drop the connection. This behavior
|
|
|
|
|
* is controlled by the icmp_may_rst sysctl.
|
We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.
rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.
quote begin.
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
quote end.
I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.
When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.
The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.
I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.
PR: 23086
Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
|
|
|
*/
|
2002-06-14 08:35:21 +00:00
|
|
|
struct inpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_drop_syn_sent(struct inpcb *inp, int errno)
|
We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.
rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.
quote begin.
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
quote end.
I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.
When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.
The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.
I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.
PR: 23086
Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
#ifdef INVARIANTS
|
|
|
|
|
INIT_VNET_INET(inp->inp_vnet);
|
|
|
|
|
#endif
|
2006-04-03 13:33:55 +00:00
|
|
|
struct tcpcb *tp;
|
We currently does not react to ICMP administratively prohibited
messages send by routers when they deny our traffic, this causes
a timeout when trying to connect to TCP ports/services on a remote
host, which is blocked by routers or firewalls.
rfc1122 (Requirements for Internet Hosts) section 3.2.2.1 actually
requi re that we treat such a message for a TCP session, that we
treat it like if we had recieved a RST.
quote begin.
A Destination Unreachable message that is received MUST be
reported to the transport layer. The transport layer SHOULD
use the information appropriately; for example, see Sections
4.1.3.3, 4.2.3.9, and 4.2.4 below. A transport protocol
that has its own mechanism for notifying the sender that a
port is unreachable (e.g., TCP, which sends RST segments)
MUST nevertheless accept an ICMP Port Unreachable for the
same purpose.
quote end.
I've written a small extension that implement this, it also create
a sysctl "net.inet.tcp.icmp_admin_prohib_like_rst" to control if
this new behaviour is activated.
When it's activated (set to 1) we'll treat a ICMP administratively
prohibited message (icmp type 3 code 9, 10 and 13) for a TCP
sessions, as if we recived a TCP RST, but only if the TCP session
is in SYN_SENT state.
The reason for only reacting when in SYN_SENT state, is that this
will solve the problem, and at the same time minimize the risk of
this being abused.
I suggest that we enable this new behaviour by default, but it
would be a change of current behaviour, so if people prefer to
leave it disabled by default, at least for now, this would be ok
for me, the attached diff actually have the sysctl set to 0 by
default.
PR: 23086
Submitted by: Jesper Skriver <jesper@skriver.dk>
2000-12-16 19:42:06 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK_ASSERT(&V_tcbinfo);
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
|
|
|
|
|
if ((inp->inp_vflag & INP_TIMEWAIT) ||
|
|
|
|
|
(inp->inp_vflag & INP_DROPPED))
|
|
|
|
|
return (inp);
|
|
|
|
|
|
2006-04-03 13:33:55 +00:00
|
|
|
tp = intotcpcb(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
if (tp->t_state != TCPS_SYN_SENT)
|
|
|
|
|
return (inp);
|
2005-06-01 12:06:07 +00:00
|
|
|
|
2006-04-03 14:07:50 +00:00
|
|
|
tp = tcp_drop(tp, errno);
|
|
|
|
|
if (tp != NULL)
|
|
|
|
|
return (inp);
|
|
|
|
|
else
|
|
|
|
|
return (NULL);
|
2001-02-18 09:34:55 +00:00
|
|
|
}
|
|
|
|
|
|
1995-09-18 15:51:40 +00:00
|
|
|
/*
|
|
|
|
|
* When `need fragmentation' ICMP is received, update our idea of the MSS
|
|
|
|
|
* based on the new value in the route. Also nudge TCP to send something,
|
|
|
|
|
* since we know the packet we just sent was dropped.
|
1995-09-20 21:00:59 +00:00
|
|
|
* This duplicates some code in the tcp_mss() function in tcp_input.c.
|
1995-09-18 15:51:40 +00:00
|
|
|
*/
|
2002-06-14 08:35:21 +00:00
|
|
|
struct inpcb *
|
2006-04-03 12:59:27 +00:00
|
|
|
tcp_mtudisc(struct inpcb *inp, int errno)
|
1995-09-18 15:51:40 +00:00
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(inp->inp_vnet);
|
2006-04-03 13:33:55 +00:00
|
|
|
struct tcpcb *tp;
|
2008-09-07 18:50:25 +00:00
|
|
|
struct socket *so;
|
1995-09-18 15:51:40 +00:00
|
|
|
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
if ((inp->inp_vflag & INP_TIMEWAIT) ||
|
|
|
|
|
(inp->inp_vflag & INP_DROPPED))
|
|
|
|
|
return (inp);
|
|
|
|
|
|
2006-04-03 13:33:55 +00:00
|
|
|
tp = intotcpcb(inp);
|
2006-04-03 14:07:50 +00:00
|
|
|
KASSERT(tp != NULL, ("tcp_mtudisc: tp == NULL"));
|
|
|
|
|
|
2008-11-06 13:25:59 +00:00
|
|
|
tcp_mss_update(tp, -1, NULL, NULL);
|
2008-09-07 18:50:25 +00:00
|
|
|
|
|
|
|
|
so = inp->inp_socket;
|
|
|
|
|
SOCKBUF_LOCK(&so->so_snd);
|
|
|
|
|
/* If the mss is larger than the socket buffer, decrease the mss. */
|
|
|
|
|
if (so->so_snd.sb_hiwat < tp->t_maxseg)
|
|
|
|
|
tp->t_maxseg = so->so_snd.sb_hiwat;
|
|
|
|
|
SOCKBUF_UNLOCK(&so->so_snd);
|
1995-09-20 21:00:59 +00:00
|
|
|
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
V_tcpstat.tcps_mturesent++;
|
2006-04-03 14:07:50 +00:00
|
|
|
tp->t_rtttime = 0;
|
|
|
|
|
tp->snd_nxt = tp->snd_una;
|
2006-08-26 17:53:19 +00:00
|
|
|
tcp_free_sackholes(tp);
|
|
|
|
|
tp->snd_recover = tp->snd_max;
|
2007-05-06 15:56:31 +00:00
|
|
|
if (tp->t_flags & TF_SACK_PERMIT)
|
2006-08-26 17:53:19 +00:00
|
|
|
EXIT_FASTRECOVERY(tp);
|
2007-12-18 22:59:07 +00:00
|
|
|
tcp_output_send(tp);
|
2004-12-23 01:34:26 +00:00
|
|
|
return (inp);
|
1995-09-18 15:51:40 +00:00
|
|
|
}
|
|
|
|
|
|
1995-02-09 23:13:27 +00:00
|
|
|
/*
|
|
|
|
|
* Look-up the routing entry to the peer of this inpcb. If no route
|
2008-11-06 12:59:00 +00:00
|
|
|
* is found and it cannot be allocated, then return 0. This routine
|
|
|
|
|
* is called by TCP routines that access the rmx structure and by
|
|
|
|
|
* tcp_mss_update to get the peer/interface MTU.
|
1995-02-09 23:13:27 +00:00
|
|
|
*/
|
2004-08-16 18:32:07 +00:00
|
|
|
u_long
|
2006-09-06 21:51:59 +00:00
|
|
|
tcp_maxmtu(struct in_conninfo *inc, int *flags)
|
1995-02-09 23:13:27 +00:00
|
|
|
{
|
2003-11-20 20:07:39 +00:00
|
|
|
struct route sro;
|
|
|
|
|
struct sockaddr_in *dst;
|
|
|
|
|
struct ifnet *ifp;
|
|
|
|
|
u_long maxmtu = 0;
|
|
|
|
|
|
|
|
|
|
KASSERT(inc != NULL, ("tcp_maxmtu with NULL in_conninfo pointer"));
|
|
|
|
|
|
2003-11-26 20:31:13 +00:00
|
|
|
bzero(&sro, sizeof(sro));
|
2003-11-20 20:07:39 +00:00
|
|
|
if (inc->inc_faddr.s_addr != INADDR_ANY) {
|
|
|
|
|
dst = (struct sockaddr_in *)&sro.ro_dst;
|
|
|
|
|
dst->sin_family = AF_INET;
|
|
|
|
|
dst->sin_len = sizeof(*dst);
|
|
|
|
|
dst->sin_addr = inc->inc_faddr;
|
Add code to allow the system to handle multiple routing tables.
This particular implementation is designed to be fully backwards compatible
and to be MFC-able to 7.x (and 6.x)
Currently the only protocol that can make use of the multiple tables is IPv4
Similar functionality exists in OpenBSD and Linux.
From my notes:
-----
One thing where FreeBSD has been falling behind, and which by chance I
have some time to work on is "policy based routing", which allows
different
packet streams to be routed by more than just the destination address.
Constraints:
------------
I want to make some form of this available in the 6.x tree
(and by extension 7.x) , but FreeBSD in general needs it so I might as
well do it in -current and back port the portions I need.
One of the ways that this can be done is to have the ability to
instantiate multiple kernel routing tables (which I will now
refer to as "Forwarding Information Bases" or "FIBs" for political
correctness reasons). Which FIB a particular packet uses to make
the next hop decision can be decided by a number of mechanisms.
The policies these mechanisms implement are the "Policies" referred
to in "Policy based routing".
One of the constraints I have if I try to back port this work to
6.x is that it must be implemented as a EXTENSION to the existing
ABIs in 6.x so that third party applications do not need to be
recompiled in timespan of the branch.
This first version will not have some of the bells and whistles that
will come with later versions. It will, for example, be limited to 16
tables in the first commit.
Implementation method, Compatible version. (part 1)
-------------------------------
For this reason I have implemented a "sufficient subset" of a
multiple routing table solution in Perforce, and back-ported it
to 6.x. (also in Perforce though not always caught up with what I
have done in -current/P4). The subset allows a number of FIBs
to be defined at compile time (8 is sufficient for my purposes in 6.x)
and implements the changes needed to allow IPV4 to use them. I have not
done the changes for ipv6 simply because I do not need it, and I do not
have enough knowledge of ipv6 (e.g. neighbor discovery) needed to do it.
Other protocol families are left untouched and should there be
users with proprietary protocol families, they should continue to work
and be oblivious to the existence of the extra FIBs.
To understand how this is done, one must know that the current FIB
code starts everything off with a single dimensional array of
pointers to FIB head structures (One per protocol family), each of
which in turn points to the trie of routes available to that family.
The basic change in the ABI compatible version of the change is to
extent that array to be a 2 dimensional array, so that
instead of protocol family X looking at rt_tables[X] for the
table it needs, it looks at rt_tables[Y][X] when for all
protocol families except ipv4 Y is always 0.
Code that is unaware of the change always just sees the first row
of the table, which of course looks just like the one dimensional
array that existed before.
The entry points rtrequest(), rtalloc(), rtalloc1(), rtalloc_ign()
are all maintained, but refer only to the first row of the array,
so that existing callers in proprietary protocols can continue to
do the "right thing".
Some new entry points are added, for the exclusive use of ipv4 code
called in_rtrequest(), in_rtalloc(), in_rtalloc1() and in_rtalloc_ign(),
which have an extra argument which refers the code to the correct row.
In addition, there are some new entry points (currently called
rtalloc_fib() and friends) that check the Address family being
looked up and call either rtalloc() (and friends) if the protocol
is not IPv4 forcing the action to row 0 or to the appropriate row
if it IS IPv4 (and that info is available). These are for calling
from code that is not specific to any particular protocol. The way
these are implemented would change in the non ABI preserving code
to be added later.
One feature of the first version of the code is that for ipv4,
the interface routes show up automatically on all the FIBs, so
that no matter what FIB you select you always have the basic
direct attached hosts available to you. (rtinit() does this
automatically).
You CAN delete an interface route from one FIB should you want
to but by default it's there. ARP information is also available
in each FIB. It's assumed that the same machine would have the
same MAC address, regardless of which FIB you are using to get
to it.
This brings us as to how the correct FIB is selected for an outgoing
IPV4 packet.
Firstly, all packets have a FIB associated with them. if nothing
has been done to change it, it will be FIB 0. The FIB is changed
in the following ways.
Packets fall into one of a number of classes.
1/ locally generated packets, coming from a socket/PCB.
Such packets select a FIB from a number associated with the
socket/PCB. This in turn is inherited from the process,
but can be changed by a socket option. The process in turn
inherits it on fork. I have written a utility call setfib
that acts a bit like nice..
setfib -3 ping target.example.com # will use fib 3 for ping.
It is an obvious extension to make it a property of a jail
but I have not done so. It can be achieved by combining the setfib and
jail commands.
2/ packets received on an interface for forwarding.
By default these packets would use table 0,
(or possibly a number settable in a sysctl(not yet)).
but prior to routing the firewall can inspect them (see below).
(possibly in the future you may be able to associate a FIB
with packets received on an interface.. An ifconfig arg, but not yet.)
3/ packets inspected by a packet classifier, which can arbitrarily
associate a fib with it on a packet by packet basis.
A fib assigned to a packet by a packet classifier
(such as ipfw) would over-ride a fib associated by
a more default source. (such as cases 1 or 2).
4/ a tcp listen socket associated with a fib will generate
accept sockets that are associated with that same fib.
5/ Packets generated in response to some other packet (e.g. reset
or icmp packets). These should use the FIB associated with the
packet being reponded to.
6/ Packets generated during encapsulation.
gif, tun and other tunnel interfaces will encapsulate using the FIB
that was in effect withthe proces that set up the tunnel.
thus setfib 1 ifconfig gif0 [tunnel instructions]
will set the fib for the tunnel to use to be fib 1.
Routing messages would be associated with their
process, and thus select one FIB or another.
messages from the kernel would be associated with the fib they
refer to and would only be received by a routing socket associated
with that fib. (not yet implemented)
In addition Netstat has been edited to be able to cope with the
fact that the array is now 2 dimensional. (It looks in system
memory using libkvm (!)). Old versions of netstat see only the first FIB.
In addition two sysctls are added to give:
a) the number of FIBs compiled in (active)
b) the default FIB of the calling process.
Early testing experience:
-------------------------
Basically our (IronPort's) appliance does this functionality already
using ipfw fwd but that method has some drawbacks.
For example,
It can't fully simulate a routing table because it can't influence the
socket's choice of local address when a connect() is done.
Testing during the generating of these changes has been
remarkably smooth so far. Multiple tables have co-existed
with no notable side effects, and packets have been routes
accordingly.
ipfw has grown 2 new keywords:
setfib N ip from anay to any
count ip from any to any fib N
In pf there seems to be a requirement to be able to give symbolic names to the
fibs but I do not have that capacity. I am not sure if it is required.
SCTP has interestingly enough built in support for this, called VRFs
in Cisco parlance. it will be interesting to see how that handles it
when it suddenly actually does something.
Where to next:
--------------------
After committing the ABI compatible version and MFCing it, I'd
like to proceed in a forward direction in -current. this will
result in some roto-tilling in the routing code.
Firstly: the current code's idea of having a separate tree per
protocol family, all of the same format, and pointed to by the
1 dimensional array is a bit silly. Especially when one considers that
there is code that makes assumptions about every protocol having the
same internal structures there. Some protocols don't WANT that
sort of structure. (for example the whole idea of a netmask is foreign
to appletalk). This needs to be made opaque to the external code.
My suggested first change is to add routing method pointers to the
'domain' structure, along with information pointing the data.
instead of having an array of pointers to uniform structures,
there would be an array pointing to the 'domain' structures
for each protocol address domain (protocol family),
and the methods this reached would be called. The methods would have
an argument that gives FIB number, but the protocol would be free
to ignore it.
When the ABI can be changed it raises the possibilty of the
addition of a fib entry into the "struct route". Currently,
the structure contains the sockaddr of the desination, and the resulting
fib entry. To make this work fully, one could add a fib number
so that given an address and a fib, one can find the third element, the
fib entry.
Interaction with the ARP layer/ LL layer would need to be
revisited as well. Qing Li has been working on this already.
This work was sponsored by Ironport Systems/Cisco
Reviewed by: several including rwatson, bz and mlair (parts each)
Obtained from: Ironport systems/Cisco
2008-05-09 23:03:00 +00:00
|
|
|
in_rtalloc_ign(&sro, RTF_CLONING, inc->inc_fibnum);
|
2003-11-20 20:07:39 +00:00
|
|
|
}
|
|
|
|
|
if (sro.ro_rt != NULL) {
|
|
|
|
|
ifp = sro.ro_rt->rt_ifp;
|
|
|
|
|
if (sro.ro_rt->rt_rmx.rmx_mtu == 0)
|
|
|
|
|
maxmtu = ifp->if_mtu;
|
|
|
|
|
else
|
|
|
|
|
maxmtu = min(sro.ro_rt->rt_rmx.rmx_mtu, ifp->if_mtu);
|
2006-09-06 21:51:59 +00:00
|
|
|
|
|
|
|
|
/* Report additional interface capabilities. */
|
|
|
|
|
if (flags != NULL) {
|
|
|
|
|
if (ifp->if_capenable & IFCAP_TSO4 &&
|
|
|
|
|
ifp->if_hwassist & CSUM_TSO)
|
|
|
|
|
*flags |= CSUM_TSO;
|
|
|
|
|
}
|
2003-11-20 20:07:39 +00:00
|
|
|
RTFREE(sro.ro_rt);
|
1995-02-09 23:13:27 +00:00
|
|
|
}
|
2003-11-20 20:07:39 +00:00
|
|
|
return (maxmtu);
|
1995-02-09 23:13:27 +00:00
|
|
|
}
|
|
|
|
|
|
2000-01-09 19:17:30 +00:00
|
|
|
#ifdef INET6
|
2003-11-20 20:07:39 +00:00
|
|
|
u_long
|
2006-09-06 21:51:59 +00:00
|
|
|
tcp_maxmtu6(struct in_conninfo *inc, int *flags)
|
2000-01-09 19:17:30 +00:00
|
|
|
{
|
2003-11-20 20:07:39 +00:00
|
|
|
struct route_in6 sro6;
|
|
|
|
|
struct ifnet *ifp;
|
|
|
|
|
u_long maxmtu = 0;
|
|
|
|
|
|
|
|
|
|
KASSERT(inc != NULL, ("tcp_maxmtu6 with NULL in_conninfo pointer"));
|
|
|
|
|
|
2003-11-26 20:31:13 +00:00
|
|
|
bzero(&sro6, sizeof(sro6));
|
2003-11-20 20:07:39 +00:00
|
|
|
if (!IN6_IS_ADDR_UNSPECIFIED(&inc->inc6_faddr)) {
|
|
|
|
|
sro6.ro_dst.sin6_family = AF_INET6;
|
|
|
|
|
sro6.ro_dst.sin6_len = sizeof(struct sockaddr_in6);
|
|
|
|
|
sro6.ro_dst.sin6_addr = inc->inc6_faddr;
|
|
|
|
|
rtalloc_ign((struct route *)&sro6, RTF_CLONING);
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
2003-11-20 20:07:39 +00:00
|
|
|
if (sro6.ro_rt != NULL) {
|
|
|
|
|
ifp = sro6.ro_rt->rt_ifp;
|
|
|
|
|
if (sro6.ro_rt->rt_rmx.rmx_mtu == 0)
|
|
|
|
|
maxmtu = IN6_LINKMTU(sro6.ro_rt->rt_ifp);
|
|
|
|
|
else
|
|
|
|
|
maxmtu = min(sro6.ro_rt->rt_rmx.rmx_mtu,
|
|
|
|
|
IN6_LINKMTU(sro6.ro_rt->rt_ifp));
|
2006-09-06 21:51:59 +00:00
|
|
|
|
|
|
|
|
/* Report additional interface capabilities. */
|
|
|
|
|
if (flags != NULL) {
|
|
|
|
|
if (ifp->if_capenable & IFCAP_TSO6 &&
|
|
|
|
|
ifp->if_hwassist & CSUM_TSO)
|
|
|
|
|
*flags |= CSUM_TSO;
|
|
|
|
|
}
|
2003-11-20 20:07:39 +00:00
|
|
|
RTFREE(sro6.ro_rt);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return (maxmtu);
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
|
2007-07-03 12:13:45 +00:00
|
|
|
#ifdef IPSEC
|
2000-01-09 19:17:30 +00:00
|
|
|
/* compute ESP/AH header size for TCP, including outer IP header. */
|
|
|
|
|
size_t
|
2006-04-03 12:59:27 +00:00
|
|
|
ipsec_hdrsiz_tcp(struct tcpcb *tp)
|
2000-01-09 19:17:30 +00:00
|
|
|
{
|
|
|
|
|
struct inpcb *inp;
|
|
|
|
|
struct mbuf *m;
|
|
|
|
|
size_t hdrsiz;
|
|
|
|
|
struct ip *ip;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
struct ip6_hdr *ip6;
|
2003-02-19 22:32:43 +00:00
|
|
|
#endif
|
2000-01-09 19:17:30 +00:00
|
|
|
struct tcphdr *th;
|
|
|
|
|
|
2001-06-23 03:21:46 +00:00
|
|
|
if ((tp == NULL) || ((inp = tp->t_inpcb) == NULL))
|
2004-12-23 01:34:26 +00:00
|
|
|
return (0);
|
2003-02-19 05:47:46 +00:00
|
|
|
MGETHDR(m, M_DONTWAIT, MT_DATA);
|
2000-01-09 19:17:30 +00:00
|
|
|
if (!m)
|
2004-12-23 01:34:26 +00:00
|
|
|
return (0);
|
2000-01-09 19:17:30 +00:00
|
|
|
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
if ((inp->inp_vflag & INP_IPV6) != 0) {
|
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
|
th = (struct tcphdr *)(ip6 + 1);
|
|
|
|
|
m->m_pkthdr.len = m->m_len =
|
|
|
|
|
sizeof(struct ip6_hdr) + sizeof(struct tcphdr);
|
2003-02-19 22:18:06 +00:00
|
|
|
tcpip_fillheaders(inp, ip6, th);
|
2000-01-09 19:17:30 +00:00
|
|
|
hdrsiz = ipsec6_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
|
|
|
|
|
} else
|
|
|
|
|
#endif /* INET6 */
|
2004-08-16 18:32:07 +00:00
|
|
|
{
|
|
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
|
th = (struct tcphdr *)(ip + 1);
|
|
|
|
|
m->m_pkthdr.len = m->m_len = sizeof(struct tcpiphdr);
|
|
|
|
|
tcpip_fillheaders(inp, ip, th);
|
|
|
|
|
hdrsiz = ipsec4_hdrsiz(m, IPSEC_DIR_OUTBOUND, inp);
|
|
|
|
|
}
|
2000-01-09 19:17:30 +00:00
|
|
|
|
|
|
|
|
m_free(m);
|
2004-12-23 01:34:26 +00:00
|
|
|
return (hdrsiz);
|
2000-01-09 19:17:30 +00:00
|
|
|
}
|
2007-07-03 12:13:45 +00:00
|
|
|
#endif /* IPSEC */
|
2000-01-09 19:17:30 +00:00
|
|
|
|
2002-08-17 18:26:02 +00:00
|
|
|
/*
|
|
|
|
|
* TCP BANDWIDTH DELAY PRODUCT WINDOW LIMITING
|
|
|
|
|
*
|
|
|
|
|
* This code attempts to calculate the bandwidth-delay product as a
|
|
|
|
|
* means of determining the optimal window size to maximize bandwidth,
|
|
|
|
|
* minimize RTT, and avoid the over-allocation of buffers on interfaces and
|
|
|
|
|
* routers. This code also does a fairly good job keeping RTTs in check
|
|
|
|
|
* across slow links like modems. We implement an algorithm which is very
|
|
|
|
|
* similar (but not meant to be) TCP/Vegas. The code operates on the
|
|
|
|
|
* transmitter side of a TCP connection and so only effects the transmit
|
|
|
|
|
* side of the connection.
|
|
|
|
|
*
|
|
|
|
|
* BACKGROUND: TCP makes no provision for the management of buffer space
|
2004-08-16 18:32:07 +00:00
|
|
|
* at the end points or at the intermediate routers and switches. A TCP
|
2002-08-17 18:26:02 +00:00
|
|
|
* stream, whether using NewReno or not, will eventually buffer as
|
|
|
|
|
* many packets as it is able and the only reason this typically works is
|
|
|
|
|
* due to the fairly small default buffers made available for a connection
|
|
|
|
|
* (typicaly 16K or 32K). As machines use larger windows and/or window
|
|
|
|
|
* scaling it is now fairly easy for even a single TCP connection to blow-out
|
2004-08-16 18:32:07 +00:00
|
|
|
* all available buffer space not only on the local interface, but on
|
2002-08-17 18:26:02 +00:00
|
|
|
* intermediate routers and switches as well. NewReno makes a misguided
|
|
|
|
|
* attempt to 'solve' this problem by waiting for an actual failure to occur,
|
|
|
|
|
* then backing off, then steadily increasing the window again until another
|
|
|
|
|
* failure occurs, ad-infinitum. This results in terrible oscillation that
|
|
|
|
|
* is only made worse as network loads increase and the idea of intentionally
|
|
|
|
|
* blowing out network buffers is, frankly, a terrible way to manage network
|
|
|
|
|
* resources.
|
|
|
|
|
*
|
|
|
|
|
* It is far better to limit the transmit window prior to the failure
|
|
|
|
|
* condition being achieved. There are two general ways to do this: First
|
|
|
|
|
* you can 'scan' through different transmit window sizes and locate the
|
|
|
|
|
* point where the RTT stops increasing, indicating that you have filled the
|
|
|
|
|
* pipe, then scan backwards until you note that RTT stops decreasing, then
|
|
|
|
|
* repeat ad-infinitum. This method works in principle but has severe
|
|
|
|
|
* implementation issues due to RTT variances, timer granularity, and
|
|
|
|
|
* instability in the algorithm which can lead to many false positives and
|
|
|
|
|
* create oscillations as well as interact badly with other TCP streams
|
|
|
|
|
* implementing the same algorithm.
|
|
|
|
|
*
|
|
|
|
|
* The second method is to limit the window to the bandwidth delay product
|
|
|
|
|
* of the link. This is the method we implement. RTT variances and our
|
2004-08-16 18:32:07 +00:00
|
|
|
* own manipulation of the congestion window, bwnd, can potentially
|
2002-08-17 18:26:02 +00:00
|
|
|
* destabilize the algorithm. For this reason we have to stabilize the
|
|
|
|
|
* elements used to calculate the window. We do this by using the minimum
|
|
|
|
|
* observed RTT, the long term average of the observed bandwidth, and
|
|
|
|
|
* by adding two segments worth of slop. It isn't perfect but it is able
|
|
|
|
|
* to react to changing conditions and gives us a very stable basis on
|
|
|
|
|
* which to extend the algorithm.
|
|
|
|
|
*/
|
|
|
|
|
void
|
|
|
|
|
tcp_xmit_bandwidth_limit(struct tcpcb *tp, tcp_seq ack_seq)
|
|
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(tp->t_vnet);
|
2002-08-17 18:26:02 +00:00
|
|
|
u_long bw;
|
|
|
|
|
u_long bwnd;
|
|
|
|
|
int save_ticks;
|
|
|
|
|
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK_ASSERT(tp->t_inpcb);
|
2004-12-05 22:27:53 +00:00
|
|
|
|
2002-08-17 18:26:02 +00:00
|
|
|
/*
|
|
|
|
|
* If inflight_enable is disabled in the middle of a tcp connection,
|
|
|
|
|
* make sure snd_bwnd is effectively disabled.
|
|
|
|
|
*/
|
2008-08-20 01:05:56 +00:00
|
|
|
if (V_tcp_inflight_enable == 0 ||
|
|
|
|
|
tp->t_rttlow < V_tcp_inflight_rttthresh) {
|
2002-08-17 18:26:02 +00:00
|
|
|
tp->snd_bwnd = TCP_MAXWIN << TCP_MAX_WINSHIFT;
|
|
|
|
|
tp->snd_bandwidth = 0;
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Figure out the bandwidth. Due to the tick granularity this
|
|
|
|
|
* is a very rough number and it MUST be averaged over a fairly
|
|
|
|
|
* long period of time. XXX we need to take into account a link
|
|
|
|
|
* that is not using all available bandwidth, but for now our
|
|
|
|
|
* slop will ramp us up if this case occurs and the bandwidth later
|
|
|
|
|
* increases.
|
2002-08-24 17:22:44 +00:00
|
|
|
*
|
|
|
|
|
* Note: if ticks rollover 'bw' may wind up negative. We must
|
|
|
|
|
* effectively reset t_bw_rtttime for this case.
|
2002-08-17 18:26:02 +00:00
|
|
|
*/
|
|
|
|
|
save_ticks = ticks;
|
|
|
|
|
if ((u_int)(save_ticks - tp->t_bw_rtttime) < 1)
|
|
|
|
|
return;
|
|
|
|
|
|
2004-08-16 18:32:07 +00:00
|
|
|
bw = (int64_t)(ack_seq - tp->t_bw_rtseq) * hz /
|
2002-08-17 18:26:02 +00:00
|
|
|
(save_ticks - tp->t_bw_rtttime);
|
|
|
|
|
tp->t_bw_rtttime = save_ticks;
|
|
|
|
|
tp->t_bw_rtseq = ack_seq;
|
2002-08-24 17:22:44 +00:00
|
|
|
if (tp->t_bw_rtttime == 0 || (int)bw < 0)
|
2002-08-17 18:26:02 +00:00
|
|
|
return;
|
|
|
|
|
bw = ((int64_t)tp->snd_bandwidth * 15 + bw) >> 4;
|
|
|
|
|
|
|
|
|
|
tp->snd_bandwidth = bw;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Calculate the semi-static bandwidth delay product, plus two maximal
|
|
|
|
|
* segments. The additional slop puts us squarely in the sweet
|
2002-12-14 21:00:17 +00:00
|
|
|
* spot and also handles the bandwidth run-up case and stabilization.
|
|
|
|
|
* Without the slop we could be locking ourselves into a lower
|
|
|
|
|
* bandwidth.
|
2002-08-17 18:26:02 +00:00
|
|
|
*
|
|
|
|
|
* Situations Handled:
|
|
|
|
|
* (1) Prevents over-queueing of packets on LANs, especially on
|
|
|
|
|
* high speed LANs, allowing larger TCP buffers to be
|
2004-08-16 18:32:07 +00:00
|
|
|
* specified, and also does a good job preventing
|
2002-08-17 18:26:02 +00:00
|
|
|
* over-queueing of packets over choke points like modems
|
|
|
|
|
* (at least for the transmit side).
|
|
|
|
|
*
|
|
|
|
|
* (2) Is able to handle changing network loads (bandwidth
|
|
|
|
|
* drops so bwnd drops, bandwidth increases so bwnd
|
|
|
|
|
* increases).
|
|
|
|
|
*
|
|
|
|
|
* (3) Theoretically should stabilize in the face of multiple
|
|
|
|
|
* connections implementing the same algorithm (this may need
|
|
|
|
|
* a little work).
|
2002-12-14 21:00:17 +00:00
|
|
|
*
|
|
|
|
|
* (4) Stability value (defaults to 20 = 2 maximal packets) can
|
|
|
|
|
* be adjusted with a sysctl but typically only needs to be
|
|
|
|
|
* on very slow connections. A value no smaller then 5
|
|
|
|
|
* should be used, but only reduce this default if you have
|
|
|
|
|
* no other choice.
|
2002-08-17 18:26:02 +00:00
|
|
|
*/
|
|
|
|
|
#define USERTT ((tp->t_srtt + tp->t_rttbest) / 2)
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
bwnd = (int64_t)bw * USERTT / (hz << TCP_RTT_SHIFT) + V_tcp_inflight_stab * tp->t_maxseg / 10;
|
2002-08-24 17:22:44 +00:00
|
|
|
#undef USERTT
|
2002-08-17 18:26:02 +00:00
|
|
|
|
|
|
|
|
if (tcp_inflight_debug > 0) {
|
|
|
|
|
static int ltime;
|
|
|
|
|
if ((u_int)(ticks - ltime) >= hz / tcp_inflight_debug) {
|
|
|
|
|
ltime = ticks;
|
|
|
|
|
printf("%p bw %ld rttbest %d srtt %d bwnd %ld\n",
|
|
|
|
|
tp,
|
|
|
|
|
bw,
|
|
|
|
|
tp->t_rttbest,
|
|
|
|
|
tp->t_srtt,
|
|
|
|
|
bwnd
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
if ((long)bwnd < V_tcp_inflight_min)
|
|
|
|
|
bwnd = V_tcp_inflight_min;
|
|
|
|
|
if (bwnd > V_tcp_inflight_max)
|
|
|
|
|
bwnd = V_tcp_inflight_max;
|
2002-08-17 18:26:02 +00:00
|
|
|
if ((long)bwnd < tp->t_maxseg * 2)
|
|
|
|
|
bwnd = tp->t_maxseg * 2;
|
|
|
|
|
tp->snd_bwnd = bwnd;
|
|
|
|
|
}
|
|
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
#ifdef TCP_SIGNATURE
|
2004-02-13 18:21:45 +00:00
|
|
|
/*
|
|
|
|
|
* Callback function invoked by m_apply() to digest TCP segment data
|
|
|
|
|
* contained within an mbuf chain.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
tcp_signature_apply(void *fstate, void *data, u_int len)
|
|
|
|
|
{
|
|
|
|
|
|
2004-02-14 21:49:48 +00:00
|
|
|
MD5Update(fstate, (u_char *)data, len);
|
2004-02-13 18:21:45 +00:00
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
/*
|
2008-09-13 17:26:46 +00:00
|
|
|
* Compute TCP-MD5 hash of a TCP segment. (RFC2385)
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
*
|
2004-02-12 20:12:48 +00:00
|
|
|
* Parameters:
|
|
|
|
|
* m pointer to head of mbuf chain
|
2008-09-13 17:26:46 +00:00
|
|
|
* _unused
|
2004-02-12 20:12:48 +00:00
|
|
|
* len length of TCP segment data, excluding options
|
|
|
|
|
* optlen length of TCP segment options
|
|
|
|
|
* buf pointer to storage for computed MD5 digest
|
|
|
|
|
* direction direction of flow (IPSEC_DIR_INBOUND or OUTBOUND)
|
|
|
|
|
*
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
* We do this over ip, tcphdr, segment data, and the key in the SADB.
|
|
|
|
|
* When called from tcp_input(), we can be sure that th_sum has been
|
|
|
|
|
* zeroed out and verified already.
|
|
|
|
|
*
|
|
|
|
|
* Return 0 if successful, otherwise return -1.
|
|
|
|
|
*
|
|
|
|
|
* XXX The key is retrieved from the system's PF_KEY SADB, by keying a
|
|
|
|
|
* search with the destination IP address, and a 'magic SPI' to be
|
|
|
|
|
* determined by the application. This is hardcoded elsewhere to 1179
|
|
|
|
|
* right now. Another branch of this code exists which uses the SPD to
|
|
|
|
|
* specify per-application flows but it is unstable.
|
|
|
|
|
*/
|
|
|
|
|
int
|
2008-09-13 17:26:46 +00:00
|
|
|
tcp_signature_compute(struct mbuf *m, int _unused, int len, int optlen,
|
2004-02-12 20:12:48 +00:00
|
|
|
u_char *buf, u_int direction)
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
{
|
2008-11-26 22:32:07 +00:00
|
|
|
INIT_VNET_IPSEC(curvnet);
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
union sockaddr_union dst;
|
|
|
|
|
struct ippseudo ippseudo;
|
|
|
|
|
MD5_CTX ctx;
|
|
|
|
|
int doff;
|
|
|
|
|
struct ip *ip;
|
|
|
|
|
struct ipovly *ipovly;
|
|
|
|
|
struct secasvar *sav;
|
|
|
|
|
struct tcphdr *th;
|
2008-09-13 17:26:46 +00:00
|
|
|
#ifdef INET6
|
|
|
|
|
struct ip6_hdr *ip6;
|
|
|
|
|
struct in6_addr in6;
|
|
|
|
|
char ip6buf[INET6_ADDRSTRLEN];
|
|
|
|
|
uint32_t plen;
|
|
|
|
|
uint16_t nhdr;
|
|
|
|
|
#endif
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
u_short savecsum;
|
|
|
|
|
|
2004-02-12 20:12:48 +00:00
|
|
|
KASSERT(m != NULL, ("NULL mbuf chain"));
|
|
|
|
|
KASSERT(buf != NULL, ("NULL signature pointer"));
|
|
|
|
|
|
|
|
|
|
/* Extract the destination from the IP header in the mbuf. */
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
bzero(&dst, sizeof(union sockaddr_union));
|
2008-09-13 17:26:46 +00:00
|
|
|
ip = mtod(m, struct ip *);
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
ip6 = NULL; /* Make the compiler happy. */
|
|
|
|
|
#endif
|
|
|
|
|
switch (ip->ip_v) {
|
|
|
|
|
case IPVERSION:
|
|
|
|
|
dst.sa.sa_len = sizeof(struct sockaddr_in);
|
|
|
|
|
dst.sa.sa_family = AF_INET;
|
|
|
|
|
dst.sin.sin_addr = (direction == IPSEC_DIR_INBOUND) ?
|
|
|
|
|
ip->ip_src : ip->ip_dst;
|
|
|
|
|
break;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case (IPV6_VERSION >> 4):
|
|
|
|
|
ip6 = mtod(m, struct ip6_hdr *);
|
|
|
|
|
dst.sa.sa_len = sizeof(struct sockaddr_in6);
|
|
|
|
|
dst.sa.sa_family = AF_INET6;
|
|
|
|
|
dst.sin6.sin6_addr = (direction == IPSEC_DIR_INBOUND) ?
|
|
|
|
|
ip6->ip6_src : ip6->ip6_dst;
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
/* NOTREACHED */
|
|
|
|
|
break;
|
|
|
|
|
}
|
2004-02-12 20:12:48 +00:00
|
|
|
|
|
|
|
|
/* Look up an SADB entry which matches the address of the peer. */
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
sav = KEY_ALLOCSA(&dst, IPPROTO_TCP, htonl(TCP_SIG_SPI));
|
|
|
|
|
if (sav == NULL) {
|
2008-09-13 17:26:46 +00:00
|
|
|
ipseclog((LOG_ERR, "%s: SADB lookup failed for %s\n", __func__,
|
|
|
|
|
(ip->ip_v == IPVERSION) ? inet_ntoa(dst.sin.sin_addr) :
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
(ip->ip_v == (IPV6_VERSION >> 4)) ?
|
|
|
|
|
ip6_sprintf(ip6buf, &dst.sin6.sin6_addr) :
|
|
|
|
|
#endif
|
|
|
|
|
"(unsupported)"));
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
return (EINVAL);
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-12 20:12:48 +00:00
|
|
|
MD5Init(&ctx);
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
/*
|
2008-09-13 17:26:46 +00:00
|
|
|
* Step 1: Update MD5 hash with IP(v6) pseudo-header.
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
*
|
|
|
|
|
* XXX The ippseudo header MUST be digested in network byte order,
|
|
|
|
|
* or else we'll fail the regression test. Assume all fields we've
|
|
|
|
|
* been doing arithmetic on have been in host byte order.
|
|
|
|
|
* XXX One cannot depend on ipovly->ih_len here. When called from
|
|
|
|
|
* tcp_output(), the underlying ip_len member has not yet been set.
|
|
|
|
|
*/
|
2008-09-13 17:26:46 +00:00
|
|
|
switch (ip->ip_v) {
|
|
|
|
|
case IPVERSION:
|
|
|
|
|
ipovly = (struct ipovly *)ip;
|
|
|
|
|
ippseudo.ippseudo_src = ipovly->ih_src;
|
|
|
|
|
ippseudo.ippseudo_dst = ipovly->ih_dst;
|
|
|
|
|
ippseudo.ippseudo_pad = 0;
|
|
|
|
|
ippseudo.ippseudo_p = IPPROTO_TCP;
|
|
|
|
|
ippseudo.ippseudo_len = htons(len + sizeof(struct tcphdr) +
|
|
|
|
|
optlen);
|
|
|
|
|
MD5Update(&ctx, (char *)&ippseudo, sizeof(struct ippseudo));
|
|
|
|
|
|
|
|
|
|
th = (struct tcphdr *)((u_char *)ip + sizeof(struct ip));
|
|
|
|
|
doff = sizeof(struct ip) + sizeof(struct tcphdr) + optlen;
|
|
|
|
|
break;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
/*
|
|
|
|
|
* RFC 2385, 2.0 Proposal
|
|
|
|
|
* For IPv6, the pseudo-header is as described in RFC 2460, namely the
|
|
|
|
|
* 128-bit source IPv6 address, 128-bit destination IPv6 address, zero-
|
|
|
|
|
* extended next header value (to form 32 bits), and 32-bit segment
|
|
|
|
|
* length.
|
|
|
|
|
* Note: Upper-Layer Packet Length comes before Next Header.
|
|
|
|
|
*/
|
|
|
|
|
case (IPV6_VERSION >> 4):
|
|
|
|
|
in6 = ip6->ip6_src;
|
|
|
|
|
in6_clearscope(&in6);
|
|
|
|
|
MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
|
|
|
|
|
in6 = ip6->ip6_dst;
|
|
|
|
|
in6_clearscope(&in6);
|
|
|
|
|
MD5Update(&ctx, (char *)&in6, sizeof(struct in6_addr));
|
|
|
|
|
plen = htonl(len + sizeof(struct tcphdr) + optlen);
|
|
|
|
|
MD5Update(&ctx, (char *)&plen, sizeof(uint32_t));
|
|
|
|
|
nhdr = 0;
|
|
|
|
|
MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
|
|
|
|
|
MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
|
|
|
|
|
MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
|
|
|
|
|
nhdr = IPPROTO_TCP;
|
|
|
|
|
MD5Update(&ctx, (char *)&nhdr, sizeof(uint8_t));
|
|
|
|
|
|
|
|
|
|
th = (struct tcphdr *)((u_char *)ip6 + sizeof(struct ip6_hdr));
|
|
|
|
|
doff = sizeof(struct ip6_hdr) + sizeof(struct tcphdr) + optlen;
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
default:
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
/* NOTREACHED */
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2004-02-12 20:12:48 +00:00
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
/*
|
|
|
|
|
* Step 2: Update MD5 hash with TCP header, excluding options.
|
|
|
|
|
* The TCP checksum must be set to zero.
|
|
|
|
|
*/
|
|
|
|
|
savecsum = th->th_sum;
|
|
|
|
|
th->th_sum = 0;
|
|
|
|
|
MD5Update(&ctx, (char *)th, sizeof(struct tcphdr));
|
|
|
|
|
th->th_sum = savecsum;
|
2004-02-12 20:12:48 +00:00
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
/*
|
|
|
|
|
* Step 3: Update MD5 hash with TCP segment data.
|
|
|
|
|
* Use m_apply() to avoid an early m_pullup().
|
|
|
|
|
*/
|
|
|
|
|
if (len > 0)
|
2004-02-13 18:21:45 +00:00
|
|
|
m_apply(m, doff, len, tcp_signature_apply, &ctx);
|
2004-02-12 20:12:48 +00:00
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
/*
|
|
|
|
|
* Step 4: Update MD5 hash with shared secret.
|
|
|
|
|
*/
|
2007-11-28 13:23:50 +00:00
|
|
|
MD5Update(&ctx, sav->key_auth->key_data, _KEYLEN(sav->key_auth));
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
MD5Final(buf, &ctx);
|
2004-02-12 20:12:48 +00:00
|
|
|
|
Initial import of RFC 2385 (TCP-MD5) digest support.
This is the first of two commits; bringing in the kernel support first.
This can be enabled by compiling a kernel with options TCP_SIGNATURE
and FAST_IPSEC.
For the uninitiated, this is a TCP option which provides for a means of
authenticating TCP sessions which came into being before IPSEC. It is
still relevant today, however, as it is used by many commercial router
vendors, particularly with BGP, and as such has become a requirement for
interconnect at many major Internet points of presence.
Several parts of the TCP and IP headers, including the segment payload,
are digested with MD5, including a shared secret. The PF_KEY interface
is used to manage the secrets using security associations in the SADB.
There is a limitation here in that as there is no way to map a TCP flow
per-port back to an SPI without polluting tcpcb or using the SPD; the
code to do the latter is unstable at this time. Therefore this code only
supports per-host keying granularity.
Whilst FAST_IPSEC is mutually exclusive with KAME IPSEC (and thus IPv6),
TCP_SIGNATURE applies only to IPv4. For the vast majority of prospective
users of this feature, this will not pose any problem.
This implementation is output-only; that is, the option is honoured when
responding to a host initiating a TCP session, but no effort is made
[yet] to authenticate inbound traffic. This is, however, sufficient to
interwork with Cisco equipment.
Tested with a Cisco 2501 running IOS 12.0(27), and Quagga 0.96.4 with
local patches. Patches for tcpdump to validate TCP-MD5 sessions are also
available from me upon request.
Sponsored by: sentex.net
2004-02-11 04:26:04 +00:00
|
|
|
key_sa_recordxfer(sav, m);
|
|
|
|
|
KEY_FREESAV(&sav);
|
|
|
|
|
return (0);
|
|
|
|
|
}
|
|
|
|
|
#endif /* TCP_SIGNATURE */
|
2005-02-14 07:37:51 +00:00
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
sysctl_drop(SYSCTL_HANDLER_ARGS)
|
|
|
|
|
{
|
Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit
Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.
Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().
Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).
All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).
(*) netipsec/keysock.c did not validate depending on compile time options.
Implemented by: julian, bz, brooks, zec
Reviewed by: julian, bz, brooks, kris, rwatson, ...
Approved by: julian (mentor)
Obtained from: //depot/projects/vimage-commit2/...
X-MFC after: never
Sponsored by: NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
|
|
|
INIT_VNET_INET(curvnet);
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
INIT_VNET_INET6(curvnet);
|
|
|
|
|
#endif
|
2005-02-14 07:37:51 +00:00
|
|
|
/* addrs[0] is a foreign socket, addrs[1] is a local one. */
|
|
|
|
|
struct sockaddr_storage addrs[2];
|
|
|
|
|
struct inpcb *inp;
|
|
|
|
|
struct tcpcb *tp;
|
2005-10-02 08:43:57 +00:00
|
|
|
struct tcptw *tw;
|
2005-02-14 07:37:51 +00:00
|
|
|
struct sockaddr_in *fin, *lin;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
struct sockaddr_in6 *fin6, *lin6;
|
|
|
|
|
struct in6_addr f6, l6;
|
|
|
|
|
#endif
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
inp = NULL;
|
|
|
|
|
fin = lin = NULL;
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
fin6 = lin6 = NULL;
|
|
|
|
|
#endif
|
|
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
if (req->oldptr != NULL || req->oldlen != 0)
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
if (req->newptr == NULL)
|
|
|
|
|
return (EPERM);
|
|
|
|
|
if (req->newlen < sizeof(addrs))
|
|
|
|
|
return (ENOMEM);
|
|
|
|
|
error = SYSCTL_IN(req, &addrs, sizeof(addrs));
|
|
|
|
|
if (error)
|
|
|
|
|
return (error);
|
|
|
|
|
|
|
|
|
|
switch (addrs[0].ss_family) {
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6:
|
|
|
|
|
fin6 = (struct sockaddr_in6 *)&addrs[0];
|
|
|
|
|
lin6 = (struct sockaddr_in6 *)&addrs[1];
|
|
|
|
|
if (fin6->sin6_len != sizeof(struct sockaddr_in6) ||
|
|
|
|
|
lin6->sin6_len != sizeof(struct sockaddr_in6))
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
if (IN6_IS_ADDR_V4MAPPED(&fin6->sin6_addr)) {
|
|
|
|
|
if (!IN6_IS_ADDR_V4MAPPED(&lin6->sin6_addr))
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
in6_sin6_2_sin_in_sock((struct sockaddr *)&addrs[0]);
|
|
|
|
|
in6_sin6_2_sin_in_sock((struct sockaddr *)&addrs[1]);
|
|
|
|
|
fin = (struct sockaddr_in *)&addrs[0];
|
|
|
|
|
lin = (struct sockaddr_in *)&addrs[1];
|
|
|
|
|
break;
|
|
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
error = sa6_embedscope(fin6, V_ip6_use_defzone);
|
2005-02-14 07:37:51 +00:00
|
|
|
if (error)
|
2005-07-25 12:31:43 +00:00
|
|
|
return (error);
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
error = sa6_embedscope(lin6, V_ip6_use_defzone);
|
2005-08-01 12:08:49 +00:00
|
|
|
if (error)
|
2005-07-25 12:31:43 +00:00
|
|
|
return (error);
|
2005-02-14 07:37:51 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
case AF_INET:
|
|
|
|
|
fin = (struct sockaddr_in *)&addrs[0];
|
|
|
|
|
lin = (struct sockaddr_in *)&addrs[1];
|
|
|
|
|
if (fin->sin_len != sizeof(struct sockaddr_in) ||
|
|
|
|
|
lin->sin_len != sizeof(struct sockaddr_in))
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return (EINVAL);
|
|
|
|
|
}
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WLOCK(&V_tcbinfo);
|
2005-02-14 07:37:51 +00:00
|
|
|
switch (addrs[0].ss_family) {
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
case AF_INET6:
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
inp = in6_pcblookup_hash(&V_tcbinfo, &f6, fin6->sin6_port,
|
2005-02-14 07:37:51 +00:00
|
|
|
&l6, lin6->sin6_port, 0, NULL);
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
case AF_INET:
|
2008-08-20 01:05:56 +00:00
|
|
|
inp = in_pcblookup_hash(&V_tcbinfo, fin->sin_addr,
|
|
|
|
|
fin->sin_port, lin->sin_addr, lin->sin_port, 0, NULL);
|
2005-02-14 07:37:51 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (inp != NULL) {
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WLOCK(inp);
|
2006-04-03 11:57:12 +00:00
|
|
|
if (inp->inp_vflag & INP_TIMEWAIT) {
|
2006-04-04 12:26:07 +00:00
|
|
|
/*
|
|
|
|
|
* XXXRW: There currently exists a state where an
|
|
|
|
|
* inpcb is present, but its timewait state has been
|
|
|
|
|
* discarded. For now, don't allow dropping of this
|
|
|
|
|
* type of inpcb.
|
|
|
|
|
*/
|
2006-04-03 11:57:12 +00:00
|
|
|
tw = intotw(inp);
|
2006-04-04 12:26:07 +00:00
|
|
|
if (tw != NULL)
|
|
|
|
|
tcp_twclose(tw, 0);
|
2007-11-24 18:43:59 +00:00
|
|
|
else
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inp);
|
2006-04-03 11:57:12 +00:00
|
|
|
} else if (!(inp->inp_vflag & INP_DROPPED) &&
|
|
|
|
|
!(inp->inp_socket->so_options & SO_ACCEPTCONN)) {
|
|
|
|
|
tp = intotcpcb(inp);
|
2007-11-24 18:43:59 +00:00
|
|
|
tp = tcp_drop(tp, ECONNABORTED);
|
|
|
|
|
if (tp != NULL)
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inp);
|
2007-11-24 18:43:59 +00:00
|
|
|
} else
|
2008-04-17 21:38:18 +00:00
|
|
|
INP_WUNLOCK(inp);
|
2005-02-14 07:37:51 +00:00
|
|
|
} else
|
|
|
|
|
error = ESRCH;
|
Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).
This is the first in a series of commits over the course
of the next few weeks.
Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.
We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.
Obtained from: //depot/projects/vimage-commit2/...
Reviewed by: brooks, des, ed, mav, julian,
jamie, kris, rwatson, zec, ...
(various people I forgot, different versions)
md5 (with a bit of help)
Sponsored by: NLnet Foundation, The FreeBSD Foundation
X-MFC after: never
V_Commit_Message_Reviewed_By: more people than the patch
2008-08-17 23:27:27 +00:00
|
|
|
INP_INFO_WUNLOCK(&V_tcbinfo);
|
2005-02-14 07:37:51 +00:00
|
|
|
return (error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
SYSCTL_PROC(_net_inet_tcp, TCPCTL_DROP, drop,
|
|
|
|
|
CTLTYPE_STRUCT|CTLFLAG_WR|CTLFLAG_SKIP, NULL,
|
|
|
|
|
0, sysctl_drop, "", "Drop TCP connection");
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Generate a standardized TCP log line for use throughout the
|
|
|
|
|
* tcp subsystem. Memory allocation is done with M_NOWAIT to
|
|
|
|
|
* allow use in the interrupt context.
|
|
|
|
|
*
|
|
|
|
|
* NB: The caller MUST free(s, M_TCPLOG) the returned string.
|
|
|
|
|
* NB: The function may return NULL if memory allocation failed.
|
|
|
|
|
*
|
|
|
|
|
* Due to header inclusion and ordering limitations the struct ip
|
|
|
|
|
* and ip6_hdr pointers have to be passed as void pointers.
|
|
|
|
|
*/
|
|
|
|
|
char *
|
|
|
|
|
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
|
2007-07-05 05:55:57 +00:00
|
|
|
const void *ip6hdr)
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
{
|
|
|
|
|
char *s, *sp;
|
|
|
|
|
size_t size;
|
|
|
|
|
struct ip *ip;
|
|
|
|
|
#ifdef INET6
|
2007-07-05 06:04:46 +00:00
|
|
|
const struct ip6_hdr *ip6;
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
|
2007-07-05 06:04:46 +00:00
|
|
|
ip6 = (const struct ip6_hdr *)ip6hdr;
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
#endif /* INET6 */
|
|
|
|
|
ip = (struct ip *)ip4hdr;
|
|
|
|
|
|
|
|
|
|
/*
|
2007-05-23 19:07:53 +00:00
|
|
|
* The log line looks like this:
|
|
|
|
|
* "TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags 0x2<SYN>"
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
*/
|
2007-05-23 19:07:53 +00:00
|
|
|
size = sizeof("TCP: []:12345 to []:12345 tcpflags 0x2<>") +
|
|
|
|
|
sizeof(PRINT_TH_FLAGS) + 1 +
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
#ifdef INET6
|
2007-05-23 19:07:53 +00:00
|
|
|
2 * INET6_ADDRSTRLEN;
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
#else
|
2007-05-23 19:07:53 +00:00
|
|
|
2 * INET_ADDRSTRLEN;
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
#endif /* INET6 */
|
|
|
|
|
|
2007-07-28 12:20:39 +00:00
|
|
|
/* Is logging enabled? */
|
|
|
|
|
if (tcp_log_debug == 0 && tcp_log_in_vain == 0)
|
|
|
|
|
return (NULL);
|
|
|
|
|
|
2007-05-27 17:02:54 +00:00
|
|
|
s = malloc(size, M_TCPLOG, M_ZERO|M_NOWAIT);
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
if (s == NULL)
|
|
|
|
|
return (NULL);
|
|
|
|
|
|
|
|
|
|
strcat(s, "TCP: [");
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
|
|
|
|
|
if (inc && inc->inc_isipv6 == 0) {
|
|
|
|
|
inet_ntoa_r(inc->inc_faddr, sp);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i to [", ntohs(inc->inc_fport));
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
inet_ntoa_r(inc->inc_laddr, sp);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i", ntohs(inc->inc_lport));
|
|
|
|
|
#ifdef INET6
|
|
|
|
|
} else if (inc) {
|
|
|
|
|
ip6_sprintf(sp, &inc->inc6_faddr);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i to [", ntohs(inc->inc_fport));
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
ip6_sprintf(sp, &inc->inc6_laddr);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i", ntohs(inc->inc_lport));
|
|
|
|
|
} else if (ip6 && th) {
|
|
|
|
|
ip6_sprintf(sp, &ip6->ip6_src);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i to [", ntohs(th->th_sport));
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
ip6_sprintf(sp, &ip6->ip6_dst);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i", ntohs(th->th_dport));
|
|
|
|
|
#endif /* INET6 */
|
|
|
|
|
} else if (ip && th) {
|
|
|
|
|
inet_ntoa_r(ip->ip_src, sp);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i to [", ntohs(th->th_sport));
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
inet_ntoa_r(ip->ip_dst, sp);
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
sprintf(sp, "]:%i", ntohs(th->th_dport));
|
|
|
|
|
} else {
|
|
|
|
|
free(s, M_TCPLOG);
|
|
|
|
|
return (NULL);
|
|
|
|
|
}
|
|
|
|
|
sp = s + strlen(s);
|
|
|
|
|
if (th)
|
|
|
|
|
sprintf(sp, " tcpflags 0x%b", th->th_flags, PRINT_TH_FLAGS);
|
2007-05-23 19:07:53 +00:00
|
|
|
if (*(s + size - 1) != '\0')
|
Add tcp_log_addrs() function to generate and standardized TCP log line
for use thoughout the tcp subsystem.
It is IPv4 and IPv6 aware creates a line in the following format:
"TCP: [1.2.3.4]:50332 to [1.2.3.4]:80 tcpflags <RST>"
A "\n" is not included at the end. The caller is supposed to add
further information after the standard tcp log header.
The function returns a NUL terminated string which the caller has
to free(s, M_TCPLOG) after use. All memory allocation is done
with M_NOWAIT and the return value may be NULL in memory shortage
situations.
Either struct in_conninfo || (struct tcphdr && (struct ip || struct
ip6_hdr) have to be supplied.
Due to ip[6].h header inclusion limitations and ordering issues the
struct ip and struct ip6_hdr parameters have to be casted and passed
as void * pointers.
tcp_log_addrs(struct in_conninfo *inc, struct tcphdr *th, void *ip4hdr,
void *ip6hdr)
Usage example:
struct ip *ip;
char *tcplog;
if (tcplog = tcp_log_addrs(NULL, th, (void *)ip, NULL)) {
log(LOG_DEBUG, "%s; %s: Connection attempt to closed port\n",
tcplog, __func__);
free(s, M_TCPLOG);
}
2007-05-18 19:58:37 +00:00
|
|
|
panic("%s: string too long", __func__);
|
|
|
|
|
return (s);
|
|
|
|
|
}
|
