Commit Graph

34 Commits

Author SHA1 Message Date
Bruce M Simpson
05d91e4363 In member interface detach event handler, do not attempt to free state
which has already been freed by in_ifdetach(). With this cumulative change,
the removal of a member interface will not cause a panic in pfsync(4).

Requested by:	yar
PR:		86848
2007-04-14 01:01:46 +00:00
Bruce M Simpson
6b47cca2a7 Teach pfsync(4) that its member interfaces may go away.
This change partially resolves the issue in the PR. Further architectural
fixes, in the form of reference counting, are needed.

PR:		86848
Reviewed by:	yar
MFC after:	1 month
2007-03-19 17:52:15 +00:00
John Baldwin
0dea849ae9 Various bpf(4) related fixes to catch places up to the new bpf(4)
semantics.
- Stop testing bpf pointers for NULL.  In some cases use
  bpf_peers_present() and then call the function directly inside the
  conditional block instead of the macro.
- For places where the entire conditional block is the macro, remove the
  test and make the macro unconditional.
- Use BPF_MTAP() in if_pfsync on FreeBSD instead of an expanded version of
  the old semantics.

Reviewed by:	csjp (older version)
2006-12-29 13:59:50 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Sam Leffler
6b7330e2d4 Revise network interface cloning to take an optional opaque
parameter that can specify configuration parameters:
o rev cloner api's to add optional parameter block
o add SIOCCREATE2 that accepts parameter data
o rev vlan support to use new api (maintain old code)

Reviewed by:	arch@
2006-07-09 06:04:01 +00:00
Max Laier
05206588f2 Make in-kernel multicast protocols for pfsync and carp work after enabling
dynamic resizing of multicast membership array.

Reported and tested by:	Maxim Konovalov, Scott Ullrich
Reminded by:			thompsa
MFC after:			2 weeks
2006-07-08 00:01:01 +00:00
Max Laier
a6831e7e3a Fix pfsync w/o carp compilation.
Submitted by:	yar
2006-06-16 10:25:06 +00:00
Max Laier
c0e9fdd321 Fix byteorder of syncpeer and make it actually work.
Submitted by:	glebius
MFC after:	1 week
2006-06-14 11:11:54 +00:00
Ruslan Ermilov
342ed5d948 Fix -Wundef warnings found when compiling i386 LINT, GENERIC and
custom kernels.
2005-12-05 11:58:35 +00:00
Andrew Thompson
4e7e0183e1 Move the cloned interface list management into if_clone. For some drivers the
softc lists and associated mutex are now unused so these have been removed.

Calling if_clone_detach() will now destroy all the cloned interfaces for the
driver and in most cases is all that's needed to unload.

Idea by:	brooks
Reviewed by:	brooks
2005-11-08 20:08:34 +00:00
Andrew Thompson
febd0759f3 Change the reference counting to count the number of cloned interfaces for each
cloner. This ensures that ifc->ifc_units is not prematurely freed in
if_clone_detach() before the clones are destroyed, resulting in memory modified
after free. This could be triggered with if_vlan.

Assert that all cloners have been destroyed when freeing the memory.

Change all simple cloners to destroy their clones with ifc_simple_destroy() on
module unload so the reference count is properly updated. This also cleans up
the interface destroy routines and allows future optimisation.

Discussed with:	brooks, pjd, -current
Reviewed by:	brooks
2005-10-12 19:52:16 +00:00
Max Laier
922e338183 Stop leaking a lock. This used to cause a propagate_priority() page fault
when setting syncdev and syncpeer.

Reported by:	Dominic Marks
2005-09-11 11:55:39 +00:00
Max Laier
ef2e5f06f2 Wrap the new world order in __FreeBSD__ to ease future imports.
2005-08-09 11:59:02 +00:00
Robert Watson
13f4c340ae Propagate rename of IFF_OACTIVE and IFF_RUNNING to IFF_DRV_OACTIVE and
IFF_DRV_RUNNING, as well as the move from ifnet.if_flags to
ifnet.if_drv_flags.  Device drivers are now responsible for
synchronizing access to these flags, as they are in if_drv_flags.  This
helps prevent races between the network stack and device driver in
maintaining the interface flags field.

Many __FreeBSD__ and __FreeBSD_version checks maintained and continued;
some less so.

Reviewed by:	pjd, bz
MFC after:	7 days
2005-08-09 10:20:02 +00:00
Max Laier
6de8d9dc52 Export pfsyncstats via sysctl "net.inet.pfsync" in order to print them with
netstat (separate commit).

Requested by:	glebius
MFC after:	1 week
2005-07-14 22:22:51 +00:00
Max Laier
889ad0384e Properly initialize ifq_maxlen for the deferred send queue and make it
actually work.  Also use the right semantics for IF_HANDOFF to get correct
stats.

Reported and tested by:	Sascha Luck <sascha at c4inet dot net>
Approved by:		re (blanket)
2005-06-26 21:00:52 +00:00
Max Laier
c8d1dc8cc8 Mark pf callouts as NET_MPSAFE.
Requested by:	yongari (several times)
Approved by:	re (blanket)
MFC after:	1 week
2005-06-12 16:46:20 +00:00
Max Laier
fe2f7b3b0d Defer ip_output of pfsync updates to an independent callout thread instead
of just dropping the lock around the ip_output call.  This used to cause
corrupted state tree walks for some call-paths.

In a second stage all callouts will be marked MPSAFE according to the
setting of mpsafenet.

Reported and tested by:	Matthew Grooms <mgrooms at seton dot org>
MFC after:		3 days
X-MFC after:		Marking callouts MPSAFE + 1 week
2005-06-10 17:23:49 +00:00
Brooks Davis
fc74a9f93a Stop embedding struct ifnet at the top of driver softcs. Instead the
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.

This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.

Other changes of note:
 - Struct arpcom is no longer referenced in normal interface code.
   Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
   To enforce this ac_enaddr has been renamed to _ac_enaddr.
 - The second argument to ether_ifattach is now always the mac address
   from driver private storage rather than sometimes being ac_enaddr.

Reviewed by:	sobomax, sam
2005-06-10 16:49:24 +00:00
Max Laier
b01933e6bf Resolve conflicts created during the import of pf 3.7. Some features are
missing and will be implemented in a second step.  This is functional as is.

Tested by:	freebsd-pf, pfsense.org
Obtained from:	OpenBSD
X-MFC after:	never (breaks API/ABI)
2005-05-03 16:43:32 +00:00
Max Laier
68198dedf8 Access softc embedded struct ifnet via function macro to make it easier to
untangle struct ifnet and softc/arpcom in the future.

Requested by:	brooks
2005-02-09 19:29:13 +00:00
Max Laier
7cadbe4109 Compile pfsync w/o bpf.
Noticed by:	"Jayel Villamin" <jarthel operamail com>
2004-12-10 17:42:47 +00:00
Max Laier
f78086efb6 Move pf* init from SI_SUB_PSEUDO to SI_SUB_PROTO_IFATTACHDOMAIN where it is
safe to call if_attachdomain from if_attach() (as done for if_loop.c). We
will now end up with a properly initialized if_afdata array and the nd6
callout will no longer try to deref a NULL pointer.

Still this is a temp workaround and the locking for if_afdata should be
revisited at a later point.

Requested by:			rwatson
Discussed with and tested by:	yongari (a while ago)
PR:				kern/70393
MFC after:			5 days
2004-09-14 03:12:01 +00:00
David Malone
1f44b0a1b5 Get rid of the RANDOM_IP_ID option and make it a sysctl. NetBSD
have already done this, so I have styled the patch on their work:

        1) introduce an ip_newid() static inline function that checks
        the sysctl and then decides if it should return a sequential
        or random IP ID.

        2) named the sysctl net.inet.ip.random_id

        3) IPv6 flow IDs and fragment IDs are now always random.
        Flow IDs and frag IDs are significantly less common in the
        IPv6 world (ie. rarely generated per-packet), so there should
        be smaller performance concerns.

The sysctl defaults to 0 (sequential IP IDs).

Reviewed by:	andre, silby, mlaier, ume
Based on:	NetBSD
MFC after:	2 months
2004-08-14 15:32:40 +00:00
Alexander Kabaev
7e86873d5c Initialize the s variable early to shut up GCC warnings.
Do not declare inline functions without body as this is useless in
general and generates a warning with GCC 3.4.x.

Glanced over by:	dhartmei
2004-07-28 06:14:44 +00:00
Brooks Davis
f889d2ef8d Major overhaul of pseudo-interface cloning. Highlights include:
- Split the code out into if_clone.[ch].
 - Locked struct if_clone. [1]
 - Add a per-cloner match function rather than simply matching names of
   the form <name><unit> and <name>.
 - Use the match function to allow creation of <interface>.<tag>
   vlan interfaces.  The old way is preserved unchanged!
 - Also use the match function to allow creation of stf(4) interfaces named
   stf0, stf, or 6to4.  This is the only major user visible change in
   that "ifconfig stf" creates the interface stf rather than stf0 and
   does not print "stf0" to stdout.
 - Allow destroy functions to fail so they can refuse to delete
   interfaces.  Currently, we forbid the deletion of interfaces which
   were created in the init function, particularly lo0, pflog0, and
   pfsync0.  In the case of lo0 this was a panic implementation so it
   does not count as a user visible change. :-)
 - Since most interfaces do not need the new functionality, a family of
   wrapper functions, ifc_simple_*(), were created to wrap old style
   cloner functions.
 - The IF_CLONE_INITIALIZER macro is replaced with a new incompatible
   IFC_CLONE_INITIALIZER and ifc_simple consumers use IFC_SIMPLE_DECLARE
   instead.

Submitted by:   Maurycy Pawlowski-Wieronski <maurycy at fouk.org> [1]
Reviewed by:    andre, mlaier
Discussed on:	net
2004-06-22 20:13:25 +00:00
Max Laier
7c1fe95333 Commit pf version 3.5 and link additional files to the kernel build.
Version 3.5 brings:
 - Atomic commits of ruleset changes (reduce the chance of ending up in an
   inconsistent state).
 - A 30% reduction in the size of state table entries.
 - Source-tracking (limit number of clients and states per client).
 - Sticky-address (the flexibility of round-robin with the benefits of
   source-hash).
 - Significant improvements to interface handling.
 - and many more ...
2004-06-16 23:24:02 +00:00
Max Laier
4e6d06effe Remove some more leftovers from the old pfaltq_module hack to allow for
kernels w/ pf, but w/o altq.

Reported-by:	 Xin LI
2004-06-14 16:13:05 +00:00
Max Laier
1fb675e712 "Get rid of the nested include of <sys/module.h> from <sys/kernel.h>" or,
better, no longer depend on it.

Requested-by:	phk
Approved-by:	bms(mentor)
2004-05-31 22:48:19 +00:00
Brooks Davis
bb2bfb4fa9 Staticize <if>_clone_{create,destroy} functions.
Reviewed by:	mlaier
2004-04-14 00:57:49 +00:00
Max Laier
cc7e902276 Style(9) round for the pf kernel parts. Mostly #if defined() -> #ifdef
Also set HOOK_HACK to true (remove the related #ifdef's) as we have the
hooks in the kernel; this was missed during the merge from the port.

Noticed by:	Amir S.	(for the HOOK_HACK part)
Approved by:	bms(mentor)
2004-03-17 21:11:02 +00:00
Max Laier
7b3832e8d6 Remove `$Name$' leftovers from the port version reporting.
Noticed by:	Craig Rodrigues
Approved by:	bms(mentor)
2004-03-10 15:08:21 +00:00
Max Laier
2bbe8ffc9d Bring diff from the security/pf port. This code has been tested as a port
for a long time and is run in production use. This is the code present in
portversion 2.03 with some additional tweaks.

The rather extensive diff accounts for:
 - locking (to enable pf to work with a giant-free netstack)
 - byte order difference between OpenBSD and FreeBSD for ip_len/ip_off
 - conversion from pool(9) to zone(9)
 - api differences etc.

Approved by: bms(mentor) (in general)
2004-02-26 02:34:12 +00:00
Max Laier
5c45a928b9 Vendor import of OpenBSD's packet filter (pf) as of OpenBSD 3.4
Approved by: bms(mentor), core (in general)
2004-02-26 02:04:28 +00:00