Commit Graph

205 Commits

Author SHA1 Message Date
Robert Watson
c2259ba44f Include priv.h to pick up suser(9) definitions, missed in an earlier
commit.

Warnings spotted by:	kris
2007-06-13 22:42:43 +00:00
Robert Watson
2281b8f054 Remove IPX over IP tunneling support, which allows IPX routing over IP
tunnels, and was not MPSAFE.  The code can be easily restored in the
event that someone with an IPX over IP tunnel configuration can work
with me to test patches.

This removes one of five remaining consumers of NET_NEEDS_GIANT.

Approved by:	re (kensmith)
2007-06-13 14:01:43 +00:00
Robert Watson
94ad7d68c7 Use ANSI C function declarations throughout netipx.
Remove 'register' use.
2007-05-11 10:38:34 +00:00
Robert Watson
54d642bbe5 Reduce network stack oddness: implement .pru_sockaddr and .pru_peeraddr
protocol entry points using functions named proto_getsockaddr and
proto_getpeeraddr rather than proto_setsockaddr and proto_setpeeraddr.
While it's true that sockaddrs are allocated and set, the net effect is
to retrieve (get) the socket address or peer address from a socket, not
set it, so align names to that intent.
2007-05-11 10:20:51 +00:00
Robert Watson
c724ad6648 Build ipx_ip.c only if options IPXIP is defined. No functional change. 2007-02-26 11:55:34 +00:00
Robert Watson
e89beb720d Fix a likely bug by adding what appears to be a missing break statement
in the IPX over IP configuration ioctl: when changing the flags on a
tunnel interface, return the generated error rather than always EINVAL.
2007-02-26 10:16:53 +00:00
Robert Watson
dd0cb30f89 Further style(9) for ipx_ip. 2007-02-25 00:17:56 +00:00
Robert Watson
ca642fe976 Improve ipx_ip.c's approximation of style(9). 2007-02-25 00:10:59 +00:00
Robert Watson
28b2aee58f Factor out UCB and my copyrights from copyrights of Mike Mitchell;
the former use a three-clause BSD license (per UCB authorization
letter), whereas he uses a four-clause BSD license.

MFC after:	3 days
2007-01-08 22:14:00 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Robert Watson
a152f8a361 Change semantics of socket close and detach. Add a new protocol switch
function, pru_close, to notify protocols that the file descriptor or
other consumer of a socket is closing the socket.  pru_abort is now a
notification of close also, and no longer detaches.  pru_detach is no
longer used to notify of close, and will be called during socket
tear-down by sofree() when all references to a socket evaporate after
an earlier call to abort or close the socket.  This means detach is now
an unconditional teardown of a socket, whereas previously sockets could
persist after detach of the protocol retained a reference.

This faciliates sharing mutexes between layers of the network stack as
the mutex is required during the checking and removal of references at
the head of sofree().  With this change, pru_detach can now assume that
the mutex will no longer be required by the socket layer after
completion, whereas before this was not necessarily true.

Reviewed by:	gnn
2006-07-21 17:11:15 +00:00
Olivier Houchard
1334cfe00c Make this compile without INVARIANTS. 2006-04-11 23:15:47 +00:00
Robert Watson
bc725eafc7 Chance protocol switch method pru_detach() so that it returns void
rather than an error.  Detaches do not "fail", they other occur or
the protocol flags SS_PROTOREF to take ownership of the socket.

soclose() no longer looks at so_pcb to see if it's NULL, relying
entirely on the protocol to decide whether it's time to free the
socket or not using SS_PROTOREF.  so_pcb is now entirely owned and
managed by the protocol code.  Likewise, no longer test so_pcb in
other socket functions, such as soreceive(), which have no business
digging into protocol internals.

Protocol detach routines no longer try to free the socket on detach,
this is performed in the socket code if the protocol permits it.

In rts_detach(), no longer test for rp != NULL in detach, and
likewise in other protocols that don't permit a NULL so_pcb, reduce
the incidence of testing for it during detach.

netinet and netinet6 are not fully updated to this change, which
will be in an upcoming commit.  In their current state they may leak
memory or panic.

MFC after:	3 months
2006-04-01 15:42:02 +00:00
Robert Watson
ac45e92ff2 Change protocol switch pru_abort() API so that it returns void rather
than an int, as an error here is not meaningful.  Modify soabort() to
unconditionally free the socket on the return of pru_abort(), and
modify most protocols to no longer conditionally free the socket,
since the caller will do this.

This commit likely leaves parts of netinet and netinet6 in a situation
where they may panic or leak memory, as they have not are not fully
updated by this commit.  This will be corrected shortly in followup
commits to these components.

MFC after:      3 months
2006-04-01 15:15:05 +00:00
Robert Watson
e3c26fb50d Add a simple netipx TODO list to the end of README, since there are a
number of problems with netipx that I have not yet resolved, and I
don't want them lost track of.

MFC after:	1 month
2006-03-27 09:10:09 +00:00
Robert Watson
1322b45c3d Canonicalize copyright order in one more file that contains my
copyright.

MFC after:	1 month
2006-03-27 01:12:58 +00:00
Robert Watson
c3784d3460 In spx_output(), use M_DONTWAIT instead of M_TRYWAIT, as we hold the
ipxpcb mutex.  Contrary to the comment, even in 4.x this was unsafe,
as parallel use of the socket by another process would result in pcb
corruption if the mbuf allocation slept.

MFC after:	1 month
2006-03-27 00:48:21 +00:00
Robert Watson
dc6519ce4c In spx_input(), change a '&&' to a '||', as the spx trace code is able
to handle a NULL 'cb' here.

MFC after:	1 month
2006-03-27 00:08:32 +00:00
Robert Watson
0f5650dbf9 In spx_accept, assert ipxp != NULL, not == NULL.
MFC after:	1 month
2006-03-26 19:51:44 +00:00
Robert Watson
46589e7054 In various SPX protocol entry points from the socket layer, check
IPXP_DROPPED before continuing, and return EINVAL or ECONNRESET if
it is flagged.  It's unclear why each situation should be one or
the other, but it is copied from netinet which has the same bugs.

MFC after:	1 month
2006-03-26 19:37:37 +00:00
Robert Watson
722542bc34 Add a new ipxpcb flag, IPXP_SPX, which is set on ipxpcb's to mark them
as belonging to SPX.  This replaces the implicit assumption that the cb
pointer for non-SPX pcb's will be NULL.  This isn't required in TCP/IP
as different pcb lists are maintained for different IP protocols; IPX
stores all pcbs on the same global ipxpcb_list.

Foot provided by:	gnn
MFC after:		1 month
2006-03-26 15:41:44 +00:00
Robert Watson
0597c8cf73 Restore original formulation of SPX segment queue draining during SPX
PCB detach.

MFC after:	1 month
2006-03-26 02:33:44 +00:00
Robert Watson
818812244b Rework IPX/SPX socket and pcb reference model:
- Introduce invariant that all IPX/SPX sockets will have valid so_pcb
  pointers to ipxpcb structures, and that for SPX, the control block
  pointer will always be valid.  Don't attempt to free the socket or
  pcb at various odd points, such as disconnect.

- Add a new ipxpcb flag, IPXP_DROPPED, which will be set in place of
  freeing PCB's so that this invariant can be maintained.  This flag
  is now checked instead of a NULL check in various socket protocol
  calls.

- Introduce many assertions that this invariant holds.

- Various pieces of code, such as the SPX timer code, no longer needs
  to jump through hoops in case it frees a PCB while running.

- Break out ipx_pcbfree() from ipx_pcbdetach().  Likewise
  spx_pcbdetach().

- Comment on some SMP-related limitations to the SPX code.

- Update copyrights.

MFC after:	1 month
2006-03-25 17:28:42 +00:00
Robert Watson
92676aa962 Restructure spx_attach() to properly free memory in the event that one
of its allocations fails.  Allocate the ipxp last so as to avoid having
to free it if another allocation goes wrong.

Normalize retrieval of ipxp and cb from socket in spx_sp_attach(), and
add assertions.

MFC after:	1 month
2006-03-25 15:03:29 +00:00
Robert Watson
e7b7fc0ecd Don't bother restoring host byte order of mbuf fields when we're just
about to free the mbuf in the spx_input() error path.

MFC after:	1 month
2006-03-25 14:45:08 +00:00
Robert Watson
3945bca516 In spx_ctloutput(), acquire the ipxp lock around read operations,
especially reads of spx header structures, which will now be cached
in the stack until they can be copied out after releasing the lock.
Panic if a bad socket option direction is passed in by the caller.

MFC after:	1 month
2006-03-25 14:44:05 +00:00
Robert Watson
6d3d51f03e Slight style reformatting of spx_timers() comments; panic if an
unrecognized timer is passed into the function.

MFC after:	1 month
2006-03-25 14:29:03 +00:00
Robert Watson
a52526165e Include kernel.h to get NET_NEEDS_GIANT() definition, which for some
reason compiled fine here.  I may be running with other include file
changes locally.

MFC after:	3 days
2006-03-24 20:08:48 +00:00
Robert Watson
b8e00b4cf4 Clean up and style(9) SPX code prior to significant functional changes
being committed:

- Wrap comments more evenly on right border.
- Clean up braces.

Also, along similar lines:

- Assert some pointers are non-NULL before dereferencing them.
- Remove one assertion that looks, on face value, poor.

MFC after:	1 month
2006-03-24 13:58:23 +00:00
Robert Watson
ba8cc9aa46 Protect spx_iss using its own mutex, spx_mtx, rather than piggy-backing
on the global IPX mutex, which is not held at all necessary strategic
points.

MFC after:	1 month
2006-03-24 00:26:25 +00:00
Robert Watson
0850baa938 Move definition of spxrexmtthresh to top of file with other global
variables.

MFC after:	1 month
2006-03-24 00:22:25 +00:00
Robert Watson
8dba0c89c1 Canonicalize, update copyright.
Remove 'register'.
Use ANSI prototypes, not K&R.

MFC after:	1 month
2006-03-24 00:15:58 +00:00
Robert Watson
5ca770c90c Update copyright to 2006, comment on my contribution to this code in the
style of previous contributors.

MFC after:	1 month
2006-03-24 00:02:15 +00:00
Robert Watson
6252bd331d Comment that raw output filter code for IPX should run in a netisr so as
to avoid recursing the socket code, as this input path can run in the
call stack of an output path.

MFC after:	1 month
2006-03-24 00:00:23 +00:00
Robert Watson
48d699a78f When the kernel is compiled with options IPXIP, run the network stack
with Giant, as there is current unsafety in the IPX tunneled over IP
code.  There have been no reports of trouble, but there probably would
be if anyone were running this code at high speed on SMP systems.

MFC after:	3 days
2006-03-23 23:07:56 +00:00
Robert Watson
ddd14ad4fb Move spx_savesi from being a global variable to an automatically allocated
variable on the spx_input() stack.  It's not very large, and this will
avoid parallelism issues when spx_input() runs in more than one thread at
a time.

MFC after:	1 month
2006-03-23 19:58:12 +00:00
Robert Watson
7d01b89631 Admit to ourselves that we don't actually implement pr_ctlinput() for
IPX or SPX, as the code in the implementing functions is essentially
a no-op.  Replace with a comment indicating we don't implement these
currently.
2006-03-23 19:50:00 +00:00
Robert Watson
71c47d1480 In spx_attach() and spx_detach(), there is no need to check whether the
ipxpcb is NULL or not: in attach it will be, and on detach it won't be.
If for any reason these invariants don't hold true, panicking is a good
idea.

Noticed by:	Coverity Prevent analysis tool
MFC after:	3 days
2006-01-14 00:05:44 +00:00
Robert Watson
bfcff7c78e Remove dead code associated with 'mcopy' in ipx_forward(): at no point
are the contents of the forwarded mbuf ever copied into mcopy, so there's
no need to have mcopy, conditionally look at mcopy, or conditionally free
it.

Noticed by:	Coverity Prevent analysis tool
MFC after:	3 days
2006-01-13 23:47:55 +00:00
Andre Oppermann
71590103f4 Include ip_options.h for IPX-IP encapsulation.
Noticed by:	Tinderbox
Sponsored by:   TCP/IP Optimization Fundraise 2005
2005-11-20 16:17:12 +00:00
Ruslan Ermilov
303989a2f3 Use sparse initializers for "struct domain" and "struct protosw",
so they are easier to follow for the human being.
2005-11-09 13:29:16 +00:00
Andre Oppermann
34333b16cd Retire MT_HEADER mbuf type and change its users to use MT_DATA.
Having an additional MT_HEADER mbuf type is superfluous and redundant
as nothing depends on it.  It only adds a layer of confusion.  The
distinction between header mbuf's and data mbuf's is solely done
through the m->m_flags M_PKTHDR flag.

Non-native code is not changed in this commit.  For compatibility
MT_HEADER is mapped to MT_DATA.

Sponsored by:	TCP/IP Optimization Fundraise 2005
2005-11-02 13:46:32 +00:00
Robert Watson
d374e81efd Push the assignment of a new or updated so_qlimit from solisten()
following the protocol pru_listen() call to solisten_proto(), so
that it occurs under the socket lock acquisition that also sets
SO_ACCEPTCONN.  This requires passing the new backlog parameter
to the protocol, which also allows the protocol to be aware of
changes in queue limit should it wish to do something about the
new queue limit.  This continues a move towards the socket layer
acting as a library for the protocol.

Bump __FreeBSD_version due to a change in the in-kernel protocol
interface.  This change has been tested with IPv4 and UNIX domain
sockets, but not other protocols.
2005-10-30 19:44:40 +00:00
David E. O'Brien
5b1c0294e4 Forward declaring static variables as extern is invalid ISO-C. Now that
GCC can properly handle forward static declarations, do this properly.
2005-09-07 10:06:14 +00:00
Brooks Davis
fc74a9f93a Stop embedding struct ifnet at the top of driver softcs. Instead the
struct ifnet or the layer 2 common structure it was embedded in have
been replaced with a struct ifnet pointer to be filled by a call to the
new function, if_alloc(). The layer 2 common structure is also allocated
via if_alloc() based on the interface type. It is hung off the new
struct ifnet member, if_l2com.

This change removes the size of these structures from the kernel ABI and
will allow us to better manage them as interfaces come and go.

Other changes of note:
 - Struct arpcom is no longer referenced in normal interface code.
   Instead the Ethernet address is accessed via the IFP2ENADDR() macro.
   To enforce this ac_enaddr has been renamed to _ac_enaddr.
 - The second argument to ether_ifattach is now always the mac address
   from driver private storage rather than sometimes being ac_enaddr.

Reviewed by:	sobomax, sam
2005-06-10 16:49:24 +00:00
Robert Watson
886f89afda Back out ipx.h:1.18, which introduced a Linux API compatibility field in
the ipx_net data structure.  Doing so introduced a stronger alignment
requirement for the address structure, which in turn propagated into
other dependent data structures, which turns out not to be suported by
the available IPX source code.  As a result, a number of user space
applications, such as IPX routing components, failed to operate
correctly.

RELENG_5_3 candidate?

PRs:		74059, 80266
Pointy hat to:	bms
Fix by:		bde
Tested by:	Keith White <Keith dot White at site dot uottawa dot ca>
MFC after:	1 week
Suffering:	great
2005-05-27 12:25:42 +00:00
Robert Watson
313bcc9cb8 Update copyright: parts of the netipx implementation are covered by a
2005 copyright.

MFC after:	3 days
2005-04-10 18:05:46 +00:00
Robert Watson
e1968df17f Compare (mbuf *) with NULL, not 0.
MFC after:	3 days
2005-04-10 18:05:02 +00:00
Robert Watson
47605579c9 Marginally reformat my copyright statement to remove the spurious ','. 2005-03-10 14:19:31 +00:00
Robert Watson
0daccb9c94 In the current world order, solisten() implements the state transition of
a socket from a regular socket to a listening socket able to accept new
connections.  As part of this state transition, solisten() calls into the
protocol to update protocol-layer state.  There were several bugs in this
implementation that could result in a race wherein a TCP SYN received
in the interval between the protocol state transition and the shortly
following socket layer transition would result in a panic in the TCP code,
as the socket would be in the TCPS_LISTEN state, but the socket would not
have the SO_ACCEPTCONN flag set.

This change does the following:

- Pushes the socket state transition from the socket layer solisten() to
  to socket "library" routines called from the protocol.  This permits
  the socket routines to be called while holding the protocol mutexes,
  preventing a race exposing the incomplete socket state transition to TCP
  after the TCP state transition has completed.  The check for a socket
  layer state transition is performed by solisten_proto_check(), and the
  actual transition is performed by solisten_proto().

- Holds the socket lock for the duration of the socket state test and set,
  and over the protocol layer state transition, which is now possible as
  the socket lock is acquired by the protocol layer, rather than vice
  versa.  This prevents additional state related races in the socket
  layer.

This permits the dual transition of socket layer and protocol layer state
to occur while holding locks for both layers, making the two changes
atomic with respect to one another.  Similar changes are likely require
elsewhere in the socket/protocol code.

Reported by:		Peter Holm <peter@holm.cc>
Review and fixes from:	emax, Antoine Brodin <antoine.brodin@laposte.net>
Philosophical head nod:	gnn
2005-02-21 21:58:17 +00:00