Commit Graph

67 Commits

Author SHA1 Message Date
Warner Losh
a163d034fa Back out M_* changes, per decision of the TRB.
Approved by: trb
2003-02-19 05:47:46 +00:00
Peter Wemm
cc8557f550 Do not do an assignment in a truth test (previous commit) or gcc gives a
warning which breaks builds.

cc1: warnings being treated as errors
src/sys/net/bridge.c: In function `bdg_forward':
sys/net/bridge.c:931: warning: suggest parentheses around assignment used as truth value
*** Error code 1
2003-02-12 19:34:34 +00:00
Sam Leffler
ee7785a7f8 PFIL_HOOKS optimization: check if at least one hook is present before
munging the IP header to pass to the hooks
2003-02-11 21:48:20 +00:00
Alfred Perlstein
44956c9863 Remove M_TRYWAIT/M_WAITOK/M_WAIT. Callers should use 0.
Merge M_NOWAIT/M_DONTWAIT into a single flag M_NOWAIT.
2003-01-21 08:56:16 +00:00
Ian Dowse
03a585553a Oops, I misread the purpose of the NULL check in EH_RESTORE() in
revision 1.62. It was checking for M_PREPEND() failing, not for the
case of a NULL mbuf pointer being supplied to the macro. Back out
that revision, and fix the NULL dereference by not calling EH_RESTORE()
in the case where the mbuf pointer is NULL because the firewall
rejected the packet.
2002-12-27 17:15:16 +00:00
Ian Dowse
bf235b1710 Fix a bug introduced by revision 1.59 that would cause an immediate
NULL dereference if a bridged packet was rejected by ipfw.
2002-12-27 16:27:45 +00:00
Jeffrey Hsu
b30a244c34 SMP locking for ifnet list. 2002-12-22 05:35:03 +00:00
Bosko Milekic
86fea6be59 o Untangle the confusion with the malloc flags {M_WAITOK, M_NOWAIT} and
the mbuf allocator flags {M_TRYWAIT, M_DONTWAIT}.
o Fix a bpf_compat issue where malloc() was defined to just call
  bpf_alloc() and pass the 'canwait' flag(s) along.  It's been changed
  to call bpf_alloc() but pass the corresponding M_TRYWAIT or M_DONTWAIT
  flag (and only one of those two).

Submitted by: Hiten Pandya <hiten@unixdaemons.com> (hiten->commit_count++)
2002-12-19 22:58:27 +00:00
Sam Leffler
2f907a97c7 track changes to ethernet input handling to no longer strip the Ethernet header
Reviewed by:	many
Approved by:	re
2002-11-14 23:57:09 +00:00
Poul-Henning Kamp
c694310048 FIx misindentation.
Spotted by:	FlexeLint.
2002-10-16 09:00:53 +00:00
Sam Leffler
5d84645305 Replace aux mbufs with packet tags:
o instead of a list of mbufs use a list of m_tag structures a la openbsd
o for netgraph et. al. extend the stock openbsd m_tag to include a 32-bit
  ABI/module number cookie
o for openbsd compatibility define a well-known cookie MTAG_ABI_COMPAT and
  use this in defining openbsd-compatible m_tag_find and m_tag_get routines
o rewrite KAME use of aux mbufs in terms of packet tags
o eliminate the most heavily used aux mbufs by adding an additional struct
  inpcb parameter to ip_output and ip6_output to allow the IPsec code to
  locate the security policy to apply to outbound packets
o bump __FreeBSD_version so code can be conditionalized
o fixup ipfilter's call to ip_output based on __FreeBSD_version

Reviewed by:	julian, luigi (silent), -arch, -net, darren
Approved by:	julian, silence from everyone else
Obtained from:	openbsd (mostly)
MFC after:	1 month
2002-10-16 01:54:46 +00:00
Maxime Henrion
1f6973c5b4 When reusing a pointer as a number, at least cast it
to uintptr_t rather than u_int to avoid warnings on
64 bits architectures.
2002-10-06 14:02:35 +00:00
Luigi Rizzo
015d72e0c9 Make bridging and layer2-ipfw obey net.inet.ip.fw.one_pass.
I should have committed this ages ago.

The MFC for if_ethersubr.c could be done in the usual few days (only
ipfw2 uses it), the one for bridge.c should probably wait until
after 4.7 because it changes an existing though mostly undocumented
behaviour (on which i hope nobody relies). All in all, i'll wait for
both things unless there is demand.

MFC after: 35 days
2002-09-12 01:05:46 +00:00
Luigi Rizzo
c4ddb6caf5 Remove 0 initializers for global/static variables, so they end up in
BSS instead of DATA. This marginally reduces the kernel image size, though
the difference is almost irrelevant for compressed kernels.
2002-07-07 22:42:57 +00:00
Maxim Konovalov
0e37791701 Remove trailing whitespaces.
Approved by:	luigi
2002-07-03 11:04:17 +00:00
Maxim Konovalov
b4eabccf51 o Strict interface names comparison. The old code assumed "fxp1" == "fxp11".
o Use an appropriate constant for interface name buffer.

Reviewed by:	luigi
Approved by:	luigi
MFC after:	1 month
2002-07-03 11:00:55 +00:00
Luigi Rizzo
2f8ebbf49f fix indentation, whitespace and a few comments. 2002-06-23 11:19:53 +00:00
Luigi Rizzo
2b25acc158 Remove (almost all) global variables that were used to hold
packet forwarding state ("annotations") during ip processing.
The code is considerably cleaner now.

The variables removed by this change are:

        ip_divert_cookie        used by divert sockets
        ip_fw_fwd_addr          used for transparent ip redirection
        last_pkt                used by dynamic pipes in dummynet

Removal of the first two has been done by carrying the annotations
into volatile structs prepended to the mbuf chains, and adding
appropriate code to add/remove annotations in the routines which
make use of them, i.e. ip_input(), ip_output(), tcp_input(),
bdg_forward(), ether_demux(), ether_output_frame(), div_output().

On passing, remove a bug in divert handling of fragmented packet.
Now it is the fragment at offset 0 which sets the divert status of
the whole packet, whereas formerly it was the last incoming fragment
to decide.

Removal of last_pkt required a change in the interface of ip_fw_chk()
and dummynet_io(). On passing, use the same mechanism for dummynet
annotations and for divert/forward annotations.

option IPFIREWALL_FORWARD is effectively useless, the code to
implement it is very small and is now in by default to avoid the
obfuscation of conditionally compiled code.

NOTES:
 * there is at least one global variable left, sro_fwd, in ip_output().
   I am not sure if/how this can be removed.

 * I have deliberately avoided gratuitous style changes in this commit
   to avoid cluttering the diffs. Minor stule cleanup will likely be
   necessary

 * this commit only focused on the IP layer. I am sure there is a
   number of global variables used in the TCP and maybe UDP stack.

 * despite the number of files touched, there are absolutely no API's
   or data structures changed by this commit (except the interfaces of
   ip_fw_chk() and dummynet_io(), which are internal anyways), so
   an MFC is quite safe and unintrusive (and desirable, given the
   improved readability of the code).

MFC after: 10 days
2002-06-22 11:51:02 +00:00
Luigi Rizzo
d60315bef5 Cleanup the interface to ip_fw_chk, two of the input arguments
were totally useless and have been removed.

ip_input.c, ip_output.c:
    Properly initialize the "ip" pointer in case the firewall does an
    m_pullup() on the packet.

    Remove some debugging code forgotten long ago.

ip_fw.[ch], bridge.c:
    Prepare the grounds for matching MAC header fields in bridged packets,
    so we can have 'etherfw' functionality without a lot of kernel and
    userland bloat.
2002-05-09 10:34:57 +00:00
Crist J. Clark
42786f6c03 Add hooks for very basic IPFilter support in bridging. Set,
# sysctl net.link.ether.bdg_ipf=1

To enable. Just like ipfw(8) bridging, only input packets are filtered
in the bridge. Filtering works just like in the IP layer, ipf(8)
first, then ipfw(8). And just like in the IP layer, both are
independent, one need not be run to use the other. (Note: This will
not work in, but doesn't break, the bridge.ko module. The ipl.ko
module would need to be fixed before that is worth worrying about.)

Reviewed by:	luigi
2002-03-18 00:55:23 +00:00
Crist J. Clark
3174c81c9c Unbreak bridge.ko. Replace an unresolved symbol with the actions it
was meant to take.

Submitted by:	luigi
Approved by:	luigi
MFC after:	3 days
2002-03-05 00:07:17 +00:00
Mike Barcroft
fd8e4ebc8c o Move NTOHL() and associated macros into <sys/param.h>. These are
deprecated in favor of the POSIX-defined lowercase variants.
o Change all occurrences of NTOHL() and associated marcros in the
  source tree to use the lowercase function variants.
o Add missing license bits to sparc64's <machine/endian.h>.
  Approved by: jake
o Clean up <machine/endian.h> files.
o Remove unused __uint16_swap_uint32() from i386's <machine/endian.h>.
o Remove prototypes for non-existent bswapXX() functions.
o Include <machine/endian.h> in <arpa/inet.h> to define the
  POSIX-required ntohl() family of functions.
o Do similar things to expose the ntohl() family in libstand, <netinet/in.h>,
  and <sys/param.h>.
o Prepend underscores to the ntohl() family to help deal with
  complexities associated with having MD (asm and inline) versions, and
  having to prevent exposure of these functions in other headers that
  happen to make use of endian-specific defines.
o Create weak aliases to the canonical function name to help deal with
  third-party software forgetting to include an appropriate header.
o Remove some now unneeded pollution from <sys/types.h>.
o Add missing <arpa/inet.h> includes in userland.

Tested on:	alpha, i386
Reviewed by:	bde, jake, tmm
2002-02-18 20:35:27 +00:00
Luigi Rizzo
e88516c29b Lots of improvement to the bridging code.
In order of importance:

 + each cluster now uses private data structures (filtering and
   local address tables) so you can treat them as fully independent
   switches. This part of the work was supported by:
        Cisco Systems, Inc. - NSITE lab, RTP, NC.

 + cleaned up the handling of configuration, so the system will behave
   much better when real or pseudo devices are dynamically attached
   or detached. It should also not panic anymore on systems with large
   number of devices, closing a few existings PRs on the topic.

 + while at it, add support for VLAN. This means that a FreeBSD box
   can now work as a real VLAN switch, with trunk interfaces etc.
   As an example:
        ifconfig vlan0 vlan 3 vlandev dc0
        ifconfig vlan1 vlan 4 vlandev dc0
        net.link.ether.bridge_cfg="vlan0:3,dc1:3,vlan1:4,dc1:4"
   uses dc0 as a trunk interface, and dc1 and dc3 as ports on vlans 3 and 4
   You get the idea...
   NOTA BENE: by default bridge_cfg is initialised to "" so even if
   you enable bridging, no packets will be bridged until you set the
   list of interfaces on which you want this to happen.

 + large restructuring of the code, moving private vars and types from
   bridge.h to bridge.c.

 + added a lot of comments to the code to explain how to use it.
2002-02-15 05:11:11 +00:00
Luigi Rizzo
31083dbb03 Whitespace change - replace leading spaces with tabs. 2001-11-24 01:47:50 +00:00
Luigi Rizzo
7b109fa404 MFS: sync the ipfw/dummynet/bridge code with the one recently merged
into stable (mostly , but not only, formatting and comments changes).
2001-11-04 22:56:25 +00:00
Luigi Rizzo
99e630c5c8 Remove an extra splimp() call.
Spotted-by: diff(1)
2001-11-01 08:30:38 +00:00
Matt Jacob
e58c2b8381 Fix this so it compiles cleanly for alpha. Tried to do some minimal testing.
Reviewed by:	freebsd-net
2001-10-19 18:29:57 +00:00
Matt Jacob
b03c6ed6e5 Traverse the list of network interfaces rather than use if_index- if_index is
not guaranteed to be dense with respect to the actual list of interfaces.
2001-10-12 18:04:44 +00:00
Paul Saab
db69a05dce Make it so dummynet and bridge can be loaded as modules.
Submitted by:	billf
2001-10-05 05:45:27 +00:00
Luigi Rizzo
830cc17841 Two main changes here:
+ implement "limit" rules, which permit to limit the number of sessions
   between certain host pairs (according to masks). These are a special
   type of stateful rules, which might be of interest in some cases.
   See the ipfw manpage for details.

 + merge the list pointers and ipfw rule descriptors in the kernel, so
   the code is smaller, faster and more readable. This patch basically
   consists in replacing "foo->rule->bar" with "rule->bar" all over
   the place.
   I have been willing to do this for ages!

MFC after: 1 week
2001-09-27 23:44:27 +00:00
Peter Wemm
bd1c51b1e7 Remove unused variable 2001-06-15 07:31:15 +00:00
Luigi Rizzo
7e1cd0d23d Sync with the bridge/dummynet/ipfw code already tested in stable.
In ip_fw.[ch] change a couple of variable and field names to
avoid having types, variables and fields with the same name.
2001-02-10 00:10:18 +00:00
Poul-Henning Kamp
fc2ffbe604 Mechanical change to use <sys/queue.h> macro API instead of
fondling implementation details.

Created with: sed(1)
Reviewed by: md5(1)
2001-02-04 13:13:25 +00:00
Poul-Henning Kamp
22f2982675 Use <sys/queue.h> macro api rather than fondle its implementation detals.
Created with:	/usr/bin/sed
Reviewed by:	/sbin/md5
2001-02-03 11:46:35 +00:00
Luigi Rizzo
7497319b6c MFS: bridge/ipfw/dummynet fixes 2001-02-02 00:19:25 +00:00
Luigi Rizzo
26fb17bdd0 Minor cleanups after yesterday's patch.
The code (bridging and dummynet) actually worked fine!
2001-01-26 19:43:54 +00:00
Luigi Rizzo
c353c285ee Bring bridging code in line with the one which works on -STABLE.
It compiles on -CURRENT, but I can not test functionality yet.
2001-01-26 06:47:19 +00:00
Luigi Rizzo
bfcd631529 Assorted bugfixes:
+ configuration: make sure that the NUL at the end of the config
   string is properly detected and handled, and the stats passed
   up via sysctl properly reflect which interfaces do bridging.
   (The whole config support might make good use of some cleanup
   in the future).

 + fixed some bugs related to the corruption of multicast and
   broadcast packets: make sure that for those packets the entire
   IP + ethernet header is in the mbuf, not in a cluster, so
   that writes performed in that area by the upper layers do
   not affect us.

 + performance: when calling m_pullup, make room for the ethernet header
   as well, we are going to add it in right after. Also, change an m_dup
   back to m_copypacket. The former is not necessary anymore now, and
   it did not help, anyways.

I will do a fast MFC because 95% of this patch is fixing bad bugs
and i doubt anyone would test the fix in CURRENT. Plus the last
two items mostly bring back some code which was already there in 4.0
times.
2001-01-22 22:34:53 +00:00
David Malone
7cc0979fd6 Convert more malloc+bzero to malloc+M_ZERO.
Submitted by:	josh@zipperup.org
Submitted by:	Robert Drehmel <robd@gmx.net>
2000-12-08 21:51:06 +00:00
Jonathan Lemon
df5e198723 Lock down the network interface queues. The queue mutex must be obtained
before adding/removing packets from the queue.  Also, the if_obytes and
if_omcasts fields should only be manipulated under protection of the mutex.

IF_ENQUEUE, IF_PREPEND, and IF_DEQUEUE perform all necessary locking on
the queue.  An IF_LOCK macro is provided, as well as the old (mutex-less)
versions of the macros in the form _IF_ENQUEUE, _IF_QFULL, for code which
needs them, but their use is discouraged.

Two new macros are introduced: IF_DRAIN() to drain a queue, and IF_HANDOFF,
which takes care of locking/enqueue, and also statistics updating/start
if necessary.
2000-11-25 07:35:38 +00:00
Bosko Milekic
a352dd9a71 Fixup (hopefully) bridging + ipfw + dummynet together...
* Some dummynet code incorrectly handled a malloc()-allocated pseudo-mbuf
  header structure, called "pkt," and could consequently pollute the mbuf
  free list if it was ever passed to m_freem(). The fix involved passing not
  pkt, but essentially pkt->m_next (which is a real mbuf) to the mbuf
  utility routines.

* Also, for dummynet, in bdg_forward(), made the code copy the ethernet header
  back into the mbuf (prepended) because the dummynet code that follows expects
  it to be there but it is, unfortunately for dummynet, passed to bdg_forward
  as a seperate argument.

PRs: kern/19551 ; misc/21534 ; kern/23010
Submitted by: Thomas Moestl <tmoestl@gmx.net>
Reviewed by: bmilekic
Approved by: luigi
2000-11-23 22:25:03 +00:00
Nick Sayer
54d2be5a40 In theory, m_dup should not be necessary, as m_copypacket should be
sifficient. But somewhere (I believe in the UDP stuff), someone is
overwriting an mbuf without calling m_pullup() first. This results in
broad- and multi-cast traffic that is passed through the bridge getting
corrupted.

This should be backed out when there is some assurance that the upper
layers (and I suppose all of the device drivers) are fixed.

Suggested by: archie
2000-09-25 17:24:02 +00:00
Bosko Milekic
ddacb30f2d Get rid of a panic that occurs in ether_demux() by dereferencing a NULL mbuf
pointer, when bridging and bridge_ipfw are enabled, and when bdg_forward()
happens to free the packet and make our pointer NULL. There may be
more similar problems like this one with calls to bdg_forward().

PR: Related to kern/19551
Reviewed by: jlemon
2000-09-24 04:08:38 +00:00
Ruslan Ermilov
e30177e024 Follow BSD/OS and NetBSD, keep the ip_id field in network order all the time.
Requested by:	wollman
2000-09-14 14:42:04 +00:00
Nick Sayer
82902fa3d8 Make the bridge_refresh operation automatic when ethernet interfaces
are attached or detached.
2000-07-29 02:00:12 +00:00
Nick Sayer
39902b5bea Oops. SYSCTL_HANDLER_ARGS -> (SYSCTL_HANDLER_ARGS) 2000-07-20 17:57:20 +00:00
Nick Sayer
12dc24ded3 Add sysctl to perform bridge refresh. This is required if bridged
configurations include loadable interfaces. After loading new
interface drivers, perform a 'sysctl -w net.link.ether.bridge_refresh=1'
and the bridge code will reinitialize itself.

Submitted by: <vsilyaev@mindspring.com>
2000-07-20 17:07:06 +00:00
Poul-Henning Kamp
77978ab8bc Previous commit changing SYSCTL_HANDLER_ARGS violated KNF.
Pointed out by:	bde
2000-07-04 11:25:35 +00:00
Poul-Henning Kamp
82d9ae4e32 Style police catches up with rev 1.26 of src/sys/sys/sysctl.h:
Sanitize SYSCTL_HANDLER_ARGS so that simplistic tools can grog our
sources:

        -sysctl_vm_zone SYSCTL_HANDLER_ARGS
        +sysctl_vm_zone (SYSCTL_HANDLER_ARGS)
2000-07-03 09:35:31 +00:00
Archie Cobbs
756fff0053 Don't try to apply ipfw filtering to non-IP packets.
Reported-by:	"Lachlan O'Dea" <lodea@vet.com.au>
2000-06-02 22:47:53 +00:00