Commit Graph

2642 Commits

Author SHA1 Message Date
Bjoern A. Zeeb
89e7e7e32a Add SCTP as a known upper layer protocol over v6.
We are not yet aware of the protocol internals but this way
SCTP traffic over v6 will not be discarded.

Reported by: Peter Lei via rrs
Tested by:   Peter Lei <peterlei cisco.com>
2006-11-13 19:07:32 +00:00
Randall Stewart
7f34832b95 In a true restart case, the send_lock was
not being aquired. This meant that when we cleanup
the outbound we may have one in transit to be
added with the old sequence number. This is bad
since then we loose a message :(

Also the report_outbound needed to have the right
lock when its called which it did not.. I added
the lock with of course a flag since we want to
have the lock before we call it in the restart
case.

This also fixed the FIX ME case where, in the cookie
collision case, we mark for retransmit any that
were bundled with the cookie that was dropped.
This also means changes to the output routine
so we can assure getting the COOKIE-ACK sent
BEFORE we retransmit the Data.

Approved by:	gnn
2006-11-11 22:44:12 +00:00
Randall Stewart
6a91f103b6 Turns out we would reset the TSN seq counter during
a colliding INIT. This if fine except when we have
data outstanding... we basically reset it to the
previous value it was.. so then we end up assigning
the same TSN to two different data chunks.
This patch:

1) Finds a missing lock for when we change the stream
   numbers during COOKIE and INIT-ACK processing.. we
   were NOT locking the send_buffer.. which COULD cause
   problems (found by inspection looking for <2>)

2) Fixes a case during a colliding INIT where we incorrectly
   reset the sending Sequence thus in some cases duplicately
   assigning a TSN.

3) Additional enhancments to logging so we can see strm/tsn in
   the receiver AND new tracking to watch what the sender
   is doing with TSN and STRM seq's.

Approved by:	gnn
2006-11-11 15:59:01 +00:00
Randall Stewart
de0e935b29 This patch fixes a LOR that happens during INIT-ACK collision.
We were calling select_a_tag() inside sctp_send_initate_ack().
During collision cases we have a stcb and thus a SCTP_LOCK. When
we call select_a_tag it (below it) locks the INFO lock. We now
1) pre-select the nonce-tie-tags in sctputil.c during setup of
   a tcb.
2) In the other case where we have to select tags, we unlock after
   incr the ref cnt (so assoc won't go away0 and then do the
   tag selection followed by a relock and decr the refcnt.
Approved by:	gnn
2006-11-10 13:34:55 +00:00
Randall Stewart
08598d7067 Fixes an issue with handling of stream reset. When a
reset comes in we need to calculate the length and
therefore the number of listed streams (if any) based
on the TLV type. Otherwise if we get a retran we could
in theory panic by sending a notification to a user with
a incorrect list and thus no memory listing the streams.
Found in IOS by devtest :-)
Approved by:	gnn
2006-11-09 21:01:07 +00:00
Randall Stewart
03b0b02163 -Fixes first of all the getcred on IPv6 and V4. The
copy's were incorrect and so was the locking.
-A bug was also found that would create a race and
 panic when an abort arrived on a socket being read
 from.
-Also fix the reader to get MSG_TRUNC when a partial
 delivery is aborted.
-Also addresses a couple of coverity caught error path
 memory leaks and a couple of other valid complaints
Approved by:	gnn
2006-11-08 00:21:13 +00:00
Joe Marcus Clarke
1bc3d4c1d1 Fix TFTP NAT support by making sure the appropriate fingerprinting checks
are done.

Reviewed by:	piso
2006-11-07 21:06:48 +00:00
Robert Watson
b96fbb37da Convert three new suser(9) calls introduced between when the priv(9)
patch was prepared and committed to priv(9) calls.  Add XXX comments
as, in each case, the semantics appear to differ from the TCP/UDP
versions of the calls with respect to jail, and because cr_canseecred()
is not used to validate the query.

Obtained from:	TrustedBSD Project
2006-11-06 14:54:06 +00:00
Randall Stewart
f4ad963c9f This changes tracks down the EEOR->NonEEOR mode failure
to wakeup on close of the sender. It basically moves
the return (when the asoc has a reader/writer) further
down and gets the wakeup and assoc appending (of the
PD-API event) moved up before the return.  It also
moves the flag set right before the return so we can
assure only once adding the PD-API events.

Approved by:	gnn
2006-11-06 14:34:21 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Ruslan Ermilov
9274ba8a1f Revert previous commit, and instead make the expression in rev. 1.2
match the style of this file.

OK'ed by:	rrs
2006-11-05 14:36:59 +00:00
Randall Stewart
50cec91936 Tons of fixes to get all the 64bit issues removed.
This also moves two 16 bit int's to become 32 bit
values so we do not have to use atomic_add_16.
Most of the changes are %p, casts and other various
nasty's that were in the orignal code base. With this
commit my machine will now do a build universe.. however
I as yet have not tested on a 64bit machine .. it may not work :-(
2006-11-05 13:25:18 +00:00
Ruslan Ermilov
11acae799a Fix pointer arithmetic to be 64-bit friendly. 2006-11-04 08:45:50 +00:00
Ruslan Ermilov
e349e6b8a0 Remove bogus casts that Randall for some reason didn't borrow
from my supplied patch.
2006-11-04 08:19:01 +00:00
John Birrell
5051417909 Remove a bogus cast in an attempt to fix the tinderbox builds on
lots of arches.
2006-11-04 05:39:39 +00:00
Randall Stewart
562a89b562 More 64 bit pointer fun.
%p changed in multiple prints
the mtod() was also fixed.
2006-11-03 23:04:34 +00:00
Randall Stewart
249820a7d8 Fix two of the 64bit errors on the printfs. 2006-11-03 21:19:54 +00:00
Randall Stewart
cef8ad061a Somehow I missed this one. The sys/cdef.h was out
of order with respect to the FSBID..
2006-11-03 19:48:56 +00:00
Randall Stewart
73932c69b6 Opps... in my fix up of all the $FreeBSD:$-> $FreeBSD$ I
inserted a few to the new files.. but I falied to
add the #include <sys/cdef.h>

Which causes a compile error.. sorry about that... got it
now :-)

Approved by:gnn
2006-11-03 17:21:53 +00:00
Randall Stewart
f8829a4a40 Ok, here it is, we finally add SCTP to current. Note that this
work is not just mine, but it is also the works of Peter Lei
and Michael Tuexen. They both are my two key other developers
working on the project.. and they need ata-boy's too:
****
peterlei@cisco.com
tuexen@fh-muenster.de
****
I did do a make sysent which updated the
syscall's and sysproto.. I hope that is correct... without
it you don't build since we have new syscalls for SCTP :-0

So go out and look at the NOTES, add
option SCTP (make sure inet and inet6 are present too)
and play with SCTP.

I will see about comitting some test tools I have after I
figure out where I should place them. I also have a
lib (libsctp.a) that adds some of the missing socketapi
functions that I need to put into lib's.. I will talk
to George about this :-)

There may still be some 64 bit issues in here, none of
us have a 64 bit processor to test with yet.. Michael
may have a MAC but thats another beast too..

If you have a mac and want to use SCTP contact Michael
he maintains a web site with a loadable module with
this code :-)

Reviewed by:	gnn
Approved by:	gnn
2006-11-03 15:23:16 +00:00
Oleg Bulyzhin
35da9180dc - Use non-recursive mutex. MTX_RECURSE is unnecessary since rev. 1.70
- Pay respect to net.isr.direct: use netisr_dispatch() instead of ip_input()

Reviewed by:	glebius, rwatson

- purge_flow_set():
    - Do not leak memory while purging queues which are not bound to pipe.
    - style(9) cleanup

MFC after:	2 months
2006-10-29 12:09:24 +00:00
Oleg Bulyzhin
c2df509a1d - Convert
net.inet.ip.dummynet.curr_time
	net.inet.ip.dummynet.searches
	net.inet.ip.dummynet.search_steps
  to SYSCTL_LONG nodes. It will prevent frequent wrap around on 64bit archs.

- Implement simple mechanics for dummynet(4) internal time correction.
  Under certain circumstances (system high load, dummynet lock contention, etc)
  dummynet's tick counter can be significantly slower than it should be.
  (I've observed up to 25% difference on one of my production servers).
  Since this counter used for packet scheduling, it's accuracy is vital for
  precise bandwidth limitation.

  Introduce new sysctl nodes:
  net.inet.ip.dummynet.
    tick_lost		- number of ticks coalesced by taskqueue thread.
    tick_adjustment	- number of time corrections done.
    tick_diff		- adjusted vs non-adjusted tick counter difference
    tick_delta		- last vs 'standard' tick differnece (usec).
    tick_delta_sum	- accumulated (and not corrected yet) time
  			  difference (usec).

Reviewed by:	glebius
MFC after:	2 month
2006-10-27 13:05:37 +00:00
Oleg Bulyzhin
b2b05096fd Use separate thread for servicing dummynet(4).
Utilize taskqueue(9) API.

Submitted by:	glebius
MFC after:	2 month
2006-10-27 11:16:58 +00:00
Oleg Bulyzhin
c447b19f6e style(9) cleanup.
MFC after:	2 month
2006-10-27 10:52:32 +00:00
Robert Watson
aed5570872 Complete break-out of sys/sys/mac.h into sys/security/mac/mac_framework.h
begun with a repo-copy of mac.h to mac_framework.h.  sys/mac.h now
contains the userspace and user<->kernel API and definitions, with all
in-kernel interfaces moved to mac_framework.h, which is now included
across most of the kernel instead.

This change is the first step in a larger cleanup and sweep of MAC
Framework interfaces in the kernel, and will not be MFC'd.

Obtained from:	TrustedBSD Project
Sponsored by:	SPARTA
2006-10-22 11:52:19 +00:00
Julian Elischer
010b65f54a revert last change.. premature.. need to wait until if_ethersubr.c
uses pfil to get to ipfw.
2006-10-21 00:16:31 +00:00
Julian Elischer
3df668cc38 Move some variables to a more likely place
and remove "temporary" stuff that is not needed any more.
2006-10-20 19:32:08 +00:00
Maxim Konovalov
428b67b194 o Do not do args->f_id.addr_type == 6 when there is
IS_IP6_FLOW_ID() exactly for that.
2006-10-11 12:14:28 +00:00
Maxim Konovalov
f16ccf6814 o Kill a nit in the comment. 2006-10-11 12:00:53 +00:00
Maxim Konovalov
5f197ce41e o Extend not very informative ipfw(4) message 'drop session, too many
entries' by src:port and dst:port pairs.  IPv6 part is non-functional
as ``limit'' does not support IPv6 flows.

PR:		kern/103967
Submitted by:	based on Bruce Campbell patch
MFC after:	1 month
2006-10-11 11:52:34 +00:00
Ruslan Ermilov
cc81ddd9db Merge the rest of my changes. 2006-10-11 07:11:56 +00:00
Paolo Pisati
f3d9aab351 Various mdoc and grammar fixes.
Approved by: glebius
Reviewed by: glebius, ru
2006-10-08 13:53:45 +00:00
Bjoern A. Zeeb
7002145d8e Set scope on MC address so IPv6 carp advertisement will not get dropped
in ip6_output. In case this fails  handle the error directly and log it[1].
In addition permit CARP over v6 in ip_fw2.

PR:                     kern/98622
Similar patch by:       suz
Discussed with:         glebius [1]
Tested by:              Paul.Dekkers surfnet.nl, Philippe.Pegon crc.u-strasbg.fr
MFC after:              3 days
2006-10-07 10:19:58 +00:00
Gleb Smirnoff
f7a679b200 Save space on stack moving token ring stuff to its own hack block. 2006-10-04 11:08:14 +00:00
Gleb Smirnoff
9b9a52b496 Style rev. 1.152. 2006-10-04 10:59:21 +00:00
Andre Oppermann
6a7c943c59 Remove stone-aged and irrelevant "#ifndef notdef". 2006-09-29 16:44:45 +00:00
Bruce M Simpson
910e1364b6 Nits.
Submitted by:	ru
2006-09-29 16:16:41 +00:00
Bruce M Simpson
2d20d32344 Push removal of mrouted down to the rest of the tree. 2006-09-29 15:45:11 +00:00
Maxim Konovalov
acc03ac6bb o Convert w/spaces to tabs in the previous commit. 2006-09-29 06:46:31 +00:00
Mike Silbersack
d4bdcb16cc Rather than autoscaling the number of TIME_WAIT sockets to maxsockets / 5,
scale it to min(ephemeral port range / 2, maxsockets / 5) so that people
with large gobs of memory and/or large maxsockets settings will not
exhaust their entire ephemeral port range with sockets in the TIME_WAIT
state during periods of heavy load.

Those who wish to tweak the size of the TIME_WAIT zone can still do so with
net.inet.tcp.maxtcptw.

Reviewed by: glebius, ru
2006-09-29 06:24:26 +00:00
Andre Oppermann
2c30ec0a1f When tcp_output() receives an error upon sending a packet it reverts parts
of its internal state to ignore the failed send and try again a bit later.
If the error is EPERM the packet got blocked by the local firewall and the
revert may cause the session to get stuck and retry indefinitely.  This way
we treat it like a packet loss and let the retransmit timer and timeouts
do their work over time.

The correct behavior is to drop a connection that gets an EPERM error.
However this _may_ introduce some POLA problems and a two commit approach
was chosen.

Discussed with:	glebius
PR:		kern/25986
PR:		kern/102653
2006-09-28 18:02:46 +00:00
Andre Oppermann
6a2257d911 When doing TSO correctly do the check to prevent a maximum sized IP packet
from overflowing.
2006-09-28 13:59:26 +00:00
Bruce M Simpson
050596b4a0 Fix the IPv4 multicast routing detach path. On interface detach whilst
the MROUTER is running, the system would panic as described in the PR.

The fix in the PR is a good start, however, the other state associated
with the multicast forwarding cache has to be freed in order to avoid
leaking memory and other possible panics.

More care and attention is needed in this area.

PR:		kern/82882
MFC after:	1 week
2006-09-28 12:21:08 +00:00
Bruce M Simpson
d966841427 The IPv4 code should clean up multicast group state when an interface
goes away. Without this change, it leaks in_multi (and often ether_multi
state) if many clonable interfaces are created and destroyed in quick
succession.

The concept of this fix is borrowed from KAME. Detailed information about
this behaviour, as well as test cases, are available in the PR.

PR:		kern/78227
MFC after:	1 week
2006-09-28 10:04:07 +00:00
Paolo Pisati
7c00cc76f0 Compilation. 2006-09-27 02:08:44 +00:00
Paolo Pisati
be4f3cd0d9 Summer of Code 2005: improve libalias - part 1 of 2
With the first part of my previous Summer of Code work, we get:

-made libalias modular:

 -support for 'particular' protocols (like ftp/irc/etcetc) is no more
  hardcoded inside libalias, but it's available through external
  modules loadable at runtime

 -modules are available both in kernel (/boot/kernel/alias_*.ko) and
  user land (/lib/libalias_*)

 -protocols/applications modularized are: cuseeme, ftp, irc, nbt, pptp,
  skinny and smedia

-added logging support for kernel side

-cleanup

After a buildworld, do a 'mergemaster -i' to install the file libalias.conf
in /etc or manually copy it.

During startup (and after every HUP signal) user land applications running
the new libalias will try to read a file in /etc called libalias.conf:
that file contains the list of modules to load.

User land applications affected by this commit are ppp and natd:
if libalias.conf is present in /etc you won't notice any difference.

The only kernel land bit affected by this commit is ng_nat:
if you are using ng_nat, and it doesn't correctly handle
ftp/irc/etcetc sessions anymore, remember to kldload
the correspondent module (i.e. kldload alias_ftp).

General information and details about the inner working are available
in the libalias man page under the section 'MODULAR ARCHITECTURE
(AND ipfw(4) SUPPORT)'.

NOTA BENE: this commit affects _ONLY_ libalias, ipfw in-kernel nat
support will be part of the next libalias-related commit.

Approved by: glebius
Reviewed by: glebius, ru
2006-09-26 23:26:53 +00:00
John-Mark Gurney
e16fa5ca55 fix calculating to_tsecr... This prevents the rtt calculations from
going all wonky...
2006-09-26 01:21:46 +00:00
Bruce M Simpson
13c8384424 Fix an incompatibility between CARP and IPv4 multicast routing, whereby
the VRRPv2 advertisements will originate from the wrong source address.
This only affects kernels compiled with MROUTING and after the MRT_INIT
ioctl() has been issued.
Set imo_multicast_vif in carp's softc to the invalid value -1 after it is
zeroed by softc allocation, to stop the ip_output() path looking up the
incorrect source address thinking a vif is set.

PR:		kern/100532
Submitted by:	Bohus Plucinsky
MFC after:	1 week
2006-09-25 11:53:54 +00:00
Bruce M Simpson
e2fd806b36 Spleling
Submitted by:	pjd
2006-09-25 11:48:07 +00:00
Bruce M Simpson
07ea6709ea Account for output IP datagrams on the ifaddr where they originated from,
*not* the first ifaddr on the ifp.  This is similar to what NetBSD does.

PR:		kern/72936
Submitted by:	alfred
Reviewed by:	andre
2006-09-25 10:11:16 +00:00