Commit Graph

127 Commits

Author SHA1 Message Date
Bjoern A. Zeeb
259d2d5431 carp(4) allows people to share a set of IP addresses and can only
use IPv4/v6 for inter-node communication (according to my reading).

Properly wrap the carp callouts in INET || INET6 and refelect this
in sys/conf/files as well.  While in theory this should be ok,
it might be a bit optimistic to think that carp could build with
inet6 only[1].

Discussed with:		mlaier [1]
2009-06-11 10:26:38 +00:00
Oleg Bulyzhin
dda10d624c Close long existed race with net.inet.ip.fw.one_pass = 0:
If packet leaves ipfw to other kernel subsystem (dummynet, netgraph, etc)
it carries pointer to matching ipfw rule. If this packet then reinjected back
to ipfw, ruleset processing starts from that rule. If rule was deleted
meanwhile, due to existed race condition panic was possible (as well as
other odd effects like parsing rules in 'reap list').

P.S. this commit changes ABI so userland ipfw related binaries should be
recompiled.

MFC after:	1 month
Tested by:	Mikolaj Golub
2009-06-09 21:27:11 +00:00
Luigi Rizzo
115a40c7bf More cleanup in preparation of ipfw relocation (no actual code change):
+ move ipfw and dummynet hooks declarations to raw_ip.c (definitions
  in ip_var.h) same as for most other global variables.
  This removes some dependencies from ip_input.c;

+ remove the IPFW_LOADED macro, just test ip_fw_chk_ptr directly;

+ remove the DUMMYNET_LOADED macro, just test ip_dn_io_ptr directly;

+ move ip_dn_ruledel_ptr to ip_fw2.c which is the only file using it;

To be merged together with rev 193497

MFC after:	5 days
2009-06-05 13:44:30 +00:00
Andrew Thompson
3f11aba75f Reorder the bridge add and delete routines to avoid calling ifpromisc() with
the bridge lock held.
2009-05-01 19:46:42 +00:00
Sam Leffler
5d3220403f use if_transmit intead of direct frobbing of the if_snd q; this is no
longer allowed

Identified by:	rwatson
Reviewed by:	kmacy
2009-04-27 22:06:49 +00:00
Robert Watson
86425c62a0 Update stats in struct ipstat using four new macros, IPSTAT_ADD(),
IPSTAT_INC(), IPSTAT_SUB(), and IPSTAT_DEC(), rather than directly
manipulating the fields across the kernel.  This will make it easier
to change the implementation of these statistics, such as using
per-CPU versions of the data structures.

MFC after:	3 days
2009-04-11 23:35:20 +00:00
Robert Watson
e5adda3d51 Remove IFF_NEEDSGIANT, a compatibility infrastructure introduced
in FreeBSD 5.x to allow network device drivers to run with Giant
despite the network stack being Giant-free.  This significantly
simplifies calls into ioctl() on network interfaces, especially
in the multicast code, as well as eliminates deferred invocation
of interface if_start routines.

Disable the build on device drivers still depending on
IFF_NEEDSGIANT as they no longer compile.  They will be removed
in a few weeks if they haven't been made MPSAFE in that time.
Disabled drivers:

        if_ar
        if_axe
        if_aue
        if_cdce
        if_cue
        if_kue
        if_ray
        if_rue
        if_rum
        if_sr
        if_udav
        if_ural
        if_zyd

Drivers that were already disabled because of tty changes:

        if_ppp
        if_sl

Discussed on:	arch@
2009-03-15 14:21:05 +00:00
Andrew Thompson
66c84010b4 bridge_delete_member is called via the event handler from if_detach
after the LLADDR is reclaimed which causes a null pointer deref with
inherit_mac enabled. Record the ifnet pointer of the interface and then compare
that to find when to re-assign the bridge address.

Submitted by:	sam
2009-02-13 19:20:25 +00:00
Marko Zec
385195c062 Conditionally compile out V_ globals while instantiating the appropriate
container structures, depending on VIMAGE_GLOBALS compile time option.

Make VIMAGE_GLOBALS a new compile-time option, which by default will not
be defined, resulting in instatiations of global variables selected for
V_irtualization (enclosed in #ifdef VIMAGE_GLOBALS blocks) to be
effectively compiled out.  Instantiate new global container structures
to hold V_irtualized variables: vnet_net_0, vnet_inet_0, vnet_inet6_0,
vnet_ipsec_0, vnet_netgraph_0, and vnet_gif_0.

Update the VSYM() macro so that depending on VIMAGE_GLOBALS the V_
macros resolve either to the original globals, or to fields inside
container structures, i.e. effectively

#ifdef VIMAGE_GLOBALS
#define V_rt_tables rt_tables
#else
#define V_rt_tables vnet_net_0._rt_tables
#endif

Update SYSCTL_V_*() macros to operate either on globals or on fields
inside container structs.

Extend the internal kldsym() lookups with the ability to resolve
selected fields inside the virtualization container structs.  This
applies only to the fields which are explicitly registered for kldsym()
visibility via VNET_MOD_DECLARE() and vnet_mod_register(), currently
this is done only in sys/net/if.c.

Fix a few broken instances of MODULE_GLOBAL() macro use in SCTP code,
and modify the MODULE_GLOBAL() macro to resolve to V_ macros, which in
turn result in proper code being generated depending on VIMAGE_GLOBALS.

De-virtualize local static variables in sys/contrib/pf/net/pf_subr.c
which were prematurely V_irtualized by automated V_ prepending scripts
during earlier merging steps.  PF virtualization will be done
separately, most probably after next PF import.

Convert a few variable initializations at instantiation to
initialization in init functions, most notably in ipfw.  Also convert
TUNABLE_INT() initializers for V_ variables to TUNABLE_FETCH_INT() in
initializer functions.

Discussed at:	devsummit Strassburg
Reviewed by:	bz, julian
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
2008-12-10 23:12:39 +00:00
Bjoern A. Zeeb
4b79449e2f Rather than using hidden includes (with cicular dependencies),
directly include only the header files needed. This reduces the
unneeded spamming of various headers into lots of files.

For now, this leaves us with very few modules including vnet.h
and thus needing to depend on opt_route.h.

Reviewed by:	brooks, gnn, des, zec, imp
Sponsored by:	The FreeBSD Foundation
2008-12-02 21:37:28 +00:00
Marko Zec
8b615593fc Step 1.5 of importing the network stack virtualization infrastructure
from the vimage project, as per plan established at devsummit 08/08:
http://wiki.freebsd.org/Image/Notes200808DevSummit

Introduce INIT_VNET_*() initializer macros, VNET_FOREACH() iterator
macros, and CURVNET_SET() context setting macros, all currently
resolving to NOPs.

Prepare for virtualization of selected SYSCTL objects by introducing a
family of SYSCTL_V_*() macros, currently resolving to their global
counterparts, i.e. SYSCTL_V_INT() == SYSCTL_INT().

Move selected #defines from sys/sys/vimage.h to newly introduced header
files specific to virtualized subsystems (sys/net/vnet.h,
sys/netinet/vinet.h etc.).

All the changes are verified to have zero functional impact at this
point in time by doing MD5 comparision between pre- and post-change
object files(*).

(*) netipsec/keysock.c did not validate depending on compile time options.

Implemented by:	julian, bz, brooks, zec
Reviewed by:	julian, bz, brooks, kris, rwatson, ...
Approved by:	julian (mentor)
Obtained from:	//depot/projects/vimage-commit2/...
X-MFC after:	never
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
2008-10-02 15:37:58 +00:00
Andrew Thompson
6945d73b44 Put the bridge mac inheritance behind a sysctl with the default off as this
still needs all the edge cases fixed.

Submitted by:	Eygene Ryabinkin
2008-09-08 03:28:26 +00:00
Bjoern A. Zeeb
603724d3ab Commit step 1 of the vimage project, (network stack)
virtualization work done by Marko Zec (zec@).

This is the first in a series of commits over the course
of the next few weeks.

Mark all uses of global variables to be virtualized
with a V_ prefix.
Use macros to map them back to their global names for
now, so this is a NOP change only.

We hope to have caught at least 85-90% of what is needed
so we do not invalidate a lot of outstanding patches again.

Obtained from:	//depot/projects/vimage-commit2/...
Reviewed by:	brooks, des, ed, mav, julian,
		jamie, kris, rwatson, zec, ...
		(various people I forgot, different versions)
		md5 (with a bit of help)
Sponsored by:	NLnet Foundation, The FreeBSD Foundation
X-MFC after:	never
V_Commit_Message_Reviewed_By:	more people than the patch
2008-08-17 23:27:27 +00:00
Andrew Thompson
ef57ba98a7 LRO combined packets can actually be bridged as long as all the interfaces also
support TSO, this can always be disabled manually if undesirable.

Pointed out by:		gallatin
2008-08-16 23:59:17 +00:00
Andrew Thompson
ec29c62300 Be smarter about disabling interface capabilities. TOE/TSO/TXCSUM will only be
disabled if one (or more) of the member interfaces does not support it. Always
turn off LRO since we can not bridge a combined frame.

Tested by:	Stefan Lambrev
2008-07-03 15:58:30 +00:00
Philip Paeps
fe878019fa Set bridge MAC addresses to the MAC address of their first interface unless
locally configured.  This is more in line with the behaviour of other popular
bridging implementations and makes bridges more predictable after reboots for
example.

Reviewed by:	thompsa
MFC after:	1 week
2008-07-01 08:14:58 +00:00
Andrew Thompson
fdf229b124 Remove a chunk of duplicated code, test the destination address against the
bridge the same way we check member interfaces.
2008-01-18 09:34:09 +00:00
Andrew Thompson
905925d349 IEEE 802.1D-2004 states, frames containing any of the group MAC Addresses
specified in Table 7-10 in their destination address field shall not be relayed
by the Bridge. Add a check in bridge_forward() to adhere to this.

PR:		kern/119744
2008-01-18 00:19:10 +00:00
Andrew Thompson
eaf56834f1 Sync from OpenBSD r1.118, nuke clause 3 & 4. 2008-01-17 09:46:16 +00:00
Andrew Thompson
8411d52a93 Simplify the error handling and use the dereferenced sc->sc_ifp pointer. 2007-12-18 09:13:04 +00:00
Andrew Thompson
155f68d1aa When the bridge has an address and a packet comes in for it then drop it if the
link has been marked discarding by Spanning Tree. This would cause the bridge
to see duplicate packets to itself even if STP has correctly calculated the
topology and blocked redundant links.

Reported by:	trasz
Tested by:	trasz
MFC after:	3 days
2007-12-18 07:04:50 +00:00
Oleg Bulyzhin
897c0f57d4 1) dummynet_io() declaration has changed.
2) Alter packet flow inside dummynet: allow certain packets to bypass
dummynet scheduler. Benefits are:

- lower latency: if packet flow does not exceed pipe bandwidth, packets
  will not be (up to tick) delayed (due to dummynet's scheduler granularity).
- lower overhead: if packet avoids dummynet scheduler it shouldn't reenter ip
  stack later. Such packets can be fastforwarded.
- recursion (which can lead to kernel stack exhaution) eliminated. This fix
  long existed panic, which can be triggered this way:
  	kldload dummynet
	sysctl net.inet.ip.fw.one_pass=0
	ipfw pipe 1 config bw 0
	for i in `jot 30`; do ipfw add 1 pipe 1 icmp from any to any; done
	ping -c 1 localhost

3) Three new sysctl nodes are added:
net.inet.ip.dummynet.io_pkt -		packets passed to dummynet
net.inet.ip.dummynet.io_pkt_fast - 	packets avoided dummynet scheduler
net.inet.ip.dummynet.io_pkt_drop -	packets dropped by dummynet

P.S. Above comments are true only for layer 3 packets. Layer 2 packet flow
     is not changed yet.

MFC after:	3 month
2007-11-06 23:01:42 +00:00
Andrew Thompson
5f33ec7ba2 Add an option to limit the number of source MACs that can be behind a bridge
interface.  Once the limit is reached packets with unknown source addresses are
dropped until an existing host cache entry expires or is removed.  Useful to
use with the STICKY cache option.

Sponsored by:	miniSuperHappyDevHouse NZ
2007-11-04 08:32:27 +00:00
Andrew Thompson
3565f9bc31 Use ETHER_BPF_MTAP so that the vlan tags are visible to bpf(4) when bridging a
vlan trunk.

Discussed with:		csjp
MFC after:		3 days
2007-10-20 02:10:10 +00:00
Andrew Thompson
60e87ca8df The bridging output function puts the mbuf directly on the interfaces send
queue so the output network card must support the same tagging mechanism as
how the frame was input (prepended Ethernet header tag or stripped HW mflag).

Now the vlan Ethernet header is _always_ stripped in ether_input and the mbuf
flagged, only only network cards with VLAN_HWTAGGING enabled would properly
re-tag any outgoing vlan frames.

If the outgoing interface does not support hardware tagging then readd the vlan
header to the front of the frame. Move the common vlan encapsulation in to
ether_vlanencap().

Reported by:	Erik Osterholm, Jon Otterholm
MFC after:	1 week
2007-10-18 21:22:15 +00:00
Andrew Thompson
31e4cb54e9 Allow additional packet filtering on the physical interface for locally
destined packets, disabled by default.

PR:		kern/116051
Submitted by:	Eygene Ryabinkin
Approved by:	re (bmah)
MFC after:	2 weeks
2007-09-16 21:09:15 +00:00
Andrew Thompson
85ce729794 Add a bridge interface flag called PRIVATE where any private port can not
communicate with another private port.

All unicast/broadcast/multicast layer2 traffic is blocked so it works much the
same way as using firewall rules but scales better and is generally easier as
firewall packages usually do not allow ARP blocking.

An example usage would be having a number of customers on separate vlans
bridged with a server network. All the vlans are marked private, they can all
communicate with the server network unhindered, but can not exchange any
traffic whatsoever with each other.

Approved by:	re (rwatson)
2007-08-01 00:33:52 +00:00
Andrew Thompson
82056f42cf Avoid holding the softc lock when using copyout().
Reported by:	dfr
Approved by:	re (rwatson)
2007-07-26 20:30:18 +00:00
Andrew Thompson
22dcc3c17b Add the vlan tag to the bridge route table. This allows a vlan trunk to be
bridged, previously legitimate traffic was not passed as the bridge could not
tell that it was on a different Ethernet segment.

All non-tagged traffic is treated as vlan1 as per IEEE 802.1Q-2003
2007-06-13 18:58:04 +00:00
Andrew Thompson
5adfb0cc39 Remove a KASSERT intended to help the developer, the condition is no longer
valid since the span code was added.

PR:		kern/113170
MFC after:	1 week
2007-05-30 19:39:55 +00:00
Andrew Thompson
6c655efcaf etherbroadcastaddr is now unused. 2007-03-19 19:20:35 +00:00
Andrew Thompson
82912c1f69 M_BCAST & M_MCAST are now set by ether_input before passing to the bridge. 2007-03-19 19:13:02 +00:00
Roman Kurakin
3d0a65c88d Give a chance for packet to appear with a correct input interfaces
in case of multiple interfaces with the same MAC in the same bridge.
This commit do not solve the entire problem. Only case where packet
arrived from such interface.

PR:     kern/109815
MFC after:      7 days
Submitted by:   Eygene Ryabinkin and rik@
Discussed with: bms@, thompsa@, yar@
2007-03-18 23:28:53 +00:00
Andrew Thompson
8bc736d0dd Properly move the setting of bstp_linkstate_p to the bridgestp module. 2007-03-14 20:55:51 +00:00
Andrew Thompson
e5bda9fb3a Change the passing of callbacks to a struct in case this needs to be extended in the future. 2007-03-09 19:34:55 +00:00
Andrew Thompson
9c68675bae Move the lock init until after if_alloc in case the allocation fails and we
free the softc and return.

MFC after:	3 days
2007-02-23 19:37:55 +00:00
Andrew Thompson
787096051b These days P2P means peer-2-peer (also well known from serveral filesharing
protocols) while PointToPoint has been PtP links. Change the variables
accordingly while the code is still fresh and undocumented.

Requested by:	bz
2006-12-11 23:46:40 +00:00
Shteryana Shopova
daacddcac8 Add two new flags to if_bridge(4) indicating whether the edge flag
of the bridge port and path cost have been administratively set or
calculated automatically by RSTP.

Make sure to transition from non-edge to edge when the port goes down
and the edge flag was manually set before.
This is needed to comply with the condition
	((!portEnabled && AdminEdge) || ....)
in the Bridge Detection State Machine (IEE802.1D-2004, p. 171).

Reviewed by:	thompsa
Approved by:	bz (mentor)
2006-12-04 14:45:02 +00:00
Shteryana Shopova
b8f45801b0 Fix SIOCGDRVSPEC/BRDGGIFSSTP ioctl: make it copyin() the user
provided buffer length before trying to use it.

Reviewed by:	thompsa
Approved by:	bz (mentor)
MFC after:	3 days
2006-12-03 21:50:57 +00:00
Andrew Thompson
6c32e05ca3 Sync with the OpenBSD port of RSTP
- use flags rather than sperate ioctls for edge, p2p
 - implement p2p and autop2p flags
 - define large pathcost constant as ULL
 - show bridgeid and rootid in ifconfig

Obtained from:	Reyk Floeter <reyk@openbsd.org>
2006-11-27 00:35:40 +00:00
Andrew Thompson
071fff62be use two stage creation of stp ports, this means that the stp variables can be
set before the port is marked STP and they will no longer be overwrittten
2006-11-26 18:43:48 +00:00
Andrew Thompson
3df7fad0cf Add a new address cache type called sticky. On an interface marked sticky any
address learned by the bridge is made permanent, the address will not age out
and most importantly will not migrate to another interface.

This can be used to stop mac address poisoning or clients roaming in much the
same way as static entries without the hassle of preloading the table.
2006-11-09 06:32:38 +00:00
Robert Watson
acd3428b7d Sweep kernel replacing suser(9) calls with priv(9) calls, assigning
specific privilege names to a broad range of privileges.  These may
require some future tweaking.

Sponsored by:           nCircle Network Security, Inc.
Obtained from:          TrustedBSD Project
Discussed on:           arch@
Reviewed (at least in part) by: mlaier, jmg, pjd, bde, ceri,
                        Alex Lyashkov <umka at sevcity dot net>,
                        Skip Ford <skip dot ford at verizon dot net>,
                        Antoine Brodin <antoine dot brodin at laposte dot net>
2006-11-06 13:42:10 +00:00
Christian S.J. Peron
67be76c039 Fix possible leak when bridge is in monitor mode. Use m_freem() which will
free the entire chain, instead of using m_free() which will free just the
mbuf that was passed.

Discussed with:	thompsa
MFC after:	3 days
2006-11-05 17:56:25 +00:00
Andrew Thompson
59ee2183e2 When the packet is for the bridge then note which interface to send the reply
to, previously it was always broadcast to all interfaces (a bug). This is
useful when the bridge is the default gateway and vlans are used to isolate
each client, the reply is now kept private to the vlan which the client
resides.

Reported by:	Jon Otterholm
Tested by:	Jon Otterholm
MFC after:	3 days
2006-11-04 10:40:59 +00:00
Andrew Thompson
3fab76690c Bring in support for the Rapid Spanning Tree Protocol (802.1w).
RSTP provides faster spanning tree convergence, the protocol will exchange
information with neighboring switches to quickly transition to forwarding
without creating loops. The code will default to RSTP mode but will downgrade
any port connected to a legacy STP network so is fully backward compatible.

Reviewed by:	syrinx
Tested by:	syrinx
2006-11-01 09:07:47 +00:00
Andrew Thompson
8408ecd6d8 Use LIST_FOREACH_SAFE instead of a hand rolled version. 2006-10-09 00:49:57 +00:00
Andrew Thompson
0a6f8a5050 Revert r1.80 as the ethernet header was inadvertently stripped from ARP
packets. Reimplement this correctly and use a sysctl that defaults to off so
the user doesnt get any suprises if ipfw blocks the ARP packet.

MFC after:	3 days
2006-09-22 21:57:52 +00:00
Andrew Thompson
781dd9ae05 Rearrange things so that ARP packets can be filtered or rate limited with IPFW.
Requested by:	Jon Otterholm
Tested by:	Jon Otterholm
2006-09-17 08:20:56 +00:00
Andrew Thompson
4ec528c7a4 The bridge cant hear its own transmissions so set IFF_SIMPLEX.
PR:		kern/102361
Tested by:	Radim Kolar <hsn@netmag.cz>
MFC after:	3 days
2006-08-25 20:11:56 +00:00